aaspai-authx 0.1.0 → 0.1.2

package/dist/express/index.cjs

@@ -44,24 +44,6 @@ var import_crypto = require("crypto");
 var import_express = __toESM(require("express"), 1);
 var import_jsonwebtoken4 = __toESM(require("jsonwebtoken"), 1);
 
-// src/core/utils.ts
-function baseProjectCookieOptionsFrom(cookie) {
-  const base = {
-    secure: cookie.secure ?? false,
-    sameSite: cookie.sameSite ?? "lax",
-    path: cookie.path ?? "/",
-    maxAge: cookie.maxAgeMs
-  };
-  if (cookie.domain) base.domain = cookie.domain;
-  return base;
-}
-function hasAnyRole(session, roles) {
-  if (!session || !session.roles || !Array.isArray(roles) || roles.length === 0) {
-    return false;
-  }
-  return roles.some((role) => session.roles.includes(role));
-}
-
 // src/config/loadConfig.ts
 function loadConfig() {
   return {
@@ -125,6 +107,37 @@ function isPlainObject(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 
+// src/core/utils.ts
+function baseProjectCookieOptionsFrom(cookie) {
+  const base = {
+    secure: cookie.secure ?? false,
+    sameSite: cookie.sameSite ?? "lax",
+    path: cookie.path ?? "/",
+    maxAge: cookie.maxAgeMs
+  };
+  if (cookie.domain) base.domain = cookie.domain;
+  return base;
+}
+function buildClearCookieOptions(cookie) {
+  const opts = {
+    httpOnly: true,
+    // not strictly required but fine
+    secure: cookie.secure ?? false,
+    sameSite: cookie.sameSite ?? "lax",
+    path: cookie.path ?? "/"
+  };
+  if (cookie.domain) {
+    opts.domain = cookie.domain;
+  }
+  return opts;
+}
+function hasAnyRole(session, roles) {
+  if (!session || !session.roles || !Array.isArray(roles) || roles.length === 0) {
+    return false;
+  }
+  return roles.some((role) => session.roles.includes(role));
+}
+
 // src/core/roles.config.ts
 var PLATFORM_ROLES = [
   {
@@ -169,10 +182,14 @@ function buildSession(payload) {
     roles: normalizedRoles,
     permissions
   };
+  if (payload?.firstName) session.firstName = payload.firstName;
+  if (payload?.lastName) session.lastName = payload.lastName;
   if (payload?.projectId) session.projectId = payload.projectId;
   if (payload?.orgId) session.orgId = payload.orgId;
   if (payload?.org_id) session.org_id = payload.org_id;
   if (payload?.authType) session.authType = payload.authType;
+  if (payload?.createdAt) session.createdAt = payload.createdAt;
+  if (payload?.metadata) session.metadata = payload.metadata;
   Object.keys(payload || {}).forEach((key) => {
     if (![
       "sub",
@@ -226,7 +243,7 @@ var MetadataSchema = new import_mongoose2.default.Schema(
 );
 var OrgUserSchema = new import_mongoose2.default.Schema(
   {
-    id: { type: String, default: (0, import_uuid.v4)(), index: true },
+    id: { type: String, default: (0, import_uuid.v4)(), index: true, unique: true },
     email: { type: String, required: true, unique: true },
     firstName: { type: String, required: true },
     lastName: { type: String, required: true },
@@ -346,10 +363,14 @@ function requireAuth() {
         const session = buildSession({
           sub: user.id.toString(),
           email: user.email,
+          firstName: user.firstName,
+          lastName: user.lastName,
+          metadata: user.metadata || [],
           roles: user.roles || [],
           orgId: user.orgId,
           org_id: user.orgId,
-          projectId: user.projectId
+          projectId: user.projectId,
+          createdAt: user.createdAt
         });
         session.authType = "api-key";
         session.projectId = readProjectId(req) || user.projectId || void 0;
@@ -515,14 +536,14 @@ var AuthAdminService = class {
   async createUserInRealm(payload) {
     const hashedPassword = payload.credentials?.[0]?.value ? await import_bcrypt.default.hash(payload.credentials[0].value, 10) : void 0;
     const user = await OrgUser.create({
