feat: add supertokens

modules/identity/routes/identities/get/handle.ts

@@ -1,16 +1,21 @@
 import { ForbiddenError, NotFoundError } from "@platform/relay";
+import { getPrincipalAttributes, getPrincipalRoles } from "@platform/supertoken/principal.ts";
+import { getUserById } from "@platform/supertoken/users.ts";
 
-import { getIdentityById } from "../../../database.ts";
 import route from "./spec.ts";
 
 export default route.access("session").handle(async ({ params: { id } }, { access }) => {
-  const identity = await getIdentityById(id);
-  if (identity === undefined) {
+  const user = await getUserById(id);
+  if (user === undefined) {
     return new NotFoundError("Identity does not exist, or has been removed.");
   }
-  const decision = await access.isAllowed({ kind: "identity", id: identity.id, attr: {} }, "read");
+  const decision = await access.isAllowed({ kind: "identity", id: user.id, attr: {} }, "read");
   if (decision === false) {
     return new ForbiddenError("You do not have permission to view this identity.");
   }
-  return identity;
+  return {
+    id: user.id,
+    roles: await getPrincipalRoles(id),
+    attr: await getPrincipalAttributes(id),
+  };
 });

modules/identity/routes/identities/get/spec.ts

@@ -1,12 +1,10 @@
 import { ForbiddenError, NotFoundError, route, UnauthorizedError } from "@platform/relay";
 import z from "zod";
 
-import { IdentitySchema } from "../../../models/identity.ts";
-
 export default route
-  .get("/api/v1/identities/:id")
+  .get("/api/v1/identity/:id")
   .params({
     id: z.string(),
   })
   .errors([UnauthorizedError, ForbiddenError, NotFoundError])
-  .response(IdentitySchema);
+  .response(z.any());

modules/identity/routes/identities/me/handle.ts

@@ -1,12 +0,0 @@
-import { UnauthorizedError } from "@platform/relay";
-
-import { getIdentityById } from "../../../database.ts";
-import route from "./spec.ts";
-
-export default route.access("session").handle(async ({ principal }) => {
-  const identity = await getIdentityById(principal.id);
-  if (identity === undefined) {
-    return new UnauthorizedError("You must be signed in to view your session.");
-  }
-  return identity;
-});

modules/identity/routes/identities/me/spec.ts

@@ -1,5 +0,0 @@
-import { NotFoundError, route, UnauthorizedError } from "@platform/relay";
-
-import { IdentitySchema } from "../../../models/identity.ts";
-
-export default route.get("/api/v1/identities/me").response(IdentitySchema).errors([UnauthorizedError, NotFoundError]);

modules/identity/routes/identities/register/handle.ts

@@ -1,11 +0,0 @@
-import { Identity, isEmailClaimed } from "../../../aggregates/identity.ts";
-import { IdentityEmailClaimedError } from "../../../errors.ts";
-import { eventStore } from "../../../event-store.ts";
-import route from "./spec.ts";
-
-export default route.access("public").handle(async ({ body: { name, email } }) => {
-  if ((await isEmailClaimed(email)) === true) {
-    return new IdentityEmailClaimedError(email);
-  }
-  return eventStore.aggregate.from(Identity).create().addName(name).addEmailStrategy(email).addRole("user").save();
-});

modules/identity/routes/identities/register/spec.ts

@@ -1,17 +0,0 @@
-import { route } from "@platform/relay";
-import z from "zod";
-
-import { IdentityEmailClaimedError } from "../../../errors.ts";
-import { IdentitySchema } from "../../../models/identity.ts";
-import { NameSchema } from "../../../schemas/name.ts";
-
-export default route
-  .post("/api/v1/identities")
-  .body(
-    z.object({
-      name: NameSchema,
-      email: z.email(),
-    }),
-  )
-  .errors([IdentityEmailClaimedError])
-  .response(IdentitySchema);

modules/identity/routes/identities/resolve/handle.ts

@@ -1,13 +0,0 @@
-import { NotFoundError } from "@platform/relay";
-
-import { config } from "../../../config.ts";
-import { getIdentityById } from "../../../database.ts";
-import route from "./spec.ts";
-
-export default route.access(["internal:public", config.internal.privateKey]).handle(async ({ params: { id } }) => {
-  const identity = await getIdentityById(id);
-  if (identity === undefined) {
-    return new NotFoundError();
-  }
-  return identity;
-});

