@rineex/auth-core 0.1.0 → 0.1.1

package/src/domain/policy/engine/auth-policy-engine.ts

@@ -1,41 +0,0 @@
-import { AuthPolicyDecision } from '../contracts/auth-policy-decision';
-import { AuthPolicyContext } from '../contracts/auth-policy-context';
-import { AuthPolicyEvaluator } from '../contracts/auth-policy';
-
-/**
- * Coordinates multiple authentication policies
- * and produces a final decision.
- */
-export class AuthPolicyEngine {
-  private readonly policies: readonly AuthPolicyEvaluator[];
-
-  constructor(policies: readonly AuthPolicyEvaluator[]) {
-    this.policies = policies;
-  }
-
-  /**
-   * Evaluates all policies in order.
-   * First hard-deny wins.
-   */
-  public evaluate(context: AuthPolicyContext): AuthPolicyDecision {
-    let requiresStepUp = false;
-
-    for (const policy of this.policies) {
-      const decision = policy.evaluate(context);
-      if (!decision) continue;
-
-      if (decision.allowed === false) {
-        return decision;
-      }
-
-      if (decision.requiresStepUp) {
-        requiresStepUp = true;
-      }
-    }
-
-    return {
-      requiresStepUp,
-      allowed: true,
-    };
-  }
-}

package/src/domain/policy/index.ts

@@ -1,2 +0,0 @@
-export * from './contracts';
-export * from './engine/auth-policy-engine';

package/src/domain/session/entities/session.entity.ts

@@ -1,82 +0,0 @@
-import { SessionToken } from '@/domain/token/value-objects/session-token.vo';
-import { defaultIfNilOrEmpty } from '@/utils/default-if-blank.util';
-import { CreateEntityProps, Entity } from '@rineex/ddd';
-import { IdentityId } from '@/domain/identity';
-
-import { SessionId } from '../value-objects/session-id.vo';
-
-interface CreateSessionProps extends CreateEntityProps<SessionId> {
-  readonly identityId: IdentityId;
-  readonly token: SessionToken;
-  readonly expiresAt: Date;
-  readonly revokedAt?: Date;
-}
-
-export class Session extends Entity<SessionId> {
-  private _identityId: IdentityId;
-  private _token: SessionToken;
-  private _expiresAt: Date;
-  private _revokedAt?: Date;
-
-  protected constructor({ createdAt, id, ...props }: CreateSessionProps) {
-    super({ createdAt, id });
-
-    this._expiresAt = props.expiresAt;
-    this._revokedAt = props.revokedAt;
-    this._identityId = props.identityId;
-    this._token = props.token;
-  }
-
-  public static create(props: CreateSessionProps): Session {
-    return new Session(props);
-  }
-
-  toObject(): Record<string, unknown> {
-    return {
-      identityId: this._identityId.getValue(),
-      revokedAt: this._revokedAt?.toString(),
-      expiresAt: this._expiresAt.toString(),
-      revoked: !!this._revokedAt,
-      id: this.id.getValue(),
-      token: this._token,
-    };
-  }
-
-  revoke(at: Date): void {
-    if (this._revokedAt) return;
-
-    this.mutate(draft => {
-      draft._revokedAt = at;
-    });
-  }
-
-  public isActive(now = new Date()): boolean {
-    if (this._revokedAt) return false;
-
-    return now < this._expiresAt;
-  }
-
-  protected snapshot() {
-    return {
-      revokedAt: defaultIfNilOrEmpty(this._revokedAt?.toISOString()),
-      expiresAt: this._expiresAt.toISOString(),
-      identityId: this._identityId.toJSON(),
-      token: this._token.toJSON(),
-    };
-  }
-
-  protected restore(snapshot: Record<string, unknown>): void {
-    this._revokedAt = snapshot?.revokedAt
-      ? new Date(snapshot.revokedAt as string)
-      : undefined;
-    this._expiresAt = new Date(snapshot.expiresAt as string);
-    this._identityId = IdentityId.create(snapshot.identityId as string);
-    this._token = SessionToken.create(snapshot.token as string);
-  }
-
-  validate(): void {
-    if (this._expiresAt <= new Date(0)) {
-      throw new Error('Session expiration must be valid');
-    }
-  }
-}

