@rebasepro/server-core 0.6.0 → 0.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +14 -14
- package/src/api/errors.ts +16 -2
- package/src/api/graphql/graphql-schema-generator.ts +45 -10
- package/src/api/rest/api-generator.ts +19 -2
- package/src/api/server.ts +10 -2
- package/src/api/types.ts +6 -0
- package/src/auth/adapter-middleware.ts +10 -2
- package/src/auth/admin-roles-route.ts +36 -0
- package/src/auth/admin-users-route.ts +302 -0
- package/src/auth/api-keys/api-key-middleware.ts +4 -3
- package/src/auth/api-keys/api-key-routes.ts +12 -2
- package/src/auth/api-keys/api-key-store.ts +83 -66
- package/src/auth/api-keys/api-key-types.ts +8 -0
- package/src/auth/apple-oauth.ts +2 -1
- package/src/auth/auth-hooks.ts +21 -0
- package/src/auth/bitbucket-oauth.ts +2 -1
- package/src/auth/builtin-auth-adapter.ts +28 -4
- package/src/auth/custom-auth-adapter.ts +2 -0
- package/src/auth/discord-oauth.ts +2 -1
- package/src/auth/facebook-oauth.ts +2 -1
- package/src/auth/github-oauth.ts +2 -1
- package/src/auth/gitlab-oauth.ts +2 -1
- package/src/auth/google-oauth.ts +8 -4
- package/src/auth/index.ts +2 -0
- package/src/auth/interfaces.ts +27 -0
- package/src/auth/linkedin-oauth.ts +2 -1
- package/src/auth/magic-link-routes.ts +167 -0
- package/src/auth/mfa-crypto.ts +91 -0
- package/src/auth/mfa-routes.ts +34 -10
- package/src/auth/microsoft-oauth.ts +2 -1
- package/src/auth/middleware.ts +10 -1
- package/src/auth/reset-password-admin.ts +17 -1
- package/src/auth/routes.ts +77 -8
- package/src/auth/session-routes.ts +15 -3
- package/src/auth/slack-oauth.ts +2 -1
- package/src/auth/spotify-oauth.ts +2 -1
- package/src/auth/twitter-oauth.ts +8 -1
- package/src/cron/cron-store.ts +25 -23
- package/src/email/index.ts +3 -2
- package/src/email/templates.ts +82 -0
- package/src/email/types.ts +16 -0
- package/src/init.ts +137 -5
- package/src/services/routed-realtime-service.ts +113 -0
- package/src/storage/routes.ts +4 -0
- package/src/utils/dev-port.ts +13 -7
- package/test/auth-routes.test.ts +54 -4
- package/test/custom-auth-adapter.test.ts +20 -1
- package/test/env.test.ts +9 -19
- package/test/multi-datasource-routing.test.ts +113 -0
- package/test/routed-realtime-service.test.ts +86 -0
- package/test/transform-auth-response.test.ts +305 -0
- package/vite.config.ts +5 -0
- package/build-errors.txt +0 -52
- package/dist/api/ast-schema-editor.d.ts +0 -21
- package/dist/api/collections_for_test/callbacks_test_collection.d.ts +0 -2
- package/dist/api/errors.d.ts +0 -53
- package/dist/api/graphql/graphql-schema-generator.d.ts +0 -35
- package/dist/api/graphql/index.d.ts +0 -1
- package/dist/api/index.d.ts +0 -9
- package/dist/api/logs-routes.d.ts +0 -37
- package/dist/api/openapi-generator.d.ts +0 -16
- package/dist/api/rest/api-generator.d.ts +0 -88
- package/dist/api/rest/index.d.ts +0 -1
- package/dist/api/rest/query-parser.d.ts +0 -11
- package/dist/api/schema-editor-routes.d.ts +0 -3
- package/dist/api/server.d.ts +0 -40
- package/dist/api/types.d.ts +0 -98
- package/dist/auth/adapter-middleware.d.ts +0 -37
- package/dist/auth/admin-user-ops.d.ts +0 -79
- package/dist/auth/api-keys/api-key-middleware.d.ts +0 -39
- package/dist/auth/api-keys/api-key-permission-guard.d.ts +0 -32
- package/dist/auth/api-keys/api-key-routes.d.ts +0 -20
- package/dist/auth/api-keys/api-key-store.d.ts +0 -35
- package/dist/auth/api-keys/api-key-types.d.ts +0 -88
- package/dist/auth/api-keys/index.d.ts +0 -17
- package/dist/auth/apple-oauth.d.ts +0 -30
- package/dist/auth/auth-hooks.d.ts +0 -225
- package/dist/auth/bitbucket-oauth.d.ts +0 -11
- package/dist/auth/builtin-auth-adapter.d.ts +0 -49
- package/dist/auth/crypto-utils.d.ts +0 -16
- package/dist/auth/custom-auth-adapter.d.ts +0 -39
- package/dist/auth/discord-oauth.d.ts +0 -14
- package/dist/auth/facebook-oauth.d.ts +0 -14
- package/dist/auth/github-oauth.d.ts +0 -15
- package/dist/auth/gitlab-oauth.d.ts +0 -13
