or3-provider-basic-auth 0.0.1

package/README.md

@@ -0,0 +1,99 @@
+# or3-provider-basic-auth
+
+Basic-auth provider for OR3 Chat SSR mode.
+
+This package registers:
+
+- `AuthProvider` (`basic-auth`)
+- `ProviderTokenBroker` (`basic-auth`)
+- provider-owned auth UI adapter + components
+
+## Installation
+
+```bash
+bun add or3-provider-basic-auth
+```
+
+For local development from the OR3 monorepo:
+
+```bash
+# from /Users/brendon/Documents/or3/or3-chat
+bun add or3-provider-basic-auth@link:../or3-provider-basic-auth
+```
+
+## Runtime registration
+
+Add the module to your generated provider list:
+
+```ts
+export const or3ProviderModules = [
+  'or3-provider-basic-auth/nuxt'
+] as const;
+```
+
+## Environment
+
+Required:
+
+- `AUTH_PROVIDER=basic-auth`
+- `OR3_BASIC_AUTH_JWT_SECRET`
+
+Optional:
+
+- `OR3_BASIC_AUTH_REFRESH_SECRET` (falls back to `OR3_BASIC_AUTH_JWT_SECRET`)
+- `OR3_BASIC_AUTH_ACCESS_TTL_SECONDS` (default `900`)
+- `OR3_BASIC_AUTH_REFRESH_TTL_SECONDS` (default `2592000`)
+- `OR3_BASIC_AUTH_DB_PATH` (default `./.data/or3-basic-auth.sqlite`)
+- `OR3_BASIC_AUTH_BOOTSTRAP_EMAIL`
+- `OR3_BASIC_AUTH_BOOTSTRAP_PASSWORD`
+
+Strict-mode behavior:
+
+- `NODE_ENV=production` or `OR3_STRICT_CONFIG=true` fails startup if required secrets are missing.
+- non-strict mode logs diagnostics and leaves provider registration disabled.
+
+## Architecture notes
+
+- Credentials/session state is stored in a provider-owned SQLite DB.
+- Canonical OR3 users/workspaces are still resolved by the selected `AuthWorkspaceStore`.
+- Access JWTs are short-lived and validated by `basicAuthProvider.getSession(event)`.
+- Refresh tokens are rotated and hashed at rest; replay attempts revoke active sessions.
+
+## Troubleshooting
+
+- `Authentication provider is not configured`
+  - Ensure `AUTH_PROVIDER=basic-auth` and `SSR_AUTH_ENABLED=true`.
+  - Ensure `OR3_BASIC_AUTH_JWT_SECRET` is set.
+
+- `Missing OR3_BASIC_AUTH_JWT_SECRET`
+  - In strict mode (`NODE_ENV=production` or `OR3_STRICT_CONFIG=true`), startup fails intentionally.
+  - Add the missing secret and restart.
+
+- `Invalid credentials` on known user
+  - Verify the bootstrap account values.
+  - Confirm password updates were propagated after recent `change-password` calls.
+
+- `Session expired` during refresh
+  - Refresh token may be revoked/rotated/replayed.
+  - Sign in again to create a new session chain.
+
+## Intern quick start
+
+Implementation order used in this package:
+
+1. `src/runtime/server/lib/password.ts`
+2. `src/runtime/server/lib/jwt.ts`
+3. `src/runtime/server/db/client.ts` and `src/runtime/server/lib/session-store.ts`
+4. `src/runtime/server/api/basic-auth/*.post.ts`
+5. `src/runtime/server/auth/basic-auth-provider.ts`
+6. `src/runtime/server/plugins/register.ts`
+7. `src/runtime/components/*.client.vue` and `src/runtime/plugins/basic-auth-ui.client.ts`
+8. `src/runtime/**/__tests__/*.test.ts`
+
+## Scripts
+
+```bash
+bun run type-check
+bun run test
+bun run build
+```

package/dist/module.d.mts

@@ -0,0 +1,5 @@
+import * as _nuxt_schema from '@nuxt/schema';
+
+declare const _default: _nuxt_schema.NuxtModule<_nuxt_schema.ModuleOptions, _nuxt_schema.ModuleOptions, false>;
+
+export { _default as default };

