@absolutejs/auth 0.27.0-beta.1 → 0.27.0-beta.10

package/dist/abuse/captcha.d.ts

@@ -0,0 +1,11 @@
+import type { AbuseContext } from './config';
+export declare const verifyHcaptcha: ({ secret }: {
+    secret: string;
+}) => (token: string | undefined, context: AbuseContext) => Promise<boolean>;
+export declare const verifyRecaptcha: ({ minScore, secret }: {
+    minScore?: number;
+    secret: string;
+}) => (token: string | undefined, context: AbuseContext) => Promise<boolean>;
+export declare const verifyTurnstile: ({ secret }: {
+    secret: string;
+}) => (token: string | undefined, context: AbuseContext) => Promise<boolean>;

package/dist/abuse/config.d.ts

@@ -0,0 +1,29 @@
+export type AbuseAction = 'allow' | 'challenge' | 'deny';
+export type AbuseSignal = 'blocked_ip' | 'bot' | 'captcha_failed' | 'not_allowlisted';
+export type BotClass = 'agent' | 'bot' | 'crawler' | 'human';
+export type AbuseContext = {
+    captchaToken?: string;
+    ip?: string;
+    userAgent?: string;
+};
+export type AbuseReason = {
+    action: AbuseAction;
+    signal: AbuseSignal;
+};
+export type AbuseAssessment = {
+    action: AbuseAction;
+    reasons: AbuseReason[];
+};
+export type AbuseConfig = {
+    botAction?: AbuseAction;
+    captchaAction?: AbuseAction;
+    classifyBot?: (context: AbuseContext) => BotClass | Promise<BotClass>;
+    ipAllow?: string[];
+    ipDeny?: string[];
+    verifyCaptcha?: (token: string | undefined, context: AbuseContext) => boolean | Promise<boolean>;
+};
+export declare const assessAbuse: (config: AbuseConfig, context: AbuseContext) => Promise<AbuseAssessment>;
+export declare const createAbuseGuard: (config: AbuseConfig) => {
+    assess: (context: AbuseContext) => Promise<AbuseAssessment>;
+};
+export declare const defaultBotClassifier: (context: AbuseContext) => "bot" | "crawler" | "human";

package/dist/adaptive/config.d.ts

@@ -1,9 +1,13 @@
-import type { KnownDeviceStore, LoginHistoryStore, RiskAction, RiskAssessment, RiskContext, RiskSignal } from './types';
+import type { KnownDeviceStore, LoginHistoryStore, RiskAction, RiskAssessment, RiskContext, RiskSignal, RiskThresholds, RiskWeights, WeightedRiskAssessment } from './types';
 export type AdaptiveConfig = {
     historyLimit?: number;
     knownDeviceStore: KnownDeviceStore;
     loginHistoryStore: LoginHistoryStore;
     maxTravelKmh?: number;
+    offHours?: {
+        end: number;
+        start: number;
+    };
     rules?: Partial<Record<RiskSignal, RiskAction>>;
     velocityMaxAttempts?: number;
     velocityWindowMs?: number;
@@ -14,9 +18,17 @@ export declare const createRiskEngine: (config: AdaptiveConfig) => {
     recordAttempt: (context: RiskContext & {
         outcome: RiskAction;
     }) => Promise<void>;
+    scoreRisk: (context: RiskContext, options?: {
+        thresholds?: RiskThresholds;
+        weights?: RiskWeights;
+    }) => Promise<WeightedRiskAssessment>;
     trustDevice: (userId: string, deviceId: string, label?: string) => Promise<void>;
 };
 export declare const recordLoginAttempt: (config: AdaptiveConfig, context: RiskContext & {
     outcome: RiskAction;
 }) => Promise<void>;
+export declare const scoreRisk: (config: AdaptiveConfig & {
+    thresholds?: RiskThresholds;
+    weights?: RiskWeights;
+}, context: RiskContext) => Promise<WeightedRiskAssessment>;
 export declare const trustDevice: (config: AdaptiveConfig, userId: string, deviceId: string, label?: string) => Promise<void>;

package/dist/adaptive/fingerprint.d.ts

@@ -0,0 +1,2 @@
+export type DeviceSignals = Record<string, unknown>;
+export declare const fingerprintDevice: (signals: DeviceSignals) => Promise<string>;