- package/dist/auth/google-oauth.d.ts +0 -47
- package/dist/auth/index.d.ts +0 -36
- package/dist/auth/interfaces.d.ts +0 -401
- package/dist/auth/jwt.d.ts +0 -55
- package/dist/auth/linkedin-oauth.d.ts +0 -18
- package/dist/auth/mfa-routes.d.ts +0 -6
- package/dist/auth/mfa.d.ts +0 -49
- package/dist/auth/microsoft-oauth.d.ts +0 -16
- package/dist/auth/middleware.d.ts +0 -106
- package/dist/auth/password.d.ts +0 -22
- package/dist/auth/rate-limiter.d.ts +0 -50
- package/dist/auth/reset-password-admin.d.ts +0 -29
- package/dist/auth/rls-scope.d.ts +0 -31
- package/dist/auth/routes.d.ts +0 -33
- package/dist/auth/session-routes.d.ts +0 -25
- package/dist/auth/slack-oauth.d.ts +0 -12
- package/dist/auth/spotify-oauth.d.ts +0 -12
- package/dist/auth/twitter-oauth.d.ts +0 -18
- package/dist/backend-CIxN4FVm.js +0 -15
- package/dist/backend-CIxN4FVm.js.map +0 -1
- package/dist/chunk-Dze3rakg.js +0 -42
- package/dist/collections/BackendCollectionRegistry.d.ts +0 -13
- package/dist/collections/loader.d.ts +0 -5
- package/dist/cron/cron-loader.d.ts +0 -17
- package/dist/cron/cron-routes.d.ts +0 -14
- package/dist/cron/cron-scheduler.d.ts +0 -106
- package/dist/cron/cron-store.d.ts +0 -32
- package/dist/cron/index.d.ts +0 -6
- package/dist/db/interfaces.d.ts +0 -18
- package/dist/dist-CZKP-Xz4.js +0 -832
- package/dist/dist-CZKP-Xz4.js.map +0 -1
- package/dist/email/index.d.ts +0 -6
- package/dist/email/smtp-email-service.d.ts +0 -25
- package/dist/email/templates.d.ts +0 -42
- package/dist/email/types.d.ts +0 -108
- package/dist/env.d.ts +0 -102
- package/dist/from-VbwD7xRf.js +0 -3849
- package/dist/from-VbwD7xRf.js.map +0 -1
- package/dist/functions/function-loader.d.ts +0 -17
- package/dist/functions/function-routes.d.ts +0 -10
- package/dist/functions/index.d.ts +0 -3
- package/dist/history/history-routes.d.ts +0 -23
- package/dist/history/index.d.ts +0 -1
- package/dist/index.d.ts +0 -33
- package/dist/index.es.js +0 -61726
- package/dist/index.es.js.map +0 -1
- package/dist/index.umd.js +0 -73216
- package/dist/index.umd.js.map +0 -1
- package/dist/init/docs.d.ts +0 -4
- package/dist/init/health.d.ts +0 -2
- package/dist/init/middlewares.d.ts +0 -10
- package/dist/init/shutdown.d.ts +0 -11
- package/dist/init/storage.d.ts +0 -5
- package/dist/init.d.ts +0 -258
- package/dist/jwt-DHcQRGC3.js +0 -4168
- package/dist/jwt-DHcQRGC3.js.map +0 -1
- package/dist/logger-BYU66ENZ.js +0 -94
- package/dist/logger-BYU66ENZ.js.map +0 -1
- package/dist/ms-BeBSuOXN.js +0 -125
- package/dist/ms-BeBSuOXN.js.map +0 -1
- package/dist/multipart-parser-CedBDOeC.js +0 -299
- package/dist/multipart-parser-CedBDOeC.js.map +0 -1
- package/dist/serve-spa.d.ts +0 -30
- package/dist/services/driver-registry.d.ts +0 -78
- package/dist/services/webhook-service.d.ts +0 -29
- package/dist/singleton.d.ts +0 -35
- package/dist/src-COaj0G3P.js +0 -1182
- package/dist/src-COaj0G3P.js.map +0 -1
- package/dist/storage/LocalStorageController.d.ts +0 -46
- package/dist/storage/S3StorageController.d.ts +0 -36
- package/dist/storage/image-transform.d.ts +0 -50
- package/dist/storage/index.d.ts +0 -28
- package/dist/storage/routes.d.ts +0 -38
- package/dist/storage/storage-registry.d.ts +0 -78
- package/dist/storage/tus-handler.d.ts +0 -51
- package/dist/storage/types.d.ts +0 -103
- package/dist/types/index.d.ts +0 -11
- package/dist/utils/dev-port.d.ts +0 -35
- package/dist/utils/logger.d.ts +0 -31
- package/dist/utils/logging.d.ts +0 -9
- package/dist/utils/request-id.d.ts +0 -4
- package/dist/utils/request-logger.d.ts +0 -19
- package/dist/utils/sql.d.ts +0 -27
|
@@ -1,401 +0,0 @@
|
|
|
1
|
-
import { z } from "zod";
|
|
2
|
-
/**
|
|
3
|
-
* Authentication Abstraction Interfaces
|
|
4
|
-
*
|
|
5
|
-
* These interfaces define the contracts for authentication-related operations.
|
|
6
|
-
* Implementations can use different databases (PostgreSQL, MongoDB, etc.) to
|
|
7
|
-
* store user, role, and token data.
