@eaccess/auth 0.1.2 → 0.1.4

package/dist/index.js

@@ -1,6 +1,74 @@
-// src/auth-admin-manager.ts
-import { hash as hash2 } from "@prsm/hash";
-import ms from "@prsm/ms";
+var __defProp = Object.defineProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// src/auth-manager.ts
+import { hash as hash4 } from "@prsm/hash";
+import ms3 from "@prsm/ms";
+
+// src/types.ts
+import "express-session";
+var TwoFactorMechanism = /* @__PURE__ */ ((TwoFactorMechanism2) => {
+  TwoFactorMechanism2[TwoFactorMechanism2["TOTP"] = 1] = "TOTP";
+  TwoFactorMechanism2[TwoFactorMechanism2["EMAIL"] = 2] = "EMAIL";
+  TwoFactorMechanism2[TwoFactorMechanism2["SMS"] = 3] = "SMS";
+  return TwoFactorMechanism2;
+})(TwoFactorMechanism || {});
+var AuthStatus = {
+  Normal: 0,
+  Archived: 1,
+  Banned: 2,
+  Locked: 3,
+  PendingReview: 4,
+  Suspended: 5
+};
+var AuthRole = {
+  Admin: 1,
+  Author: 2,
+  Collaborator: 4,
+  Consultant: 8,
+  Consumer: 16,
+  Contributor: 32,
+  Coordinator: 64,
+  Creator: 128,
+  Developer: 256,
+  Director: 512,
+  Editor: 1024,
+  Employee: 2048,
+  Maintainer: 4096,
+  Manager: 8192,
+  Moderator: 16384,
+  Publisher: 32768,
+  Reviewer: 65536,
+  Subscriber: 131072,
+  SuperAdmin: 262144,
+  SuperEditor: 524288,
+  SuperModerator: 1048576,
+  Translator: 2097152
+};
+var AuthActivityAction = {
+  Login: "login",
+  Logout: "logout",
+  FailedLogin: "failed_login",
+  Register: "register",
+  EmailConfirmed: "email_confirmed",
+  PasswordResetRequested: "password_reset_requested",
+  PasswordResetCompleted: "password_reset_completed",
+  PasswordChanged: "password_changed",
+  EmailChanged: "email_changed",
+  RoleChanged: "role_changed",
+  StatusChanged: "status_changed",
+  ForceLogout: "force_logout",
+  OAuthConnected: "oauth_connected",
+  RememberTokenCreated: "remember_token_created",
+  TwoFactorSetup: "two_factor_setup",
+  TwoFactorVerified: "two_factor_verified",
+  TwoFactorFailed: "two_factor_failed",
+  TwoFactorDisabled: "two_factor_disabled",
+  BackupCodeUsed: "backup_code_used"
+};
 
 // src/queries.ts
 var AuthQueries = class {
@@ -264,6 +332,158 @@ var AuthQueries = class {
   }
 };
 
+// src/activity-logger.ts
+import Bowser from "bowser";
+var ActivityLogger = class {
+  constructor(config) {
+    this.config = config;
+    this.enabled = config.activityLog?.enabled !== false;
+    this.maxEntries = config.activityLog?.maxEntries || 1e4;
+    this.allowedActions = config.activityLog?.actions || null;
+    this.tablePrefix = config.tablePrefix || "user_";
+  }
+  get activityTable() {
+    return `${this.tablePrefix}activity_log`;
+  }
+  parseUserAgent(userAgent) {
+    if (!userAgent) {
+      return { browser: null, os: null, device: null };
+    }
+    try {
+      const browser = Bowser.getParser(userAgent);
+      const result = browser.getResult();
+      return {
+        browser: result.browser.name || null,
+        os: result.os.name || null,
+        device: result.platform.type || "desktop"
+      };
+    } catch (error) {
+      return this.parseUserAgentSimple(userAgent);
+    }
+  }
+  parseUserAgentSimple(userAgent) {
+    let browser = null;
+    if (userAgent.includes("Chrome")) browser = "Chrome";
+    else if (userAgent.includes("Firefox")) browser = "Firefox";
+    else if (userAgent.includes("Safari")) browser = "Safari";
+    else if (userAgent.includes("Edge")) browser = "Edge";
+    let os = null;
+    if (userAgent.includes("Windows")) os = "Windows";
+    else if (userAgent.includes("Mac OS")) os = "macOS";
+    else if (userAgent.includes("Linux")) os = "Linux";
+    else if (userAgent.includes("Android")) os = "Android";
+    else if (userAgent.includes("iOS")) os = "iOS";
+    let device = "desktop";
+    if (userAgent.includes("Mobile")) device = "mobile";
+    else if (userAgent.includes("Tablet")) device = "tablet";
+    return { browser, os, device };
+  }
+  getIpAddress(req) {
+    return req.ip || req.connection?.remoteAddress || req.socket?.remoteAddress || req.connection?.socket?.remoteAddress || null;
+  }
+  async logActivity(accountId, action, req, success = true, metadata = {}) {
+    if (!this.enabled) return;
+    if (this.allowedActions && !this.allowedActions.includes(action)) {
+      return;
+    }
+    const userAgent = (typeof req.get === "function" ? req.get("User-Agent") : req.headers?.["user-agent"]) || null;
+    const ip = this.getIpAddress(req);
+    const parsed = this.parseUserAgent(userAgent);
+    try {
+      await this.config.db.query(
+        `
+        INSERT INTO ${this.activityTable} 
+        (account_id, action, ip_address, user_agent, browser, os, device, success, metadata)
+        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
+        `,
+        [accountId, action, ip, userAgent, parsed.browser, parsed.os, parsed.device, success, Object.keys(metadata).length > 0 ? JSON.stringify(metadata) : null]
+      );
+      if (Math.random() < 0.01) {
+        await this.cleanup();
+      }
+    } catch (error) {
+      console.error("ActivityLogger: Failed to log activity:", error);
+    }
+  }
