jazz-tools 0.18.0 → 0.18.2

package/src/better-auth/auth/server.ts

@@ -0,0 +1,250 @@
+import { AuthContext, MiddlewareContext, MiddlewareOptions } from "better-auth";
+import { APIError } from "better-auth/api";
+import { symmetricDecrypt, symmetricEncrypt } from "better-auth/crypto";
+import { BetterAuthPlugin, createAuthMiddleware } from "better-auth/plugins";
+import type { Account, AuthCredentials, ID } from "jazz-tools";
+
+/**
+ * @returns The BetterAuth server plugin.
+ *
+ * @example
+ * ```ts
+ * const auth = betterAuth({
+ *   plugins: [jazzPlugin()],
+ *   // ... other BetterAuth options
+ * });
+ * ```
+ */
+export const jazzPlugin = (): BetterAuthPlugin => {
+  return {
+    id: "jazz-plugin",
+    schema: {
+      user: {
+        fields: {
+          accountID: {
+            type: "string",
+            required: false,
+            input: false,
+          },
+          encryptedCredentials: {
+            type: "string",
+            required: false,
+            input: false,
+            returned: false,
+          },
+        },
+      },
+    },
+
+    init() {
+      return {
+        options: {
+          databaseHooks: {
+            user: {
+              create: {
+                before: async (user, context) => {
+                  // If the user is created without a jazzAuth, it will throw an error.
+                  if (!contextContainsJazzAuth(context)) {
+                    throw new APIError(422, {
+                      message: "JazzAuth is required",
+                    });
+                  }
+                  // Decorate the user with the jazz's credentials.
+                  return {
+                    data: {
+                      accountID: context?.jazzAuth?.accountID,
+                      encryptedCredentials:
+                        context?.jazzAuth?.encryptedCredentials,
+                    },
+                  };
+                },
+              },
+            },
+            verification: {
+              create: {
+                before: async (verification, context) => {
+                  // If a jazzAuth is provided, save it for later usage.
+                  if (contextContainsJazzAuth(context)) {
+                    const parsed = JSON.parse(verification.value);
+                    const newValue = JSON.stringify({
+                      ...parsed,
+                      jazzAuth: context.jazzAuth,
+                    });
+
+                    return {
+                      data: {
+                        value: newValue,
+                      },
+                    };
+                  }
+                },
+              },
+            },
+          },
+        },
+      };
+    },
+
+    hooks: {
+      before: [
+        /**
+         * If the client sends a x-jazz-auth header,
+         * we encrypt the credentials and inject them into the context.
+         */
+        {
+          matcher: (context) => {
+            return !!context.headers?.get("x-jazz-auth");
+          },
+          handler: createAuthMiddleware(async (ctx) => {
+            const jazzAuth = JSON.parse(ctx.headers?.get("x-jazz-auth")!);
+
+            const credentials: AuthCredentials = {
+              accountID: jazzAuth.accountID as ID<Account>,
+              secretSeed: jazzAuth.secretSeed,
+              accountSecret: jazzAuth.accountSecret as any,
+              // If the provider remains 'anonymous', Jazz will not consider us authenticated later.
+              provider: "better-auth",
+            };
+
+            const encryptedCredentials = await symmetricEncrypt({
+              key: ctx.context.secret,
+              data: JSON.stringify(credentials),
+            });
+
+            return {
+              context: {
+                ...ctx,
+                jazzAuth: {
+                  accountID: jazzAuth.accountID,
+                  encryptedCredentials: encryptedCredentials,
+                },
+              },
+            };
+          }),
+        },
+
+        /**
+         * /callback is the endpoint that BetterAuth uses to authenticate the user coming from a social provider.
+         * 1. Catch the state
+         * 2. Find the verification value
+         * 3. If the verification value contains a jazzAuth, inject into the context to have it in case of registration.
+         */
+        {
+          matcher: (context) => {
+            return context.path.startsWith("/callback");
+          },
+          handler: createAuthMiddleware(async (ctx) => {
+            const state = ctx.query?.state || ctx.body?.state;
+
+            const data = await ctx.context.adapter.findOne<{ value: string }>({
+              model: ctx.context.tables.verification!.modelName,
+              where: [
+                {
+                  field: "identifier",
+                  operator: "eq",
+                  value: state,
+                },
+              ],
+              select: ["value"],
+            });
+
+            // if not found, the social plugin will throw later anyway
+            if (!data) {
+              throw new APIError(404, {
+                message: "Verification not found",
+              });
+            }
+
+            const parsed = JSON.parse(data.value);
+
+            if (parsed && "jazzAuth" in parsed) {
+              ctx.context.jazzAuth = parsed.jazzAuth;
+            } else {
+              throw new APIError(404, {
+                message: "JazzAuth not found in verification value",
+              });
+            }
+          }),
+        },
+      ],
+      after: [
+        /**
+         * This middleware is used to extract the jazzAuth from the user and return it in the response.