|
|
8
|
-
*/
|
|
9
|
-
/**
|
|
10
|
-
* User data structure
|
|
11
|
-
*/
|
|
12
|
-
export interface UserData {
|
|
13
|
-
id: string;
|
|
14
|
-
email: string;
|
|
15
|
-
passwordHash?: string | null;
|
|
16
|
-
displayName?: string | null;
|
|
17
|
-
photoUrl?: string | null;
|
|
18
|
-
emailVerified: boolean;
|
|
19
|
-
emailVerificationToken?: string | null;
|
|
20
|
-
emailVerificationSentAt?: Date | null;
|
|
21
|
-
isAnonymous?: boolean;
|
|
22
|
-
metadata?: Record<string, unknown>;
|
|
23
|
-
createdAt: Date;
|
|
24
|
-
updatedAt: Date;
|
|
25
|
-
}
|
|
26
|
-
/**
|
|
27
|
-
* Data for creating a new user
|
|
28
|
-
*/
|
|
29
|
-
export interface CreateUserData {
|
|
30
|
-
email: string;
|
|
31
|
-
passwordHash?: string;
|
|
32
|
-
displayName?: string;
|
|
33
|
-
photoUrl?: string;
|
|
34
|
-
emailVerified?: boolean;
|
|
35
|
-
isAnonymous?: boolean;
|
|
36
|
-
metadata?: Record<string, unknown>;
|
|
37
|
-
}
|
|
38
|
-
/**
|
|
39
|
-
* User Identity Data (OAuth accounts linked to user)
|
|
40
|
-
*/
|
|
41
|
-
export interface UserIdentityData {
|
|
42
|
-
id: string;
|
|
43
|
-
userId: string;
|
|
44
|
-
provider: string;
|
|
45
|
-
providerId: string;
|
|
46
|
-
profileData?: Record<string, unknown> | null;
|
|
47
|
-
createdAt: Date;
|
|
48
|
-
updatedAt: Date;
|
|
49
|
-
}
|
|
50
|
-
/**
|
|
51
|
-
* Standardized profile data returned by an OAuth provider verification payload
|
|
52
|
-
*/
|
|
53
|
-
export interface OAuthProviderProfile {
|
|
54
|
-
providerId: string;
|
|
55
|
-
email: string;
|
|
56
|
-
displayName?: string | null;
|
|
57
|
-
photoUrl?: string | null;
|
|
58
|
-
}
|
|
59
|
-
/**
|
|
60
|
-
* Pluggable OAuth Provider integration strategy
|
|
61
|
-
*/
|
|
62
|
-
export interface OAuthProvider<T = unknown> {
|
|
63
|
-
/** The identifier of the provider (e.g. "github", "google") */
|
|
64
|
-
id: string;
|
|
65
|
-
/** Zod schema validating the expected request payload (e.g. { code: string }) */
|
|
66
|
-
schema: z.ZodSchema<T>;
|
|
67
|
-
/** Verify external tokens/codes and return a standardized user profile */
|
|
68
|
-
verify: (payload: T) => Promise<OAuthProviderProfile | null>;
|
|
69
|
-
}
|
|
70
|
-
/**
|
|
71
|
-
* Role data structure
|
|
72
|
-
*/
|
|
73
|
-
export interface RoleData {
|
|
74
|
-
id: string;
|
|
75
|
-
name: string;
|
|
76
|
-
isAdmin: boolean;
|
|
77
|
-
defaultPermissions: {
|
|
78
|
-
read?: boolean;
|
|
79
|
-
create?: boolean;
|
|
80
|
-
edit?: boolean;
|
|
81
|
-
delete?: boolean;
|
|
82
|
-
} | null;
|
|
83
|
-
collectionPermissions: Record<string, {
|
|
84
|
-
read?: boolean;
|
|
85
|
-
create?: boolean;
|
|
86
|
-
edit?: boolean;
|
|
87
|
-
delete?: boolean;
|
|
88
|
-
}> | null;
|
|
89
|
-
}
|
|
90
|
-
/**
|
|
91
|
-
* Data for creating a new role
|
|
92
|
-
*/
|
|
93
|
-
export interface CreateRoleData {
|
|
94
|
-
id: string;
|
|
95
|
-
name: string;
|
|
96
|
-
isAdmin?: boolean;
|
|
97
|
-
defaultPermissions?: RoleData["defaultPermissions"];
|
|
98
|
-
collectionPermissions?: RoleData["collectionPermissions"];
|
|
99
|
-
}
|
|
100
|
-
/**
|
|
101
|
-
* Refresh token info
|
|
102
|
-
*/
|
|
103
|
-
export interface RefreshTokenInfo {
|
|
104
|
-
id: string;
|
|
105
|
-
userId: string;
|
|
106
|
-
tokenHash: string;
|
|
107
|
-
expiresAt: Date;
|
|
108
|
-
createdAt: Date;
|
|
109
|
-
userAgent?: string | null;
|
|
110
|
-
ipAddress?: string | null;
|
|
111
|
-
}
|
|
112
|
-
/**
|
|
113
|
-
* Password reset token info
|
|
114
|
-
*/
|
|
115
|
-
export interface PasswordResetTokenInfo {
|
|
116
|
-
userId: string;
|
|
117
|
-
expiresAt: Date;
|
|
118
|
-
}
|
|
119
|
-
/**
|
|
120
|
-
* Options for paginated user listing
|
|
121
|
-
*/
|
|
122
|
-
export interface ListUsersOptions {
|
|
123
|
-
/** Max results per page (default 25) */
|
|
124
|
-
limit?: number;
|
|
125
|
-
/** Number of results to skip (default 0) */
|
|
126
|
-
offset?: number;
|
|
127
|
-
/** Search term — matches against email and displayName (case-insensitive) */
|
|
128
|
-
search?: string;
|
|
129
|
-
/** Field to sort by (default "createdAt") */
|
|
130
|
-
orderBy?: string;
|
|
131
|
-
/** Sort direction (default "desc") */
|
|
132
|
-
orderDir?: "asc" | "desc";
|
|
133
|
-
/** Filter by role ID */
|
|
134
|
-
roleId?: string;
|
|
135
|
-
}
|
|
136
|
-
/**
|
|
137
|
-
* Result of a paginated user listing
|
|
138
|
-
*/
|
|
139
|
-
export interface PaginatedUsersResult {
|
|
140
|
-
users: UserData[];
|
|
141
|
-
/** Total number of users matching the filters (ignoring limit/offset) */
|
|
142
|
-
total: number;
|
|
143
|
-
limit: number;
|
|
144
|
-
offset: number;
|
|
145
|
-
}
|
|
146
|
-
/**
|
|
147
|
-
* Abstract user repository interface.
|
|
148
|
-
* Handles all user-related database operations.