+  async cleanup() {
+    if (!this.enabled) return;
+    try {
+      await this.config.db.query(
+        `
+        DELETE FROM ${this.activityTable} 
+        WHERE id NOT IN (
+          SELECT id FROM ${this.activityTable} 
+          ORDER BY created_at DESC 
+          LIMIT $1
+        )
+        `,
+        [this.maxEntries]
+      );
+    } catch (error) {
+      console.error("ActivityLogger: Failed to cleanup old entries:", error);
+    }
+  }
+  async getRecentActivity(limit = 100, accountId) {
+    if (!this.enabled) return [];
+    try {
+      let sql = `
+        SELECT 
+          al.*,
+          a.email 
+        FROM ${this.activityTable} al
+        LEFT JOIN ${this.tablePrefix}accounts a ON al.account_id = a.id
+      `;
+      const params = [];
+      if (accountId !== void 0) {
+        sql += " WHERE al.account_id = $1";
+        params.push(accountId);
+      }
+      sql += ` ORDER BY al.created_at DESC LIMIT $${params.length + 1}`;
+      params.push(Math.min(limit, 1e3));
+      const result = await this.config.db.query(sql, params);
+      return result.rows.map((row) => ({
+        ...row,
+        metadata: row.metadata ? JSON.parse(row.metadata) : null
+      }));
+    } catch (error) {
+      console.error("ActivityLogger: Failed to get recent activity:", error);
+      return [];
+    }
+  }
+  async getActivityStats() {
+    if (!this.enabled) {
+      return {
+        totalEntries: 0,
+        uniqueUsers: 0,
+        recentLogins: 0,
+        failedAttempts: 0
+      };
+    }
+    try {
+      const [total, unique, recent, failed] = await Promise.all([
+        this.config.db.query(`SELECT COUNT(*) as count FROM ${this.activityTable}`),
+        this.config.db.query(`SELECT COUNT(DISTINCT account_id) as count FROM ${this.activityTable} WHERE account_id IS NOT NULL`),
+        this.config.db.query(`SELECT COUNT(*) as count FROM ${this.activityTable} WHERE action = 'login' AND created_at > NOW() - INTERVAL '24 hours'`),
+        this.config.db.query(`SELECT COUNT(*) as count FROM ${this.activityTable} WHERE success = false AND created_at > NOW() - INTERVAL '24 hours'`)
+      ]);
+      return {
+        totalEntries: parseInt(total.rows[0]?.count || "0"),
+        uniqueUsers: parseInt(unique.rows[0]?.count || "0"),
+        recentLogins: parseInt(recent.rows[0]?.count || "0"),
+        failedAttempts: parseInt(failed.rows[0]?.count || "0")
+      };
+    } catch (error) {
+      console.error("ActivityLogger: Failed to get activity stats:", error);
+      return {
+        totalEntries: 0,
+        uniqueUsers: 0,
+        recentLogins: 0,
+        failedAttempts: 0
+      };
+    }
+  }
+};
+
 // src/errors.ts
 var AuthError = class extends Error {
   constructor(message) {
@@ -378,515 +598,23 @@ var TwoFactorSetupIncompleteError = class extends AuthError {
   }
 };
 
-// src/create-user.ts
-import { hash } from "@prsm/hash";
-
 // src/util.ts
 var isValidEmail = (email) => {
   const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
   return emailRegex.test(email);
 };
-var validateEmail = (email) => {
-  if (typeof email !== "string") {
-    throw new InvalidEmailError();
-  }
-  if (!email.trim()) {
-    throw new InvalidEmailError();
-  }
-  if (!isValidEmail(email)) {
-    throw new InvalidEmailError();
-  }
-};
-var createMapFromEnum = (enumObj) => Object.fromEntries(Object.entries(enumObj).map(([key, value]) => [value, key]));
-
-// src/types.ts
-import "express-session";
-var TwoFactorMechanism = /* @__PURE__ */ ((TwoFactorMechanism2) => {
-  TwoFactorMechanism2[TwoFactorMechanism2["TOTP"] = 1] = "TOTP";
-  TwoFactorMechanism2[TwoFactorMechanism2["EMAIL"] = 2] = "EMAIL";
-  TwoFactorMechanism2[TwoFactorMechanism2["SMS"] = 3] = "SMS";
-  return TwoFactorMechanism2;
-})(TwoFactorMechanism || {});
-var AuthStatus = {
-  Normal: 0,
-  Archived: 1,
-  Banned: 2,
-  Locked: 3,
-  PendingReview: 4,
-  Suspended: 5
-};
-var AuthRole = {
-  Admin: 1,
-  Author: 2,
-  Collaborator: 4,
-  Consultant: 8,
-  Consumer: 16,
-  Contributor: 32,
-  Coordinator: 64,
-  Creator: 128,
-  Developer: 256,
-  Director: 512,
-  Editor: 1024,
-  Employee: 2048,
-  Maintainer: 4096,
-  Manager: 8192,
-  Moderator: 16384,
-  Publisher: 32768,
-  Reviewer: 65536,
-  Subscriber: 131072,
-  SuperAdmin: 262144,
-  SuperEditor: 524288,
-  SuperModerator: 1048576,
-  Translator: 2097152
-};
-var AuthActivityAction = {
-  Login: "login",
-  Logout: "logout",
-  FailedLogin: "failed_login",
-  Register: "register",
-  EmailConfirmed: "email_confirmed",
-  PasswordResetRequested: "password_reset_requested",
-  PasswordResetCompleted: "password_reset_completed",
-  PasswordChanged: "password_changed",
-  EmailChanged: "email_changed",
-  RoleChanged: "role_changed",
-  StatusChanged: "status_changed",
-  ForceLogout: "force_logout",
-  OAuthConnected: "oauth_connected",
-  RememberTokenCreated: "remember_token_created",
-  TwoFactorSetup: "two_factor_setup",
-  TwoFactorVerified: "two_factor_verified",
-  TwoFactorFailed: "two_factor_failed",
-  TwoFactorDisabled: "two_factor_disabled",
-  BackupCodeUsed: "backup_code_used"
