feat(auth): authenticate automation

package.json

@@ -82,7 +82,7 @@
 		"@junobuild/cli-tools": "^0.10.1",
 		"@junobuild/config": "^2.10.1",
 		"@junobuild/config-loader": "^0.4.8",
-		"@junobuild/errors": "^0.2.2",
+		"@junobuild/errors": "^0.2.2-next-2026-02-12",
 		"@junobuild/functions": "^0.5.6",
 		"@ltd/j-toml": "^1.38.0",
 		"@playwright/test": "^1.57.0",

src/console/console.did

@@ -123,6 +123,7 @@ type GetDelegationError = variant {
   JwtVerify : JwtVerifyError;
   GetOrFetchJwks : GetOrRefreshJwksError;
   DeriveSeedFailed : text;
+  InvalidObservatoryId : text;
 };
 type GetOrRefreshJwksError = variant {
   InvalidConfig : text;
@@ -262,6 +263,7 @@ type PrepareDelegationError = variant {
   JwtVerify : JwtVerifyError;
   GetOrFetchJwks : GetOrRefreshJwksError;
   DeriveSeedFailed : text;
+  InvalidObservatoryId : text;
 };
 type PreparedDelegation = record { user_key : blob; expiration : nat64 };
 type Proposal = record {

src/declarations/console/console.did.d.ts

@@ -161,7 +161,8 @@ export type GetDelegationError =
 	| { NoSuchDelegation: null }
 	| { JwtVerify: JwtVerifyError }
 	| { GetOrFetchJwks: GetOrRefreshJwksError }
-	| { DeriveSeedFailed: string };
+	| { DeriveSeedFailed: string }
+	| { InvalidObservatoryId: string };
 export type GetOrRefreshJwksError =
 	| { InvalidConfig: string }
 	| { MissingKid: null }
@@ -319,7 +320,8 @@ export type PrepareDelegationError =
 	| { GetCachedJwks: null }
 	| { JwtVerify: JwtVerifyError }
 	| { GetOrFetchJwks: GetOrRefreshJwksError }
-	| { DeriveSeedFailed: string };
+	| { DeriveSeedFailed: string }
+	| { InvalidObservatoryId: string };
 export interface PreparedDelegation {
 	user_key: Uint8Array;
 	expiration: bigint;

src/declarations/console/console.factory.certified.did.js

@@ -85,7 +85,8 @@ export const idlFactory = ({ IDL }) => {
 		GetCachedJwks: IDL.Null,
 		JwtVerify: JwtVerifyError,
 		GetOrFetchJwks: GetOrRefreshJwksError,
-		DeriveSeedFailed: IDL.Text
+		DeriveSeedFailed: IDL.Text,
+		InvalidObservatoryId: IDL.Text
 	});
 	const AuthenticationError = IDL.Variant({
 		PrepareDelegation: PrepareDelegationError,
@@ -215,7 +216,8 @@ export const idlFactory = ({ IDL }) => {
 		NoSuchDelegation: IDL.Null,
 		JwtVerify: JwtVerifyError,
 		GetOrFetchJwks: GetOrRefreshJwksError,
-		DeriveSeedFailed: IDL.Text
+		DeriveSeedFailed: IDL.Text,
+		InvalidObservatoryId: IDL.Text
 	});
 	const Result_1 = IDL.Variant({
 		Ok: SignedDelegation,

src/declarations/console/console.factory.did.js

@@ -85,7 +85,8 @@ export const idlFactory = ({ IDL }) => {
 		GetCachedJwks: IDL.Null,
 		JwtVerify: JwtVerifyError,
 		GetOrFetchJwks: GetOrRefreshJwksError,
-		DeriveSeedFailed: IDL.Text
+		DeriveSeedFailed: IDL.Text,
+		InvalidObservatoryId: IDL.Text
 	});
 	const AuthenticationError = IDL.Variant({
 		PrepareDelegation: PrepareDelegationError,
@@ -215,7 +216,8 @@ export const idlFactory = ({ IDL }) => {
 		NoSuchDelegation: IDL.Null,
 		JwtVerify: JwtVerifyError,
 		GetOrFetchJwks: GetOrRefreshJwksError,
-		DeriveSeedFailed: IDL.Text
+		DeriveSeedFailed: IDL.Text,
+		InvalidObservatoryId: IDL.Text
 	});
 	const Result_1 = IDL.Variant({
 		Ok: SignedDelegation,

