ofauth-shared-core 0.1.0-alpha.0 → 0.1.0-alpha.1

package/dist/services/impl/DbAdapterIdentityService.js

@@ -1,146 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.DbAdapterIdentityService = void 0;
-const schemas_1 = require("../../data/schemas");
-const errors_1 = require("../errors");
-const runtimeSupport_1 = require("./runtimeSupport");
-class DbAdapterIdentityService {
-    constructor(db, options, sessionService, contextService, authAuditService) {
-        this.db = db;
-        this.options = options;
-        this.sessionService = sessionService;
-        this.contextService = contextService;
-        this.authAuditService = authAuditService;
-        this.newEventId = (0, runtimeSupport_1.makeIdFactory)('auth-event');
-    }
-    async findIdentityByPrincipal(principal) {
-        const rows = await this.db.query(schemas_1.OFAUTH_TABLES.identities, {
-            filters: { principal, deleted: false },
-            limit: 1,
-        });
-        return rows[0] ?? null;
-    }
-    async persistFailedAttempt(identity) {
-        const failedAttempts = identity.failedAttempts + 1;
-        const lockoutTriggered = failedAttempts >= runtimeSupport_1.DEFAULT_LOCKOUT_THRESHOLD;
-        const lockoutUntil = lockoutTriggered ? (0, runtimeSupport_1.plusSecondsIso)((0, runtimeSupport_1.nowIso)(), runtimeSupport_1.DEFAULT_LOCKOUT_COOLDOWN_SECONDS) : null;
-        const status = lockoutTriggered ? 'locked' : identity.status;
-        return this.db.update(schemas_1.OFAUTH_TABLES.identities, identity.id, {
-            failedAttempts,
-            lockoutUntil,
-            status,
-            version: identity.version + 1,
-            lastModified: (0, runtimeSupport_1.nowIso)(),
-        });
-    }
-    async clearFailedAttempt(identity) {
-        if (identity.failedAttempts === 0 && !identity.lockoutUntil && identity.status === 'active')
-            return;
-        await this.db.update(schemas_1.OFAUTH_TABLES.identities, identity.id, {
-            failedAttempts: 0,
-            lockoutUntil: null,
-            status: 'active',
-            version: identity.version + 1,
-            lastModified: (0, runtimeSupport_1.nowIso)(),
-        });
-    }
-    async emitAudit(event) {
-        await this.authAuditService.appendEvent(event);
-    }
-    async verifyCredential(input) {
-        const identity = await this.findIdentityByPrincipal(input.principal);
-        if (!identity) {
-            await this.emitAudit({
-                eventId: this.newEventId(),
-                eventType: 'LOGIN_FAILED',
-                result: 'failed',
-                reasonCode: 'INVALID_CREDENTIAL',
-                timestamp: (0, runtimeSupport_1.nowIso)(),
-            });
-            return { ok: false, reasonCode: 'INVALID_CREDENTIAL', retryable: true };
-        }
-        if (identity.status === 'disabled') {
-            await this.emitAudit({
-                eventId: this.newEventId(),
-                eventType: 'LOGIN_FAILED',
-                identityId: identity.id,
-                result: 'failed',
-                reasonCode: 'IDENTITY_DISABLED',
-                timestamp: (0, runtimeSupport_1.nowIso)(),
-            });
-            return { ok: false, reasonCode: 'IDENTITY_DISABLED', retryable: false };
-        }
-        if (identity.lockoutUntil && !(0, runtimeSupport_1.isPast)(identity.lockoutUntil)) {
-            await this.emitAudit({
-                eventId: this.newEventId(),
-                eventType: 'LOCKOUT_TRIGGERED',
-                identityId: identity.id,
-                result: 'failed',
-                reasonCode: 'IDENTITY_LOCKED',
-                timestamp: (0, runtimeSupport_1.nowIso)(),
-            });
-            return { ok: false, reasonCode: 'IDENTITY_LOCKED', retryable: false };
-        }
-        const verified = await (0, runtimeSupport_1.verifySecret)(this.options.platformAdapter, input.secret, identity.secretHash);
-        if (!verified) {
-            const afterFail = await this.persistFailedAttempt(identity);
-            const reasonCode = afterFail.status === 'locked' ? 'IDENTITY_LOCKED' : 'INVALID_CREDENTIAL';
-            await this.emitAudit({
-                eventId: this.newEventId(),
-                eventType: reasonCode === 'IDENTITY_LOCKED' ? 'LOCKOUT_TRIGGERED' : 'LOGIN_FAILED',
-                identityId: identity.id,
-                result: 'failed',
-                reasonCode,
-                timestamp: (0, runtimeSupport_1.nowIso)(),
-            });
-            return { ok: false, reasonCode, retryable: reasonCode === 'INVALID_CREDENTIAL' };
-        }
-        await this.clearFailedAttempt(identity);
-        const assignments = await this.contextService.listAssignments(identity.id);
-        await this.emitAudit({
-            eventId: this.newEventId(),
-            eventType: 'LOGIN_SUCCESS',
-            identityId: identity.id,
-            scopeRef: input.scopeRef,
-            result: 'success',
-            timestamp: (0, runtimeSupport_1.nowIso)(),
-        });
-        return {
-            ok: true,
-            identity: (0, runtimeSupport_1.toIdentityRef)(identity),
-            assignments,
-        };
-    }
-    async login(input) {
-        const verified = await this.verifyCredential({
-            principal: input.principal,
-            secret: input.secret,
-            verifyMethod: input.verifyMethod,
-        });
-        if (!verified.ok) {
-            throw (0, errors_1.unauthorized)('AUTH_INVALID_CREDENTIAL', `Authentication failed: ${verified.reasonCode}`);
-        }
-        const defaultAssignment = [...verified.assignments].sort((a, b) => a.assignmentId.localeCompare(b.assignmentId))[0];
-        const session = await this.sessionService.createSession({
-            identityId: verified.identity.identityId,
-            assignmentId: defaultAssignment?.assignmentId,
-            assuranceLevel: 'basic',
-        });
-        return {
-            identity: verified.identity,
-            sessionId: session.sessionId,
-        };
-    }
-    async logout(sessionId) {
-        await this.sessionService.revokeSession({ sessionId, reasonCode: 'LOGOUT' });
-        await this.emitAudit({
-            eventId: this.newEventId(),
-            eventType: 'SESSION_REVOKED',
-            sessionId,
-            result: 'success',
-            reasonCode: 'LOGOUT',
-            timestamp: (0, runtimeSupport_1.nowIso)(),
-        });
-    }
-}
-exports.DbAdapterIdentityService = DbAdapterIdentityService;

