@zintrust/core 0.7.7 → 0.7.9

package/src/templates/project/basic/app/Controllers/AuthController.ts.tpl

@@ -29,6 +29,7 @@ type PasswordLoginContext = {
   email: string;
   ipAddress: string;
   requestId?: string;
+  request: IRequest;
 };
 
 const toSubject = (id: unknown): string | undefined => {
@@ -37,10 +38,6 @@ const toSubject = (id: unknown): string | undefined => {
   return undefined;
 };
 
-const toDeviceId = (subject: string | undefined): string | undefined => {
-  return isUndefinedOrNull(subject) ? undefined : `dev-${subject}`;
-};
-
 const getClaimString = (claims: unknown, key: string): string | undefined => {
   if (typeof claims !== 'object' || claims === null) {
     return undefined;
@@ -55,7 +52,23 @@ const getIssuedToken = (issued: unknown): string => {
     return issued;
   }
 
-  throw ErrorFactory.createSecurityError('LoginFlow jwt issuer returned an invalid access token');
+  if (typeof issued === 'object' && issued !== null) {
+    const token = (issued as Record<string, unknown>)['token'];
+    if (typeof token === 'string' && token.trim() !== '') {
+      return token;
+    }
+  }
+
+  throw ErrorFactory.createSecurityError('LoginFlow issuer returned an invalid access token');
+};
+
+const getIssuedString = (issued: unknown, key: string): string | undefined => {
+  if (typeof issued !== 'object' || issued === null) {
+    return undefined;
+  }
+
+  const value = (issued as Record<string, unknown>)[key];
+  return typeof value === 'string' && value.trim() !== '' ? value : undefined;
 };
 
 const isLoginFlowUnauthorizedFailure = (error: unknown): boolean => {
@@ -120,7 +133,6 @@ const passwordLoginProvider = Object.freeze({
 
     const user = pickPublicUser(identity);
     const subject = toSubject(user.id);
-    const deviceId = toDeviceId(subject);
 
     return {
       user,
@@ -128,7 +140,6 @@ const passwordLoginProvider = Object.freeze({
       claims: {
         sub: subject,
         email: user.email,
-        ...(isUndefinedOrNull(deviceId) ? {} : { deviceId }),
       },
     };
   },
@@ -156,17 +167,19 @@ async function login(req: IRequest, res: IResponse): Promise<void> {
   try {
     const result = await LoginFlow.create({
       provider: passwordLoginProvider,
-      context: Object.freeze({ email, ipAddress, requestId }),
+      context: Object.freeze({ email, ipAddress, requestId, request: req }),
     })
       .identify({ email })
       .verify({ password })
-      .issue('jwt')
+      .issue('bulletproof')
       .audit()
       .run();
 
     const user = result.verified.user as { id: unknown; name: string; email: string };
     const subject = getClaimString(result.verified.claims, 'sub');
-    const deviceId = getClaimString(result.verified.claims, 'deviceId');
+    const deviceId =
+      getIssuedString(result.issued, 'deviceId') ?? getClaimString(result.verified.claims, 'deviceId');
+    const deviceSecret = getIssuedString(result.issued, 'deviceSecret');
     const token = getIssuedToken(result.issued);
 
     Logger.info('AuthController.login: successful login', {
@@ -181,6 +194,7 @@ async function login(req: IRequest, res: IResponse): Promise<void> {
       token,
       token_type: 'Bearer',
       ...(isUndefinedOrNull(deviceId) ? {} : { deviceId }),
+      ...(isUndefinedOrNull(deviceSecret) ? {} : { deviceSecret }),
       user,
     });
   } catch (error) {

