refactor(dashboard): promote FP cloud token utils to core-protocols-dashboard

Move `createFPToken`, `getFPTokenContext`, `nameFromAuth`, `nickFromClarkClaim`,
and `toProvider` from `dashboard/backend/utils/` into the shared
`core/protocols/dashboard/fp-cloud-token.ts`. Also move `FPTokenContext`
interface from `dashboard/backend/types.ts` into
`core/types/protocols/dashboard/`. Dashboard backend now imports these
from `@fireproof/core-protocols-dashboard` so they can be reused outside
the backend package.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: mabels

core/protocols/dashboard/fp-cloud-token.ts

@@ -0,0 +1,73 @@
+import { FPCloudClaim } from "@fireproof/core-types-protocols-cloud";
+import { param, Result } from "@adviser/cement";
+import { ClerkClaim, ClerkEmailTemplateClaim, SuperThis } from "@fireproof/core-types-base";
+import { sts } from "@fireproof/core-runtime";
+import { SignJWT } from "jose/jwt/sign";
+import { FPTokenContext, VerifiedAuthUserResult } from "@fireproof/core-types-protocols-dashboard";
+
+export async function createFPToken(ctx: FPTokenContext, claim: FPCloudClaim) {
+  const privKeys = await sts.env2jwk(ctx.secretToken);
+  if (privKeys.length !== 1) {
+    throw new Error(`Expected exactly one private JWK, found ${privKeys.length}`);
+  }
+  const privKey = privKeys[0];
+  let validFor = ctx.validFor;
+  if (validFor <= 0) {
+    validFor = 60 * 60; // 1 hour
+  }
+  const expiresDate = new Date(Date.now() + validFor * 1000); // epoch sec
+  const expiresInSec = Math.floor((Math.floor(expiresDate.getTime() / 1000) + validFor) / 1000);
+  const epochExp = Math.floor(expiresDate.getTime() / 1000);
+  return {
+    expiresDate,
+    expiresInSec,
+    token: await new SignJWT(claim)
+      .setProtectedHeader({ alg: "ES256" }) // algorithm
+      .setIssuedAt()
+      .setIssuer(ctx.issuer) // issuer
+      .setAudience(ctx.audience) // audience
+      .setExpirationTime(epochExp) // expiration time
+      .sign(privKey),
+  };
+}
+
+export async function getFPTokenContext(sthis: SuperThis, ictx: Partial<FPTokenContext> = {}): Promise<Result<FPTokenContext>> {
+  const rCtx = sthis.env.gets({
+    CLOUD_SESSION_TOKEN_SECRET: ictx.secretToken ?? param.REQUIRED,
+    CLOUD_SESSION_TOKEN_PUBLIC: ictx.publicToken ?? param.REQUIRED,
+    CLOUD_SESSION_TOKEN_ISSUER: "FP_CLOUD",
+    CLOUD_SESSION_TOKEN_AUDIENCE: "PUBLIC",
+    CLOUD_SESSION_TOKEN_VALID_FOR: "" + 60 * 60,
+    CLOUD_SESSION_TOKEN_EXTEND_VALID_FOR: "" + 6 * 60 * 60,
+  });
+  if (rCtx.isErr()) {
+    return Result.Err(rCtx.Err());
+  }
+  const ctx = rCtx.Ok();
+  return Result.Ok({
+    secretToken: ctx.CLOUD_SESSION_TOKEN_SECRET,
+    publicToken: ctx.CLOUD_SESSION_TOKEN_PUBLIC,
+    issuer: ctx.CLOUD_SESSION_TOKEN_ISSUER,
+    audience: ctx.CLOUD_SESSION_TOKEN_AUDIENCE,
+    validFor: parseInt(ctx.CLOUD_SESSION_TOKEN_VALID_FOR, 10),
+    extendValidFor: parseInt(ctx.CLOUD_SESSION_TOKEN_EXTEND_VALID_FOR, 10),
+    ...ictx,
+  } satisfies FPTokenContext);
+}
+
+export function nameFromAuth(name: string | undefined, auth: VerifiedAuthUserResult): string {
+  return (
+    name ?? `${auth.verifiedAuth.claims.params.email ?? nickFromClarkClaim(auth.verifiedAuth.claims.params) ?? auth.user.userId}`
+  );
+}
+
+export function nickFromClarkClaim(auth: ClerkEmailTemplateClaim): string | undefined {
+  return auth.nick ?? auth.name ?? undefined;
+}
+
+export function toProvider(i: ClerkClaim): FPCloudClaim["provider"] {
+  if (i.params.nick) {
+    return "github";
+  }
+  return "google";
+}