package/dist/module.json

@@ -0,0 +1,9 @@
+{
+  "name": "or3-provider-basic-auth",
+  "configKey": "or3-provider-basic-auth",
+  "version": "0.0.1",
+  "builder": {
+    "@nuxt/module-builder": "1.0.2",
+    "unbuild": "3.6.1"
+  }
+}

package/dist/module.mjs

@@ -0,0 +1,42 @@
+import { defineNuxtModule, createResolver, addServerPlugin, addServerHandler, addPlugin } from '@nuxt/kit';
+
+const module$1 = defineNuxtModule({
+  meta: { name: "or3-provider-basic-auth" },
+  setup() {
+    const { resolve } = createResolver(import.meta.url);
+    addServerPlugin(resolve("runtime/server/plugins/register"));
+    addServerHandler({
+      route: "/api/basic-auth/sign-in",
+      method: "post",
+      handler: resolve("runtime/server/api/basic-auth/sign-in.post")
+    });
+    addServerHandler({
+      route: "/api/basic-auth/register",
+      method: "post",
+      handler: resolve("runtime/server/api/basic-auth/register.post")
+    });
+    addServerHandler({
+      route: "/api/basic-auth/sign-out",
+      method: "post",
+      handler: resolve("runtime/server/api/basic-auth/sign-out.post")
+    });
+    addServerHandler({
+      route: "/api/basic-auth/refresh",
+      method: "post",
+      handler: resolve("runtime/server/api/basic-auth/refresh.post")
+    });
+    addServerHandler({
+      route: "/api/basic-auth/change-password",
+      method: "post",
+      handler: resolve("runtime/server/api/basic-auth/change-password.post")
+    });
+    addPlugin(resolve("runtime/plugins/basic-auth-ui.client"), {
+      append: true
+    });
+    addPlugin(resolve("runtime/plugins/auth-status.client"), {
+      append: true
+    });
+  }
+});
+
+export { module$1 as default };

package/dist/runtime/components/BasicAuthChangePasswordModal.client.d.vue.ts

@@ -0,0 +1,12 @@
+type __VLS_Props = {
+    modelValue: boolean;
+    username?: string;
+};
+declare const _default: import("vue").DefineComponent<__VLS_Props, {}, {}, {}, {}, import("vue").ComponentOptionsMixin, import("vue").ComponentOptionsMixin, {} & {
+    "update:modelValue": (value: boolean) => any;
+    updated: () => any;
+}, string, import("vue").PublicProps, Readonly<__VLS_Props> & Readonly<{
+    "onUpdate:modelValue"?: ((value: boolean) => any) | undefined;
+    onUpdated?: (() => any) | undefined;
+}>, {}, {}, {}, {}, string, import("vue").ComponentProvideOptions, false, {}, any>;
+export default _default;

