npm - @absolutejs/auth - Versions diffs - 0.27.0-beta.6 → 0.27.0-beta.8 - Mend

@absolutejs/auth 0.27.0-beta.6 → 0.27.0-beta.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/audit/integrity.d.ts +5 -1
package/dist/credentials/config.d.ts +1 -0
package/dist/credentials/login.d.ts +2 -1
package/dist/credentials/routes.d.ts +1 -0
package/dist/index.d.ts +1 -0
package/dist/index.js +85 -60
package/dist/index.js.map +7 -7
package/package.json +1 -1

package/dist/audit/integrity.d.ts CHANGED Viewed

@@ -2,14 +2,18 @@ import type { AuditEvent, AuditSink } from './types';
 export type AuditIntegrity = {
     hash: string;
     previousHash: string;
+    writerId?: string;
 };
 export type AuditChainResult = {
     brokenAt?: number;
     ok: boolean;
 };
-export declare const createTamperEvidentSink: ({ secret, sink }: {
+export declare const createTamperEvidentSink: ({ loadWriterHead, secret, seedScanLimit, sink, writerId }: {
+    loadWriterHead?: (writerId: string) => Promise<string | undefined> | string | undefined;
     secret?: string;
+    seedScanLimit?: number;
     sink: AuditSink;
+    writerId?: string;
 }) => AuditSink;
 export declare const hashAuditEvent: (event: AuditEvent, previousHash: string, secret?: string) => Promise<string>;
 export declare const verifyAuditChain: (events: AuditEvent[], secret?: string) => Promise<AuditChainResult>;

package/dist/credentials/config.d.ts CHANGED Viewed

@@ -19,6 +19,7 @@ export type CredentialEmailMessage = {
     type: CredentialEmailType;
 };
 export type CredentialsConfig<UserType> = {
+    checkBreachesOnLogin?: boolean;
     credentialStore: CredentialStore;
     getUserByEmail: (email: string) => Promise<UserType | null | undefined> | UserType | null | undefined;
     isMfaRequired?: (user: UserType) => boolean | Promise<boolean>;

package/dist/credentials/login.d.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 import { Elysia } from 'elysia';
 import { type CredentialRouteProps } from './config';
-export declare const credentialsLogin: <UserType>({ authSessionStore, credentialStore, getUserByEmail, isMfaRequired, lockoutGuard, loginRoute, onCredentialsLoginError, onCredentialsLoginSuccess, requireEmailVerification, sessionDurationMs }: CredentialRouteProps<UserType>) => Elysia<"", {
+export declare const credentialsLogin: <UserType>({ authSessionStore, checkBreachesOnLogin, credentialStore, getUserByEmail, isMfaRequired, lockoutGuard, loginRoute, onCredentialsLoginError, onCredentialsLoginSuccess, requireEmailVerification, sessionDurationMs }: CredentialRouteProps<UserType>) => Elysia<"", {
     decorator: {};
     store: {
         session: import("..").SessionRecord<UserType>;
@@ -32,6 +32,7 @@ export declare const credentialsLogin: <UserType>({ authSessionStore, credential
                 200: {
                     readonly status: "mfa_required";
                 } | {
+                    readonly passwordCompromised: boolean;
                     readonly status: "authenticated";
                 };
                 401: "Invalid email or password";

package/dist/credentials/routes.d.ts CHANGED Viewed

@@ -100,6 +100,7 @@ export declare const credentialRoutes: <UserType>(config: CredentialRouteProps<U
                 200: {
                     readonly status: "mfa_required";
                 } | {
+                    readonly passwordCompromised: boolean;
                     readonly status: "authenticated";
                 };
                 401: "Invalid email or password";

package/dist/index.d.ts CHANGED Viewed

@@ -12725,6 +12725,7 @@ export declare const auth: <UserType>({ providersConfiguration, authorizeRoute,
                 200: {
                     readonly status: "mfa_required";
                 } | {
+                    readonly passwordCompromised: boolean;
                     readonly status: "authenticated";
                 };
                 401: "Invalid email or password";