modules/identity/routes/identities/resolve/keys.ts

@@ -1,5 +0,0 @@
-import { importVault } from "@platform/vault";
-
-import { config } from "../../../config.ts";
-
-export const vault = importVault(config.internal);

modules/identity/routes/identities/resolve/spec.ts

@@ -1,12 +0,0 @@
-import { NotFoundError, route, UnauthorizedError } from "@platform/relay";
-import z from "zod";
-
-import { IdentitySchema } from "../../../models/identity.ts";
-
-export default route
-  .get("/api/v1/identities/:id/resolve")
-  .params({
-    id: z.string(),
-  })
-  .response(IdentitySchema)
-  .errors([UnauthorizedError, NotFoundError]);

modules/identity/routes/identities/update/handle.ts

@@ -0,0 +1,40 @@
+import { ForbiddenError } from "@platform/relay";
+import { getPrincipalAttributes } from "@platform/supertoken/principal.ts";
+import UserMetadata from "supertokens-node/recipe/usermetadata";
+
+import route from "./spec.ts";
+
+export default route.access("session").handle(async ({ params: { id }, body: ops }, { access }) => {
+  const decision = await access.isAllowed({ kind: "identity", id, attr: {} }, "update");
+  if (decision === false) {
+    return new ForbiddenError("You do not have permission to update this identity.");
+  }
+  const attr = await getPrincipalAttributes(id);
+  for (const op of ops) {
+    switch (op.type) {
+      case "add": {
+        attr[op.key] = op.value;
+        break;
+      }
+      case "push": {
+        if (attr[op.key] === undefined) {
+          attr[op.key] = op.values;
+        } else {
+          attr[op.key] = [...attr[op.key], ...op.values];
+        }
+        break;
+      }
+      case "pop": {
+        if (Array.isArray(attr[op.key])) {
+          attr[op.key] = attr[op.key].filter((value: any) => op.values.includes(value) === false);
+        }
+        break;
+      }
+      case "remove": {
+        delete attr[op.key];
+        break;
+      }
+    }
+  }
+  await UserMetadata.updateUserMetadata(id, { attr });
+});

modules/identity/routes/identities/update/spec.ts

@@ -0,0 +1,29 @@
+import { ForbiddenError, NotFoundError, route, UnauthorizedError } from "@platform/relay";
+import z from "zod";
+
+export default route
+  .put("/api/v1/identity/:id")
+  .params({
+    id: z.string(),
+  })
+  .body(
+    z.array(
+      z.union([
+        z.strictObject({
+          type: z.union([z.literal("add")]),
+          key: z.string(),
+          value: z.any(),
+        }),
+        z.strictObject({
+          type: z.union([z.literal("push"), z.literal("pop")]),
+          key: z.string(),
+          values: z.array(z.any()),
+        }),
+        z.strictObject({
+          type: z.union([z.literal("remove")]),
+          key: z.string(),
+        }),
+      ]),
+    ),
+  )
+  .errors([UnauthorizedError, ForbiddenError, NotFoundError]);

modules/identity/routes/login/code/handle.ts

@@ -1,85 +1,25 @@
 import { logger } from "@platform/logger";
-import cookie from "cookie";
+import { NotFoundError } from "@platform/relay";
+import { getSessionHeaders } from "@platform/supertoken/session.ts";
+import Passwordless from "supertokens-node/recipe/passwordless";
 
-import { Code } from "../../../aggregates/code.ts";
-import { Identity } from "../../../aggregates/identity.ts";
-import { auth } from "../../../auth.ts";
-import { config } from "../../../config.ts";
-import { eventStore } from "../../../event-store.ts";
 import route from "./spec.ts";
 
-export default route.access("public").handle(async ({ params: { identityId, codeId, value }, query: { next } }) => {
-  const code = await eventStore.aggregate.getByStream(Code, codeId);
-
-  if (code === undefined) {
-    return logger.info({
-      type: "code:claimed",
-      session: false,
-      message: "Invalid Code ID",
-      received: codeId,
-    });
+export default route.access("public").handle(async ({ body: { preAuthSessionId, deviceId, userInputCode } }) => {
+  const response = await Passwordless.consumeCode({ tenantId: "public", preAuthSessionId, deviceId, userInputCode });
+  if (response.status !== "OK") {
+    return new NotFoundError();
   }
 
