modelence 0.7.2 → 0.9.0-dev.0

package/dist/auth/login.js

@@ -0,0 +1,100 @@
+import { z } from 'zod';
+import { usersCollection } from './db';
+import { clearSessionUser, setSessionUser } from './session';
+import { sendVerificationEmail } from './verification';
+import { getEmailConfig } from '../app/emailConfig';
+import { consumeRateLimit } from '../server';
+import { validateEmail } from './validators';
+import { getAuthConfig } from '../app/authConfig';
+import { comparePassword } from './password';
+export async function handleLoginWithPassword(args, { user, session, connectionInfo }) {
+    try {
+        if (!session) {
+            throw new Error('Session is not initialized');
+        }
+        const ip = connectionInfo?.ip;
+        if (ip) {
+            await consumeRateLimit({
+                bucket: 'signin',
+                type: 'ip',
+                value: ip,
+            });
+        }
+        const email = validateEmail(args.email);
+        // password is accepted just as a string, so users can still sign in if the password validation rules are changed
+        const password = z.string().parse(args.password);
+        // TODO: add rate limiting by email (and perhaps IP address overall)
+        if (user) {
+            // TODO: handle cases where a user is already logged in
+        }
+        const userDoc = await usersCollection.findOne({ 'emails.address': email, status: { $nin: ['deleted', 'disabled'] } }, { collation: { locale: 'en', strength: 2 } });
+        const passwordHash = userDoc?.authMethods?.password?.hash;
+        if (!passwordHash) {
+            throw incorrectCredentialsError();
+        }
+        const emailDoc = userDoc.emails?.find((e) => e.address === email);
+        if (!emailDoc?.verified && getEmailConfig()?.provider) {
+            if (ip) {
+                try {
+                    await consumeRateLimit({
+                        bucket: 'verification',
+                        type: 'user',
+                        value: userDoc._id.toString(),
+                    });
+                }
+                catch {
+                    throw new Error("Your email address hasn't been verified yet. Please use the verification email we've send earlier to your inbox.");
+                }
+            }
+            await sendVerificationEmail({
+                userId: userDoc?._id,
+                email,
+                baseUrl: connectionInfo?.baseUrl,
+            });
+            throw new Error("Your email address hasn't been verified yet. We've sent a new verification email to your inbox.");
+        }
+        const isValidPassword = await comparePassword(password, passwordHash);
+        if (!isValidPassword) {
+            throw incorrectCredentialsError();
+        }
+        await setSessionUser(session.authToken, userDoc._id);
+        getAuthConfig().onAfterLogin?.({
+            user: userDoc,
+            session,
+            connectionInfo,
+        });
+        getAuthConfig().login?.onSuccess?.(userDoc);
+        return {
+            user: {
+                id: userDoc._id,
+                handle: userDoc.handle,
+            },
+        };
+    }
+    catch (error) {
+        if (error instanceof Error) {
+            getAuthConfig().onLoginError?.({
+                error,
+                session,
+                connectionInfo,
+            });
+            getAuthConfig().login?.onError?.(error);
+        }
+        throw error;
+    }
+}
+export async function handleLogout(args, { session }) {
+    if (!session) {
+        throw new Error('Session is not initialized');
+    }
+    await clearSessionUser(session.authToken);
+}
+/*
+  It is important to return the same exact error both in case the email
+  or password is incorrect so that the client cannot tell the difference,
+  otherwise it would allow for an enumeration attack.
+*/
+function incorrectCredentialsError() {
+    return new Error('Incorrect email/password combination');
+}
+//# sourceMappingURL=login.js.map

package/dist/auth/login.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"login.js","sourceRoot":"","sources":["../../src/auth/login.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,OAAO,EAAE,eAAe,EAAE,MAAM,MAAM,CAAC;AACvC,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAC7D,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAE7C,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,IAAU,EACV,EAAE,IAAI,EAAE,OAAO,EAAE,cAAc,EAAW;IAE1C,IAAI,CAAC;QACH,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAChD,CAAC;QAED,MAAM,EAAE,GAAG,cAAc,EAAE,EAAE,CAAC;QAC9B,IAAI,EAAE,EAAE,CAAC;YACP,MAAM,gBAAgB,CAAC;gBACrB,MAAM,EAAE,QAAQ;gBAChB,IAAI,EAAE,IAAI;gBACV,KAAK,EAAE,EAAE;aACV,CAAC,CAAC;QACL,CAAC;QAED,MAAM,KAAK,GAAG,aAAa,CAAC,IAAI,CAAC,KAAe,CAAC,CAAC;QAClD,iHAAiH;QACjH,MAAM,QAAQ,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAEjD,oEAAoE;QAEpE,IAAI,IAAI,EAAE,CAAC;YACT,uDAAuD;QACzD,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,OAAO,CAC3C,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,CAAC,SAAS,EAAE,UAAU,CAAC,EAAE,EAAE,EACtE,EAAE,SAAS,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,EAAE,EAAE,CAC7C,CAAC;QAEF,MAAM,YAAY,GAAG,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,CAAC;QAC1D,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,yBAAyB,EAAE,CAAC;QACpC,CAAC;QAED,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,KAAK,CAAC,CAAC;QAElE,IAAI,CAAC,QAAQ,EAAE,QAAQ,IAAI,cAAc,EAAE,EAAE,QAAQ,EAAE,CAAC;YACtD,IAAI,EAAE,EAAE,CAAC;gBACP,IAAI,CAAC;oBACH,MAAM,gBAAgB,CAAC;wBACrB,MAAM,EAAE,cAAc;wBACtB,IAAI,EAAE,MAAM;wBACZ,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE;qBAC9B,CAAC,CAAC;gBACL,CAAC;gBAAC,MAAM,CAAC;oBACP,MAAM,IAAI,KAAK,CACb,kHAAkH,CACnH,CAAC;gBACJ,CAAC;YACH,CAAC;YAED,MAAM,qBAAqB,CAAC;gBAC1B,MAAM,EAAE,OAAO,EAAE,GAAG;gBACpB,KAAK;gBACL,OAAO,EAAE,cAAc,EAAE,OAAO;aACjC,CAAC,CAAC;YACH,MAAM,IAAI,KAAK,CACb,iGAAiG,CAClG,CAAC;QACJ,CAAC;QAED,MAAM,eAAe,GAAG,MAAM,eAAe,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;QACtE,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,MAAM,yBAAyB,EAAE,CAAC;QACpC,CAAC;QAED,MAAM,cAAc,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;QAErD,aAAa,EAAE,CAAC,YAAY,EAAE,CAAC;YAC7B,IAAI,EAAE,OAAO;YACb,OAAO;YACP,cAAc;SACf,CAAC,CAAC;QACH,aAAa,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,CAAC,OAAO,CAAC,CAAC;QAE5C,OAAO;YACL,IAAI,EAAE;gBACJ,EAAE,EAAE,OAAO,CAAC,GAAG;gBACf,MAAM,EAAE,OAAO,CAAC,MAAM;aACvB;SACF,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;YAC3B,aAAa,EAAE,CAAC,YAAY,EAAE,CAAC;gBAC7B,KAAK;gBACL,OAAO;gBACP,cAAc;aACf,CAAC,CAAC;YACH,aAAa,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,CAAC,KAAK,CAAC,CAAC;QAC1C,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,IAAU,EAAE,EAAE,OAAO,EAAW;IACjE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IAED,MAAM,gBAAgB,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;AAC5C,CAAC;AAED;;;;EAIE;AACF,SAAS,yBAAyB;IAChC,OAAO,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;AAC3D,CAAC"}

