npm - @spfn/auth - Versions diffs - 0.2.0-beta.46 → 0.2.0-beta.48 - Mend

@spfn/auth 0.2.0-beta.46 → 0.2.0-beta.48

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/README.md +53 -30
package/dist/{authenticate-CRDUKQbi.d.ts → authenticate-eucncHxN.d.ts} +26 -1
package/dist/config.d.ts +20 -0
package/dist/config.js +9 -0
package/dist/config.js.map +1 -1
package/dist/index.d.ts +3 -2
package/dist/index.js +1 -0
package/dist/index.js.map +1 -1
package/dist/nextjs/api.js +24 -15
package/dist/nextjs/api.js.map +1 -1
package/dist/server.d.ts +92 -4
package/dist/server.js +88 -1
package/dist/server.js.map +1 -1
package/package.json +3 -3

package/dist/server.js CHANGED Viewed

@@ -7884,6 +7884,38 @@ async function getAuthSessionService(userId) {
   };
 }
+// src/server/lib/one-time-token.ts
+import { SSETokenManager } from "@spfn/core/event/sse";
+var manager = null;
+function initOneTimeTokenManager(config) {
+  if (manager) {
+    manager.destroy();
+  }
+  manager = new SSETokenManager({
+    ttl: config?.ttl
+  });
+}
+function getOneTimeTokenManager() {
+  if (!manager) {
+    throw new Error(
+      "OneTimeTokenManager not initialized. Ensure createAuthLifecycle() is configured in your server config."
+    );
+  }
+  return manager;
+}
+// src/server/services/one-time-token.service.ts
+async function issueOneTimeTokenService(userId) {
+  const manager2 = getOneTimeTokenManager();
+  const token = await manager2.issue(userId);
+  const expiresAt = new Date(Date.now() + 3e4).toISOString();
+  return { token, expiresAt };
+}
+async function verifyOneTimeTokenService(token) {
+  const manager2 = getOneTimeTokenManager();
+  return await manager2.verify(token);
+}
 // src/server/services/user-profile.service.ts
 init_repositories();
 async function getUserProfileService(userId) {
@@ -8457,6 +8489,10 @@ var getAuthSession = route.get("/_auth/session").handler(async (c) => {
   const { userId } = getAuth(c);
   return await getAuthSessionService(userId);
 });
+var issueOneTimeToken = route.post("/_auth/tokens").handler(async (c) => {
+  const { userId } = getAuth(c);
+  return await issueOneTimeTokenService(userId);
+});
 var authRouter = defineRouter({
   checkAccountExists,
   sendVerificationCode,
@@ -8466,7 +8502,8 @@ var authRouter = defineRouter({
   logout,
   rotateKey,
   changePassword,
-  getAuthSession
+  getAuthSession,
+  issueOneTimeToken
 });
 // src/server/routes/invitations/index.ts
@@ -8753,6 +8790,47 @@ var roleGuard = defineMiddleware4(
   }
 );
+// src/server/middleware/one-time-token-auth.ts
+import { defineMiddleware as defineMiddleware5 } from "@spfn/core/route";
+import { UnauthorizedError as UnauthorizedError2 } from "@spfn/core/errors";
+import { usersRepository as usersRepository3, userProfilesRepository as userProfilesRepository3 } from "@spfn/auth/server";
+var oneTimeTokenAuth = defineMiddleware5("oneTimeTokenAuth", async (c, next) => {
+  const token = c.req.query("token") ?? extractOTTHeader(c.req.header("Authorization"));
+  if (!token) {
+    throw new UnauthorizedError2({ message: "One-time token required: ?token=xxx or Authorization: OTT xxx" });
+  }
+  const userId = await verifyOneTimeTokenService(token);
+  if (!userId) {
+    throw new UnauthorizedError2({ message: "Invalid or expired one-time token" });
+  }
+  const [result, locale] = await Promise.all([
+    usersRepository3.findByIdWithRole(Number(userId)),
+    userProfilesRepository3.findLocaleByUserId(Number(userId))
+  ]);
+  if (!result) {
+    throw new UnauthorizedError2({ message: "User not found" });
+  }
+  const { user, role } = result;
+  if (user.status !== "active") {
+    throw new UnauthorizedError2({ message: "Account is not active" });
+  }
+  c.set("auth", {
+    user,
+    userId: String(user.id),
+    keyId: "",
+    // No key involved in OTT auth
+    role: role?.name ?? null,
+    locale
+  });
+  await next();
+}, { skips: ["auth"] });
+function extractOTTHeader(header) {
+  if (!header || !header.startsWith("OTT ")) {
+    return null;
+  }
+  return header.substring(4);
+}
 // src/server/routes/invitations/index.ts
 init_types();
 init_esm();
@@ -9242,6 +9320,8 @@ var mainAuthRouter = defineRouter5({
   rotateKey,
   changePassword,
   getAuthSession,
+  // One-Time Token routes
+  issueOneTimeToken,
   // OAuth routes
   oauthGoogleStart,
   oauthGoogleCallback,
@@ -9571,10 +9651,12 @@ function createAuthLifecycle(options = {}) {
      * Performs:
      * 1. Ensures admin account exists (creates if missing)
      * 2. Initializes RBAC system with built-in + custom roles/permissions
+     * 3. Initializes one-time token manager
      */
     afterInfrastructure: async () => {
       await initializeAuth(options);
       await ensureAdminExists();
+      initOneTimeTokenManager(options.oneTimeToken);
     }
   };
 }
@@ -9647,6 +9729,7 @@ export {
   getKeyId,
   getKeySize,
   getLocale,
+  getOneTimeTokenManager,
   getOptionalAuth,
   getRole,
   getRoleByName,
@@ -9667,18 +9750,21 @@ export {
   hasPermission,
   hasRole,
   hashPassword,
+  initOneTimeTokenManager,
   initializeAuth,
   invitationAcceptedEvent,
   invitationCreatedEvent,
   invitationsRepository,
   isGoogleOAuthEnabled,
   isOAuthProviderEnabled,
+  issueOneTimeTokenService,
   keysRepository,
   listInvitations,
   loginService,
   logoutService,
   oauthCallbackService,
   oauthStartService,
+  oneTimeTokenAuth,
   optionalAuth,
   parseDuration,
   permissions,
@@ -9728,6 +9814,7 @@ export {
   verifyCodeService,
   verifyKeyFingerprint,
   verifyOAuthState,
+  verifyOneTimeTokenService,
   verifyPassword,
   verifyToken
 };