@siran/auth-core 0.9.0 → 0.14.0

package/CHANGELOG.md

@@ -1,3 +1,47 @@
+## 0.14.0 (2026-01-25)
+
+### 🚀 Features
+
+- update index.ts to export new application ports ([de8d09e](https://github.com/narisraz/auth/commit/de8d09e))
+
+### ❤️ Thank You
+
+- Naris Razafimahatratra
+
+## 0.13.0 (2026-01-25)
+
+### 🚀 Features
+
+- add comprehensive tests for authentication policies ([5a4b9ff](https://github.com/narisraz/auth/commit/5a4b9ff))
+
+### ❤️ Thank You
+
+- Naris Razafimahatratra
+
+## 0.12.0 (2026-01-25)
+
+### 🚀 Features
+
+- integrate UserExistencePort for account existence checks ([47fcde5](https://github.com/narisraz/auth/commit/47fcde5))
+
+### ❤️ Thank You
+
+- Naris Razafimahatratra
+
+## 0.11.0 (2026-01-25)
+
+### 🚀 Features
+
+- enhance authentication framework with CompositeAuthService and policies ([ac9fa89](https://github.com/narisraz/auth/commit/ac9fa89))
+
+### ❤️ Thank You
+
+- Naris Razafimahatratra
+
+## 0.10.0 (2026-01-24)
+
+This was a version bump only for @siran/auth-core to align it with other projects, there were no code changes.
+
 ## 0.9.0 (2026-01-24)
 
 ### 🚀 Features

package/COMPOSITE_AUTH_SERVICE.md

@@ -0,0 +1,104 @@
+# CompositeAuthService Usage
+
+The `CompositeAuthService` allows you to configure different adapters for each authentication method type with an immutable configuration.
+
+## Configuration
+
+```typescript
+import { CompositeAuthService } from '@siran/auth-core';
+import { PasswordAdapter } from '@siran/password-adapter';
+import { OAuthAdapter } from '@siran/oauth-adapter';
+
+const authService = new CompositeAuthService({
+  password: new PasswordAdapter(),
+  oauth: new OAuthAdapter(),
+  // otp: new OTPAdapter(),  // Optional
+  // magic_link: new MagicLinkAdapter(),  // Optional
+});
+```
+
+## Supported Methods
+
+- `password`: For username/password authentication
+- `oauth`: For OAuth provider authentication (Google, GitHub, Apple, Facebook)
+- `otp`: For one-time password authentication
+- `magic_link`: For magic link authentication
+
+## Error Handling
+
+The service provides specific error codes for different failure scenarios:
+
+### Method/Payload Errors
+
+- `ADAPTER_UNAVAILABLE`: No adapter configured for the auth method
+- `INVALID_METHOD_PAYLOAD`: Malformed or incomplete auth method data
+- `UNSUPPORTED_OAUTH_PROVIDER`: OAuth provider not in supported list
+
+### Authentication Errors
+
+- `INVALID_CREDENTIALS`: Username/password incorrect or invalid credentials
+
+### Account Status Errors
+
+- `ACCOUNT_DISABLED`: Account is disabled
+- `ACCOUNT_NOT_VERIFIED`: Account email not verified
+- `ACCOUNT_LOCKED`: Account permanently locked
+- `ACCOUNT_LOCKED_TEMPORARILY`: Account temporarily locked
+
+### Policy Errors
+
+- `PRE_REGISTER_POLICY_VIOLATED`: Pre-registration policy violated
+- `RATE_LIMIT_EXCEEDED`: Too many authentication attempts
+
+### System Errors
+
+- `OAUTH_PROVIDER_DOWN`: OAuth provider service unavailable
+- `NETWORK_ERROR`: Network connectivity issues
+- `INTERNAL_ERROR`: Unexpected server error
+
+## Usage Example
+
+```typescript
+// Password authentication
+const passwordResult = await authService.authenticate({
+  type: 'password',
+  identifier: 'user@example.com',
+  password: 'password123',
+});
+
+// OAuth authentication
+const oauthResult = await authService.authenticate({
+  type: 'oauth',
+  provider: 'google',
+  code: 'auth-code',
+});
+
+// If a method is not configured, it returns a specific error:
+const magicLinkResult = await authService.authenticate({
+  type: 'magic_link',
+  token: 'token',
+});
+
+console.log(magicLinkResult.ok); // false
+console.log(magicLinkResult.error); // 'ADAPTER_UNAVAILABLE'
+
+// Invalid payloads are caught early:
+const invalidPassword = await authService.authenticate({
+  type: 'password',
+  identifier: 'test@example.com',
+  password: 'short', // Too short
+});
+
+console.log(invalidPassword.error); // 'INVALID_CREDENTIALS'
+```
+
+## Configuration Access
+
+The service provides read-only access to the configuration:
+
+```typescript
+const config = authService.getMethodConfig();
+// Returns: { password: PasswordAdapter, oauth: OAuthAdapter }
+```
+
+Note: The configuration is immutable once created. No runtime adapter management is supported.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@siran/auth-core",
-  "version": "0.9.0",
+  "version": "0.14.0",
   "type": "module",
   "main": "./dist/index.js",
   "module": "./dist/index.js",