-  if (code.claimedAt !== undefined) {
-    return logger.info({
-      type: "code:claimed",
-      session: false,
-      message: "Code Already Claimed",
-      received: codeId,
-    });
-  }
-
-  await code.claim().save();
-
-  if (code.value !== value) {
-    return logger.info({
-      type: "code:claimed",
-      session: false,
-      message: "Invalid Value",
-      expected: code.value,
-      received: value,
-    });
-  }
-
-  if (code.identity.id !== identityId) {
-    return logger.info({
-      type: "code:claimed",
-      session: false,
-      message: "Invalid Identity ID",
-      expected: code.identity.id,
-      received: identityId,
-    });
-  }
-
-  const account = await eventStore.aggregate.getByStream(Identity, identityId);
-  if (account === undefined) {
-    return logger.info({
-      type: "code:claimed",
-      session: false,
-      message: "Account Not Found",
-      expected: code.identity.id,
-      received: undefined,
-    });
-  }
-
-  logger.info({ type: "code:claimed", session: true });
-
-  const options = config.cookie(1000 * 60 * 60 * 24 * 7);
-
-  if (next !== undefined) {
-    return new Response(null, {
-      status: 302,
-      headers: {
-        location: next,
-        "set-cookie": cookie.serialize("token", await auth.generate({ id: account.id }, "1 week"), options),
-      },
-    });
-  }
+  logger.info({
+    type: "code:claimed",
+    session: true,
+    message: "Identity resolved",
+    user: response.user.toJson(),
+  });
 
   return new Response(null, {
     status: 200,
-    headers: {
-      "set-cookie": cookie.serialize("token", await auth.generate({ id: account.id }, "1 week"), options),
-    },
+    headers: await getSessionHeaders("public", response.recipeUserId),
   });
 });

modules/identity/routes/login/code/spec.ts

@@ -2,12 +2,14 @@ import { route } from "@platform/relay";
 import z from "zod";
 
 export default route
-  .get("/api/v1/identities/login/code/:identityId/code/:codeId/:value")
-  .params({
-    identityId: z.string(),
-    codeId: z.string(),
-    value: z.string(),
-  })
+  .post("/api/v1/identity/login/code")
+  .body(
+    z.strictObject({
+      deviceId: z.string(),
+      preAuthSessionId: z.string(),
+      userInputCode: z.string(),
+    }),
+  )
   .query({
     next: z.string().optional(),
   });

modules/identity/routes/login/email/handle.ts

@@ -1,27 +1,23 @@
 import { logger } from "@platform/logger";
+import Passwordless from "supertokens-node/recipe/passwordless";
 
-import { Code } from "../../../aggregates/code.ts";
-import { getIdentityEmailRelation, Identity } from "../../../aggregates/identity.ts";
-import { eventStore } from "../../../event-store.ts";
 import route from "./spec.ts";
 
-export default route.access("public").handle(async ({ body: { base, email } }) => {
-  const identity = await eventStore.aggregate.getByRelation(Identity, getIdentityEmailRelation(email));
-  if (identity === undefined) {
+export default route.access("public").handle(async ({ body: { email } }) => {
+  const response = await Passwordless.createCode({ tenantId: "public", email });
+  if (response.status !== "OK") {
     return logger.info({
-      type: "auth:email",
-      code: false,
-      message: "Identity Not Found",
+      type: "auth:passwordless",
+      message: "Create code failed.",
       received: email,
     });
   }
-  const code = await eventStore.aggregate.from(Code).create({ id: identity.id }).save();
   logger.info({
-    type: "auth:email",
+    type: "auth:passwordless",
     data: {
-      code: code.id,
-      identityId: identity.id,
+      deviceId: response.deviceId,
+      preAuthSessionId: response.preAuthSessionId,
+      userInputCode: response.userInputCode,
     },
-    link: `${base}/api/v1/admin/auth/${identity.id}/code/${code.id}/${code.value}?next=${base}/admin`,
   });
 });

modules/identity/routes/login/email/spec.ts

@@ -1,9 +1,8 @@
 import { route } from "@platform/relay";
 import z from "zod";
 