package/dist/adaptive/types.d.ts

@@ -1,5 +1,5 @@
 export type RiskAction = 'allow' | 'deny' | 'step_up';
-export type RiskSignal = 'impossible_travel' | 'new_country' | 'new_device' | 'velocity';
+export type RiskSignal = 'impossible_travel' | 'new_country' | 'new_device' | 'off_hours' | 'proxy' | 'velocity';
 export type GeoPoint = {
     country?: string;
     latitude?: number;
@@ -9,6 +9,8 @@ export type RiskContext = {
     deviceId: string;
     geo?: GeoPoint;
     ipAddress?: string;
+    isProxy?: boolean;
+    localHour?: number;
     now?: number;
     userId: string;
 };
@@ -20,6 +22,16 @@ export type RiskAssessment = {
     action: RiskAction;
     reasons: RiskReason[];
 };
+export type RiskWeights = Partial<Record<RiskSignal, number>>;
+export type RiskThresholds = {
+    deny: number;
+    stepUp: number;
+};
+export type WeightedRiskAssessment = {
+    action: RiskAction;
+    reasons: RiskReason[];
+    score: number;
+};
 export type KnownDevice = {
     deviceId: string;
     firstSeenAt: number;

package/dist/apikeys/routes.d.ts

@@ -47,9 +47,9 @@ export declare const apiKeysRoutes: ({ accessTokenStore, accessTokenTtlMs, apiCl
         post: {
             body: {
                 client_id?: string | undefined;
+                scope?: string | undefined;
                 client_secret?: string | undefined;
                 grant_type?: string | undefined;
-                scope?: string | undefined;
             };
             params: {};
             query: unknown;

package/dist/audit/export.d.ts

@@ -0,0 +1,2 @@
+import type { AuditEvent } from './types';
+export declare const exportAuditCsv: (events: AuditEvent[]) => string;

package/dist/audit/integrity.d.ts

@@ -0,0 +1,19 @@
+import type { AuditEvent, AuditSink } from './types';
+export type AuditIntegrity = {
+    hash: string;
+    previousHash: string;
+    writerId?: string;
+};
+export type AuditChainResult = {
+    brokenAt?: number;
+    ok: boolean;
+};
+export declare const createTamperEvidentSink: ({ loadWriterHead, secret, seedScanLimit, sink, writerId }: {
+    loadWriterHead?: (writerId: string) => Promise<string | undefined> | string | undefined;
+    secret?: string;
+    seedScanLimit?: number;
+    sink: AuditSink;
+    writerId?: string;
+}) => AuditSink;
+export declare const hashAuditEvent: (event: AuditEvent, previousHash: string, secret?: string) => Promise<string>;
+export declare const verifyAuditChain: (events: AuditEvent[], secret?: string) => Promise<AuditChainResult>;

package/dist/audit/siem.d.ts

@@ -0,0 +1,11 @@
+import type { AuditSink } from './types';
+export type SiemFormat = 'datadog' | 'generic' | 'splunk';
+export type SiemEndpoint = {
+    format?: SiemFormat;
+    headers?: Record<string, string>;
+    token?: string;
+    url: string;
+};
+export declare const createSiemLogStream: ({ endpoints }: {
+    endpoints: SiemEndpoint[];
+}) => AuditSink;

package/dist/audit/types.d.ts

@@ -1,5 +1,5 @@
 import type { OrganizationId } from '../tenancy';
-export type AuditEventType = 'account_deleted' | 'authorization_denied' | 'credentials_login' | 'credentials_login_failed' | 'data_exported' | 'email_verified' | 'identity_conflict' | 'invitation_accepted' | 'invitation_created' | 'logout' | 'membership_removed' | 'mfa_challenge' | 'mfa_challenge_failed' | 'mfa_enrolled' | 'oauth_login' | 'organization_created' | 'password_reset' | 'passwordless_login' | 'register' | 'role_assigned' | 'scim_provision' | 'scim_token_created' | 'session_revoked' | 'setup_session_created' | 'sso_connection_configured' | 'sso_login' | 'token_refreshed' | 'token_revoked' | 'webauthn_authenticated' | 'webauthn_registered';
+export type AuditEventType = 'account_deleted' | 'authorization_denied' | 'credentials_login' | 'credentials_login_failed' | 'data_exported' | 'email_verified' | 'identity_conflict' | 'impersonation_ended' | 'impersonation_started' | 'invitation_accepted' | 'invitation_created' | 'logout' | 'membership_removed' | 'mfa_challenge' | 'mfa_challenge_failed' | 'mfa_enrolled' | 'oauth_login' | 'organization_created' | 'password_reset' | 'passwordless_login' | 'register' | 'role_assigned' | 'scim_provision' | 'scim_token_created' | 'session_revoked' | 'setup_session_created' | 'sso_connection_configured' | 'sso_login' | 'token_refreshed' | 'token_revoked' | 'webauthn_authenticated' | 'webauthn_registered';
 export type AuditEvent = {
     at: number;
     ip?: string;
@@ -15,4 +15,5 @@ export type AuditEventFilter = {
 export type AuditSink = {
     append: (event: AuditEvent) => Promise<void>;
     list?: (filter?: AuditEventFilter) => Promise<AuditEvent[]>;
+    prune?: (before: number) => Promise<number>;
 };