package/src/application/policies/account-already-exists.policy.ts

@@ -0,0 +1,23 @@
+
+import { AuthMethod, AuthMethodOtp, AuthMethodPassword } from "@application/ports/auth-service.port.js";
+import { PreRegisterPolicy } from "@application/ports/pre-register-policy.port.js";
+import { UserExistencePort } from "@application/ports/user-existence.port.js";
+
+export class AccountAlreadyExistsPolicy implements PreRegisterPolicy {
+  constructor(
+    private readonly userExistence: UserExistencePort,
+    private readonly enabled: boolean,
+  ) { }
+
+  code: string = 'ACCOUNT_ALREADY_EXISTS';
+
+  async check(method: AuthMethod): Promise<boolean> {
+    const identifier = (method as AuthMethodPassword | AuthMethodOtp).identifier;
+    if (!identifier) return false;
+    return this.userExistence.userExistsByIdentifier(identifier);
+  }
+
+  async isActive(method: AuthMethod): Promise<boolean> {
+    return this.enabled && method.type === 'password' || method.type === 'otp';
+  }
+}

package/src/application/policies/magic-link-token.policy.ts

@@ -0,0 +1,23 @@
+import {
+  AuthMethod,
+  AuthMethodMagicLink,
+} from '@application/ports/auth-service.port.js';
+import { PreRegisterPolicy } from '@application/ports/pre-register-policy.port.js';
+
+export class MagicLinkTokenPolicy implements PreRegisterPolicy {
+  constructor(private readonly enabled: boolean) { }
+
+  code: string = 'MISSING_MAGIC_LINK_TOKEN';
+
+  private checkMagicLink(method: AuthMethodMagicLink): boolean {
+    return !!method.token && method.token.length >= 10;
+  }
+
+  async check(method: AuthMethod): Promise<boolean> {
+    return this.checkMagicLink(method as AuthMethodMagicLink);
+  }
+
+  async isActive(method: AuthMethod): Promise<boolean> {
+    return this.enabled && method.type === 'magic_link';
+  }
+}

package/src/application/policies/oauth-code.policy.ts

@@ -0,0 +1,23 @@
+import {
+  AuthMethod,
+  AuthMethodOAuth,
+} from '@application/ports/auth-service.port.js';
+import { PreRegisterPolicy } from '@application/ports/pre-register-policy.port.js';
+
+export class OAuthCodePolicy implements PreRegisterPolicy {
+  constructor(private readonly enabled: boolean) { }
+
+  code: string = 'MISSING_OAUTH_CODE';
+
+  private checkOAuth(method: AuthMethodOAuth): boolean {
+    return !!method.code && method.code.length >= 5;
+  }
+
+  async check(method: AuthMethod): Promise<boolean> {
+    return this.checkOAuth(method as AuthMethodOAuth);
+  }
+
+  async isActive(method: AuthMethod): Promise<boolean> {
+    return this.enabled && method.type === 'oauth';
+  }
+}

package/src/application/policies/oauth-provider.policy.ts

@@ -0,0 +1,29 @@
+import {
+  AuthMethod,
+  AuthMethodOAuth,
+} from '@application/ports/auth-service.port.js';
+import { PreRegisterPolicy } from '@application/ports/pre-register-policy.port.js';
+
+export class OAuthProviderPolicy implements PreRegisterPolicy {
+  constructor(private readonly enabled: boolean) { }
+
+  code: string = 'UNSUPPORTED_OAUTH_PROVIDER';
+
+  private checkOAuth(method: AuthMethodOAuth): boolean {
+    const supportedProviders = [
+      'google',
+      'github',
+      'apple',
+      'facebook',
+    ] as const;
+    return supportedProviders.includes(method.provider);
+  }
+
+  async check(method: AuthMethod): Promise<boolean> {
+    return this.checkOAuth(method as AuthMethodOAuth);
+  }
+
+  async isActive(method: AuthMethod): Promise<boolean> {
+    return this.enabled && method.type === 'oauth';
+  }
+}

