@absolutejs/auth 0.27.0-beta.5 → 0.27.0-beta.7

package/dist/credentials/config.d.ts

@@ -19,6 +19,7 @@ export type CredentialEmailMessage = {
     type: CredentialEmailType;
 };
 export type CredentialsConfig<UserType> = {
+    checkBreachesOnLogin?: boolean;
     credentialStore: CredentialStore;
     getUserByEmail: (email: string) => Promise<UserType | null | undefined> | UserType | null | undefined;
     isMfaRequired?: (user: UserType) => boolean | Promise<boolean>;

package/dist/credentials/emailValidation.d.ts

@@ -0,0 +1,9 @@
+export type EmailValidationResult = {
+    ok: boolean;
+    reason?: 'disposable' | 'invalid_format' | 'no_mx';
+};
+export declare const isDisposableEmail: (email: string, extraDomains?: Iterable<string>) => boolean;
+export declare const validateEmailDeliverability: (email: string, options?: {
+    checkMx?: boolean;
+    disposableDomains?: Iterable<string>;
+}) => Promise<EmailValidationResult>;

package/dist/credentials/login.d.ts

@@ -1,6 +1,6 @@
 import { Elysia } from 'elysia';
 import { type CredentialRouteProps } from './config';
-export declare const credentialsLogin: <UserType>({ authSessionStore, credentialStore, getUserByEmail, isMfaRequired, lockoutGuard, loginRoute, onCredentialsLoginError, onCredentialsLoginSuccess, requireEmailVerification, sessionDurationMs }: CredentialRouteProps<UserType>) => Elysia<"", {
+export declare const credentialsLogin: <UserType>({ authSessionStore, checkBreachesOnLogin, credentialStore, getUserByEmail, isMfaRequired, lockoutGuard, loginRoute, onCredentialsLoginError, onCredentialsLoginSuccess, requireEmailVerification, sessionDurationMs }: CredentialRouteProps<UserType>) => Elysia<"", {
     decorator: {};
     store: {
         session: import("..").SessionRecord<UserType>;
@@ -32,6 +32,7 @@ export declare const credentialsLogin: <UserType>({ authSessionStore, credential
                 200: {
                     readonly status: "mfa_required";
                 } | {
+                    readonly passwordCompromised: boolean;
                     readonly status: "authenticated";
                 };
                 401: "Invalid email or password";

package/dist/credentials/passwordPolicy.d.ts

@@ -12,3 +12,4 @@ export type PasswordPolicyResult = {
     violations: PasswordPolicyViolation[];
 };
 export declare const evaluatePassword: (password: string, policy?: PasswordPolicy) => Promise<PasswordPolicyResult>;
+export declare const isPasswordCompromised: (password: string) => Promise<boolean>;

package/dist/credentials/routes.d.ts

@@ -100,6 +100,7 @@ export declare const credentialRoutes: <UserType>(config: CredentialRouteProps<U
                 200: {
                     readonly status: "mfa_required";
                 } | {
+                    readonly passwordCompromised: boolean;
                     readonly status: "authenticated";
                 };
                 401: "Invalid email or password";

package/dist/index.d.ts

@@ -12725,6 +12725,7 @@ export declare const auth: <UserType>({ providersConfiguration, authorizeRoute,
                 200: {
                     readonly status: "mfa_required";
                 } | {
+                    readonly passwordCompromised: boolean;
                     readonly status: "authenticated";
                 };
                 401: "Invalid email or password";
@@ -14652,6 +14653,8 @@ export { sessionRoutes } from './routes/sessions';
 export { stepUpPlugin } from './routes/stepUp';
 export * from './session/sessionsConfig';
 export { endImpersonation, isImpersonating, startImpersonation } from './session/impersonation';
+export { createAnonymousSession, isAnonymousSession } from './session/anonymous';
+export { addToSessionRing, listRingSessions, readSessionRing, removeFromSessionRing, switchActiveSession } from './session/multiSession';
 export { listUserSessions, revokeUserSessions } from './session/userSessions';
 export type { UserSession } from './session/userSessions';
 export { sessionCleanup } from './session/cleanup';
@@ -14666,6 +14669,7 @@ export * from './crypto';
 export * from './tenancy';
 export * from './credentials/config';
 export * from './credentials/passwordPolicy';
+export * from './credentials/emailValidation';
 export * from './credentials/types';
 export { credentialRoutes } from './credentials/routes';
 export { credentialsEmailVerification } from './credentials/emailVerification';