package/dist/auth/password.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Hash a password using Node.js native crypto scrypt algorithm
+ * @param password - The password to hash
+ * @returns A string containing the salt and hash separated by a colon
+ */
+export declare function hashPassword(password: string): Promise<string>;
+/**
+ * Compare a password with a hash
+ * @param password - The password to check
+ * @param hash - The hash to compare against (format: "salt:hash")
+ * @returns True if the password matches the hash
+ */
+export declare function comparePassword(password: string, hash: string): Promise<boolean>;
+//# sourceMappingURL=password.d.ts.map

package/dist/auth/password.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password.d.ts","sourceRoot":"","sources":["../../src/auth/password.ts"],"names":[],"mappings":"AAKA;;;;GAIG;AACH,wBAAsB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAIpE;AAED;;;;;GAKG;AACH,wBAAsB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAKtF"}

package/dist/auth/password.js

@@ -0,0 +1,26 @@
+import { scrypt, randomBytes, timingSafeEqual } from 'crypto';
+import { promisify } from 'util';
+const scryptAsync = promisify(scrypt);
+/**
+ * Hash a password using Node.js native crypto scrypt algorithm
+ * @param password - The password to hash
+ * @returns A string containing the salt and hash separated by a colon
+ */
+export async function hashPassword(password) {
+    const salt = randomBytes(16).toString('hex');
+    const derivedKey = (await scryptAsync(password, salt, 64));
+    return `${salt}:${derivedKey.toString('hex')}`;
+}
+/**
+ * Compare a password with a hash
+ * @param password - The password to check
+ * @param hash - The hash to compare against (format: "salt:hash")
+ * @returns True if the password matches the hash
+ */
+export async function comparePassword(password, hash) {
+    const [salt, key] = hash.split(':');
+    const keyBuffer = Buffer.from(key, 'hex');
+    const derivedKey = (await scryptAsync(password, salt, 64));
+    return timingSafeEqual(keyBuffer, derivedKey);
+}
+//# sourceMappingURL=password.js.map

package/dist/auth/password.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password.js","sourceRoot":"","sources":["../../src/auth/password.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAC;AAC9D,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAEjC,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;AAEtC;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,QAAgB;IACjD,MAAM,IAAI,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC7C,MAAM,UAAU,GAAG,CAAC,MAAM,WAAW,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,CAAC,CAAW,CAAC;IACrE,OAAO,GAAG,IAAI,IAAI,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AACjD,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,QAAgB,EAAE,IAAY;IAClE,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACpC,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAC1C,MAAM,UAAU,GAAG,CAAC,MAAM,WAAW,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,CAAC,CAAW,CAAC;IACrE,OAAO,eAAe,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;AAChD,CAAC"}

package/dist/auth/profile.d.ts

@@ -0,0 +1,10 @@
+import { Args, Context } from '../methods/types';
+export declare function getOwnProfile(_args: Args, { user }: Context): Promise<{
+    handle: string;
+    emails: {
+        address: string;
+        verified: boolean;
+    }[] | undefined;
+    authMethods: string[];
+}>;
+//# sourceMappingURL=profile.d.ts.map

package/dist/auth/profile.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"profile.d.ts","sourceRoot":"","sources":["../../src/auth/profile.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAEjD,wBAAsB,aAAa,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,EAAE,OAAO;;;;;;;GAYjE"}

package/dist/auth/profile.js

@@ -0,0 +1,13 @@
+import { usersCollection } from './db';
+export async function getOwnProfile(_args, { user }) {
+    if (!user) {
+        throw new Error('Not authenticated');
+    }
+    const profile = await usersCollection.requireById(user.id);
+    return {
+        handle: profile.handle,
+        emails: profile.emails,
+        authMethods: Object.keys(profile.authMethods || {}),
+    };
+}
+//# sourceMappingURL=profile.js.map

