feat: Tier 0 server auth - cookie lifecycle, CSRF enforcement, device tokens, SSO wiring

- Add cookie lifecycle middleware (cookie.ts): intercepts auth mutation
  responses and sets/clears HttpOnly session cookies when enable_cookie_auth
  is true in app_auth_settings. Handles all sign-in/sign-up/sign-out mutations.

- Add CSRF protection middleware (csrf.ts): wires @constructive-io/csrf
  package into server. Only enforces on cookie-authenticated requests,
  completely skips Bearer token requests. Controlled by require_csrf_for_auth
  toggle in app_auth_settings.

- Add device token cookie support: on sign-in responses that include a
  device_id, sets a long-lived (90 day) constructive_device_token cookie
  for trusted device tracking.

- Add SSO/OAuth route middleware (oauth.ts): mounts /auth/:provider and
  /auth/:provider/callback routes. On successful OAuth callback, calls
  sign_in_sso() on the tenant DB private schema and optionally sets
  session cookie when cookie auth is enabled.

- Expand AuthSettings interface with enableCookieAuth and requireCsrfForAuth
  toggles. Update AUTH_SETTINGS_SQL query to fetch these columns.

- Set req.tokenSource on authenticated requests so downstream middleware
  knows whether auth came from bearer header, cookie, or none.

- Add cookie-parser, @constructive-io/csrf, @constructive-io/oauth as
  server dependencies.

Backward compatibility:
- All features are opt-in via app_auth_settings toggles (default: off)
- Bearer token authentication continues to work exactly as before
- CSRF only enforces on cookie-authenticated requests
- No changes to existing GraphQL mutations or API contracts

Author: pyramation

graphql/server/package.json

@@ -41,8 +41,10 @@
     "backend"
   ],
   "dependencies": {
+    "@constructive-io/csrf": "workspace:^",
     "@constructive-io/graphql-env": "workspace:^",
     "@constructive-io/graphql-types": "workspace:^",
+    "@constructive-io/oauth": "workspace:^",
     "@constructive-io/s3-utils": "workspace:^",
     "@constructive-io/upload-names": "workspace:^",
     "@constructive-io/url-domains": "workspace:^",
@@ -53,6 +55,7 @@
     "@pgpmjs/server-utils": "workspace:^",
     "@pgpmjs/types": "workspace:^",
     "@pgsql/quotes": "^17.1.0",
+    "cookie-parser": "^1.4.7",
     "cors": "^2.8.6",
     "deepmerge": "^4.3.1",
     "express": "^5.2.1",
@@ -79,6 +82,7 @@
   },
   "devDependencies": {
     "@aws-sdk/client-s3": "^3.1009.0",
+    "@types/cookie-parser": "^1.4.10",
     "@types/cors": "^2.8.17",
     "@types/express": "^5.0.6",
     "@types/graphql-upload": "^8.0.12",

graphql/server/src/middleware/api.ts

@@ -104,6 +104,8 @@ const AUTH_SETTINGS_DISCOVERY_SQL = `
  */
 const AUTH_SETTINGS_SQL = (schemaName: string, tableName: string) => `
   SELECT
+    enable_cookie_auth,
+    require_csrf_for_auth,
     cookie_secure,
     cookie_samesite,
     cookie_domain,
@@ -142,6 +144,8 @@ interface RlsModuleData {
 }
 
 interface AuthSettingsRow {
+  enable_cookie_auth: boolean;
+  require_csrf_for_auth: boolean;
   cookie_secure: boolean;
   cookie_samesite: string;
   cookie_domain: string | null;
@@ -252,6 +256,8 @@ const toRlsModule = (row: RlsModuleRow | null): RlsModule | undefined => {
 const toAuthSettings = (row: AuthSettingsRow | null): AuthSettings | undefined => {
   if (!row) return undefined;
   return {
+    enableCookieAuth: row.enable_cookie_auth,
+    requireCsrfForAuth: row.require_csrf_for_auth,
     cookieSecure: row.cookie_secure,
     cookieSamesite: row.cookie_samesite,
     cookieDomain: row.cookie_domain,