+         * It is used in the following endpoints that return the user:
+         * - /sign-up/email
+         * - /sign-in/email
+         * - /get-session
+         */
+        {
+          matcher: (context) => {
+            return (
+              context.path.startsWith("/sign-up") ||
+              context.path.startsWith("/sign-in") ||
+              context.path.startsWith("/get-session")
+            );
+          },
+          handler: createAuthMiddleware({}, async (ctx) => {
+            const returned = ctx.context.returned as any;
+            if (!returned?.user?.id) {
+              return;
+            }
+            const jazzAuth = await extractJazzAuth(returned.user.id, ctx);
+
+            return ctx.json({
+              ...returned,
+              jazzAuth: jazzAuth,
+            });
+          }),
+        },
+      ],
+    },
+  };
+};
+
+function contextContainsJazzAuth(ctx: unknown): ctx is {
+  jazzAuth: {
+    accountID: string;
+    encryptedCredentials: string;
+  };
+} {
+  return !!ctx && typeof ctx === "object" && "jazzAuth" in ctx;
+}
+
+async function extractJazzAuth(
+  userId: string,
+  ctx: MiddlewareContext<
+    MiddlewareOptions,
+    AuthContext & {
+      returned?: unknown;
+      responseHeaders?: Headers;
+    }
+  >,
+) {
+  const user = await ctx.context.adapter.findOne<{
+    accountID: string;
+    encryptedCredentials: string;
+  }>({
+    model: ctx.context.tables.user!.modelName,
+    where: [
+      {
+        field: "id",
+        operator: "eq",
+        value: userId,
+      },
+    ],
+    select: ["accountID", "encryptedCredentials"],
+  });
+
+  if (!user) {
+    return;
+  }
+
+  const jazzAuth = JSON.parse(
+    await symmetricDecrypt({
+      key: ctx.context.secret,
+      data: user.encryptedCredentials,
+    }),
+  );
+
+  return jazzAuth;
+}

package/src/better-auth/auth/tests/client.test.ts

@@ -0,0 +1,249 @@
+import { createAuthClient } from "better-auth/client";
+import type { Account, AuthSecretStorage } from "jazz-tools";
+import {
+  TestJazzContextManager,
+  setActiveAccount,
+  setupJazzTestSync,
+} from "jazz-tools/testing";
+import { assert, beforeEach, describe, expect, it, vi } from "vitest";
+import { jazzPluginClient } from "../client.js";
+
+describe("auth client", () => {
+  let account: Account;
+  let jazzContextManager: TestJazzContextManager<Account>;
+  let authSecretStorage: AuthSecretStorage;
+  let authClient: ReturnType<
+    typeof createAuthClient<{
+      plugins: ReturnType<typeof jazzPluginClient>[];
+    }>
+  >;
+  let customFetchImpl = vi.fn();
+
+  beforeEach(async () => {
+    account = await setupJazzTestSync();
+    setActiveAccount(account);
+
+    jazzContextManager = TestJazzContextManager.fromAccountOrGuest(account);
+    authSecretStorage = jazzContextManager.getAuthSecretStorage();
+
+    // start a new context
+    await jazzContextManager.createContext({});
+
+    authClient = createAuthClient({
+      baseURL: "http://localhost:3000",
+      plugins: [jazzPluginClient()],
+      fetchOptions: {
+        customFetchImpl,
+      },
+    });
+
+    const context = jazzContextManager.getCurrentValue();
+    assert(context, "Jazz context is not available");
+    authClient.jazz.setJazzContext(context);
+    authClient.jazz.setAuthSecretStorage(authSecretStorage);
+
+    customFetchImpl.mockReset();
+  });
+
+  it("should send Jazz credentials over signup", async () => {
+    const credentials = await authSecretStorage.get();
+    expect(authSecretStorage.isAuthenticated).toBe(false);
+    assert(credentials, "Jazz credentials are not available");
+
+    customFetchImpl.mockResolvedValue(
+      new Response(
+        JSON.stringify({
+          token: "6diDScDDcLJLl3sxAEestZz63mrw9Azy",
+          user: {
+            id: "S6SDKApdnh746gUnP3zujzsEY53tjuTm",
+            email: "test@jazz.dev",
+            name: "Matteo",
+            image: null,
+            emailVerified: false,
+            createdAt: new Date(),
+            updatedAt: new Date(),
+          },
+          jazzAuth: {
+            accountID: credentials.accountID,
+            secretSeed: credentials.secretSeed,
+            accountSecret: credentials.accountSecret,
+          },
+        }),
+      ),
+    );
+
+    // Sign up
+    await authClient.signUp.email({
+      email: "test@jazz.dev",
+      password: "12345678",
+      name: "Matteo",
+    });
+
+    expect(customFetchImpl).toHaveBeenCalledTimes(1);
+    expect(customFetchImpl.mock.calls[0]![0].toString()).toBe(
+      "http://localhost:3000/api/auth/sign-up/email",
+    );
+
+    // Verify the credentials have been injected in the request body
+    expect(
+      customFetchImpl.mock.calls[0]![1].headers.get("x-jazz-auth")!,
+    ).toEqual(
+      JSON.stringify({
+        accountID: credentials!.accountID,