package/dist/services/impl/DbAdapterSessionService.js

@@ -1,63 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.DbAdapterSessionService = void 0;
-const schemas_1 = require("../../data/schemas");
-const errors_1 = require("../errors");
-const runtimeSupport_1 = require("./runtimeSupport");
-class DbAdapterSessionService {
-    constructor(db, options) {
-        this.db = db;
-        this.options = options;
-        this.newId = (0, runtimeSupport_1.makeIdFactory)('auth-session');
-    }
-    async createSession(input) {
-        const issuedAt = (0, runtimeSupport_1.nowIso)();
-        const expiresAt = (0, runtimeSupport_1.plusSecondsIso)(issuedAt, input.ttlSeconds ?? runtimeSupport_1.DEFAULT_SESSION_TTL_SECONDS);
-        const created = await this.db.create(schemas_1.OFAUTH_TABLES.sessions, {
-            id: this.newId(),
-            identityId: input.identityId,
-            activeAssignmentId: input.assignmentId ?? null,
-            assuranceLevel: input.assuranceLevel ?? 'basic',
-            issuedAt,
-            expiresAt,
-            revokedAt: null,
-            version: 1,
-            lastModified: issuedAt,
-            deleted: false,
-        });
-        const assignment = await (0, runtimeSupport_1.getAssignmentById)(this.db, created.activeAssignmentId);
-        this.options.logger?.logInfo('[ofauth] session created', { sessionId: created.id, identityId: created.identityId });
-        return (0, runtimeSupport_1.toSessionRef)(created, assignment);
-    }
-    async refreshSession(input) {
-        const current = await this.db.get(schemas_1.OFAUTH_TABLES.sessions, input.sessionId);
-        if (!current || current.deleted || current.revokedAt)
-            throw (0, errors_1.unauthorized)('AUTH_SESSION_NOT_FOUND', 'Session not found');
-        const refreshed = await this.db.update(schemas_1.OFAUTH_TABLES.sessions, input.sessionId, {
-            expiresAt: (0, runtimeSupport_1.plusSecondsIso)((0, runtimeSupport_1.nowIso)(), input.ttlSeconds ?? runtimeSupport_1.DEFAULT_SESSION_TTL_SECONDS),
-            version: current.version + 1,
-            lastModified: (0, runtimeSupport_1.nowIso)(),
-        });
-        const assignment = await (0, runtimeSupport_1.getAssignmentById)(this.db, refreshed.activeAssignmentId);
-        return (0, runtimeSupport_1.toSessionRef)(refreshed, assignment);
-    }
-    async revokeSession(input) {
-        const current = await this.db.get(schemas_1.OFAUTH_TABLES.sessions, input.sessionId);
-        if (!current || current.deleted || current.revokedAt)
-            return;
-        await this.db.update(schemas_1.OFAUTH_TABLES.sessions, input.sessionId, {
-            revokedAt: (0, runtimeSupport_1.nowIso)(),
-            version: current.version + 1,
-            lastModified: (0, runtimeSupport_1.nowIso)(),
-        });
-        this.options.logger?.logInfo('[ofauth] session revoked', { sessionId: input.sessionId, reasonCode: input.reasonCode ?? null });
-    }
-    async getActiveSession(sessionId) {
-        const row = await this.db.get(schemas_1.OFAUTH_TABLES.sessions, sessionId);
-        if (!row || row.deleted || row.revokedAt || (0, runtimeSupport_1.isPast)(row.expiresAt))
-            return null;
-        const assignment = await (0, runtimeSupport_1.getAssignmentById)(this.db, row.activeAssignmentId);
-        return (0, runtimeSupport_1.toSessionRef)(row, assignment);
-    }
-}
-exports.DbAdapterSessionService = DbAdapterSessionService;