package/dist/auth/profile.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"profile.js","sourceRoot":"","sources":["../../src/auth/profile.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,MAAM,CAAC;AAGvC,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,KAAW,EAAE,EAAE,IAAI,EAAW;IAChE,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;IACvC,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAE3D,OAAO;QACL,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,WAAW,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC;KACpD,CAAC;AACJ,CAAC"}

package/dist/auth/providers/github.d.ts

@@ -0,0 +1,3 @@
+declare function getRouter(): import("express-serve-static-core").Router;
+export default getRouter;
+//# sourceMappingURL=github.d.ts.map

package/dist/auth/providers/github.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"github.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/github.ts"],"names":[],"mappings":"AA6HA,iBAAS,SAAS,+CA2DjB;AAED,eAAe,SAAS,CAAC"}

package/dist/auth/providers/github.js

@@ -0,0 +1,122 @@
+import { getConfig } from '../../server';
+import { time } from '../../time';
+import { randomBytes } from 'crypto';
+import { Router } from 'express';
+import { getRedirectUri, handleOAuthUserAuthentication, validateOAuthCode, } from './oauth-common';
+async function exchangeCodeForToken(code, clientId, clientSecret, redirectUri) {
+    const tokenResponse = await fetch('https://github.com/login/oauth/access_token', {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            Accept: 'application/json',
+        },
+        body: JSON.stringify({
+            client_id: clientId,
+            client_secret: clientSecret,
+            code,
+            redirect_uri: redirectUri,
+        }),
+    });
+    if (!tokenResponse.ok) {
+        throw new Error(`Failed to exchange code for token: ${tokenResponse.statusText}`);
+    }
+    return tokenResponse.json();
+}
+async function fetchGitHubUserInfo(accessToken) {
+    const userInfoResponse = await fetch('https://api.github.com/user', {
+        headers: {
+            Authorization: `Bearer ${accessToken}`,
+            Accept: 'application/vnd.github.v3+json',
+        },
+    });
+    if (!userInfoResponse.ok) {
+        throw new Error(`Failed to fetch user info: ${userInfoResponse.statusText}`);
+    }
+    return userInfoResponse.json();
+}
+async function handleGitHubAuthenticationCallback(req, res) {
+    const code = validateOAuthCode(req.query.code);
+    const state = req.query.state;
+    const storedState = req.cookies.authStateGithub;
+    if (!code) {
+        res.status(400).json({ error: 'Missing authorization code' });
+        return;
+    }
+    if (!state || !storedState || state !== storedState) {
+        res.status(400).json({ error: 'Invalid OAuth state - possible CSRF attack' });
+        return;
+    }
+    res.clearCookie('authStateGithub');
+    const githubClientId = String(getConfig('_system.user.auth.github.clientId'));
+    const githubClientSecret = String(getConfig('_system.user.auth.github.clientSecret'));
+    const redirectUri = getRedirectUri('github');
+    try {
+        // Exchange code for access token
+        const tokenData = await exchangeCodeForToken(code, githubClientId, githubClientSecret, redirectUri);
+        // Fetch user info
+        const githubUser = await fetchGitHubUserInfo(tokenData.access_token);
+        // Use the public email from user profile
+        const githubEmail = githubUser.email || '';
+        if (!githubEmail) {
+            res.status(400).json({
+                error: 'Unable to retrieve email from GitHub. Please ensure your email is public or grant email permissions.',
+            });
+            return;
+        }
+        const userData = {
+            id: String(githubUser.id),
+            email: githubEmail,
+            emailVerified: true, // Assume public email is verified
+            providerName: 'github',
+        };
+        await handleOAuthUserAuthentication(req, res, userData);
+    }
+    catch (error) {
+        console.error('GitHub OAuth error:', error);
+        res.status(500).json({ error: 'Authentication failed' });
+    }
+}
+function getRouter() {
+    const githubAuthRouter = Router();
+    // Middleware to check if GitHub auth is enabled and configured
+    const checkGitHubEnabled = (_req, res, next) => {
+        const githubEnabled = Boolean(getConfig('_system.user.auth.github.enabled'));
+        const githubClientId = String(getConfig('_system.user.auth.github.clientId'));
+        const githubClientSecret = String(getConfig('_system.user.auth.github.clientSecret'));
+        if (!githubEnabled || !githubClientId || !githubClientSecret) {
+            res.status(503).json({ error: 'GitHub authentication is not configured' });
+            return;
+        }
+        next();
+    };
+    // Initiate OAuth flow
+    githubAuthRouter.get('/api/_internal/auth/github', checkGitHubEnabled, (req, res) => {
+        const githubClientId = String(getConfig('_system.user.auth.github.clientId'));
+        const redirectUri = getRedirectUri('github');
+        const githubScopes = getConfig('_system.user.auth.github.scopes');
+        const scopes = githubScopes
+            ? String(githubScopes)
+                .split(',')
+                .map((s) => s.trim())
+                .join(' ')
+            : 'user:email';
+        const state = randomBytes(32).toString('hex');
+        res.cookie('authStateGithub', state, {
+            httpOnly: true,
+            secure: process.env.NODE_ENV === 'production',
+            sameSite: 'lax',
+            maxAge: time.minutes(10), // 10 minutes
+        });
+        const authUrl = new URL('https://github.com/login/oauth/authorize');
+        authUrl.searchParams.append('client_id', githubClientId);
+        authUrl.searchParams.append('redirect_uri', redirectUri);
+        authUrl.searchParams.append('scope', scopes);
+        authUrl.searchParams.append('state', state);
+        res.redirect(authUrl.toString());
+    });
+    // Handle OAuth callback
+    githubAuthRouter.get('/api/_internal/auth/github/callback', checkGitHubEnabled, handleGitHubAuthenticationCallback);
+    return githubAuthRouter;
+}
+export default getRouter;
+//# sourceMappingURL=github.js.map