package/src/application/policies/otp-code-format.policy.ts

@@ -0,0 +1,23 @@
+import {
+  AuthMethod,
+  AuthMethodOtp,
+} from '@application/ports/auth-service.port.js';
+import { PreRegisterPolicy } from '@application/ports/pre-register-policy.port.js';
+
+export class OtpCodeFormatPolicy implements PreRegisterPolicy {
+  constructor(private readonly enabled: boolean) { }
+
+  code: string = 'INVALID_OTP_FORMAT';
+
+  private checkOtp(method: AuthMethodOtp): boolean {
+    return /^\d{6}$/.test(method.code || '');
+  }
+
+  async check(method: AuthMethod): Promise<boolean> {
+    return this.checkOtp(method as AuthMethodOtp);
+  }
+
+  async isActive(method: AuthMethod): Promise<boolean> {
+    return this.enabled && method.type === 'otp';
+  }
+}

package/src/application/policies/otp-code.policy.ts

@@ -0,0 +1,23 @@
+import {
+  AuthMethod,
+  AuthMethodOtp,
+} from '@application/ports/auth-service.port.js';
+import { PreRegisterPolicy } from '@application/ports/pre-register-policy.port.js';
+
+export class OtpCodePolicy implements PreRegisterPolicy {
+  constructor(private readonly enabled: boolean) { }
+
+  code: string = 'MISSING_OTP_CODE';
+
+  private checkOtp(method: AuthMethodOtp): boolean {
+    return !!method.code;
+  }
+
+  async check(method: AuthMethod): Promise<boolean> {
+    return this.checkOtp(method as AuthMethodOtp);
+  }
+
+  async isActive(method: AuthMethod): Promise<boolean> {
+    return this.enabled && method.type === 'otp';
+  }
+}

package/src/application/policies/otp-identifier.policy.ts

@@ -0,0 +1,23 @@
+import {
+  AuthMethod,
+  AuthMethodOtp,
+} from '@application/ports/auth-service.port.js';
+import { PreRegisterPolicy } from '@application/ports/pre-register-policy.port.js';
+
+export class OtpIdentifierPolicy implements PreRegisterPolicy {
+  constructor(private readonly enabled: boolean) { }
+
+  code: string = 'MISSING_OTP_IDENTIFIER';
+
+  private checkOtp(method: AuthMethodOtp): boolean {
+    return !!method.identifier;
+  }
+
+  async check(method: AuthMethod): Promise<boolean> {
+    return this.checkOtp(method as AuthMethodOtp);
+  }
+
+  async isActive(method: AuthMethod): Promise<boolean> {
+    return this.enabled && method.type === 'otp';
+  }
+}

package/src/application/policies/password-identifier.policy.ts

@@ -0,0 +1,23 @@
+import {
+  AuthMethod,
+  AuthMethodPassword,
+} from '@application/ports/auth-service.port.js';
+import { PreRegisterPolicy } from '@application/ports/pre-register-policy.port.js';
+
+export class PasswordIdentifierPolicy implements PreRegisterPolicy {
+  constructor(private readonly enabled: boolean) { }
+
+  code: string = 'MISSING_PASSWORD_IDENTIFIER';
+
+  private checkPassword(method: AuthMethodPassword): boolean {
+    return !!method.identifier;
+  }
+
+  async check(method: AuthMethod): Promise<boolean> {
+    return this.checkPassword(method as AuthMethodPassword);
+  }
+
+  async isActive(method: AuthMethod): Promise<boolean> {
+    return this.enabled && method.type === 'password';
+  }
+}

package/src/application/policies/password-min-length.policy.ts

@@ -0,0 +1,29 @@
+import {
+  AuthMethod,
+  AuthMethodPassword,
+} from '@application/ports/auth-service.port.js';
+import { PreRegisterPolicy } from '@application/ports/pre-register-policy.port.js';
+
+export class PasswordMinLengthPolicy implements PreRegisterPolicy {
+  constructor(
+    private readonly enabled: boolean,
+    private readonly minLength: number = 8
+  ) {}
+
+  code: string = 'PASSWORD_TOO_SHORT';
+
+  private checkPassword(method: AuthMethodPassword): boolean {
+    return method.password?.length >= this.minLength;
+  }
+
+  async check(method: AuthMethod): Promise<boolean> {
+    if (method.type === 'password') {
+      return this.checkPassword(method);
+    }
+    return true;
+  }
+
+  async isActive(method: AuthMethod): Promise<boolean> {
+    return this.enabled && method.type === 'password';
+  }
+}