-};
-
-// src/create-user.ts
-function validatePassword(password, config) {
-  const minLength = config.minPasswordLength || 8;
-  const maxLength = config.maxPasswordLength || 64;
-  if (typeof password !== "string") {
-    throw new InvalidPasswordError();
-  }
-  if (password.length < minLength) {
-    throw new InvalidPasswordError();
-  }
-  if (password.length > maxLength) {
-    throw new InvalidPasswordError();
-  }
-}
-function generateAutoUserId() {
-  return crypto.randomUUID();
-}
-async function createConfirmationToken(queries, account, email, callback) {
-  const token = hash.encode(email);
-  const expires = new Date(Date.now() + 1e3 * 60 * 60 * 24 * 7);
-  await queries.createConfirmation({
-    accountId: account.id,
-    token,
-    email,
-    expires
-  });
-  if (callback) {
-    callback(token);
-  }
-}
-async function createUser(config, credentials, userId, callback) {
-  validateEmail(credentials.email);
-  validatePassword(credentials.password, config);
-  const queries = new AuthQueries(config);
-  const existing = await queries.findAccountByEmail(credentials.email);
-  if (existing) {
-    throw new EmailTakenError();
-  }
-  const finalUserId = userId || generateAutoUserId();
-  const hashedPassword = hash.encode(credentials.password);
-  const verified = typeof callback !== "function";
-  const account = await queries.createAccount({
-    userId: finalUserId,
-    email: credentials.email,
-    password: hashedPassword,
-    verified,
-    status: AuthStatus.Normal,
-    rolemask: 0
-  });
-  if (!verified && callback) {
-    await createConfirmationToken(queries, account, credentials.email, callback);
-  }
-  return account;
-}
-
-// src/auth-admin-manager.ts
-var AuthAdminManager = class {
-  constructor(req, res, config, auth) {
-    this.req = req;
-    this.res = res;
-    this.config = config;
-    this.queries = new AuthQueries(config);
-    this.auth = auth;
-  }
-  validatePassword(password) {
-    const minLength = this.config.minPasswordLength || 8;
-    const maxLength = this.config.maxPasswordLength || 64;
-    if (typeof password !== "string") {
-      throw new InvalidPasswordError();
-    }
-    if (password.length < minLength) {
-      throw new InvalidPasswordError();
-    }
-    if (password.length > maxLength) {
-      throw new InvalidPasswordError();
-    }
-  }
-  async findAccountByIdentifier(identifier) {
-    if (identifier.accountId !== void 0) {
-      return await this.queries.findAccountById(identifier.accountId);
-    } else if (identifier.email !== void 0) {
-      return await this.queries.findAccountByEmail(identifier.email);
-    } else if (identifier.userId !== void 0) {
-      return await this.queries.findAccountByUserId(identifier.userId);
-    }
-    return null;
-  }
-  async createConfirmationToken(account, email, callback) {
-    const token = hash2.encode(email);
-    const expires = new Date(Date.now() + 1e3 * 60 * 60 * 24 * 7);
-    await this.queries.createConfirmation({
-      accountId: account.id,
-      token,
-      email,
-      expires
-    });
-    if (callback) {
-      callback(token);
-    }
-  }
-  /**
-   * Create a new user account (admin function).
-   *
-   * @param credentials - Email and password for new account
-   * @param userId - Optional user ID to link this auth account to. If not provided, a UUID will be generated automatically.
-   * @param callback - If provided, account is created unverified and callback receives confirmation token. Create a URL like /confirm/{token} and call confirmEmail() in that handler. If omitted, account is immediately verified.
-   * @returns The created account record
-   * @throws {EmailTakenError} Email is already registered
-   * @throws {InvalidPasswordError} Password doesn't meet length requirements
-   */
-  async createUser(credentials, userId, callback) {
-    return createUser(this.config, credentials, userId, callback);
-  }
-  /**
-   * Log in as another user (admin function).
-   * Creates a new session as the target user without requiring their password.
-   *
-   * @param identifier - Find user by accountId, email, or userId
-   * @throws {UserNotFoundError} No account matches the identifier
-   */
-  async loginAsUserBy(identifier) {
-    const account = await this.findAccountByIdentifier(identifier);
-    if (!account) {
-      throw new UserNotFoundError();
-    }
-    await this.auth.onLoginSuccessful(account, false);
-  }
-  /**
-   * Delete a user account and all associated data (admin function).
-   * Removes account, confirmations, remember tokens, and reset tokens.
-   *
-   * @param identifier - Find user by accountId, email, or userId
-   * @throws {UserNotFoundError} No account matches the identifier
-   */
-  async deleteUserBy(identifier) {
-    const account = await this.findAccountByIdentifier(identifier);
-    if (!account) {
-      throw new UserNotFoundError();
-    }
-    await this.queries.deleteAccount(account.id);
-  }
-  /**
-   * Add a role to a user's account (admin function).
-   * Uses bitwise OR to add role to existing rolemask.
