@absolutejs/auth 0.27.0-beta.1 → 0.27.0-beta.2

package/dist/index.d.ts

@@ -8437,6 +8437,8 @@ export { consumeBackupCode, generateBackupCodes } from './mfa/backupCodes';
 export { createMfaGate } from './mfa/gate';
 export { mfaChallenge } from './mfa/challenge';
 export { mfaRoutes } from './mfa/routes';
+export { rotateMfaEncryptionKey } from './mfa/rotation';
+export type { MfaKeyRotationResult } from './mfa/rotation';
 export { mfaTotpRoutes } from './mfa/totp';
 export { decryptTotpSecret, encryptTotpSecret } from './mfa/secret';
 export { createInMemoryMfaStore } from './mfa/inMemoryMfaStore';

package/dist/index.js

@@ -17843,6 +17843,56 @@ var createPostgresCredentialStore = (db) => ({
     await db.update(credentialsTable).set({ email_verified: true, updated_at_ms: Date.now() }).where(eq(credentialsTable.email, email.toLowerCase()));
   }
 });
+// src/mfa/rotation.ts
+var tryDecrypt = async (ciphertext, key) => {
+  try {
+    return await decryptTotpSecret(ciphertext, key);
+  } catch {
+    return;
+  }
+};
+var ensureReadable = async (ciphertext, key, userId) => {
+  if (await tryDecrypt(ciphertext, key) === undefined) {
+    throw new Error(`TOTP secret for ${userId} decrypts with neither the old nor the new key`);
+  }
+};
+var planEnrollment = async (enrollment, oldKey, newKey) => {
+  const ciphertext = enrollment.totpSecretCiphertext;
+  if (ciphertext === undefined || ciphertext.length === 0) {
+    const plan2 = { kind: "skip" };
+    return plan2;
+  }
+  const secret = await tryDecrypt(ciphertext, oldKey);
+  if (secret === undefined) {
+    await ensureReadable(ciphertext, newKey, enrollment.userId);
+    const plan2 = { kind: "already" };
+    return plan2;
+  }
+  const plan = {
+    enrollment: {
+      ...enrollment,
+      totpSecretCiphertext: await encryptTotpSecret(secret, newKey),
+      updatedAt: Date.now()
+    },
+    kind: "rotate"
+  };
+  return plan;
+};
+var rotateMfaEncryptionKey = async ({
+  mfaStore,
+  newKey,
+  oldKey
+}) => {
+  const enrollments = await mfaStore.listEnrollments();
+  const plans = await Promise.all(enrollments.map((enrollment) => planEnrollment(enrollment, oldKey, newKey)));
+  await Promise.all(plans.map((plan) => plan.kind === "rotate" ? mfaStore.saveEnrollment(plan.enrollment) : Promise.resolve()));
+  return {
+    alreadyRotated: plans.filter((plan) => plan.kind === "already").length,
+    rotated: plans.filter((plan) => plan.kind === "rotate").length,
+    skippedNoSecret: plans.filter((plan) => plan.kind === "skip").length,
+    total: plans.length
+  };
+};
 // src/mfa/inMemoryMfaStore.ts
 var cloneEnrollment = (value) => ({
   ...value,
@@ -17855,6 +17905,7 @@ var createInMemoryMfaStore = () => {
       const enrollment = enrollments.get(userId);
       return enrollment ? cloneEnrollment(enrollment) : undefined;
     },
+    listEnrollments: async () => Array.from(enrollments.values()).map(cloneEnrollment),
     removeEnrollment: async (userId) => {
       enrollments.delete(userId);
     },
@@ -17889,6 +17940,10 @@ var createPostgresMfaStore = (db) => ({
     const [row] = await db.select().from(mfaEnrollmentsTable).where(eq(mfaEnrollmentsTable.user_id, userId)).limit(1);
     return row ? toEnrollment(row) : undefined;
   },
+  listEnrollments: async () => {
+    const rows = await db.select().from(mfaEnrollmentsTable);
+    return rows.map(toEnrollment);
+  },
   removeEnrollment: async (userId) => {
     await db.delete(mfaEnrollmentsTable).where(eq(mfaEnrollmentsTable.user_id, userId));
   },
@@ -19438,6 +19493,7 @@ export {
   scimTokensTable,
   scimRoutes,
   samlSsoRoutes,
+  rotateMfaEncryptionKey,
   rolesTable,
   roleRoutes,
   revokeUserSessions,
@@ -19639,5 +19695,5 @@ export {
   AuthIdentityConflictError
 };
 
-//# debugId=E141C00026B64EA864756E2164756E21
+//# debugId=F0BD7B32BDA8B43664756E2164756E21
 //# sourceMappingURL=index.js.map