|
|
149
|
-
*/
|
|
150
|
-
export interface UserRepository {
|
|
151
|
-
/**
|
|
152
|
-
* Create a new user
|
|
153
|
-
*/
|
|
154
|
-
createUser(data: CreateUserData): Promise<UserData>;
|
|
155
|
-
/**
|
|
156
|
-
* Get a user by ID
|
|
157
|
-
*/
|
|
158
|
-
getUserById(id: string): Promise<UserData | null>;
|
|
159
|
-
/**
|
|
160
|
-
* Get a user by email
|
|
161
|
-
*/
|
|
162
|
-
getUserByEmail(email: string): Promise<UserData | null>;
|
|
163
|
-
/**
|
|
164
|
-
* Get a user by an OAuth identity
|
|
165
|
-
*/
|
|
166
|
-
getUserByIdentity(provider: string, providerId: string): Promise<UserData | null>;
|
|
167
|
-
/**
|
|
168
|
-
* Get all identities linked to a user
|
|
169
|
-
*/
|
|
170
|
-
getUserIdentities(userId: string): Promise<UserIdentityData[]>;
|
|
171
|
-
/**
|
|
172
|
-
* Link a new OAuth identity to a user
|
|
173
|
-
*/
|
|
174
|
-
linkUserIdentity(userId: string, provider: string, providerId: string, profileData?: Record<string, unknown>): Promise<void>;
|
|
175
|
-
/**
|
|
176
|
-
* Update a user
|
|
177
|
-
*/
|
|
178
|
-
updateUser(id: string, data: Partial<Omit<CreateUserData, "id">>): Promise<UserData | null>;
|
|
179
|
-
/**
|
|
180
|
-
* Delete a user
|
|
181
|
-
*/
|
|
182
|
-
deleteUser(id: string): Promise<void>;
|
|
183
|
-
/**
|
|
184
|
-
* List all users (unbounded — use listUsersPaginated for large datasets)
|
|
185
|
-
*/
|
|
186
|
-
listUsers(): Promise<UserData[]>;
|
|
187
|
-
/**
|
|
188
|
-
* List users with server-side pagination, search, and sorting.
|
|
189
|
-
*/
|
|
190
|
-
listUsersPaginated(options?: ListUsersOptions): Promise<PaginatedUsersResult>;
|
|
191
|
-
/**
|
|
192
|
-
* Update user's password hash
|
|
193
|
-
*/
|
|
194
|
-
updatePassword(id: string, passwordHash: string): Promise<void>;
|
|
195
|
-
/**
|
|
196
|
-
* Set email verification status
|
|
197
|
-
*/
|
|
198
|
-
setEmailVerified(id: string, verified: boolean): Promise<void>;
|
|
199
|
-
/**
|
|
200
|
-
* Set email verification token
|
|
201
|
-
*/
|
|
202
|
-
setVerificationToken(id: string, token: string | null): Promise<void>;
|
|
203
|
-
/**
|
|
204
|
-
* Find user by email verification token
|
|
205
|
-
*/
|
|
206
|
-
getUserByVerificationToken(token: string): Promise<UserData | null>;
|
|
207
|
-
/**
|
|
208
|
-
* Get roles for a user
|
|
209
|
-
*/
|
|
210
|
-
getUserRoles(userId: string): Promise<RoleData[]>;
|
|
211
|
-
/**
|
|
212
|
-
* Get role IDs for a user
|
|
213
|
-
*/
|
|
214
|
-
getUserRoleIds(userId: string): Promise<string[]>;
|
|
215
|
-
/**
|
|
216
|
-
* Set roles for a user (replaces existing roles)
|
|
217
|
-
*/
|
|
218
|
-
setUserRoles(userId: string, roleIds: string[]): Promise<void>;
|
|
219
|
-
/**
|
|
220
|
-
* Assign a specific role to a new user
|
|
221
|
-
*/
|
|
222
|
-
assignDefaultRole(userId: string, roleId: string): Promise<void>;
|
|
223
|
-
/**
|
|
224
|
-
* Get user with their roles
|
|
225
|
-
*/
|
|
226
|
-
getUserWithRoles(userId: string): Promise<{
|
|
227
|
-
user: UserData;
|
|
228
|
-
roles: RoleData[];
|
|
229
|
-
} | null>;
|
|
230
|
-
}
|
|
231
|
-
/**
|
|
232
|
-
* Abstract role repository interface.
|
|
233
|
-
* Handles all role-related database operations.
|
|
234
|
-
*/
|
|
235
|
-
export interface RoleRepository {
|
|
236
|
-
/**
|
|
237
|
-
* Get a role by ID
|
|
238
|
-
*/
|
|
239
|
-
getRoleById(id: string): Promise<RoleData | null>;
|
|
240
|
-
/**
|
|
241
|
-
* List all roles
|
|
242
|
-
*/
|
|
243
|
-
listRoles(): Promise<RoleData[]>;
|
|
244
|
-
/**
|
|
245
|
-
* Create a new role
|
|
246
|
-
*/
|
|
247
|
-
createRole(data: CreateRoleData): Promise<RoleData>;
|
|
248
|
-
/**
|
|
249
|
-
* Update a role
|
|
250
|
-
*/
|
|
251
|
-
updateRole(id: string, data: Partial<Omit<RoleData, "id">>): Promise<RoleData | null>;
|
|
252
|
-
/**
|
|
253
|
-
* Delete a role
|
|
254
|
-
*/
|
|
255
|
-
deleteRole(id: string): Promise<void>;
|
|
256
|
-
}
|
|
257
|
-
/**
|
|
258
|
-
* Abstract token repository interface.
|
|
259
|
-
* Handles refresh tokens and password reset tokens.
