@devshub198211/devguard 2.0.2 → 2.0.3

package/dist/auth.cjs

@@ -1,787 +0,0 @@
-'use strict';
-
-var crypto2 = require('crypto');
-var https = require('https');
-
-function _interopNamespace(e) {
-  if (e && e.__esModule) return e;
-  var n = Object.create(null);
-  if (e) {
-    Object.keys(e).forEach(function (k) {
-      if (k !== 'default') {
-        var d = Object.getOwnPropertyDescriptor(e, k);
-        Object.defineProperty(n, k, d.get ? d : {
-          enumerable: true,
-          get: function () { return e[k]; }
-        });
-      }
-    });
-  }
-  n.default = e;
-  return Object.freeze(n);
-}
-
-var crypto2__namespace = /*#__PURE__*/_interopNamespace(crypto2);
-var https__namespace = /*#__PURE__*/_interopNamespace(https);
-
-// src/auth/zero-trust-jwt.ts
-var MIN_SECRET_LENGTH = 16;
-var CLOCK_SKEW_TOLERANCE = 30;
-function b64urlDecode(s) {
-  const base64 = s.replace(/-/g, "+").replace(/_/g, "/");
-  const padLen = (4 - base64.length % 4) % 4;
-  const padded = base64 + "=".repeat(padLen);
-  return Buffer.from(padded, "base64");
-}
-function b64urlEncode(buf) {
-  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
-}
-function decodeJWT(token) {
-  if (typeof token !== "string") return null;
-  const parts = token.split(".");
-  if (parts.length !== 3) return null;
-  if (!parts[0] || !parts[1] || !parts[2]) return null;
-  try {
-    const header = JSON.parse(b64urlDecode(parts[0]).toString());
-    const payload = JSON.parse(b64urlDecode(parts[1]).toString());
-    if (typeof header !== "object" || header === null) return null;
-    if (typeof payload !== "object" || payload === null) return null;
-    return { header, payload, sig: parts[2], signingInput: `${parts[0]}.${parts[1]}` };
-  } catch {
-    return null;
-  }
-}
-function signHMAC(payload, secret, algorithm = "HS256") {
-  if (!secret || typeof secret !== "string") throw new Error("JWT secret is required");
-  if (secret.length < MIN_SECRET_LENGTH) throw new Error(`JWT secret must be at least ${MIN_SECRET_LENGTH} characters (got ${secret.length})`);
-  if (typeof payload !== "object" || payload === null) throw new Error("Payload must be a non-null object");
-  const h = b64urlEncode(Buffer.from(JSON.stringify({ alg: algorithm, typ: "JWT" })));
-  const p = b64urlEncode(Buffer.from(JSON.stringify(payload)));
-  const input = `${h}.${p}`;
-  const sig = b64urlEncode(crypto2__namespace.createHmac(algorithm === "HS512" ? "sha512" : "sha256", secret).update(input).digest());
-  return `${input}.${sig}`;
-}
-function verifyHMAC(token, secret, expectedAlg) {
-  if (!secret || typeof secret !== "string") return { valid: false, error: "Secret is required" };
-  const decoded = decodeJWT(token);
-  if (!decoded) return { valid: false, error: "Malformed JWT" };
-  const alg = decoded.header.alg;
-  if (!["HS256", "HS512"].includes(alg)) return { valid: false, error: `Unsupported algorithm: ${alg}` };
-  if (expectedAlg && alg !== expectedAlg) return { valid: false, error: `Algorithm mismatch: expected ${expectedAlg}, got ${alg}` };
-  const expected = b64urlEncode(crypto2__namespace.createHmac(alg === "HS512" ? "sha512" : "sha256", secret).update(decoded.signingInput).digest());
-  const sigBuf = Buffer.from(decoded.sig);
-  const expBuf = Buffer.from(expected);
-  if (sigBuf.length !== expBuf.length || !crypto2__namespace.timingSafeEqual(sigBuf, expBuf)) return { valid: false, error: "Invalid signature" };
-  const now = Math.floor(Date.now() / 1e3);
-  if (decoded.payload.exp && now > decoded.payload.exp + CLOCK_SKEW_TOLERANCE) return { valid: false, error: "Token expired" };
-  if (decoded.payload.nbf && now < decoded.payload.nbf - CLOCK_SKEW_TOLERANCE) return { valid: false, error: "Token not yet valid" };
-  return { valid: true, payload: decoded.payload };
-}
-var JWKS_TTL_MS = 5 * 60 * 1e3;
-var JWKS_MAX_ENTRIES = 50;
-var BoundedJWKSCache = class {
-  constructor() {
-    this.cache = /* @__PURE__ */ new Map();
-    this.pruneTimer = null;
-    this.pruneTimer = setInterval(() => this.prune(), 6e4);
-    if (this.pruneTimer.unref) this.pruneTimer.unref();
-  }
-  get(uri) {
-    const entry = this.cache.get(uri);