package/dist/index.js CHANGED Viewed

@@ -3391,8 +3391,60 @@ var credentialsEmailVerification = ({
 // src/credentials/login.ts
 import { Elysia as Elysia6, t as t6 } from "elysia";
+// src/credentials/passwordPolicy.ts
+var DEFAULT_MIN_LENGTH = 12;
+var HEX_RADIX = 16;
+var HIBP_PREFIX_LENGTH = 5;
+var HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/";
+var sha1Hex = async (input) => {
+  const digest = await crypto.subtle.digest("SHA-1", new TextEncoder().encode(input));
+  return [...new Uint8Array(digest)].map((byte) => byte.toString(HEX_RADIX).padStart(2, "0")).join("").toUpperCase();
+};
+var isPasswordBreached = async (password) => {
+  try {
+    const hash = await sha1Hex(password);
+    const prefix = hash.slice(0, HIBP_PREFIX_LENGTH);
+    const suffix = hash.slice(HIBP_PREFIX_LENGTH);
+    const response = await fetch(`${HIBP_RANGE_URL}${prefix}`);
+    if (!response.ok)
+      return false;
+    const body = await response.text();
+    return body.split(`
+`).some((line) => line.split(":")[0]?.trim() === suffix);
+  } catch {
+    return false;
+  }
+};
+var evaluatePassword = async (password, policy = {}) => {
+  const minLength = policy.minLength ?? DEFAULT_MIN_LENGTH;
+  const violations = [];
+  if (password.length < minLength) {
+    violations.push("too_short");
+  }
+  if (policy.requireUppercase && !/[A-Z]/u.test(password)) {
+    violations.push("missing_uppercase");
+  }
+  if (policy.requireLowercase && !/[a-z]/u.test(password)) {
+    violations.push("missing_lowercase");
+  }
+  if (policy.requireDigit && !/\d/u.test(password)) {
+    violations.push("missing_digit");
+  }
+  if (policy.requireSymbol && !/[^A-Za-z0-9]/u.test(password)) {
+    violations.push("missing_symbol");
+  }
+  if (policy.checkBreaches && await isPasswordBreached(password)) {
+    violations.push("breached");
+  }
+  return { ok: violations.length === 0, violations };
+};
+var isPasswordCompromised = (password) => isPasswordBreached(password);
+// src/credentials/login.ts
 var credentialsLogin = ({
   authSessionStore,
+  checkBreachesOnLogin,
   credentialStore,
   getUserByEmail,
   isMfaRequired,
@@ -3451,6 +3503,7 @@ var credentialsLogin = ({
     await persistWhen(authSessionStore !== undefined, compatibilityLayer.persist);
     return status("OK", { status: "mfa_required" });
   }
+  const passwordCompromised = checkBreachesOnLogin ? await isPasswordCompromised(password) : false;
   const userSessionId = await promoteToSession({
     authSessionStore,
     cookie: user_session_id,
@@ -3459,7 +3512,7 @@ var credentialsLogin = ({
     user
   });
   await onCredentialsLoginSuccess?.({ user, userSessionId });
-  return status("OK", { status: "authenticated" });
+  return status("OK", { passwordCompromised, status: "authenticated" });
 }, {
   body: t6.Object({ email: t6.String(), password: t6.String() }),
   cookie: t6.Cookie({ user_session_id: userSessionIdTypebox })
@@ -3467,57 +3520,6 @@ var credentialsLogin = ({
 // src/credentials/passwordReset.ts
 import { Elysia as Elysia7, t as t7 } from "elysia";
-// src/credentials/passwordPolicy.ts
-var DEFAULT_MIN_LENGTH = 12;
-var HEX_RADIX = 16;
-var HIBP_PREFIX_LENGTH = 5;
-var HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/";
-var sha1Hex = async (input) => {
-  const digest = await crypto.subtle.digest("SHA-1", new TextEncoder().encode(input));
-  return [...new Uint8Array(digest)].map((byte) => byte.toString(HEX_RADIX).padStart(2, "0")).join("").toUpperCase();
-};
-var isPasswordBreached = async (password) => {
-  try {
-    const hash = await sha1Hex(password);
-    const prefix = hash.slice(0, HIBP_PREFIX_LENGTH);
-    const suffix = hash.slice(HIBP_PREFIX_LENGTH);
-    const response = await fetch(`${HIBP_RANGE_URL}${prefix}`);
-    if (!response.ok)
-      return false;
-    const body = await response.text();
-    return body.split(`
-`).some((line) => line.split(":")[0]?.trim() === suffix);
-  } catch {
-    return false;
-  }
-};
-var evaluatePassword = async (password, policy = {}) => {
