@siran/auth-core 0.1.1 → 0.14.0

package/src/application/services/composite-auth.service.ts

@@ -0,0 +1,96 @@
+import type {
+  AuthMethod,
+  AuthResult,
+  AuthServicePort,
+} from '@application/ports/auth-service.port.js';
+
+export type AuthMethodConfig = Partial<
+  Record<AuthMethod['type'], AuthServicePort>
+>;
+
+export class CompositeAuthService implements AuthServicePort {
+  private readonly methodConfig: AuthMethodConfig;
+  private readonly adapters: AuthServicePort[];
+
+  constructor(config: AuthMethodConfig) {
+    this.methodConfig = config;
+    // Extract all adapters from config for operations like logout
+    this.adapters = Object.values(config).filter(
+      (adapter): adapter is AuthServicePort => adapter !== undefined
+    );
+  }
+
+  async authenticate(method: AuthMethod): Promise<AuthResult> {
+    const adapter = this.getAdapterForMethod(method);
+
+    if (!adapter) {
+      return {
+        ok: false,
+        error: 'ADAPTER_UNAVAILABLE',
+        violatedPolicies: [],
+      };
+    }
+
+    try {
+      return await adapter.authenticate(method);
+    } catch (error) {
+      console.error('Authentication error in adapter:', error);
+      return {
+        ok: false,
+        error: 'NETWORK_ERROR',
+        violatedPolicies: [],
+      };
+    }
+  }
+
+  async register(method: AuthMethod): Promise<AuthResult> {
+    const adapter = this.getAdapterForMethod(method);
+
+    if (!adapter) {
+      return {
+        ok: false,
+        error: 'ADAPTER_UNAVAILABLE',
+        violatedPolicies: [],
+      };
+    }
+
+    try {
+      return await adapter.register(method);
+    } catch (error) {
+      console.error('Registration error in adapter:', error);
+      return {
+        ok: false,
+        error: 'NETWORK_ERROR',
+        violatedPolicies: [],
+      };
+    }
+  }
+
+  async logout(): Promise<void> {
+    // Try to logout from all adapters
+    const logoutPromises = this.adapters.map(async (adapter) => {
+      try {
+        await adapter.logout();
+      } catch (error) {
+        console.error('Logout error in adapter:', error);
+        // Continue with other adapters even if one fails
+      }
+    });
+
+    await Promise.allSettled(logoutPromises);
+  }
+
+  /**
+   * Get adapter for specific auth method
+   */
+  private getAdapterForMethod(method: AuthMethod): AuthServicePort | undefined {
+    return this.methodConfig[method.type];
+  }
+
+  /**
+   * Get method configuration (read-only)
+   */
+  getMethodConfig(): AuthMethodConfig {
+    return { ...this.methodConfig };
+  }
+}

package/src/application/use-cases/authenticate-user.ts

@@ -1,8 +1,21 @@
+import { AuthPreferencesServicePort } from "@application/ports/auth-preference-service.port.js";
+import type { AuthMethod, AuthResult } from "@application/ports/auth-service.port.js";
 import { AuthServicePort } from "@application/ports/auth-service.port.js";
-import type { AuthMethod } from "@application/ports/auth-service.port.js";
 
 
 export const authenticateUser =
-  (authService: AuthServicePort) =>
-  (method: AuthMethod) =>
-    authService.authenticate(method);
+  (authService: AuthServicePort, authPreferencesService: AuthPreferencesServicePort) =>
+    async (method: AuthMethod): Promise<AuthResult> => {
+      const result = await authService.authenticate(method);
+      if (!result.ok) {
+        return { ok: false, error: result.error, violatedPolicies: [] };
+      }
+      if (result.user.status === 'disabled') {
+        return { ok: false, error: 'ACCOUNT_DISABLED', violatedPolicies: [] };
+      }
+      const preferences = await authPreferencesService.getAuthPreferences();
+      if (!result.user.isVerified && !preferences.allowLoginWithNotVerifiedAccount) {
+        return { ok: false, error: 'ACCOUNT_NOT_VERIFIED', violatedPolicies: [] };
+      }
+      return { ok: true, user: result.user };
+    }