package/dist/runtime/components/BasicAuthChangePasswordModal.client.vue

@@ -0,0 +1,133 @@
+<template>
+  <UModal
+    v-model:open="isOpen"
+    title="Change Password"
+    description="Update your account password"
+    :ui="modalUi"
+  >
+    <template #body>
+      <UForm :state="state" @submit.prevent="onSubmit">
+        <div class="flex flex-col gap-4">
+          <input
+            :value="props.username ?? ''"
+            type="text"
+            autocomplete="username"
+            tabindex="-1"
+            aria-hidden="true"
+            class="sr-only pointer-events-none h-0 w-0 opacity-0"
+            readonly
+          />
+
+          <UFormField label="Current Password" name="currentPassword">
+            <UInput
+              v-model="state.currentPassword"
+              type="password"
+              placeholder="••••••••"
+              autocomplete="current-password"
+              required
+              class="w-full"
+            />
+          </UFormField>
+
+          <USeparator />
+
+          <UFormField label="New Password" name="newPassword">
+            <UInput
+              v-model="state.newPassword"
+              type="password"
+              placeholder="••••••••"
+              autocomplete="new-password"
+              required
+              class="w-full"
+            />
+          </UFormField>
+
+          <UFormField label="Confirm New Password" name="confirmNewPassword">
+            <UInput
+              v-model="state.confirmNewPassword"
+              type="password"
+              placeholder="••••••••"
+              autocomplete="new-password"
+              required
+              class="w-full"
+            />
+          </UFormField>
+
+          <div
+            v-if="errorMessage"
+            class="flex items-start gap-2 rounded-[var(--md-border-radius)] border border-[var(--md-error)]/30 bg-[var(--md-error)]/8 px-3 py-2.5 text-sm text-[var(--md-error)]"
+          >
+            <UIcon name="i-lucide-alert-circle" class="w-4 h-4 mt-0.5 shrink-0" />
+            {{ errorMessage }}
+          </div>
+
+          <div class="flex justify-end gap-2 pt-1">
+            <UButton
+              color="neutral"
+              variant="outline"
+              type="button"
+              :disabled="pending"
+              @click="close"
+            >
+              Cancel
+            </UButton>
+            <UButton type="submit" :loading="pending">
+              Update Password
+            </UButton>
+          </div>
+        </div>
+      </UForm>
+    </template>
+  </UModal>
+</template>
+
+<script setup>
+import { computed, reactive, ref } from "vue";
+const modalUi = {
+  content: "sm:max-w-[400px]"
+};
+const props = defineProps({
+  modelValue: { type: Boolean, required: true },
+  username: { type: String, required: false }
+});
+const emit = defineEmits(["update:modelValue", "updated"]);
+const pending = ref(false);
+const errorMessage = ref("");
+const state = reactive({
+  currentPassword: "",
+  newPassword: "",
+  confirmNewPassword: ""
+});
+const isOpen = computed({
+  get: () => props.modelValue,
+  set: (value) => emit("update:modelValue", value)
+});
+function close() {
+  errorMessage.value = "";
+  emit("update:modelValue", false);
+}
+async function onSubmit() {
+  if (state.newPassword !== state.confirmNewPassword) {
+    errorMessage.value = "Passwords do not match";
+    return;
+  }
+  pending.value = true;
+  errorMessage.value = "";
+  try {
+    await $fetch("/api/basic-auth/change-password", {
+      method: "POST",
+      body: {
+        currentPassword: state.currentPassword,
+        newPassword: state.newPassword,
+        confirmNewPassword: state.confirmNewPassword
+      }
+    });
+    emit("updated");
+    close();
+  } catch {
+    errorMessage.value = "Unable to change password";
+  } finally {
+    pending.value = false;
+  }
+}
+</script>

package/dist/runtime/components/BasicAuthChangePasswordModal.client.vue.d.ts

@@ -0,0 +1,12 @@
+type __VLS_Props = {
+    modelValue: boolean;
+    username?: string;
+};
+declare const _default: import("vue").DefineComponent<__VLS_Props, {}, {}, {}, {}, import("vue").ComponentOptionsMixin, import("vue").ComponentOptionsMixin, {} & {
+    "update:modelValue": (value: boolean) => any;
+    updated: () => any;
+}, string, import("vue").PublicProps, Readonly<__VLS_Props> & Readonly<{
+    "onUpdate:modelValue"?: ((value: boolean) => any) | undefined;
+    onUpdated?: (() => any) | undefined;
+}>, {}, {}, {}, {}, string, import("vue").ComponentProvideOptions, false, {}, any>;
+export default _default;

package/dist/runtime/components/BasicAuthRegisterModal.client.d.vue.ts

@@ -0,0 +1,11 @@
+type __VLS_Props = {
+    modelValue: boolean;
+};
+declare const _default: import("vue").DefineComponent<__VLS_Props, {}, {}, {}, {}, import("vue").ComponentOptionsMixin, import("vue").ComponentOptionsMixin, {} & {
+    "update:modelValue": (value: boolean) => any;
+    registered: () => any;
+}, string, import("vue").PublicProps, Readonly<__VLS_Props> & Readonly<{
+    "onUpdate:modelValue"?: ((value: boolean) => any) | undefined;
+    onRegistered?: (() => any) | undefined;
+}>, {}, {}, {}, {}, string, import("vue").ComponentProvideOptions, false, {}, any>;
+export default _default;