graphql/server/src/middleware/auth.ts

@@ -136,6 +136,7 @@ export const createAuthenticateMiddleware = (
       }
 
       req.token = token;
+      req.tokenSource = tokenSource as 'bearer' | 'cookie' | 'none';
     } else {
       log.info(
         `[auth] Skipping auth: authFn=${authFn ?? 'none'}, ` +

graphql/server/src/middleware/cookie.ts

@@ -0,0 +1,219 @@
+import { Logger } from '@pgpmjs/logger';
+import type { NextFunction, Request, RequestHandler, Response } from 'express';
+import type { AuthSettings } from '../types';
+import './types'; // for Request type
+
+const log = new Logger('cookie');
+
+/** Default cookie name for session tokens (matches auth.ts). */
+const SESSION_COOKIE_NAME = 'constructive_session';
+
+/** Default cookie name for device tokens (long-lived trusted device). */
+const DEVICE_COOKIE_NAME = 'constructive_device_token';
+
+/**
+ * GraphQL mutation names that return an access_token on success.
+ * When cookie auth is enabled, the server sets an HttpOnly session cookie
+ * from the access_token in the response payload.
+ */
+const AUTH_MUTATIONS_SIGN_IN = new Set([
+  'signIn',
+  'signUp',
+  'signInSso',
+  'signUpSso',
+  'signInMagicLink',
+  'signInEmailOtp',
+  'signInSmsOtp',
+  'signInOneTimeToken',
+  'signInCrossOrigin',
+  'completeMfaChallenge',
+]);
+
+/**
+ * GraphQL mutation names that should clear the session cookie.
+ */
+const AUTH_MUTATIONS_SIGN_OUT = new Set([
+  'signOut',
+  'revokeSession',
+]);
+
+/**
+ * Attempt to extract the GraphQL operation name from the request body.
+ * Works for both JSON and already-parsed bodies.
+ */
+const getOperationName = (req: Request): string | undefined => {
+  const body = (req as any).body;
+  if (!body) return undefined;
+  if (typeof body === 'object' && body.operationName) {
+    return body.operationName;
+  }
+  return undefined;
+};
+
+/**
+ * Build cookie options from AuthSettings.
+ * Falls back to secure defaults when settings are missing.
+ */
+const buildCookieOptions = (
+  settings: AuthSettings | undefined,
+): Record<string, unknown> => {
+  const secure = settings?.cookieSecure ?? (process.env.NODE_ENV === 'production');
+  const sameSite = (settings?.cookieSamesite ?? 'lax') as 'strict' | 'lax' | 'none';
+  const httpOnly = settings?.cookieHttponly ?? true;
+  const path = settings?.cookiePath ?? '/';
+  const domain = settings?.cookieDomain ?? undefined;
+
+  const opts: Record<string, unknown> = {
+    httpOnly,
+    secure,
+    sameSite,
+    path,
+  };
+  if (domain) {
+    opts.domain = domain;
+  }
+
+  // maxAge from settings is an interval string (e.g. "7 days").
+  // Express cookie maxAge is in milliseconds. We parse common interval formats.
+  const maxAgeStr = settings?.cookieMaxAge;
+  if (maxAgeStr) {
+    const ms = parseIntervalToMs(maxAgeStr);
+    if (ms > 0) {
+      opts.maxAge = ms;
+    }
+  }
+
+  return opts;
+};
+
+/**
+ * Parse a PostgreSQL interval string (e.g. "7 days", "24 hours", "30 minutes")
+ * into milliseconds. Supports common auth-relevant durations.
+ */
+const parseIntervalToMs = (interval: string): number => {
+  const normalized = interval.trim().toLowerCase();
+
+  // Try numeric-only (assume seconds)
+  const numOnly = Number(normalized);
+  if (!isNaN(numOnly) && numOnly > 0) {
+    return numOnly * 1000;
+  }
+
+  // Match patterns like "7 days", "24 hours", "30 minutes", "1 year"
+  const match = normalized.match(/^(\d+)\s*(second|minute|hour|day|week|month|year)s?$/);
+  if (!match) return 0;
+
+  const value = parseInt(match[1], 10);
+  const unit = match[2];
+
+  const multipliers: Record<string, number> = {
+    second: 1000,
+    minute: 60 * 1000,
+    hour: 60 * 60 * 1000,
+    day: 24 * 60 * 60 * 1000,
+    week: 7 * 24 * 60 * 60 * 1000,
+    month: 30 * 24 * 60 * 60 * 1000,
+    year: 365 * 24 * 60 * 60 * 1000,
+  };
+
+  return value * (multipliers[unit] || 0);
