ofauth-shared-core 0.1.0-alpha.0

package/dist/services/impl/DbAdapterAuthAuditService.js

@@ -0,0 +1,107 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DbAdapterAuthAuditService = void 0;
+const schemas_1 = require("../../data/schemas");
+const runtimeSupport_1 = require("./runtimeSupport");
+class DbAdapterAuthAuditService {
+    constructor(db, options) {
+        this.db = db;
+        this.options = options;
+        this.newId = (0, runtimeSupport_1.makeIdFactory)('auth-audit');
+    }
+    async appendEvent(event) {
+        const row = {
+            id: event.eventId || this.newId(),
+            eventType: event.eventType,
+            identityId: event.identityId ?? null,
+            sessionId: event.sessionId ?? null,
+            tenantId: event.scopeRef?.tenantId ?? null,
+            branchId: event.scopeRef?.branchId ?? null,
+            scopeAttributes: event.scopeRef?.attributes ?? null,
+            result: event.result,
+            reasonCode: event.reasonCode ?? null,
+            timestamp: event.timestamp,
+            syncStatus: event.syncStatus ?? 'pending',
+            replayedAt: event.replayedAt ?? null,
+            version: 1,
+            lastModified: (0, runtimeSupport_1.nowIso)(),
+            deleted: false,
+        };
+        await this.db.create(schemas_1.OFAUTH_TABLES.auditEvents, row);
+        await (0, runtimeSupport_1.emitAuthActivity)(this.options, event);
+    }
+    async queryEvents(query) {
+        const rows = await this.db.query(schemas_1.OFAUTH_TABLES.auditEvents, {
+            filters: { deleted: false },
+            sort: [{ field: 'timestamp', direction: 'desc' }],
+        });
+        return rows
+            .filter((row) => (query.identityId ? row.identityId === query.identityId : true))
+            .filter((row) => (query.sessionId ? row.sessionId === query.sessionId : true))
+            .filter((row) => (query.eventTypes?.length ? query.eventTypes.includes(row.eventType) : true))
+            .filter((row) => (query.fromTimestamp ? row.timestamp >= query.fromTimestamp : true))
+            .filter((row) => (query.toTimestamp ? row.timestamp <= query.toTimestamp : true))
+            .map((row) => ({
+            eventId: row.id,
+            eventType: row.eventType,
+            identityId: row.identityId ?? undefined,
+            sessionId: row.sessionId ?? undefined,
+            scopeRef: row.tenantId || row.branchId || row.scopeAttributes
+                ? {
+                    ...(row.tenantId ? { tenantId: row.tenantId } : {}),
+                    ...(row.branchId ? { branchId: row.branchId } : {}),
+                    ...(row.scopeAttributes ? { attributes: row.scopeAttributes } : {}),
+                }
+                : undefined,
+            result: row.result,
+            reasonCode: row.reasonCode ?? undefined,
+            timestamp: row.timestamp,
+            syncStatus: row.syncStatus ?? 'pending',
+            replayedAt: row.replayedAt ?? undefined,
+        }));
+    }
+    async listPendingReplay(query = {}) {
+        const rows = await this.db.query(schemas_1.OFAUTH_TABLES.auditEvents, {
+            filters: { deleted: false },
+            sort: [{ field: 'timestamp', direction: 'asc' }],
+        });
+        return rows
+            .filter((row) => row.syncStatus !== 'replayed')
+            .slice(0, query.limit ?? rows.length)
+            .map((row) => ({
+            eventId: row.id,
+            eventType: row.eventType,
+            identityId: row.identityId ?? undefined,
+            sessionId: row.sessionId ?? undefined,
+            scopeRef: row.tenantId || row.branchId || row.scopeAttributes
+                ? {
+                    ...(row.tenantId ? { tenantId: row.tenantId } : {}),
+                    ...(row.branchId ? { branchId: row.branchId } : {}),
+                    ...(row.scopeAttributes ? { attributes: row.scopeAttributes } : {}),
+                }
+                : undefined,
+            result: row.result,
+            reasonCode: row.reasonCode ?? undefined,
+            timestamp: row.timestamp,
+            syncStatus: row.syncStatus ?? 'pending',
+            replayedAt: row.replayedAt ?? undefined,
+        }));
+    }
+    async markReplayed(eventIds, replayedAt = (0, runtimeSupport_1.nowIso)()) {
+        let updatedCount = 0;
+        for (const eventId of eventIds) {
+            const row = await this.db.get(schemas_1.OFAUTH_TABLES.auditEvents, eventId);
+            if (!row || row.deleted || row.syncStatus === 'replayed')
+                continue;
+            await this.db.update(schemas_1.OFAUTH_TABLES.auditEvents, eventId, {
+                syncStatus: 'replayed',
+                replayedAt,
+                version: row.version + 1,
+                lastModified: (0, runtimeSupport_1.nowIso)(),
+            });
+            updatedCount += 1;
+        }
+        return updatedCount;
+    }
+}
+exports.DbAdapterAuthAuditService = DbAdapterAuthAuditService;