-    if (!entry) return null;
-    if (Date.now() - entry.fetchedAt > JWKS_TTL_MS) {
-      this.cache.delete(uri);
-      return null;
-    }
-    return entry.keys;
-  }
-  set(uri, keys) {
-    if (this.cache.size >= JWKS_MAX_ENTRIES) {
-      let oldestKey = null;
-      let oldestTime = Infinity;
-      for (const [k, v] of this.cache) {
-        if (v.fetchedAt < oldestTime) {
-          oldestTime = v.fetchedAt;
-          oldestKey = k;
-        }
-      }
-      if (oldestKey) this.cache.delete(oldestKey);
-    }
-    this.cache.set(uri, { keys, fetchedAt: Date.now() });
-  }
-  prune() {
-    const now = Date.now();
-    let pruned = 0;
-    for (const [uri, entry] of this.cache) {
-      if (now - entry.fetchedAt > JWKS_TTL_MS) {
-        this.cache.delete(uri);
-        pruned++;
-      }
-    }
-    return pruned;
-  }
-  size() {
-    return this.cache.size;
-  }
-  destroy() {
-    if (this.pruneTimer) {
-      clearInterval(this.pruneTimer);
-      this.pruneTimer = null;
-    }
-    this.cache.clear();
-  }
-};
-var jwksCache = new BoundedJWKSCache();
-var MAX_JWKS_SIZE = 512 * 1024;
-function httpsGet(url) {
-  return new Promise((resolve, reject) => {
-    let parsed;
-    try {
-      parsed = new URL(url);
-    } catch {
-      reject(new Error("Invalid JWKS URL"));
-      return;
-    }
-    if (parsed.protocol !== "https:") {
-      reject(new Error("JWKS URL must use HTTPS"));
-      return;
-    }
-    const req = https__namespace.get(url, { headers: { "Accept": "application/json" } }, (res) => {
-      let body = "";
-      let size = 0;
-      res.on("data", (d) => {
-        size += typeof d === "string" ? d.length : d.length;
-        if (size > MAX_JWKS_SIZE) {
-          req.destroy();
-          reject(new Error("JWKS response too large"));
-          return;
-        }
-        body += d;
-      });
-      res.on("end", () => resolve(body));
-    });
-    req.on("error", (e) => reject(new Error(`JWKS fetch failed: ${e.message}`)));
-    req.setTimeout(5e3, () => {
-      req.destroy();
-      reject(new Error("JWKS fetch timeout"));
-    });
-  });
-}
-async function fetchJWKS(jwksUri) {
-  const cached = jwksCache.get(jwksUri);
-  if (cached) return cached;
-  const body = await httpsGet(jwksUri);
-  let parsed;
-  try {
-    parsed = JSON.parse(body);
-  } catch {
-    throw new Error("Invalid JWKS JSON response");
-  }
-  if (!parsed || !Array.isArray(parsed.keys)) throw new Error("JWKS response missing 'keys' array");
-  const keys = parsed.keys;
-  jwksCache.set(jwksUri, keys);
-  return keys;
-}
-var jwksCacheUtils = {
-  prune: () => jwksCache.prune(),
-  size: () => jwksCache.size(),
-  destroy: () => jwksCache.destroy()
-};
-function jwkToPublicKey(jwk) {
-  if (jwk.kty !== "RSA" || !jwk.n || !jwk.e) throw new Error("Unsupported JWK type \u2014 only RSA is supported");
-  return crypto2__namespace.createPublicKey({ key: { kty: "RSA", n: jwk.n, e: jwk.e }, format: "jwk" });
-}
-async function verifyRS256(token, jwksUri) {
-  const decoded = decodeJWT(token);
-  if (!decoded) return { valid: false, error: "Malformed JWT" };
-  if (decoded.header.alg !== "RS256") return { valid: false, error: "Expected RS256" };
-  let keys;
-  try {
-    keys = await fetchJWKS(jwksUri);
-  } catch (e) {
-    return { valid: false, error: `JWKS fetch failed: ${e instanceof Error ? e.message : "Unknown error"}` };
-  }
-  const matching = decoded.header.kid ? keys.filter((k) => k.kid === decoded.header.kid) : keys;
-  if (!matching.length) return { valid: false, error: "No matching JWK found" };
-  for (const jwk of matching) {
-    try {
-      const pubKey = jwkToPublicKey(jwk);
-      const isValid = crypto2__namespace.verify("sha256", Buffer.from(decoded.signingInput), { key: pubKey, padding: crypto2__namespace.constants.RSA_PKCS1_PADDING }, b64urlDecode(decoded.sig));
-      if (isValid) {
-        const now = Math.floor(Date.now() / 1e3);
-        if (decoded.payload.exp && now > decoded.payload.exp + CLOCK_SKEW_TOLERANCE) return { valid: false, error: "Token expired" };
-        if (decoded.payload.nbf && now < decoded.payload.nbf - CLOCK_SKEW_TOLERANCE) return { valid: false, error: "Token not yet valid" };
