ofauth-shared-core 0.1.0-alpha.0

package/dist/services/impl/runtimeSupport.d.ts

@@ -0,0 +1,95 @@
+import type { ActivityRecord, DbAdapter, LoggerAdapter, PlatformAdapter } from 'ofcore';
+import type { AuthAuditEvent } from '../../contracts/AuthAuditContract';
+import type { AuthPolicySnapshot } from '../../contracts/AuthPolicyContract';
+import type { ContextAssignment } from '../../contracts/ContextContract';
+import type { IdentityRef, IdentityStatus } from '../../contracts/IdentityContract';
+import type { AssuranceLevel, SessionRef } from '../../contracts/SessionContract';
+export interface IdentityRow {
+    id: string;
+    principal: string;
+    secretHash: string;
+    verifyMethod: 'pin' | 'password' | 'custom';
+    status: IdentityStatus;
+    failedAttempts: number;
+    lockoutUntil: string | null;
+    version: number;
+    lastModified: string;
+    deleted: boolean;
+}
+export interface AssignmentRow {
+    id: string;
+    identityId: string;
+    roleRef: string;
+    tenantId: string | null;
+    branchId: string | null;
+    scopeAttributes: Record<string, string> | null;
+    version: number;
+    lastModified: string;
+    deleted: boolean;
+}
+export interface SessionRow {
+    id: string;
+    identityId: string;
+    activeAssignmentId: string | null;
+    assuranceLevel: AssuranceLevel;
+    issuedAt: string;
+    expiresAt: string;
+    revokedAt: string | null;
+    version: number;
+    lastModified: string;
+    deleted: boolean;
+}
+export interface PolicyProfileRow {
+    id: string;
+    profileId: 'cashier_fast' | 'supervisor_strict' | 'member_self_service';
+    defaultAssuranceLevel: AssuranceLevel;
+    lockoutPolicyRef: string;
+    version: number;
+    lastModified: string;
+    deleted: boolean;
+}
+export interface PolicyStepUpRow {
+    id: string;
+    actionRef: string;
+    requiredAssuranceLevel: AssuranceLevel;
+    reauthWindowSeconds: number | null;
+    version: number;
+    lastModified: string;
+    deleted: boolean;
+}
+export interface AuthAuditRow {
+    id: string;
+    eventType: AuthAuditEvent['eventType'];
+    identityId: string | null;
+    sessionId: string | null;
+    tenantId: string | null;
+    branchId: string | null;
+    scopeAttributes: Record<string, string> | null;
+    result: 'success' | 'failed';
+    reasonCode: string | null;
+    timestamp: string;
+    syncStatus: 'pending' | 'replayed';
+    replayedAt: string | null;
+    version: number;
+    lastModified: string;
+    deleted: boolean;
+}
+export interface ServiceRuntimeOptions {
+    logger?: LoggerAdapter;
+    platformAdapter?: PlatformAdapter;
+    emitActivity?: (record: ActivityRecord) => Promise<void>;
+}
+export declare const DEFAULT_LOCKOUT_THRESHOLD = 5;
+export declare const DEFAULT_LOCKOUT_COOLDOWN_SECONDS: number;
+export declare const DEFAULT_SESSION_TTL_SECONDS: number;
+export declare function nowIso(): string;
+export declare function plusSecondsIso(baseIso: string, seconds: number): string;
+export declare function isPast(iso: string): boolean;
+export declare function makeIdFactory(prefix: string): () => string;
+export declare function toIdentityRef(row: IdentityRow): IdentityRef;
+export declare function toAssignment(row: AssignmentRow): ContextAssignment;
+export declare function toSessionRef(row: SessionRow, assignment?: AssignmentRow | null): SessionRef;
+export declare function verifySecret(platformAdapter: PlatformAdapter | undefined, plainSecret: string, secretHash: string): Promise<boolean>;
+export declare function emitAuthActivity(options: ServiceRuntimeOptions, event: AuthAuditEvent): Promise<void>;
+export declare function getAssignmentById(db: DbAdapter, id: string | null): Promise<AssignmentRow | null>;
+export declare function fallbackPolicyProfiles(): AuthPolicySnapshot['profiles'];