package/dist/services/impl/DbAdapterAuthPolicyService.d.ts

@@ -0,0 +1,17 @@
+import type { DbAdapter } from 'ofcore';
+import type { AuthPolicySnapshot, StepUpEvaluation, StepUpRequirement } from '../../contracts/AuthPolicyContract';
+import type { SessionRef } from '../../contracts/SessionContract';
+import type { AuthAuditService } from '../AuthAuditService';
+import type { AuthPolicyService } from '../AuthPolicyService';
+export declare class DbAdapterAuthPolicyService implements AuthPolicyService {
+    private readonly db;
+    private readonly authAuditService;
+    private readonly newEventId;
+    constructor(db: DbAdapter, authAuditService: AuthAuditService);
+    private getActiveSessionOrThrow;
+    getPolicySnapshot(): Promise<AuthPolicySnapshot>;
+    getStepUpRequirement(actionRef: string): Promise<StepUpRequirement | null>;
+    evaluateStepUp(sessionId: string, actionRef: string): Promise<StepUpEvaluation>;
+    enforceStepUp(sessionId: string, actionRef: string): Promise<void>;
+    markStepUpPassed(sessionId: string, actionRef: string): Promise<SessionRef>;
+}

package/dist/services/impl/DbAdapterAuthPolicyService.js

@@ -0,0 +1,114 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DbAdapterAuthPolicyService = void 0;
+const SessionContract_1 = require("../../contracts/SessionContract");
+const schemas_1 = require("../../data/schemas");
+const errors_1 = require("../errors");
+const runtimeSupport_1 = require("./runtimeSupport");
+class DbAdapterAuthPolicyService {
+    constructor(db, authAuditService) {
+        this.db = db;
+        this.authAuditService = authAuditService;
+        this.newEventId = (0, runtimeSupport_1.makeIdFactory)('auth-event');
+    }
+    async getActiveSessionOrThrow(sessionId) {
+        const row = await this.db.get(schemas_1.OFAUTH_TABLES.sessions, sessionId);
+        if (!row || row.deleted || row.revokedAt || (0, runtimeSupport_1.isPast)(row.expiresAt)) {
+            throw (0, errors_1.unauthorized)('AUTH_SESSION_NOT_FOUND', 'Session not found');
+        }
+        return row;
+    }
+    async getPolicySnapshot() {
+        const profiles = await this.db.query(schemas_1.OFAUTH_TABLES.policyProfiles, {
+            filters: { deleted: false },
+            sort: [{ field: 'lastModified', direction: 'desc' }],
+        });
+        const stepups = await this.db.query(schemas_1.OFAUTH_TABLES.policyStepups, {
+            filters: { deleted: false },
+            sort: [{ field: 'lastModified', direction: 'desc' }],
+        });
+        return {
+            profiles: profiles.length > 0
+                ? profiles.map((p) => ({
+                    profileId: p.profileId,
+                    defaultAssuranceLevel: p.defaultAssuranceLevel,
+                    lockoutPolicyRef: p.lockoutPolicyRef,
+                }))
+                : (0, runtimeSupport_1.fallbackPolicyProfiles)(),
+            stepUpRequirements: stepups.map((s) => ({
+                actionRef: s.actionRef,
+                requiredAssuranceLevel: s.requiredAssuranceLevel,
+                reauthWindowSeconds: s.reauthWindowSeconds ?? undefined,
+            })),
+            version: '1',
+            updatedAt: (0, runtimeSupport_1.nowIso)(),
+        };
+    }
+    async getStepUpRequirement(actionRef) {
+        const row = await this.db.query(schemas_1.OFAUTH_TABLES.policyStepups, {
+            filters: { actionRef, deleted: false },
+            limit: 1,
+        });
+        if (!row[0])
+            return null;
+        return {
+            actionRef: row[0].actionRef,
+            requiredAssuranceLevel: row[0].requiredAssuranceLevel,
+            reauthWindowSeconds: row[0].reauthWindowSeconds ?? undefined,
