swallowkit 1.0.0-beta.13 → 1.0.0-beta.15

package/src/cli/commands/scaffold.ts

@@ -6,7 +6,7 @@
 import * as fs from "fs";
 import * as path from "path";
 import { spawn, spawnSync } from "child_process";
-import { getBackendLanguage, getConnectorDefinition, ensureSwallowKitProject } from "../../core/config";
+import { getBackendLanguage, getConnectorDefinition, getAuthConfig, ensureSwallowKitProject } from "../../core/config";
 import { ModelInfo, parseModelFile, toKebabCase, toPascalCase, toCamelCase } from "../../core/scaffold/model-parser";
 import {
   generateCSharpAzureFunctionsCRUD,
@@ -30,6 +30,7 @@ import {
   generateFormComponent,
   generateNewPage,
   generateEditPage,
+  UIAuthOptions,
 } from "../../core/scaffold/ui-generator";
 import { detectFromProject, getCommands } from "../../utils/package-manager";
 import {
@@ -38,6 +39,8 @@ import {
   ApiConnectorConfig,
   RdbModelConnectorConfig,
   ApiModelConnectorConfig,
+  ModelAuthPolicy,
+  AuthConfig,
 } from "../../types";
 
 interface ScaffoldOptions {
@@ -103,6 +106,8 @@ export async function scaffoldCommand(options: ScaffoldOptions) {
     // 6. Generate Azure Functions code
     if (isConnectorModel) {
       await generateConnectorFunctionsCode(modelInfo, functionsDir, sharedPackageName, backendLanguage);
+      // 6b. Install connector driver dependencies
+      await installConnectorDriverDependencies(modelInfo, functionsDir, backendLanguage);
     } else {
       await generateFunctionsCode(modelInfo, functionsDir, sharedPackageName, backendLanguage);
 
@@ -126,7 +131,13 @@ export async function scaffoldCommand(options: ScaffoldOptions) {
 
     // 9. Generate UI components (unless --api-only)
     if (!options.apiOnly) {
-      await generateUIComponents(modelInfo, sharedPackageName);
+      const uiAuthConfig = getAuthConfig();
+      const uiAuthPolicy = resolveAuthPolicy(modelInfo, uiAuthConfig);
+      const uiAuthOptions: UIAuthOptions | undefined =
+        uiAuthPolicy && uiAuthConfig && uiAuthConfig.provider !== 'none'
+          ? { authPolicy: uiAuthPolicy }
+          : undefined;
+      await generateUIComponents(modelInfo, sharedPackageName, uiAuthOptions);
       await updateNavigationMenu(modelInfo);
     }
 
@@ -153,6 +164,33 @@ export async function scaffoldCommand(options: ScaffoldOptions) {
   }
 }
 
+/**
+ * モデルの authPolicy と auth config から実効的な認可ポリシーを解決
+ * - モデルに authPolicy があればそれを使用
+ * - なければ auth.authorization.defaultPolicy に従う
+ * - auth 設定がなければ undefined（ガードなし）
+ */
+function resolveAuthPolicy(modelInfo: ModelInfo, authConfig: AuthConfig | undefined): ModelAuthPolicy | undefined {
+  // モデルに明示的な authPolicy がある場合はそれを使用
+  if (modelInfo.authPolicy) {
+    return modelInfo.authPolicy;
+  }
+
+  // auth 設定がない場合はガードなし
+  if (!authConfig || authConfig.provider === 'none') {
+    return undefined;
+  }
+
+  // defaultPolicy が 'authenticated' なら認証のみ（ロール指定なし）のポリシーを返す
+  const defaultPolicy = authConfig.authorization?.defaultPolicy ?? 'authenticated';
+  if (defaultPolicy === 'authenticated') {
+    return {}; // 空のポリシー = 認証のみ、ロール制限なし
+  }
+
+  // defaultPolicy が 'anonymous' なら認証不要
+  return undefined;
+}
+
 /**
  * モデルファイルのパスを解決
  */
@@ -236,7 +274,17 @@ async function generateCallFunctionHelper(): Promise<void> {
     fs.mkdirSync(helperDir, { recursive: true });
   }
 