src/declarations/console/console.factory.did.mjs

@@ -85,7 +85,8 @@ export const idlFactory = ({ IDL }) => {
 		GetCachedJwks: IDL.Null,
 		JwtVerify: JwtVerifyError,
 		GetOrFetchJwks: GetOrRefreshJwksError,
-		DeriveSeedFailed: IDL.Text
+		DeriveSeedFailed: IDL.Text,
+		InvalidObservatoryId: IDL.Text
 	});
 	const AuthenticationError = IDL.Variant({
 		PrepareDelegation: PrepareDelegationError,
@@ -215,7 +216,8 @@ export const idlFactory = ({ IDL }) => {
 		NoSuchDelegation: IDL.Null,
 		JwtVerify: JwtVerifyError,
 		GetOrFetchJwks: GetOrRefreshJwksError,
-		DeriveSeedFailed: IDL.Text
+		DeriveSeedFailed: IDL.Text,
+		InvalidObservatoryId: IDL.Text
 	});
 	const Result_1 = IDL.Variant({
 		Ok: SignedDelegation,

src/declarations/satellite/satellite.did.d.ts

@@ -34,12 +34,27 @@ export interface AssetNoContent {
 export interface AssetsUpgradeOptions {
 	clear_existing_assets: [] | [boolean];
 }
+export type AuthenticateAutomationArgs = {
+	OpenId: OpenIdPrepareAutomationArgs;
+};
+export type AuthenticateAutomationResultResponse =
+	| {
+			Ok: [Principal, AutomationController];
+	  }
+	| { Err: AuthenticationAutomationError };
 export type AuthenticateResultResponse = { Ok: Authentication } | { Err: AuthenticationError };
 export interface Authentication {
 	doc: Doc;
 	delegation: PreparedDelegation;
 }
 export type AuthenticationArgs = { OpenId: OpenIdPrepareDelegationArgs };
+export type AuthenticationAutomationError =
+	| {
+			PrepareAutomation: PrepareAutomationError;
+	  }
+	| { RegisterController: string }
+	| { SaveWorkflowMetadata: string }
+	| { SaveUniqueJtiToken: string };
 export interface AuthenticationConfig {
 	updated_at: [] | [bigint];
 	openid: [] | [AuthenticationConfigOpenId];
@@ -74,6 +89,10 @@ export interface AutomationConfigOpenId {
 	observatory_id: [] | [Principal];
 	providers: Array<[OpenIdAutomationProvider, OpenIdAutomationProviderConfig]>;
 }
+export interface AutomationController {
+	scope: AutomationScope;
+	expires_at: bigint;
+}
 export type AutomationScope = { Write: null } | { Submit: null };
 export type CollectionType = { Db: null } | { Storage: null };
 export interface CommitBatch {
@@ -153,7 +172,8 @@ export type GetDelegationError =
 	| { NoSuchDelegation: null }
 	| { JwtVerify: JwtVerifyError }
 	| { GetOrFetchJwks: GetOrRefreshJwksError }
-	| { DeriveSeedFailed: string };
+	| { DeriveSeedFailed: string }
+	| { InvalidObservatoryId: string };
 export type GetDelegationResultResponse = { Ok: SignedDelegation } | { Err: GetDelegationError };
 export type GetOrRefreshJwksError =
 	| { InvalidConfig: string }
@@ -300,6 +320,10 @@ export interface OpenIdGetDelegationArgs {
 	salt: Uint8Array;
 	expiration: bigint;
 }
+export interface OpenIdPrepareAutomationArgs {
+	jwt: string;
+	salt: Uint8Array;
+}
 export interface OpenIdPrepareDelegationArgs {
 	jwt: string;
 	session_key: Uint8Array;
@@ -310,14 +334,26 @@ export type Permission =
 	| { Private: null }
 	| { Public: null }
 	| { Managed: null };
+export type PrepareAutomationError =
+	| {
+			JwtFindProvider: JwtFindProviderError;
+	  }
+	| { InvalidController: string }
+	| { GetCachedJwks: null }
+	| { JwtVerify: JwtVerifyError }
+	| { GetOrFetchJwks: GetOrRefreshJwksError }
+	| { ControllerAlreadyExists: null }
+	| { InvalidObservatoryId: string }
+	| { TooManyControllers: string };
 export type PrepareDelegationError =
 	| {
 			JwtFindProvider: JwtFindProviderError;
 	  }
 	| { GetCachedJwks: null }
 	| { JwtVerify: JwtVerifyError }
 	| { GetOrFetchJwks: GetOrRefreshJwksError }
-	| { DeriveSeedFailed: string };
+	| { DeriveSeedFailed: string }
+	| { InvalidObservatoryId: string };
 export interface PreparedDelegation {
 	user_key: Uint8Array;
 	expiration: bigint;
@@ -475,6 +511,10 @@ export interface UploadChunkResult {
 }
 export interface _SERVICE {
 	authenticate: ActorMethod<[AuthenticationArgs], AuthenticateResultResponse>;
+	authenticate_automation: ActorMethod<
+		[AuthenticateAutomationArgs],
+		AuthenticateAutomationResultResponse
+	>;
 	commit_asset_upload: ActorMethod<[CommitBatch], undefined>;
 	commit_proposal: ActorMethod<[CommitProposal], null>;
 	commit_proposal_asset_upload: ActorMethod<[CommitBatch], undefined>;