package/dist/auth/providers/github.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"github.js","sourceRoot":"","sources":["../../../src/auth/providers/github.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AACrC,OAAO,EAAE,IAAI,EAAE,MAAM,QAAQ,CAAC;AAC9B,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACrC,OAAO,EAAE,MAAM,EAAkD,MAAM,SAAS,CAAC;AACjF,OAAO,EACL,cAAc,EACd,6BAA6B,EAC7B,iBAAiB,GAElB,MAAM,gBAAgB,CAAC;AAgBxB,KAAK,UAAU,oBAAoB,CACjC,IAAY,EACZ,QAAgB,EAChB,YAAoB,EACpB,WAAmB;IAEnB,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,6CAA6C,EAAE;QAC/E,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,MAAM,EAAE,kBAAkB;SAC3B;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,SAAS,EAAE,QAAQ;YACnB,aAAa,EAAE,YAAY;YAC3B,IAAI;YACJ,YAAY,EAAE,WAAW;SAC1B,CAAC;KACH,CAAC,CAAC;IAEH,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,sCAAsC,aAAa,CAAC,UAAU,EAAE,CAAC,CAAC;IACpF,CAAC;IAED,OAAO,aAAa,CAAC,IAAI,EAAE,CAAC;AAC9B,CAAC;AAED,KAAK,UAAU,mBAAmB,CAAC,WAAmB;IACpD,MAAM,gBAAgB,GAAG,MAAM,KAAK,CAAC,6BAA6B,EAAE;QAClE,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,WAAW,EAAE;YACtC,MAAM,EAAE,gCAAgC;SACzC;KACF,CAAC,CAAC;IAEH,IAAI,CAAC,gBAAgB,CAAC,EAAE,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,8BAA8B,gBAAgB,CAAC,UAAU,EAAE,CAAC,CAAC;IAC/E,CAAC;IAED,OAAO,gBAAgB,CAAC,IAAI,EAAE,CAAC;AACjC,CAAC;AAED,KAAK,UAAU,kCAAkC,CAAC,GAAY,EAAE,GAAa;IAC3E,MAAM,IAAI,GAAG,iBAAiB,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,KAAe,CAAC;IACxC,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC;IAEhD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAC,CAAC;QAC9D,OAAO;IACT,CAAC;IAED,IAAI,CAAC,KAAK,IAAI,CAAC,WAAW,IAAI,KAAK,KAAK,WAAW,EAAE,CAAC;QACpD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,4CAA4C,EAAE,CAAC,CAAC;QAC9E,OAAO;IACT,CAAC;IAED,GAAG,CAAC,WAAW,CAAC,iBAAiB,CAAC,CAAC;IAEnC,MAAM,cAAc,GAAG,MAAM,CAAC,SAAS,CAAC,mCAAmC,CAAC,CAAC,CAAC;IAC9E,MAAM,kBAAkB,GAAG,MAAM,CAAC,SAAS,CAAC,uCAAuC,CAAC,CAAC,CAAC;IACtF,MAAM,WAAW,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;IAE7C,IAAI,CAAC;QACH,iCAAiC;QACjC,MAAM,SAAS,GAAG,MAAM,oBAAoB,CAC1C,IAAI,EACJ,cAAc,EACd,kBAAkB,EAClB,WAAW,CACZ,CAAC;QAEF,kBAAkB;QAClB,MAAM,UAAU,GAAG,MAAM,mBAAmB,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QAErE,yCAAyC;QACzC,MAAM,WAAW,GAAG,UAAU,CAAC,KAAK,IAAI,EAAE,CAAC;QAE3C,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EACH,sGAAsG;aACzG,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,MAAM,QAAQ,GAAkB;YAC9B,EAAE,EAAE,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;YACzB,KAAK,EAAE,WAAW;YAClB,aAAa,EAAE,IAAI,EAAE,kCAAkC;YACvD,YAAY,EAAE,QAAQ;SACvB,CAAC;QAEF,MAAM,6BAA6B,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;IAC1D,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,qBAAqB,EAAE,KAAK,CAAC,CAAC;QAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;IAC3D,CAAC;AACH,CAAC;AAED,SAAS,SAAS;IAChB,MAAM,gBAAgB,GAAG,MAAM,EAAE,CAAC;IAElC,+DAA+D;IAC/D,MAAM,kBAAkB,GAAG,CAAC,IAAa,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QAC9E,MAAM,aAAa,GAAG,OAAO,CAAC,SAAS,CAAC,kCAAkC,CAAC,CAAC,CAAC;QAC7E,MAAM,cAAc,GAAG,MAAM,CAAC,SAAS,CAAC,mCAAmC,CAAC,CAAC,CAAC;QAC9E,MAAM,kBAAkB,GAAG,MAAM,CAAC,SAAS,CAAC,uCAAuC,CAAC,CAAC,CAAC;QAEtF,IAAI,CAAC,aAAa,IAAI,CAAC,cAAc,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC7D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yCAAyC,EAAE,CAAC,CAAC;YAC3E,OAAO;QACT,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;IAEF,sBAAsB;IACtB,gBAAgB,CAAC,GAAG,CAClB,4BAA4B,EAC5B,kBAAkB,EAClB,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QAC9B,MAAM,cAAc,GAAG,MAAM,CAAC,SAAS,CAAC,mCAAmC,CAAC,CAAC,CAAC;QAC9E,MAAM,WAAW,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;QAC7C,MAAM,YAAY,GAAG,SAAS,CAAC,iCAAiC,CAAC,CAAC;QAClE,MAAM,MAAM,GAAG,YAAY;YACzB,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC;iBACjB,KAAK,CAAC,GAAG,CAAC;iBACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;iBACpB,IAAI,CAAC,GAAG,CAAC;YACd,CAAC,CAAC,YAAY,CAAC;QAEjB,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAE9C,GAAG,CAAC,MAAM,CAAC,iBAAiB,EAAE,KAAK,EAAE;YACnC,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;YAC7C,QAAQ,EAAE,KAAK;YACf,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,aAAa;SACxC,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,0CAA0C,CAAC,CAAC;QACpE,OAAO,CAAC,YAAY,CAAC,MAAM,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;QACzD,OAAO,CAAC,YAAY,CAAC,MAAM,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;QACzD,OAAO,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC7C,OAAO,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QAE5C,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IACnC,CAAC,CACF,CAAC;IAEF,wBAAwB;IACxB,gBAAgB,CAAC,GAAG,CAClB,qCAAqC,EACrC,kBAAkB,EAClB,kCAAkC,CACnC,CAAC;IAEF,OAAO,gBAAgB,CAAC;AAC1B,CAAC;AAED,eAAe,SAAS,CAAC"}