-  const helperCode = generateBFFCallFunction();
+  // auth 設定がある場合は Authorization ヘッダー転送版を生成
+  const authConfig = getAuthConfig();
+  const hasAuth = authConfig && authConfig.provider !== 'none';
+  let helperCode: string;
+  if (hasAuth) {
+    const { generateBFFCallFunctionWithAuth } = await import("../../core/scaffold/auth-generator");
+    helperCode = generateBFFCallFunctionWithAuth();
+  } else {
+    helperCode = generateBFFCallFunction();
+  }
+
   fs.writeFileSync(helperPath, helperCode, "utf-8");
   console.log(`✅ Created: ${helperPath}`);
 }
@@ -252,6 +300,13 @@ async function generateFunctionsCode(
 ): Promise<void> {
   console.log("\n🔨 Generating Azure Functions CRUD code...");
 
+  // Resolve auth policy: model-level authPolicy or global defaultPolicy
+  const authConfig = getAuthConfig();
+  const authPolicy = resolveAuthPolicy(modelInfo, authConfig);
+  if (authPolicy) {
+    console.log(`🔐 Auth policy detected: ${JSON.stringify(authPolicy)}`);
+  }
+
   const modelKebab = toKebabCase(modelInfo.name);
   if (backendLanguage === "typescript") {
     const functionFilePath = path.join(
@@ -266,7 +321,7 @@ async function generateFunctionsCode(
       fs.mkdirSync(functionDir, { recursive: true });
     }
 
-    const code = generateCompactAzureFunctionsCRUD(modelInfo, sharedPackageName);
+    const code = generateCompactAzureFunctionsCRUD(modelInfo, sharedPackageName, authPolicy);
     fs.writeFileSync(functionFilePath, code, "utf-8");
     console.log(`✅ Created: ${functionFilePath}`);
     return;
@@ -316,6 +371,13 @@ async function generateConnectorFunctionsCode(
     );
   }
 
+  // Resolve auth policy (same logic as Cosmos model scaffolding)
+  const authConfig = getAuthConfig();
+  const authPolicy = resolveAuthPolicy(modelInfo, authConfig);
+  if (authPolicy) {
+    console.log(`🔐 Auth policy detected: ${JSON.stringify(authPolicy)}`);
+  }
+
   const modelKebab = toKebabCase(modelInfo.name);
 
   if (backendLanguage === "typescript") {
@@ -332,13 +394,15 @@ async function generateConnectorFunctionsCode(
       code = generateRdbConnectorFunctionTS(
         modelInfo, sharedPackageName,
         connectorDef as RdbConnectorConfig,
-        connectorConfig as RdbModelConnectorConfig
+        connectorConfig as RdbModelConnectorConfig,
+        authPolicy
       );
     } else {
       code = generateApiConnectorFunctionTS(
         modelInfo, sharedPackageName,
         connectorDef as ApiConnectorConfig,
-        connectorConfig as ApiModelConnectorConfig
+        connectorConfig as ApiModelConnectorConfig,
+        authPolicy
       );
     }
 
@@ -401,6 +465,96 @@ async function generateConnectorFunctionsCode(
   console.log(`✅ Created: ${blueprintPath}`);
 }
 