+};
+
+/**
+ * Extract the access_token from a GraphQL JSON response body.
+ * Auth mutations return { data: { mutationName: { accessToken: "..." } } }
+ * PostGraphile camelCases the output columns, so we look for accessToken.
+ */
+const extractAccessToken = (body: any, operationName: string): string | undefined => {
+  if (!body?.data) return undefined;
+
+  // The mutation result is nested under the camelCase mutation name
+  const mutationResult = body.data[operationName];
+  if (!mutationResult) return undefined;
+
+  // PostGraphile wraps in { result: { ... } } for function mutations
+  const result = mutationResult.result ?? mutationResult;
+
+  // Look for access_token or accessToken in the result
+  return result?.accessToken ?? result?.access_token ?? undefined;
+};
+
+/**
+ * Extract device_id from a GraphQL JSON response body.
+ * Sign-in mutations may return a device_id when device tracking is enabled.
+ */
+const extractDeviceId = (body: any, operationName: string): string | undefined => {
+  if (!body?.data) return undefined;
+  const mutationResult = body.data[operationName];
+  if (!mutationResult) return undefined;
+  const result = mutationResult.result ?? mutationResult;
+  return result?.deviceId ?? result?.device_id ?? undefined;
+};
+
+/**
+ * Creates the cookie lifecycle middleware.
+ *
+ * When `enable_cookie_auth` is true in app_auth_settings:
+ * - On sign-in/sign-up mutations: intercepts the response and sets an HttpOnly
+ *   session cookie from the returned access_token.
+ * - On sign-out/revoke mutations: clears the session cookie.
+ * - On sign-in with device tracking: sets a long-lived device token cookie.
+ *
+ * When `enable_cookie_auth` is false (default): this middleware is a no-op.
+ * Bearer token authentication continues to work regardless of this setting.
+ */
+export const createCookieMiddleware = (): RequestHandler => {
+  return (req: Request, res: Response, next: NextFunction): void => {
+    const authSettings = req.api?.authSettings;
+
+    // Skip if cookie auth is not enabled
+    if (!authSettings?.enableCookieAuth) {
+      return next();
+    }
+
+    const opName = getOperationName(req);
+    if (!opName) {
+      return next();
+    }
+
+    // Sign-out: clear session cookie before passing through
+    if (AUTH_MUTATIONS_SIGN_OUT.has(opName)) {
+      const cookieOpts = buildCookieOptions(authSettings);
+      res.clearCookie(SESSION_COOKIE_NAME, cookieOpts);
+      log.info(`[cookie] Cleared session cookie for operation=${opName}`);
+      return next();
+    }
+
+    // Sign-in: intercept the response to set session cookie
+    if (AUTH_MUTATIONS_SIGN_IN.has(opName)) {
+      // Monkey-patch res.json to intercept the GraphQL response
+      const originalJson = res.json.bind(res);
+      res.json = (body: any) => {
+        try {
+          const accessToken = extractAccessToken(body, opName);
+          if (accessToken) {
+            const cookieOpts = buildCookieOptions(authSettings);
+            res.cookie(SESSION_COOKIE_NAME, accessToken, cookieOpts);
+            log.info(`[cookie] Set session cookie for operation=${opName}`);
+          }
+
+          // Also handle device token cookie
+          const deviceId = extractDeviceId(body, opName);
+          if (deviceId) {
+            const deviceCookieOpts = buildCookieOptions(authSettings);
+            // Device tokens are long-lived (90 days default)
+            deviceCookieOpts.maxAge = 90 * 24 * 60 * 60 * 1000;
+            res.cookie(DEVICE_COOKIE_NAME, deviceId, deviceCookieOpts);
+            log.info(`[cookie] Set device token cookie for operation=${opName}`);
+          }
+        } catch (e: any) {
+          log.error(`[cookie] Error processing response for ${opName}:`, e.message);
+        }
+
+        return originalJson(body);
+      };
+    }
+
+    next();
+  };
+};