package/dist/index.js

@@ -3213,6 +3213,7 @@ var persistWhen = async (shouldPersist, persist) => {
     await persist();
 };
 var promoteToSession = async ({
+  anonymous,
   authSessionStore,
   cookie,
   impersonator,
@@ -3236,6 +3237,8 @@ var promoteToSession = async ({
     data.samlLogout = samlLogout;
   if (impersonator !== undefined)
     data.impersonator = impersonator;
+  if (anonymous === true)
+    data.anonymous = true;
   targetSession[userSessionId] = data;
   cookie.set({
     httpOnly: true,
@@ -3388,8 +3391,60 @@ var credentialsEmailVerification = ({
 
 // src/credentials/login.ts
 import { Elysia as Elysia6, t as t6 } from "elysia";
+
+// src/credentials/passwordPolicy.ts
+var DEFAULT_MIN_LENGTH = 12;
+var HEX_RADIX = 16;
+var HIBP_PREFIX_LENGTH = 5;
+var HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/";
+var sha1Hex = async (input) => {
+  const digest = await crypto.subtle.digest("SHA-1", new TextEncoder().encode(input));
+  return [...new Uint8Array(digest)].map((byte) => byte.toString(HEX_RADIX).padStart(2, "0")).join("").toUpperCase();
+};
+var isPasswordBreached = async (password) => {
+  try {
+    const hash = await sha1Hex(password);
+    const prefix = hash.slice(0, HIBP_PREFIX_LENGTH);
+    const suffix = hash.slice(HIBP_PREFIX_LENGTH);
+    const response = await fetch(`${HIBP_RANGE_URL}${prefix}`);
+    if (!response.ok)
+      return false;
+    const body = await response.text();
+    return body.split(`
+`).some((line) => line.split(":")[0]?.trim() === suffix);
+  } catch {
+    return false;
+  }
+};
+var evaluatePassword = async (password, policy = {}) => {
+  const minLength = policy.minLength ?? DEFAULT_MIN_LENGTH;
+  const violations = [];
+  if (password.length < minLength) {
+    violations.push("too_short");
+  }
+  if (policy.requireUppercase && !/[A-Z]/u.test(password)) {
+    violations.push("missing_uppercase");
+  }
+  if (policy.requireLowercase && !/[a-z]/u.test(password)) {
+    violations.push("missing_lowercase");
+  }
+  if (policy.requireDigit && !/\d/u.test(password)) {
+    violations.push("missing_digit");
+  }
+  if (policy.requireSymbol && !/[^A-Za-z0-9]/u.test(password)) {
+    violations.push("missing_symbol");
+  }
+  if (policy.checkBreaches && await isPasswordBreached(password)) {
+    violations.push("breached");
+  }
+  return { ok: violations.length === 0, violations };
+};
+var isPasswordCompromised = (password) => isPasswordBreached(password);
+
+// src/credentials/login.ts
 var credentialsLogin = ({
   authSessionStore,
+  checkBreachesOnLogin,
   credentialStore,
   getUserByEmail,
   isMfaRequired,
@@ -3448,6 +3503,7 @@ var credentialsLogin = ({
     await persistWhen(authSessionStore !== undefined, compatibilityLayer.persist);
     return status("OK", { status: "mfa_required" });
   }
+  const passwordCompromised = checkBreachesOnLogin ? await isPasswordCompromised(password) : false;
   const userSessionId = await promoteToSession({
     authSessionStore,
     cookie: user_session_id,
@@ -3456,7 +3512,7 @@ var credentialsLogin = ({
     user
   });
   await onCredentialsLoginSuccess?.({ user, userSessionId });
-  return status("OK", { status: "authenticated" });
+  return status("OK", { passwordCompromised, status: "authenticated" });
 }, {
   body: t6.Object({ email: t6.String(), password: t6.String() }),
   cookie: t6.Cookie({ user_session_id: userSessionIdTypebox })
@@ -3464,56 +3520,6 @@ var credentialsLogin = ({
 