|
|
260
|
-
*/
|
|
261
|
-
export interface TokenRepository {
|
|
262
|
-
/**
|
|
263
|
-
* Create a new refresh token
|
|
264
|
-
*/
|
|
265
|
-
createRefreshToken(userId: string, tokenHash: string, expiresAt: Date, userAgent?: string, ipAddress?: string): Promise<void>;
|
|
266
|
-
/**
|
|
267
|
-
* Find a refresh token by hash
|
|
268
|
-
*/
|
|
269
|
-
findRefreshTokenByHash(tokenHash: string): Promise<RefreshTokenInfo | null>;
|
|
270
|
-
/**
|
|
271
|
-
* Delete a refresh token by hash
|
|
272
|
-
*/
|
|
273
|
-
deleteRefreshToken(tokenHash: string): Promise<void>;
|
|
274
|
-
/**
|
|
275
|
-
* Delete all refresh tokens for a user
|
|
276
|
-
*/
|
|
277
|
-
deleteAllRefreshTokensForUser(userId: string): Promise<void>;
|
|
278
|
-
/**
|
|
279
|
-
* List all refresh tokens for a user
|
|
280
|
-
*/
|
|
281
|
-
listRefreshTokensForUser(userId: string): Promise<RefreshTokenInfo[]>;
|
|
282
|
-
/**
|
|
283
|
-
* Delete a specific refresh token by its primary key ID
|
|
284
|
-
*/
|
|
285
|
-
deleteRefreshTokenById(id: string, userId: string): Promise<void>;
|
|
286
|
-
/**
|
|
287
|
-
* Create a password reset token
|
|
288
|
-
*/
|
|
289
|
-
createPasswordResetToken(userId: string, tokenHash: string, expiresAt: Date): Promise<void>;
|
|
290
|
-
/**
|
|
291
|
-
* Find a valid (not expired, not used) password reset token by hash
|
|
292
|
-
*/
|
|
293
|
-
findValidPasswordResetToken(tokenHash: string): Promise<PasswordResetTokenInfo | null>;
|
|
294
|
-
/**
|
|
295
|
-
* Mark a password reset token as used
|
|
296
|
-
*/
|
|
297
|
-
markPasswordResetTokenUsed(tokenHash: string): Promise<void>;
|
|
298
|
-
/**
|
|
299
|
-
* Delete all password reset tokens for a user
|
|
300
|
-
*/
|
|
301
|
-
deleteAllPasswordResetTokensForUser(userId: string): Promise<void>;
|
|
302
|
-
/**
|
|
303
|
-
* Clean up expired tokens
|
|
304
|
-
*/
|
|
305
|
-
deleteExpiredTokens(): Promise<void>;
|
|
306
|
-
}
|
|
307
|
-
/**
|
|
308
|
-
* MFA factor data structure
|
|
309
|
-
*/
|
|
310
|
-
export interface MfaFactor {
|
|
311
|
-
id: string;
|
|
312
|
-
userId: string;
|
|
313
|
-
factorType: "totp";
|
|
314
|
-
friendlyName?: string;
|
|
315
|
-
verified: boolean;
|
|
316
|
-
createdAt: Date;
|
|
317
|
-
updatedAt: Date;
|
|
318
|
-
}
|
|
319
|
-
/**
|
|
320
|
-
* MFA challenge information
|
|
321
|
-
*/
|
|
322
|
-
export interface MfaChallengeInfo {
|
|
323
|
-
id: string;
|
|
324
|
-
factorId: string;
|
|
325
|
-
createdAt: Date;
|
|
326
|
-
verifiedAt?: Date;
|
|
327
|
-
ipAddress?: string;
|
|
328
|
-
}
|
|
329
|
-
/**
|
|
330
|
-
* Recovery code data structure
|
|
331
|
-
*/
|
|
332
|
-
export interface RecoveryCode {
|
|
333
|
-
id: string;
|
|
334
|
-
userId: string;
|
|
335
|
-
usedAt?: Date;
|
|
336
|
-
}
|
|
337
|
-
/**
|
|
338
|
-
* Abstract MFA repository interface.
|
|
339
|
-
* Handles all MFA-related database operations.
|
|
340
|
-
*/
|
|
341
|
-
export interface MfaRepository {
|
|
342
|
-
/**
|
|
343
|
-
* Create a new MFA factor for a user
|
|
344
|
-
*/
|
|
345
|
-
createMfaFactor(userId: string, factorType: "totp", secretEncrypted: string, friendlyName?: string): Promise<MfaFactor>;
|
|
346
|
-
/**
|
|
347
|
-
* Get all MFA factors for a user
|
|
348
|
-
*/
|
|
349
|
-
getMfaFactors(userId: string): Promise<MfaFactor[]>;
|
|
350
|
-
/**
|
|
351
|
-
* Get a specific MFA factor by ID
|
|
352
|
-
*/
|
|
353
|
-
getMfaFactorById(factorId: string): Promise<(MfaFactor & {
|
|
354
|
-
secretEncrypted: string;
|
|
355
|
-
}) | null>;
|
|
356
|
-
/**
|
|
357
|
-
* Mark an MFA factor as verified
|
|
358
|
-
*/
|
|
359
|
-
verifyMfaFactor(factorId: string): Promise<void>;
|
|
360
|
-
/**
|
|
361
|
-
* Delete an MFA factor
|
|
362
|
-
*/
|
|
363
|
-
deleteMfaFactor(factorId: string, userId: string): Promise<void>;
|
|
364
|
-
/**
|
|
365
|
-
* Create an MFA challenge
|
|
366
|
-
*/
|
|
367
|
-
createMfaChallenge(factorId: string, ipAddress?: string): Promise<MfaChallengeInfo>;
|
|
368
|
-
/**
|
|
369
|
-
* Get an MFA challenge by ID
|
|
370
|
-
*/
|
|
371
|
-
getMfaChallengeById(challengeId: string): Promise<MfaChallengeInfo | null>;
|
|
372
|
-
/**
|
|
373
|
-
* Mark an MFA challenge as verified
|
|
374
|
-
*/
|
|
375
|
-
verifyMfaChallenge(challengeId: string): Promise<void>;
|
|
376
|
-
/**
|
|
377
|
-
* Create recovery codes for a user
|
|
378
|
-
*/
|
|
379
|
-
createRecoveryCodes(userId: string, codeHashes: string[]): Promise<void>;
|
|
380
|
-
/**
|
|
381
|
-
* Use a recovery code (mark as used)
|
|
382
|
-
*/
|
|
383
|
-