-      username: payload.username,
+      id: crypto.randomUUID(),
       email: payload.email,
       firstName: payload.firstName,
       lastName: payload.lastName,
       projectId: payload.projectId,
       emailVerified: payload.emailVerified || false,
       passwordHash: hashedPassword,
-      enabled: true
+      metadata: payload.metadata || []
     });
     return user;
   }
@@ -610,29 +631,13 @@ var EmailService = class {
   }
 };
 
-// src/utils/cookie.ts
-function cookieOpts(isRefresh = false) {
-  const maxAge = isRefresh ? config.cookies.refreshTtlMs : config.cookies.accessTtlMs;
-  const secure = process.env.NODE_ENV === "production" ? process.env.COOKIE_SECURE ?? true : false;
-  return {
-    httpOnly: true,
-    secure,
-    sameSite: "none",
-    domain: process.env.COOKIE_DOMAIN,
-    maxAge
-  };
-}
-function clearOpts() {
-  const secure = process.env.NODE_ENV === "production" ? process.env.COOKIE_SECURE ?? true : false;
-  return {
-    domain: process.env.COOKIE_DOMAIN,
-    sameSite: "none",
-    secure
-  };
-}
-
 // src/express/auth.routes.ts
 function createAuthRouter(options = {}) {
+  const googleClientId = process.env.GOOGLE_CLIENT_ID;
+  const googleClientSecret = process.env.GOOGLE_CLIENT_SECRET;
+  const googleRedirectUri = process.env.GOOGLE_REDIRECT_URI;
+  const googleDefaultRedirect = process.env.GOOGLE_DEFAULT_REDIRECT || getFrontendBaseUrl(options) || "/";
+  const isGoogleEnabled = !!googleClientId && !!googleClientSecret && !!googleRedirectUri;
   if (options.config) {
     configureAuthX(options.config);
   }
@@ -657,8 +662,10 @@ function createAuthRouter(options = {}) {
   );
   r.post("/login", validateLogin, async (req, res) => {
     const { email: emailAddress, password } = req.body || {};
+    console.log(emailAddress, password, "body");
     try {
       const user = await OrgUser.findOne({ email: emailAddress }).select("+password").lean();
+      console.log(user, "user");
       if (!user) {
         return res.status(400).json({
           error: "Invalid email or password",
@@ -711,13 +718,13 @@ function createAuthRouter(options = {}) {
         firstName,
         lastName,
         projectId,
-        credentials: [{ type: "password", value: password, temporary: false }]
+        credentials: [{ type: "password", value: password, temporary: false }],
+        metadata
       });
       await authAdmin.assignRealmRole(kcUser.id, "platform_user");
       const user = await OrgUser.findOneAndUpdate(
         { email: kcUser.email },
         {
-          id: kcUser.id,
           email: kcUser.email,
           firstName,
           lastName,
@@ -757,8 +764,9 @@ function createAuthRouter(options = {}) {
     return res.json(req.user || null);
   });
   r.post("/logout", async (_req, res) => {
-    res.clearCookie("access_token", clearOpts());
-    res.clearCookie("refresh_token", clearOpts());
+    const clearOptions = buildClearCookieOptions(cookieConfig);
+    res.clearCookie("access_token", clearOptions);
+    res.clearCookie("refresh_token", clearOptions);
     res.json({ ok: true });
   });
   r.put("/:userId/metadata", requireAuth(), async (req, res) => {
@@ -997,16 +1005,186 @@ function createAuthRouter(options = {}) {
     const user = await OrgUser.findOne({ email: req.query.email }).lean();
     res.json(user || null);
   });
-  r.get("/google", async (_req, res) => {
-    res.json({ url: "/auth/google/callback?code=demo" });
+  r.get("/google", (req, res) => {
+    if (!isGoogleEnabled) {
+      return res.status(500).json({ error: "Google login not configured" });
+    }
+    const state = req.query.redirectTo ? encodeURIComponent(String(req.query.redirectTo)) : "";
+    const params = new URLSearchParams({
+      client_id: googleClientId,
+      redirect_uri: googleRedirectUri,