-        return { valid: true, payload: decoded.payload };
-      }
-    } catch {
-      continue;
-    }
-  }
-  return { valid: false, error: "Signature verification failed" };
-}
-var MAX_REVOCATION_SIZE = 1e5;
-var RevocationList = class {
-  constructor() {
-    this.revoked = /* @__PURE__ */ new Map();
-  }
-  revoke(jti) {
-    if (!jti || typeof jti !== "string") return;
-    if (this.revoked.size >= MAX_REVOCATION_SIZE && !this.revoked.has(jti)) {
-      let oldestKey = null;
-      let oldestTime = Infinity;
-      for (const [k, ts] of this.revoked) {
-        if (ts < oldestTime) {
-          oldestTime = ts;
-          oldestKey = k;
-        }
-      }
-      if (oldestKey) this.revoked.delete(oldestKey);
-    }
-    this.revoked.set(jti, Date.now());
-  }
-  isRevoked(jti) {
-    return jti ? this.revoked.has(jti) : false;
-  }
-  revokedCount() {
-    return this.revoked.size;
-  }
-  prune(maxAgeMs = 30 * 24 * 60 * 60 * 1e3) {
-    const cutoff = Date.now() - maxAgeMs;
-    let pruned = 0;
-    for (const [jti, ts] of this.revoked) if (ts < cutoff) {
-      this.revoked.delete(jti);
-      pruned++;
-    }
-    return pruned;
-  }
-  exportJSON() {
-    return JSON.stringify([...this.revoked.entries()]);
-  }
-  importJSON(json) {
-    let data;
-    try {
-      data = JSON.parse(json);
-    } catch {
-      return;
-    }
-    if (!Array.isArray(data)) return;
-    for (const entry of data) {
-      if (Array.isArray(entry) && entry.length === 2 && typeof entry[0] === "string" && typeof entry[1] === "number") {
-        if (this.revoked.size >= MAX_REVOCATION_SIZE) break;
-        this.revoked.set(entry[0], entry[1]);
-      }
-    }
-  }
-};
-function detectAnomalies(payload, ctx) {
-  const warnings = [];
-  let score = 0;
-  if (!payload.iat) {
-    warnings.push("Missing iat");
-    score += 20;
-  }
-  if (!payload.jti) {
-    warnings.push("Missing jti \u2014 revocation not possible");
-    score += 15;
-  }
-  if (!payload.iss) {
-    warnings.push("Missing iss");
-    score += 10;
-  }
-  if (!payload.sub) {
-    warnings.push("Missing sub");
-    score += 10;
-  }
-  if (ctx?.expectedIss && payload.iss !== ctx.expectedIss) {
-    warnings.push(`Issuer mismatch: ${payload.iss}`);
-    score += 40;
-  }
-  if (ctx?.expectedAud) {
-    const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
-    if (!aud.includes(ctx.expectedAud)) {
-      warnings.push("Audience mismatch");
-      score += 40;
-    }
-  }
-  if (payload.exp && payload.iat && payload.exp - payload.iat > 86400 * 30) {
-    warnings.push(`Token lifetime > 30 days`);
-    score += 25;
-  }
-  if (payload.nbf && payload.iat && payload.nbf > payload.iat + 86400) {
-    warnings.push("nbf is more than 1 day after iat");
-    score += 10;
-  }
-  if (!payload.exp) {
-    warnings.push("Missing exp \u2014 token never expires");
-    score += 20;
-  }
-  return { score: Math.min(100, score), warnings, level: score >= 50 ? "dangerous" : score >= 20 ? "suspicious" : "safe" };
-}
-var JWTVerifier = class {
-  constructor(opts) {
-    this.opts = opts;
-    this.revocation = new RevocationList();
-  }
-  async verify(token) {
-    if (!token || typeof token !== "string") return { valid: false, error: "Token is required" };
-    let result;
-    if (this.opts.secret) result = verifyHMAC(token, this.opts.secret, this.opts.expectedAlg);
-    else if (this.opts.jwksUri) result = await verifyRS256(token, this.opts.jwksUri);
-    else return { valid: false, error: "No secret or jwksUri configured" };
-    if (!result.valid || !result.payload) return result;
-    if (this.revocation.isRevoked(result.payload.jti)) return { valid: false, error: "Token has been revoked" };
-    return { ...result, anomalies: detectAnomalies(result.payload, { expectedIss: this.opts.expectedIss, expectedAud: this.opts.expectedAud }) };
-  }
-  revoke(jti) {
-    this.revocation.revoke(jti);
-  }
-  getRevocationList() {
-    return this.revocation;
-  }
-};
-
-// src/auth/bot-fence.ts
-var BOT_UA = /bot|crawl|spider|scraper|python-?requests|axios\/|node-?fetch|undici|got\/|superagent|aiohttp|httpx|libwww|java\/|curl\/|wget\//i;