useRecoveryCode(userId: string, codeHash: string): Promise<boolean>;
|
|
384
|
-
/**
|
|
385
|
-
* Get unused recovery code count for a user
|
|
386
|
-
*/
|
|
387
|
-
getUnusedRecoveryCodeCount(userId: string): Promise<number>;
|
|
388
|
-
/**
|
|
389
|
-
* Delete all recovery codes for a user
|
|
390
|
-
*/
|
|
391
|
-
deleteAllRecoveryCodes(userId: string): Promise<void>;
|
|
392
|
-
/**
|
|
393
|
-
* Check if a user has any verified MFA factors
|
|
394
|
-
*/
|
|
395
|
-
hasVerifiedMfaFactors(userId: string): Promise<boolean>;
|
|
396
|
-
}
|
|
397
|
-
/**
|
|
398
|
-
* Combined auth repository interface for convenience
|
|
399
|
-
*/
|
|
400
|
-
export interface AuthRepository extends UserRepository, RoleRepository, TokenRepository, MfaRepository {
|
|
401
|
-
}
|
package/dist/auth/jwt.d.ts
DELETED
|
@@ -1,55 +0,0 @@
|
|
|
1
|
-
export interface JwtConfig {
|
|
2
|
-
secret: string;
|
|
3
|
-
accessExpiresIn?: string;
|
|
4
|
-
refreshExpiresIn?: string;
|
|
5
|
-
}
|
|
6
|
-
export interface AccessTokenPayload {
|
|
7
|
-
userId: string;
|
|
8
|
-
roles: string[];
|
|
9
|
-
uid?: string;
|
|
10
|
-
/** Authentication Assurance Level: aal1 = password/oauth, aal2 = MFA verified */
|
|
11
|
-
aal?: "aal1" | "aal2";
|
|
12
|
-
/** Email claim from the JWT, if present */
|
|
13
|
-
email?: string;
|
|
14
|
-
/** Display name claim from the JWT, if present */
|
|
15
|
-
displayName?: string;
|
|
16
|
-
/** Photo URL claim from the JWT, if present */
|
|
17
|
-
photoURL?: string;
|
|
18
|
-
/** Whether MFA has been verified for this session */
|
|
19
|
-
mfa_verified?: boolean;
|
|
20
|
-
/** Authentication Methods Reference — list of methods used (e.g. 'pwd', 'otp') */
|
|
21
|
-
amr?: string[];
|
|
22
|
-
}
|
|
23
|
-
/**
|
|
24
|
-
* Configure JWT settings - call this during initialization.
|
|
25
|
-
* Validates the secret strength to prevent deployment with default/weak secrets.
|
|
26
|
-
*/
|
|
27
|
-
export declare function configureJwt(config: JwtConfig): void;
|
|
28
|
-
/**
|
|
29
|
-
* Generate an access token (short-lived, 1 hour by default)
|
|
30
|
-
*/
|
|
31
|
-
export declare function generateAccessToken(userId: string, roles: string[], aal?: "aal1" | "aal2", customClaims?: Record<string, unknown>): string;
|
|
32
|
-
/**
|
|
33
|
-
* Get the expiration time of an access token in milliseconds from now
|
|
34
|
-
*/
|
|
35
|
-
export declare function getAccessTokenExpiryMs(): number;
|
|
36
|
-
/**
|
|
37
|
-
* Get the expiration timestamp for an access token
|
|
38
|
-
*/
|
|
39
|
-
export declare function getAccessTokenExpiry(): number;
|
|
40
|
-
/**
|
|
41
|
-
* Verify and decode an access token
|
|
42
|
-
*/
|
|
43
|
-
export declare function verifyAccessToken(token: string): AccessTokenPayload | null;
|
|
44
|
-
/**
|
|
45
|
-
* Generate a random refresh token (long-lived, 30 days by default)
|
|
46
|
-
*/
|
|
47
|
-
export declare function generateRefreshToken(): string;
|
|
48
|
-
/**
|
|
49
|
-
* Hash a refresh token for database storage (don't store raw tokens)
|
|
50
|
-
*/
|
|
51
|
-
export declare function hashRefreshToken(token: string): string;
|
|
52
|
-
/**
|
|
53
|
-
* Calculate refresh token expiration date
|
|
54
|
-
*/
|
|
55
|
-
export declare function getRefreshTokenExpiry(): Date;
|
|
@@ -1,18 +0,0 @@
|
|
|
1
|
-
import type { OAuthProvider } from "./interfaces";
|
|
2
|
-
export interface LinkedinUserInfo {
|
|
3
|
-
linkedinId: string;
|
|
4
|
-
email: string;
|
|
5
|
-
displayName: string | null;
|
|
6
|
-
photoUrl: string | null;
|
|
7
|
-
emailVerified: boolean;
|
|
8
|
-
}
|
|
9
|
-
/**
|
|
10
|
-
* Creates a LinkedIn OAuth Provider integration
|
|
11
|
-
*/
|
|
12
|
-
export declare function createLinkedinProvider(config: {
|
|
13
|
-
clientId: string;
|
|
14
|
-
clientSecret: string;
|
|
15
|
-
}): OAuthProvider<{
|
|
16
|
-
code: string;
|
|
17
|
-
redirectUri: string;
|
|
18
|
-
}>;
|
|
@@ -1,6 +0,0 @@
|
|
|
1
|
-
import { Hono } from "hono";
|
|
2
|
-
import { z } from "zod";
|
|
3
|
-
import { HonoEnv } from "../api/types";
|
|
4
|
-
import type { AuthModuleConfig } from "./routes";
|
|
5
|
-
import { resolveAuthHooks } from "./auth-hooks";
|
|
6
|
-
export declare function mountMfaRoutes(router: Hono<HonoEnv>, config: AuthModuleConfig, ops: ReturnType<typeof resolveAuthHooks>, parseBody: <T>(schema: z.ZodSchema<T>, body: unknown) => T): void;
|
package/dist/auth/mfa.d.ts
DELETED
|
@@ -1,49 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* TOTP (Time-based One-Time Password) implementation.