+      response_type: "code",
+      scope: "openid email profile",
+      access_type: "offline",
+      prompt: "consent",
+      state
+    });
+    const url = `https://accounts.google.com/o/oauth2/v2/auth?${params.toString()}`;
+    res.redirect(url);
   });
-  r.get("/google/callback", async (_req, res) => {
-    res.cookie(
-      "access_token",
-      "ACCESS.TOKEN.PLACEHOLDER",
-      cookieOpts(false)
-    );
-    res.redirect("/");
+  r.get("/google/callback", async (req, res) => {
+    if (!isGoogleEnabled) {
+      return res.status(500).json({ error: "Google login not configured" });
+    }
+    const code = String(req.query.code || "");
+    const state = req.query.state ? String(req.query.state) : "";
+    if (!code) {
+      return res.status(400).json({ ok: false, error: "Missing authorization code" });
+    }
+    try {
+      const tokenRes = await fetch("https://oauth2.googleapis.com/token", {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+          code,
+          client_id: googleClientId,
+          client_secret: googleClientSecret,
+          redirect_uri: googleRedirectUri,
+          grant_type: "authorization_code"
+        })
+      });
+      if (!tokenRes.ok) {
+        const errJson = await tokenRes.json().catch(() => ({}));
+        console.error("Google token error", errJson);
+        return res.status(400).json({ ok: false, error: "Failed to exchange Google code" });
+      }
+      const tokenJson = await tokenRes.json();
+      if (!tokenJson.id_token) {
+        return res.status(400).json({ ok: false, error: "Missing id_token from Google" });
+      }
+      const decoded = import_jsonwebtoken4.default.decode(tokenJson.id_token);
+      const email2 = decoded?.email;
+      if (!email2) {
+        return res.status(400).json({ ok: false, error: "Google account has no email" });
+      }
+      const emailVerified = decoded.email_verified ?? true;
+      const firstName = decoded.given_name || "";
+      const lastName = decoded.family_name || "";
+      let user = await OrgUser.findOne({ email: email2 }).lean();
+      if (!user) {
+        const created = await OrgUser.create({
+          email: email2,
+          firstName,
+          lastName,
+          emailVerified,
+          roles: ["platform_user"],
+          projectId: null,
+          metadata: []
+          // you can also store googleId: decoded.sub
+        });
+        user = created.toObject();
+      }
+      const tokens = generateTokens(user);
+      setAuthCookies(res, tokens, cookieConfig);
+      const redirectTo = state ? decodeURIComponent(state) : googleDefaultRedirect;
+      res.redirect(redirectTo);
+    } catch (err) {
+      console.error("Google callback error", err);
+      const redirectError = googleDefaultRedirect.includes("?") ? `${googleDefaultRedirect}&error=google_login_failed` : `${googleDefaultRedirect}?error=google_login_failed`;
+      res.redirect(redirectError);
+    }
+  });
+  r.get("/github", (req, res) => {
+    const githubClientId = process.env.GITHUB_CLIENT_ID;
+    const githubRedirectUri = process.env.GITHUB_REDIRECT_URI;
+    if (!githubClientId || !githubRedirectUri) {
+      return res.status(500).json({ error: "GitHub login not configured" });
+    }
+    const state = req.query.redirectTo ? encodeURIComponent(String(req.query.redirectTo)) : "";
+    const params = new URLSearchParams({
+      client_id: githubClientId,
+      redirect_uri: githubRedirectUri,
+      scope: "user:email",
+      state,
+      allow_signup: "true"
+    });
+    const url = `https://github.com/login/oauth/authorize?${params.toString()}`;
+    res.redirect(url);
+  });
+  r.get("/github/callback", async (req, res) => {
+    const githubClientId = process.env.GITHUB_CLIENT_ID;