-var HEADLESS_UA = /headlesschrome|playwright|puppeteer|selenium|phantomjs|zombie|slimer|cypress/i;
-var AI_UA = /GPTBot|ChatGPT|Claude-Web|anthropic-ai|cohere-ai|meta-externalagent|Bytespider|CCBot/i;
-var KNOWN_GOOD_UA = /Mozilla\/5\.[01].+(Chrome\/[1-9]\d{2}|Firefox\/[1-9]\d{2}|Safari\/[0-9]+)/;
-var SIGNALS = [
-  { signal: "Bot user-agent", weight: 65, test: (fp) => BOT_UA.test(fp.userAgent ?? "") },
-  { signal: "Headless browser UA", weight: 80, test: (fp) => HEADLESS_UA.test(fp.userAgent ?? "") },
-  { signal: "Known AI crawler", weight: 70, test: (fp) => AI_UA.test(fp.userAgent ?? "") },
-  { signal: "Missing user-agent", weight: 45, test: (fp) => !fp.userAgent?.trim() },
-  { signal: "No Accept-Language", weight: 20, test: (fp) => !fp.acceptLanguage && !fp.headers?.["accept-language"] },
-  { signal: "No Accept-Encoding", weight: 15, test: (fp) => !fp.acceptEncoding && !fp.headers?.["accept-encoding"] },
-  { signal: "Missing Referer on form", weight: 10, test: (fp) => !fp.referer && !fp.headers?.["referer"] },
-  { signal: "Suspicious timing <80ms", weight: 30, test: (fp) => fp.timingMs !== void 0 && fp.timingMs < 80 },
-  { signal: "Zero mouse events", weight: 25, test: (fp) => fp.mouseEvents !== void 0 && fp.mouseEvents === 0 },
-  { signal: "No keyboard entropy", weight: 20, test: (fp) => fp.keystrokeIntervals !== void 0 && fp.keystrokeIntervals.length === 0 },
-  { signal: "Non-browser UA format", weight: 20, test: (fp) => !!fp.userAgent && !KNOWN_GOOD_UA.test(fp.userAgent) && !BOT_UA.test(fp.userAgent) },
-  { signal: "Duplicate headers", weight: 15, test: (fp) => fp.headers ? Object.values(fp.headers).some((v) => Array.isArray(v) && v.length > 1) : false }
-];
-function scoreRequest(fp) {
-  const results = SIGNALS.map((s) => ({ signal: s.signal, weight: s.weight, matched: s.test(fp) }));
-  const raw = results.filter((r) => r.matched).reduce((acc, r) => acc + r.weight, 0);
-  const score = Math.min(100, raw);
-  const verdict = score >= 70 ? "bot" : score >= 45 ? "suspicious" : score >= 20 ? "likely_human" : "human";
-  const recommendation = score >= 70 ? "block" : score >= 45 ? "challenge" : "allow";
-  return { score, verdict, signals: results, recommendation };
-}
-function normalizeIP(ip) {
-  if (!ip || typeof ip !== "string") return "";
-  const trimmed = ip.trim();
-  const v4mapped = trimmed.match(/^::ffff:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/i);
-  if (v4mapped) return v4mapped[1];
-  return trimmed;
-}
-var MAX_TRACKED_IPS = 1e5;
-var PRUNE_INTERVAL = 100;
-var IPRateLimiter = class {
-  constructor(maxRequests = 60, windowMs = 6e4, blockDurationMs = 5 * 6e4) {
-    this.maxRequests = maxRequests;
-    this.windowMs = windowMs;
-    this.blockDurationMs = blockDurationMs;
-    this.windows = /* @__PURE__ */ new Map();
-    this.blocked = /* @__PURE__ */ new Map();
-    // ip → blockedUntil timestamp
-    this.checkCount = 0;
-  }
-  check(ip) {
-    const normalizedIp = normalizeIP(ip);
-    if (!normalizedIp) return { allowed: false, remaining: 0, retryAfterMs: this.blockDurationMs };
-    this.checkCount++;
-    if (this.checkCount % PRUNE_INTERVAL === 0) this.prune();
-    const blockedUntil = this.blocked.get(normalizedIp);
-    if (blockedUntil !== void 0) {
-      if (Date.now() < blockedUntil) {
-        return { allowed: false, remaining: 0, retryAfterMs: blockedUntil - Date.now() };
-      }
-      this.blocked.delete(normalizedIp);
-    }
-    const now = Date.now();
-    let w = this.windows.get(normalizedIp);
-    if (!w || now - w.windowStart >= this.windowMs) {
-      w = { count: 0, windowStart: now };
-      this.windows.set(normalizedIp, w);
-    }
-    w.count++;
-    if (w.count > this.maxRequests) {
-      this.blocked.set(normalizedIp, Date.now() + this.blockDurationMs);
-      return { allowed: false, remaining: 0, retryAfterMs: this.blockDurationMs };
-    }
-    return { allowed: true, remaining: this.maxRequests - w.count };
-  }
-  /** Prune stale windows and expired blocks to prevent memory growth */
-  prune() {
-    const now = Date.now();
-    const windowCutoff = now - this.windowMs * 2;