-   *
-   * @param identifier - Find user by accountId, email, or userId
-   * @param role - Role bitmask to add (e.g., AuthRole.Admin)
-   * @throws {UserNotFoundError} No account matches the identifier
-   */
-  async addRoleForUserBy(identifier, role) {
-    const account = await this.findAccountByIdentifier(identifier);
-    if (!account) {
-      throw new UserNotFoundError();
-    }
-    const rolemask = account.rolemask | role;
-    await this.queries.updateAccount(account.id, { rolemask });
-  }
-  /**
-   * Remove a role from a user's account (admin function).
-   * Uses bitwise operations to remove role from rolemask.
-   *
-   * @param identifier - Find user by accountId, email, or userId
-   * @param role - Role bitmask to remove (e.g., AuthRole.Admin)
-   * @throws {UserNotFoundError} No account matches the identifier
-   */
-  async removeRoleForUserBy(identifier, role) {
-    const account = await this.findAccountByIdentifier(identifier);
-    if (!account) {
-      throw new UserNotFoundError();
-    }
-    const rolemask = account.rolemask & ~role;
-    await this.queries.updateAccount(account.id, { rolemask });
-  }
-  /**
-   * Check if a user has a specific role (admin function).
-   *
-   * @param identifier - Find user by accountId, email, or userId
-   * @param role - Role bitmask to check (e.g., AuthRole.Admin)
-   * @returns true if user has the role, false otherwise
-   * @throws {UserNotFoundError} No account matches the identifier
-   */
-  async hasRoleForUserBy(identifier, role) {
-    const account = await this.findAccountByIdentifier(identifier);
-    if (!account) {
-      throw new UserNotFoundError();
-    }
-    return (account.rolemask & role) === role;
-  }
-  /**
-   * Change a user's password (admin function).
-   * Does not require knowing the current password.
-   *
-   * @param identifier - Find user by accountId, email, or userId
-   * @param password - New password (will be hashed)
-   * @throws {UserNotFoundError} No account matches the identifier
-   * @throws {InvalidPasswordError} New password doesn't meet requirements
-   */
-  async changePasswordForUserBy(identifier, password) {
-    this.validatePassword(password);
-    const account = await this.findAccountByIdentifier(identifier);
-    if (!account) {
-      throw new UserNotFoundError();
-    }
-    await this.queries.updateAccount(account.id, {
-      password: hash2.encode(password)
-    });
-  }
-  /**
-   * Change a user's account status (admin function).
-   *
-   * @param identifier - Find user by accountId, email, or userId
-   * @param status - New status (0=Normal, 1=Archived, 2=Banned, 3=Locked, etc.)
-   * @throws {UserNotFoundError} No account matches the identifier
-   */
-  async setStatusForUserBy(identifier, status) {
-    const account = await this.findAccountByIdentifier(identifier);
-    if (!account) {
-      throw new UserNotFoundError();
-    }
-    await this.queries.updateAccount(account.id, { status });
-  }
-  /**
-   * Initiate password reset for a user (admin function).
-   * Creates a reset token without rate limiting.
-   *
-   * @param identifier - Find user by accountId, email, or userId
-   * @param expiresAfter - Token expiration (default: 6h). Accepts ms format like '1h', '30m'
-   * @param callback - Called with reset token. Create a URL like /reset/{token} and call confirmResetPassword() in that handler
-   * @throws {UserNotFoundError} No account matches the identifier
-   * @throws {EmailNotVerifiedError} Account exists but email is not verified
-   */
-  async initiatePasswordResetForUserBy(identifier, expiresAfter = null, callback) {
-    const account = await this.findAccountByIdentifier(identifier);
-    if (!account) {
-      throw new UserNotFoundError();
-    }
-    if (!account.verified) {
-      throw new EmailNotVerifiedError();
-    }
-    const expiry = !expiresAfter ? ms("6h") : ms(expiresAfter);
-    const token = hash2.encode(account.email);
-    const expires = new Date(Date.now() + expiry);
-    await this.queries.createResetToken({
-      accountId: account.id,
-      token,
-      expires
-    });
-    if (callback) {
-      callback(token);
-    }
-  }
-  /**
-   * Force logout all sessions for a specific user (admin function).
-   * Increments force_logout counter and deletes all remember tokens.
-   * If target user is currently logged in, marks their session for logout.