package/dist/services/impl/runtimeSupport.js

@@ -1,112 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.DEFAULT_SESSION_TTL_SECONDS = exports.DEFAULT_LOCKOUT_COOLDOWN_SECONDS = exports.DEFAULT_LOCKOUT_THRESHOLD = void 0;
-exports.nowIso = nowIso;
-exports.plusSecondsIso = plusSecondsIso;
-exports.isPast = isPast;
-exports.makeIdFactory = makeIdFactory;
-exports.toIdentityRef = toIdentityRef;
-exports.toAssignment = toAssignment;
-exports.toSessionRef = toSessionRef;
-exports.verifySecret = verifySecret;
-exports.emitAuthActivity = emitAuthActivity;
-exports.getAssignmentById = getAssignmentById;
-exports.fallbackPolicyProfiles = fallbackPolicyProfiles;
-const schemas_1 = require("../../data/schemas");
-exports.DEFAULT_LOCKOUT_THRESHOLD = 5;
-exports.DEFAULT_LOCKOUT_COOLDOWN_SECONDS = 15 * 60;
-exports.DEFAULT_SESSION_TTL_SECONDS = 8 * 60 * 60;
-function nowIso() {
-    return new Date().toISOString();
-}
-function plusSecondsIso(baseIso, seconds) {
-    return new Date(new Date(baseIso).getTime() + seconds * 1000).toISOString();
-}
-function isPast(iso) {
-    return new Date(iso).getTime() <= Date.now();
-}
-function makeIdFactory(prefix) {
-    let counter = 0;
-    return () => {
-        counter += 1;
-        return `${prefix}-${Date.now()}-${counter}`;
-    };
-}
-function toIdentityRef(row) {
-    return {
-        identityId: row.id,
-        principal: row.principal,
-        status: row.status,
-    };
-}
-function toAssignment(row) {
-    return {
-        assignmentId: row.id,
-        identityId: row.identityId,
-        roleRef: row.roleRef,
-        scopeRef: {
-            ...(row.tenantId ? { tenantId: row.tenantId } : {}),
-            ...(row.branchId ? { branchId: row.branchId } : {}),
-            ...(row.scopeAttributes ? { attributes: row.scopeAttributes } : {}),
-        },
-    };
-}
-function toSessionRef(row, assignment) {
-    return {
-        sessionId: row.id,
-        identityId: row.identityId,
-        activeScopeRef: assignment
-            ? {
-                ...(assignment.tenantId ? { tenantId: assignment.tenantId } : {}),
-                ...(assignment.branchId ? { branchId: assignment.branchId } : {}),
-                ...(assignment.scopeAttributes ? { attributes: assignment.scopeAttributes } : {}),
-            }
-            : undefined,
-        assuranceLevel: row.assuranceLevel,
-        issuedAt: row.issuedAt,
-        expiresAt: row.expiresAt,
-    };
-}
-async function verifySecret(platformAdapter, plainSecret, secretHash) {
-    if (platformAdapter) {
-        return platformAdapter.verifyPin(plainSecret, secretHash);
-    }
-    return plainSecret === secretHash;
-}
-async function emitAuthActivity(options, event) {
-    if (!options.emitActivity)
-        return;
-    await options.emitActivity({
-        activityId: event.eventId,
-        activityType: `ofauth.${event.eventType.toLowerCase()}`,
-        occurredAt: event.timestamp,
-        scopeRef: {
-            domain: 'ofauth',
-            ...(event.scopeRef?.tenantId ? { tenantId: event.scopeRef.tenantId } : {}),
-            ...(event.scopeRef?.branchId ? { branchId: event.scopeRef.branchId } : {}),
-        },
-        actor: event.identityId ? { userId: event.identityId } : undefined,
-        payload: {
-            eventType: event.eventType,
-            result: event.result,
-            reasonCode: event.reasonCode ?? null,
-            sessionId: event.sessionId ?? null,
-            scopeAttributes: event.scopeRef?.attributes ?? null,
-        },
-    });
-}
-async function getAssignmentById(db, id) {
-    if (!id)
-        return null;
-    const row = await db.get(schemas_1.OFAUTH_TABLES.assignments, id);
-    if (!row || row.deleted)
-        return null;
-    return row;
-}
-function fallbackPolicyProfiles() {
-    return [
-        { profileId: 'cashier_fast', defaultAssuranceLevel: 'basic', lockoutPolicyRef: 'default' },
-        { profileId: 'supervisor_strict', defaultAssuranceLevel: 'elevated', lockoutPolicyRef: 'strict' },
-        { profileId: 'member_self_service', defaultAssuranceLevel: 'basic', lockoutPolicyRef: 'member' },
-    ];
-}