-    for (const [ip, w] of this.windows) if (w.windowStart < windowCutoff) this.windows.delete(ip);
-    for (const [ip, until] of this.blocked) if (now >= until) this.blocked.delete(ip);
-    if (this.windows.size > MAX_TRACKED_IPS) {
-      const sorted = [...this.windows.entries()].sort((a, b) => a[1].windowStart - b[1].windowStart);
-      const toRemove = sorted.slice(0, this.windows.size - MAX_TRACKED_IPS);
-      for (const [ip] of toRemove) this.windows.delete(ip);
-    }
-  }
-};
-function createMiddleware(opts = {}) {
-  const { blockThreshold = 70, challengeThreshold = 50, whitelist = [], blacklist = [] } = opts;
-  const wSet = new Set(whitelist.map(normalizeIP));
-  const bSet = new Set(blacklist.map(normalizeIP));
-  return function botFenceMiddleware(req, res, next) {
-    const rawIp = req.ip ?? req.connection?.remoteAddress ?? "";
-    const ip = normalizeIP(rawIp);
-    if (wSet.has(ip)) return next();
-    if (bSet.has(ip)) return res.status(403).json({ error: "Access denied" });
-    if (opts.rateLimiter) {
-      const rl = opts.rateLimiter.check(ip);
-      if (!rl.allowed) {
-        res.setHeader("Retry-After", Math.ceil((rl.retryAfterMs ?? 6e4) / 1e3));
-        return res.status(429).json({ error: "Too many requests" });
-      }
-    }
-    const fp = {
-      ip,
-      userAgent: req.headers["user-agent"],
-      headers: req.headers,
-      acceptLanguage: req.headers["accept-language"],
-      acceptEncoding: req.headers["accept-encoding"],
-      referer: req.headers["referer"],
-      origin: req.headers["origin"]
-    };
-    const botScore = scoreRequest(fp);
-    req.botScore = botScore;
-    if (botScore.score >= blockThreshold) {
-      opts.onBlock?.(fp, botScore);
-      return res.status(403).json({ error: "Automated request detected", verdict: botScore.verdict });
-    }
-    if (botScore.score >= challengeThreshold) {
-      res.setHeader("X-Bot-Challenge", "true");
-    }
-    next();
-  };
-}
-var MAX_CBOR_DEPTH = 20;
-var MAX_CBOR_SIZE = 1 * 1024 * 1024;
-function cborDecode(buf) {
-  if (buf.length > MAX_CBOR_SIZE) throw new Error("CBOR input too large");
-  let offset = 0;
-  function read(depth) {
-    if (depth > MAX_CBOR_DEPTH) throw new Error("CBOR nesting too deep");
-    if (offset >= buf.length) throw new Error("CBOR: unexpected end of input");
-    const b = buf[offset++];
-    const mt = b >> 5 & 7;
-    let ai = b & 31;
-    let val = ai;
-    if (ai === 24) {
-      if (offset >= buf.length) throw new Error("CBOR: unexpected end of input");
-      val = buf[offset++];
-    } else if (ai === 25) {
-      if (offset + 2 > buf.length) throw new Error("CBOR: unexpected end of input");
-      val = buf.readUInt16BE(offset);
-      offset += 2;
-    } else if (ai === 26) {
-      if (offset + 4 > buf.length) throw new Error("CBOR: unexpected end of input");
-      val = buf.readUInt32BE(offset);
-      offset += 4;
-    } else if (ai >= 28) {
-      if (ai === 31 && (mt === 2 || mt === 3)) throw new Error("CBOR: indefinite length not supported");
-      if (ai >= 28 && ai <= 30) throw new Error("CBOR: reserved additional info");
-    }
-    if (mt === 0) return val;
-    if (mt === 1) return -1 - val;
-    if (mt === 2) {
-      if (offset + val > buf.length) throw new Error("CBOR: byte string exceeds buffer");
-      const s = buf.slice(offset, offset + val);
-      offset += val;
-      return s;
-    }
-    if (mt === 3) {
-      if (offset + val > buf.length) throw new Error("CBOR: text string exceeds buffer");
-      const s = buf.slice(offset, offset + val).toString("utf8");
-      offset += val;
-      return s;
-    }
-    if (mt === 4) {
-      if (val > 1e4) throw new Error("CBOR: array too large");
-      const arr = [];
-      for (let i = 0; i < val; i++) arr.push(read(depth + 1));
-      return arr;
-    }
-    if (mt === 5) {
-      if (val > 1e4) throw new Error("CBOR: map too large");
-      const obj = {};
-      for (let i = 0; i < val; i++) {
-        const k = read(depth + 1);
-        const v = read(depth + 1);
-        if (k === "__proto__" || k === "constructor" || k === "prototype") continue;
-        obj[k] = v;
-      }
-      return obj;
-    }