-   *
-   * @param identifier - Find user by accountId, email, or userId
-   * @throws {UserNotFoundError} No account matches the identifier
-   */
-  async forceLogoutForUserBy(identifier) {
-    const account = await this.findAccountByIdentifier(identifier);
-    if (!account) {
-      throw new UserNotFoundError();
-    }
-    await this.queries.incrementForceLogout(account.id);
-    if (this.auth.getId() === account.id) {
-      this.req.session.auth.shouldForceLogout = true;
-    }
-  }
-};
-
-// src/auth-manager.ts
-import { hash as hash5 } from "@prsm/hash";
-import ms3 from "@prsm/ms";
-
-// src/activity-logger.ts
-import Bowser from "bowser";
-var ActivityLogger = class {
-  constructor(config) {
-    this.config = config;
-    this.enabled = config.activityLog?.enabled !== false;
-    this.maxEntries = config.activityLog?.maxEntries || 1e4;
-    this.allowedActions = config.activityLog?.actions || null;
-    this.tablePrefix = config.tablePrefix || "user_";
-  }
-  get activityTable() {
-    return `${this.tablePrefix}activity_log`;
-  }
-  parseUserAgent(userAgent) {
-    if (!userAgent) {
-      return { browser: null, os: null, device: null };
-    }
-    try {
-      const browser = Bowser.getParser(userAgent);
-      const result = browser.getResult();
-      return {
-        browser: result.browser.name || null,
-        os: result.os.name || null,
-        device: result.platform.type || "desktop"
-      };
-    } catch (error) {
-      return this.parseUserAgentSimple(userAgent);
-    }
-  }
-  parseUserAgentSimple(userAgent) {
-    let browser = null;
-    if (userAgent.includes("Chrome")) browser = "Chrome";
-    else if (userAgent.includes("Firefox")) browser = "Firefox";
-    else if (userAgent.includes("Safari")) browser = "Safari";
-    else if (userAgent.includes("Edge")) browser = "Edge";
-    let os = null;
-    if (userAgent.includes("Windows")) os = "Windows";
-    else if (userAgent.includes("Mac OS")) os = "macOS";
-    else if (userAgent.includes("Linux")) os = "Linux";
-    else if (userAgent.includes("Android")) os = "Android";
-    else if (userAgent.includes("iOS")) os = "iOS";
-    let device = "desktop";
-    if (userAgent.includes("Mobile")) device = "mobile";
-    else if (userAgent.includes("Tablet")) device = "tablet";
-    return { browser, os, device };
-  }
-  getIpAddress(req) {
-    return req.ip || req.connection?.remoteAddress || req.socket?.remoteAddress || req.connection?.socket?.remoteAddress || null;
-  }
-  async logActivity(accountId, action, req, success = true, metadata = {}) {
-    if (!this.enabled) return;
-    if (this.allowedActions && !this.allowedActions.includes(action)) {
-      return;
-    }
-    const userAgent = (typeof req.get === "function" ? req.get("User-Agent") : req.headers?.["user-agent"]) || null;
-    const ip = this.getIpAddress(req);
-    const parsed = this.parseUserAgent(userAgent);
-    try {
-      await this.config.db.query(
-        `
-        INSERT INTO ${this.activityTable} 
-        (account_id, action, ip_address, user_agent, browser, os, device, success, metadata)
-        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
-        `,
-        [accountId, action, ip, userAgent, parsed.browser, parsed.os, parsed.device, success, Object.keys(metadata).length > 0 ? JSON.stringify(metadata) : null]
-      );
-      if (Math.random() < 0.01) {
-        await this.cleanup();
-      }
-    } catch (error) {
-      console.error("ActivityLogger: Failed to log activity:", error);
-    }
-  }
-  async cleanup() {
-    if (!this.enabled) return;
-    try {
-      await this.config.db.query(
-        `
-        DELETE FROM ${this.activityTable} 
-        WHERE id NOT IN (
-          SELECT id FROM ${this.activityTable} 
-          ORDER BY created_at DESC 
-          LIMIT $1
-        )
-        `,
-        [this.maxEntries]
-      );
-    } catch (error) {
-      console.error("ActivityLogger: Failed to cleanup old entries:", error);
-    }
+var validateEmail = (email) => {
+  if (typeof email !== "string") {
+    throw new InvalidEmailError();
   }
-  async getRecentActivity(limit = 100, accountId) {
-    if (!this.enabled) return [];
-    try {
-      let sql = `
-        SELECT 
-          al.*,
-          a.email 
-        FROM ${this.activityTable} al
-        LEFT JOIN ${this.tablePrefix}accounts a ON al.account_id = a.id
-      `;
-      const params = [];
-      if (accountId !== void 0) {
-        sql += " WHERE al.account_id = $1";
-        params.push(accountId);
-      }
-      sql += ` ORDER BY al.created_at DESC LIMIT $${params.length + 1}`;
-      params.push(Math.min(limit, 1e3));
-      const result = await this.config.db.query(sql, params);
-      return result.rows.map((row) => ({
-        ...row,
-        metadata: row.metadata ? JSON.parse(row.metadata) : null
-      }));
-    } catch (error) {
-      console.error("ActivityLogger: Failed to get recent activity:", error);
-      return [];
-    }
+  if (!email.trim()) {
+    throw new InvalidEmailError();
   }
-  async getActivityStats() {
-    if (!this.enabled) {
-      return {
-        totalEntries: 0,
-        uniqueUsers: 0,
-        recentLogins: 0,
-        failedAttempts: 0
-      };
-    }
-    try {
-      const [total, unique, recent, failed] = await Promise.all([
-        this.config.db.query(`SELECT COUNT(*) as count FROM ${this.activityTable}`),
-        this.config.db.query(`SELECT COUNT(DISTINCT account_id) as count FROM ${this.activityTable} WHERE account_id IS NOT NULL`),
-        this.config.db.query(`SELECT COUNT(*) as count FROM ${this.activityTable} WHERE action = 'login' AND created_at > NOW() - INTERVAL '24 hours'`),
