swallowkit 1.0.0-beta.13 → 1.0.0-beta.15

package/src/__tests__/connector-mock-server.test.ts

@@ -15,7 +15,8 @@ function httpRequest(
   port: number,
   method: string,
   path: string,
-  body?: unknown
+  body?: unknown,
+  headers?: Record<string, string>
 ): Promise<{ status: number; body: unknown }> {
   return new Promise((resolve, reject) => {
     const opts: http.RequestOptions = {
@@ -23,7 +24,7 @@ function httpRequest(
       port,
       path,
       method,
-      headers: { "Content-Type": "application/json" },
+      headers: { "Content-Type": "application/json", ...headers },
     };
 
     const req = http.request(opts, (res) => {
@@ -250,3 +251,189 @@ describe("ConnectorMockServer", () => {
     expect(store[0].id).toBe("user-001");
   });
 });
+
+// ============================================================
+// Mock Auth Endpoints
+// ============================================================
+describe("ConnectorMockServer - Auth Endpoints", () => {
+  let server: ConnectorMockServer;
+  const AUTH_PORT = 19877;
+  const JWT_SECRET = "test-jwt-secret-for-mock-auth-tests";
+
+  // Auth-compatible User model (has loginId, password, roles fields)
+  const authUserModel = createRdbConnectorModelInfo({
+    name: "User",
+    displayName: "User",
+    schemaName: "userSchema",
+    filePath: "/models/user.ts",
+    fields: [
+      { name: "id", type: "string", isOptional: false, isArray: false },
+      { name: "loginId", type: "string", isOptional: false, isArray: false },
+      { name: "password", type: "string", isOptional: false, isArray: false },
+      { name: "name", type: "string", isOptional: false, isArray: false },
+      { name: "email", type: "string", isOptional: false, isArray: false },
+      { name: "roles", type: "string", isOptional: false, isArray: true },
+    ],
+    connectorConfig: {
+      connector: "mysql",
+      operations: ["getAll", "getById"],
+      table: "users",
+      idColumn: "id",
+    },
+  });
+
+  const testUsers = [
+    { id: "1", loginId: "admin", password: "password123", name: "Admin User", email: "admin@example.com", roles: ["admin"] },
+    { id: "2", loginId: "user", password: "password123", name: "Test User", email: "user@example.com", roles: ["user"] },
+  ];
+
+  afterEach(async () => {
+    if (server) {
+      await server.stop();
+    }
+  });
+
+  /** Start mock server with auth-compatible User model and seed data */
+  async function startAuthServer() {
+    server = new ConnectorMockServer({
+      port: AUTH_PORT,
+      functionsTarget: "localhost:7071",
+      connectorModels: [authUserModel],
+      mockCount: 0,
+      authConfig: {
+        jwtSecret: JWT_SECRET,
+        tokenExpiry: "1h",
+        customJwt: {
+          userTable: "users",
+          loginIdColumn: "loginId",
+          passwordHashColumn: "password",
+          rolesColumn: "roles",
+        },
+      },
+    });
+    await server.start();
+    // Populate user store with known test data
+    const store = server.getStore("User");
+    store.push(...testUsers);
+  }
+
+  it("handles POST /api/auth/login with users from RDB mock store", async () => {
+    await startAuthServer();
+
+    const res = await httpRequest(AUTH_PORT, "POST", "/api/auth/login", {
+      loginId: "admin",
+      password: "password123",
+    });
+
+    expect(res.status).toBe(200);
+    const body = res.body as any;
+    expect(body.user).toBeDefined();
+    expect(body.user.loginId).toBe("admin");
+    expect(body.user.roles).toContain("admin");
+    expect(body.token).toBeDefined();
+    expect(typeof body.token).toBe("string");
+    expect(body.expiresAt).toBeDefined();
+  });
+
+  it("returns 401 for invalid credentials", async () => {
+    await startAuthServer();
+
+    const res = await httpRequest(AUTH_PORT, "POST", "/api/auth/login", {
+      loginId: "admin",