+        };
+    }
+    async evaluateStepUp(sessionId, actionRef) {
+        const session = await this.getActiveSessionOrThrow(sessionId);
+        const requirement = await this.getStepUpRequirement(actionRef);
+        const requiredAssuranceLevel = requirement?.requiredAssuranceLevel ?? 'basic';
+        const requiresStepUp = !(0, SessionContract_1.isAssuranceLevelAtLeast)(session.assuranceLevel, requiredAssuranceLevel);
+        return {
+            actionRef,
+            requiredAssuranceLevel,
+            currentAssuranceLevel: session.assuranceLevel,
+            requiresStepUp,
+            reauthWindowSeconds: requirement?.reauthWindowSeconds,
+        };
+    }
+    async enforceStepUp(sessionId, actionRef) {
+        const session = await this.getActiveSessionOrThrow(sessionId);
+        const evalResult = await this.evaluateStepUp(sessionId, actionRef);
+        if (!evalResult.requiresStepUp)
+            return;
+        await this.authAuditService.appendEvent({
+            eventId: this.newEventId(),
+            eventType: 'STEP_UP_CHALLENGED',
+            identityId: session.identityId,
+            sessionId,
+            result: 'failed',
+            reasonCode: 'AUTH_STEP_UP_REQUIRED',
+            timestamp: (0, runtimeSupport_1.nowIso)(),
+        });
+        throw (0, errors_1.unauthorized)('AUTH_STEP_UP_REQUIRED', `Step-up required for action '${actionRef}' (needs ${evalResult.requiredAssuranceLevel})`);
+    }
+    async markStepUpPassed(sessionId, actionRef) {
+        const session = await this.getActiveSessionOrThrow(sessionId);
+        const requirement = await this.getStepUpRequirement(actionRef);
+        const targetAssurance = requirement?.requiredAssuranceLevel ?? 'elevated';
+        await this.db.update(schemas_1.OFAUTH_TABLES.sessions, sessionId, {
+            assuranceLevel: targetAssurance,
+            version: session.version + 1,
+            lastModified: (0, runtimeSupport_1.nowIso)(),
+        });
+        await this.authAuditService.appendEvent({
+            eventId: this.newEventId(),
+            eventType: 'STEP_UP_PASSED',
+            identityId: session.identityId,
+            sessionId,
+            result: 'success',
+            reasonCode: actionRef,
+            timestamp: (0, runtimeSupport_1.nowIso)(),
+        });
+        const active = await this.db.get(schemas_1.OFAUTH_TABLES.sessions, sessionId);
+        const assignment = active ? await (0, runtimeSupport_1.getAssignmentById)(this.db, active.activeAssignmentId) : null;
+        if (!active)
+            throw (0, errors_1.unauthorized)('AUTH_SESSION_NOT_FOUND', 'Session not found');
+        return (0, runtimeSupport_1.toSessionRef)(active, assignment ?? undefined);
+    }
+}
+exports.DbAdapterAuthPolicyService = DbAdapterAuthPolicyService;

package/dist/services/impl/DbAdapterContextService.d.ts

@@ -0,0 +1,13 @@
+import type { DbAdapter } from 'ofcore';
+import type { ActiveContext, ContextAssignment, ContextSwitchRequest, ContextSwitchResult } from '../../contracts/ContextContract';
+import type { AuthAuditService } from '../AuthAuditService';
+import type { ContextService } from '../ContextService';
+export declare class DbAdapterContextService implements ContextService {
+    private readonly db;
+    private readonly authAuditService;
+    private readonly newEventId;
+    constructor(db: DbAdapter, authAuditService: AuthAuditService);
+    listAssignments(identityId: string): Promise<ContextAssignment[]>;
+    getActiveContext(sessionId: string): Promise<ActiveContext | null>;
+    switchContext(input: ContextSwitchRequest): Promise<ContextSwitchResult>;
+}