package/dist/auth/providers/google.d.ts

@@ -0,0 +1,3 @@
+declare function getRouter(): import("express-serve-static-core").Router;
+export default getRouter;
+//# sourceMappingURL=google.d.ts.map

package/dist/auth/providers/google.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"google.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/google.ts"],"names":[],"mappings":"AAmHA,iBAAS,SAAS,+CAsDjB;AAED,eAAe,SAAS,CAAC"}

package/dist/auth/providers/google.js

@@ -0,0 +1,108 @@
+import { getConfig } from '../../server';
+import { time } from '../../time';
+import { randomBytes } from 'crypto';
+import { Router } from 'express';
+import { getRedirectUri, handleOAuthUserAuthentication, validateOAuthCode, } from './oauth-common';
+async function exchangeCodeForToken(code, clientId, clientSecret, redirectUri) {
+    const tokenResponse = await fetch('https://oauth2.googleapis.com/token', {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+        },
+        body: new URLSearchParams({
+            code,
+            client_id: clientId,
+            client_secret: clientSecret,
+            redirect_uri: redirectUri,
+            grant_type: 'authorization_code',
+        }),
+    });
+    if (!tokenResponse.ok) {
+        throw new Error(`Failed to exchange code for token: ${tokenResponse.statusText}`);
+    }
+    return tokenResponse.json();
+}
+async function fetchGoogleUserInfo(accessToken) {
+    const userInfoResponse = await fetch('https://www.googleapis.com/oauth2/v2/userinfo', {
+        headers: {
+            Authorization: `Bearer ${accessToken}`,
+        },
+    });
+    if (!userInfoResponse.ok) {
+        throw new Error(`Failed to fetch user info: ${userInfoResponse.statusText}`);
+    }
+    return userInfoResponse.json();
+}
+async function handleGoogleAuthenticationCallback(req, res) {
+    const code = validateOAuthCode(req.query.code);
+    const state = req.query.state;
+    const storedState = req.cookies.authStateGoogle;
+    if (!code) {
+        res.status(400).json({ error: 'Missing authorization code' });
+        return;
+    }
+    if (!state || !storedState || state !== storedState) {
+        res.status(400).json({ error: 'Invalid OAuth state - possible CSRF attack' });
+        return;
+    }
+    res.clearCookie('authStateGoogle');
+    const googleClientId = String(getConfig('_system.user.auth.google.clientId'));
+    const googleClientSecret = String(getConfig('_system.user.auth.google.clientSecret'));
+    const redirectUri = getRedirectUri('google');
+    try {
+        // Exchange code for tokens
+        const tokenData = await exchangeCodeForToken(code, googleClientId, googleClientSecret, redirectUri);
+        // Fetch user info
+        const googleUser = await fetchGoogleUserInfo(tokenData.access_token);
+        const userData = {
+            id: googleUser.id,
+            email: googleUser.email,
+            emailVerified: googleUser.verified_email,
+            providerName: 'google',
+        };
+        await handleOAuthUserAuthentication(req, res, userData);
+    }
+    catch (error) {
+        console.error('Google OAuth error:', error);
+        res.status(500).json({ error: 'Authentication failed' });
+    }
+}
+function getRouter() {
+    const googleAuthRouter = Router();
+    // Middleware to check if Google auth is enabled and configured
+    const checkGoogleEnabled = (_req, res, next) => {
+        const googleEnabled = Boolean(getConfig('_system.user.auth.google.enabled'));
+        const googleClientId = String(getConfig('_system.user.auth.google.clientId'));
+        const googleClientSecret = String(getConfig('_system.user.auth.google.clientSecret'));
+        if (!googleEnabled || !googleClientId || !googleClientSecret) {
+            res.status(503).json({ error: 'Google authentication is not configured' });
+            return;
+        }
+        next();
+    };
+    // Initiate OAuth flow
+    googleAuthRouter.get('/api/_internal/auth/google', checkGoogleEnabled, (req, res) => {
+        const googleClientId = String(getConfig('_system.user.auth.google.clientId'));
+        const redirectUri = getRedirectUri('google');
+        const state = randomBytes(32).toString('hex');
+        res.cookie('authStateGoogle', state, {
+            httpOnly: true,
+            secure: process.env.NODE_ENV === 'production',
+            sameSite: 'lax',
+            maxAge: time.minutes(10), // 10 minutes
+        });
+        const authUrl = new URL('https://accounts.google.com/o/oauth2/v2/auth');
+        authUrl.searchParams.append('client_id', googleClientId);
+        authUrl.searchParams.append('redirect_uri', redirectUri);
+        authUrl.searchParams.append('response_type', 'code');
+        authUrl.searchParams.append('scope', 'profile email');
+        authUrl.searchParams.append('access_type', 'online');
+        authUrl.searchParams.append('state', state);
+        res.redirect(authUrl.toString());
+    });
+    // Handle OAuth callback
+    googleAuthRouter.get('/api/_internal/auth/google/callback', checkGoogleEnabled, handleGoogleAuthenticationCallback);
+    return googleAuthRouter;
+}
+export default getRouter;
+//# sourceMappingURL=google.js.map