+/**
+ * コネクタモデルの scaffold 後に、生成コードが必要とする RDB/API ドライバを
+ * functions ディレクトリにインストールする。
+ */
+async function installConnectorDriverDependencies(
+  modelInfo: ModelInfo,
+  functionsDir: string,
+  backendLanguage: BackendLanguage
+): Promise<void> {
+  const connectorConfig = modelInfo.connectorConfig!;
+  const connectorDef = getConnectorDefinition(connectorConfig.connector);
+  if (!connectorDef || connectorDef.type !== "rdb") return;
+
+  const rdbDef = connectorDef as RdbConnectorConfig;
+  const functionsPath = path.join(process.cwd(), functionsDir);
+
+  if (backendLanguage === "typescript") {
+    const driverMap: Record<string, { deps: string[]; devDeps: string[] }> = {
+      mysql:     { deps: ["mysql2"],  devDeps: [] },
+      postgres:  { deps: ["pg"],      devDeps: ["@types/pg"] },
+      sqlserver: { deps: ["mssql"],   devDeps: [] },
+    };
+    const entry = driverMap[rdbDef.provider];
+    if (!entry) return;
+
+    // package.json を読んで、既にインストール済みならスキップ
+    const pkgJsonPath = path.join(functionsPath, "package.json");
+    if (fs.existsSync(pkgJsonPath)) {
+      const pkg = JSON.parse(fs.readFileSync(pkgJsonPath, "utf-8"));
+      const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+      const missingDeps = entry.deps.filter(d => !allDeps[d]);
+      const missingDevDeps = entry.devDeps.filter(d => !allDeps[d]);
+      if (missingDeps.length === 0 && missingDevDeps.length === 0) return;
+    }
+
+    console.log(`\n📦 Installing ${rdbDef.provider} driver dependencies...`);
+    const pm = detectFromProject(functionsPath);
+    const cmds = getCommands(pm);
+
+    const { spawnSync } = require("child_process");
+    if (entry.deps.length > 0) {
+      spawnSync(cmds.name, [pm === "pnpm" ? "add" : "install", ...entry.deps], {
+        cwd: functionsPath, stdio: "inherit", shell: true,
+      });
+    }
+    if (entry.devDeps.length > 0) {
+      spawnSync(cmds.name, [pm === "pnpm" ? "add" : "install", "-D", ...entry.devDeps], {
+        cwd: functionsPath, stdio: "inherit", shell: true,
+      });
+    }
+    console.log(`✅ ${rdbDef.provider} driver installed`);
+    return;
+  }
+
+  if (backendLanguage === "csharp") {
+    const nugetMap: Record<string, string> = {
+      mysql:     "MySqlConnector",
+      postgres:  "Npgsql",
+      sqlserver: "Microsoft.Data.SqlClient",
+    };
+    const pkg = nugetMap[rdbDef.provider];
+    if (!pkg) return;
+    console.log(`\n📦 Installing ${rdbDef.provider} NuGet package...`);
+    const { spawnSync } = require("child_process");
+    spawnSync("dotnet", ["add", path.join(functionsPath, "functions.csproj"), "package", pkg], {
+      cwd: functionsPath, stdio: "inherit", shell: true,
+    });
+    console.log(`✅ ${pkg} installed`);
+    return;
+  }
+
+  // Python — requirements.txt に追記
+  const pipMap: Record<string, string> = {
+    mysql:     "mysql-connector-python",
+    postgres:  "psycopg2-binary",
+    sqlserver: "pymssql",
+  };
+  const pipPkg = pipMap[rdbDef.provider];
+  if (!pipPkg) return;
+  const reqPath = path.join(functionsPath, "requirements.txt");
+  if (fs.existsSync(reqPath)) {
+    const existing = fs.readFileSync(reqPath, "utf-8");
+    if (!existing.includes(pipPkg)) {
+      console.log(`\n📦 Adding ${pipPkg} to requirements.txt...`);
+      fs.appendFileSync(reqPath, `\n${pipPkg}\n`);
+      console.log(`✅ ${pipPkg} added`);
+    }
+  }
+}
+
 /**
  * コネクタモデル用 BFF ルート生成（操作制限に対応）
  */
@@ -874,7 +1028,7 @@ module ${containerModuleName} 'containers/${modelKebab}-container.bicep' = {
 /**
  * Generate UI components (list, detail, form, create, edit pages)
  */
-async function generateUIComponents(modelInfo: any, sharedPackageName: string): Promise<void> {
+async function generateUIComponents(modelInfo: any, sharedPackageName: string, authOptions?: UIAuthOptions): Promise<void> {
   console.log("\n🎨 Generating UI components...");
 
   const modelKebab = toKebabCase(modelInfo.name);
@@ -896,11 +1050,11 @@ async function generateUIComponents(modelInfo: any, sharedPackageName: string):
   });
 