-  const minLength = policy.minLength ?? DEFAULT_MIN_LENGTH;
-  const violations = [];
-  if (password.length < minLength) {
-    violations.push("too_short");
-  }
-  if (policy.requireUppercase && !/[A-Z]/u.test(password)) {
-    violations.push("missing_uppercase");
-  }
-  if (policy.requireLowercase && !/[a-z]/u.test(password)) {
-    violations.push("missing_lowercase");
-  }
-  if (policy.requireDigit && !/\d/u.test(password)) {
-    violations.push("missing_digit");
-  }
-  if (policy.requireSymbol && !/[^A-Za-z0-9]/u.test(password)) {
-    violations.push("missing_symbol");
-  }
-  if (policy.checkBreaches && await isPasswordBreached(password)) {
-    violations.push("breached");
-  }
-  return { ok: violations.length === 0, violations };
-};
-var isPasswordCompromised = (password) => isPasswordBreached(password);
-// src/credentials/passwordReset.ts
 var credentialsPasswordReset = ({
   credentialStore,
   onPasswordReset,
@@ -18708,6 +18710,7 @@ var INTEGRITY_KEY = "__integrity";
 var GENESIS = "";
 var HEX_RADIX2 = 16;
 var HEX_PAD = 2;
+var DEFAULT_SEED_SCAN_LIMIT = 1000;
 var encoder = new TextEncoder;
 var toHex = (buffer) => [...new Uint8Array(buffer)].map((byte) => byte.toString(HEX_RADIX2).padStart(HEX_PAD, "0")).join("");
 var sha256Hex = async (message) => toHex(await crypto.subtle.digest("SHA-256", encoder.encode(message)));
@@ -18738,15 +18741,31 @@ var brokenAt = (index) => {
   return result;
 };
 var createTamperEvidentSink = ({
+  loadWriterHead,
   secret,
-  sink
+  seedScanLimit = DEFAULT_SEED_SCAN_LIMIT,
+  sink,
+  writerId
 }) => {
+  const chainWriterId = writerId ?? crypto.randomUUID();
+  const isResuming = writerId !== undefined;
   let lastHash;
+  let seeded = false;
   const seed = async () => {
-    if (lastHash !== undefined)
+    if (seeded)
+      return;
+    seeded = true;
+    if (!isResuming) {
+      lastHash = GENESIS;
+      return;
+    }
+    if (loadWriterHead) {
+      lastHash = await loadWriterHead(chainWriterId) ?? GENESIS;
       return;
-    const [recent] = await sink.list?.({ limit: 1 }) ?? [];
-    lastHash = recent ? readIntegrity(recent)?.hash ?? GENESIS : GENESIS;
+    }
+    const recent = await sink.list?.({ limit: seedScanLimit }) ?? [];
+    const head = recent.find((event) => readIntegrity(event)?.writerId === chainWriterId);
+    lastHash = head ? readIntegrity(head)?.hash ?? GENESIS : GENESIS;
   };
   return {
     list: sink.list,
@@ -18755,7 +18774,11 @@ var createTamperEvidentSink = ({
       const previousHash = lastHash ?? GENESIS;
       const hash = await hashAuditEvent(event, previousHash, secret);
       lastHash = hash;
-      const integrity = { hash, previousHash };
+      const integrity = {
+        hash,
+        previousHash,
+        writerId: chainWriterId
+      };
       await sink.append({
         ...event,
         metadata: { ...event.metadata, [INTEGRITY_KEY]: integrity }
@@ -18771,17 +18794,19 @@ var hashAuditEvent = async (event, previousHash, secret) => {
   return secret === undefined ? sha256Hex(message) : hmacSha256Hex(secret, message);
 };
 var verifyAuditChain = async (events, secret) => {
-  let previousHash = GENESIS;
+  const heads = new Map;
   for (let index = 0;index < events.length; index += 1) {
     const event = events[index];
     if (event === undefined)
       return brokenAt(index);
     const integrity = readIntegrity(event);
+    const chain = integrity?.writerId ?? GENESIS;
+    const previousHash = heads.get(chain) ?? GENESIS;
     const expected = await hashAuditEvent(event, previousHash, secret);
     if (integrity === undefined || integrity.previousHash !== previousHash || integrity.hash !== expected) {
       return brokenAt(index);
     }
-    previousHash = integrity.hash;
+    heads.set(chain, integrity.hash);
   }
   const valid = { ok: true };
   return valid;
@@ -20974,5 +20999,5 @@ export {
   AuthIdentityConflictError
 };
-//# debugId=D6A51261327D341C64756E2164756E21
+//# debugId=B234E4311897F15C64756E2164756E21
 //# sourceMappingURL=index.js.map