+      password: "wrong-password",
+    });
+
+    expect(res.status).toBe(401);
+  });
+
+  it("returns 401 for non-existent user", async () => {
+    await startAuthServer();
+
+    const res = await httpRequest(AUTH_PORT, "POST", "/api/auth/login", {
+      loginId: "nobody",
+      password: "password123",
+    });
+
+    expect(res.status).toBe(401);
+  });
+
+  it("handles GET /api/auth/me with valid JWT", async () => {
+    await startAuthServer();
+
+    // Login first
+    const loginRes = await httpRequest(AUTH_PORT, "POST", "/api/auth/login", {
+      loginId: "admin",
+      password: "password123",
+    });
+    const token = (loginRes.body as any).token;
+
+    // Then call /me
+    const meRes = await httpRequest(AUTH_PORT, "GET", "/api/auth/me", undefined, {
+      Authorization: `Bearer ${token}`,
+    });
+
+    expect(meRes.status).toBe(200);
+    const meBody = meRes.body as any;
+    expect(meBody.loginId).toBe("admin");
+    expect(meBody.roles).toContain("admin");
+  });
+
+  it("returns 401 for /api/auth/me without token", async () => {
+    await startAuthServer();
+
+    const res = await httpRequest(AUTH_PORT, "GET", "/api/auth/me");
+    expect(res.status).toBe(401);
+  });
+
+  it("handles POST /api/auth/logout", async () => {
+    await startAuthServer();
+
+    const res = await httpRequest(AUTH_PORT, "POST", "/api/auth/logout");
+    expect(res.status).toBe(200);
+    expect((res.body as any).message).toBe("Logged out");
+  });
+
+  it("does not intercept auth routes when authConfig is not set", async () => {
+    // Without authConfig, auth routes should be proxied (which will fail since no real Functions)
+    server = new ConnectorMockServer({
+      port: AUTH_PORT,
+      functionsTarget: "localhost:19999", // non-existent to trigger proxy error
+      connectorModels: [],
+    });
+    await server.start();
+
+    const res = await httpRequest(AUTH_PORT, "POST", "/api/auth/login", {
+      loginId: "admin",
+      password: "password123",
+    });
+
+    // Should get 502 (proxy error) since auth is not handled by mock
+    expect(res.status).toBe(502);
+  });
+
+  it("returns 500 when no user model matches the configured userTable", async () => {
+    server = new ConnectorMockServer({
+      port: AUTH_PORT,
+      functionsTarget: "localhost:7071",
+      connectorModels: [], // no models at all
+      authConfig: {
+        jwtSecret: JWT_SECRET,
+        customJwt: {
+          userTable: "users",
+          loginIdColumn: "loginId",
+          passwordHashColumn: "password",
+          rolesColumn: "roles",
+        },
+      },
+    });
+    await server.start();
+
+    const res = await httpRequest(AUTH_PORT, "POST", "/api/auth/login", {
+      loginId: "admin",
+      password: "password123",
+    });
+
+    expect(res.status).toBe(500);
+    expect((res.body as any).error).toContain("No user model found");
+  });
+});

package/src/cli/commands/add-auth.ts

@@ -0,0 +1,413 @@
+/**
+ * SwallowKit Add-Auth コマンド
+ * 認証認可基盤ファイルを生成する
+ */
+
+import * as fs from "fs";
+import * as path from "path";
+import { ensureSwallowKitProject, getBackendLanguage, getConnectorDefinition, getFullConfig } from "../../core/config";
+import { AuthProvider, BackendLanguage, CustomJwtConfig, RdbConnectorConfig } from "../../types";
+import {
+  generateAuthModels,
+  generateAuthFunctionsTS,
+  generateJwtHelperTS,
+  generateAuthFunctionsCSharp,
+  generateJwtHelperCSharp,
+  generateAuthFunctionsPython,
+  generateJwtHelperPython,
+  generateBFFAuthLoginRoute,
+  generateBFFAuthLogoutRoute,
+  generateBFFAuthMeRoute,
+  generateMiddleware,
+  generateLoginPage,
+  generateAuthContext,
+  generateBFFCallFunctionWithAuth,
+} from "../../core/scaffold/auth-generator";
+import { detectFromProject, getCommands } from "../../utils/package-manager";
+
+interface AddAuthOptions {
+  provider?: string;