package/src/application/use-cases/register-user.ts

@@ -0,0 +1,28 @@
+import { AuthMethod, AuthResult, AuthServicePort } from "@application/ports/auth-service.port.js";
+import { PreRegisterPolicy } from "@application/ports/pre-register-policy.port.js";
+
+export const registerUser =
+  (authService: AuthServicePort, policies: PreRegisterPolicy[]) =>
+    async (method: AuthMethod): Promise<AuthResult> => {
+      const activePolicies = await Promise.all(policies
+        .map(async policy => ({
+          isActive: await policy.isActive(method),
+          value: policy,
+        }))
+      );
+      const results = await Promise.all(activePolicies
+        .filter(policy => policy.isActive)
+        .map(async policy => ({
+          code: policy.value.code,
+          ok: await policy.value.check(method),
+        })));
+      const violdatedPolicies = results.filter(result => !result.ok);
+      if (violdatedPolicies.length > 0) {
+        return {
+          ok: false,
+          error: 'PRE_REGISTER_POLICY_VIOLATED',
+          violatedPolicies: violdatedPolicies.map(result => result.code)
+        };
+      }
+      return authService.register(method);
+    };

package/src/auth-engine.factory.ts

@@ -0,0 +1,53 @@
+import { AccountAlreadyExistsPolicy } from '@application/policies/account-already-exists.policy.js';
+import { OtpCodePolicy } from '@application/policies/otp-code.policy.js';
+import { OtpIdentifierPolicy } from '@application/policies/otp-identifier.policy.js';
+import { PasswordIdentifierPolicy } from '@application/policies/password-identifier.policy.js';
+import { PasswordPresentPolicy } from '@application/policies/password-present.policy.js';
+import { PasswordStrengthPolicy } from '@application/policies/password-strength.policy.js';
+import { AuthPreferencesServicePort } from '@application/ports/auth-preference-service.port.js';
+import { AuthServicePort } from '@application/ports/auth-service.port.js';
+import { PreRegisterPolicy } from '@application/ports/pre-register-policy.port.js';
+import { UserExistencePort } from '@application/ports/user-existence.port.js';
+import { authenticateUser } from '@application/use-cases/authenticate-user.js';
+import { registerUser } from '@application/use-cases/register-user.js';
+import { AuthEngine } from '@root/auth-engine.js';
+
+export class AuthEngineFactory {
+  static async create(
+    authService: AuthServicePort,
+    authPreferencesService: AuthPreferencesServicePort,
+    userExistence: UserExistencePort,
+    basePolicies: PreRegisterPolicy[]
+  ): Promise<AuthEngine> {
+    const preferences = await authPreferencesService.getAuthPreferences();
+
+    const policies = [
+      ...basePolicies,
+      new AccountAlreadyExistsPolicy(
+        userExistence,
+        !preferences.allowDuplicatedAccount
+      ),
+      new PasswordStrengthPolicy(
+        !preferences.allowWeakPassword
+      ),
+      new PasswordIdentifierPolicy(
+        !preferences.allowMissingPasswordIdentifier
+      ),
+      new PasswordPresentPolicy(
+        !preferences.allowMissingPassword
+      ),
+      new OtpIdentifierPolicy(
+        !preferences.allowMissingOtpIdentifier
+      ),
+      new OtpCodePolicy(
+        !preferences.allowMissingOtpCode
+      ),
+    ];
+
+    return new AuthEngine({
+      register: registerUser(authService, policies),
+      authenticate: authenticateUser(authService, authPreferencesService),
+      logout: () => authService.logout(),
+    });
+  }
+}

package/src/auth-engine.ts

@@ -0,0 +1,25 @@
+import { AuthMethod, AuthResult } from "@application/ports/auth-service.port.js";
+
+export interface AuthActions {
+  register(method: AuthMethod): Promise<AuthResult>;
+  authenticate(method: AuthMethod): Promise<AuthResult>;
+  logout(): Promise<void>;
+}
+
+export class AuthEngine implements AuthActions {
+  constructor(
+    private readonly useCases: AuthActions,
+  ) { }
+
+  async register(method: AuthMethod): Promise<AuthResult> {
+    return this.useCases.register(method);
+  }
+
+  async authenticate(method: AuthMethod): Promise<AuthResult> {
+    return await this.useCases.authenticate(method);
+  }
+
+  async logout(): Promise<void> {
+    return await this.useCases.logout();
+  }
+}

package/src/domain/user-account.ts

@@ -1,22 +1,16 @@
 export type UserStatus = "active" | "disabled" | "lockedTemporarily";
 
