@absolutejs/auth 0.27.0-beta.6 → 0.27.0-beta.7

package/dist/credentials/config.d.ts

@@ -19,6 +19,7 @@ export type CredentialEmailMessage = {
     type: CredentialEmailType;
 };
 export type CredentialsConfig<UserType> = {
+    checkBreachesOnLogin?: boolean;
     credentialStore: CredentialStore;
     getUserByEmail: (email: string) => Promise<UserType | null | undefined> | UserType | null | undefined;
     isMfaRequired?: (user: UserType) => boolean | Promise<boolean>;

package/dist/credentials/login.d.ts

@@ -1,6 +1,6 @@
 import { Elysia } from 'elysia';
 import { type CredentialRouteProps } from './config';
-export declare const credentialsLogin: <UserType>({ authSessionStore, credentialStore, getUserByEmail, isMfaRequired, lockoutGuard, loginRoute, onCredentialsLoginError, onCredentialsLoginSuccess, requireEmailVerification, sessionDurationMs }: CredentialRouteProps<UserType>) => Elysia<"", {
+export declare const credentialsLogin: <UserType>({ authSessionStore, checkBreachesOnLogin, credentialStore, getUserByEmail, isMfaRequired, lockoutGuard, loginRoute, onCredentialsLoginError, onCredentialsLoginSuccess, requireEmailVerification, sessionDurationMs }: CredentialRouteProps<UserType>) => Elysia<"", {
     decorator: {};
     store: {
         session: import("..").SessionRecord<UserType>;
@@ -32,6 +32,7 @@ export declare const credentialsLogin: <UserType>({ authSessionStore, credential
                 200: {
                     readonly status: "mfa_required";
                 } | {
+                    readonly passwordCompromised: boolean;
                     readonly status: "authenticated";
                 };
                 401: "Invalid email or password";

package/dist/credentials/routes.d.ts

@@ -100,6 +100,7 @@ export declare const credentialRoutes: <UserType>(config: CredentialRouteProps<U
                 200: {
                     readonly status: "mfa_required";
                 } | {
+                    readonly passwordCompromised: boolean;
                     readonly status: "authenticated";
                 };
                 401: "Invalid email or password";

package/dist/index.d.ts

@@ -12725,6 +12725,7 @@ export declare const auth: <UserType>({ providersConfiguration, authorizeRoute,
                 200: {
                     readonly status: "mfa_required";
                 } | {
+                    readonly passwordCompromised: boolean;
                     readonly status: "authenticated";
                 };
                 401: "Invalid email or password";