package/dist/services/impl/DbAdapterContextService.js

@@ -0,0 +1,79 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DbAdapterContextService = void 0;
+const schemas_1 = require("../../data/schemas");
+const errors_1 = require("../errors");
+const runtimeSupport_1 = require("./runtimeSupport");
+class DbAdapterContextService {
+    constructor(db, authAuditService) {
+        this.db = db;
+        this.authAuditService = authAuditService;
+        this.newEventId = (0, runtimeSupport_1.makeIdFactory)('auth-event');
+    }
+    async listAssignments(identityId) {
+        const rows = await this.db.query(schemas_1.OFAUTH_TABLES.assignments, {
+            filters: { identityId, deleted: false },
+            sort: [{ field: 'lastModified', direction: 'desc' }],
+        });
+        return rows.map(runtimeSupport_1.toAssignment);
+    }
+    async getActiveContext(sessionId) {
+        const session = await this.db.get(schemas_1.OFAUTH_TABLES.sessions, sessionId);
+        if (!session || session.deleted || session.revokedAt || !session.activeAssignmentId)
+            return null;
+        const assignment = await (0, runtimeSupport_1.getAssignmentById)(this.db, session.activeAssignmentId);
+        if (!assignment)
+            return null;
+        return {
+            sessionId,
+            assignmentId: assignment.id,
+            scopeRef: {
+                ...(assignment.tenantId ? { tenantId: assignment.tenantId } : {}),
+                ...(assignment.branchId ? { branchId: assignment.branchId } : {}),
+                ...(assignment.scopeAttributes ? { attributes: assignment.scopeAttributes } : {}),
+            },
+        };
+    }
+    async switchContext(input) {
+        const session = await this.db.get(schemas_1.OFAUTH_TABLES.sessions, input.sessionId);
+        if (!session || session.deleted || session.revokedAt)
+            throw (0, errors_1.unauthorized)('AUTH_SESSION_NOT_FOUND', 'Session not found');
+        const target = await (0, runtimeSupport_1.getAssignmentById)(this.db, input.targetAssignmentId);
+        if (!target || target.identityId !== session.identityId) {
+            throw (0, errors_1.unauthorized)('AUTH_CONTEXT_FORBIDDEN', 'Requested context is not assigned to this identity');
+        }
+        const updatedSession = await this.db.update(schemas_1.OFAUTH_TABLES.sessions, input.sessionId, {
+            activeAssignmentId: target.id,
+            version: session.version + 1,
+            lastModified: (0, runtimeSupport_1.nowIso)(),
+        });
+        await this.authAuditService.appendEvent({
+            eventId: this.newEventId(),
+            eventType: 'CONTEXT_SWITCHED',
+            identityId: session.identityId,
+            sessionId: input.sessionId,
+            scopeRef: {
+                ...(target.tenantId ? { tenantId: target.tenantId } : {}),
+                ...(target.branchId ? { branchId: target.branchId } : {}),
+                ...(target.scopeAttributes ? { attributes: target.scopeAttributes } : {}),
+            },
+            result: 'success',
+            reasonCode: input.reasonCode,
+            timestamp: updatedSession.lastModified,
+        });
+        return {
+            activeContext: {
+                sessionId: input.sessionId,
+                assignmentId: target.id,
+                scopeRef: {
+                    ...(target.tenantId ? { tenantId: target.tenantId } : {}),
+                    ...(target.branchId ? { branchId: target.branchId } : {}),
+                    ...(target.scopeAttributes ? { attributes: target.scopeAttributes } : {}),
+                },
+            },
+            requiresStepUp: false,
+            reasonCode: input.reasonCode,
+        };
+    }
+}
+exports.DbAdapterContextService = DbAdapterContextService;