   // Generate and write files
-  const listPage = generateListPage(modelInfo, sharedPackageName);
-  const detailPage = generateDetailPage(modelInfo, sharedPackageName);
+  const listPage = generateListPage(modelInfo, sharedPackageName, authOptions);
+  const detailPage = generateDetailPage(modelInfo, sharedPackageName, authOptions);
   const formComponent = generateFormComponent(modelInfo, sharedPackageName);
-  const newPage = generateNewPage(modelInfo);
-  const editPage = generateEditPage(modelInfo, sharedPackageName);
+  const newPage = generateNewPage(modelInfo, authOptions);
+  const editPage = generateEditPage(modelInfo, sharedPackageName, authOptions);
 
   fs.writeFileSync(path.join(modelDir, "page.tsx"), listPage, "utf-8");
   fs.writeFileSync(path.join(idDir, "page.tsx"), detailPage, "utf-8");

package/src/cli/index.ts

@@ -11,6 +11,7 @@ import { Command } from "commander";
 import { initCommand, devCommand, devSeedsCommand, scaffoldCommand, createModelCommand } from "./commands";
 import { provisionCommand } from "./commands/provision";
 import { addConnectorCommand } from "./commands/add-connector";
+import { addAuthCommand } from "./commands/add-auth";
 
 const program = new Command();
 
@@ -87,4 +88,14 @@ program
     });
   });
 
+program
+  .command("add-auth")
+  .description("Add authentication and authorization to the project")
+  .option("--provider <provider>", "Auth provider: custom-jwt | swa | swa-custom | none", "custom-jwt")
+  .action((options) => {
+    addAuthCommand({
+      provider: options.provider,
+    });
+  });
+
 program.parse();

package/src/core/config.ts

@@ -1,6 +1,6 @@
 import * as fs from "fs";
 import * as path from "path";
-import { BackendLanguage, ConnectorDefinition, SwallowKitConfig } from "../types";
+import { AuthConfig, BackendLanguage, ConnectorDefinition, SwallowKitConfig } from "../types";
 import { detectFromProject, getCommands } from "../utils/package-manager";
 
 const VALID_BACKEND_LANGUAGES: BackendLanguage[] = ["typescript", "csharp", "python"];
@@ -81,7 +81,10 @@ function mergeConfig(defaultConfig: SwallowKitConfig, userConfig: Partial<Swallo
         ...userConfig.api?.cors,
       },
     },
-    ...(userConfig.connectors ? { connectors: userConfig.connectors } : {}),
+    connectors: userConfig.connectors ?? defaultConfig.connectors,
+    auth: userConfig.auth
+      ? { ...defaultConfig.auth, ...userConfig.auth }
+      : defaultConfig.auth,
   };
 }
 
@@ -177,6 +180,14 @@ export function getConnectorDefinition(connectorName: string, configPath?: strin
   return config.connectors?.[connectorName];
 }
 
+/**
+ * 認証設定を取得
+ */
+export function getAuthConfig(configPath?: string): AuthConfig | undefined {
+  const config = getFullConfig(configPath);
+  return config.auth;
+}
+
 /**
  * 設定の検証
  */

package/src/core/mock/connector-mock-server.ts

@@ -26,6 +26,23 @@ export interface ConnectorMockServerOptions {
   mockCount?: number;
   /** ホスト名 */
   host?: string;
+  /** Auth config — auth functions use RDB connector, mocked the same way */
+  authConfig?: {
+    /** JWT secret for mock token generation/verification */
+    jwtSecret: string;
+    /** Token expiry (e.g., '24h') */
+    tokenExpiry?: string;
+    /** Custom JWT config from swallowkit.config.js */
+    customJwt?: {
+      /** RDB table name that holds user records (e.g., "users") */
+      userTable: string;
+      loginIdColumn: string;
+      passwordHashColumn: string;
+      rolesColumn: string;
+    };
+    /** Default auth policy: 'authenticated' = all models need auth, 'anonymous' = only models with authPolicy */
+    defaultPolicy?: "authenticated" | "anonymous";
+  };
 }
 
 type MockDocument = Record<string, unknown>;
@@ -128,6 +145,12 @@ export class ConnectorMockServer {
   private handleRequest(req: http.IncomingMessage, res: http.ServerResponse) {
     const { route, id } = this.parseRoute(req.url || "");
 
+    // Auth endpoints (when authConfig is set)
+    if (this.options.authConfig && route === "auth") {
+      this.handleAuthRequest(req, res, id);
+      return;
+    }
+
     // コネクタモデルのルートか判定
     if (route && this.routeMap.has(route)) {
       this.handleMockCrud(req, res, route, id);
@@ -165,6 +188,11 @@ export class ConnectorMockServer {
     const model = this.routeMap.get(route)!;
     const ops = model.connectorConfig?.operations || [];
 