package/src/domain/session/value-objects/session-id.vo.ts

@@ -1,10 +0,0 @@
-import { InvalidSessionViolation } from '@/domain/violations/invalid-session.violation';
-import { PrimitiveValueObject } from '@rineex/ddd';
-
-export class SessionId extends PrimitiveValueObject<string> {
-  protected validate(value: string): void {
-    if (!value || value.length < 16) {
-      throw InvalidSessionViolation.create();
-    }
-  }
-}

package/src/domain/token/aggregates/token.aggregate.ts

@@ -1,34 +0,0 @@
-import { AggregateRoot, CreateEntityProps } from '@rineex/ddd';
-import { IdentityId } from '@/domain/identity';
-
-interface TokenProps extends CreateEntityProps<IdentityId> {
-  readonly identityId: IdentityId;
-  readonly expiresAt: Date;
-  revokedAt?: Date;
-}
-
-export class Token extends AggregateRoot<IdentityId> {
-  protected constructor(private props: TokenProps) {
-    super(props);
-  }
-
-  public revoke(at: Date): void {
-    if (this.props.revokedAt) return;
-
-    this.mutate(draft => {
-      draft.revokedAt = at;
-    });
-  }
-
-  public isActive(now = new Date()): boolean {
-    return (
-      !this.props.revokedAt && this.props.expiresAt.getTime() > now.getTime()
-    );
-  }
-
-  validate(): void {
-    if (this.props.expiresAt.getTime() <= Date.now()) {
-      throw new Error('Token already expired');
-    }
-  }
-}

package/src/domain/token/value-objects/auth-token.vo.ts

@@ -1,29 +0,0 @@
-import { InvalidAuthTokenViolation } from '@/domain/violations/invalid-auth-token.violation';
-import { PrimitiveValueObject } from '@rineex/ddd';
-
-/**
- * Represents a cryptographic authentication token.
- *
- * IMPORTANT:
- * - This is NOT a JWT
- * - This is NOT a bearer string
- * - This is a domain-level proof of authentication
- *
- * Concrete formats live in adapters.
- */
-export abstract class AuthToken extends PrimitiveValueObject<string> {
-  /**
-   * Token type identifier.
-   * Used for routing to correct adapters.
-   */
-  abstract readonly type: string;
-
-  protected validate(value: string): void {
-    if (value.length < 32) {
-      throw InvalidAuthTokenViolation.create({
-        actualLength: value.length,
-        minLength: 32,
-      });
-    }
-  }
-}

package/src/domain/token/value-objects/session-token.vo.ts

@@ -1,14 +0,0 @@
-import { AuthToken } from './auth-token.vo';
-
-/**
- * Token bound to a session lifecycle.
- */
-export class SessionToken extends AuthToken {
-  get type() {
-    return 'session';
-  }
-
-  public static create(value: string): SessionToken {
-    return new SessionToken(value);
-  }
-}

package/src/domain/violations/auth-domain.violation.ts

@@ -1,9 +0,0 @@
-import { DomainViolation } from '@rineex/ddd';
-
-/**
- * Base class for all authentication domain violations.
- *
- * Auth domain MUST only throw DomainViolation objects.
- * Mapping to native Error happens at application or adapter layer.
- */
-export abstract class AuthDomainViolation extends DomainViolation {}

package/src/domain/violations/invalid-auth-token.violation.ts

@@ -1,13 +0,0 @@
-import { AuthDomainViolation } from './auth-domain.violation';
-
-/**
- * Raised when an authentication token violates domain invariants.
- */
-export class InvalidAuthTokenViolation extends AuthDomainViolation {
-  readonly code = 'AUTH_TOKEN_INVALID';
-  readonly message = 'Authentication token is invalid';
-
-  public static create(details: { actualLength: number; minLength: number }) {
-    return new InvalidAuthTokenViolation(details);
-  }
-}

