refactor(sdk): wire AuthConfigSchema.parse and clean up redundancies#1190
Draft
toiroakr wants to merge 6 commits into
Draft
refactor(sdk): wire AuthConfigSchema.parse and clean up redundancies#1190toiroakr wants to merge 6 commits into
toiroakr wants to merge 6 commits into
Conversation
Replace the z.union([..., z.xor([...])]) structure with a flat object schema plus .refine that emits a friendly message when both userProfile and machineUserAttributes are supplied. The union+xor encoding produced verbose 3-variant types in auth.generated.ts and surfaced as Zod union errors that buried the actual constraint. The new shape generates a single object type and yields a one-line error pointing at machineUserAttributes. AuthConfigInput is consumed only inside its own generated file, so the type shape change is safe for downstream consumers.
Move the auth config validation that used to live in defineAuth (configure layer) into application.ts:defineAuth so it runs at CLI deploy/generate time. Matches the existing pattern used for IdP (IdPSchema.parse), TailorDB (TailorDBServiceConfigSchema.parse), and static websites (StaticWebsiteSchema.parse). Closes the gap where the configure layer stopped calling parse() but no CLI-side enforcement was wired up, leaving invalid auth configs to fall through silently until they hit the platform. Merge the parsed result back over the original config so runtime methods (invoker, getConnectionToken) attached by the configure layer survive, while parse-side transforms (OAuth2 token lifetime number to BigInt seconds) and validation refinements take effect.
AuthConfigSchema.parse now runs at the CLI defineAuth boundary, validating idProvider and connections as part of the top-level config parse. The per-field IdProviderSchema.optional().parse and per-connection AuthConnectionConfigSchema.parse calls inside createAuthService were duplicating that work. Replace them with simple type casts that surface the parsed shape stored in @/types/auth.generated. The runtime values are already validated, so the casts are not lying about anything that hasn't been checked. Removes two parser imports from the cli/services/auth/service.ts module, keeping the runtime path inside the configure-layer boundary unchanged.
|
⚡ pkg.pr.new@tailor-platform/sdk@tailor-platform/create-sdk
|
Replace the flat `.refine`-based mutex check with `z.xor([V1, V2], { error })`,
where V1 allows `userProfile` and V2 requires `machineUserAttributes`. A custom
`error` callback inspects `iss.errors` to detect the "both fields supplied"
case (every variant's errors must point at top-level `userProfile`/
`machineUserAttributes` paths) and emits a one-line friendly message. For any
other shape — e.g. nested validation failures inside `userProfile.type` — the
callback returns `undefined` and Zod's default union error is preserved.
This keeps the mutex constraint visible in the generated `AuthConfigInput`
type (`V1 | V2`) without sacrificing the focused error string users saw under
the `.refine` variant.
| [ | ||
| AuthConfigBaseSchema.extend({ | ||
| userProfile: UserProfileSchema, | ||
| userProfile: UserProfileSchema.optional().describe("User profile configuration"), |
Comment on lines
+178
to
+180
| const parsedConfig = { | ||
| ...config, | ||
| ...AuthConfigSchema.parse(config), |
Now that AuthConfigSchema.parse is wired into the CLI application loader (commit 4ec5165), the mutex between userProfile and machineUserAttributes is enforced at CLI parse time via z.xor(). The defensive runtime check in defineAuth duplicated that behavior and prevented the factory body from being side-effect-free for tree-shaking. The configure-layer test that bypassed the type system to exercise the throw is removed; the parser-layer test (src/parser/service/auth/index.test.ts) continues to cover the same case via AuthConfigSchema.parse().
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up to PR #1189 (chore/side-effect). Splits the auth-related refactor into a focused stack so the parent PR can stay scoped to the tree-shaking cleanup.
AuthConfigSchemaso the mutex betweenuserProfileandmachineUserAttributesis encoded withz.xor([V1, V2], { error }). The customerrorcallback inspects the union'siss.errorsand emits a one-line friendly message only when every variant's failures point at the mutex paths; nested field errors fall through to Zod's default. Replaces the prior nestedz.union([..., z.xor([...])]), which produced verbose 3-variant types and Zod errors that buried the actual constraint.AuthConfigSchema.parseintoapplication.ts:defineAuthso auth configs are validated at CLI deploy/generate time. This matches the existing pattern used for IdP, TailorDB, and static websites, and closes the gap left when the configure-layerdefineAuthstopped callingparse().IdProviderSchema.optional().parseand per-connectionAuthConnectionConfigSchema.parseinsidecreateAuthService. They were duplicating work now done by the top-levelAuthConfigSchema.parseand pulled parser imports intocli/services/auth/service.tsunnecessarily.The merge
{ ...config, ...AuthConfigSchema.parse(config) }indefineAuthpreserves runtime methods (invoker,getConnectionToken) attached by the configure layer while applying parse-side transforms (OAuth2 token lifetime number to BigInt seconds) and refinements.AuthConfigInputis consumed only inside its own generated file, so the shape change (single object →V1 | V2union) is safe for downstream consumers.Base:
chore/side-effect(will rebase ontomainonce #1189 lands).