-export type UserRole = "parent" | "staff" | "admin" | "student" | "teacher";
-
 /**
  * Domaine: compte utilisateur Sekoliko.
  * Indépendant de toute technologie (pas de dépendance à Supabase ou React).
  */
 export interface UserAccount {
   id: string;
-  establishmentIds: string[];
   displayName: string;
-  firstName?: string;
-  lastName?: string;
-  contactEmail: string;
   status: UserStatus;
-  roles: UserRole[];
-  failedLoginAttempts: number;
-  lastFailedLoginAt: Date | null;
+  failedLoginAttempts?: number;
+  lastFailedLoginAt?: Date | null;
+  isVerified?: boolean;
 }
 
 export const canLogin = (user: UserAccount): boolean =>

package/src/index.ts

@@ -2,10 +2,24 @@
  * Domain
  */
 export * from '@domain/user-account.js';
-export * from '@domain/session.js';
 
 /**
  * Application
  */
-export * from '@application/use-cases/authenticate-user.js';
+export * from '@application/ports/auth-preference-service.port.js';
 export * from '@application/ports/auth-service.port.js';
+export * from '@application/ports/pre-register-policy.port.js';
+export * from '@application/ports/user-existence.port.js';
+export * from '@application/services/composite-auth.service.js';
+
+/**
+ * Infrastructure
+ */
+// Infrastructure adapters are provided as separate packages
+
+/**
+ * Auth Engine
+ */
+export * from '@root/auth-engine.factory.js';
+export * from '@root/auth-engine.js';
+

package/tests/application/policies/magic-link-token.policy.test.ts

@@ -0,0 +1,74 @@
+import { MagicLinkTokenPolicy } from '@application/policies/magic-link-token.policy.js';
+import { describe, expect, it } from 'vitest';
+
+describe('MagicLinkTokenPolicy', () => {
+  it('should return false when policy is disabled', async () => {
+    const policy = new MagicLinkTokenPolicy(false);
+    const method = {
+      type: 'magic_link' as const,
+      token: 'short',
+    };
+
+    expect(await policy.isActive(method)).toBe(false);
+  });
+
+  it('should return true when policy is enabled and token meets minimum length', async () => {
+    const policy = new MagicLinkTokenPolicy(true);
+    const method = {
+      type: 'magic_link' as const,
+      token: 'valid-token-123456789',
+    };
+
+    expect(await policy.isActive(method)).toBe(true);
+    expect(await policy.check(method)).toBe(true);
+  });
+
+  it('should return false when policy is enabled but token is missing', async () => {
+    const policy = new MagicLinkTokenPolicy(true);
+    const method = {
+      type: 'magic_link' as const,
+      token: '',
+    };
+
+    expect(await policy.isActive(method)).toBe(true);
+    expect(await policy.check(method)).toBe(false);
+  });
+
+  it('should return false when policy is enabled but token is too short', async () => {
+    const policy = new MagicLinkTokenPolicy(true);
+    const method = {
+      type: 'magic_link' as const,
+      token: 'short', // 5 chars
+    };
+
+    expect(await policy.isActive(method)).toBe(true);
+    expect(await policy.check(method)).toBe(false);
+  });
+
+  it('should return false when policy is enabled but token is exactly at boundary', async () => {
+    const policy = new MagicLinkTokenPolicy(true);
+    const method = {
+      type: 'magic_link' as const,
+      token: '1234567890', // exactly 10 chars
+    };
+
+    expect(await policy.isActive(method)).toBe(true);
+    expect(await policy.check(method)).toBe(true);
+  });
+
+  it('should return false for non-magic link methods', async () => {
+    const policy = new MagicLinkTokenPolicy(true);
+    const passwordMethod = {
+      type: 'password' as const,
+      identifier: 'test@example.com',
+      password: 'password123',
+    };
+
+    expect(await policy.isActive(passwordMethod)).toBe(false);
+  });
+
+  it('should have correct error code', () => {
+    const policy = new MagicLinkTokenPolicy(true);
+    expect(policy.code).toBe('MISSING_MAGIC_LINK_TOKEN');
+  });
+});