core/protocols/dashboard/index.ts

@@ -2,3 +2,5 @@ export * from "./msg-api.js";
 export * from "./dashboard-api.js";
 export * from "./token.js";
 export * from "./get-cloud-pubkey-from-env.js";
+
+export * from "./fp-cloud-token.js";

core/types/protocols/dashboard/index.ts

@@ -4,3 +4,11 @@ export * from "./msg-is.js";
 export * from "./msg-types.js";
 
 export * from "./token.js";
+export interface FPTokenContext {
+  readonly secretToken: string;
+  readonly publicToken: string;
+  readonly issuer: string;
+  readonly audience: string;
+  readonly validFor: number; // seconds
+  readonly extendValidFor: number; // seconds
+}

dashboard/actions/base/action.yaml

@@ -29,7 +29,7 @@ runs:
       working-directory: dashboard/frontend
       env:
         VITE_CLERK_PUBLISHABLE_KEY: ${{ inputs.CLERK_PUBLISHABLE_KEY }}
-      run: pnpm run build
+      run: FP_TSC=tsc pnpm run build
 
     - name: FRONTEND test
       shell: bash
@@ -57,7 +57,7 @@ runs:
       working-directory: dashboard/backend
       env:
         VITE_CLERK_PUBLISHABLE_KEY: ${{ inputs.CLERK_PUBLISHABLE_KEY }}
-      run: pnpm run build
+      run: FP_TSC=tsc pnpm run build
 
     - name: BACKEND test
       shell: bash

dashboard/backend/public/create-tenant.ts

@@ -1,9 +1,10 @@
 import { EventoHandler, Result, EventoResultType, HandleTriggerCtx } from "@adviser/cement";
 import { ReqCreateTenant, ResCreateTenant, validateCreateTenant } from "@fireproof/core-types-protocols-dashboard";
 import { FPApiSQLCtx, ReqWithVerifiedAuthUser } from "../types.js";
-import { nameFromAuth, checkAuth, wrapStop } from "../utils/index.js";
+import { checkAuth, wrapStop } from "../utils/index.js";
 import { insertTenant } from "../internal/insert-tenant.js";
 import { addUserToTenant } from "../internal/add-user-to-tenant.js";
+import { nameFromAuth } from "@fireproof/core-protocols-dashboard";
 
 async function createTenant(ctx: FPApiSQLCtx, req: ReqWithVerifiedAuthUser<ReqCreateTenant>): Promise<Result<ResCreateTenant>> {
   const rTenant = await insertTenant(ctx, req.auth.user, {

dashboard/backend/public/ensure-cloud-token.ts

@@ -1,5 +1,6 @@
 import { EventoHandler, Result, EventoResultType, HandleTriggerCtx } from "@adviser/cement";
 import {
+  FPTokenContext,
   ReqEnsureCloudToken,
   ResEnsureCloudToken,
   validateEnsureCloudToken,
@@ -9,12 +10,13 @@ import { FPCloudClaimSchema } from "@fireproof/core-types-protocols-cloud";
 import { eq, and, count } from "drizzle-orm";
 import { sqlAppIdBinding } from "../sql/app-id-bind.js";
 import { sqlLedgers, sqlLedgerUsers } from "../sql/ledgers.js";
-import { FPApiSQLCtx, FPTokenContext, ReqWithVerifiedAuthUser } from "../types.js";
-import { getFPTokenContext, createFPToken, toProvider, checkAuth, wrapStop } from "../utils/index.js";
+import { FPApiSQLCtx, ReqWithVerifiedAuthUser } from "../types.js";
+import { checkAuth, wrapStop } from "../utils/index.js";
 import { createLedger } from "./create-ledger.js";
 import { ensureUser } from "./ensure-user.js";
 import { listLedgersByUser } from "./list-ledgers-by-user.js";
 import { decodeJwt } from "jose";
+import { getFPTokenContext, createFPToken, toProvider } from "@fireproof/core-protocols-dashboard";
 