package/dist/credentials/config.d.ts

@@ -19,6 +19,7 @@ export type CredentialEmailMessage = {
     type: CredentialEmailType;
 };
 export type CredentialsConfig<UserType> = {
+    checkBreachesOnLogin?: boolean;
     credentialStore: CredentialStore;
     getUserByEmail: (email: string) => Promise<UserType | null | undefined> | UserType | null | undefined;
     isMfaRequired?: (user: UserType) => boolean | Promise<boolean>;

package/dist/credentials/emailValidation.d.ts

@@ -0,0 +1,9 @@
+export type EmailValidationResult = {
+    ok: boolean;
+    reason?: 'disposable' | 'invalid_format' | 'no_mx';
+};
+export declare const isDisposableEmail: (email: string, extraDomains?: Iterable<string>) => boolean;
+export declare const validateEmailDeliverability: (email: string, options?: {
+    checkMx?: boolean;
+    disposableDomains?: Iterable<string>;
+}) => Promise<EmailValidationResult>;

package/dist/credentials/login.d.ts

@@ -1,6 +1,6 @@
 import { Elysia } from 'elysia';
 import { type CredentialRouteProps } from './config';
-export declare const credentialsLogin: <UserType>({ authSessionStore, credentialStore, getUserByEmail, isMfaRequired, lockoutGuard, loginRoute, onCredentialsLoginError, onCredentialsLoginSuccess, requireEmailVerification, sessionDurationMs }: CredentialRouteProps<UserType>) => Elysia<"", {
+export declare const credentialsLogin: <UserType>({ authSessionStore, checkBreachesOnLogin, credentialStore, getUserByEmail, isMfaRequired, lockoutGuard, loginRoute, onCredentialsLoginError, onCredentialsLoginSuccess, requireEmailVerification, sessionDurationMs }: CredentialRouteProps<UserType>) => Elysia<"", {
     decorator: {};
     store: {
         session: import("..").SessionRecord<UserType>;
@@ -32,6 +32,7 @@ export declare const credentialsLogin: <UserType>({ authSessionStore, credential
                 200: {
                     readonly status: "mfa_required";
                 } | {
+                    readonly passwordCompromised: boolean;
                     readonly status: "authenticated";
                 };
                 401: "Invalid email or password";

package/dist/credentials/passwordPolicy.d.ts

@@ -12,3 +12,4 @@ export type PasswordPolicyResult = {
     violations: PasswordPolicyViolation[];
 };
 export declare const evaluatePassword: (password: string, policy?: PasswordPolicy) => Promise<PasswordPolicyResult>;
+export declare const isPasswordCompromised: (password: string) => Promise<boolean>;

package/dist/credentials/routes.d.ts

@@ -100,6 +100,7 @@ export declare const credentialRoutes: <UserType>(config: CredentialRouteProps<U
                 200: {
                     readonly status: "mfa_required";
                 } | {
+                    readonly passwordCompromised: boolean;
                     readonly status: "authenticated";
                 };
                 401: "Invalid email or password";

package/dist/fga/config.d.ts

@@ -0,0 +1,53 @@
+import type { FgaSchema, Warrant, WarrantStore } from './types';
+export type FgaCache = {
+    clear: () => void;
+    get: (key: string) => boolean | undefined;
+    set: (key: string, value: boolean) => void;
+};
+export type FgaConfig = {
+    cache?: FgaCache;
+    maxDepth?: number;
+    schema: FgaSchema;
+    warrantStore: WarrantStore;
+};
+export type CheckQuery = {
+    relation: string;
+    resourceId: string;
+    resourceType: string;
+    subjectId: string;
+    subjectType: string;
+};
+export type Subject = {
+    subjectId: string;
+    subjectType: string;
+};
+export type ObjectQuery = {
+    relation: string;
+    resourceType: string;
+    subjectId: string;
+    subjectType: string;
+};
+export declare const check: (config: FgaConfig, query: CheckQuery) => Promise<boolean>;
+export declare const createInMemoryCheckCache: ({ maxEntries, ttlMs }?: {
+    maxEntries?: number;
+    ttlMs?: number;
+}) => FgaCache;
+export declare const createFgaEngine: (config: FgaConfig) => {
+    check: (query: CheckQuery) => Promise<boolean>;
+    deleteWarrant: (warrant: Warrant) => Promise<void>;
+    listObjects: (query: ObjectQuery) => Promise<string[]>;
+    listSubjects: (query: {
+        relation: string;
+        resourceId: string;
+        resourceType: string;
+    }) => Promise<Subject[]>;
+    writeWarrant: (warrant: Warrant) => Promise<void>;
+};
+export declare const deleteWarrant: (config: FgaConfig, warrant: Warrant) => Promise<void>;
+export declare const listObjects: (config: FgaConfig, query: ObjectQuery) => Promise<string[]>;
+export declare const listSubjects: (config: FgaConfig, query: {
+    relation: string;
+    resourceId: string;
+    resourceType: string;
+}) => Promise<Subject[]>;
+export declare const writeWarrant: (config: FgaConfig, warrant: Warrant) => Promise<void>;