+}
+
+export async function addAuthCommand(options: AddAuthOptions) {
+  ensureSwallowKitProject("add-auth");
+
+  console.log(" SwallowKit Add-Auth: Setting up authentication...\n");
+
+  const provider = (options.provider || "custom-jwt") as AuthProvider;
+  if (!["custom-jwt", "swa", "swa-custom", "none"].includes(provider)) {
+    console.error(` Unknown provider: ${provider}. Use: custom-jwt | swa | swa-custom | none`);
+    process.exit(1);
+  }
+
+  const backendLanguage = getBackendLanguage();
+  const config = getFullConfig();
+  const cwd = process.cwd();
+
+  // Read project name from package.json
+  const pkgPath = path.join(cwd, "package.json");
+  const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
+  const projectName = pkg.name || "app";
+
+  // Read shared package name
+  const sharedPkgPath = path.join(cwd, "shared", "package.json");
+  let sharedPackageName = `@${projectName}/shared`;
+  if (fs.existsSync(sharedPkgPath)) {
+    const sharedPkg = JSON.parse(fs.readFileSync(sharedPkgPath, "utf-8"));
+    sharedPackageName = sharedPkg.name || sharedPackageName;
+  }
+
+  // Default custom-jwt config
+  const customJwtConfig: CustomJwtConfig = config.auth?.customJwt || {
+    userConnector: "mysql",
+    userTable: "users",
+    loginIdColumn: "login_id",
+    passwordHashColumn: "password_hash",
+    rolesColumn: "roles",
+    jwtSecretEnv: "JWT_SECRET",
+    tokenExpiry: "24h",
+  };
+
+  // 1. Generate shared/models/auth.ts
+  console.log(" Generating auth models...");
+  const modelsDir = path.join(cwd, "shared", "models");
+  fs.mkdirSync(modelsDir, { recursive: true });
+  const authModelPath = path.join(modelsDir, "auth.ts");
+  fs.writeFileSync(authModelPath, generateAuthModels(), "utf-8");
+  console.log(` Created: shared/models/auth.ts`);
+
+  // Update shared/index.ts to re-export auth
+  updateSharedIndex(cwd);
+
+  // Resolve RDB provider for dependency installation
+  const connDef = getConnectorDefinition(customJwtConfig.userConnector);
+  const rdbProvider = (connDef as RdbConnectorConfig | undefined)?.provider ?? "mysql";
+
+  // 2. Generate Functions auth code
+  console.log("\n Generating auth functions...");
+  generateFunctionsAuth(cwd, backendLanguage, sharedPackageName, customJwtConfig);
+
+  // 3. Generate BFF auth routes
+  console.log("\n Generating BFF auth routes...");
+  generateBFFAuth(cwd, projectName, sharedPackageName);
+
+  // 4. Generate middleware
+  console.log("\n  Generating middleware...");
+  const middlewarePath = path.join(cwd, "middleware.ts");
+  fs.writeFileSync(middlewarePath, generateMiddleware(projectName), "utf-8");
+  console.log(` Created: middleware.ts`);
+
+  // 5. Generate login page
+  console.log("\n Generating login page...");
+  const loginDir = path.join(cwd, "app", "login");
+  fs.mkdirSync(loginDir, { recursive: true });
+  fs.writeFileSync(path.join(loginDir, "page.tsx"), generateLoginPage(), "utf-8");
+  console.log(` Created: app/login/page.tsx`);
+
+  // 6. Generate auth context
+  console.log("\n Generating auth context...");
+  const authLibDir = path.join(cwd, "lib", "auth");
+  fs.mkdirSync(authLibDir, { recursive: true });
+  fs.writeFileSync(path.join(authLibDir, "auth-context.tsx"), generateAuthContext(), "utf-8");
+  console.log(`✅ Created: lib/auth/auth-context.tsx`);
+
+  // 7. Update callFunction with auth support
+  console.log("\n Updating callFunction with auth support...");
+  const callFnPath = path.join(cwd, "lib", "api", "call-function.ts");
+  const callFnDir = path.dirname(callFnPath);
+  fs.mkdirSync(callFnDir, { recursive: true });
+  fs.writeFileSync(callFnPath, generateBFFCallFunctionWithAuth(), "utf-8");
+  console.log(` Updated: lib/api/call-function.ts`);
+
+  // 8. Update swallowkit.config.js
+  console.log("\n Updating configuration...");
+  updateConfigWithAuth(cwd, provider, customJwtConfig);