package/dist/services/impl/DbAdapterIdentityService.d.ts

@@ -0,0 +1,23 @@
+import type { DbAdapter } from 'ofcore';
+import type { CredentialVerifyRequest, CredentialVerifyResult } from '../../contracts/IdentityContract';
+import type { AuthAuditService } from '../AuthAuditService';
+import type { ContextService } from '../ContextService';
+import type { IdentityService, LoginRequest, LoginResult } from '../IdentityService';
+import type { SessionService } from '../SessionService';
+import type { ServiceRuntimeOptions } from './runtimeSupport';
+export declare class DbAdapterIdentityService implements IdentityService {
+    private readonly db;
+    private readonly options;
+    private readonly sessionService;
+    private readonly contextService;
+    private readonly authAuditService;
+    private readonly newEventId;
+    constructor(db: DbAdapter, options: ServiceRuntimeOptions, sessionService: SessionService, contextService: ContextService, authAuditService: AuthAuditService);
+    private findIdentityByPrincipal;
+    private persistFailedAttempt;
+    private clearFailedAttempt;
+    private emitAudit;
+    verifyCredential(input: CredentialVerifyRequest): Promise<CredentialVerifyResult>;
+    login(input: LoginRequest): Promise<LoginResult>;
+    logout(sessionId: string): Promise<void>;
+}