+    const isWrite = method === "POST" || method === "PUT" || method === "DELETE";
+    const requiredRoles = this.resolveRequiredRoles(model, isWrite);
+    const authResult = this.checkAuth(req, res, model, requiredRoles);
+    if (authResult === "error") return; // 401/403 already sent
+
     switch (method) {
       case "GET":
         req.resume();
@@ -258,8 +286,228 @@ export class ConnectorMockServer {
     req.pipe(proxyReq, { end: true });
   }
 
+  // ─── Auth Routes (RDB user queries + JWT generation) ───
+
+  private handleAuthRequest(
+    req: http.IncomingMessage,
+    res: http.ServerResponse,
+    endpoint: string | null
+  ) {
+    const method = (req.method || "GET").toUpperCase();
+
+    // Handle CORS preflight
+    if (method === "OPTIONS") {
+      req.resume();
+      res.writeHead(200, {
+        "Access-Control-Allow-Origin": "*",
+        "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
+        "Access-Control-Allow-Headers": "Content-Type, Authorization",
+      });
+      res.end();
+      return;
+    }
+
+    if (endpoint === "login" && method === "POST") {
+      this.handleLogin(req, res);
+    } else if (endpoint === "me" && method === "GET") {
+      this.handleMe(req, res);
+    } else if (endpoint === "logout" && method === "POST") {
+      req.resume();
+      this.sendJson(res, 200, { message: "Logged out" });
+    } else {
+      req.resume();
+      this.sendJson(res, 404, { error: "Auth endpoint not found" });
+    }
+  }
+
+  private handleLogin(req: http.IncomingMessage, res: http.ServerResponse) {
+    this.readBody(req, (body) => {
+      const loginId = body.loginId as string;
+      const password = body.password as string;
+
+      if (!loginId || !password) {
+        return this.sendJson(res, 400, { error: "loginId and password are required" });
+      }
+
+      const users = this.resolveUserStore();
+      if (!users) {
+        return this.sendJson(res, 500, {
+          error: "No user model found — ensure a connector model with the configured userTable exists",
+        });
+      }
+
+      const loginField = this.options.authConfig?.customJwt?.loginIdColumn || "loginId";
+      const passwordField = this.options.authConfig?.customJwt?.passwordHashColumn || "password";
+      const rolesField = this.options.authConfig?.customJwt?.rolesColumn || "roles";
+
+      const user = users.find(
+        (u) => (u[loginField] || u.loginId) === loginId
+      );
+
+      if (!user) {
+        return this.sendJson(res, 401, { error: "Invalid credentials" });
+      }
+
+      // Plaintext password comparison (mock mode only)
+      const storedPassword = (user[passwordField] || user.password) as string;
+      if (storedPassword !== password) {
+        return this.sendJson(res, 401, { error: "Invalid credentials" });
+      }
+
+      // Parse roles
+      let roles: string[] = [];
+      const rolesValue = user[rolesField] || user.roles;
+      if (Array.isArray(rolesValue)) {
+        roles = rolesValue as string[];
+      } else if (typeof rolesValue === "string") {
+        try {
+          roles = JSON.parse(rolesValue);
+        } catch {
+          roles = (rolesValue as string).split(",").map((r: string) => r.trim());
+        }
+      }
+
+      const authUser = {
+        id: String(user.id),
+        loginId: String(user[loginField] || user.loginId),
+        name: String(user.name || user[loginField] || user.loginId),
+        email: String(user.email || ""),
+        roles,
+      };
+
+      // Generate JWT
+      const jwt = require("jsonwebtoken");
+      const secret = this.options.authConfig!.jwtSecret;
+      const expiry = this.options.authConfig!.tokenExpiry || "24h";
+
+      const token = jwt.sign(
+        {
+          sub: authUser.id,
+          loginId: authUser.loginId,
+          name: authUser.name,
+          email: authUser.email,
+          roles: authUser.roles,
+        },
+        secret,
+        { expiresIn: expiry }
+      );
+
+      const expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString();
+
+      this.sendJson(res, 200, { user: authUser, token, expiresAt });
+    });
+  }
+
+  private handleMe(req: http.IncomingMessage, res: http.ServerResponse) {
+    req.resume();
+
+    const authHeader = req.headers["authorization"];
+    if (!authHeader || !authHeader.startsWith("Bearer ")) {
+      return this.sendJson(res, 401, { error: "Missing or invalid Authorization header" });
+    }
+
+    const token = authHeader.slice(7);
+    try {
+      const jwt = require("jsonwebtoken");
+      const secret = this.options.authConfig!.jwtSecret;
+      const payload = jwt.verify(token, secret) as Record<string, unknown>;
+      this.sendJson(res, 200, {
+        sub: payload.sub,
+        loginId: payload.loginId,
+        name: payload.name,
+        email: payload.email,
+        roles: payload.roles,
+      });
+    } catch {
+      this.sendJson(res, 401, { error: "Invalid or expired token" });
+    }
+  }
+
   // ─── Utilities ────────────────────────────────────────────
 