+
+  // 9. Update environment files
+  console.log("\n Updating environment files...");
+  updateEnvironmentFiles(cwd);
+
+  // 10. Install dependencies
+  console.log("\n Installing auth dependencies...");
+  await installAuthDependencies(cwd, backendLanguage, rdbProvider);
+
+  console.log("\n Authentication setup complete!");
+  console.log("\n Next steps:");
+  console.log("  1. Review the generated files");
+  console.log("  2. Set JWT_SECRET in functions/local.settings.json");
+  if (provider === "custom-jwt") {
+    console.log("  3. Ensure your user database table matches the config");
+    console.log("  4. Add authPolicy to your models for role-based access control:");
+    console.log("     export const authPolicy = { roles: ['admin'] };");
+  }
+  console.log(`  5. Run scaffold to regenerate functions with auth guards`);
+}
+
+function updateSharedIndex(cwd: string): void {
+  const indexPath = path.join(cwd, "shared", "index.ts");
+  if (fs.existsSync(indexPath)) {
+    let content = fs.readFileSync(indexPath, "utf-8");
+    if (!content.includes("./models/auth")) {
+      content += `\nexport { LoginRequest, AuthUser, LoginResponse } from './models/auth';\n`;
+      fs.writeFileSync(indexPath, content, "utf-8");
+      console.log(` Updated: shared/index.ts`);
+    }
+  } else {
+    fs.writeFileSync(indexPath, `export { LoginRequest, AuthUser, LoginResponse } from './models/auth';\n`, "utf-8");
+    console.log(` Created: shared/index.ts`);
+  }
+}
+
+function generateFunctionsAuth(
+  cwd: string,
+  backendLanguage: BackendLanguage,
+  sharedPackageName: string,
+  config: CustomJwtConfig,
+): void {
+  const functionsDir = path.join(cwd, "functions");
+
+  // Resolve the RDB provider from the connector definition
+  const connDef = getConnectorDefinition(config.userConnector);
+  const provider = (connDef as RdbConnectorConfig | undefined)?.provider ?? "mysql";
+
+  if (backendLanguage === "typescript") {
+    // Auth functions
+    const srcDir = path.join(functionsDir, "src");
+    fs.mkdirSync(srcDir, { recursive: true });
+    fs.writeFileSync(
+      path.join(srcDir, "auth.ts"),
+      generateAuthFunctionsTS(sharedPackageName, config, provider),
+      "utf-8"
+    );
+    console.log(` Created: functions/src/auth.ts`);
+
+    // JWT helper
+    const authDir = path.join(srcDir, "auth");
+    fs.mkdirSync(authDir, { recursive: true });
+    fs.writeFileSync(
+      path.join(authDir, "jwt-helper.ts"),
+      generateJwtHelperTS(),
+      "utf-8"
+    );
+    console.log(` Created: functions/src/auth/jwt-helper.ts`);
+  } else if (backendLanguage === "csharp") {
+    const authDir = path.join(functionsDir, "Auth");
+    fs.mkdirSync(authDir, { recursive: true });
+    fs.writeFileSync(
+      path.join(authDir, "AuthFunctions.cs"),
+      generateAuthFunctionsCSharp(config, provider),
+      "utf-8"
+    );
+    console.log(` Created: functions/Auth/AuthFunctions.cs`);
+    fs.writeFileSync(
+      path.join(authDir, "JwtHelper.cs"),
+      generateJwtHelperCSharp(),
+      "utf-8"
+    );
+    console.log(` Created: functions/Auth/JwtHelper.cs`);
+  } else if (backendLanguage === "python") {
+    const blueprintsDir = path.join(functionsDir, "blueprints");
+    fs.mkdirSync(blueprintsDir, { recursive: true });
+    fs.writeFileSync(
+      path.join(blueprintsDir, "auth.py"),
+      generateAuthFunctionsPython(config, provider),
+      "utf-8"
+    );
+    console.log(` Created: functions/blueprints/auth.py`);
+
+    const authDir = path.join(functionsDir, "auth");
+    fs.mkdirSync(authDir, { recursive: true });
+    fs.writeFileSync(
+      path.join(authDir, "jwt_helper.py"),
+      generateJwtHelperPython(),
+      "utf-8"
+    );
+    console.log(` Created: functions/auth/jwt_helper.py`);
+
+    // __init__.py
+    fs.writeFileSync(path.join(authDir, "__init__.py"), "", "utf-8");