package/dist/services/impl/DbAdapterIdentityService.js

@@ -0,0 +1,146 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DbAdapterIdentityService = void 0;
+const schemas_1 = require("../../data/schemas");
+const errors_1 = require("../errors");
+const runtimeSupport_1 = require("./runtimeSupport");
+class DbAdapterIdentityService {
+    constructor(db, options, sessionService, contextService, authAuditService) {
+        this.db = db;
+        this.options = options;
+        this.sessionService = sessionService;
+        this.contextService = contextService;
+        this.authAuditService = authAuditService;
+        this.newEventId = (0, runtimeSupport_1.makeIdFactory)('auth-event');
+    }
+    async findIdentityByPrincipal(principal) {
+        const rows = await this.db.query(schemas_1.OFAUTH_TABLES.identities, {
+            filters: { principal, deleted: false },
+            limit: 1,
+        });
+        return rows[0] ?? null;
+    }
+    async persistFailedAttempt(identity) {
+        const failedAttempts = identity.failedAttempts + 1;
+        const lockoutTriggered = failedAttempts >= runtimeSupport_1.DEFAULT_LOCKOUT_THRESHOLD;
+        const lockoutUntil = lockoutTriggered ? (0, runtimeSupport_1.plusSecondsIso)((0, runtimeSupport_1.nowIso)(), runtimeSupport_1.DEFAULT_LOCKOUT_COOLDOWN_SECONDS) : null;
+        const status = lockoutTriggered ? 'locked' : identity.status;
+        return this.db.update(schemas_1.OFAUTH_TABLES.identities, identity.id, {
+            failedAttempts,
+            lockoutUntil,
+            status,
+            version: identity.version + 1,
+            lastModified: (0, runtimeSupport_1.nowIso)(),
+        });
+    }
+    async clearFailedAttempt(identity) {
+        if (identity.failedAttempts === 0 && !identity.lockoutUntil && identity.status === 'active')
+            return;
+        await this.db.update(schemas_1.OFAUTH_TABLES.identities, identity.id, {
+            failedAttempts: 0,
+            lockoutUntil: null,
+            status: 'active',
+            version: identity.version + 1,
+            lastModified: (0, runtimeSupport_1.nowIso)(),
+        });
+    }
+    async emitAudit(event) {
+        await this.authAuditService.appendEvent(event);
+    }
+    async verifyCredential(input) {
+        const identity = await this.findIdentityByPrincipal(input.principal);
+        if (!identity) {
+            await this.emitAudit({
+                eventId: this.newEventId(),
+                eventType: 'LOGIN_FAILED',
+                result: 'failed',
+                reasonCode: 'INVALID_CREDENTIAL',
+                timestamp: (0, runtimeSupport_1.nowIso)(),
+            });
+            return { ok: false, reasonCode: 'INVALID_CREDENTIAL', retryable: true };
+        }
+        if (identity.status === 'disabled') {
+            await this.emitAudit({
+                eventId: this.newEventId(),
+                eventType: 'LOGIN_FAILED',
+                identityId: identity.id,
+                result: 'failed',
+                reasonCode: 'IDENTITY_DISABLED',
+                timestamp: (0, runtimeSupport_1.nowIso)(),
+            });
+            return { ok: false, reasonCode: 'IDENTITY_DISABLED', retryable: false };
+        }
+        if (identity.lockoutUntil && !(0, runtimeSupport_1.isPast)(identity.lockoutUntil)) {
+            await this.emitAudit({
+                eventId: this.newEventId(),
+                eventType: 'LOCKOUT_TRIGGERED',
+                identityId: identity.id,
+                result: 'failed',
+                reasonCode: 'IDENTITY_LOCKED',
+                timestamp: (0, runtimeSupport_1.nowIso)(),
+            });
+            return { ok: false, reasonCode: 'IDENTITY_LOCKED', retryable: false };
+        }
+        const verified = await (0, runtimeSupport_1.verifySecret)(this.options.platformAdapter, input.secret, identity.secretHash);
+        if (!verified) {
+            const afterFail = await this.persistFailedAttempt(identity);
+            const reasonCode = afterFail.status === 'locked' ? 'IDENTITY_LOCKED' : 'INVALID_CREDENTIAL';
+            await this.emitAudit({
+                eventId: this.newEventId(),
+                eventType: reasonCode === 'IDENTITY_LOCKED' ? 'LOCKOUT_TRIGGERED' : 'LOGIN_FAILED',
+                identityId: identity.id,
+                result: 'failed',
+                reasonCode,
+                timestamp: (0, runtimeSupport_1.nowIso)(),
+            });
+            return { ok: false, reasonCode, retryable: reasonCode === 'INVALID_CREDENTIAL' };
+        }
+        await this.clearFailedAttempt(identity);
+        const assignments = await this.contextService.listAssignments(identity.id);
+        await this.emitAudit({
+            eventId: this.newEventId(),
+            eventType: 'LOGIN_SUCCESS',
+            identityId: identity.id,
+            scopeRef: input.scopeRef,
+            result: 'success',
+            timestamp: (0, runtimeSupport_1.nowIso)(),
+        });
+        return {
+            ok: true,
+            identity: (0, runtimeSupport_1.toIdentityRef)(identity),
+            assignments,
+        };
+    }
+    async login(input) {
+        const verified = await this.verifyCredential({
+            principal: input.principal,
+            secret: input.secret,
+            verifyMethod: input.verifyMethod,
+        });
+        if (!verified.ok) {
+            throw (0, errors_1.unauthorized)('AUTH_INVALID_CREDENTIAL', `Authentication failed: ${verified.reasonCode}`);
+        }
+        const defaultAssignment = [...verified.assignments].sort((a, b) => a.assignmentId.localeCompare(b.assignmentId))[0];
+        const session = await this.sessionService.createSession({
+            identityId: verified.identity.identityId,
+            assignmentId: defaultAssignment?.assignmentId,
+            assuranceLevel: 'basic',
+        });
+        return {
+            identity: verified.identity,
+            sessionId: session.sessionId,
+        };
+    }
+    async logout(sessionId) {
+        await this.sessionService.revokeSession({ sessionId, reasonCode: 'LOGOUT' });
+        await this.emitAudit({
+            eventId: this.newEventId(),
+            eventType: 'SESSION_REVOKED',
+            sessionId,
+            result: 'success',
+            reasonCode: 'LOGOUT',
+            timestamp: (0, runtimeSupport_1.nowIso)(),
+        });
+    }
+}
+exports.DbAdapterIdentityService = DbAdapterIdentityService;

package/dist/services/impl/DbAdapterSessionService.d.ts

@@ -0,0 +1,14 @@
+import type { DbAdapter } from 'ofcore';
+import type { CreateSessionRequest, RefreshSessionRequest, RevokeSessionRequest, SessionRef } from '../../contracts/SessionContract';
+import type { SessionService } from '../SessionService';
+import type { ServiceRuntimeOptions } from './runtimeSupport';
+export declare class DbAdapterSessionService implements SessionService {
+    private readonly db;
+    private readonly options;
+    private readonly newId;
+    constructor(db: DbAdapter, options: ServiceRuntimeOptions);
+    createSession(input: CreateSessionRequest): Promise<SessionRef>;
+    refreshSession(input: RefreshSessionRequest): Promise<SessionRef>;
+    revokeSession(input: RevokeSessionRequest): Promise<void>;
+    getActiveSession(sessionId: string): Promise<SessionRef | null>;
+}