+  /**
+   * authConfig.customJwt.userTable に対応するモデルのストアを返す。
+   * ユーザーテーブルが見つからない場合は null を返す。
+   */
+  private resolveUserStore(): MockDocument[] | null {
+    const userTable = this.options.authConfig?.customJwt?.userTable;
+    if (!userTable) return null;
+
+    for (const model of this.options.connectorModels) {
+      const cfg = model.connectorConfig;
+      if (cfg && "table" in cfg && cfg.table === userTable) {
+        return this.stores.get(toCamelCase(model.name)) || null;
+      }
+    }
+    return null;
+  }
+
+  /**
+   * JWT を検証し、ペイロード（roles 含む）を返す。
+   * 認証不要な場合は null を返す。401/403 の場合はレスポンスを送信して 'error' を返す。
+   */
+  private checkAuth(
+    req: http.IncomingMessage,
+    res: http.ServerResponse,
+    model: ModelInfo,
+    requiredRoles: string[] | undefined
+  ): Record<string, unknown> | null | "error" {
+    const authCfg = this.options.authConfig;
+    if (!authCfg) return null; // auth 未設定 → 全スルー
+
+    const policy = model.authPolicy;
+    const defaultPolicy = authCfg.defaultPolicy || "anonymous";
+
+    // モデルに authPolicy がなく defaultPolicy が anonymous → 認証不要
+    if (!policy && defaultPolicy === "anonymous") return null;
+
+    // JWT 検証
+    const authHeader = req.headers["authorization"];
+    if (!authHeader || !authHeader.startsWith("Bearer ")) {
+      this.sendJson(res, 401, { error: "Missing or invalid Authorization header" });
+      return "error";
+    }
+
+    const token = authHeader.slice(7);
+    try {
+      const jwt = require("jsonwebtoken");
+      const payload = jwt.verify(token, authCfg.jwtSecret) as Record<string, unknown>;
+
+      // ロールチェック
+      if (requiredRoles && requiredRoles.length > 0) {
+        const userRoles = Array.isArray(payload.roles) ? (payload.roles as string[]) : [];
+        const hasRole = requiredRoles.some((r) => userRoles.includes(r));
+        if (!hasRole) {
+          this.sendJson(res, 403, {
+            error: `Requires one of roles: ${requiredRoles.join(", ")}`,
+          });
+          return "error";
+        }
+      }
+
+      return payload;
+    } catch {
+      this.sendJson(res, 401, { error: "Invalid or expired token" });
+      return "error";
+    }
+  }
+
+  /**
+   * モデルの authPolicy から read/write に必要なロールを解決
+   */
+  private resolveRequiredRoles(
+    model: ModelInfo,
+    isWrite: boolean
+  ): string[] | undefined {
+    const policy = model.authPolicy;
+    if (!policy) return undefined; // defaultPolicy: authenticated → 認証のみ、ロールチェック不要
+
+    if (isWrite) {
+      return policy.write || policy.roles;
+    }
+    return policy.read || policy.roles;
+  }
+
   private readBody(req: http.IncomingMessage, callback: (body: MockDocument) => void) {
     let data = "";
     req.on("data", (chunk) => (data += chunk));