+        secretSeed: credentials!.secretSeed,
+        accountSecret: credentials!.accountSecret,
+      }),
+    );
+
+    expect(authSecretStorage.isAuthenticated).toBe(true);
+
+    // Verify the profile name has been updated
+    const context = jazzContextManager.getCurrentValue();
+    assert(context && "me" in context);
+    expect(context.me.$jazz.id).toBe(credentials!.accountID);
+  });
+
+  it("should become logged in Jazz credentials after sign-in", async () => {
+    const credentials = await jazzContextManager.getAuthSecretStorage().get();
+
+    // Log out from initial context
+    await jazzContextManager.logOut();
+    expect(authSecretStorage.isAuthenticated).toBe(false);
+
+    customFetchImpl.mockResolvedValue(
+      new Response(
+        JSON.stringify({
+          user: {
+            id: "123",
+            email: "test@jazz.dev",
+            name: "Matteo",
+          },
+          jazzAuth: {
+            accountID: credentials!.accountID,
+            secretSeed: credentials!.secretSeed,
+            accountSecret: credentials!.accountSecret,
+            provider: "better-auth",
+          },
+        }),
+      ),
+    );
+
+    // Retrieve the BetterAuth session and trigger the authentication
+    await authClient.signIn.email({
+      email: "test@jazz.dev",
+      password: "12345678",
+    });
+
+    expect(customFetchImpl).toHaveBeenCalledTimes(1);
+    expect(customFetchImpl.mock.calls[0]![0].toString()).toBe(
+      "http://localhost:3000/api/auth/sign-in/email",
+    );
+
+    expect(authSecretStorage.isAuthenticated).toBe(true);
+
+    const newContext = jazzContextManager.getCurrentValue()!;
+    expect("me" in newContext).toBe(true);
+    expect(await authSecretStorage.get()).toMatchObject({
+      accountID: credentials!.accountID,
+      provider: "better-auth",
+    });
+  });
+
+  it("should logout from Jazz after BetterAuth sign-out", async () => {
+    const credentials = await authSecretStorage.get();
+    expect(authSecretStorage.isAuthenticated).toBe(false);
+    customFetchImpl.mockResolvedValueOnce(
+      new Response(
+        JSON.stringify({
+          token: "6diDScDDcLJLl3sxAEestZz63mrw9Azy",
+          user: {
+            id: "S6SDKApdnh746gUnP3zujzsEY53tjuTm",
+            email: "test@jazz.dev",
+            name: "Matteo",
+            image: null,
+            emailVerified: false,
+            createdAt: new Date(),
+            updatedAt: new Date(),
+          },
+          jazzAuth: {
+            accountID: credentials!.accountID,
+            secretSeed: credentials!.secretSeed,
+            accountSecret: credentials!.accountSecret,
+            provider: "better-auth",
+          },
+        }),
+      ),
+    );
+
+    // 1. Sign up
+    await authClient.signUp.email({
+      email: "test@jazz.dev",
+      password: "12345678",
+      name: "Matteo",
+    });
+
+    expect(authSecretStorage.isAuthenticated).toBe(true);
+
+    // 2. Sign out
+    customFetchImpl.mockResolvedValueOnce(
+      new Response(JSON.stringify({ success: true })),
+    );
+
+    await authClient.signOut();
+
+    expect(authSecretStorage.isAuthenticated).toBe(false);
+
+    const anonymousCredentials = await authSecretStorage.get();
+    expect(anonymousCredentials).not.toMatchObject(credentials!);
+  });
+
+  it("should logout from Jazz after BetterAuth user deletion", async () => {
+    const credentials = await authSecretStorage.get();
+    expect(authSecretStorage.isAuthenticated).toBe(false);
+    customFetchImpl.mockResolvedValueOnce(
+      new Response(
+        JSON.stringify({
+          token: "6diDScDDcLJLl3sxAEestZz63mrw9Azy",
+          user: {
+            id: "S6SDKApdnh746gUnP3zujzsEY53tjuTm",
+            email: "test@jazz.dev",
+            name: "Matteo",
+            image: null,
+            emailVerified: false,
+            createdAt: new Date(),
+            updatedAt: new Date(),
+          },
+          jazzAuth: {
+            accountID: credentials!.accountID,
+            secretSeed: credentials!.secretSeed,
+            accountSecret: credentials!.accountSecret,
+            provider: "better-auth",
+          },
+        }),
+      ),
+    );
+
+    // 1. Sign up
+    await authClient.signUp.email({
+      email: "test@jazz.dev",
+      password: "12345678",
+      name: "Matteo",
+    });
+
+    expect(authSecretStorage.isAuthenticated).toBe(true);
+
+    // 2. Delete user
+    customFetchImpl.mockResolvedValueOnce(
+      new Response(JSON.stringify({ success: true })),
+    );
+
+    await authClient.deleteUser();
+
+    expect(authSecretStorage.isAuthenticated).toBe(false);
+
+    const anonymousCredentials = await authSecretStorage.get();
+    expect(anonymousCredentials).not.toMatchObject(credentials!);
+  });
+
+  it.todo("should logout from Better Auth after Jazz's log-out");
+});