+    const githubClientSecret = process.env.GITHUB_CLIENT_SECRET;
+    const githubRedirectUri = process.env.GITHUB_REDIRECT_URI;
+    const githubDefaultRedirect = process.env.GITHUB_DEFAULT_REDIRECT || getFrontendBaseUrl(options) || "/";
+    if (!githubClientId || !githubClientSecret || !githubRedirectUri) {
+      return res.status(500).json({ error: "GitHub login not configured" });
+    }
+    const code = String(req.query.code || "");
+    const state = req.query.state ? String(req.query.state) : "";
+    if (!code) {
+      return res.status(400).json({ ok: false, error: "Missing GitHub code" });
+    }
+    try {
+      const tokenRes = await fetch(
+        "https://github.com/login/oauth/access_token",
+        {
+          method: "POST",
+          headers: {
+            Accept: "application/json",
+            "Content-Type": "application/x-www-form-urlencoded"
+          },
+          body: new URLSearchParams({
+            client_id: githubClientId,
+            client_secret: githubClientSecret,
+            code,
+            redirect_uri: githubRedirectUri
+          })
+        }
+      );
+      const tokenJson = await tokenRes.json();
+      if (!tokenJson.access_token) {
+        console.error("GitHub token error:", tokenJson);
+        return res.status(400).json({ ok: false, error: "Failed to get GitHub access token" });
+      }
+      const accessToken = tokenJson.access_token;
+      const userRes = await fetch("https://api.github.com/user", {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          Accept: "application/vnd.github+json"
+        }
+      });
+      const githubUser = await userRes.json();
+      const emailRes = await fetch("https://api.github.com/user/emails", {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          Accept: "application/vnd.github+json"
+        }
+      });
+      const emails = await emailRes.json();
+      const primaryEmail = emails?.find(
+        (e) => e.primary && e.verified
+      )?.email;
+      if (!primaryEmail) {
+        return res.status(400).json({
+          ok: false,
+          error: "GitHub account has no verified email"
+        });
+      }
+      const firstName = githubUser.name?.split(" ")[0] || "";
+      const lastName = githubUser.name?.split(" ").slice(1).join(" ") || "";
+      let user = await OrgUser.findOne({ email: primaryEmail }).lean();
+      if (!user) {
+        const created = await OrgUser.create({
+          email: primaryEmail,
+          firstName,
+          lastName,
+          emailVerified: true,
+          roles: ["platform_user"],
+          projectId: null,
+          metadata: [],
+          githubId: githubUser.id
+        });
+        user = created.toObject();
+      }
+      const tokens = generateTokens(user);
+      setAuthCookies(res, tokens, cookieConfig);
+      const redirectTo = state ? decodeURIComponent(state) : githubDefaultRedirect;
+      res.redirect(redirectTo);
+    } catch (err) {
+      console.error("GitHub callback error:", err);
+      const redirectError = githubDefaultRedirect.includes("?") ? `${githubDefaultRedirect}&error=github_login_failed` : `${githubDefaultRedirect}?error=github_login_failed`;
+      res.redirect(redirectError);
+    }
   });
   r.get("/get-users", async (req, res) => {
     const user = await OrgUser.find({ projectId: req.query.projectId }).lean();
@@ -1084,6 +1262,11 @@ function generateTokens(user) {
     orgId: user.orgId || null,
     org_id: user.orgId || null,
     projectId: user.projectId || null,
+    firstName: user.firstName,
+    lastName: user.lastName,
+    emailVerified: user.emailVerified,
+    createdAt: user.createdAt,
+    metadata: user.metadata,
     type: "user"
   };
   const accessToken = import_jsonwebtoken4.default.sign(accessPayload, process.env.JWT_SECRET, {