package/dist/services/impl/runtimeSupport.js

@@ -0,0 +1,112 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_SESSION_TTL_SECONDS = exports.DEFAULT_LOCKOUT_COOLDOWN_SECONDS = exports.DEFAULT_LOCKOUT_THRESHOLD = void 0;
+exports.nowIso = nowIso;
+exports.plusSecondsIso = plusSecondsIso;
+exports.isPast = isPast;
+exports.makeIdFactory = makeIdFactory;
+exports.toIdentityRef = toIdentityRef;
+exports.toAssignment = toAssignment;
+exports.toSessionRef = toSessionRef;
+exports.verifySecret = verifySecret;
+exports.emitAuthActivity = emitAuthActivity;
+exports.getAssignmentById = getAssignmentById;
+exports.fallbackPolicyProfiles = fallbackPolicyProfiles;
+const schemas_1 = require("../../data/schemas");
+exports.DEFAULT_LOCKOUT_THRESHOLD = 5;
+exports.DEFAULT_LOCKOUT_COOLDOWN_SECONDS = 15 * 60;
+exports.DEFAULT_SESSION_TTL_SECONDS = 8 * 60 * 60;
+function nowIso() {
+    return new Date().toISOString();
+}
+function plusSecondsIso(baseIso, seconds) {
+    return new Date(new Date(baseIso).getTime() + seconds * 1000).toISOString();
+}
+function isPast(iso) {
+    return new Date(iso).getTime() <= Date.now();
+}
+function makeIdFactory(prefix) {
+    let counter = 0;
+    return () => {
+        counter += 1;
+        return `${prefix}-${Date.now()}-${counter}`;
+    };
+}
+function toIdentityRef(row) {
+    return {
+        identityId: row.id,
+        principal: row.principal,
+        status: row.status,
+    };
+}
+function toAssignment(row) {
+    return {
+        assignmentId: row.id,
+        identityId: row.identityId,
+        roleRef: row.roleRef,
+        scopeRef: {
+            ...(row.tenantId ? { tenantId: row.tenantId } : {}),
+            ...(row.branchId ? { branchId: row.branchId } : {}),
+            ...(row.scopeAttributes ? { attributes: row.scopeAttributes } : {}),
+        },
+    };
+}
+function toSessionRef(row, assignment) {
+    return {
+        sessionId: row.id,
+        identityId: row.identityId,
+        activeScopeRef: assignment
+            ? {
+                ...(assignment.tenantId ? { tenantId: assignment.tenantId } : {}),
+                ...(assignment.branchId ? { branchId: assignment.branchId } : {}),
+                ...(assignment.scopeAttributes ? { attributes: assignment.scopeAttributes } : {}),
+            }
+            : undefined,
+        assuranceLevel: row.assuranceLevel,
+        issuedAt: row.issuedAt,
+        expiresAt: row.expiresAt,
+    };
+}
+async function verifySecret(platformAdapter, plainSecret, secretHash) {
+    if (platformAdapter) {
+        return platformAdapter.verifyPin(plainSecret, secretHash);
+    }
+    return plainSecret === secretHash;
+}
+async function emitAuthActivity(options, event) {
+    if (!options.emitActivity)
+        return;
+    await options.emitActivity({
+        activityId: event.eventId,
+        activityType: `ofauth.${event.eventType.toLowerCase()}`,
+        occurredAt: event.timestamp,
+        scopeRef: {
+            domain: 'ofauth',
+            ...(event.scopeRef?.tenantId ? { tenantId: event.scopeRef.tenantId } : {}),
+            ...(event.scopeRef?.branchId ? { branchId: event.scopeRef.branchId } : {}),
+        },
+        actor: event.identityId ? { userId: event.identityId } : undefined,
+        payload: {
+            eventType: event.eventType,
+            result: event.result,
+            reasonCode: event.reasonCode ?? null,
+            sessionId: event.sessionId ?? null,
+            scopeAttributes: event.scopeRef?.attributes ?? null,
+        },
+    });
+}
+async function getAssignmentById(db, id) {
+    if (!id)
+        return null;
+    const row = await db.get(schemas_1.OFAUTH_TABLES.assignments, id);
+    if (!row || row.deleted)
+        return null;
+    return row;
+}
+function fallbackPolicyProfiles() {
+    return [
+        { profileId: 'cashier_fast', defaultAssuranceLevel: 'basic', lockoutPolicyRef: 'default' },
+        { profileId: 'supervisor_strict', defaultAssuranceLevel: 'elevated', lockoutPolicyRef: 'strict' },
+        { profileId: 'member_self_service', defaultAssuranceLevel: 'basic', lockoutPolicyRef: 'member' },
+    ];
+}

package/package.json

@@ -0,0 +1,37 @@
+{
+  "name": "ofauth-shared-core",
+  "version": "0.1.0-alpha.0",
+  "private": false,
+  "description": "Offline-first auth shared-core (identity/session/context/assurance) for of* domain modules.",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "clean": "node -e \"require('fs').rmSync('dist',{recursive:true,force:true})\"",
+    "build": "npm run clean && tsc -p tsconfig.build.json",
+    "typecheck": "tsc -p tsconfig.json --noEmit",
+    "test": "NODE_PATH=.. npm run build && NODE_PATH=.. node --test ./tests/*.test.js",
+    "verify:contract": "node ./scripts/verify-surface.js",
+    "verify:surface": "node ./scripts/verify-surface.js",
+    "verify:logic": "NODE_PATH=.. npm run build && NODE_PATH=.. node ./scripts/verify-logic.js",
+    "verify:factory-boundary": "node ./scripts/verify-no-service-logic-in-factory.js",
+    "ci:check": "npm run typecheck && npm run verify:contract && npm run test && npm run verify:logic && npm run verify:factory-boundary",
+    "prepublishOnly": "npm run ci:check",
+    "prepack": "npm run build"
+  },
+  "dependencies": {
+    "ofcore": "0.1.0-alpha.0"
+  },
+  "devDependencies": {
+    "typescript": "^5.9.3"
+  },
+  "author": {
+    "name": "Agus Made",
+    "email": "krisnaparta@gmail.com"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}