-    if (mt === 7) {
-      if (ai === 20) return false;
-      if (ai === 21) return true;
-      if (ai === 22) return null;
-      if (ai === 23) return void 0;
-    }
-    return null;
-  }
-  return read(0);
-}
-var MAX_CHALLENGES = 1e4;
-var ChallengeStore = class {
-  constructor() {
-    this.challenges = /* @__PURE__ */ new Map();
-  }
-  create(ttlMs = 3e5) {
-    if (this.challenges.size >= MAX_CHALLENGES) {
-      this._prune();
-      if (this.challenges.size >= MAX_CHALLENGES) {
-        throw new Error("Challenge store capacity exceeded \u2014 too many pending challenges");
-      }
-    }
-    const challenge = crypto2__namespace.randomBytes(32).toString("base64url");
-    this.challenges.set(challenge, { challenge, expiresAt: Date.now() + ttlMs });
-    return challenge;
-  }
-  consume(challenge) {
-    if (!challenge || typeof challenge !== "string") return false;
-    const entry = this.challenges.get(challenge);
-    if (!entry) return false;
-    this.challenges.delete(challenge);
-    return Date.now() <= entry.expiresAt;
-  }
-  _prune() {
-    const now = Date.now();
-    for (const [k, v] of this.challenges) if (v.expiresAt < now) this.challenges.delete(k);
-  }
-  /** Get the number of active challenges */
-  size() {
-    return this.challenges.size;
-  }
-};
-var MAX_CREDENTIALS_PER_USER = 50;
-var CredentialStore = class {
-  constructor() {
-    this.creds = /* @__PURE__ */ new Map();
-    this.byUser = /* @__PURE__ */ new Map();
-  }
-  save(cred) {
-    const userCreds = this.byUser.get(cred.userId);
-    if (userCreds && !userCreds.has(cred.credentialId) && userCreds.size >= MAX_CREDENTIALS_PER_USER) {
-      throw new Error(`User ${cred.userId} has reached the maximum credential limit (${MAX_CREDENTIALS_PER_USER})`);
-    }
-    this.creds.set(cred.credentialId, cred);
-    if (!this.byUser.has(cred.userId)) this.byUser.set(cred.userId, /* @__PURE__ */ new Set());
-    this.byUser.get(cred.userId).add(cred.credentialId);
-  }
-  get(credentialId) {
-    return this.creds.get(credentialId);
-  }
-  getByUser(userId) {
-    const ids = this.byUser.get(userId) ?? /* @__PURE__ */ new Set();
-    return [...ids].map((id) => this.creds.get(id)).filter(Boolean);
-  }
-  update(credentialId, patch) {
-    const existing = this.creds.get(credentialId);
-    if (existing) {
-      const safeUpdate = {};
-      if (typeof patch.signCount === "number") safeUpdate.signCount = patch.signCount;
-      if (typeof patch.lastUsedAt === "number") safeUpdate.lastUsedAt = patch.lastUsedAt;
-      if (Array.isArray(patch.transports)) safeUpdate.transports = patch.transports;
-      this.creds.set(credentialId, { ...existing, ...safeUpdate });
-    }
-  }
-  delete(credentialId) {
-    const cred = this.creds.get(credentialId);
-    if (cred) {
-      this.byUser.get(cred.userId)?.delete(credentialId);
-      this.creds.delete(credentialId);
-    }
-  }
-  exportJSON() {
-    return JSON.stringify([...this.creds.values()], null, 2);
-  }
-  importJSON(json) {
-    let creds;
-    try {
-      creds = JSON.parse(json);
-    } catch {
-      return;
-    }
-    if (!Array.isArray(creds)) return;
-    for (const c of creds) {
-      if (c && typeof c === "object" && typeof c.credentialId === "string" && typeof c.publicKeyPem === "string") {
-        try {
-          this.save(c);
-        } catch {
-        }
-      }
-    }
-  }
-};
-function generateRegistrationOptions(opts) {
-  if (!opts.rpId || !opts.rpName || !opts.userId || !opts.userName) {
-    throw new Error("rpId, rpName, userId, and userName are required");
-  }
-  const store = opts.challengeStore ?? new ChallengeStore();
-  return {
-    challenge: store.create(),
-    rp: { id: opts.rpId, name: opts.rpName },
-    user: { id: Buffer.from(opts.userId).toString("base64url"), name: opts.userName, displayName: opts.userDisplayName ?? opts.userName },
-    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
-    timeout: 6e4,
-    attestation: "none",
-    authenticatorSelection: { userVerification: "preferred", residentKey: "preferred" }
-  };
-}
-function parseAuthenticatorData(buf) {
-  if (buf.length < 37) throw new Error("AuthenticatorData too short");