graphql/server/src/middleware/csrf.ts

@@ -0,0 +1,86 @@
+import { Logger } from '@pgpmjs/logger';
+import { createCsrfMiddleware, csrfErrorHandler } from '@constructive-io/csrf';
+import type { NextFunction, Request, RequestHandler, Response } from 'express';
+import './types'; // for Request type
+
+const log = new Logger('csrf');
+
+/**
+ * Creates CSRF protection middleware that is aware of auth settings and token source.
+ *
+ * CSRF is only enforced when ALL of the following are true:
+ * 1. `require_csrf_for_auth` is enabled in app_auth_settings
+ * 2. `enable_cookie_auth` is enabled in app_auth_settings
+ * 3. The current request was authenticated via a session cookie (not Bearer token)
+ *
+ * When the request uses a Bearer token (API tokens, service credentials),
+ * CSRF protection is skipped because Bearer tokens are not automatically
+ * attached by the browser and are therefore not vulnerable to CSRF attacks.
+ *
+ * This ensures the engineering team can continue using API tokens with zero changes
+ * while gradually enabling cookie-based auth with CSRF protection.
+ */
+export const createCsrfProtectionMiddleware = (): {
+  setToken: RequestHandler;
+  protect: RequestHandler;
+  errorHandler: (err: Error, req: Request, res: Response, next: NextFunction) => void;
+} => {
+  const csrf = createCsrfMiddleware({
+    cookieName: 'csrf_token',
+    headerName: 'x-csrf-token',
+    cookieOptions: {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'lax',
+      maxAge: 86400,
+      path: '/',
+    },
+  });
+
+  /**
+   * Sets the CSRF token cookie on every request when CSRF is enabled.
+   * This ensures the client has a token to submit on mutations.
+   */
+  const setToken: RequestHandler = (req: Request, res: Response, next: NextFunction): void => {
+    const authSettings = req.api?.authSettings;
+
+    // Only set CSRF cookie when both cookie auth AND CSRF are enabled
+    if (!authSettings?.enableCookieAuth || !authSettings?.requireCsrfForAuth) {
+      return next();
+    }
+
+    csrf.setToken(req as any, res as any, next);
+  };
+
+  /**
+   * Validates the CSRF token on mutations when the request is cookie-authenticated.
+   * Skips validation for Bearer-authenticated or anonymous requests.
+   */
+  const protect: RequestHandler = (req: Request, res: Response, next: NextFunction): void => {
+    const authSettings = req.api?.authSettings;
+
+    // Skip if cookie auth or CSRF is not enabled
+    if (!authSettings?.enableCookieAuth || !authSettings?.requireCsrfForAuth) {
+      return next();
+    }
+
+    // Only enforce CSRF for cookie-authenticated requests.
+    // Bearer token requests are immune to CSRF by design.
+    if (req.tokenSource !== 'cookie') {
+      return next();
+    }
+
+    log.debug('[csrf] Enforcing CSRF protection for cookie-authenticated request');
+    csrf.protect(req as any, res as any, next);
+  };
+
+  /**
+   * Error handler that converts CSRF errors into GraphQL-style error responses.
+   * Must be registered as Express error-handling middleware (4 args).
+   */
+  const errorHandler = (err: Error, _req: Request, res: Response, next: NextFunction): void => {
+    csrfErrorHandler(err, _req, res as any, next);
+  };
+
+  return { setToken, protect, errorHandler };
+};