|
|
3
|
-
*
|
|
4
|
-
* Pure Node.js crypto implementation — no external dependencies required.
|
|
5
|
-
* Implements RFC 6238 (TOTP) and RFC 4226 (HOTP).
|
|
6
|
-
*/
|
|
7
|
-
/**
|
|
8
|
-
* Encode a Buffer to Base32 string (RFC 4648)
|
|
9
|
-
*/
|
|
10
|
-
export declare function base32Encode(buffer: Buffer): string;
|
|
11
|
-
/**
|
|
12
|
-
* Decode a Base32 string to Buffer
|
|
13
|
-
*/
|
|
14
|
-
export declare function base32Decode(encoded: string): Buffer;
|
|
15
|
-
/**
|
|
16
|
-
* Generate a TOTP value for the current time step
|
|
17
|
-
*/
|
|
18
|
-
export declare function generateTotp(secret: Buffer, timeStep?: number): string;
|
|
19
|
-
/**
|
|
20
|
-
* Verify a TOTP token with a configurable time window
|
|
21
|
-
*
|
|
22
|
-
* @param secret - The shared secret as a Buffer
|
|
23
|
-
* @param token - The 6-digit TOTP code to verify
|
|
24
|
-
* @param window - Number of time steps to check on each side (default: 1)
|
|
25
|
-
* @returns true if the token is valid within the window
|
|
26
|
-
*/
|
|
27
|
-
export declare function verifyTotp(secret: Buffer, token: string, window?: number): boolean;
|
|
28
|
-
/**
|
|
29
|
-
* Generate a new TOTP secret and return the setup information
|
|
30
|
-
*
|
|
31
|
-
* @param issuer - The issuer name (app name) for the QR code
|
|
32
|
-
* @param accountName - The account identifier (usually email)
|
|
33
|
-
* @returns Object with base32 secret and otpauth URI
|
|
34
|
-
*/
|
|
35
|
-
export declare function generateTotpSecret(issuer: string, accountName: string): {
|
|
36
|
-
secret: string;
|
|
37
|
-
uri: string;
|
|
38
|
-
};
|
|
39
|
-
/**
|
|
40
|
-
* Generate a set of one-time recovery codes
|
|
41
|
-
*
|
|
42
|
-
* @param count - Number of recovery codes to generate (default: 10)
|
|
43
|
-
* @returns Array of formatted recovery code strings (e.g. "A1B2C-D3E4F")
|
|
44
|
-
*/
|
|
45
|
-
export declare function generateRecoveryCodes(count?: number): string[];
|
|
46
|
-
/**
|
|
47
|
-
* Hash a recovery code for storage
|
|
48
|
-
*/
|
|
49
|
-
export declare function hashRecoveryCode(code: string): string;
|
|
@@ -1,16 +0,0 @@
|
|
|
1
|
-
import type { OAuthProvider } from "./interfaces";
|
|
2
|
-
/**
|
|
3
|
-
* Creates a Microsoft / Entra ID (Azure AD) OAuth Provider integration.
|
|
4
|
-
*
|
|
5
|
-
* Supports both personal Microsoft accounts and work/school (Azure AD) accounts
|
|
6
|
-
* via the "common" tenant endpoint. Uses the authorization code flow.
|
|
7
|
-
*/
|
|
8
|
-
export declare function createMicrosoftProvider(config: {
|
|
9
|
-
clientId: string;
|
|
10
|
-
clientSecret: string;
|
|
11
|
-
/** Tenant ID. Defaults to "common" which allows both personal and organizational accounts. */
|
|
12
|
-
tenantId?: string;
|
|
13
|
-
}): OAuthProvider<{
|
|
14
|
-
code: string;
|
|
15
|
-
redirectUri: string;
|
|
16
|
-
}>;
|
|
@@ -1,106 +0,0 @@
|
|
|
1
|
-
import { MiddlewareHandler, Context } from "hono";
|
|
2
|
-
import { DataDriver } from "@rebasepro/types";
|
|
3
|
-
import { AccessTokenPayload } from "./jwt";
|
|
4
|
-
import { HonoEnv } from "../api/types";
|
|
5
|
-
import type { ApiKeyStore } from "./api-keys/api-key-store";
|
|
6
|
-
/**
|
|
7
|
-
* Result from a custom auth validator.
|
|
8
|
-
* - `false`/`null`/`undefined` = not authenticated
|
|
9
|
-
* - `true` = authenticated as default user
|
|
10
|
-
* - object with `userId` or `uid` = authenticated with user info
|
|
11
|
-
*/
|
|
12
|
-
export type AuthResult = boolean | null | undefined | {
|
|
13
|
-
userId?: string;
|
|
14
|
-
uid?: string;
|
|
15
|
-
roles?: string[];
|
|
16
|
-
[key: string]: unknown;
|
|
17
|
-
};
|
|
18
|
-
/**
|
|
19
|
-
* Options for creating an auth middleware via createAuthMiddleware()
|
|
20
|
-
*/
|
|
21
|
-
export interface AuthMiddlewareOptions {
|
|
22
|
-
/** DataDriver to scope via withAuth() for RLS */
|
|
23
|
-
driver: DataDriver;
|
|
24
|
-
/**
|
|
25
|
-
* If true, return 401 when no valid token is present.
|
|
26
|
-
*
|
|
27
|
-
* **Defaults to `true` (secure by default).** Set to `false` only for
|
|
28
|
-
* intentionally public endpoints where access control is fully delegated
|
|
29
|
-
* to Postgres Row-Level Security policies.
|
|
30
|
-
*/
|
|
31
|
-
requireAuth?: boolean;
|
|
32
|
-
/** Optional custom validator (for non-JWT auth, e.g. Firebase Auth) */
|
|
33
|
-
validator?: (c: Context<HonoEnv>) => Promise<AuthResult>;
|
|
34
|
-
/**
|
|
35
|
-
* A static secret key for server-to-server / script authentication.