package/dist/services/impl/DbAdapterSessionService.js

@@ -0,0 +1,63 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DbAdapterSessionService = void 0;
+const schemas_1 = require("../../data/schemas");
+const errors_1 = require("../errors");
+const runtimeSupport_1 = require("./runtimeSupport");
+class DbAdapterSessionService {
+    constructor(db, options) {
+        this.db = db;
+        this.options = options;
+        this.newId = (0, runtimeSupport_1.makeIdFactory)('auth-session');
+    }
+    async createSession(input) {
+        const issuedAt = (0, runtimeSupport_1.nowIso)();
+        const expiresAt = (0, runtimeSupport_1.plusSecondsIso)(issuedAt, input.ttlSeconds ?? runtimeSupport_1.DEFAULT_SESSION_TTL_SECONDS);
+        const created = await this.db.create(schemas_1.OFAUTH_TABLES.sessions, {
+            id: this.newId(),
+            identityId: input.identityId,
+            activeAssignmentId: input.assignmentId ?? null,
+            assuranceLevel: input.assuranceLevel ?? 'basic',
+            issuedAt,
+            expiresAt,
+            revokedAt: null,
+            version: 1,
+            lastModified: issuedAt,
+            deleted: false,
+        });
+        const assignment = await (0, runtimeSupport_1.getAssignmentById)(this.db, created.activeAssignmentId);
+        this.options.logger?.logInfo('[ofauth] session created', { sessionId: created.id, identityId: created.identityId });
+        return (0, runtimeSupport_1.toSessionRef)(created, assignment);
+    }
+    async refreshSession(input) {
+        const current = await this.db.get(schemas_1.OFAUTH_TABLES.sessions, input.sessionId);
+        if (!current || current.deleted || current.revokedAt)
+            throw (0, errors_1.unauthorized)('AUTH_SESSION_NOT_FOUND', 'Session not found');
+        const refreshed = await this.db.update(schemas_1.OFAUTH_TABLES.sessions, input.sessionId, {
+            expiresAt: (0, runtimeSupport_1.plusSecondsIso)((0, runtimeSupport_1.nowIso)(), input.ttlSeconds ?? runtimeSupport_1.DEFAULT_SESSION_TTL_SECONDS),
+            version: current.version + 1,
+            lastModified: (0, runtimeSupport_1.nowIso)(),
+        });
+        const assignment = await (0, runtimeSupport_1.getAssignmentById)(this.db, refreshed.activeAssignmentId);
+        return (0, runtimeSupport_1.toSessionRef)(refreshed, assignment);
+    }
+    async revokeSession(input) {
+        const current = await this.db.get(schemas_1.OFAUTH_TABLES.sessions, input.sessionId);
+        if (!current || current.deleted || current.revokedAt)
+            return;
+        await this.db.update(schemas_1.OFAUTH_TABLES.sessions, input.sessionId, {
+            revokedAt: (0, runtimeSupport_1.nowIso)(),
+            version: current.version + 1,
+            lastModified: (0, runtimeSupport_1.nowIso)(),
+        });
+        this.options.logger?.logInfo('[ofauth] session revoked', { sessionId: input.sessionId, reasonCode: input.reasonCode ?? null });
+    }
+    async getActiveSession(sessionId) {
+        const row = await this.db.get(schemas_1.OFAUTH_TABLES.sessions, sessionId);
+        if (!row || row.deleted || row.revokedAt || (0, runtimeSupport_1.isPast)(row.expiresAt))
+            return null;
+        const assignment = await (0, runtimeSupport_1.getAssignmentById)(this.db, row.activeAssignmentId);
+        return (0, runtimeSupport_1.toSessionRef)(row, assignment);
+    }
+}
+exports.DbAdapterSessionService = DbAdapterSessionService;