-export default route.post("/api/v1/identities/login/email").body(
+export default route.post("/api/v1/identity/login/email").body(
   z.object({
-    base: z.url(),
     email: z.email(),
   }),
 );

modules/identity/routes/login/sudo/handle.ts

@@ -0,0 +1,48 @@
+import { logger } from "@platform/logger";
+import { NotFoundError } from "@platform/relay";
+import { getSessionHeaders } from "@platform/supertoken/session.ts";
+import Passwordless from "supertokens-node/recipe/passwordless";
+
+import route from "./spec.ts";
+
+export default route.access("public").handle(async ({ body: { email } }) => {
+  const code = await Passwordless.createCode({ tenantId: "public", email });
+  if (code.status !== "OK") {
+    return logger.info({
+      type: "auth:passwordless",
+      message: "Create code failed.",
+      received: email,
+    });
+  }
+
+  logger.info({
+    type: "auth:passwordless",
+    data: {
+      deviceId: code.deviceId,
+      preAuthSessionId: code.preAuthSessionId,
+      userInputCode: code.userInputCode,
+    },
+  });
+
+  const response = await Passwordless.consumeCode({
+    tenantId: "public",
+    preAuthSessionId: code.preAuthSessionId,
+    deviceId: code.deviceId,
+    userInputCode: code.userInputCode,
+  });
+  if (response.status !== "OK") {
+    return new NotFoundError();
+  }
+
+  logger.info({
+    type: "code:claimed",
+    session: true,
+    message: "Identity resolved",
+    user: response.user.toJson(),
+  });
+
+  return new Response(null, {
+    status: 200,
+    headers: await getSessionHeaders("public", response.recipeUserId),
+  });
+});

modules/identity/routes/login/sudo/spec.ts

@@ -0,0 +1,8 @@
+import { route } from "@platform/relay";
+import z from "zod";
+
+export default route.post("/api/v1/identities/login/sudo").body(
+  z.object({
+    email: z.email(),
+  }),
+);

modules/identity/routes/me/handle.ts

@@ -0,0 +1,5 @@
+import route from "./spec.ts";
+
+export default route.access("session").handle(async ({ principal }) => {
+  return principal;
+});

modules/identity/routes/me/spec.ts

@@ -0,0 +1,4 @@
+import { NotFoundError, route, UnauthorizedError } from "@platform/relay";
+import z from "zod";
+
+export default route.get("/api/v1/identity/me").errors([UnauthorizedError, NotFoundError]).response(z.any());

modules/identity/routes/roles/handle.ts

@@ -0,0 +1,30 @@
+import { ForbiddenError } from "@platform/relay";
+import { getPrincipalRoles } from "@platform/supertoken/principal.ts";
+import UserMetadata from "supertokens-node/recipe/usermetadata";
+
+import route from "./spec.ts";
+
+export default route.access("session").handle(async ({ params: { id }, body: ops }, { access }) => {
+  const decision = await access.isAllowed({ kind: "role", id, attr: {} }, "manage");
+  if (decision === false) {
+    return new ForbiddenError("You do not have permission to modify roles for this identity.");
+  }
+  const roles: Set<string> = new Set(await getPrincipalRoles(id));
+  for (const op of ops) {
+    switch (op.type) {
+      case "add": {
+        for (const role of op.roles) {
+          roles.add(role);
+        }
+        break;
+      }
+      case "remove": {
+        for (const role of op.roles) {
+          roles.delete(role);
+        }
+        break;
+      }
+    }
+  }
+  await UserMetadata.updateUserMetadata(id, { roles: Array.from(roles) });
+});

modules/identity/routes/roles/spec.ts

@@ -0,0 +1,19 @@
+import { ForbiddenError, NotFoundError, route, UnauthorizedError } from "@platform/relay";
+import z from "zod";
+
+export default route
+  .put("/api/v1/identity/:id/roles")
+  .params({
+    id: z.string(),
+  })
+  .body(
+    z.array(
+      z.union([
+        z.strictObject({
+          type: z.union([z.literal("add"), z.literal("remove")]),
+          roles: z.array(z.any()),
+        }),
+      ]),
+    ),
+  )
+  .errors([UnauthorizedError, ForbiddenError, NotFoundError]);