@venturekit/auth 0.0.0-dev.20260701100017 → 0.0.0-dev.20260704225856
- package/dist/index.d.ts +2 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +5 -1
- package/dist/index.js.map +1 -1
- package/{migrations → dist/migrations}/vk_auth_001_verification_codes.sql +7 -4
- package/dist/migrations/vk_auth_003_role_scopes.sql +43 -0
- package/dist/roles/index.d.ts +5 -1
- package/dist/roles/index.d.ts.map +1 -1
- package/dist/roles/index.js +4 -1
- package/dist/roles/index.js.map +1 -1
- package/dist/roles/role-scopes.d.ts +92 -0
- package/dist/roles/role-scopes.d.ts.map +1 -0
- package/dist/roles/role-scopes.js +122 -0
- package/dist/roles/role-scopes.js.map +1 -0
- package/dist/server/cookies.d.ts +98 -13
- package/dist/server/cookies.d.ts.map +1 -1
- package/dist/server/cookies.js +77 -19
- package/dist/server/cookies.js.map +1 -1
- package/dist/server/federated-routes.d.ts +29 -22
- package/dist/server/federated-routes.d.ts.map +1 -1
- package/dist/server/federated-routes.js +31 -4
- package/dist/server/federated-routes.js.map +1 -1
- package/dist/server/federated.d.ts.map +1 -1
- package/dist/server/federated.js +7 -11
- package/dist/server/federated.js.map +1 -1
- package/dist/server/forgot-password.js +0 -1
- package/dist/server/forgot-password.js.map +1 -1
- package/dist/server/handoff-routes.d.ts +130 -0
- package/dist/server/handoff-routes.d.ts.map +1 -0
- package/dist/server/handoff-routes.js +178 -0
- package/dist/server/handoff-routes.js.map +1 -0
- package/dist/server/handoff.d.ts +112 -0
- package/dist/server/handoff.d.ts.map +1 -0
- package/dist/server/handoff.js +102 -0
- package/dist/server/handoff.js.map +1 -0
- package/dist/server/index.d.ts +11 -4
- package/dist/server/index.d.ts.map +1 -1
- package/dist/server/index.js +9 -3
- package/dist/server/index.js.map +1 -1
- package/dist/server/middleware.d.ts +35 -0
- package/dist/server/middleware.d.ts.map +1 -1
- package/dist/server/middleware.js +50 -10
- package/dist/server/middleware.js.map +1 -1
- package/dist/server/passwordless.d.ts +68 -0
- package/dist/server/passwordless.d.ts.map +1 -0
- package/dist/server/passwordless.js +136 -0
- package/dist/server/passwordless.js.map +1 -0
- package/dist/server/revoke.d.ts +10 -0
- package/dist/server/revoke.d.ts.map +1 -1
- package/dist/server/revoke.js +19 -2
- package/dist/server/revoke.js.map +1 -1
- package/dist/server/store/postgres.d.ts +35 -0
- package/dist/server/store/postgres.d.ts.map +1 -0
- package/dist/server/store/postgres.js +88 -0
- package/dist/server/store/postgres.js.map +1 -0
- package/dist/server/token-utils.d.ts +12 -2
- package/dist/server/token-utils.d.ts.map +1 -1
- package/dist/server/token-utils.js +9 -4
- package/dist/server/token-utils.js.map +1 -1
- package/package.json +21 -8
- package/src/migrations/vk_auth_001_verification_codes.sql +55 -0
- package/src/migrations/vk_auth_003_role_scopes.sql +43 -0
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"token-utils.js","sourceRoot":"","sources":["../../src/server/token-utils.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"token-utils.js","sourceRoot":"","sources":["../../src/server/token-utils.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,wDAAwD;AACxD,MAAM,CAAC,MAAM,gCAAgC,GAAG,IAAI,CAAC;AAErD;;;;;;;;;GASG;AACH,MAAM,UAAU,sBAAsB,CACpC,GAAW,EACX,aAAqB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;IAElD,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO;QAAE,OAAO,gCAAgC,CAAC;IAEtD,MAAM,GAAG,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;IACtE,MAAM,GAAG,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;IAEtE,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,gCAAgC,CAAC;IAE/D,MAAM,SAAS,GAAG,GAAG,GAAG,UAAU,CAAC;IACnC,IAAI,SAAS,GAAG,CAAC;QAAE,OAAO,SAAS,CAAC;IAEpC,0EAA0E;IAC1E,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,GAAG,GAAG;QAAE,OAAO,GAAG,GAAG,GAAG,CAAC;IAErD,OAAO,gCAAgC,CAAC;AAC1C,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,eAAe,CAC7B,GAAW;IAEX,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7D,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAClC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACrE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAY,CAAC;QAC3C,IAAI,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,OAAO,GAAQ,CAAC;QACpD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}
|
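--- a/package/package.json
+++ b/package/package.json
@@ -1,26 +1,30 @@
 {
 "name": "@venturekit/auth",
-"version": "0.0.0-dev.
+"version": "0.0.0-dev.20260704225856",
 "description": "Authentication and authorization for VentureKit",
 "type": "module",
 "main": "./dist/index.js",
 "types": "./dist/index.d.ts",
 "files": [
 "dist",
-"migrations"
+"src/migrations/*.sql"
 ],
 "repository": {
 "type": "git",
-"url": "https://github.com/venturekit-dev/venturekit.
+"url": "https://github.com/venturekit-dev/venturekit.git",
 "directory": "packages/auth"
 },
+"homepage": "https://venturekit.dev",
+"bugs": {
+"url": "https://github.com/venturekit-dev/venturekit/issues"
+},
 "publishConfig": {
 "registry": "https://registry.npmjs.org",
 "access": "public"
 },
 "license": "Apache-2.0",
 "vk": {
-"migrations": "migrations"
+"migrations": "src/migrations"
 },
 "exports": {
 ".": {
@@ -30,30 +34,39 @@
 "./server": {
 "import": "./dist/server/index.js",
 "types": "./dist/server/index.d.ts"
+},
+"./server/store/postgres": {
+"import": "./dist/server/store/postgres.js",
+"types": "./dist/server/store/postgres.d.ts"
 }
 },
 "dependencies": {
-"@venturekit/core": "0.0.0-dev.
+"@venturekit/core": "0.0.0-dev.20260704225856",
 "@aws-sdk/client-cognito-identity-provider": "^3.1068.0",
 "@aws-sdk/client-secrets-manager": "^3.1068.0",
 "aws-jwt-verify": "^4.0.1"
 },
 "peerDependencies": {
-"@venturekit/
+"@venturekit/data": "0.0.0-dev.20260704225856",
+"@venturekit/runtime": "0.0.0-dev.20260704225856"
 },
 "peerDependenciesMeta": {
+"@venturekit/data": {
+"optional": true
+},
 "@venturekit/runtime": {
 "optional": true
 }
 },
 "devDependencies": {
-"@venturekit/
+"@venturekit/data": "0.0.0-dev.20260704225856",
+"@venturekit/runtime": "0.0.0-dev.20260704225856",
 "@types/aws-lambda": "^8.10.131",
 "@types/node": "^25.6.0",
 "typescript": "^5.3.0"
 },
 "scripts": {
-"build": "tsc",
+"build": "tsc && node -e \"require('fs').cpSync('src/migrations','dist/migrations',{recursive:true})\"",
 "dev": "tsc --watch",
 "clean": "rm -rf dist"
 }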
|
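--- /dev/null
+++ b/package/src/migrations/vk_auth_001_verification_codes.sql
@@ -0,0 +1,55 @@
+-- vk_auth_001_verification_codes.sql
+--
+-- Owned by `@venturekit/auth`. Creates the `vk_verification_codes`
+-- table backing `VerificationCodeStore` (used by the OTP gating on
+-- self-service sign-up + sign-in / passwordless). The table is
+-- `vk_`-prefixed per VentureKit's "package-owned tables are prefixed"
+-- convention; consumer-side stores must query `vk_verification_codes`.
+--
+-- Rows are pre-Cognito state — created BEFORE a user exists in either
+-- Cognito or any consumer-side `users` mirror. The `identifier` is the
+-- email or E.164 phone number the code was sent to; `channel` is the
+-- delivery surface.
+--
+-- Storage shape:
+-- - `code_hash` is SHA-256 of the plaintext code (hex). Plaintext
+-- never lands in the DB so a future leak still requires brute
+-- force against the (short) TTL.
+-- - `expires_at` is the wall-clock cutoff after which the
+-- `verifyVerificationCode` helper deletes the row and surfaces
+-- `verification_failed`.
+-- - `attempts` is incremented on every wrong-code submission;
+-- once it reaches `max_attempts` the row is deleted (forces the
+-- user to request a fresh code).
+--
+-- Channel typing: stored as TEXT + CHECK rather than a Postgres enum
+-- so this migration does not depend on `@venturekit/notify`'s
+-- `notify_channel` enum (auth must be usable without notify — e.g. a
+-- project that ships its own delivery layer). Add new values here when
+-- the auth package learns to dispatch over them.
+--
+-- Idempotent: uses `CREATE TABLE IF NOT EXISTS` so projects that
+-- previously created the table from their own migration (with a
+-- compatible shape) can adopt this one without dropping data. The
+-- expectation is that those projects will then leave their old
+-- migration file in place but stop hand-maintaining the schema here.
+
+CREATE TABLE IF NOT EXISTS vk_verification_codes (
+channel TEXT NOT NULL,
+identifier TEXT NOT NULL,
+code_hash TEXT NOT NULL,
+expires_at TIMESTAMPTZ NOT NULL,
+attempts INT NOT NULL DEFAULT 0,
+max_attempts INT NOT NULL DEFAULT 5,
+created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+PRIMARY KEY (channel, identifier),
+CONSTRAINT verification_codes_channel_chk
+CHECK (channel IN ('email', 'whatsapp', 'sms')),
+CONSTRAINT verification_codes_attempts_chk
+CHECK (attempts >= 0),
+CONSTRAINT verification_codes_max_attempts_chk
+CHECK (max_attempts >= 1)
+);
+
+CREATE INDEX IF NOT EXISTS idx_verification_codes_expires_at
+ON vk_verification_codes (expires_at);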
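Review bot: The header comment (lines 15–17) says a leaked `code_hash` "still requires brute force against the (short) TTL", but for a short OTP an unkeyed SHA-256 is guessable offline in a fraction of a second irrespective of TTL, and the recovered code can then be submitted once without ever touching `attempts`; the code's length is not visible here, so if it is a short numeric OTP consider hashing it with a server-side secret (HMAC) so a DB-only leak is useless, and in any case reword the comment to `-- never lands in the DB; note a plain SHA-256 of a short code is still offline-guessable, so treat a DB leak as a code leak.` The index name `idx_verification_codes_expires_at` lacks the `vk_` prefix and index names are schema-scoped in Postgres, so a project adopting this migration over its own earlier `verification_codes` table with an identically named index will have `CREATE INDEX IF NOT EXISTS` silently skipped, leaving `vk_verification_codes` unindexed — `vk_verification_codes_expires_at_idx` sidesteps that. `CREATE TABLE IF NOT EXISTS` also does not verify the "compatible shape" the header relies on: a pre-existing table missing `max_attempts` or the CHECK constraints passes this migration and fails at runtime, which deserves a sentence in the header or an explicit column check. Nothing in this file sweeps expired rows that are never re-submitted; if a cleanup job exists elsewhere, naming it next to the index would explain why the index is there.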
|
|
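--- /dev/null
+++ b/package/src/migrations/vk_auth_003_role_scopes.sql
@@ -0,0 +1,43 @@
+-- @venturekit/auth — role → scopes mapping.
+--
+-- The DB is the SOURCE OF TRUTH for which scopes each role grants.
+-- VentureKit ships the STRUCTURE (this migration, applied automatically
+-- with every other package migration); the consuming app ships DATA
+-- migrations to seed its own taxonomy, e.g.:
+--
+-- INSERT INTO vk_role_scopes (role, scope) VALUES
+-- ('member', 'member.verified'),
+-- ('moderator', 'member.verified'),
+-- ('moderator', 'moderation.reports.read')
+-- ON CONFLICT DO NOTHING;
+--
+-- Lives in @venturekit/auth — NOT in a pro package — because a role →
+-- scopes matrix is baseline authorization for ANY app: single-tenant
+-- apps key it by their global user role; multi-tenant apps feed it to
+-- `@venturekit-pro/tenancy`'s scopes middleware
+-- (`createTenantUserScopesMiddleware({ scopesByRole: resolver.lookup })`).
+--
+-- At runtime the mapping is read through `createRoleScopesResolver()`
+-- (cached, TTL-refreshed). Mutations go through `setRoleScopes` /
+-- `grantScopeToRole` / `revokeScopeFromRole`, so apps can build
+-- management UIs on top — changes propagate to warm instances within
+-- the resolver's TTL.
+--
+-- Deliberately GLOBAL (no tenant column): the mapping is the app's
+-- authorization POLICY, not tenant data. Per-tenant overrides, if ever
+-- needed, belong in a separate overlay table so the hot path stays a
+-- single cached full-table read.
+
+CREATE TABLE IF NOT EXISTS vk_role_scopes (
+role text NOT NULL,
+scope text NOT NULL,
+created_at timestamptz NOT NULL DEFAULT now(),
+PRIMARY KEY (role, scope)
+);
+
+COMMENT ON TABLE vk_role_scopes IS
+'Role → scope grants. Structure owned by @venturekit/auth; rows owned by the consuming app (seed via app migrations, manage via the role-scopes helpers).';
+
+-- Scope grants are read by role on every request that misses the
+-- resolver cache; the PK already serves (role, scope) lookups and
+-- role-prefix scans.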
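Review bot: `vk_role_scopes` is the app's authorization policy and, per the header, is writable at runtime through `setRoleScopes` / `grantScopeToRole` / `revokeScopeFromRole`, yet the only metadata is `created_at` — a scope quietly added to a low-privilege role leaves no record of who or what wrote it. Consider a `granted_by text` column (or an app-side audit log the helpers are required to write to) so policy changes are attributable and can be alerted on, and state that expectation in the header. Lines 28–29 describe the hot path as "a single cached full-table read" while the trailing comment says grants are "read by role on every request that misses the resolver cache" — those are different queries, so align the two with whatever `createRoleScopesResolver()` actually runs, e.g. `-- Cache misses reload the whole table; the PK still covers per-role lookups if a resolver ever reads a single role.` Both columns accept empty strings; `CHECK (role <> '' AND scope <> '')` costs nothing and rules out a blank grant. The file is `vk_auth_003` but no `002` appears in this diff, presumably unchanged — worth confirming the migration runner tolerates the gap.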
|