ofauth-shared-core 0.1.0-alpha.0

package/README.md

@@ -0,0 +1,20 @@
+# ofauth-shared-core
+
+`ofauth-shared-core` adalah auth shared-core offline-first untuk ekosistem `of*`.
+
+## Fitur Inti
+- identity/session/context contract,
+- assurance/step-up contract,
+- auth audit contract,
+- runtime entrypoint `OfauthCore`.
+
+## Build and Validate
+- `npm run build`
+- `npm run verify:contract`
+- `npm run verify:logic`
+- `npm run ci:check`
+
+## Publish
+1. `npm run ci:check`
+2. `npm pack --dry-run`
+3. `npm publish --access public`

package/dist/OfauthCore.d.ts

@@ -0,0 +1,48 @@
+import type { CoreAdapterRegistry, CoreRuntime, CoreRuntimeHooks, CoreRuntimeStartOptions } from 'ofcore';
+import type { DbAdapter, HttpAdapter, LoggerAdapter, PlatformAdapter, SocketAdapter, ActivitySink } from 'ofcore';
+import type { ReadonlyStore, Store } from 'ofcore';
+import type { OfauthDomainServices } from './services/createContractOnlyOfauthServices';
+export type OfauthDomainServicesOverride = Partial<OfauthDomainServices>;
+export type OfauthDomainServicesFactory = () => Promise<OfauthDomainServices> | OfauthDomainServices;
+export type OfauthRuntimeHooks = Pick<CoreRuntimeHooks<OfauthDomainServices, never>, 'runMigrations' | 'runSeed' | 'onInit' | 'onStop'>;
+export interface OfauthRuntimeState {
+    phase: 'idle' | 'starting' | 'started' | 'stopping' | 'stopped' | 'error';
+    started: boolean;
+    startCount: number;
+    stopCount: number;
+    lastError: string | null;
+    lastTransitionAt: string;
+}
+export declare class OfauthCore {
+    private readonly runtime;
+    private readonly runtimeStateStore;
+    domainServices?: OfauthDomainServices;
+    readonly runtimeStore: ReadonlyStore<OfauthRuntimeState>;
+    constructor(runtime: CoreRuntime<OfauthDomainServices, never>, runtimeStateStore: Store<OfauthRuntimeState>);
+    static builder(): OfauthCoreBuilder;
+    get registry(): CoreAdapterRegistry | undefined;
+    start(options?: CoreRuntimeStartOptions): Promise<void>;
+    init(options?: CoreRuntimeStartOptions): Promise<void>;
+    stop(): Promise<void>;
+    isStarted(): boolean;
+}
+export declare class OfauthCoreBuilder {
+    private readonly runtimeBuilder;
+    private domainServicesFactory?;
+    private domainServiceOverrides;
+    private runtimeHooks;
+    constructor();
+    withPlatformAdapter(factory: (core: CoreRuntime<any, any>) => PlatformAdapter): this;
+    withDbAdapter(factory: (core: CoreRuntime<any, any>) => DbAdapter): this;
+    withHttpAdapter(factory: (core: CoreRuntime<any, any>) => HttpAdapter): this;
+    withSocketAdapter(factory: (core: CoreRuntime<any, any>) => SocketAdapter): this;
+    withLoggerAdapter(factory: (core: CoreRuntime<any, any>) => LoggerAdapter): this;
+    withActivitySink(factory: (core: CoreRuntime<any, any>) => ActivitySink): this;
+    withExtension(name: string, factory: (core: CoreRuntime<any, any>) => unknown): this;
+    withDomainServicesFactory(factory: OfauthDomainServicesFactory): this;
+    overrideDomainServices(overrides: OfauthDomainServicesOverride): this;
+    withRuntimeHooks(hooks: Partial<OfauthRuntimeHooks>): this;
+    withMigrationRunner(runner: NonNullable<OfauthRuntimeHooks['runMigrations']>): this;
+    withSeedRunner(runner: NonNullable<OfauthRuntimeHooks['runSeed']>): this;
+    build(): OfauthCore;
+}