-  let offset = 0;
-  const rpIdHash = buf.slice(offset, offset + 32);
-  offset += 32;
-  const flags = buf[offset++];
-  const signCount = buf.readUInt32BE(offset);
-  offset += 4;
-  let aaguid;
-  let credentialId;
-  let coseKey;
-  if (flags & 64) {
-    if (offset + 18 > buf.length) throw new Error("AuthenticatorData truncated (attested credential data)");
-    aaguid = buf.slice(offset, offset + 16).toString("hex");
-    offset += 16;
-    const credIdLen = buf.readUInt16BE(offset);
-    offset += 2;
-    if (credIdLen > 1024) throw new Error("Credential ID too large");
-    if (offset + credIdLen > buf.length) throw new Error("AuthenticatorData truncated (credential ID)");
-    credentialId = buf.slice(offset, offset + credIdLen);
-    offset += credIdLen;
-    if (offset >= buf.length) throw new Error("AuthenticatorData truncated (COSE key)");
-    coseKey = cborDecode(buf.slice(offset));
-  }
-  return { rpIdHash, flags, signCount, aaguid, credentialId, coseKey };
-}
-function coseToPublicKeyPem(coseKey) {
-  if (!coseKey || typeof coseKey !== "object") throw new Error("Invalid COSE key");
-  const kty = coseKey[1];
-  coseKey[3];
-  if (kty === 2) {
-    const x = Buffer.isBuffer(coseKey[-2]) ? coseKey[-2] : Buffer.from(coseKey[-2]);
-    const y = Buffer.isBuffer(coseKey[-3]) ? coseKey[-3] : Buffer.from(coseKey[-3]);
-    if (x.length !== 32 || y.length !== 32) throw new Error("Invalid EC2 key coordinates");
-    const key = crypto2__namespace.createPublicKey({ key: { kty: "EC", crv: "P-256", x: x.toString("base64url"), y: y.toString("base64url") }, format: "jwk" });
-    return { pem: key.export({ type: "spki", format: "pem" }), alg: -7 };
-  }
-  if (kty === 3) {
-    const n = Buffer.isBuffer(coseKey[-1]) ? coseKey[-1] : Buffer.from(coseKey[-1]);
-    const e = Buffer.isBuffer(coseKey[-2]) ? coseKey[-2] : Buffer.from(coseKey[-2]);
-    if (n.length < 128) throw new Error("RSA key modulus too short");
-    const key = crypto2__namespace.createPublicKey({ key: { kty: "RSA", n: n.toString("base64url"), e: e.toString("base64url") }, format: "jwk" });
-    return { pem: key.export({ type: "spki", format: "pem" }), alg: -257 };
-  }
-  throw new Error(`Unsupported COSE key type: ${kty}`);
-}
-async function verifyRegistration(opts) {
-  try {
-    if (!opts.response || !opts.expectedChallenge || !opts.expectedOrigin || !opts.expectedRpId || !opts.userId) {
-      return { verified: false, error: "Missing required parameters" };
-    }
-    const clientDataBuf = Buffer.from(opts.response.clientDataJSON, "base64url");
-    if (clientDataBuf.length > MAX_CBOR_SIZE) return { verified: false, error: "clientDataJSON too large" };
-    const clientData = JSON.parse(clientDataBuf.toString());
-    if (clientData.type !== "webauthn.create") return { verified: false, error: "Wrong clientData type" };
-    if (clientData.challenge !== opts.expectedChallenge) return { verified: false, error: "Challenge mismatch" };
-    if (clientData.origin !== opts.expectedOrigin) return { verified: false, error: "Origin mismatch" };
-    const attObjBuf = Buffer.from(opts.response.attestationObject, "base64url");
-    if (attObjBuf.length > MAX_CBOR_SIZE) return { verified: false, error: "attestationObject too large" };
-    const attObj = cborDecode(attObjBuf);
-    const authData = parseAuthenticatorData(Buffer.isBuffer(attObj.authData) ? attObj.authData : Buffer.from(attObj.authData));
-    const expectedHash = crypto2__namespace.createHash("sha256").update(opts.expectedRpId).digest();
-    if (!expectedHash.equals(authData.rpIdHash)) return { verified: false, error: "RP ID hash mismatch" };
-    if (!(authData.flags & 1)) return { verified: false, error: "User presence not verified" };
-    if (!authData.credentialId || !authData.coseKey) return { verified: false, error: "No credential in authData" };
-    const { pem, alg } = coseToPublicKeyPem(authData.coseKey);
-    const credential = {
-      credentialId: authData.credentialId.toString("base64url"),
-      publicKeyPem: pem,
-      publicKeyAlg: alg,
-      userId: opts.userId,
-      userHandle: opts.userId,
-      signCount: authData.signCount,