package/tests/application/policies/oauth-code.policy.test.ts

@@ -0,0 +1,79 @@
+import { OAuthCodePolicy } from '@application/policies/oauth-code.policy.js';
+import { describe, expect, it } from 'vitest';
+
+describe('OAuthCodePolicy', () => {
+  it('should return false when policy is disabled', async () => {
+    const policy = new OAuthCodePolicy(false);
+    const method = {
+      type: 'oauth' as const,
+      provider: 'google' as const,
+      code: '',
+    };
+
+    expect(await policy.isActive(method)).toBe(false);
+  });
+
+  it('should return true when policy is enabled and code meets minimum length', async () => {
+    const policy = new OAuthCodePolicy(true);
+    const method = {
+      type: 'oauth' as const,
+      provider: 'google' as const,
+      code: 'auth-code-12345',
+    };
+
+    expect(await policy.isActive(method)).toBe(true);
+    expect(await policy.check(method)).toBe(true);
+  });
+
+  it('should return false when policy is enabled but code is missing', async () => {
+    const policy = new OAuthCodePolicy(true);
+    const method = {
+      type: 'oauth' as const,
+      provider: 'google' as const,
+      code: '',
+    };
+
+    expect(await policy.isActive(method)).toBe(true);
+    expect(await policy.check(method)).toBe(false);
+  });
+
+  it('should return false when policy is enabled but code is too short', async () => {
+    const policy = new OAuthCodePolicy(true);
+    const method = {
+      type: 'oauth' as const,
+      provider: 'google' as const,
+      code: 'five', // 5 chars (too short)
+    };
+
+    expect(await policy.isActive(method)).toBe(true);
+    expect(await policy.check(method)).toBe(false);
+  });
+
+  it('should return true when policy is enabled and code is exactly at boundary', async () => {
+    const policy = new OAuthCodePolicy(true);
+    const method = {
+      type: 'oauth' as const,
+      provider: 'google' as const,
+      code: '12345', // exactly 5 chars
+    };
+
+    expect(await policy.isActive(method)).toBe(true);
+    expect(await policy.check(method)).toBe(true);
+  });
+
+  it('should return false for non-OAuth methods', async () => {
+    const policy = new OAuthCodePolicy(true);
+    const passwordMethod = {
+      type: 'password' as const,
+      identifier: 'test@example.com',
+      password: 'password123',
+    };
+
+    expect(await policy.isActive(passwordMethod)).toBe(false);
+  });
+
+  it('should have correct error code', () => {
+    const policy = new OAuthCodePolicy(true);
+    expect(policy.code).toBe('MISSING_OAUTH_CODE');
+  });
+});

package/tests/application/policies/oauth-provider.policy.test.ts

@@ -0,0 +1,76 @@
+import { OAuthProviderPolicy } from '@application/policies/oauth-provider.policy.js';
+import { describe, expect, it } from 'vitest';
+
+describe('OAuthProviderPolicy', () => {
+  it('should return false when policy is disabled', async () => {
+    const policy = new OAuthProviderPolicy(false);
+    const method = {
+      type: 'oauth' as const,
+      provider: 'unsupported' as any,
+      code: 'auth-code',
+    };
+
+    expect(await policy.isActive(method)).toBe(false);
+  });
+
+  it('should return true when policy is enabled and provider is supported', async () => {
+    const policy = new OAuthProviderPolicy(true);
+    const method = {
+      type: 'oauth' as const,
+      provider: 'google' as const,
+      code: 'auth-code',
+    };
+
+    expect(await policy.isActive(method)).toBe(true);
+    expect(await policy.check(method)).toBe(true);
+  });
+
+  it('should return true for all supported providers', async () => {
+    const policy = new OAuthProviderPolicy(true);
+    const supportedProviders = [
+      'google',
+      'github',
+      'apple',
+      'facebook',
+    ] as const;
+
+    for (const provider of supportedProviders) {
+      const method = {
+        type: 'oauth' as const,
+        provider,
+        code: 'auth-code',
+      };
+
+      expect(await policy.isActive(method)).toBe(true);
+      expect(await policy.check(method)).toBe(true);
+    }
+  });
+
+  it('should return false when policy is enabled but provider is unsupported', async () => {
+    const policy = new OAuthProviderPolicy(true);
+    const method = {
+      type: 'oauth' as const,
+      provider: 'unsupported-provider' as any,
+      code: 'auth-code',
+    };
+
+    expect(await policy.isActive(method)).toBe(true);
+    expect(await policy.check(method)).toBe(false);
+  });
+
+  it('should return false for non-OAuth methods', async () => {
+    const policy = new OAuthProviderPolicy(true);
+    const passwordMethod = {
+      type: 'password' as const,
+      identifier: 'test@example.com',
+      password: 'password123',
+    };
+
+    expect(await policy.isActive(passwordMethod)).toBe(false);
+  });
+
+  it('should have correct error code', () => {
+    const policy = new OAuthProviderPolicy(true);
+    expect(policy.code).toBe('UNSUPPORTED_OAUTH_PROVIDER');
+  });
+});