package/src/application/policies/password-present.policy.ts

@@ -0,0 +1,23 @@
+import {
+  AuthMethod,
+  AuthMethodPassword,
+} from '@application/ports/auth-service.port.js';
+import { PreRegisterPolicy } from '@application/ports/pre-register-policy.port.js';
+
+export class PasswordPresentPolicy implements PreRegisterPolicy {
+  constructor(private readonly enabled: boolean) { }
+
+  code: string = 'MISSING_PASSWORD';
+
+  private checkPassword(method: AuthMethodPassword): boolean {
+    return !!method.password;
+  }
+
+  async check(method: AuthMethod): Promise<boolean> {
+    return this.checkPassword(method as AuthMethodPassword);
+  }
+
+  async isActive(method: AuthMethod): Promise<boolean> {
+    return this.enabled && method.type === 'password';
+  }
+}

package/src/application/policies/password-strength.policy.ts

@@ -0,0 +1,27 @@
+import type {
+  AuthErrorCode,
+  AuthMethod,
+  AuthMethodPassword,
+} from '@application/ports/auth-service.port.js';
+import type { PreRegisterPolicy } from '@application/ports/pre-register-policy.port.js';
+
+export class PasswordStrengthPolicy implements PreRegisterPolicy {
+  code: AuthErrorCode = 'WEAK_PASSWORD';
+
+  constructor(
+    private readonly enabled: boolean,
+    private readonly minLength: number = 8
+  ) { }
+
+  private checkPassword(method: AuthMethodPassword): boolean {
+    return method.password?.length >= this.minLength;
+  }
+
+  async check(method: AuthMethod): Promise<boolean> {
+    return this.checkPassword(method as AuthMethodPassword);
+  }
+
+  async isActive(method: AuthMethod): Promise<boolean> {
+    return this.enabled && method.type === 'password';
+  }
+}

package/src/application/ports/auth-preference-service.port.ts

@@ -1,6 +1,11 @@
 export type AuthPreferences = {
   allowLoginWithNotVerifiedAccount: boolean;
   allowDuplicatedAccount: boolean;
+  allowWeakPassword: boolean;
+  allowMissingPasswordIdentifier: boolean;
+  allowMissingPassword: boolean;
+  allowMissingOtpIdentifier: boolean;
+  allowMissingOtpCode: boolean;
 };
 
 export interface AuthPreferencesServicePort {

package/src/application/ports/auth-service.port.ts

@@ -1,20 +1,62 @@
-import type { UserAccount } from "@domain/user-account.js";
+import type { UserAccount } from '@domain/user-account.js';
+
+export type AuthMethodPassword = {
+  type: 'password';
+  identifier: string;
+  password: string;
+};
+export type AuthMethodOtp = { type: 'otp'; identifier: string; code: string };
+export type AuthMethodMagicLink = { type: 'magic_link'; token: string };
+export type AuthMethodOAuth = {
+  type: 'oauth';
+  provider: 'google' | 'github' | 'apple' | 'facebook';
+  code: string;
+};
 
 export type AuthMethod =
-  | { type: "password"; identifier: string; password: string }
-  | { type: "otp"; identifier: string; code: string }
-  | { type: "magic_link"; token: string }
-  | { type: "oauth"; provider: "google" | "github" | "apple" | "facebook"; code: string };
+  | AuthMethodPassword
+  | AuthMethodOtp
+  | AuthMethodMagicLink
+  | AuthMethodOAuth;
 
 export type AuthErrorCode =
-  | "INVALID_CREDENTIALS"
-  | "ACCOUNT_DISABLED"
-  | "ACCOUNT_NOT_VERIFIED"
-  | "ACCOUNT_LOCKED"
-  | "PRE_REGISTER_POLICY_VIOLATED";
+  // Method/Payload specific errors
+  | 'ADAPTER_UNAVAILABLE' // No adapter configured for this auth method
+  | 'INVALID_CREDENTIALS' // Username/password incorrect
+  | 'INVALID_METHOD_PAYLOAD' // Malformed auth method data
+  | 'UNSUPPORTED_OAUTH_PROVIDER' // OAuth provider not supported
+
+  // Account status errors
+  | 'ACCOUNT_DISABLED' // Account is disabled
+  | 'ACCOUNT_NOT_VERIFIED' // Account email not verified
+  | 'ACCOUNT_LOCKED' // Account temporarily locked
+  | 'ACCOUNT_LOCKED_TEMPORARILY' // Account temporarily locked
+
+  // Policy errors
+  | 'PRE_REGISTER_POLICY_VIOLATED' // Pre-registration policy violated
+  | 'RATE_LIMIT_EXCEEDED' // Too many attempts
+  | 'WEAK_PASSWORD' // Password doesn't meet strength requirements
+  | 'ACCOUNT_ALREADY_EXISTS' // Account already exists
+  | 'MISSING_PASSWORD_IDENTIFIER' // Password identifier missing
+  | 'MISSING_PASSWORD' // Password missing
+  | 'PASSWORD_TOO_SHORT' // Password too short
+  | 'MISSING_OTP_IDENTIFIER' // OTP identifier missing
+  | 'MISSING_OTP_CODE' // OTP code missing
+  | 'INVALID_OTP_FORMAT' // OTP code format invalid
+  | 'MISSING_MAGIC_LINK_TOKEN' // Magic link token missing
+  | 'MISSING_OAUTH_CODE' // OAuth code missing
+
+  // System errors
+  | 'OAUTH_PROVIDER_DOWN' // OAuth provider unavailable
+  | 'NETWORK_ERROR' // Network connectivity issues
+  | 'INTERNAL_ERROR'; // Unexpected server error;
 