package/dist/OfauthCore.js

@@ -0,0 +1,200 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OfauthCoreBuilder = exports.OfauthCore = void 0;
+const ofcore_1 = require("ofcore");
+const ofcore_2 = require("ofcore");
+const ofcore_3 = require("ofcore");
+const createDbAdapterOfauthServices_1 = require("./services/createDbAdapterOfauthServices");
+const applyPendingMigrations_1 = require("./data/applyPendingMigrations");
+class OfauthCore {
+    constructor(runtime, runtimeStateStore) {
+        this.runtime = runtime;
+        this.runtimeStateStore = runtimeStateStore;
+        this.runtimeStore = (0, ofcore_3.asReadonlyStore)(this.runtimeStateStore);
+    }
+    static builder() {
+        return new OfauthCoreBuilder();
+    }
+    get registry() {
+        return this.runtime.registry;
+    }
+    async start(options = {}) {
+        this.runtimeStateStore.setState({
+            phase: 'starting',
+            started: false,
+            lastError: null,
+            lastTransitionAt: new Date().toISOString(),
+        });
+        try {
+            await this.runtime.start(options);
+            this.domainServices = this.runtime.domainServices;
+            this.runtimeStateStore.setState((state) => ({
+                ...state,
+                phase: 'started',
+                started: true,
+                startCount: state.startCount + 1,
+                lastError: null,
+                lastTransitionAt: new Date().toISOString(),
+            }));
+        }
+        catch (error) {
+            this.runtimeStateStore.setState({
+                phase: 'error',
+                started: false,
+                lastError: error instanceof Error ? error.message : String(error),
+                lastTransitionAt: new Date().toISOString(),
+            });
+            throw error;
+        }
+    }
+    async init(options = {}) {
+        this.runtimeStateStore.setState({
+            phase: 'starting',
+            started: false,
+            lastError: null,
+            lastTransitionAt: new Date().toISOString(),
+        });
+        try {
+            await this.runtime.init(options);
+            this.domainServices = this.runtime.domainServices;
+            this.runtimeStateStore.setState((state) => ({
+                ...state,
+                phase: 'started',
+                started: true,
+                startCount: state.startCount + 1,
+                lastError: null,
+                lastTransitionAt: new Date().toISOString(),
+            }));
+        }
+        catch (error) {
+            this.runtimeStateStore.setState({
+                phase: 'error',
+                started: false,
+                lastError: error instanceof Error ? error.message : String(error),
+                lastTransitionAt: new Date().toISOString(),
+            });
+            throw error;
+        }
+    }
+    async stop() {
+        this.runtimeStateStore.setState({
+            phase: 'stopping',
+            started: this.runtime.isStarted(),
+            lastError: null,
+            lastTransitionAt: new Date().toISOString(),
+        });
+        try {
+            await this.runtime.stop();
+            this.runtimeStateStore.setState((state) => ({
+                ...state,
+                phase: 'stopped',
+                started: false,
+                stopCount: state.stopCount + 1,
+                lastError: null,
+                lastTransitionAt: new Date().toISOString(),
+            }));
+        }
+        catch (error) {
+            this.runtimeStateStore.setState({
+                phase: 'error',
+                started: this.runtime.isStarted(),
+                lastError: error instanceof Error ? error.message : String(error),
+                lastTransitionAt: new Date().toISOString(),
+            });
+            throw error;
+        }
+    }
+    isStarted() {
+        return this.runtime.isStarted();
+    }
+}
+exports.OfauthCore = OfauthCore;
+class OfauthCoreBuilder {
+    constructor() {
+        this.runtimeBuilder = ofcore_1.CoreRuntime.builder();
+        this.domainServiceOverrides = {};
+        this.runtimeHooks = {};
+        this.runtimeBuilder.withDbAdapter(() => new ofcore_2.InMemoryDbAdapter());
+    }
+    withPlatformAdapter(factory) {
+        this.runtimeBuilder.withPlatformAdapter(factory);
+        return this;
+    }
+    withDbAdapter(factory) {
+        this.runtimeBuilder.withDbAdapter(factory);
+        return this;
+    }
+    withHttpAdapter(factory) {
+        this.runtimeBuilder.withHttpAdapter(factory);
+        return this;
+    }
+    withSocketAdapter(factory) {
+        this.runtimeBuilder.withSocketAdapter(factory);
+        return this;
+    }
+    withLoggerAdapter(factory) {
+        this.runtimeBuilder.withLoggerAdapter(factory);
+        return this;
+    }
+    withActivitySink(factory) {
+        this.runtimeBuilder.withActivitySink(factory);
+        return this;
+    }
+    withExtension(name, factory) {
+        this.runtimeBuilder.withExtension(name, factory);
+        return this;
+    }
+    withDomainServicesFactory(factory) {
+        this.domainServicesFactory = factory;
+        return this;
+    }
+    overrideDomainServices(overrides) {
+        this.domainServiceOverrides = { ...this.domainServiceOverrides, ...overrides };
+        return this;
+    }
+    withRuntimeHooks(hooks) {
+        this.runtimeHooks = { ...this.runtimeHooks, ...hooks };
+        return this;
+    }
+    withMigrationRunner(runner) {
+        return this.withRuntimeHooks({ runMigrations: runner });
+    }
+    withSeedRunner(runner) {
+        return this.withRuntimeHooks({ runSeed: runner });
+    }
+    build() {
+        const runtimeStateStore = (0, ofcore_3.createStore)({
+            phase: 'idle',
+            started: false,
+            startCount: 0,
+            stopCount: 0,
+            lastError: null,
+            lastTransitionAt: new Date().toISOString(),
+        });
+        const defaultRunMigrations = async (runtime) => {
+            const dbAdapter = runtime.registry?.dbAdapter;
+            if (!dbAdapter)
+                return;
+            await (0, applyPendingMigrations_1.applyPendingMigrations)(dbAdapter, runtime.registry?.loggerAdapter);
+        };
+        this.runtimeBuilder.withHooks({
+            ...this.runtimeHooks,
+            runMigrations: this.runtimeHooks.runMigrations ?? defaultRunMigrations,
+            createDomainServices: async (runtime) => {
+                const base = this.domainServicesFactory
+                    ? await this.domainServicesFactory()
+                    : await (0, createDbAdapterOfauthServices_1.createDbAdapterOfauthServices)(runtime.registry?.dbAdapter ?? new ofcore_2.InMemoryDbAdapter(), {
+                        logger: runtime.registry?.loggerAdapter,
+                        platformAdapter: runtime.registry?.platformAdapter,
+                        emitActivity: async (record) => {
+                            await runtime.emitActivity(record);
+                        },
+                    });
+                return { ...base, ...this.domainServiceOverrides };
+            },
+        });
+        const runtime = this.runtimeBuilder.build();
+        return new OfauthCore(runtime, runtimeStateStore);
+    }
+}
+exports.OfauthCoreBuilder = OfauthCoreBuilder;