package/tests/application/policies/otp-code-format.policy.test.ts

@@ -0,0 +1,90 @@
+import { OtpCodeFormatPolicy } from '@application/policies/otp-code-format.policy.js';
+import { describe, expect, it } from 'vitest';
+
+describe('OtpCodeFormatPolicy', () => {
+  it('should return false when policy is disabled', async () => {
+    const policy = new OtpCodeFormatPolicy(false);
+    const method = {
+      type: 'otp' as const,
+      identifier: 'test@example.com',
+      code: 'invalid',
+    };
+
+    expect(await policy.isActive(method)).toBe(false);
+  });
+
+  it('should return true when policy is enabled and code has valid format', async () => {
+    const policy = new OtpCodeFormatPolicy(true);
+    const method = {
+      type: 'otp' as const,
+      identifier: 'test@example.com',
+      code: '123456',
+    };
+
+    expect(await policy.isActive(method)).toBe(true);
+    expect(await policy.check(method)).toBe(true);
+  });
+
+  it('should return false when policy is enabled but code format is invalid', async () => {
+    const policy = new OtpCodeFormatPolicy(true);
+    const method = {
+      type: 'otp' as const,
+      identifier: 'test@example.com',
+      code: 'abc123', // Contains letters
+    };
+
+    expect(await policy.isActive(method)).toBe(true);
+    expect(await policy.check(method)).toBe(false);
+  });
+
+  it('should return false when policy is enabled but code is too short', async () => {
+    const policy = new OtpCodeFormatPolicy(true);
+    const method = {
+      type: 'otp' as const,
+      identifier: 'test@example.com',
+      code: '12345', // 5 digits
+    };
+
+    expect(await policy.isActive(method)).toBe(true);
+    expect(await policy.check(method)).toBe(false);
+  });
+
+  it('should return false when policy is enabled but code is too long', async () => {
+    const policy = new OtpCodeFormatPolicy(true);
+    const method = {
+      type: 'otp' as const,
+      identifier: 'test@example.com',
+      code: '1234567', // 7 digits
+    };
+
+    expect(await policy.isActive(method)).toBe(true);
+    expect(await policy.check(method)).toBe(false);
+  });
+
+  it('should handle empty code string', async () => {
+    const policy = new OtpCodeFormatPolicy(true);
+    const method = {
+      type: 'otp' as const,
+      identifier: 'test@example.com',
+      code: '',
+    };
+
+    expect(await policy.check(method)).toBe(false);
+  });
+
+  it('should return false for non-OTP methods', async () => {
+    const policy = new OtpCodeFormatPolicy(true);
+    const passwordMethod = {
+      type: 'password' as const,
+      identifier: 'test@example.com',
+      password: 'password123',
+    };
+
+    expect(await policy.isActive(passwordMethod)).toBe(false);
+  });
+
+  it('should have correct error code', () => {
+    const policy = new OtpCodeFormatPolicy(true);
+    expect(policy.code).toBe('INVALID_OTP_FORMAT');
+  });
+});

package/tests/application/policies/otp-code.policy.test.ts

@@ -0,0 +1,55 @@
+import { OtpCodePolicy } from '@application/policies/otp-code.policy.js';
+import { describe, expect, it } from 'vitest';
+
+describe('OtpCodePolicy', () => {
+  it('should return false when policy is disabled', async () => {
+    const policy = new OtpCodePolicy(false);
+    const method = {
+      type: 'otp' as const,
+      identifier: 'test@example.com',
+      code: '',
+    };
+
+    expect(await policy.isActive(method)).toBe(false);
+  });
+
+  it('should return true when policy is enabled and code is present', async () => {
+    const policy = new OtpCodePolicy(true);
+    const method = {
+      type: 'otp' as const,
+      identifier: 'test@example.com',
+      code: '123456',
+    };
+
+    expect(await policy.isActive(method)).toBe(true);
+    expect(await policy.check(method)).toBe(true);
+  });
+
+  it('should return false when policy is enabled but code is missing', async () => {
+    const policy = new OtpCodePolicy(true);
+    const method = {
+      type: 'otp' as const,
+      identifier: 'test@example.com',
+      code: '',
+    };
+
+    expect(await policy.isActive(method)).toBe(true);
+    expect(await policy.check(method)).toBe(false);
+  });
+
+  it('should return false for non-OTP methods', async () => {
+    const policy = new OtpCodePolicy(true);
+    const passwordMethod = {
+      type: 'password' as const,
+      identifier: 'test@example.com',
+      password: 'password123',
+    };
+
+    expect(await policy.isActive(passwordMethod)).toBe(false);
+  });
+
+  it('should have correct error code', () => {
+    const policy = new OtpCodePolicy(true);
+    expect(policy.code).toBe('MISSING_OTP_CODE');
+  });
+});