-        this.config.db.query(`SELECT COUNT(*) as count FROM ${this.activityTable} WHERE success = false AND created_at > NOW() - INTERVAL '24 hours'`)
-      ]);
-      return {
-        totalEntries: parseInt(total.rows[0]?.count || "0"),
-        uniqueUsers: parseInt(unique.rows[0]?.count || "0"),
-        recentLogins: parseInt(recent.rows[0]?.count || "0"),
-        failedAttempts: parseInt(failed.rows[0]?.count || "0")
-      };
-    } catch (error) {
-      console.error("ActivityLogger: Failed to get activity stats:", error);
-      return {
-        totalEntries: 0,
-        uniqueUsers: 0,
-        recentLogins: 0,
-        failedAttempts: 0
-      };
-    }
+  if (!isValidEmail(email)) {
+    throw new InvalidEmailError();
   }
 };
+var createMapFromEnum = (enumObj) => Object.fromEntries(Object.entries(enumObj).map(([key, value]) => [value, key]));
 
 // src/providers/base-provider.ts
 var BaseOAuthProvider = class {
@@ -1131,7 +859,7 @@ var AzureProvider = class extends BaseOAuthProvider {
 
 // src/two-factor/totp-provider.ts
 import Otp from "@eaccess/totp";
-import { hash as hash3 } from "@prsm/hash";
+import { hash } from "@prsm/hash";
 var TotpProvider = class {
   constructor(config) {
     this.config = config;
@@ -1160,11 +888,11 @@ var TotpProvider = class {
     return codes;
   }
   hashBackupCodes(codes) {
-    return codes.map((code) => hash3.encode(code));
+    return codes.map((code) => hash.encode(code));
   }
   verifyBackupCode(hashedCodes, inputCode) {
     for (let i = 0; i < hashedCodes.length; i++) {
-      if (hash3.verify(hashedCodes[i], inputCode.toUpperCase())) {
+      if (hash.verify(hashedCodes[i], inputCode.toUpperCase())) {
         return { isValid: true, index: i };
       }
     }
@@ -1180,8 +908,8 @@ var TotpProvider = class {
 };
 
 // src/two-factor/otp-provider.ts
-import ms2 from "@prsm/ms";
-import { hash as hash4 } from "@prsm/hash";
+import ms from "@prsm/ms";
+import { hash as hash2 } from "@prsm/hash";
 var OtpProvider = class {
   constructor(config) {
     this.config = config;
@@ -1206,9 +934,9 @@ var OtpProvider = class {
   async createAndStoreOTP(accountId, mechanism) {
     const otp = this.generateOTP();
     const selector = this.generateSelector();
-    const tokenHash = hash4.encode(otp);
+    const tokenHash = hash2.encode(otp);
     const expiryDuration = this.config.twoFactor?.tokenExpiry || "5m";
-    const expiresAt = new Date(Date.now() + ms2(expiryDuration));
+    const expiresAt = new Date(Date.now() + ms(expiryDuration));
     await this.queries.deleteTwoFactorTokensByAccountAndMechanism(accountId, mechanism);
     await this.queries.createTwoFactorToken({
       accountId,
@@ -1228,7 +956,7 @@ var OtpProvider = class {
       await this.queries.deleteTwoFactorToken(token.id);
       return { isValid: false };
     }
-    const isValid = hash4.verify(token.token_hash, inputCode);
+    const isValid = hash2.verify(token.token_hash, inputCode);
     if (isValid) {
       await this.queries.deleteTwoFactorToken(token.id);
       return { isValid: true, token };
@@ -1626,6 +1354,248 @@ var TwoFactorManager = class {
   }
 };
 
+// src/auth-functions.ts
+var auth_functions_exports = {};
+__export(auth_functions_exports, {
+  addRoleForUserBy: () => addRoleForUserBy,
+  changePasswordForUserBy: () => changePasswordForUserBy,
+  confirmResetPassword: () => confirmResetPassword,
+  createUser: () => createUser,
+  deleteUserBy: () => deleteUserBy,
+  forceLogoutForUserBy: () => forceLogoutForUserBy,
+  hasRoleForUserBy: () => hasRoleForUserBy,
+  initiatePasswordResetForUserBy: () => initiatePasswordResetForUserBy,
+  register: () => register,
+  removeRoleForUserBy: () => removeRoleForUserBy,
+  resetPassword: () => resetPassword,
+  setStatusForUserBy: () => setStatusForUserBy
+});
+import { hash as hash3 } from "@prsm/hash";
+import ms2 from "@prsm/ms";
+function validatePassword(password, config) {
+  const minLength = config.minPasswordLength || 8;
+  const maxLength = config.maxPasswordLength || 64;
+  if (typeof password !== "string") {
+    throw new InvalidPasswordError();
+  }
+  if (password.length < minLength) {
+    throw new InvalidPasswordError();
+  }
+  if (password.length > maxLength) {
+    throw new InvalidPasswordError();
+  }
+}
+function generateAutoUserId() {
+  return crypto.randomUUID();
+}
+async function findAccountByIdentifier(queries, identifier) {
+  if (identifier.accountId !== void 0) {
+    return await queries.findAccountById(identifier.accountId);
+  } else if (identifier.email !== void 0) {
+    return await queries.findAccountByEmail(identifier.email);
+  } else if (identifier.userId !== void 0) {
+    return await queries.findAccountByUserId(identifier.userId);
+  }
+  return null;
+}
+async function createConfirmationToken(queries, account, email, callback) {
+  const token = hash3.encode(email);
+  const expires = new Date(Date.now() + 1e3 * 60 * 60 * 24 * 7);
+  await queries.createConfirmation({
+    accountId: account.id,
+    token,
+    email,
+    expires
+  });
+  if (callback) {
+    callback(token);
+  }
+}
+async function createUser(config, credentials, userId, callback) {
+  validateEmail(credentials.email);
+  validatePassword(credentials.password, config);
+  const queries = new AuthQueries(config);
+  const existing = await queries.findAccountByEmail(credentials.email);
+  if (existing) {
+    throw new EmailTakenError();
+  }
+  const finalUserId = userId || generateAutoUserId();
+  const hashedPassword = hash3.encode(credentials.password);
+  const verified = typeof callback !== "function";
+  const account = await queries.createAccount({
+    userId: finalUserId,
+    email: credentials.email,
+    password: hashedPassword,
+    verified,
+    status: AuthStatus.Normal,
+    rolemask: 0
+  });