 function getAppIdBinding(
   ctx: FPApiSQLCtx,

dashboard/backend/public/ensure-user.ts

@@ -11,12 +11,13 @@ import { getTableColumns, eq } from "drizzle-orm";
 import { queryEmail, queryNick } from "../sql/sql-helper.js";
 import { sqlTenants } from "../sql/tenants.js";
 import { upsetUserByProvider, sqlUsers, UserByProviderWithoutDate } from "../sql/users.js";
-import { nickFromClarkClaim, nameFromAuth, wrapStop, verifyAuth } from "../utils/index.js";
+import { wrapStop, verifyAuth } from "../utils/index.js";
 import { addUserToTenant } from "../internal/add-user-to-tenant.js";
 import { insertTenant } from "../internal/insert-tenant.js";
 import { FPApiSQLCtx } from "../types.js";
 import { listTenantsByUser } from "./list-tenants-by-user.js";
 import { redeemInvite } from "./redeem-invite.js";
+import { nickFromClarkClaim, nameFromAuth } from "@fireproof/core-protocols-dashboard";
 
 export async function ensureUser(ctx: FPApiSQLCtx, req: ReqEnsureUser): Promise<Result<ResEnsureUser>> {
   const rAuth = await verifyAuth(ctx, req);

dashboard/backend/public/get-cloud-session-token.ts

@@ -1,11 +1,17 @@
 import { EventoHandler, Result, EventoResultType, HandleTriggerCtx } from "@adviser/cement";
-import { ReqCloudSessionToken, ResCloudSessionToken, validateCloudSessionToken } from "@fireproof/core-types-protocols-dashboard";
+import {
+  FPTokenContext,
+  ReqCloudSessionToken,
+  ResCloudSessionToken,
+  validateCloudSessionToken,
+} from "@fireproof/core-types-protocols-dashboard";
 import { FPCloudClaim } from "@fireproof/core-types-protocols-cloud";
-import { getFPTokenContext, createFPToken, toProvider, checkAuth, wrapStop } from "../utils/index.js";
-import { FPApiSQLCtx, FPTokenContext, ReqWithVerifiedAuthUser } from "../types.js";
+import { checkAuth, wrapStop } from "../utils/index.js";
+import { FPApiSQLCtx, ReqWithVerifiedAuthUser } from "../types.js";
 import { listTenantsByUser } from "./list-tenants-by-user.js";
 import { listLedgersByUser } from "./list-ledgers-by-user.js";
 import { addTokenByResultId } from "../internal/add-token-by-result-id.js";
+import { getFPTokenContext, createFPToken, toProvider } from "@fireproof/core-protocols-dashboard";
 
 async function getCloudSessionToken(
   ctx: FPApiSQLCtx,

dashboard/backend/types.ts

@@ -39,15 +39,6 @@ export type ReqWithVerifiedAuthUser<REQ extends { type: string; auth: DashAuthTy
   readonly auth: VerifiedAuthUserResult;
 };
 
-export interface FPTokenContext {
-  readonly secretToken: string;
-  readonly publicToken: string;
-  readonly issuer: string;
-  readonly audience: string;
-  readonly validFor: number; // seconds
-  readonly extendValidFor: number; // seconds
-}
-
 export interface FPApiSQLCtx {
   readonly db: DashSqlite;
   readonly logger: Logger;

dashboard/backend/utils/index.ts

@@ -1,77 +1,6 @@
-import { FPCloudClaim } from "@fireproof/core-types-protocols-cloud";
-import { EventoResult, EventoResultType, param, Result } from "@adviser/cement";
-import { ClerkClaim, ClerkEmailTemplateClaim, SuperThis } from "@fireproof/core";
-import { sts } from "@fireproof/core-runtime";
-import { SignJWT } from "jose/jwt/sign";
-import { FPTokenContext } from "../types.js";
-import { VerifiedAuthUserResult } from "@fireproof/core-types-protocols-dashboard";
+import { Result, EventoResultType, EventoResult } from "@adviser/cement";
 