package/src/domain/violations/invalid-scope.violation.ts

@@ -1,10 +0,0 @@
-import { DomainViolation } from '@rineex/ddd';
-
-export class InvalidScopeViolation extends DomainViolation {
-  public readonly code = 'auth.scope.invalid';
-  public readonly message = 'Scope format is invalid';
-
-  public static create(): InvalidScopeViolation {
-    return new InvalidScopeViolation();
-  }
-}

package/src/domain/violations/invalid-session.violation.ts

@@ -1,13 +0,0 @@
-import { AuthDomainViolation } from './auth-domain.violation';
-
-/**
- * Raised when a session invariant is violated.
- */
-export class InvalidSessionViolation extends AuthDomainViolation {
-  readonly code = 'session.invalid';
-  readonly message = 'Session state is invalid';
-
-  public static create(): InvalidSessionViolation {
-    return new InvalidSessionViolation();
-  }
-}

package/src/index.ts

@@ -1,3 +0,0 @@
-export * from './domain';
-export * from './ports';
-export * from './types';

package/src/ports/inbound/auth-method.port.ts

@@ -1,18 +0,0 @@
-import { AuthMethod } from '@/domain/identity/value-objects';
-import { AuthContext } from '@/types/auth-context.type';
-
-/**
- * Contract implemented by authentication method modules.
- *
- * Examples:
- * - OTP
- * - OAuth
- * - Passkeys
- *
- * Auth-core depends on this abstraction, not implementations.
- */
-export type AuthMethodPort = {
-  readonly method: AuthMethod;
-
-  authenticate: (context: AuthContext) => Promise<void>;
-};

package/src/ports/inbound/index.ts

@@ -1,2 +0,0 @@
-export * from './auth-method.port';
-export * from './start-auth.command';

package/src/ports/inbound/start-auth.command.ts

@@ -1,28 +0,0 @@
-import { AuthMethodName } from '@/types/auth-method.type';
-import { AuthContext } from '@/types/auth-context.type';
-import { IdentityId } from '@/domain';
-
-/**
- * Command representing a request to start authentication.
- *
- * This is a pure use-case input.
- * It is NOT tied to HTTP, RPC, GraphQL, or CLI.
- */
-export type StartAuthenticationCommand = {
-  /**
-   * Authentication method requested.
-   * Strongly typed and autocomplete-safe.
-   */
-  readonly method: AuthMethodName;
-
-  /**
-   * Optional identity hint.
-   * Used for passwordless, SSO, or known users.
-   */
-  readonly identityId?: IdentityId;
-
-  /**
-   * Execution context for auditing, correlation, and risk.
-   */
-  readonly context: AuthContext;
-};

package/src/ports/index.ts

@@ -1,2 +0,0 @@
-export * from './inbound';
-export * from './outbound';

package/src/ports/log/log.port.ts

@@ -1,25 +0,0 @@
-/**
- * Application-level logger port.
- *
- * Must be:
- * - side-effect only
- * - non-throwing
- * - fast
- *
- * Domain must never depend on this.
- */
-export type LoggerPort = {
-  info: (message: string, metadata?: Readonly<Record<string, unknown>>) => void;
-
-  debug: (
-    message: string,
-    metadata?: Readonly<Record<string, unknown>>,
-  ) => void;
-
-  warn: (message: string, metadata?: Readonly<Record<string, unknown>>) => void;
-
-  error: (
-    message: string,
-    metadata?: Readonly<Record<string, unknown>>,
-  ) => void;
-};

package/src/ports/mfa/mfa-clock.port.ts

@@ -1,11 +0,0 @@
-/**
- * Time abstraction for MFA logic.
- *
- * Required for:
- * - expiration checks
- * - deterministic testing
- * - avoiding Date.now() in domain
- */
-export type MfaClock = {
-  now: () => Date;
-};

package/src/ports/mfa/mfa-session-id-generator.port.ts

@@ -1,15 +0,0 @@
-import { MfaSessionId } from '@/domain/mfa/value-objects/mfa-session-id.vo';
-
-/**
- * Generates MFA session identifiers.
- *
- * Examples:
- * - ULID
- * - UUIDv7
- * - KSUID
- *
- * Domain does NOT care.
- */
-export type MfaSessionIdGenerator = {
-  generate: () => MfaSessionId;
-};