+  if (!verified && callback) {
+    await createConfirmationToken(queries, account, credentials.email, callback);
+  }
+  return account;
+}
+async function register(config, email, password, userId, callback) {
+  validateEmail(email);
+  validatePassword(password, config);
+  const queries = new AuthQueries(config);
+  const existing = await queries.findAccountByEmail(email);
+  if (existing) {
+    throw new EmailTakenError();
+  }
+  const finalUserId = userId || generateAutoUserId();
+  const hashedPassword = hash3.encode(password);
+  const verified = typeof callback !== "function";
+  const account = await queries.createAccount({
+    userId: finalUserId,
+    email,
+    password: hashedPassword,
+    verified,
+    status: AuthStatus.Normal,
+    rolemask: 0
+  });
+  if (!verified && callback) {
+    await createConfirmationToken(queries, account, email, callback);
+  }
+  return account;
+}
+async function deleteUserBy(config, identifier) {
+  const queries = new AuthQueries(config);
+  const account = await findAccountByIdentifier(queries, identifier);
+  if (!account) {
+    throw new UserNotFoundError();
+  }
+  await queries.deleteAccount(account.id);
+}
+async function addRoleForUserBy(config, identifier, role) {
+  const queries = new AuthQueries(config);
+  const account = await findAccountByIdentifier(queries, identifier);
+  if (!account) {
+    throw new UserNotFoundError();
+  }
+  const rolemask = account.rolemask | role;
+  await queries.updateAccount(account.id, { rolemask });
+}
+async function removeRoleForUserBy(config, identifier, role) {
+  const queries = new AuthQueries(config);
+  const account = await findAccountByIdentifier(queries, identifier);
+  if (!account) {
+    throw new UserNotFoundError();
+  }
+  const rolemask = account.rolemask & ~role;
+  await queries.updateAccount(account.id, { rolemask });
+}
+async function hasRoleForUserBy(config, identifier, role) {
+  const queries = new AuthQueries(config);
+  const account = await findAccountByIdentifier(queries, identifier);
+  if (!account) {
+    throw new UserNotFoundError();
+  }
+  return (account.rolemask & role) === role;
+}
+async function changePasswordForUserBy(config, identifier, password) {
+  validatePassword(password, config);
+  const queries = new AuthQueries(config);
+  const account = await findAccountByIdentifier(queries, identifier);
+  if (!account) {
+    throw new UserNotFoundError();
+  }
+  await queries.updateAccount(account.id, {
+    password: hash3.encode(password)
+  });
+}
+async function setStatusForUserBy(config, identifier, status) {
+  const queries = new AuthQueries(config);
+  const account = await findAccountByIdentifier(queries, identifier);
+  if (!account) {
+    throw new UserNotFoundError();
+  }
+  await queries.updateAccount(account.id, { status });
+}
+async function initiatePasswordResetForUserBy(config, identifier, expiresAfter = null, callback) {
+  const queries = new AuthQueries(config);
+  const account = await findAccountByIdentifier(queries, identifier);
+  if (!account) {
+    throw new UserNotFoundError();
+  }
+  if (!account.verified) {
+    throw new EmailNotVerifiedError();
+  }
+  const expiry = !expiresAfter ? ms2("6h") : ms2(expiresAfter);
+  const token = hash3.encode(account.email);
+  const expires = new Date(Date.now() + expiry);
+  await queries.createResetToken({
+    accountId: account.id,
+    token,
+    expires
+  });
+  if (callback) {
+    callback(token);
+  }
+}
+async function resetPassword(config, email, expiresAfter = null, maxOpenRequests = null, callback) {
+  validateEmail(email);
+  const expiry = !expiresAfter ? ms2("6h") : ms2(expiresAfter);
+  const maxRequests = maxOpenRequests === null ? 2 : Math.max(1, maxOpenRequests);
+  const queries = new AuthQueries(config);
+  const account = await queries.findAccountByEmail(email);
+  if (!account || !account.verified) {
+    throw new EmailNotVerifiedError();
+  }
+  if (!account.resettable) {
+    throw new ResetDisabledError();
+  }
+  const openRequests = await queries.countActiveResetTokensForAccount(account.id);
+  if (openRequests >= maxRequests) {
+    throw new TooManyResetsError();
+  }
+  const token = hash3.encode(email);
+  const expires = new Date(Date.now() + expiry);
+  await queries.createResetToken({
+    accountId: account.id,
+    token,
+    expires
+  });
+  if (callback) {
+    callback(token);
+  }
+}
+async function confirmResetPassword(config, token, password) {
+  const queries = new AuthQueries(config);
+  const reset = await queries.findResetToken(token);
+  if (!reset) {
+    throw new ResetNotFoundError();
+  }
+  if (new Date(reset.expires) < /* @__PURE__ */ new Date()) {
+    throw new ResetExpiredError();
+  }
+  const account = await queries.findAccountById(reset.account_id);
+  if (!account) {
+    throw new UserNotFoundError();
+  }
+  if (!account.resettable) {
+    throw new ResetDisabledError();
+  }
+  validatePassword(password, config);
+  if (!hash3.verify(token, account.email)) {
+    throw new InvalidTokenError();
+  }
+  await queries.updateAccount(account.id, {
+    password: hash3.encode(password)
+  });
+  await queries.deleteResetToken(token);
+  return { accountId: account.id, email: account.email };
+}
+async function forceLogoutForUserBy(config, identifier) {
+  const queries = new AuthQueries(config);
+  const account = await findAccountByIdentifier(queries, identifier);
+  if (!account) {
+    throw new UserNotFoundError();
+  }
+  await queries.incrementForceLogout(account.id);
+  return { accountId: account.id };
+}
+
 // src/auth-manager.ts
 var AuthManager = class {
   constructor(req, res, config) {
@@ -1817,7 +1787,7 @@ var AuthManager = class {
     });
   }