 // src/credentials/passwordReset.ts
 import { Elysia as Elysia7, t as t7 } from "elysia";
-
-// src/credentials/passwordPolicy.ts
-var DEFAULT_MIN_LENGTH = 12;
-var HEX_RADIX = 16;
-var HIBP_PREFIX_LENGTH = 5;
-var HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/";
-var sha1Hex = async (input) => {
-  const digest = await crypto.subtle.digest("SHA-1", new TextEncoder().encode(input));
-  return [...new Uint8Array(digest)].map((byte) => byte.toString(HEX_RADIX).padStart(2, "0")).join("").toUpperCase();
-};
-var isPasswordBreached = async (password) => {
-  try {
-    const hash = await sha1Hex(password);
-    const prefix = hash.slice(0, HIBP_PREFIX_LENGTH);
-    const suffix = hash.slice(HIBP_PREFIX_LENGTH);
-    const response = await fetch(`${HIBP_RANGE_URL}${prefix}`);
-    if (!response.ok)
-      return false;
-    const body = await response.text();
-    return body.split(`
-`).some((line) => line.split(":")[0]?.trim() === suffix);
-  } catch {
-    return false;
-  }
-};
-var evaluatePassword = async (password, policy = {}) => {
-  const minLength = policy.minLength ?? DEFAULT_MIN_LENGTH;
-  const violations = [];
-  if (password.length < minLength) {
-    violations.push("too_short");
-  }
-  if (policy.requireUppercase && !/[A-Z]/u.test(password)) {
-    violations.push("missing_uppercase");
-  }
-  if (policy.requireLowercase && !/[a-z]/u.test(password)) {
-    violations.push("missing_lowercase");
-  }
-  if (policy.requireDigit && !/\d/u.test(password)) {
-    violations.push("missing_digit");
-  }
-  if (policy.requireSymbol && !/[^A-Za-z0-9]/u.test(password)) {
-    violations.push("missing_symbol");
-  }
-  if (policy.checkBreaches && await isPasswordBreached(password)) {
-    violations.push("breached");
-  }
-  return { ok: violations.length === 0, violations };
-};
-
-// src/credentials/passwordReset.ts
 var credentialsPasswordReset = ({
   credentialStore,
   onPasswordReset,
@@ -18141,6 +18147,90 @@ var startImpersonation = async ({
   });
   return sessionId;
 };
+// src/session/anonymous.ts
+var DEFAULT_GUEST_TTL_MS = MILLISECONDS_IN_A_DAY;
+var createAnonymousSession = async ({
+  authSessionStore,
+  cookie,
+  guestUser,
+  inMemorySession,
+  sessionDurationMs = DEFAULT_GUEST_TTL_MS
+}) => promoteToSession({
+  anonymous: true,
+  authSessionStore,
+  cookie,
+  inMemorySession,
+  sessionDurationMs,
+  user: guestUser
+});
+var isAnonymousSession = (session) => session?.anonymous === true;
+// src/session/multiSession.ts
+var SEPARATOR = " ";
+var writeRing = (ring, ids) => ring.set({
+  httpOnly: true,
+  sameSite: "lax",
+  secure: true,
+  value: ids.join(SEPARATOR)
+});
+var readRing = (ring) => (ring.value ?? "").split(SEPARATOR).filter((entry) => isUserSessionId(entry));
+var addToSessionRing = (ring, sessionId) => writeRing(ring, [...new Set([...readRing(ring), sessionId])]);
+var listRingSessions = async ({
+  authSessionStore,
+  inMemorySession,
+  ring
+}) => {
+  const resolved = await Promise.all(readRing(ring).map(async (sessionId) => {
+    const session = await loadSessionFromSource({
+      authSessionStore,
+      session: inMemorySession,
+      userSessionId: sessionId
+    });
+    return session === undefined ? undefined : { sessionId, user: session.user };
+  }));
+  return resolved.filter((entry) => entry !== undefined);
+};
+var readSessionRing = (ring) => readRing(ring);
+var removeFromSessionRing = async ({
+  activeCookie,
+  authSessionStore,
+  inMemorySession,
+  ring,
+  sessionId
+}) => {
+  const remaining = readRing(ring).filter((id) => id !== sessionId);
+  writeRing(ring, remaining);
+  if (authSessionStore)
+    await authSessionStore.removeSession(sessionId);
+  else if (inMemorySession)
+    delete inMemorySession[sessionId];
+  if (activeCookie?.value !== sessionId)
+    return;
+  const [fallback] = remaining;
