npm - @spfn/auth - Versions diffs - 0.2.0-beta.46 → 0.2.0-beta.47 - Mend

@spfn/auth 0.2.0-beta.46 → 0.2.0-beta.47

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/README.md +53 -30
package/dist/{authenticate-CRDUKQbi.d.ts → authenticate-eucncHxN.d.ts} +26 -1
package/dist/index.d.ts +3 -2
package/dist/index.js +1 -0
package/dist/index.js.map +1 -1
package/dist/server.d.ts +92 -4
package/dist/server.js +88 -1
package/dist/server.js.map +1 -1
package/package.json +3 -3

package/dist/server.d.ts CHANGED Viewed

@@ -1,11 +1,12 @@
-import { k as AuthInitOptions, l as KeyAlgorithmType, n as InvitationStatus, f as VerificationPurpose, j as PermissionCategory, p as SocialProvider, q as AuthContext } from './authenticate-CRDUKQbi.js';
-export { B as ChangePasswordParams, w as CheckAccountExistsParams, C as CheckAccountExistsResult, a6 as EmailSchema, I as INVITATION_STATUSES, K as KEY_ALGORITHM, y as LoginParams, L as LoginResult, z as LogoutParams, a2 as OAuthCallbackParams, a3 as OAuthCallbackResult, a1 as OAuthStartParams, O as OAuthStartResult, a8 as PasswordSchema, a7 as PhoneSchema, x as RegisterParams, Q as RegisterPublicKeyParams, a as RegisterResult, W as RevokeKeyParams, T as RotateKeyParams, b as RotateKeyResult, e as SOCIAL_PROVIDERS, F as SendVerificationCodeParams, S as SendVerificationCodeResult, a9 as TargetTypeSchema, d as USER_STATUSES, o as UserStatus, h as VERIFICATION_PURPOSES, g as VERIFICATION_TARGET_TYPES, aa as VerificationPurposeSchema, V as VerificationTargetType, G as VerifyCodeParams, H as VerifyCodeResult, m as authRouter, a4 as authenticate, Z as buildOAuthErrorUrl, v as changePasswordService, r as checkAccountExistsService, $ as getEnabledOAuthProviders, a0 as getGoogleAccessToken, _ as isOAuthProviderEnabled, t as loginService, u as logoutService, Y as oauthCallbackService, X as oauthStartService, a5 as optionalAuth, J as registerPublicKeyService, s as registerService, N as revokeKeyService, M as rotateKeyService, D as sendVerificationCodeService, E as verifyCodeService } from './authenticate-CRDUKQbi.js';
+import { l as AuthInitOptions, n as KeyAlgorithmType, o as InvitationStatus, g as VerificationPurpose, k as PermissionCategory, q as SocialProvider, r as AuthContext } from './authenticate-eucncHxN.js';
+export { D as ChangePasswordParams, x as CheckAccountExistsParams, C as CheckAccountExistsResult, a9 as EmailSchema, d as INVITATION_STATUSES, I as IssueOneTimeTokenResult, K as KEY_ALGORITHM, z as LoginParams, L as LoginResult, B as LogoutParams, a5 as OAuthCallbackParams, a6 as OAuthCallbackResult, a4 as OAuthStartParams, O as OAuthStartResult, ab as PasswordSchema, aa as PhoneSchema, y as RegisterParams, T as RegisterPublicKeyParams, a as RegisterResult, X as RevokeKeyParams, W as RotateKeyParams, b as RotateKeyResult, f as SOCIAL_PROVIDERS, G as SendVerificationCodeParams, S as SendVerificationCodeResult, ac as TargetTypeSchema, e as USER_STATUSES, p as UserStatus, i as VERIFICATION_PURPOSES, h as VERIFICATION_TARGET_TYPES, ad as VerificationPurposeSchema, V as VerificationTargetType, H as VerifyCodeParams, J as VerifyCodeResult, m as authRouter, a7 as authenticate, a0 as buildOAuthErrorUrl, w as changePasswordService, s as checkAccountExistsService, a2 as getEnabledOAuthProviders, a3 as getGoogleAccessToken, a1 as isOAuthProviderEnabled, Y as issueOneTimeTokenService, u as loginService, v as logoutService, $ as oauthCallbackService, _ as oauthStartService, a8 as optionalAuth, M as registerPublicKeyService, t as registerService, Q as revokeKeyService, N as rotateKeyService, E as sendVerificationCodeService, F as verifyCodeService, Z as verifyOneTimeTokenService } from './authenticate-eucncHxN.js';
 import * as drizzle_orm_pg_core from 'drizzle-orm/pg-core';
 import { UserProfile as UserProfile$1, ProfileInfo } from '@spfn/auth';
 import { BaseRepository } from '@spfn/core/db';
 import { Context } from 'hono';
 import * as _spfn_core_route from '@spfn/core/route';
 import { Algorithm } from 'jsonwebtoken';
+import { SSETokenManager } from '@spfn/core/event/sse';
 import * as _spfn_core_logger from '@spfn/core/logger';
 import * as _spfn_core_event from '@spfn/core/event';
 import * as _sinclair_typebox from '@sinclair/typebox';
@@ -4879,6 +4880,29 @@ interface RoleGuardOptions {
  */
 declare const roleGuard: _spfn_core_route.NamedMiddlewareFactory<"roleGuard", [options: RoleGuardOptions]>;
+/**
+ * One-Time Token Authentication Middleware
+ *
+ * Authenticates requests using a one-time token instead of JWT.