-export async function createFPToken(ctx: FPTokenContext, claim: FPCloudClaim) {
-  const privKeys = await sts.env2jwk(ctx.secretToken);
-  if (privKeys.length !== 1) {
-    throw new Error(`Expected exactly one private JWK, found ${privKeys.length}`);
-  }
-  const privKey = privKeys[0];
-  let validFor = ctx.validFor;
-  if (validFor <= 0) {
-    validFor = 60 * 60; // 1 hour
-  }
-  const expiresDate = new Date(Date.now() + validFor * 1000); // epoch sec
-  const expiresInSec = Math.floor((Math.floor(expiresDate.getTime() / 1000) + validFor) / 1000);
-  const epochExp = Math.floor(expiresDate.getTime() / 1000);
-  return {
-    expiresDate,
-    expiresInSec,
-    token: await new SignJWT(claim)
-      .setProtectedHeader({ alg: "ES256" }) // algorithm
-      .setIssuedAt()
-      .setIssuer(ctx.issuer) // issuer
-      .setAudience(ctx.audience) // audience
-      .setExpirationTime(epochExp) // expiration time
-      .sign(privKey),
-  };
-}
-
-export async function getFPTokenContext(sthis: SuperThis, ictx: Partial<FPTokenContext> = {}): Promise<Result<FPTokenContext>> {
-  const rCtx = sthis.env.gets({
-    CLOUD_SESSION_TOKEN_SECRET: ictx.secretToken ?? param.REQUIRED,
-    CLOUD_SESSION_TOKEN_PUBLIC: ictx.publicToken ?? param.REQUIRED,
-    CLOUD_SESSION_TOKEN_ISSUER: "FP_CLOUD",
-    CLOUD_SESSION_TOKEN_AUDIENCE: "PUBLIC",
-    CLOUD_SESSION_TOKEN_VALID_FOR: "" + 60 * 60,
-    CLOUD_SESSION_TOKEN_EXTEND_VALID_FOR: "" + 6 * 60 * 60,
-  });
-  if (rCtx.isErr()) {
-    return Result.Err(rCtx.Err());
-  }
-  const ctx = rCtx.Ok();
-  return Result.Ok({
-    secretToken: ctx.CLOUD_SESSION_TOKEN_SECRET,
-    publicToken: ctx.CLOUD_SESSION_TOKEN_PUBLIC,
-    issuer: ctx.CLOUD_SESSION_TOKEN_ISSUER,
-    audience: ctx.CLOUD_SESSION_TOKEN_AUDIENCE,
-    validFor: parseInt(ctx.CLOUD_SESSION_TOKEN_VALID_FOR, 10),
-    extendValidFor: parseInt(ctx.CLOUD_SESSION_TOKEN_EXTEND_VALID_FOR, 10),
-    ...ictx,
-  } satisfies FPTokenContext);
-}
-
-export function nameFromAuth(name: string | undefined, auth: VerifiedAuthUserResult): string {
-  return (
-    name ?? `${auth.verifiedAuth.claims.params.email ?? nickFromClarkClaim(auth.verifiedAuth.claims.params) ?? auth.user.userId}`
-  );
-}
-
-export function nickFromClarkClaim(auth: ClerkEmailTemplateClaim): string | undefined {
-  return auth.nick ?? auth.name ?? undefined;
-}
-
-export function toProvider(i: ClerkClaim): FPCloudClaim["provider"] {
-  if (i.params.nick) {
-    return "github";
-  }
-  return "google";
-}
+export * from "./auth.js";
 
 export function wrapStop<T>(res: Promise<Result<T>>): Promise<Result<EventoResultType>> {
   return res.then((r) => {
@@ -81,5 +10,3 @@ export function wrapStop<T>(res: Promise<Result<T>>): Promise<Result<EventoResul
     return Result.Ok(EventoResult.Stop);
   });
 }
-
-export * from "./auth.js";