+  }
+}
+
+function generateBFFAuth(cwd: string, projectName: string, sharedPackageName: string): void {
+  const authApiDir = path.join(cwd, "app", "api", "auth");
+
+  // Login route
+  const loginDir = path.join(authApiDir, "login");
+  fs.mkdirSync(loginDir, { recursive: true });
+  fs.writeFileSync(
+    path.join(loginDir, "route.ts"),
+    generateBFFAuthLoginRoute(projectName, sharedPackageName),
+    "utf-8"
+  );
+  console.log(` Created: app/api/auth/login/route.ts`);
+
+  // Logout route
+  const logoutDir = path.join(authApiDir, "logout");
+  fs.mkdirSync(logoutDir, { recursive: true });
+  fs.writeFileSync(
+    path.join(logoutDir, "route.ts"),
+    generateBFFAuthLogoutRoute(projectName),
+    "utf-8"
+  );
+  console.log(` Created: app/api/auth/logout/route.ts`);
+
+  // Me route
+  const meDir = path.join(authApiDir, "me");
+  fs.mkdirSync(meDir, { recursive: true });
+  fs.writeFileSync(
+    path.join(meDir, "route.ts"),
+    generateBFFAuthMeRoute(sharedPackageName),
+    "utf-8"
+  );
+  console.log(` Created: app/api/auth/me/route.ts`);
+}
+
+function updateConfigWithAuth(cwd: string, provider: AuthProvider, config: CustomJwtConfig): void {
+  const configPath = path.join(cwd, "swallowkit.config.js");
+  if (!fs.existsSync(configPath)) {
+    console.warn("  swallowkit.config.js not found. Please add auth config manually.");
+    return;
+  }
+
+  const content = fs.readFileSync(configPath, "utf-8");
+
+  if (content.includes("auth:") || content.includes("auth :")) {
+    console.log("  'auth' section already exists in swallowkit.config.js");
+    return;
+  }
+
+  // Find the last property before the closing of module.exports
+  const closingBraceIdx = content.lastIndexOf("}");
+  if (closingBraceIdx === -1) {
+    console.error(" Could not parse config file structure.");
+    return;
+  }
+
+  const beforeClosing = content.substring(0, closingBraceIdx).trimEnd();
+  const needsComma = !beforeClosing.endsWith(",") && !beforeClosing.endsWith("{");
+
+  const authBlock = `${needsComma ? "," : ""}
+  // 認証認可設定
+  auth: {
+    provider: '${provider}',
+    customJwt: {
+      userConnector: '${config.userConnector}',
+      userTable: '${config.userTable}',
+      loginIdColumn: '${config.loginIdColumn}',
+      passwordHashColumn: '${config.passwordHashColumn}',
+      rolesColumn: '${config.rolesColumn}',
+      jwtSecretEnv: '${config.jwtSecretEnv || "JWT_SECRET"}',
+      tokenExpiry: '${config.tokenExpiry || "24h"}',
+    },
+    authorization: {
+      defaultPolicy: 'authenticated',
+    },
+  },
+`;
+
+  const newContent = content.substring(0, closingBraceIdx) + authBlock + content.substring(closingBraceIdx);
+  fs.writeFileSync(configPath, newContent, "utf-8");
+  console.log(` Updated: swallowkit.config.js`);
+}
+
+function updateEnvironmentFiles(cwd: string): void {
+  // Update functions/local.settings.json
+  const localSettingsPath = path.join(cwd, "functions", "local.settings.json");
+  if (fs.existsSync(localSettingsPath)) {
+    const settings = JSON.parse(fs.readFileSync(localSettingsPath, "utf-8"));
+    if (!settings.Values) settings.Values = {};
+    if (!settings.Values.JWT_SECRET) {
+      settings.Values.JWT_SECRET = "dev-jwt-secret-change-in-production-min-32-chars!!";
+    }
+    fs.writeFileSync(localSettingsPath, JSON.stringify(settings, null, 2), "utf-8");
+    console.log(` Updated: functions/local.settings.json`);
+  }
+
+  // Update .env.example
+  const envExamplePath = path.join(cwd, ".env.example");
+  if (fs.existsSync(envExamplePath)) {
+    let content = fs.readFileSync(envExamplePath, "utf-8");
+    if (!content.includes("JWT_SECRET")) {
+      content += "\n# Authentication\nJWT_SECRET=your-jwt-secret-key-at-least-32-chars\n";
+      fs.writeFileSync(envExamplePath, content, "utf-8");
+      console.log(` Updated: .env.example`);