+ * Extracts token from query parameter `?token=xxx` or `Authorization: OTT xxx` header.
+ *
+ * On success, injects AuthContext identical to the `authenticate` middleware,
+ * making it transparent to downstream handlers using `getAuth(c)`.
+ *
+ * Auto-skips the global 'auth' middleware.
+ *
+ * @example
+ * ```typescript
+ * export const uploadFile = route.post('/files/upload')
+ *     .use([oneTimeTokenAuth])
+ *     .handler(async (c) => {
+ *         const { userId } = getAuth(c);
+ *         // handle file upload...
+ *     });
+ * ```
+ */
+declare const oneTimeTokenAuth: _spfn_core_route.NamedMiddleware<"oneTimeTokenAuth">;
 /**
  * Auth Context Helpers
  *
@@ -5309,6 +5333,45 @@ declare function createOAuthState(params: CreateOAuthStateParams): Promise<strin
  */
 declare function verifyOAuthState(encryptedState: string): Promise<OAuthState>;
+/**
+ * One-Time Token Manager
+ *
+ * Singleton wrapper around SSETokenManager for one-time token authentication.
+ * Used for direct API access (file uploads, SSE streaming, etc.) bypassing RPC proxy.
+ */
+/**
+ * Initialize the one-time token manager
+ *
+ * Called during auth lifecycle initialization.
+ * Creates a singleton SSETokenManager instance.
+ *
+ * @param config - Optional configuration
+ * @param config.ttl - Token time-to-live in milliseconds (default: 30000)
+ */
+declare function initOneTimeTokenManager(config?: {
+    ttl?: number;
+}): void;
+/**
+ * Get the one-time token manager instance
+ *
+ * @throws Error if initOneTimeTokenManager() has not been called
+ *
+ * @example
+ * ```typescript
+ * import { getOneTimeTokenManager } from '@spfn/auth/server';
+ *
+ * // Use as SSE tokenManager
+ * .eventsConfig({
+ *     auth: {
+ *         enabled: true,
+ *         tokenManager: getOneTimeTokenManager(),
+ *     },
+ * })
+ * ```
+ */
+declare function getOneTimeTokenManager(): SSETokenManager;
 /**
  * @spfn/auth - Centralized Logger
  *
@@ -5403,7 +5466,32 @@ interface AuthLifecycleConfig {
  *   .build();
  * ```
  */
-declare function createAuthLifecycle(options?: AuthInitOptions): AuthLifecycleConfig;
+/**
+ * Options for createAuthLifecycle
+ */
+interface AuthLifecycleOptions extends AuthInitOptions {
+    /**
+     * One-time token configuration
+     *
+     * Enables one-time token issuance for direct API access
+     * (file uploads, SSE streaming, etc.)
