feat: add functional authentication

2025-08-12 23:11:08 +02:00
parent f0630d43b7
commit 82d7a0d9cd
74 changed files with 763 additions and 396 deletions
--- a/spec/schemas/README.md
+++ b/spec/schemas/README.md
@@ -0,0 +1 @@
+# Modules
--- a/spec/schemas/access/role.ts
+++ b/spec/schemas/access/role.ts
@@ -0,0 +1,14 @@
+import z from "zod";
+
+import { makeSchemaParser } from "../database.ts";
+
+export const RoleSchema = z.object({
+  id: z.uuid(),
+  name: z.string(),
+  permissions: z.record(z.string(), z.array(z.string())),
+});
+
+export const parseRole = makeSchemaParser(RoleSchema);
+
+export type Role = z.infer<typeof RoleSchema>;
+export type RoleDocument = z.infer<typeof RoleSchema>;
--- a/spec/schemas/account/account.ts
+++ b/spec/schemas/account/account.ts
@@ -0,0 +1,27 @@
+import { z } from "zod";
+
+import { RoleSchema } from "../access/role.ts";
+import { AvatarSchema } from "../avatar.ts";
+import { ContactSchema } from "../contact.ts";
+import { makeSchemaParser } from "../database.ts";
+import { NameSchema } from "../name.ts";
+import { StrategySchema } from "./strategies.ts";
+
+export const AccountSchema = z.object({
+  id: z.uuid(),
+  avatar: AvatarSchema.optional(),
+  name: NameSchema.optional(),
+  contact: ContactSchema.default({
+    emails: [],
+  }),
+  strategies: z.array(StrategySchema).default([]),
+  roles: z.array(RoleSchema).default([]),
+});
+
+export const AccountDocumentSchema = AccountSchema.omit({ roles: true }).extend({ roles: z.array(z.string()) });
+
+export const toAccountDocument = makeSchemaParser(AccountDocumentSchema);
+export const fromAccountDocument = makeSchemaParser(AccountSchema);
+
+export type Account = z.infer<typeof AccountSchema>;
+export type AccountDocument = z.infer<typeof AccountDocumentSchema>;
--- a/spec/schemas/account/errors.ts
+++ b/spec/schemas/account/errors.ts
@@ -0,0 +1,7 @@
+import { ConflictError } from "@spec/relay/mod.ts";
+
+export class AccountEmailClaimedError extends ConflictError {
+  constructor(email: string) {
+    super(`Email '${email}' is already claimed by another account.`);
+  }
+}
--- a/spec/schemas/account/routes.ts
+++ b/spec/schemas/account/routes.ts
@@ -0,0 +1,20 @@
+import { route } from "@spec/relay";
+import z from "zod";
+
+import { NameSchema } from "../name.ts";
+import { AccountEmailClaimedError } from "./errors.ts";
+
+export const create = route
+  .post("/api/v1/accounts")
+  .body(
+    z.object({
+      name: NameSchema,
+      email: z.email(),
+    }),
+  )
+  .errors([AccountEmailClaimedError])
+  .response(z.uuid());
+
+export const routes = {
+  create,
+};
--- a/spec/schemas/account/strategies.ts
+++ b/spec/schemas/account/strategies.ts
@@ -0,0 +1,33 @@
+import z from "zod";
+
+const EmailStrategySchema = z.object({
+  type: z.literal("email"),
+  value: z.string(),
+});
+
+const PasswordStrategySchema = z.object({
+  type: z.literal("password"),
+  alias: z.string(),
+  password: z.string(),
+});
+
+const PasskeyStrategySchema = z.object({
+  type: z.literal("passkey"),
+  credId: z.string(),
+  credPublicKey: z.string(),
+  webauthnUserId: z.string(),
+  counter: z.number(),
+  backupEligible: z.boolean(),
+  backupStatus: z.boolean(),
+  transports: z.string(),
+  createdAt: z.date(),
+  lastUsed: z.date(),
+});
+
+export const StrategySchema = z.discriminatedUnion("type", [
+  EmailStrategySchema,
+  PasswordStrategySchema,
+  PasskeyStrategySchema,
+]);
+
+export type Strategy = z.infer<typeof StrategySchema>;
--- a/spec/schemas/auth/errors.ts
+++ b/spec/schemas/auth/errors.ts
@@ -0,0 +1,7 @@
+import { BadRequestError } from "@spec/relay";
+
+export class AuthenticationStrategyPayloadError extends BadRequestError {
+  constructor() {
+    super("Provided authentication payload is not recognized.");
+  }
+}
--- a/spec/schemas/auth/routes.ts
+++ b/spec/schemas/auth/routes.ts
@@ -0,0 +1,41 @@
+import { route, UnauthorizedError } from "@spec/relay";
+import z from "zod";
+
+import { AccountSchema } from "../account/account.ts";
+
+export * from "./errors.ts";
+export * from "./strategies.ts";
+
+export const email = route.post("/api/v1/auth/email").body(
+  z.object({
+    base: z.url(),
+    email: z.email(),
+  }),
+);
+
+export const password = route.post("/api/v1/auth/password").body(
+  z.object({
+    alias: z.string(),
+    password: z.string(),
+  }),
+);
+
+export const code = route
+  .get("/api/v1/auth/code/:accountId/code/:codeId/:value")
+  .params({
+    accountId: z.string(),
+    codeId: z.string(),
+    value: z.string(),
+  })
+  .query({
+    next: z.string().optional(),
+  });
+
+export const session = route.get("/api/v1/auth/session").response(AccountSchema).errors([UnauthorizedError]);
