npm - @spotto/contract - Versions diffs - 1.0.69-alpha.29 → 1.0.69-alpha.30 - Mend

@spotto/contract 1.0.69-alpha.29 → 1.0.69-alpha.30

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/organisations/sso/types.d.ts +22 -4
package/dist/sso/onboard/request.d.ts +9 -3
package/dist/sso/revert/response.d.ts +5 -3
package/package.json +2 -2

package/dist/organisations/sso/types.d.ts CHANGED Viewed

@@ -68,12 +68,30 @@ export interface SsoEnabledBase<TRoleId = string> {
     roleMappings: RoleMapping<TRoleId>[];
     /**
      * Mixed-mode opt-in: when `true`, the org accepts both SSO-managed users
-     * (via federation) AND native "guest" users created through `POST /users`
-     * with password login. Guest emails must be OUTSIDE `emailDomains` — the
-     * staff-domain space is reserved for the IdP. Defaults to `false`
-     * (SSO-only) when absent.
+     * (via federation) AND password-auth users created through `POST /users`.
+     * Password-user emails must be OUTSIDE `emailDomains` — the staff-domain
+     * space is reserved for the IdP. Defaults to `false` (SSO-only) when
+     * absent.
+     *
+     * Note: there's no on-disk "guest" type. A password-auth user in a
+     * mixed-mode org is the same shape as any other password-auth user
+     * (`authProvider: undefined`). What distinguishes federation-managed
+     * from password-managed identity is the email-domain rule, not a flag
+     * on the user record.
      */
     allowGuestUsers?: boolean;
+    /**
+     * Testing escape hatch: when `true`, federation is allowed for users
+     * whose email domain isn't in `emailDomains`. Production orgs should
+     * leave this off — without it, the IdP-to-emailDomains contract is
+     * enforced and federation is refused for any email outside the
+     * configured domains (`SSO_EMAIL_DOMAIN_NOT_ALLOWED`).
+     *
+     * Even when this flag is on, the bind path still refuses to overwrite
+     * an existing password-auth user whose email is outside `emailDomains`
+     * (identity-integrity guard) — only fresh JIT-creates proceed.
+     */
+    allowOutOfDomainEmails?: boolean;
 }
 export interface SsoEnabledOidc<TRoleId = string> extends SsoEnabledBase<TRoleId> {
     mode: 'oidc';

package/dist/sso/onboard/request.d.ts CHANGED Viewed

@@ -32,11 +32,17 @@ interface OnboardSsoOrgWireBase {
      */
     roleMappings?: RoleMappingInput[];
     /**
-     * Opt-in to mixed-mode: allow native "guest" users alongside SSO-managed
-     * users in the same org. Guests authenticate by password and must use an
-     * email domain OUTSIDE `emailDomains`. Defaults to `false`.
+     * Opt-in to mixed-mode: allow password-auth users alongside SSO-managed
+     * users in the same org. Password-user emails must be OUTSIDE
+     * `emailDomains`. Defaults to `false`.
      */
     allowGuestUsers?: boolean;
+    /**
+     * Testing escape hatch: when `true`, federation is allowed for users
+     * whose email domain isn't in `emailDomains`. See `SsoEnabledBase`.
+     * Defaults to `false`.
+     */
+    allowOutOfDomainEmails?: boolean;
 }
 export interface OnboardSsoOrgOidcRequest extends OnboardSsoOrgWireBase {
     mode: 'oidc';

package/dist/sso/revert/response.d.ts CHANGED Viewed

@@ -5,9 +5,11 @@
  *   their original pre-SSO password.
  * - `noPriorAccount` — user was JIT-created post-SSO; no native record to
  *   restore. Loses access. Operator must manually re-add.
- * - `skippedGuest` — user is a mixed-mode guest (`authProvider: 'native'`).
- *   They were never IdP-managed; their native Cognito record is intact
- *   and they retain access. No Mongo write needed.
+ * - `skippedGuest` — user's email domain is outside the org's
+ *   (now-removed) `sso.emailDomains`, so they were never federation-
+ *   managed in the first place. Their native Cognito record is intact
+ *   and they retain access. No Mongo write needed. (Name kept for
+ *   contract stability; semantically "skipped because not SSO-bound".)
  * - `failed` — Mongo update threw mid-loop; see `error`. The revert as a
  *   whole continues processing other users; an operator can retry the
  *   failed ones.

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@spotto/contract",
   "license": "ISC",
-  "version": "1.0.69-alpha.29",
+  "version": "1.0.69-alpha.30",
   "description": "Spotto's API Contract type definitions",
   "main": "./dist/index.js",
   "files": [
@@ -18,5 +18,5 @@
     "@types/geojson": "^7946.0.11",
     "shx": "^0.3.4"
   },
-  "gitHead": "a9ff090ef4f24d4067f9ee212ffd0ab458c8af66"
+  "gitHead": "d0b13061fc923ffa432a8677206936242fb93958"
 }