package/dist/auth/providers/google.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"google.js","sourceRoot":"","sources":["../../../src/auth/providers/google.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AACrC,OAAO,EAAE,IAAI,EAAE,MAAM,QAAQ,CAAC;AAC9B,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACrC,OAAO,EAAE,MAAM,EAAkD,MAAM,SAAS,CAAC;AACjF,OAAO,EACL,cAAc,EACd,6BAA6B,EAC7B,iBAAiB,GAElB,MAAM,gBAAgB,CAAC;AAkBxB,KAAK,UAAU,oBAAoB,CACjC,IAAY,EACZ,QAAgB,EAChB,YAAoB,EACpB,WAAmB;IAEnB,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,qCAAqC,EAAE;QACvE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,mCAAmC;SACpD;QACD,IAAI,EAAE,IAAI,eAAe,CAAC;YACxB,IAAI;YACJ,SAAS,EAAE,QAAQ;YACnB,aAAa,EAAE,YAAY;YAC3B,YAAY,EAAE,WAAW;YACzB,UAAU,EAAE,oBAAoB;SACjC,CAAC;KACH,CAAC,CAAC;IAEH,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,sCAAsC,aAAa,CAAC,UAAU,EAAE,CAAC,CAAC;IACpF,CAAC;IAED,OAAO,aAAa,CAAC,IAAI,EAAE,CAAC;AAC9B,CAAC;AAED,KAAK,UAAU,mBAAmB,CAAC,WAAmB;IACpD,MAAM,gBAAgB,GAAG,MAAM,KAAK,CAAC,+CAA+C,EAAE;QACpF,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,WAAW,EAAE;SACvC;KACF,CAAC,CAAC;IAEH,IAAI,CAAC,gBAAgB,CAAC,EAAE,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,8BAA8B,gBAAgB,CAAC,UAAU,EAAE,CAAC,CAAC;IAC/E,CAAC;IAED,OAAO,gBAAgB,CAAC,IAAI,EAAE,CAAC;AACjC,CAAC;AAED,KAAK,UAAU,kCAAkC,CAAC,GAAY,EAAE,GAAa;IAC3E,MAAM,IAAI,GAAG,iBAAiB,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,KAAe,CAAC;IACxC,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC;IAEhD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAC,CAAC;QAC9D,OAAO;IACT,CAAC;IAED,IAAI,CAAC,KAAK,IAAI,CAAC,WAAW,IAAI,KAAK,KAAK,WAAW,EAAE,CAAC;QACpD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,4CAA4C,EAAE,CAAC,CAAC;QAC9E,OAAO;IACT,CAAC;IAED,GAAG,CAAC,WAAW,CAAC,iBAAiB,CAAC,CAAC;IAEnC,MAAM,cAAc,GAAG,MAAM,CAAC,SAAS,CAAC,mCAAmC,CAAC,CAAC,CAAC;IAC9E,MAAM,kBAAkB,GAAG,MAAM,CAAC,SAAS,CAAC,uCAAuC,CAAC,CAAC,CAAC;IACtF,MAAM,WAAW,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;IAE7C,IAAI,CAAC;QACH,2BAA2B;QAC3B,MAAM,SAAS,GAAG,MAAM,oBAAoB,CAC1C,IAAI,EACJ,cAAc,EACd,kBAAkB,EAClB,WAAW,CACZ,CAAC;QAEF,kBAAkB;QAClB,MAAM,UAAU,GAAG,MAAM,mBAAmB,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QAErE,MAAM,QAAQ,GAAkB;YAC9B,EAAE,EAAE,UAAU,CAAC,EAAE;YACjB,KAAK,EAAE,UAAU,CAAC,KAAK;YACvB,aAAa,EAAE,UAAU,CAAC,cAAc;YACxC,YAAY,EAAE,QAAQ;SACvB,CAAC;QAEF,MAAM,6BAA6B,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;IAC1D,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,qBAAqB,EAAE,KAAK,CAAC,CAAC;QAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;IAC3D,CAAC;AACH,CAAC;AAED,SAAS,SAAS;IAChB,MAAM,gBAAgB,GAAG,MAAM,EAAE,CAAC;IAElC,+DAA+D;IAC/D,MAAM,kBAAkB,GAAG,CAAC,IAAa,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QAC9E,MAAM,aAAa,GAAG,OAAO,CAAC,SAAS,CAAC,kCAAkC,CAAC,CAAC,CAAC;QAC7E,MAAM,cAAc,GAAG,MAAM,CAAC,SAAS,CAAC,mCAAmC,CAAC,CAAC,CAAC;QAC9E,MAAM,kBAAkB,GAAG,MAAM,CAAC,SAAS,CAAC,uCAAuC,CAAC,CAAC,CAAC;QAEtF,IAAI,CAAC,aAAa,IAAI,CAAC,cAAc,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC7D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yCAAyC,EAAE,CAAC,CAAC;YAC3E,OAAO;QACT,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;IAEF,sBAAsB;IACtB,gBAAgB,CAAC,GAAG,CAClB,4BAA4B,EAC5B,kBAAkB,EAClB,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QAC9B,MAAM,cAAc,GAAG,MAAM,CAAC,SAAS,CAAC,mCAAmC,CAAC,CAAC,CAAC;QAC9E,MAAM,WAAW,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;QAE7C,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAE9C,GAAG,CAAC,MAAM,CAAC,iBAAiB,EAAE,KAAK,EAAE;YACnC,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;YAC7C,QAAQ,EAAE,KAAK;YACf,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,aAAa;SACxC,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,8CAA8C,CAAC,CAAC;QACxE,OAAO,CAAC,YAAY,CAAC,MAAM,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;QACzD,OAAO,CAAC,YAAY,CAAC,MAAM,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;QACzD,OAAO,CAAC,YAAY,CAAC,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;QACrD,OAAO,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QACtD,OAAO,CAAC,YAAY,CAAC,MAAM,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;QACrD,OAAO,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QAE5C,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IACnC,CAAC,CACF,CAAC;IAEF,wBAAwB;IACxB,gBAAgB,CAAC,GAAG,CAClB,qCAAqC,EACrC,kBAAkB,EAClB,kCAAkC,CACnC,CAAC;IAEF,OAAO,gBAAgB,CAAC;AAC1B,CAAC;AAED,eAAe,SAAS,CAAC"}