 export type AuthResultSuccess = { ok: true; user: UserAccount };
-export type AuthResultFailure = { ok: false; error: AuthErrorCode; violatedPolicies: string[] };
+export type AuthResultFailure = {
+  ok: false;
+  error: AuthErrorCode;
+  violatedPolicies: string[];
+};
 
 export type AuthResult = AuthResultSuccess | AuthResultFailure;
 
@@ -22,7 +64,4 @@ export interface AuthServicePort {
   authenticate(method: AuthMethod): Promise<AuthResult>;
   register(method: AuthMethod): Promise<AuthResult>;
   logout(): Promise<void>;
-  userExists(method: AuthMethod): Promise<boolean>;
 }
-
-

package/src/application/ports/user-existence.port.ts

@@ -0,0 +1,3 @@
+export interface UserExistencePort {
+  userExistsByIdentifier(identifier: string): Promise<boolean>;
+}

package/src/application/services/composite-auth.service.ts

@@ -0,0 +1,96 @@
+import type {
+  AuthMethod,
+  AuthResult,
+  AuthServicePort,
+} from '@application/ports/auth-service.port.js';
+
+export type AuthMethodConfig = Partial<
+  Record<AuthMethod['type'], AuthServicePort>
+>;
+
+export class CompositeAuthService implements AuthServicePort {
+  private readonly methodConfig: AuthMethodConfig;
+  private readonly adapters: AuthServicePort[];
+
+  constructor(config: AuthMethodConfig) {
+    this.methodConfig = config;
+    // Extract all adapters from config for operations like logout
+    this.adapters = Object.values(config).filter(
+      (adapter): adapter is AuthServicePort => adapter !== undefined
+    );
+  }
+
+  async authenticate(method: AuthMethod): Promise<AuthResult> {
+    const adapter = this.getAdapterForMethod(method);
+
+    if (!adapter) {
+      return {
+        ok: false,
+        error: 'ADAPTER_UNAVAILABLE',
+        violatedPolicies: [],
+      };
+    }
+
+    try {
+      return await adapter.authenticate(method);
+    } catch (error) {
+      console.error('Authentication error in adapter:', error);
+      return {
+        ok: false,
+        error: 'NETWORK_ERROR',
+        violatedPolicies: [],
+      };
+    }
+  }
+
+  async register(method: AuthMethod): Promise<AuthResult> {
+    const adapter = this.getAdapterForMethod(method);
+
+    if (!adapter) {
+      return {
+        ok: false,
+        error: 'ADAPTER_UNAVAILABLE',
+        violatedPolicies: [],
+      };
+    }
+
+    try {
+      return await adapter.register(method);
+    } catch (error) {
+      console.error('Registration error in adapter:', error);
+      return {
+        ok: false,
+        error: 'NETWORK_ERROR',
+        violatedPolicies: [],
+      };
+    }
+  }
+
+  async logout(): Promise<void> {
+    // Try to logout from all adapters
+    const logoutPromises = this.adapters.map(async (adapter) => {
+      try {
+        await adapter.logout();
+      } catch (error) {
+        console.error('Logout error in adapter:', error);
+        // Continue with other adapters even if one fails
+      }
+    });
+
+    await Promise.allSettled(logoutPromises);
+  }
+
+  /**
+   * Get adapter for specific auth method
+   */
+  private getAdapterForMethod(method: AuthMethod): AuthServicePort | undefined {
+    return this.methodConfig[method.type];
+  }
+
+  /**
+   * Get method configuration (read-only)
+   */
+  getMethodConfig(): AuthMethodConfig {
+    return { ...this.methodConfig };
+  }
+}