@venturekit/auth 0.0.0-dev.20260701100017 → 0.0.0-dev.20260704225856

Files changed (62) hide show
  1. package/dist/index.d.ts +2 -1
  2. package/dist/index.d.ts.map +1 -1
  3. package/dist/index.js +5 -1
  4. package/dist/index.js.map +1 -1
  5. package/{migrations → dist/migrations}/vk_auth_001_verification_codes.sql +7 -4
  6. package/dist/migrations/vk_auth_003_role_scopes.sql +43 -0
  7. package/dist/roles/index.d.ts +5 -1
  8. package/dist/roles/index.d.ts.map +1 -1
  9. package/dist/roles/index.js +4 -1
  10. package/dist/roles/index.js.map +1 -1
  11. package/dist/roles/role-scopes.d.ts +92 -0
  12. package/dist/roles/role-scopes.d.ts.map +1 -0
  13. package/dist/roles/role-scopes.js +122 -0
  14. package/dist/roles/role-scopes.js.map +1 -0
  15. package/dist/server/cookies.d.ts +98 -13
  16. package/dist/server/cookies.d.ts.map +1 -1
  17. package/dist/server/cookies.js +77 -19
  18. package/dist/server/cookies.js.map +1 -1
  19. package/dist/server/federated-routes.d.ts +29 -22
  20. package/dist/server/federated-routes.d.ts.map +1 -1
  21. package/dist/server/federated-routes.js +31 -4
  22. package/dist/server/federated-routes.js.map +1 -1
  23. package/dist/server/federated.d.ts.map +1 -1
  24. package/dist/server/federated.js +7 -11
  25. package/dist/server/federated.js.map +1 -1
  26. package/dist/server/forgot-password.js +0 -1
  27. package/dist/server/forgot-password.js.map +1 -1
  28. package/dist/server/handoff-routes.d.ts +130 -0
  29. package/dist/server/handoff-routes.d.ts.map +1 -0
  30. package/dist/server/handoff-routes.js +178 -0
  31. package/dist/server/handoff-routes.js.map +1 -0
  32. package/dist/server/handoff.d.ts +112 -0
  33. package/dist/server/handoff.d.ts.map +1 -0
  34. package/dist/server/handoff.js +102 -0
  35. package/dist/server/handoff.js.map +1 -0
  36. package/dist/server/index.d.ts +11 -4
  37. package/dist/server/index.d.ts.map +1 -1
  38. package/dist/server/index.js +9 -3
  39. package/dist/server/index.js.map +1 -1
  40. package/dist/server/middleware.d.ts +35 -0
  41. package/dist/server/middleware.d.ts.map +1 -1
  42. package/dist/server/middleware.js +50 -10
  43. package/dist/server/middleware.js.map +1 -1
  44. package/dist/server/passwordless.d.ts +68 -0
  45. package/dist/server/passwordless.d.ts.map +1 -0
  46. package/dist/server/passwordless.js +136 -0
  47. package/dist/server/passwordless.js.map +1 -0
  48. package/dist/server/revoke.d.ts +10 -0
  49. package/dist/server/revoke.d.ts.map +1 -1
  50. package/dist/server/revoke.js +19 -2
  51. package/dist/server/revoke.js.map +1 -1
  52. package/dist/server/store/postgres.d.ts +35 -0
  53. package/dist/server/store/postgres.d.ts.map +1 -0
  54. package/dist/server/store/postgres.js +88 -0
  55. package/dist/server/store/postgres.js.map +1 -0
  56. package/dist/server/token-utils.d.ts +12 -2
  57. package/dist/server/token-utils.d.ts.map +1 -1
  58. package/dist/server/token-utils.js +9 -4
  59. package/dist/server/token-utils.js.map +1 -1
  60. package/package.json +21 -8
  61. package/src/migrations/vk_auth_001_verification_codes.sql +55 -0
  62. package/src/migrations/vk_auth_003_role_scopes.sql +43 -0
@@ -1 +1 @@
1
- {"version":3,"file":"token-utils.js","sourceRoot":"","sources":["../../src/server/token-utils.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,wDAAwD;AACxD,MAAM,CAAC,MAAM,gCAAgC,GAAG,IAAI,CAAC;AAErD;;;;;;;;;GASG;AACH,MAAM,UAAU,sBAAsB,CACpC,GAAW,EACX,aAAqB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;IAElD,MAAM,OAAO,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACtC,IAAI,CAAC,OAAO;QAAE,OAAO,gCAAgC,CAAC;IAEtD,MAAM,GAAG,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;IACtE,MAAM,GAAG,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;IAEtE,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,gCAAgC,CAAC;IAE/D,MAAM,SAAS,GAAG,GAAG,GAAG,UAAU,CAAC;IACnC,IAAI,SAAS,GAAG,CAAC;QAAE,OAAO,SAAS,CAAC;IAEpC,0EAA0E;IAC1E,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,GAAG,GAAG;QAAE,OAAO,GAAG,GAAG,GAAG,CAAC;IAErD,OAAO,gCAAgC,CAAC;AAC1C,CAAC;AAED;;;GAGG;AACH,SAAS,gBAAgB,CAAC,GAAW;IACnC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7D,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAClC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACrE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAY,CAAC;QAC3C,IAAI,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,OAAO,GAA8B,CAAC;QAC1E,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}
1
+ {"version":3,"file":"token-utils.js","sourceRoot":"","sources":["../../src/server/token-utils.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,wDAAwD;AACxD,MAAM,CAAC,MAAM,gCAAgC,GAAG,IAAI,CAAC;AAErD;;;;;;;;;GASG;AACH,MAAM,UAAU,sBAAsB,CACpC,GAAW,EACX,aAAqB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;IAElD,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO;QAAE,OAAO,gCAAgC,CAAC;IAEtD,MAAM,GAAG,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;IACtE,MAAM,GAAG,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;IAEtE,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,gCAAgC,CAAC;IAE/D,MAAM,SAAS,GAAG,GAAG,GAAG,UAAU,CAAC;IACnC,IAAI,SAAS,GAAG,CAAC;QAAE,OAAO,SAAS,CAAC;IAEpC,0EAA0E;IAC1E,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,GAAG,GAAG;QAAE,OAAO,GAAG,GAAG,GAAG,CAAC;IAErD,OAAO,gCAAgC,CAAC;AAC1C,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,eAAe,CAC7B,GAAW;IAEX,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7D,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAClC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACrE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAY,CAAC;QAC3C,IAAI,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,OAAO,GAAQ,CAAC;QACpD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}
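--- a/package/package.json
+++ b/package/package.json
@@ -1,26 +1,30 @@
 {
 "name": "@venturekit/auth",
-"version": "0.0.0-dev.20260701100017",
+"version": "0.0.0-dev.20260704225856",
 "description": "Authentication and authorization for VentureKit",
 "type": "module",
 "main": "./dist/index.js",
 "types": "./dist/index.d.ts",
 "files": [
 "dist",
-"migrations"
+"src/migrations/*.sql"
 ],
 "repository": {
 "type": "git",
-"url": "https://github.com/venturekit-dev/venturekit.private.git",
+"url": "https://github.com/venturekit-dev/venturekit.git",
 "directory": "packages/auth"
 },
+"homepage": "https://venturekit.dev",
+"bugs": {
+"url": "https://github.com/venturekit-dev/venturekit/issues"
+},
 "publishConfig": {
 "registry": "https://registry.npmjs.org",
 "access": "public"
 },
 "license": "Apache-2.0",
 "vk": {
-"migrations": "migrations"
+"migrations": "src/migrations"
 },
 "exports": {
 ".": {
@@ -30,30 +34,39 @@
 "./server": {
 "import": "./dist/server/index.js",
 "types": "./dist/server/index.d.ts"
+},
+"./server/store/postgres": {
+"import": "./dist/server/store/postgres.js",
+"types": "./dist/server/store/postgres.d.ts"
 }
 },
 "dependencies": {
-"@venturekit/core": "0.0.0-dev.20260701100017",
+"@venturekit/core": "0.0.0-dev.20260704225856",
 "@aws-sdk/client-cognito-identity-provider": "^3.1068.0",
 "@aws-sdk/client-secrets-manager": "^3.1068.0",
 "aws-jwt-verify": "^4.0.1"
 },
 "peerDependencies": {
-"@venturekit/runtime": "0.0.0-dev.20260701100017"
+"@venturekit/data": "0.0.0-dev.20260704225856",
+"@venturekit/runtime": "0.0.0-dev.20260704225856"
 },
 "peerDependenciesMeta": {
+"@venturekit/data": {
+"optional": true
+},
 "@venturekit/runtime": {
 "optional": true
 }
 },
 "devDependencies": {
-"@venturekit/runtime": "0.0.0-dev.20260701100017",
+"@venturekit/data": "0.0.0-dev.20260704225856",
+"@venturekit/runtime": "0.0.0-dev.20260704225856",
 "@types/aws-lambda": "^8.10.131",
 "@types/node": "^25.6.0",
 "typescript": "^5.3.0"
 },
 "scripts": {
-"build": "tsc",
+"build": "tsc && node -e \"require('fs').cpSync('src/migrations','dist/migrations',{recursive:true})\"",
 "dev": "tsc --watch",
 "clean": "rm -rf dist"
 }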
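Review bot: The migrations are now published from two places — `files` adds `src/migrations/*.sql` and `vk.migrations` points at `src/migrations`, while the new `build` script also copies them into `dist/migrations`, which already ships via `dist` (the file list for this version shows both a `dist/migrations/` and a `src/migrations/` copy of each SQL file). Two copies of the same DDL invite drift and leave it ambiguous which one a consumer's migration runner actually applies. I'd keep exactly one: drop the `cpSync` step from `build`, or point `vk.migrations` at `dist/migrations` and remove `src/migrations/*.sql` from `files`. Presumably the new `./server/store/postgres` export is what needs the new optional `@venturekit/data` peer; if so, a clear error when that subpath is imported without it would beat a bare module-resolution failure, but the store's imports are not visible here.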
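--- /dev/null
+++ b/package/src/migrations/vk_auth_001_verification_codes.sql
@@ -0,0 +1,55 @@
+-- vk_auth_001_verification_codes.sql
+--
+-- Owned by `@venturekit/auth`. Creates the `vk_verification_codes`
+-- table backing `VerificationCodeStore` (used by the OTP gating on
+-- self-service sign-up + sign-in / passwordless). The table is
+-- `vk_`-prefixed per VentureKit's "package-owned tables are prefixed"
+-- convention; consumer-side stores must query `vk_verification_codes`.
+--
+-- Rows are pre-Cognito state — created BEFORE a user exists in either
+-- Cognito or any consumer-side `users` mirror. The `identifier` is the
+-- email or E.164 phone number the code was sent to; `channel` is the
+-- delivery surface.
+--
+-- Storage shape:
+-- - `code_hash` is SHA-256 of the plaintext code (hex). Plaintext
+-- never lands in the DB so a future leak still requires brute
+-- force against the (short) TTL.
+-- - `expires_at` is the wall-clock cutoff after which the
+-- `verifyVerificationCode` helper deletes the row and surfaces
+-- `verification_failed`.
+-- - `attempts` is incremented on every wrong-code submission;
+-- once it reaches `max_attempts` the row is deleted (forces the
+-- user to request a fresh code).
+--
+-- Channel typing: stored as TEXT + CHECK rather than a Postgres enum
+-- so this migration does not depend on `@venturekit/notify`'s
+-- `notify_channel` enum (auth must be usable without notify — e.g. a
+-- project that ships its own delivery layer). Add new values here when
+-- the auth package learns to dispatch over them.
+--
+-- Idempotent: uses `CREATE TABLE IF NOT EXISTS` so projects that
+-- previously created the table from their own migration (with a
+-- compatible shape) can adopt this one without dropping data. The
+-- expectation is that those projects will then leave their old
+-- migration file in place but stop hand-maintaining the schema here.
+
+CREATE TABLE IF NOT EXISTS vk_verification_codes (
+channel TEXT NOT NULL,
+identifier TEXT NOT NULL,
+code_hash TEXT NOT NULL,
+expires_at TIMESTAMPTZ NOT NULL,
+attempts INT NOT NULL DEFAULT 0,
+max_attempts INT NOT NULL DEFAULT 5,
+created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+PRIMARY KEY (channel, identifier),
+CONSTRAINT verification_codes_channel_chk
+CHECK (channel IN ('email', 'whatsapp', 'sms')),
+CONSTRAINT verification_codes_attempts_chk
+CHECK (attempts >= 0),
+CONSTRAINT verification_codes_max_attempts_chk
+CHECK (max_attempts >= 1)
+);
+
+CREATE INDEX IF NOT EXISTS idx_verification_codes_expires_at
+ON vk_verification_codes (expires_at);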
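Review bot: The first "Storage shape" bullet overstates what an unkeyed SHA-256 buys: a verification code is a handful of digits, so anyone who reads `code_hash` from a leaked table recovers the plaintext by hashing the entire code space offline in well under a second, and `expires_at`/`attempts` only bound online guessing against the API, not that offline step. Unless the store hashes with a server-side secret (HMAC-SHA256 keyed from the Secrets Manager this package already depends on), the TTL reasoning should be softened; the hashing itself lives in `VerificationCodeStore`, outside this hunk, so I can't confirm which it does. I'd reword the bullet to `-- - code_hash is HMAC-SHA256(server_secret, code) as hex — a plain hash of a short numeric code is brute-forceable offline in milliseconds, so a DB leak must not be the only barrier; TTL and attempts only limit online guessing.` Separately, nothing in this shape throttles code issuance per identifier; `created_at` is already in the row, so a resend cooldown check against it in the store would close the SMS/WhatsApp flood vector if that isn't enforced elsewhere.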
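--- /dev/null
+++ b/package/src/migrations/vk_auth_003_role_scopes.sql
@@ -0,0 +1,43 @@
+-- @venturekit/auth — role → scopes mapping.
+--
+-- The DB is the SOURCE OF TRUTH for which scopes each role grants.
+-- VentureKit ships the STRUCTURE (this migration, applied automatically
+-- with every other package migration); the consuming app ships DATA
+-- migrations to seed its own taxonomy, e.g.:
+--
+-- INSERT INTO vk_role_scopes (role, scope) VALUES
+-- ('member', 'member.verified'),
+-- ('moderator', 'member.verified'),
+-- ('moderator', 'moderation.reports.read')
+-- ON CONFLICT DO NOTHING;
+--
+-- Lives in @venturekit/auth — NOT in a pro package — because a role →
+-- scopes matrix is baseline authorization for ANY app: single-tenant
+-- apps key it by their global user role; multi-tenant apps feed it to
+-- `@venturekit-pro/tenancy`'s scopes middleware
+-- (`createTenantUserScopesMiddleware({ scopesByRole: resolver.lookup })`).
+--
+-- At runtime the mapping is read through `createRoleScopesResolver()`
+-- (cached, TTL-refreshed). Mutations go through `setRoleScopes` /
+-- `grantScopeToRole` / `revokeScopeFromRole`, so apps can build
+-- management UIs on top — changes propagate to warm instances within
+-- the resolver's TTL.
+--
+-- Deliberately GLOBAL (no tenant column): the mapping is the app's
+-- authorization POLICY, not tenant data. Per-tenant overrides, if ever
+-- needed, belong in a separate overlay table so the hot path stays a
+-- single cached full-table read.
+
+CREATE TABLE IF NOT EXISTS vk_role_scopes (
+role text NOT NULL,
+scope text NOT NULL,
+created_at timestamptz NOT NULL DEFAULT now(),
+PRIMARY KEY (role, scope)
+);
+
+COMMENT ON TABLE vk_role_scopes IS
+'Role → scope grants. Structure owned by @venturekit/auth; rows owned by the consuming app (seed via app migrations, manage via the role-scopes helpers).';
+
+-- Scope grants are read by role on every request that misses the
+-- resolver cache; the PK already serves (role, scope) lookups and
+-- role-prefix scans.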
+ -- role-prefix scans.