package/src/templates/project/basic/config/trace.ts.tpl

@@ -0,0 +1,73 @@
+import { Env } from '@zintrust/core';
+import type { TraceConfigOverrides } from '@zintrust/trace';
+
+/**
+ * SystemTrace Configuration
+ *
+ * Keep this file declarative:
+ * - Package owns defaults and type validation.
+ * - Edit values below to override for this project.
+ *
+ * Usage: import '@zintrust/trace/register' in your bootstrap.
+ * Protect /trace with your own middleware (auth, admin role, etc.).
+ */
+
+export default {
+  enabled: Env.getBool('TRACE_ENABLED', false),
+
+  // Optional: use a separate DB connection for trace tables.
+  // Leave undefined to fall back to the app's default connection.
+  connection: Env.get('TRACE_DB_CONNECTION', '') || undefined,
+
+  pruneAfterHours: Env.getInt('TRACE_PRUNE_HOURS', 72),
+
+  ignoreRoutes: ['/trace', '/health', '/ping', '/metrics', '/api-docs', '/api-docs-json'],
+
+  ignorePaths: [
+    '/telemetry',
+    '/favicon.ico',
+    '/robots.txt',
+    '/sitemap.xml',
+    '/workers',
+    '/queue-monitor',
+    '.js',
+    '.css',
+  ],
+
+  slowQueryThreshold: Env.getInt('TRACE_SLOW_QUERY_MS', 100),
+
+  logMinLevel: Env.get('TRACE_LOG_LEVEL', 'warn') as 'debug' | 'info' | 'warn' | 'error' | 'fatal',
+
+  watchers: {
+    // Set a watcher to false to disable it entirely.
+    // All watchers are enabled by default when trace is enabled.
+    // Include/exclude filters are contains-based and can be applied per watcher.
+    // request: {
+    //   get: { exclude: ['report','workers/events'] },
+    //   post: { include: ['auth'] },
+    //   patch: { include: ['profile'] },
+    //   delete: { exclude: ['internal'] },
+    // },
+    // log: { exclude: ['healthcheck'] },
+    // exception: { include: ['trace'] },
+    // clientRequest: {
+    //   exclude: ['internal-http'],
+    //   sources: {
+    //     termii: { enabled: false },
+    //     sendgrid: { responseBody: false },
+    //     s3: { requestHeaders: false, responseHeaders: false },
+    //   },
+    // },
+    // cache: { include: ['session:'] },
+    // dump: false,  // DumpWatcher is opt-in — enable explicitly if needed
+  },
+
+  redaction: {
+    // Extra keys to mask recursively before trace entries are persisted.
+    // You can also provide these via TRACE_REDACT_KEYS as JSON or CSV.
+    keys: ['password', 'token', 'secret', 'authorization', 'card', 'cardNumber', 'cvv'],
+    headers: ['authorization', 'cookie', 'x-api-key', 'x-auth-token'],
+    body: ['password', 'token', 'secret', 'apiKey', 'api_key', 'jwt', 'bearer'],
+    query: [],
+  },
+} satisfies TraceConfigOverrides;

package/src/templates/project/basic/database/migrations/20260419000000_create_bulletproof_devices_table.ts.tpl

@@ -0,0 +1,36 @@
+/**
+ * Migration: CreateBulletproofDevicesTable
+ * Creates the core-backed device store used by Bulletproof authentication.
+ */
+import type { Blueprint, IDatabase } from '@zintrust/core';
+import { MigrationSchema } from '@zintrust/core';
+
+export interface Migration {
+  up(db: IDatabase): Promise<void>;
+  down(db: IDatabase): Promise<void>;
+}
+
+export const migration: Migration = {
+  async up(db: IDatabase): Promise<void> {
+    const schema = MigrationSchema.create(db);
+
+    await schema.create('zintrust_bulletproof_devices', (table: Blueprint) => {
+      table.id();
+      table.string('user_id', 191).nullable();
+      table.string('device_id', 191).unique();
+      table.text('signing_secret');
+      table.text('user_agent').nullable();
+      table.timestamp('last_seen_at').notNullable().default('CURRENT_TIMESTAMP');
+      table.timestamp('created_at').notNullable().default('CURRENT_TIMESTAMP');
+      table.timestamp('updated_at').notNullable().default('CURRENT_TIMESTAMP');
+
+      table.index(['user_id']);
+      table.index(['last_seen_at']);
+    });
+  },
+
+  async down(db: IDatabase): Promise<void> {
+    const schema = MigrationSchema.create(db);
+    await schema.dropIfExists('zintrust_bulletproof_devices');
+  },
+};