package/dist/runtime/components/BasicAuthRegisterModal.client.vue

@@ -0,0 +1,164 @@
+<template>
+  <UModal
+    v-model:open="isOpen"
+    title="Create Account"
+    description="Register a new account"
+    :close="{
+  class: 'theme-btn',
+  size: 'sm'
+}"
+    :ui="modalUi"
+  >
+    <template #body>
+      <UForm :state="state" @submit.prevent="onSubmit">
+        <div class="flex flex-col gap-4">
+          <input
+            :value="state.email"
+            type="text"
+            autocomplete="username"
+            tabindex="-1"
+            aria-hidden="true"
+            class="sr-only pointer-events-none h-0 w-0 opacity-0"
+            readonly
+          />
+
+          <UFormField label="Email" name="email">
+            <UInput
+              v-model="state.email"
+              type="email"
+              placeholder="you@example.com"
+              autocomplete="username"
+              required
+              class="w-full"
+            />
+          </UFormField>
+
+          <UFormField label="Display name" name="displayName">
+            <UInput
+              v-model="state.displayName"
+              type="text"
+              placeholder="Your name"
+              autocomplete="name"
+              class="w-full"
+            />
+          </UFormField>
+
+          <UFormField label="Password" name="password">
+            <UInput
+              v-model="state.password"
+              type="password"
+              placeholder="••••••••"
+              autocomplete="new-password"
+              required
+              class="w-full"
+            />
+          </UFormField>
+
+          <UFormField label="Confirm password" name="confirmPassword">
+            <UInput
+              v-model="state.confirmPassword"
+              type="password"
+              placeholder="••••••••"
+              autocomplete="new-password"
+              required
+              class="w-full"
+            />
+          </UFormField>
+
+          <UFormField label="Invite token (optional)" name="inviteToken">
+            <UInput
+              v-model="state.inviteToken"
+              type="text"
+              placeholder="paste invite token"
+              class="w-full"
+            />
+          </UFormField>
+
+          <div
+            v-if="errorMessage"
+            class="flex items-start gap-2 rounded-[var(--md-border-radius)] border border-[var(--md-error)]/30 bg-[var(--md-error)]/8 px-3 py-2.5 text-sm text-[var(--md-error)]"
+          >
+            <UIcon name="i-lucide-alert-circle" class="w-4 h-4 mt-0.5 shrink-0" />
+            {{ errorMessage }}
+          </div>
+
+          <div class="flex justify-end gap-2 pt-1">
+            <UButton
+              color="neutral"
+              variant="outline"
+              type="button"
+              :disabled="pending"
+              @click="close"
+            >
+              Cancel
+            </UButton>
+            <UButton class="theme-btn new-act-btn" type="submit" :loading="pending">
+              Create account
+            </UButton>
+          </div>
+        </div>
+      </UForm>
+    </template>
+  </UModal>
+</template>
+
+<script setup>
+import { computed, reactive, ref } from "vue";
+const modalUi = {
+  content: "sm:max-w-[420px]"
+};
+const props = defineProps({
+  modelValue: { type: Boolean, required: true }
+});
+const emit = defineEmits(["update:modelValue", "registered"]);
+const state = reactive({
+  email: "",
+  displayName: "",
+  password: "",
+  confirmPassword: "",
+  inviteToken: ""
+});
+const pending = ref(false);
+const errorMessage = ref("");
+const isOpen = computed({
+  get: () => props.modelValue,
+  set: (value) => {
+    emit("update:modelValue", value);
+  }
+});
+function close() {
+  errorMessage.value = "";
+  emit("update:modelValue", false);
+}
+async function onSubmit() {
+  pending.value = true;
+  errorMessage.value = "";
+  try {
+    await $fetch("/api/basic-auth/register", {
+      method: "POST",
+      body: {
+        email: state.email,
+        displayName: state.displayName || void 0,
+        password: state.password,
+        confirmPassword: state.confirmPassword,
+        inviteToken: state.inviteToken || void 0
+      }
+    });
+    emit("registered");
+    close();
+  } catch (error) {
+    const statusCode = typeof error === "object" && error !== null && "statusCode" in error ? Number(error.statusCode) : null;
+    if (statusCode === 400) {
+      errorMessage.value = "Please check your input and try again.";
+    } else if (statusCode === 403) {
+      errorMessage.value = "Registration is restricted for this instance.";
+    } else if (statusCode === 409) {
+      errorMessage.value = "Email is already in use.";
+    } else {
+      errorMessage.value = "Unable to register right now. Please try again.";
+    }
+  } finally {
+    pending.value = false;
+  }
+}
+</script>