package/dist/index.js

@@ -3391,8 +3391,60 @@ var credentialsEmailVerification = ({
 
 // src/credentials/login.ts
 import { Elysia as Elysia6, t as t6 } from "elysia";
+
+// src/credentials/passwordPolicy.ts
+var DEFAULT_MIN_LENGTH = 12;
+var HEX_RADIX = 16;
+var HIBP_PREFIX_LENGTH = 5;
+var HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/";
+var sha1Hex = async (input) => {
+  const digest = await crypto.subtle.digest("SHA-1", new TextEncoder().encode(input));
+  return [...new Uint8Array(digest)].map((byte) => byte.toString(HEX_RADIX).padStart(2, "0")).join("").toUpperCase();
+};
+var isPasswordBreached = async (password) => {
+  try {
+    const hash = await sha1Hex(password);
+    const prefix = hash.slice(0, HIBP_PREFIX_LENGTH);
+    const suffix = hash.slice(HIBP_PREFIX_LENGTH);
+    const response = await fetch(`${HIBP_RANGE_URL}${prefix}`);
+    if (!response.ok)
+      return false;
+    const body = await response.text();
+    return body.split(`
+`).some((line) => line.split(":")[0]?.trim() === suffix);
+  } catch {
+    return false;
+  }
+};
+var evaluatePassword = async (password, policy = {}) => {
+  const minLength = policy.minLength ?? DEFAULT_MIN_LENGTH;
+  const violations = [];
+  if (password.length < minLength) {
+    violations.push("too_short");
+  }
+  if (policy.requireUppercase && !/[A-Z]/u.test(password)) {
+    violations.push("missing_uppercase");
+  }
+  if (policy.requireLowercase && !/[a-z]/u.test(password)) {
+    violations.push("missing_lowercase");
+  }
+  if (policy.requireDigit && !/\d/u.test(password)) {
+    violations.push("missing_digit");
+  }
+  if (policy.requireSymbol && !/[^A-Za-z0-9]/u.test(password)) {
+    violations.push("missing_symbol");
+  }
+  if (policy.checkBreaches && await isPasswordBreached(password)) {
+    violations.push("breached");
+  }
+  return { ok: violations.length === 0, violations };
+};
+var isPasswordCompromised = (password) => isPasswordBreached(password);
+
+// src/credentials/login.ts
 var credentialsLogin = ({
   authSessionStore,
+  checkBreachesOnLogin,
   credentialStore,
   getUserByEmail,
   isMfaRequired,
@@ -3451,6 +3503,7 @@ var credentialsLogin = ({
     await persistWhen(authSessionStore !== undefined, compatibilityLayer.persist);
     return status("OK", { status: "mfa_required" });
   }
+  const passwordCompromised = checkBreachesOnLogin ? await isPasswordCompromised(password) : false;
   const userSessionId = await promoteToSession({
     authSessionStore,
     cookie: user_session_id,
@@ -3459,7 +3512,7 @@ var credentialsLogin = ({
     user
   });
   await onCredentialsLoginSuccess?.({ user, userSessionId });
-  return status("OK", { status: "authenticated" });
+  return status("OK", { passwordCompromised, status: "authenticated" });
 }, {
   body: t6.Object({ email: t6.String(), password: t6.String() }),
   cookie: t6.Cookie({ user_session_id: userSessionIdTypebox })
@@ -3467,57 +3520,6 @@ var credentialsLogin = ({
 
 // src/credentials/passwordReset.ts
 import { Elysia as Elysia7, t as t7 } from "elysia";
-
-// src/credentials/passwordPolicy.ts
-var DEFAULT_MIN_LENGTH = 12;
-var HEX_RADIX = 16;
-var HIBP_PREFIX_LENGTH = 5;
-var HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/";
-var sha1Hex = async (input) => {
-  const digest = await crypto.subtle.digest("SHA-1", new TextEncoder().encode(input));
-  return [...new Uint8Array(digest)].map((byte) => byte.toString(HEX_RADIX).padStart(2, "0")).join("").toUpperCase();
-};
-var isPasswordBreached = async (password) => {
-  try {
-    const hash = await sha1Hex(password);
-    const prefix = hash.slice(0, HIBP_PREFIX_LENGTH);
-    const suffix = hash.slice(HIBP_PREFIX_LENGTH);
-    const response = await fetch(`${HIBP_RANGE_URL}${prefix}`);
-    if (!response.ok)
-      return false;
-    const body = await response.text();
-    return body.split(`
-`).some((line) => line.split(":")[0]?.trim() === suffix);
-  } catch {
-    return false;
-  }
-};
-var evaluatePassword = async (password, policy = {}) => {
-  const minLength = policy.minLength ?? DEFAULT_MIN_LENGTH;
-  const violations = [];
-  if (password.length < minLength) {
-    violations.push("too_short");
-  }
-  if (policy.requireUppercase && !/[A-Z]/u.test(password)) {
-    violations.push("missing_uppercase");
-  }
-  if (policy.requireLowercase && !/[a-z]/u.test(password)) {
-    violations.push("missing_lowercase");
-  }
-  if (policy.requireDigit && !/\d/u.test(password)) {
-    violations.push("missing_digit");
-  }
-  if (policy.requireSymbol && !/[^A-Za-z0-9]/u.test(password)) {
-    violations.push("missing_symbol");
-  }
-  if (policy.checkBreaches && await isPasswordBreached(password)) {
-    violations.push("breached");
-  }
-  return { ok: violations.length === 0, violations };
-};
-var isPasswordCompromised = (password) => isPasswordBreached(password);
-
-// src/credentials/passwordReset.ts
 var credentialsPasswordReset = ({
   credentialStore,
   onPasswordReset,
@@ -20974,5 +20976,5 @@ export {
   AuthIdentityConflictError
 };
 
-//# debugId=D6A51261327D341C64756E2164756E21
+//# debugId=580D3E8ACE9EF4E864756E2164756E21
 //# sourceMappingURL=index.js.map