+    }
+  }
+}
+
+async function installAuthDependencies(cwd: string, backendLanguage: BackendLanguage, provider: "mysql" | "postgres" | "sqlserver" = "mysql"): Promise<void> {
+  const pm = detectFromProject();
+  const cmds = getCommands(pm);
+
+  if (backendLanguage === "typescript") {
+    const funcPkgPath = path.join(cwd, "functions", "package.json");
+    if (fs.existsSync(funcPkgPath)) {
+      const funcPkg = JSON.parse(fs.readFileSync(funcPkgPath, "utf-8"));
+      if (!funcPkg.dependencies) funcPkg.dependencies = {};
+      funcPkg.dependencies["jsonwebtoken"] = "^9.0.0";
+      funcPkg.dependencies["bcryptjs"] = "^2.4.3";
+      // RDB driver based on provider
+      if (provider === "mysql") funcPkg.dependencies["mysql2"] = "^3.11.0";
+      else if (provider === "postgres") funcPkg.dependencies["pg"] = "^8.13.0";
+      else funcPkg.dependencies["mssql"] = "^11.0.0";
+      if (!funcPkg.devDependencies) funcPkg.devDependencies = {};
+      funcPkg.devDependencies["@types/jsonwebtoken"] = "^9.0.0";
+      funcPkg.devDependencies["@types/bcryptjs"] = "^2.4.0";
+      if (provider === "postgres") funcPkg.devDependencies["@types/pg"] = "^8.11.0";
+      fs.writeFileSync(funcPkgPath, JSON.stringify(funcPkg, null, 2), "utf-8");
+      console.log(` Updated: functions/package.json with auth dependencies (${provider})`);
+    }
+  } else if (backendLanguage === "csharp") {
+    // Add NuGet package references to .csproj
+    const functionsDir = path.join(cwd, "functions");
+    const csprojFiles = fs.readdirSync(functionsDir).filter((f: string) => f.endsWith(".csproj"));
+    if (csprojFiles.length > 0) {
+      const csprojPath = path.join(functionsDir, csprojFiles[0]);
+      let csprojContent = fs.readFileSync(csprojPath, "utf-8");
+      const nugetPackages: { name: string; version: string }[] = [
+        { name: "System.IdentityModel.Tokens.Jwt", version: "7.0.0" },
+        { name: "Microsoft.IdentityModel.Tokens", version: "7.0.0" },
+        { name: "BCrypt.Net-Next", version: "4.0.3" },
+      ];
+      // RDB driver based on provider
+      if (provider === "mysql") nugetPackages.push({ name: "MySqlConnector", version: "2.3.0" });
+      else if (provider === "postgres") nugetPackages.push({ name: "Npgsql", version: "8.0.0" });
+      else nugetPackages.push({ name: "Microsoft.Data.SqlClient", version: "5.2.0" });
+      for (const pkg of nugetPackages) {
+        if (!csprojContent.includes(`"${pkg.name}"`)) {
+          const insertPoint = csprojContent.lastIndexOf("</ItemGroup>");
+          if (insertPoint >= 0) {
+            csprojContent =
+              csprojContent.slice(0, insertPoint) +
+              `  <PackageReference Include="${pkg.name}" Version="${pkg.version}" />\n  ` +
+              csprojContent.slice(insertPoint);
+          }
+        }
+      }
+      fs.writeFileSync(csprojPath, csprojContent, "utf-8");
+      console.log(` Updated: ${csprojFiles[0]} with auth NuGet packages (${provider})`);
+    }
+  } else if (backendLanguage === "python") {
+    // Add Python dependencies to requirements.txt
+    const requirementsPath = path.join(cwd, "functions", "requirements.txt");
+    const baseDeps = ["PyJWT>=2.8.0", "bcrypt>=4.1.0"];
+    // RDB driver based on provider
+    if (provider === "mysql") baseDeps.push("mysql-connector-python>=8.3.0");
+    else if (provider === "postgres") baseDeps.push("psycopg2-binary>=2.9.0");
+    else baseDeps.push("pymssql>=2.2.0");
+    if (fs.existsSync(requirementsPath)) {
+      let content = fs.readFileSync(requirementsPath, "utf-8");
+      for (const dep of baseDeps) {
+        const pkgName = dep.split(">=")[0].split("==")[0];
+        if (!content.includes(pkgName)) {
+          content += `${dep}\n`;
+        }
+      }
+      fs.writeFileSync(requirementsPath, content, "utf-8");
+    } else {