+
+export const routes = {
+  email,
+  password,
+  code,
+  session,
+};
--- a/spec/schemas/auth/strategies.ts
+++ b/spec/schemas/auth/strategies.ts
@@ -0,0 +1,44 @@
+import { z } from "zod";
+
+export const PasskeyStrategySchema = z.object({
+  type: z.literal("passkey").describe("Authentication strategy type for WebAuthn/Passkey"),
+  id: z.string().describe("Base64URL encoded credential ID"),
+  rawId: z.string().describe("Raw credential ID as base64URL encoded string"),
+  response: z
+    .object({
+      clientDataJSON: z.string().describe("Base64URL encoded client data JSON"),
+      authenticatorData: z.string().describe("Base64URL encoded authenticator data"),
+      signature: z.string().optional().describe("Signature for authentication responses"),
+      userHandle: z.string().optional().describe("Optional user handle identifier"),
+      attestationObject: z.string().optional().describe("Attestation object for registration responses"),
+    })
+    .describe("WebAuthn response data"),
+  clientExtensionResults: z
+    .record(z.string(), z.unknown())
+    .default({})
+    .describe("Results from WebAuthn extension inputs"),
+  authenticatorAttachment: z
+    .enum(["platform", "cross-platform"])
+    .optional()
+    .describe("Type of authenticator used (platform or cross-platform)"),
+});
+
+export const EmailStrategySchema = z.object({
+  type: z.literal("email").describe("Authentication strategy type for email"),
+  email: z.email().describe("User's email address for authentication"),
+});
+
+export const PasswordStrategySchema = z.object({
+  type: z.literal("password").describe("Authentication strategy type for password"),
+  alias: z.string().describe("User alias (username or email)"),
+  password: z.string().describe("User's password"),
+});
+
+export const StrategySchema = z
+  .union([PasskeyStrategySchema, EmailStrategySchema, PasswordStrategySchema])
+  .describe("Union of all available authentication strategy schemas");
+
+export type PasskeyStrategy = z.infer<typeof PasskeyStrategySchema>;
+export type EmailStrategy = z.infer<typeof EmailStrategySchema>;
+export type PasswordStrategy = z.infer<typeof PasswordStrategySchema>;
+export type Strategy = z.infer<typeof StrategySchema>;
--- a/spec/schemas/avatar.ts
+++ b/spec/schemas/avatar.ts
@@ -0,0 +1,7 @@
+import z from "zod";
+
+export const AvatarSchema = z.object({
+  url: z.string().describe("A valid URL pointing to the user's avatar image."),
+});
+
+export type Avatar = z.infer<typeof AvatarSchema>;
--- a/spec/schemas/contact.ts
+++ b/spec/schemas/contact.ts
@@ -0,0 +1,9 @@
+import z from "zod";
+
+import { EmailSchema } from "./email.ts";
+
+export const ContactSchema = z.object({
+  emails: z.array(EmailSchema).default([]).describe("A list of email addresses associated with the contact."),
+});
+
+export type Contact = z.infer<typeof ContactSchema>;
--- a/spec/schemas/database.ts
+++ b/spec/schemas/database.ts
@@ -0,0 +1,15 @@
+import z, { ZodObject } from "zod";
+
+export function makeSchemaParser<TSchema extends ZodObject>(schema: TSchema): SchemaParserFn<TSchema> {
+  return ((value: unknown | unknown[]) => {
+    if (Array.isArray(value)) {
+      return value.map((value: unknown) => schema.parse(value));
+    }
+    return schema.parse(value);
+  }) as SchemaParserFn<TSchema>;
+}
+
+type SchemaParserFn<TSchema extends ZodObject> = {
+  (value: unknown): z.infer<TSchema>;
+  (value: unknown[]): z.infer<TSchema>[];
+};
--- a/spec/schemas/email.ts
+++ b/spec/schemas/email.ts
@@ -0,0 +1,11 @@
+import z from "zod";
+
+export const EmailSchema = z.object({
+  type: z.enum(["personal", "work"]).describe("The context of the email address, e.g., personal or work."),
+  value: z.email().describe("A valid email address string."),
+  primary: z.boolean().describe("Indicates if this is the primary email."),
+  verified: z.boolean().describe("True if the email address has been verified."),
+  label: z.string().optional().describe("Optional display label for the email address."),
+});
+
+export type Email = z.infer<typeof EmailSchema>;
--- a/spec/schemas/name.ts
+++ b/spec/schemas/name.ts
@@ -0,0 +1,8 @@
+import { z } from "zod";
+
+export const NameSchema = z.object({
+  family: z.string().nullable().describe("Family name, also known as last name or surname."),
+  given: z.string().nullable().describe("Given name, also known as first name."),
+});
+
+export type Name = z.infer<typeof NameSchema>;
--- a/spec/schemas/package.json
+++ b/spec/schemas/package.json
@@ -0,0 +1,10 @@
+{
+  "name": "@spec/schemas",
+  "version": "0.0.0",
+  "private": true,
+  "type": "module",
+  "dependencies": {
+    "@spec/relay": "workspace:*",
+    "zod": "4"
+  }
+}