package/src/ports/mfa/mfa-session-repository.port.ts

@@ -1,31 +0,0 @@
-import { MfaSessionId } from '@/domain/mfa/value-objects/mfa-session-id.vo';
-import { MFASession } from '@/domain/mfa/aggregates/mfa-session.aggregate';
-import { IdentityId } from '@/domain';
-
-/**
- * Persistence port for MFA sessions.
- *
- * Implementations may use:
- * - SQL
- * - NoSQL
- * - Redis
- * - In-memory
- *
- * Domain MUST NOT know which.
- */
-export type MfaSessionRepository = {
-  /**
-   * Find MFA session by aggregate id.
-   */
-  findById: (id: MfaSessionId) => Promise<MFASession | null>;
-
-  /**
-   * Find active MFA session for an identity.
-   */
-  findActiveByIdentity: (identityId: IdentityId) => Promise<MFASession | null>;
-
-  /**
-   * Persist MFA session state.
-   */
-  save: (session: MFASession) => Promise<void>;
-};

package/src/ports/observability/observability-event.port.ts

@@ -1,16 +0,0 @@
-import { ObservabilityEvent } from '@/types/observability-event';
-
-/**
- * Observability event emitter.
- *
- * Used for:
- * - audit logs
- * - security monitoring
- * - metrics
- * - tracing
- *
- * Must be non-blocking and non-throwing.
- */
-export type ObservabilityEventPort = {
-  emit: (event: ObservabilityEvent) => void;
-};

package/src/ports/outbound/authentication-attempt.repository.port.ts

@@ -1,11 +0,0 @@
-import { AuthenticationAttempt } from '@/domain/aggregates/authentication-attempt.aggregate';
-
-/**
- * Persistence port for authentication attempts.
- *
- * Implementation is infrastructure-specific.
- */
-export type AuthenticationAttemptRepositoryPort = {
-  save: (attempt: AuthenticationAttempt) => Promise<void>;
-  findById: (id: string) => Promise<AuthenticationAttempt | null>;
-};

package/src/ports/outbound/domain-event-publisher.port.ts

@@ -1,13 +0,0 @@
-import { DomainEvent } from '@rineex/ddd';
-
-/**
- * Publishes domain events emitted by aggregates.
- *
- * Implementations may:
- * - dispatch to message bus
- * - log events
- * - forward to observability stack
- */
-export type DomainEventPublisherPort = {
-  publish: (events: readonly DomainEvent[]) => Promise<void>;
-};

package/src/ports/outbound/index.ts

@@ -1,2 +0,0 @@
-export * from './authentication-attempt.repository.port';
-export * from './domain-event-publisher.port';

package/src/ports/outbound/session.repository.port.ts

@@ -1,9 +0,0 @@
-import { SessionToken } from '@/domain/token/value-objects/session-token.vo';
-import { SessionId } from '@/domain/session/value-objects/session-id.vo';
-import { Session } from '@/domain/session/entities/session.entity';
-
-export type SessionRepositoryPort = {
-  save: (session: Session) => Promise<void>;
-  findById: (id: SessionId) => Promise<Session | null>;
-  findByToken: (token: SessionToken) => Promise<Session | null>;
-};

package/src/ports/repositories/oauth-authorization.repository.ts

@@ -1,21 +0,0 @@
-import { OauthAuthorization } from '@/domain/oauth/aggregates/oauth-authorization.aggregate';
-
-export type OAuthAuthorizationRepository = {
-  /**
-   * Persists an OAuth authorization aggregate.
-   */
-  save: (authorization: OauthAuthorization) => Promise<void>;
-
-  /**
-   * Loads authorization by its identifier.
-   */
-  getById: (id: string) => Promise<OauthAuthorization | null>;
-
-  /**
-   * Finds active authorization by client and identity.
-   */
-  findActiveByClientAndIdentity: (params: {
-    readonly clientId: string;
-    readonly identityId: string;
-  }) => Promise<OauthAuthorization | null>;
-};