+     *
+     * @example
+     * ```typescript
+     * createAuthLifecycle({
+     *     oneTimeToken: { ttl: 60000 },  // 60 seconds
+     * })
+     * ```
+     */
+    oneTimeToken?: {
+        /**
+         * Token time-to-live in milliseconds
+         * @default 30000
+         */
+        ttl?: number;
+    };
+}
+declare function createAuthLifecycle(options?: AuthLifecycleOptions): AuthLifecycleConfig;
 /**
  * @spfn/auth - Auth Events
@@ -5522,4 +5610,4 @@ type AuthRegisterPayload = typeof authRegisterEvent._payload;
 type InvitationCreatedPayload = typeof invitationCreatedEvent._payload;
 type InvitationAcceptedPayload = typeof invitationAcceptedEvent._payload;
-export { type AuthConfig, AuthContext, type AuthLoginPayload, type AuthMetadataEntity, AuthMetadataRepository, AuthProviderSchema, type AuthRegisterPayload, COOKIE_NAMES, type CreateOAuthStateParams, type GoogleTokenResponse, type GoogleUserInfo, type Invitation, type InvitationAcceptedPayload, type InvitationCreatedPayload, InvitationStatus, InvitationsRepository, KeyAlgorithmType, type KeyPair, KeysRepository, type NewAuthMetadataEntity, type NewInvitation, type NewPermission, type NewPermissionEntity, type NewRole, type NewRoleEntity, type NewRolePermission, type NewUser, type NewUserPermission, type NewUserProfile, type NewUserPublicKey, type NewUserSocialAccount, type NewVerificationCode, type OAuthState, type Permission, type PermissionEntity, PermissionsRepository, type Role, type RoleEntity, type RoleGuardOptions, type RolePermission, RolePermissionsRepository, RolesRepository, type SessionData, type SessionPayload, SocialAccountsRepository, SocialProvider, type TokenPayload, type UpdateProfileParams, type User, type UserPermission, UserPermissionsRepository, type UserProfile, UserProfilesRepository, type UserPublicKey, type UserSocialAccount, UsersRepository, type VerificationCode, VerificationCodesRepository, VerificationPurpose, acceptInvitation, addPermissionToRole, authLogger, authLoginEvent, authMetadata, authMetadataRepository, authRegisterEvent, authSchema, cancelInvitation, checkUsernameAvailableService, configureAuth, createAuthLifecycle, createInvitation, createOAuthState, createRole, decodeToken, deleteInvitation, deleteRole, exchangeCodeForTokens, expireOldInvitations, generateClientToken, generateKeyPair, generateKeyPairES256, generateKeyPairRS256, generateToken, getAllRoles, getAuth, getAuthConfig, getAuthSessionService, getGoogleAuthUrl, getGoogleOAuthConfig, getGoogleUserInfo, getInvitationByToken, getInvitationWithDetails, getKeyId, getKeySize, getLocale, getOptionalAuth, getRole, getRoleByName, getRolePermissions, getSessionInfo, getSessionTtl, getUser, getUserByEmailService, getUserByIdService, getUserByPhoneService, getUserId, getUserPermissions, getUserProfileService, getUserRole, hasAllPermissions, hasAnyPermission, hasAnyRole, hasPermission, hasRole, hashPassword, initializeAuth, invitationAcceptedEvent, invitationCreatedEvent, invitationsRepository, isGoogleOAuthEnabled, keysRepository, listInvitations, parseDuration, permissions, permissionsRepository, refreshAccessToken, removePermissionFromRole, requireAnyPermission, requirePermissions, requireRole, resendInvitation, roleGuard, rolePermissions, rolePermissionsRepository, roles, rolesRepository, sealSession, setRolePermissions, shouldRefreshSession, shouldRotateKey, socialAccountsRepository, unsealSession, updateLastLoginService, updateLocaleService, updateRole, updateUserProfileService, updateUserService, updateUsernameService, userInvitations, userPermissions, userPermissionsRepository, userProfiles, userProfilesRepository, userPublicKeys, userSocialAccounts, users, usersRepository, validateInvitation, validatePasswordStrength, verificationCodes, verificationCodesRepository, verifyClientToken, verifyKeyFingerprint, verifyOAuthState, verifyPassword, verifyToken };