package/dist/auth/providers/oauth-common.d.ts

@@ -0,0 +1,13 @@
+import { type Request, type Response } from 'express';
+import { ObjectId } from 'mongodb';
+export interface OAuthUserData {
+    id: string;
+    email: string;
+    emailVerified: boolean;
+    providerName: 'google' | 'github';
+}
+export declare function authenticateUser(res: Response, userId: ObjectId): Promise<void>;
+export declare function getRedirectUri(provider: string): string;
+export declare function handleOAuthUserAuthentication(req: Request, res: Response, userData: OAuthUserData): Promise<void>;
+export declare function validateOAuthCode(code: unknown): string | null;
+//# sourceMappingURL=oauth-common.d.ts.map

package/dist/auth/providers/oauth-common.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-common.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/oauth-common.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,SAAS,CAAC;AACtD,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAOnC,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,OAAO,CAAC;IACvB,YAAY,EAAE,QAAQ,GAAG,QAAQ,CAAC;CACnC;AAED,wBAAsB,gBAAgB,CAAC,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,iBAUrE;AAED,wBAAgB,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAEvD;AAED,wBAAsB,6BAA6B,CACjD,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,QAAQ,EAAE,aAAa,GACtB,OAAO,CAAC,IAAI,CAAC,CAqGf;AAED,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAK9D"}

package/dist/auth/providers/oauth-common.js

@@ -0,0 +1,109 @@
+import { usersCollection } from '../../auth/db';
+import { createSession } from '../../auth/session';
+import { getAuthConfig } from '../../app/authConfig';
+import { getCallContext } from '../../app/server';
+import { getConfig } from '../../config/server';
+export async function authenticateUser(res, userId) {
+    const { authToken } = await createSession(userId);
+    res.cookie('authToken', authToken, {
+        httpOnly: true,
+        secure: process.env.NODE_ENV === 'production',
+        sameSite: 'strict',
+    });
+    res.status(301);
+    res.redirect('/');
+}
+export function getRedirectUri(provider) {
+    return `${getConfig('_system.site.url')}/api/_internal/auth/${provider}/callback`;
+}
+export async function handleOAuthUserAuthentication(req, res, userData) {
+    const existingUser = await usersCollection.findOne({
+        [`authMethods.${userData.providerName}.id`]: userData.id,
+    });
+    const { session, connectionInfo } = await getCallContext(req);
+    try {
+        if (existingUser) {
+            await authenticateUser(res, existingUser._id);
+            getAuthConfig().onAfterLogin?.({
+                user: existingUser,
+                session,
+                connectionInfo,
+            });
+            getAuthConfig().login?.onSuccess?.(existingUser);
+            return;
+        }
+    }
+    catch (error) {
+        if (error instanceof Error) {
+            getAuthConfig().login?.onError?.(error);
+            getAuthConfig().onLoginError?.({
+                error,
+                session,
+                connectionInfo,
+            });
+        }
+        throw error;
+    }
+    try {
+        if (!userData.email) {
+            res.status(400).json({
+                error: `Email address is required for ${userData.providerName} authentication.`,
+            });
+            return;
+        }
+        const existingUserByEmail = await usersCollection.findOne({ 'emails.address': userData.email }, { collation: { locale: 'en', strength: 2 } });
+        // TODO: check if the email is verified
+        if (existingUserByEmail) {
+            // TODO: handle case with an HTML page
+            res.status(400).json({
+                error: 'User with this email already exists. Please log in instead.',
+            });
+            return;
+        }
+        // If the user does not exist, create a new user
+        const newUser = await usersCollection.insertOne({
+            handle: userData.email,
+            status: 'active',
+            emails: [
+                {
+                    address: userData.email,
+                    verified: userData.emailVerified,
+                },
+            ],
+            createdAt: new Date(),
+            authMethods: {
+                [userData.providerName]: {
+                    id: userData.id,
+                },
+            },
+        });
+        await authenticateUser(res, newUser.insertedId);
+        const userDocument = await usersCollection.findOne({ _id: newUser.insertedId }, { readPreference: 'primary' });
+        if (userDocument) {
+            getAuthConfig().onAfterSignup?.({
+                user: userDocument,
+                session,
+                connectionInfo,
+            });
+            getAuthConfig().signup?.onSuccess?.(userDocument);
+        }
+    }
+    catch (error) {
+        if (error instanceof Error) {
+            getAuthConfig().onSignupError?.({
+                error,
+                session,
+                connectionInfo,
+            });
+            getAuthConfig().signup?.onError?.(error);
+        }
+        throw error;
+    }
+}
+export function validateOAuthCode(code) {
+    if (!code || typeof code !== 'string') {
+        return null;
+    }
+    return code;
+}
+//# sourceMappingURL=oauth-common.js.map