|
|
36
|
-
*
|
|
37
|
-
* When a request sends `Authorization: Bearer <key>` and the key matches
|
|
38
|
-
* this value, the request is granted admin-level access (uid: `service`,
|
|
39
|
-
* roles: `["admin"]`) **without** JWT verification. The driver is scoped
|
|
40
|
-
* via `withAuth()` with the service identity.
|
|
41
|
-
*
|
|
42
|
-
* This is the Rebase equivalent of a Firebase Service Account key.
|
|
43
|
-
* Set via `REBASE_SERVICE_KEY` in `.env` and pass through the backend config.
|
|
44
|
-
*
|
|
45
|
-
* **Security:** The comparison uses constant-time equality to prevent
|
|
46
|
-
* timing attacks. The key must be at least 32 characters.
|
|
47
|
-
*/
|
|
48
|
-
serviceKey?: string;
|
|
49
|
-
/**
|
|
50
|
-
* API key store for authenticating `rk_` prefixed tokens.
|
|
51
|
-
* When set, tokens starting with `rk_` are validated against the
|
|
52
|
-
* database instead of being treated as JWTs.
|
|
53
|
-
*/
|
|
54
|
-
apiKeyStore?: ApiKeyStore;
|
|
55
|
-
}
|
|
56
|
-
/**
|
|
57
|
-
* Hono middleware that requires a valid JWT token
|
|
58
|
-
* Returns 401 if token is missing or invalid
|
|
59
|
-
*/
|
|
60
|
-
export declare const requireAuth: MiddlewareHandler<HonoEnv>;
|
|
61
|
-
/**
|
|
62
|
-
* Factory that creates a requireAuth middleware with optional service key support.
|
|
63
|
-
*
|
|
64
|
-
* When `serviceKey` is provided, the middleware will check if the Bearer token
|
|
65
|
-
* matches the service key using constant-time comparison. If it matches, the
|
|
66
|
-
* request is authenticated as a service user with admin privileges.
|
|
67
|
-
*
|
|
68
|
-
* This allows admin routes (which use standalone requireAuth + requireAdmin)
|
|
69
|
-
* to be accessed via service keys for scripts and server-to-server calls.
|
|
70
|
-
*/
|
|
71
|
-
export declare function createRequireAuth(options?: {
|
|
72
|
-
serviceKey?: string;
|
|
73
|
-
}): MiddlewareHandler<HonoEnv>;
|
|
74
|
-
/**
|
|
75
|
-
* Middleware that requires the user to have an admin or schema-admin role.
|
|
76
|
-
* Must be used AFTER requireAuth or on a route where user is guaranteed.
|
|
77
|
-
*/
|
|
78
|
-
export declare const requireAdmin: MiddlewareHandler<HonoEnv>;
|
|
79
|
-
/**
|
|
80
|
-
* Middleware that optionally extracts user from JWT
|
|
81
|
-
* Does not return 401 if token is missing - allows anonymous access
|
|
82
|
-
*/
|
|
83
|
-
export declare const optionalAuth: MiddlewareHandler<HonoEnv>;
|
|
84
|
-
/**
|
|
85
|
-
* Extract user from token - for WebSocket authentication
|
|
86
|
-
*/
|
|
87
|
-
export declare function extractUserFromToken(token: string): AccessTokenPayload | null;
|
|
88
|
-
/**
|
|
89
|
-
* Create a configurable auth middleware that handles:
|
|
90
|
-
* 1. Token extraction (via custom validator or JWT Bearer token)
|
|
91
|
-
* 2. RLS-scoped DataDriver via withAuth()
|
|
92
|
-
* 3. Enforcement (401 when requireAuth is true and no user)
|
|
93
|
-
*
|
|
94
|
-
* **Secure by default:** `requireAuth` defaults to `true`. Anonymous
|
|
95
|
-
* access is only allowed when the developer explicitly opts out by
|
|
96
|
-
* setting `requireAuth: false`, indicating that Postgres RLS policies
|
|
97
|
-
* fully control access.
|
|
98
|
-
*
|
|
99
|
-
* **Fail-closed:** The raw unscoped driver is never placed in the
|
|
100
|
-
* request context. Every code path either scopes via `withAuth()` or
|
|
101
|
-
* rejects the request. This prevents silent RLS bypass.
|
|
102
|
-
*
|
|
103
|
-
* This is the single source of truth for HTTP auth in Rebase.
|
|
104
|
-
* Use this instead of manually parsing tokens in route handlers.
|
|
105
|
-
*/
|
|
106
|
-
export declare function createAuthMiddleware(options: AuthMiddlewareOptions): MiddlewareHandler<HonoEnv>;
|
package/dist/auth/password.d.ts
DELETED
|
@@ -1,22 +0,0 @@
|
|
|
1
|
-
export interface PasswordValidationResult {
|
|
2
|
-
valid: boolean;
|
|
3
|
-
errors: string[];
|
|
4
|
-
}
|
|
5
|
-
/**
|
|
6
|
-
* Password requirements:
|
|
7
|
-
* - Minimum 8 characters
|
|
8
|
-
* - At least 1 uppercase letter
|
|
9
|
-
* - At least 1 lowercase letter
|
|
10
|
-
* - At least 1 number
|
|
11
|
-
*/
|
|
12
|
-
export declare function validatePasswordStrength(password: string): PasswordValidationResult;
|
|
13
|
-
/**
|
|
14
|
-
* Hash a password using Node's built-in scrypt
|
|
15
|
-
* Returns format: salt:hash (both hex encoded)
|
|
16
|
-
*/
|
|
17
|
-
export declare function hashPassword(password: string): Promise<string>;
|
|
18
|
-
/**
|
|
19
|
-
* Verify a password against a scrypt hash
|
|
20
|
-
* Expects format: salt:hash (both hex encoded)
|
|
21
|
-
*/
|
|
22
|
-
export declare function verifyPassword(password: string, storedHash: string): Promise<boolean>;
|