+      fs.writeFileSync(requirementsPath, baseDeps.join("\n") + "\n", "utf-8");
+    }
+    console.log(` Updated: functions/requirements.txt with auth dependencies`);
+  }
+}

package/src/cli/commands/dev.ts

@@ -4,7 +4,7 @@ import * as path from 'path';
 import * as fs from 'fs';
 import * as os from 'os';
 import { CosmosClient, PartitionKeyKind } from '@azure/cosmos';
-import { ensureSwallowKitProject, getBackendLanguage } from '../../core/config';
+import { ensureSwallowKitProject, getBackendLanguage, getAuthConfig, getFullConfig } from '../../core/config';
 import { ModelInfo } from '../../core/scaffold/model-parser';
 import { applyDevSeedEnvironment, getContainerNameForModel, loadProjectModels } from './dev-seeds';
 import { BackendLanguage } from '../../types';
@@ -709,7 +709,34 @@ async function startDevEnvironment(options: DevOptions) {
       const allModels = await loadProjectModels();
       const connectorModels = allModels.filter((m) => m.connectorConfig);
 
-      if (connectorModels.length > 0) {
+      // Resolve auth config — auth functions use RDB connectors, mocked alongside other models
+      const authConfig = getAuthConfig();
+      let mockAuthConfig: { jwtSecret: string; tokenExpiry?: string; customJwt?: { userTable: string; loginIdColumn: string; passwordHashColumn: string; rolesColumn: string }; defaultPolicy?: "authenticated" | "anonymous" } | undefined;
+      if (authConfig?.provider === 'custom-jwt' && authConfig.customJwt) {
+        const fullConfig = getFullConfig();
+        // Read JWT_SECRET from functions/local.settings.json if available
+        let jwtSecret = 'dev-jwt-secret-change-in-production-min-32-chars!!';
+        try {
+          const localSettingsPath = path.join(process.cwd(), 'functions', 'local.settings.json');
+          if (fs.existsSync(localSettingsPath)) {
+            const localSettings = JSON.parse(fs.readFileSync(localSettingsPath, 'utf-8'));
+            jwtSecret = localSettings.Values?.[authConfig.customJwt.jwtSecretEnv || 'JWT_SECRET'] || jwtSecret;
+          }
+        } catch { /* ignore */ }
+        mockAuthConfig = {
+          jwtSecret,
+          tokenExpiry: authConfig.customJwt.tokenExpiry,
+          customJwt: {
+            userTable: authConfig.customJwt.userTable,
+            loginIdColumn: authConfig.customJwt.loginIdColumn,
+            passwordHashColumn: authConfig.customJwt.passwordHashColumn,
+            rolesColumn: authConfig.customJwt.rolesColumn,
+          },
+          defaultPolicy: authConfig.authorization?.defaultPolicy,
+        };
+      }
+
+      if (connectorModels.length > 0 || mockAuthConfig) {
         const mockPort = parseInt(functionsPort, 10) + 1;
         mockServer = new ConnectorMockServer({
           port: mockPort,
@@ -718,18 +745,22 @@ async function startDevEnvironment(options: DevOptions) {
           allModels,
           seedEnv: options.seedEnv,
           host: options.host || 'localhost',
+          authConfig: mockAuthConfig,
         });
 
         await mockServer.start();
         bffTargetPort = String(mockPort);
 
+        const modelCount = connectorModels.length + (mockAuthConfig ? 1 : 0);
         console.log('');
-        console.log(`🔌 Connector mock server started (port: ${mockPort})`);
-        console.log(`   Mocking ${connectorModels.length} connector model(s):`);
+        console.log(`🔌 Mock server started (port: ${mockPort}) — ${modelCount} model(s) mocked via Zod/seed data`);
         for (const m of connectorModels) {
           const ops = m.connectorConfig!.operations.join(', ');
           console.log(`     - ${m.name} [${ops}]`);
         }
+        if (mockAuthConfig) {
+          console.log(`     - auth [login, me, logout]`);
+        }
         console.log(`   Other routes → proxied to Azure Functions (port: ${functionsPort})`);
       } else {
         console.log('');