package/src/ports/repositories/token.repository.ts

@@ -1,11 +0,0 @@
-export type TokenRepository = {
-  save: (token: Token) => Promise<void>;
-
-  getById: (id: string) => Promise<Token | null>;
-
-  /**
-   * Revokes all active tokens for an identity.
-   * Used for logout-all / security events.
-   */
-  revokeAllByIdentity: (identityId: string) => Promise<void>;
-};

package/src/types/auth-context.type.ts

@@ -1,11 +0,0 @@
-/**
- * Context passed across authentication boundaries.
- *
- * This type is intentionally open-ended and extensible.
- */
-export type AuthContext = {
-  readonly correlationId: string;
-  readonly ipAddress?: string;
-  readonly userAgent?: string;
-  readonly metadata?: Record<string, unknown>;
-};

package/src/types/auth-factor.type.ts

@@ -1,10 +0,0 @@
-/**
- * Registry of authentication factor identifiers.
- *
- * Used for MFA and step-up authentication.
- */
-export type AuthFactorRegistry = {
-  password: 'password';
-};
-
-export type AuthFactorName = keyof AuthFactorRegistry;

package/src/types/auth-method.type.ts

@@ -1,20 +0,0 @@
-/**
- * Registry for authentication method identifiers.
- *
- * This type is intentionally open for module augmentation.
- * Each auth-method package extends this registry.
- */
-export type AuthMethodRegistry = {
-  readonly passwordless: true;
-  readonly otp: true;
-};
-
-/**
- * Union of all registered authentication method names.
- *
- * This enables:
- * - IDE autocomplete
- * - Type safety
- * - Plugin-based extension
- */
-export type AuthMethodName = keyof AuthMethodRegistry;

package/src/types/auth-policy.type.ts

@@ -1,16 +0,0 @@
-/**
- * Registry of authentication policy identifiers.
- *
- * This registry is intentionally open for module augmentation.
- * Each policy package extends this type.
- */
-export type AuthPolicyRegistry = {
-  readonly base: true;
-};
-
-/**
- * Union of all registered authentication policy names.
- *
- * Enables autocomplete and compile-time safety.
- */
-export type AuthPolicyName = keyof AuthPolicyRegistry;

package/src/types/identity-provider.type.ts

@@ -1,8 +0,0 @@
-/**
- * Registry of identity provider identifiers.
- *
- * Supports social login, enterprise SSO, and internal IdPs.
- */
-export type IdentityProviderRegistry = {};
-
-export type IdentityProviderName = keyof IdentityProviderRegistry;

package/src/types/index.ts

@@ -1,6 +0,0 @@
-export * from './auth-context.type';
-export * from './auth-factor.type';
-export * from './auth-method.type';
-export * from './auth-policy.type';
-export * from './identity-provider.type';
-export * from './risk-signal.type';

package/src/types/observability-event.ts

@@ -1,33 +0,0 @@
-/**
- * Base structure for observability events.
- *
- * These events:
- * - are NOT domain events
- * - must be safe to store long-term
- * - must never contain secrets
- */
-export type ObservabilityEventProps = {
-  readonly name: string;
-  readonly occurredAt?: Date;
-  readonly payload: Readonly<Record<string, unknown>>;
-};
-
-export class ObservabilityEvent {
-  public readonly name: string;
-  public readonly occurredAt: Date;
-  public readonly payload: Readonly<Record<string, unknown>>;
-
-  constructor(props: ObservabilityEventProps) {
-    this.name = props.name;
-    this.occurredAt = props.occurredAt ?? new Date();
-    this.payload = props.payload;
-  }
-
-  toPrimitives() {
-    return {
-      occurredAt: this.occurredAt.toISOString(),
-      payload: this.payload,
-      name: this.name,
-    };
-  }
-}

package/src/types/risk-signal.type.ts

@@ -1,11 +0,0 @@
-/**
- * Registry of risk signal identifiers.
- *
- * Signals are produced by detectors and consumed by policies.
- */
-export type RiskSignalRegistry = {};
-
-/**
- * Union of all registered risk signal names.
- */
-export type RiskSignalName = keyof RiskSignalRegistry;