package/dist/contracts/AuthAuditContract.d.ts

@@ -0,0 +1,25 @@
+import type { AuthScopeRef } from './ContextContract';
+export type AuthAuditEventType = 'LOGIN_SUCCESS' | 'LOGIN_FAILED' | 'LOCKOUT_TRIGGERED' | 'SESSION_REVOKED' | 'CONTEXT_SWITCHED' | 'STEP_UP_CHALLENGED' | 'STEP_UP_PASSED' | 'STEP_UP_FAILED';
+export interface AuthAuditEvent {
+    eventId: string;
+    eventType: AuthAuditEventType;
+    identityId?: string;
+    sessionId?: string;
+    scopeRef?: AuthScopeRef;
+    result: 'success' | 'failed';
+    reasonCode?: string;
+    timestamp: string;
+    syncStatus?: 'pending' | 'replayed';
+    replayedAt?: string;
+}
+export interface AuthAuditQuery {
+    identityId?: string;
+    sessionId?: string;
+    eventTypes?: AuthAuditEventType[];
+    fromTimestamp?: string;
+    toTimestamp?: string;
+}
+export interface AuthAuditReplayQuery {
+    limit?: number;
+}
+export declare function isAuthAuditEventType(value: string): value is AuthAuditEventType;

package/dist/contracts/AuthAuditContract.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isAuthAuditEventType = isAuthAuditEventType;
+function isAuthAuditEventType(value) {
+    const allowed = [
+        'LOGIN_SUCCESS',
+        'LOGIN_FAILED',
+        'LOCKOUT_TRIGGERED',
+        'SESSION_REVOKED',
+        'CONTEXT_SWITCHED',
+        'STEP_UP_CHALLENGED',
+        'STEP_UP_PASSED',
+        'STEP_UP_FAILED',
+    ];
+    return allowed.includes(value);
+}

package/dist/contracts/AuthErrorContract.d.ts

@@ -0,0 +1,5 @@
+import type { ErrorEnvelope } from 'ofcore';
+export type AuthErrorCode = 'AUTH_INVALID_CREDENTIAL' | 'AUTH_LOCKED' | 'AUTH_DISABLED' | 'AUTH_SESSION_NOT_FOUND' | 'AUTH_STEP_UP_REQUIRED' | 'AUTH_CONTEXT_FORBIDDEN' | 'AUTH_NOT_IMPLEMENTED';
+export interface AuthErrorEnvelope extends ErrorEnvelope {
+    code: AuthErrorCode;
+}

package/dist/contracts/AuthErrorContract.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/contracts/AuthPolicyContract.d.ts