+export { type AuthConfig, AuthContext, type AuthLifecycleConfig, type AuthLifecycleOptions, type AuthLoginPayload, type AuthMetadataEntity, AuthMetadataRepository, AuthProviderSchema, type AuthRegisterPayload, COOKIE_NAMES, type CreateOAuthStateParams, type GoogleTokenResponse, type GoogleUserInfo, type Invitation, type InvitationAcceptedPayload, type InvitationCreatedPayload, InvitationStatus, InvitationsRepository, KeyAlgorithmType, type KeyPair, KeysRepository, type NewAuthMetadataEntity, type NewInvitation, type NewPermission, type NewPermissionEntity, type NewRole, type NewRoleEntity, type NewRolePermission, type NewUser, type NewUserPermission, type NewUserProfile, type NewUserPublicKey, type NewUserSocialAccount, type NewVerificationCode, type OAuthState, type Permission, type PermissionEntity, PermissionsRepository, type Role, type RoleEntity, type RoleGuardOptions, type RolePermission, RolePermissionsRepository, RolesRepository, type SessionData, type SessionPayload, SocialAccountsRepository, SocialProvider, type TokenPayload, type UpdateProfileParams, type User, type UserPermission, UserPermissionsRepository, type UserProfile, UserProfilesRepository, type UserPublicKey, type UserSocialAccount, UsersRepository, type VerificationCode, VerificationCodesRepository, VerificationPurpose, acceptInvitation, addPermissionToRole, authLogger, authLoginEvent, authMetadata, authMetadataRepository, authRegisterEvent, authSchema, cancelInvitation, checkUsernameAvailableService, configureAuth, createAuthLifecycle, createInvitation, createOAuthState, createRole, decodeToken, deleteInvitation, deleteRole, exchangeCodeForTokens, expireOldInvitations, generateClientToken, generateKeyPair, generateKeyPairES256, generateKeyPairRS256, generateToken, getAllRoles, getAuth, getAuthConfig, getAuthSessionService, getGoogleAuthUrl, getGoogleOAuthConfig, getGoogleUserInfo, getInvitationByToken, getInvitationWithDetails, getKeyId, getKeySize, getLocale, getOneTimeTokenManager, getOptionalAuth, getRole, getRoleByName, getRolePermissions, getSessionInfo, getSessionTtl, getUser, getUserByEmailService, getUserByIdService, getUserByPhoneService, getUserId, getUserPermissions, getUserProfileService, getUserRole, hasAllPermissions, hasAnyPermission, hasAnyRole, hasPermission, hasRole, hashPassword, initOneTimeTokenManager, initializeAuth, invitationAcceptedEvent, invitationCreatedEvent, invitationsRepository, isGoogleOAuthEnabled, keysRepository, listInvitations, oneTimeTokenAuth, parseDuration, permissions, permissionsRepository, refreshAccessToken, removePermissionFromRole, requireAnyPermission, requirePermissions, requireRole, resendInvitation, roleGuard, rolePermissions, rolePermissionsRepository, roles, rolesRepository, sealSession, setRolePermissions, shouldRefreshSession, shouldRotateKey, socialAccountsRepository, unsealSession, updateLastLoginService, updateLocaleService, updateRole, updateUserProfileService, updateUserService, updateUsernameService, userInvitations, userPermissions, userPermissionsRepository, userProfiles, userProfilesRepository, userPublicKeys, userSocialAccounts, users, usersRepository, validateInvitation, validatePasswordStrength, verificationCodes, verificationCodesRepository, verifyClientToken, verifyKeyFingerprint, verifyOAuthState, verifyPassword, verifyToken };

package/dist/server.js CHANGED Viewed

@@ -7884,6 +7884,38 @@ async function getAuthSessionService(userId) {
   };
 }
+// src/server/lib/one-time-token.ts
+import { SSETokenManager } from "@spfn/core/event/sse";
+var manager = null;
+function initOneTimeTokenManager(config) {
+  if (manager) {
+    manager.destroy();
+  }
+  manager = new SSETokenManager({
+    ttl: config?.ttl
+  });
+}
+function getOneTimeTokenManager() {
+  if (!manager) {
+    throw new Error(
+      "OneTimeTokenManager not initialized. Ensure createAuthLifecycle() is configured in your server config."