package/dist/runtime/components/BasicAuthRegisterModal.client.vue.d.ts

@@ -0,0 +1,11 @@
+type __VLS_Props = {
+    modelValue: boolean;
+};
+declare const _default: import("vue").DefineComponent<__VLS_Props, {}, {}, {}, {}, import("vue").ComponentOptionsMixin, import("vue").ComponentOptionsMixin, {} & {
+    "update:modelValue": (value: boolean) => any;
+    registered: () => any;
+}, string, import("vue").PublicProps, Readonly<__VLS_Props> & Readonly<{
+    "onUpdate:modelValue"?: ((value: boolean) => any) | undefined;
+    onRegistered?: (() => any) | undefined;
+}>, {}, {}, {}, {}, string, import("vue").ComponentProvideOptions, false, {}, any>;
+export default _default;

package/dist/runtime/components/BasicAuthSignInModal.client.d.vue.ts

@@ -0,0 +1,13 @@
+type __VLS_Props = {
+    modelValue: boolean;
+};
+declare const _default: import("vue").DefineComponent<__VLS_Props, {}, {}, {}, {}, import("vue").ComponentOptionsMixin, import("vue").ComponentOptionsMixin, {} & {
+    "update:modelValue": (value: boolean) => any;
+    "signed-in": () => any;
+    "open-register": () => any;
+}, string, import("vue").PublicProps, Readonly<__VLS_Props> & Readonly<{
+    "onUpdate:modelValue"?: ((value: boolean) => any) | undefined;
+    "onSigned-in"?: (() => any) | undefined;
+    "onOpen-register"?: (() => any) | undefined;
+}>, {}, {}, {}, {}, string, import("vue").ComponentProvideOptions, false, {}, any>;
+export default _default;