-      createdAt: Date.now(),
-      lastUsedAt: Date.now(),
-      aaguid: authData.aaguid
-    };
-    return { verified: true, credential };
-  } catch (e) {
-    return { verified: false, error: e?.message ?? "Verification failed" };
-  }
-}
-function generateAuthenticationOptions(opts) {
-  if (!opts.rpId) throw new Error("rpId is required");
-  const store = opts.challengeStore ?? new ChallengeStore();
-  return {
-    challenge: store.create(),
-    rpId: opts.rpId,
-    timeout: 6e4,
-    userVerification: opts.userVerification ?? "preferred",
-    allowCredentials: opts.allowCredentialIds?.map((id) => ({ type: "public-key", id }))
-  };
-}
-async function verifyAuthentication(opts) {
-  try {
-    if (!opts.response || !opts.expectedChallenge || !opts.expectedOrigin || !opts.expectedRpId || !opts.storedCredential) {
-      return { verified: false, error: "Missing required parameters" };
-    }
-    const { response, storedCredential } = opts;
-    const clientDataBuf = Buffer.from(response.clientDataJSON, "base64url");
-    if (clientDataBuf.length > MAX_CBOR_SIZE) return { verified: false, error: "clientDataJSON too large" };
-    const clientData = JSON.parse(clientDataBuf.toString());
-    if (clientData.type !== "webauthn.get") return { verified: false, error: "Wrong clientData type" };
-    if (clientData.challenge !== opts.expectedChallenge) return { verified: false, error: "Challenge mismatch" };
-    if (clientData.origin !== opts.expectedOrigin) return { verified: false, error: "Origin mismatch" };
-    const authDataBuf = Buffer.from(response.authenticatorData, "base64url");
-    if (authDataBuf.length > MAX_CBOR_SIZE) return { verified: false, error: "authenticatorData too large" };
-    const authData = parseAuthenticatorData(authDataBuf);
-    const expectedHash = crypto2__namespace.createHash("sha256").update(opts.expectedRpId).digest();
-    if (!expectedHash.equals(authData.rpIdHash)) return { verified: false, error: "RP ID hash mismatch" };
-    if (!(authData.flags & 1)) return { verified: false, error: "User presence not verified" };
-    if (opts.requireUserVerification && !(authData.flags & 4)) {
-      return { verified: false, error: "User verification required but not performed" };
-    }
-    if (storedCredential.signCount > 0 && authData.signCount <= storedCredential.signCount) {
-      return { verified: false, error: `Sign count replay detected: got ${authData.signCount}, expected > ${storedCredential.signCount}` };
-    }
-    const clientDataHash = crypto2__namespace.createHash("sha256").update(Buffer.from(response.clientDataJSON, "base64url")).digest();
-    const signedData = Buffer.concat([authDataBuf, clientDataHash]);
-    const sigBuf = Buffer.from(response.signature, "base64url");
-    const pubKey = crypto2__namespace.createPublicKey(storedCredential.publicKeyPem);
-    const alg = storedCredential.publicKeyAlg === -7 ? "SHA256" : "RSA-SHA256";
-    const isValid = crypto2__namespace.verify(alg, signedData, pubKey, sigBuf);
-    if (!isValid) return { verified: false, error: "Signature verification failed" };
-    const updated = { ...storedCredential, signCount: authData.signCount, lastUsedAt: Date.now() };
-    return { verified: true, credential: updated };
-  } catch (e) {
-    return { verified: false, error: e?.message ?? "Authentication verification failed" };
-  }
-}
-
-exports.ChallengeStore = ChallengeStore;
-exports.CredentialStore = CredentialStore;
-exports.IPRateLimiter = IPRateLimiter;
-exports.JWTVerifier = JWTVerifier;
-exports.RevocationList = RevocationList;
-exports.createMiddleware = createMiddleware;
-exports.decodeJWT = decodeJWT;
-exports.detectAnomalies = detectAnomalies;
-exports.fetchJWKS = fetchJWKS;
-exports.generateAuthenticationOptions = generateAuthenticationOptions;
-exports.generateRegistrationOptions = generateRegistrationOptions;
-exports.jwksCacheUtils = jwksCacheUtils;
-exports.scoreRequest = scoreRequest;
-exports.signHMAC = signHMAC;
-exports.verifyAuthentication = verifyAuthentication;
-exports.verifyHMAC = verifyHMAC;
-exports.verifyRS256 = verifyRS256;
-exports.verifyRegistration = verifyRegistration;