@@ -0,0 +1,25 @@
+import type { AssuranceLevel } from './SessionContract';
+export type AuthProfileId = 'cashier_fast' | 'supervisor_strict' | 'member_self_service';
+export interface AuthProfile {
+    profileId: AuthProfileId;
+    defaultAssuranceLevel: AssuranceLevel;
+    lockoutPolicyRef: string;
+}
+export interface StepUpRequirement {
+    actionRef: string;
+    requiredAssuranceLevel: AssuranceLevel;
+    reauthWindowSeconds?: number;
+}
+export interface StepUpEvaluation {
+    actionRef: string;
+    requiredAssuranceLevel: AssuranceLevel;
+    currentAssuranceLevel: AssuranceLevel;
+    requiresStepUp: boolean;
+    reauthWindowSeconds?: number;
+}
+export interface AuthPolicySnapshot {
+    profiles: AuthProfile[];
+    stepUpRequirements: StepUpRequirement[];
+    version: string;
+    updatedAt: string;
+}

package/dist/contracts/AuthPolicyContract.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/contracts/ContextContract.d.ts

@@ -0,0 +1,27 @@
+export interface AuthScopeRef {
+    tenantId?: string;
+    branchId?: string;
+    attributes?: Record<string, string>;
+}
+export interface ContextAssignment {
+    assignmentId: string;
+    identityId: string;
+    roleRef: string;
+    scopeRef: AuthScopeRef;
+}
+export interface ActiveContext {
+    sessionId: string;
+    assignmentId: string;
+    scopeRef: AuthScopeRef;
+}
+export interface ContextSwitchRequest {
+    sessionId: string;
+    targetAssignmentId: string;
+    reasonCode?: string;
+}
+export interface ContextSwitchResult {
+    activeContext: ActiveContext;
+    requiresStepUp: boolean;
+    reasonCode?: string;
+}
+export declare function hasAnyScopeDimension(scope: AuthScopeRef): boolean;

package/dist/contracts/ContextContract.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hasAnyScopeDimension = hasAnyScopeDimension;
+function hasAnyScopeDimension(scope) {
+    return Boolean(scope.tenantId ||
+        scope.branchId ||
+        (scope.attributes && Object.keys(scope.attributes).length > 0));
+}

package/dist/contracts/IdentityContract.d.ts

@@ -0,0 +1,36 @@
+import type { AuthScopeRef, ContextAssignment } from './ContextContract';
+export type IdentityStatus = 'active' | 'disabled' | 'locked';
+export type CredentialVerifyMethod = 'pin' | 'password' | 'custom';
+export interface IdentityRef {
+    identityId: string;
+    principal: string;
+    status: IdentityStatus;
+}
+export interface IdentityAssignmentRef {
+    assignmentId: string;
+    identityId: string;
+    scopeRef: AuthScopeRef;
+    roleRef: string;
+}
+export interface CredentialPolicy {
+    verifyMethod: CredentialVerifyMethod;
+    lockoutThreshold: number;
+    cooldownSeconds: number;
+}
+export interface CredentialVerifyRequest {
+    principal: string;
+    secret: string;
+    verifyMethod: CredentialVerifyMethod;
+    scopeRef?: AuthScopeRef;
+}
+export interface CredentialVerifySuccess {
+    ok: true;
+    identity: IdentityRef;
+    assignments: ContextAssignment[];
+}
+export interface CredentialVerifyFailure {
+    ok: false;
+    reasonCode: 'INVALID_CREDENTIAL' | 'IDENTITY_LOCKED' | 'IDENTITY_DISABLED';
+    retryable: boolean;
+}
+export type CredentialVerifyResult = CredentialVerifySuccess | CredentialVerifyFailure;

package/dist/contracts/IdentityContract.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/contracts/SessionContract.d.ts