package/dist/runtime/components/BasicAuthSignInModal.client.vue

@@ -0,0 +1,136 @@
+<template>
+  <UModal
+    v-model:open="isOpen"
+    title="Sign In"
+        :close="{
+  class: 'theme-btn',
+  size: 'sm'
+}"
+    description="Enter your credentials to continue"
+    :ui="modalUi"
+  >
+    <template #body>
+      <UForm :state="state" @submit.prevent="onSubmit">
+        <div class="flex flex-col gap-4">
+          <input
+            :value="state.email"
+            type="text"
+            autocomplete="username"
+            tabindex="-1"
+            aria-hidden="true"
+            class="sr-only pointer-events-none h-0 w-0 opacity-0"
+            readonly
+          />
+
+          <UFormField label="Email" name="email">
+            <UInput
+              v-model="state.email"
+              type="email"
+              placeholder="you@example.com"
+              autocomplete="username"
+              required
+              class="w-full"
+            />
+          </UFormField>
+
+          <UFormField label="Password" name="password">
+            <UInput
+              v-model="state.password"
+              type="password"
+              placeholder="••••••••"
+              autocomplete="current-password"
+              required
+              class="w-full"
+            />
+          </UFormField>
+
+          <div
+            v-if="errorMessage"
+            class="flex items-start gap-2 rounded-[var(--md-border-radius)] border border-[var(--md-error)]/30 bg-[var(--md-error)]/8 px-3 py-2.5 text-sm text-[var(--md-error)]"
+          >
+            <UIcon name="i-lucide-alert-circle" class="w-4 h-4 mt-0.5 shrink-0" />
+            {{ errorMessage }}
+          </div>
+
+          <div class="flex justify-end gap-2 pt-1">
+            <UButton
+              class="theme-btn create-act-si-btn"
+              color="neutral"
+              variant="ghost"
+              type="button"
+              :disabled="pending"
+              @click="emit('open-register')"
+            >
+              Create account
+            </UButton>
+            <UButton
+              color="neutral"
+              variant="outline"
+              type="button"
+              :disabled="pending"
+              @click="close"
+            >
+              Cancel
+            </UButton>
+            <UButton type="submit" :loading="pending">
+              Sign In
+            </UButton>
+          </div>
+        </div>
+      </UForm>
+    </template>
+  </UModal>
+</template>
+
+<script setup>
+import { computed, reactive, ref } from "vue";
+const modalUi = {
+  content: "sm:max-w-[380px]"
+};
+const props = defineProps({
+  modelValue: { type: Boolean, required: true }
+});
+const emit = defineEmits(["update:modelValue", "signed-in", "open-register"]);
+const state = reactive({
+  email: "",
+  password: ""
+});
+const pending = ref(false);
+const errorMessage = ref("");
+const isOpen = computed({
+  get: () => props.modelValue,
+  set: (value) => {
+    emit("update:modelValue", value);
+  }
+});
+function close() {
+  errorMessage.value = "";
+  emit("update:modelValue", false);
+}
+async function onSubmit() {
+  pending.value = true;
+  errorMessage.value = "";
+  try {
+    await $fetch("/api/basic-auth/sign-in", {
+      method: "POST",
+      body: {
+        email: state.email,
+        password: state.password
+      }
+    });
+    emit("signed-in");
+    close();
+  } catch (error) {
+    const statusCode = typeof error === "object" && error !== null && "statusCode" in error ? Number(error.statusCode) : null;
+    if (statusCode === 400) {
+      errorMessage.value = "Please enter a valid email and password.";
+    } else if (statusCode === 401) {
+      errorMessage.value = "Invalid credentials";
+    } else {
+      errorMessage.value = "Unable to sign in right now. Please try again.";
+    }
+  } finally {
+    pending.value = false;
+  }
+}
+</script>

package/dist/runtime/components/BasicAuthSignInModal.client.vue.d.ts

@@ -0,0 +1,13 @@
+type __VLS_Props = {
+    modelValue: boolean;
+};
+declare const _default: import("vue").DefineComponent<__VLS_Props, {}, {}, {}, {}, import("vue").ComponentOptionsMixin, import("vue").ComponentOptionsMixin, {} & {
+    "update:modelValue": (value: boolean) => any;
+    "signed-in": () => any;
+    "open-register": () => any;
+}, string, import("vue").PublicProps, Readonly<__VLS_Props> & Readonly<{
+    "onUpdate:modelValue"?: ((value: boolean) => any) | undefined;
+    "onSigned-in"?: (() => any) | undefined;
+    "onOpen-register"?: (() => any) | undefined;
+}>, {}, {}, {}, {}, string, import("vue").ComponentProvideOptions, false, {}, any>;
+export default _default;

package/dist/runtime/components/BasicAuthUserMenu.client.d.vue.ts

@@ -0,0 +1,12 @@
+type __VLS_Props = {
+    email?: string;
+    displayName?: string;
+};
+declare const _default: import("vue").DefineComponent<__VLS_Props, {}, {}, {}, {}, import("vue").ComponentOptionsMixin, import("vue").ComponentOptionsMixin, {} & {
+    "signed-out": () => any;
+    "change-password": () => any;
+}, string, import("vue").PublicProps, Readonly<__VLS_Props> & Readonly<{
+    "onSigned-out"?: (() => any) | undefined;
+    "onChange-password"?: (() => any) | undefined;
+}>, {}, {}, {}, {}, string, import("vue").ComponentProvideOptions, false, {}, any>;
+export default _default;