+    );
+  }
+  return manager;
+}
+// src/server/services/one-time-token.service.ts
+async function issueOneTimeTokenService(userId) {
+  const manager2 = getOneTimeTokenManager();
+  const token = await manager2.issue(userId);
+  const expiresAt = new Date(Date.now() + 3e4).toISOString();
+  return { token, expiresAt };
+}
+async function verifyOneTimeTokenService(token) {
+  const manager2 = getOneTimeTokenManager();
+  return await manager2.verify(token);
+}
 // src/server/services/user-profile.service.ts
 init_repositories();
 async function getUserProfileService(userId) {
@@ -8457,6 +8489,10 @@ var getAuthSession = route.get("/_auth/session").handler(async (c) => {
   const { userId } = getAuth(c);
   return await getAuthSessionService(userId);
 });
+var issueOneTimeToken = route.post("/_auth/tokens").handler(async (c) => {
+  const { userId } = getAuth(c);
+  return await issueOneTimeTokenService(userId);
+});
 var authRouter = defineRouter({
   checkAccountExists,
   sendVerificationCode,
@@ -8466,7 +8502,8 @@ var authRouter = defineRouter({
   logout,
   rotateKey,
   changePassword,
-  getAuthSession
+  getAuthSession,
+  issueOneTimeToken
 });
 // src/server/routes/invitations/index.ts
@@ -8753,6 +8790,47 @@ var roleGuard = defineMiddleware4(
   }
 );
+// src/server/middleware/one-time-token-auth.ts
+import { defineMiddleware as defineMiddleware5 } from "@spfn/core/route";
+import { UnauthorizedError as UnauthorizedError2 } from "@spfn/core/errors";
+import { usersRepository as usersRepository3, userProfilesRepository as userProfilesRepository3 } from "@spfn/auth/server";
+var oneTimeTokenAuth = defineMiddleware5("oneTimeTokenAuth", async (c, next) => {
+  const token = c.req.query("token") ?? extractOTTHeader(c.req.header("Authorization"));
+  if (!token) {
+    throw new UnauthorizedError2({ message: "One-time token required: ?token=xxx or Authorization: OTT xxx" });
+  }
+  const userId = await verifyOneTimeTokenService(token);
+  if (!userId) {
+    throw new UnauthorizedError2({ message: "Invalid or expired one-time token" });
+  }
+  const [result, locale] = await Promise.all([
+    usersRepository3.findByIdWithRole(Number(userId)),
+    userProfilesRepository3.findLocaleByUserId(Number(userId))
+  ]);
+  if (!result) {
+    throw new UnauthorizedError2({ message: "User not found" });
+  }
+  const { user, role } = result;
+  if (user.status !== "active") {
+    throw new UnauthorizedError2({ message: "Account is not active" });
+  }
+  c.set("auth", {
+    user,
+    userId: String(user.id),
+    keyId: "",
+    // No key involved in OTT auth
+    role: role?.name ?? null,
+    locale
+  });
+  await next();
+}, { skips: ["auth"] });
+function extractOTTHeader(header) {
+  if (!header || !header.startsWith("OTT ")) {
+    return null;
+  }
+  return header.substring(4);
+}
 // src/server/routes/invitations/index.ts
 init_types();
 init_esm();
@@ -9242,6 +9320,8 @@ var mainAuthRouter = defineRouter5({
   rotateKey,
   changePassword,
   getAuthSession,
+  // One-Time Token routes
+  issueOneTimeToken,
   // OAuth routes
   oauthGoogleStart,
   oauthGoogleCallback,
@@ -9571,10 +9651,12 @@ function createAuthLifecycle(options = {}) {
      * Performs:
      * 1. Ensures admin account exists (creates if missing)
      * 2. Initializes RBAC system with built-in + custom roles/permissions
+     * 3. Initializes one-time token manager
      */
     afterInfrastructure: async () => {
       await initializeAuth(options);
       await ensureAdminExists();
+      initOneTimeTokenManager(options.oneTimeToken);
     }
   };
 }
@@ -9647,6 +9729,7 @@ export {
   getKeyId,
   getKeySize,
   getLocale,
+  getOneTimeTokenManager,
   getOptionalAuth,
   getRole,
   getRoleByName,
@@ -9667,18 +9750,21 @@ export {
   hasPermission,
   hasRole,
   hashPassword,
+  initOneTimeTokenManager,
   initializeAuth,
   invitationAcceptedEvent,
   invitationCreatedEvent,
   invitationsRepository,
   isGoogleOAuthEnabled,
   isOAuthProviderEnabled,
+  issueOneTimeTokenService,
   keysRepository,
   listInvitations,
   loginService,
   logoutService,
   oauthCallbackService,
   oauthStartService,
+  oneTimeTokenAuth,
   optionalAuth,
   parseDuration,
   permissions,
@@ -9728,6 +9814,7 @@ export {
   verifyCodeService,
   verifyKeyFingerprint,
   verifyOAuthState,
+  verifyOneTimeTokenService,
   verifyPassword,
   verifyToken
 };