src/declarations/satellite/satellite.factory.certified.did.js

@@ -65,7 +65,8 @@ export const idlFactory = ({ IDL }) => {
 		GetCachedJwks: IDL.Null,
 		JwtVerify: JwtVerifyError,
 		GetOrFetchJwks: GetOrRefreshJwksError,
-		DeriveSeedFailed: IDL.Text
+		DeriveSeedFailed: IDL.Text,
+		InvalidObservatoryId: IDL.Text
 	});
 	const AuthenticationError = IDL.Variant({
 		PrepareDelegation: PrepareDelegationError,
@@ -75,6 +76,41 @@ export const idlFactory = ({ IDL }) => {
 		Ok: Authentication,
 		Err: AuthenticationError
 	});
+	const OpenIdPrepareAutomationArgs = IDL.Record({
+		jwt: IDL.Text,
+		salt: IDL.Vec(IDL.Nat8)
+	});
+	const AuthenticateAutomationArgs = IDL.Variant({
+		OpenId: OpenIdPrepareAutomationArgs
+	});
+	const AutomationScope = IDL.Variant({
+		Write: IDL.Null,
+		Submit: IDL.Null
+	});
+	const AutomationController = IDL.Record({
+		scope: AutomationScope,
+		expires_at: IDL.Nat64
+	});
+	const PrepareAutomationError = IDL.Variant({
+		JwtFindProvider: JwtFindProviderError,
+		InvalidController: IDL.Text,
+		GetCachedJwks: IDL.Null,
+		JwtVerify: JwtVerifyError,
+		GetOrFetchJwks: GetOrRefreshJwksError,
+		ControllerAlreadyExists: IDL.Null,
+		InvalidObservatoryId: IDL.Text,
+		TooManyControllers: IDL.Text
+	});
+	const AuthenticationAutomationError = IDL.Variant({
+		PrepareAutomation: PrepareAutomationError,
+		RegisterController: IDL.Text,
+		SaveWorkflowMetadata: IDL.Text,
+		SaveUniqueJtiToken: IDL.Text
+	});
+	const AuthenticateAutomationResultResponse = IDL.Variant({
+		Ok: IDL.Tuple(IDL.Principal, AutomationController),
+		Err: AuthenticationAutomationError
+	});
 	const CommitBatch = IDL.Record({
 		batch_id: IDL.Nat,
 		headers: IDL.Vec(IDL.Tuple(IDL.Text, IDL.Text)),
@@ -195,10 +231,6 @@ export const idlFactory = ({ IDL }) => {
 		rules: IDL.Opt(AuthenticationRules)
 	});
 	const OpenIdAutomationProvider = IDL.Variant({ GitHub: IDL.Null });
-	const AutomationScope = IDL.Variant({
-		Write: IDL.Null,
-		Submit: IDL.Null
-	});
 	const OpenIdAutomationProviderControllerConfig = IDL.Record({
 		scope: IDL.Opt(AutomationScope),
 		max_time_to_live: IDL.Opt(IDL.Nat64)
@@ -283,7 +315,8 @@ export const idlFactory = ({ IDL }) => {
 		NoSuchDelegation: IDL.Null,
 		JwtVerify: JwtVerifyError,
 		GetOrFetchJwks: GetOrRefreshJwksError,
-		DeriveSeedFailed: IDL.Text
+		DeriveSeedFailed: IDL.Text,
+		InvalidObservatoryId: IDL.Text
 	});
 	const GetDelegationResultResponse = IDL.Variant({
 		Ok: SignedDelegation,
@@ -484,6 +517,11 @@ export const idlFactory = ({ IDL }) => {
 
 	return IDL.Service({
 		authenticate: IDL.Func([AuthenticationArgs], [AuthenticateResultResponse], []),
+		authenticate_automation: IDL.Func(
+			[AuthenticateAutomationArgs],
+			[AuthenticateAutomationResultResponse],
+			[]
+		),
 		commit_asset_upload: IDL.Func([CommitBatch], [], []),
 		commit_proposal: IDL.Func([CommitProposal], [IDL.Null], []),
 		commit_proposal_asset_upload: IDL.Func([CommitBatch], [], []),