@@ -0,0 +1,25 @@
+import type { AuthScopeRef } from './ContextContract';
+export type AssuranceLevel = 'basic' | 'elevated';
+export interface SessionRef {
+    sessionId: string;
+    identityId: string;
+    activeScopeRef?: AuthScopeRef;
+    assuranceLevel: AssuranceLevel;
+    issuedAt: string;
+    expiresAt: string;
+}
+export interface CreateSessionRequest {
+    identityId: string;
+    assignmentId?: string;
+    assuranceLevel?: AssuranceLevel;
+    ttlSeconds?: number;
+}
+export interface RefreshSessionRequest {
+    sessionId: string;
+    ttlSeconds?: number;
+}
+export interface RevokeSessionRequest {
+    sessionId: string;
+    reasonCode?: string;
+}
+export declare function isAssuranceLevelAtLeast(current: AssuranceLevel, required: AssuranceLevel): boolean;

package/dist/contracts/SessionContract.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isAssuranceLevelAtLeast = isAssuranceLevelAtLeast;
+function isAssuranceLevelAtLeast(current, required) {
+    const rank = {
+        basic: 1,
+        elevated: 2,
+    };
+    return rank[current] >= rank[required];
+}

package/dist/data/applyPendingMigrations.d.ts

@@ -0,0 +1,2 @@
+import type { DbAdapter, LoggerAdapter } from 'ofcore';
+export declare function applyPendingMigrations(adapter: DbAdapter, logger?: LoggerAdapter): Promise<void>;

package/dist/data/applyPendingMigrations.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.applyPendingMigrations = applyPendingMigrations;
+const migrations_1 = require("./migrations");
+const noopLogger = {
+    logInfo() { },
+    logWarn() { },
+    logError() { },
+};
+async function applyPendingMigrations(adapter, logger = noopLogger) {
+    logger.logInfo('[ofauth] starting database migration process');
+    const sorted = [...migrations_1.migrations].sort((a, b) => a.toVersion - b.toVersion);
+    const targetVersion = sorted.length > 0 ? sorted[sorted.length - 1].toVersion : 0;
+    let currentVersion = await adapter.getSchemaVersion();
+    if (currentVersion == null || currentVersion < 0)
+        currentVersion = 0;
+    if (currentVersion >= targetVersion) {
+        logger.logInfo(`[ofauth] database already up-to-date at v${currentVersion}`);
+        return;
+    }
+    for (const migration of sorted) {
+        if (migration.toVersion > currentVersion) {
+            logger.logInfo(`[ofauth] applying migration v${migration.toVersion}`);
+            await migration.up(adapter);
+            await adapter.setSchemaVersion(migration.toVersion);
+            currentVersion = migration.toVersion;
+        }
+    }
+    logger.logInfo(`[ofauth] migration completed at v${currentVersion}`);
+}

package/dist/data/migrations.d.ts

@@ -0,0 +1,2 @@
+import type { Migration } from 'ofcore';
+export declare const migrations: Migration[];

package/dist/data/migrations.js

@@ -0,0 +1,47 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.migrations = void 0;
+const schemas_1 = require("./schemas");
+exports.migrations = [
+    {
+        toVersion: 1,
+        up: async (adapter) => {
+            const tables = (0, schemas_1.getOfauthTableSchemas)();
+            for (const table of tables) {
+                try {
+                    await adapter.addTable(table);
+                }
+                catch {
+                    // keep migration idempotent for adapters that throw when table exists
+                }
+            }
+        },
+    },
+    {
+        toVersion: 2,
+        up: async (adapter) => {
+            try {
+                await adapter.addColumn(schemas_1.OFAUTH_TABLES.auditEvents, {
+                    name: 'syncStatus',
+                    type: 'string',
+                    enum: ['pending', 'replayed'],
+                    isIndexed: true,
+                });
+            }
+            catch {
+                // keep migration idempotent
+            }
+            try {
+                await adapter.addColumn(schemas_1.OFAUTH_TABLES.auditEvents, {
+                    name: 'replayedAt',
+                    type: 'string',
+                    isOptional: true,
+                    isIndexed: true,
+                });
+            }
+            catch {
+                // keep migration idempotent
+            }
+        },
+    },
+];

package/dist/data/schemas.d.ts

@@ -0,0 +1,11 @@
+import type { DbSchema, TableSchema } from 'ofcore';
+export declare const OFAUTH_TABLES: {
+    readonly identities: "ofauth_identities";
+    readonly assignments: "ofauth_assignments";
+    readonly sessions: "ofauth_sessions";
+    readonly policyProfiles: "ofauth_policy_profiles";
+    readonly policyStepups: "ofauth_policy_stepups";
+    readonly auditEvents: "ofauth_audit_events";
+};
+export declare const ofauthSchema: DbSchema;
+export declare function getOfauthTableSchemas(): TableSchema[];