+  if (fallback === undefined)
+    activeCookie.remove();
+  else
+    activeCookie.set({
+      httpOnly: true,
+      sameSite: "lax",
+      secure: true,
+      value: fallback
+    });
+};
+var switchActiveSession = ({
+  activeCookie,
+  ring,
+  sessionId
+}) => {
+  if (!readRing(ring).includes(sessionId))
+    return false;
+  activeCookie.set({
+    httpOnly: true,
+    sameSite: "lax",
+    secure: true,
+    value: sessionId
+  });
+  return true;
+};
 // src/utils.ts
 var defineAuthConfig = (configuration) => configuration;
 var defineAuthHtmxConfig = (htmxConfig) => htmxConfig;
@@ -18316,6 +18406,48 @@ var getUserSessionId = ({
 };
 // src/tenancy.ts
 var hasOrganizationScope = (value) => typeof value.organizationId === "string" && value.organizationId.length > 0;
+// src/credentials/emailValidation.ts
+import { resolveMx } from "dns/promises";
+var EMAIL_PATTERN = /^[^\s@]+@[^\s@]+\.[^\s@]+$/u;
+var DISPOSABLE_DOMAINS = new Set([
+  "10minutemail.com",
+  "fakeinbox.com",
+  "getnada.com",
+  "guerrillamail.com",
+  "mailinator.com",
+  "maildrop.cc",
+  "sharklasers.com",
+  "temp-mail.org",
+  "tempmail.com",
+  "throwaway.email",
+  "trashmail.com",
+  "yopmail.com"
+]);
+var domainOf = (email) => email.slice(email.lastIndexOf("@") + 1).toLowerCase();
+var hasMxRecord = async (domain) => {
+  try {
+    return (await resolveMx(domain)).length > 0;
+  } catch {
+    return false;
+  }
+};
+var isDisposableEmail = (email, extraDomains) => {
+  const domain = domainOf(email);
+  return DISPOSABLE_DOMAINS.has(domain) || extraDomains !== undefined && new Set(extraDomains).has(domain);
+};
+var validateEmailDeliverability = async (email, options) => {
+  const normalized = email.trim().toLowerCase();
+  if (!EMAIL_PATTERN.test(normalized)) {
+    return { ok: false, reason: "invalid_format" };
+  }
+  if (isDisposableEmail(normalized, options?.disposableDomains)) {
+    return { ok: false, reason: "disposable" };
+  }
+  if (options?.checkMx === true && !await hasMxRecord(domainOf(normalized))) {
+    return { ok: false, reason: "no_mx" };
+  }
+  return { ok: true };
+};
 // src/credentials/inMemoryCredentialStore.ts
 var cloneCredential = (value) => ({
   ...value
@@ -20580,9 +20712,11 @@ export {
   verifyApiKey,
   verifyAccessToken,
   validateSession,
+  validateEmailDeliverability,
   userSessionIdTypebox,
   trustDevice,
   toPublicJwk,
+  switchActiveSession,
   stepUpPlugin,
   startImpersonation,
   ssoDiscoveryRoute,
@@ -20612,8 +20746,10 @@ export {
   resolveClientProviderEntry,
   resolveAuthHtmxRenderers,
   resolveApiPrincipal,
+  removeFromSessionRing,
   refreshableProviderOptions,
   recordLoginAttempt,
+  readSessionRing,
   providers,
   providerOptions,
   protectRoutePlugin,
@@ -20642,6 +20778,7 @@ export {
   listUserSessions,
   listUserOrganizations,
   listSubjects,
+  listRingSessions,
   knownDevicesTable,
   jwkThumbprint,
   issueTokenSet,
@@ -20652,11 +20789,14 @@ export {
   isRevocableOAuth2Client,
   isRefreshableProviderOption,
   isRefreshableOAuth2Client,
+  isPasswordCompromised,
   isPKCEProviderOption,
   isOIDCProviderOption,
   isMfaEnrolled,
   isImpersonating,
+  isDisposableEmail,
   isAuthIntent,
+  isAnonymousSession,
   inviteToOrganization,
   instantiateUserSession,
   hashToken,
@@ -20784,6 +20924,7 @@ export {
   createAuditEmitter,
   createApiKey,
   createApiClient,
+  createAnonymousSession,
   createAbuseGuard,
   consumeBackupCode,
   constantTimeEqual,
@@ -20802,6 +20943,7 @@ export {
   apiKeysTable,
   apiKeysRoutes,
   apiClientsTable,
+  addToSessionRing,
   accessTokensTable,
   acceptInvitation,
   WEBAUTHN_CHALLENGE_COOKIE,
@@ -20834,5 +20976,5 @@ export {
   AuthIdentityConflictError
 };
 
-//# debugId=514E4AE78CF406D164756E2164756E21
+//# debugId=580D3E8ACE9EF4E864756E2164756E21
 //# sourceMappingURL=index.js.map