package/dist/auth/providers/oauth-common.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-common.js","sourceRoot":"","sources":["../../../src/auth/providers/oauth-common.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAS5C,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,GAAa,EAAE,MAAgB;IACpE,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;IAElD,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,SAAS,EAAE;QACjC,QAAQ,EAAE,IAAI;QACd,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;QAC7C,QAAQ,EAAE,QAAQ;KACnB,CAAC,CAAC;IACH,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAChB,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;AACpB,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,QAAgB;IAC7C,OAAO,GAAG,SAAS,CAAC,kBAAkB,CAAC,uBAAuB,QAAQ,WAAW,CAAC;AACpF,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,6BAA6B,CACjD,GAAY,EACZ,GAAa,EACb,QAAuB;IAEvB,MAAM,YAAY,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC;QACjD,CAAC,eAAe,QAAQ,CAAC,YAAY,KAAK,CAAC,EAAE,QAAQ,CAAC,EAAE;KACzD,CAAC,CAAC;IAEH,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,GAAG,MAAM,cAAc,CAAC,GAAG,CAAC,CAAC;IAE9D,IAAI,CAAC;QACH,IAAI,YAAY,EAAE,CAAC;YACjB,MAAM,gBAAgB,CAAC,GAAG,EAAE,YAAY,CAAC,GAAG,CAAC,CAAC;YAE9C,aAAa,EAAE,CAAC,YAAY,EAAE,CAAC;gBAC7B,IAAI,EAAE,YAAY;gBAClB,OAAO;gBACP,cAAc;aACf,CAAC,CAAC;YACH,aAAa,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,CAAC,YAAY,CAAC,CAAC;YAEjD,OAAO;QACT,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;YAC3B,aAAa,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,CAAC,KAAK,CAAC,CAAC;YAExC,aAAa,EAAE,CAAC,YAAY,EAAE,CAAC;gBAC7B,KAAK;gBACL,OAAO;gBACP,cAAc;aACf,CAAC,CAAC;QACL,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;YACpB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,iCAAiC,QAAQ,CAAC,YAAY,kBAAkB;aAChF,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,MAAM,mBAAmB,GAAG,MAAM,eAAe,CAAC,OAAO,CACvD,EAAE,gBAAgB,EAAE,QAAQ,CAAC,KAAK,EAAE,EACpC,EAAE,SAAS,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,EAAE,EAAE,CAC7C,CAAC;QAEF,uCAAuC;QACvC,IAAI,mBAAmB,EAAE,CAAC;YACxB,sCAAsC;YACtC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,6DAA6D;aACrE,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,gDAAgD;QAChD,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,SAAS,CAAC;YAC9C,MAAM,EAAE,QAAQ,CAAC,KAAK;YACtB,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE;gBACN;oBACE,OAAO,EAAE,QAAQ,CAAC,KAAK;oBACvB,QAAQ,EAAE,QAAQ,CAAC,aAAa;iBACjC;aACF;YACD,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,WAAW,EAAE;gBACX,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE;oBACvB,EAAE,EAAE,QAAQ,CAAC,EAAE;iBAChB;aACF;SACF,CAAC,CAAC;QAEH,MAAM,gBAAgB,CAAC,GAAG,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;QAEhD,MAAM,YAAY,GAAG,MAAM,eAAe,CAAC,OAAO,CAChD,EAAE,GAAG,EAAE,OAAO,CAAC,UAAU,EAAE,EAC3B,EAAE,cAAc,EAAE,SAAS,EAAE,CAC9B,CAAC;QAEF,IAAI,YAAY,EAAE,CAAC;YACjB,aAAa,EAAE,CAAC,aAAa,EAAE,CAAC;gBAC9B,IAAI,EAAE,YAAY;gBAClB,OAAO;gBACP,cAAc;aACf,CAAC,CAAC;YAEH,aAAa,EAAE,CAAC,MAAM,EAAE,SAAS,EAAE,CAAC,YAAY,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;YAC3B,aAAa,EAAE,CAAC,aAAa,EAAE,CAAC;gBAC9B,KAAK;gBACL,OAAO;gBACP,cAAc;aACf,CAAC,CAAC;YAEH,aAAa,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,KAAK,CAAC,CAAC;QAC3C,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,IAAa;IAC7C,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/auth/resetPassword.d.ts

@@ -0,0 +1,10 @@
+import { Args, Context } from '../methods/types';
+export declare function handleSendResetPasswordToken(args: Args, { connectionInfo }: Context): Promise<{
+    success: boolean;
+    message: string;
+}>;
+export declare function handleResetPassword(args: Args, {}: Context): Promise<{
+    success: boolean;
+    message: string;
+}>;
+//# sourceMappingURL=resetPassword.d.ts.map

package/dist/auth/resetPassword.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resetPassword.d.ts","sourceRoot":"","sources":["../../src/auth/resetPassword.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAqChD,wBAAsB,4BAA4B,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE,cAAc,EAAE,EAAE,OAAO;;;GAyDzF;AAED,wBAAsB,mBAAmB,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,OAAO;;;GAuChE"}