package/dist/fga/inMemoryStores.d.ts

@@ -0,0 +1,3 @@
+import type { Warrant, WarrantStore } from './types';
+export declare const createInMemoryWarrantStore: () => WarrantStore;
+export declare const warrantKey: (warrant: Warrant) => string;

package/dist/fga/postgresStores.d.ts

@@ -0,0 +1,144 @@
+import { type AnyPgDatabase } from '../stores/postgres';
+import type { WarrantStore } from './types';
+export declare const warrantsTable: import("drizzle-orm/pg-core").PgTableWithColumns<{
+    name: "auth_fga_warrants";
+    schema: undefined;
+    columns: {
+        id: import("drizzle-orm/pg-core").PgColumn<{
+            name: "id";
+            tableName: "auth_fga_warrants";
+            dataType: "string";
+            columnType: "PgVarchar";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: true;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: 255;
+        }>;
+        relation: import("drizzle-orm/pg-core").PgColumn<{
+            name: "relation";
+            tableName: "auth_fga_warrants";
+            dataType: "string";
+            columnType: "PgVarchar";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: 255;
+        }>;
+        resource_id: import("drizzle-orm/pg-core").PgColumn<{
+            name: "resource_id";
+            tableName: "auth_fga_warrants";
+            dataType: "string";
+            columnType: "PgVarchar";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: 255;
+        }>;
+        resource_type: import("drizzle-orm/pg-core").PgColumn<{
+            name: "resource_type";
+            tableName: "auth_fga_warrants";
+            dataType: "string";
+            columnType: "PgVarchar";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: 255;
+        }>;
+        subject_id: import("drizzle-orm/pg-core").PgColumn<{
+            name: "subject_id";
+            tableName: "auth_fga_warrants";
+            dataType: "string";
+            columnType: "PgVarchar";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: 255;
+        }>;
+        subject_relation: import("drizzle-orm/pg-core").PgColumn<{
+            name: "subject_relation";
+            tableName: "auth_fga_warrants";
+            dataType: "string";
+            columnType: "PgVarchar";
+            data: string;
+            driverParam: string;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: 255;
+        }>;
+        subject_type: import("drizzle-orm/pg-core").PgColumn<{
+            name: "subject_type";
+            tableName: "auth_fga_warrants";
+            dataType: "string";
+            columnType: "PgVarchar";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: 255;
+        }>;
+    };
+    dialect: "pg";
+}>;
+export declare const createNeonWarrantStore: (databaseUrl: string) => WarrantStore;
+export declare const createPostgresWarrantStore: (db: AnyPgDatabase) => WarrantStore;

package/dist/fga/schema.d.ts

@@ -0,0 +1,2 @@
+import type { FgaSchema } from './types';
+export declare const parseSchema: (dsl: string) => FgaSchema;

package/dist/fga/types.d.ts

@@ -0,0 +1,28 @@
+export type Warrant = {
+    relation: string;
+    resourceId: string;
+    resourceType: string;
+    subjectId: string;
+    subjectRelation?: string;
+    subjectType: string;
+};
+export type WarrantStore = {
+    deleteWarrant: (warrant: Warrant) => Promise<void>;
+    listForResource: (resourceType: string, resourceId: string, relation: string) => Promise<Warrant[]>;
+    listResourceIds: (resourceType: string) => Promise<string[]>;
+    saveWarrant: (warrant: Warrant) => Promise<void>;
+};
+export type RelationRule = {
+    kind: 'computedUserset';
+    relation: string;
+} | {
+    kind: 'self';
+} | {
+    kind: 'tupleToUserset';
+    relation: string;
+    viaRelation: string;
+} | {
+    kind: 'union';
+    rules: RelationRule[];
+};
+export type FgaSchema = Record<string, Record<string, RelationRule>>;