   async createRememberDirective(account) {
-    const token = hash5.encode(account.email);
+    const token = hash4.encode(account.email);
     const duration = this.config.rememberDuration || "30d";
     const expires = new Date(Date.now() + ms3(duration));
     await this.queries.createRememberToken({
@@ -1855,7 +1825,7 @@ var AuthManager = class {
         await this.activityLogger.logActivity(null, AuthActivityAction.FailedLogin, this.req, false, { email, reason: "account_not_found" });
         throw new UserNotFoundError();
       }
-      if (!account.password || !hash5.verify(account.password, password)) {
+      if (!account.password || !hash4.verify(account.password, password)) {
         await this.activityLogger.logActivity(account.id, AuthActivityAction.FailedLogin, this.req, false, { email, reason: "invalid_password" });
         throw new InvalidPasswordError();
       }
@@ -1967,7 +1937,7 @@ var AuthManager = class {
       throw new EmailTakenError();
     }
     const finalUserId = userId || this.generateAutoUserId();
-    const hashedPassword = hash5.encode(password);
+    const hashedPassword = hash4.encode(password);
     const verified = typeof callback !== "function";
     const account = await this.queries.createAccount({
       userId: finalUserId,
@@ -1984,7 +1954,7 @@ var AuthManager = class {
     return account;
   }
   async createConfirmationToken(account, email, callback) {
-    const token = hash5.encode(email);
+    const token = hash4.encode(email);
     const expires = new Date(Date.now() + 1e3 * 60 * 60 * 24 * 7);
     await this.queries.createConfirmation({
       accountId: account.id,
@@ -2118,7 +2088,7 @@ var AuthManager = class {
     if (new Date(confirmation.expires) < /* @__PURE__ */ new Date()) {
       throw new ConfirmationExpiredError();
     }
-    if (!hash5.verify(token, confirmation.email)) {
+    if (!hash4.verify(token, confirmation.email)) {
       throw new InvalidTokenError();
     }
     await this.queries.updateAccount(confirmation.account_id, {
@@ -2215,7 +2185,7 @@ var AuthManager = class {
     if (openRequests >= maxRequests) {
       throw new TooManyResetsError();
     }
-    const token = hash5.encode(email);
+    const token = hash4.encode(email);
     const expires = new Date(Date.now() + expiry);
     await this.queries.createResetToken({
       accountId: account.id,
@@ -2257,11 +2227,11 @@ var AuthManager = class {
       throw new ResetDisabledError();
     }
     this.validatePassword(password);
-    if (!hash5.verify(token, account.email)) {
+    if (!hash4.verify(token, account.email)) {
       throw new InvalidTokenError();
     }
     await this.queries.updateAccount(account.id, {
-      password: hash5.encode(password)
+      password: hash4.encode(password)
     });
     if (logout) {
       await this.forceLogoutForAccountById(account.id);
@@ -2289,7 +2259,7 @@ var AuthManager = class {
     if (!account.password) {
       return false;
     }
-    return hash5.verify(account.password, password);
+    return hash4.verify(account.password, password);
   }
   async forceLogoutForAccountById(accountId) {
     await this.queries.deleteRememberTokensForAccount(accountId);
@@ -2327,6 +2297,61 @@ var AuthManager = class {
     await this.logoutEverywhereElse();
     await this.logout();
   }
+  async findAccountByIdentifier(identifier) {
+    if (identifier.accountId !== void 0) {
+      return await this.queries.findAccountById(identifier.accountId);
+    } else if (identifier.email !== void 0) {
+      return await this.queries.findAccountByEmail(identifier.email);
+    } else if (identifier.userId !== void 0) {
+      return await this.queries.findAccountByUserId(identifier.userId);
+    }
+    return null;
+  }
+  // Admin/standalone functions (delegated to auth-functions.js)
+  async createUser(credentials, userId, callback) {
+    return createUser(this.config, credentials, userId, callback);
+  }
+  async deleteUserBy(identifier) {
+    return deleteUserBy(this.config, identifier);
+  }
+  async addRoleForUserBy(identifier, role) {
+    return addRoleForUserBy(this.config, identifier, role);
+  }
+  async removeRoleForUserBy(identifier, role) {
+    return removeRoleForUserBy(this.config, identifier, role);
+  }
+  async hasRoleForUserBy(identifier, role) {
+    return hasRoleForUserBy(this.config, identifier, role);
+  }
+  async changePasswordForUserBy(identifier, password) {
+    return changePasswordForUserBy(this.config, identifier, password);
+  }
+  async setStatusForUserBy(identifier, status) {
+    return setStatusForUserBy(this.config, identifier, status);
+  }
+  async initiatePasswordResetForUserBy(identifier, expiresAfter, callback) {
+    return initiatePasswordResetForUserBy(this.config, identifier, expiresAfter, callback);
+  }
+  async forceLogoutForUserBy(identifier) {
+    const result = await forceLogoutForUserBy(this.config, identifier);
+    if (this.getId() === result.accountId) {
+      this.req.session.auth.shouldForceLogout = true;
+    }
+  }
+  /**
+   * Log in as another user (admin function).
+   * Creates a new session as the target user without requiring their password.
+   *
+   * @param identifier - Find user by accountId, email, or userId
+   * @throws {UserNotFoundError} No account matches the identifier
+   */
+  async loginAsUserBy(identifier) {
+    const account = await this.findAccountByIdentifier(identifier);
+    if (!account) {
+      throw new UserNotFoundError();
+    }
+    await this.onLoginSuccessful(account, false);
+  }
 };
 
 // src/middleware.ts
@@ -2334,9 +2359,7 @@ function createAuthMiddleware(config) {
   return async (req, res, next) => {
     try {
       const authManager = new AuthManager(req, res, config);
-      const authAdminManager = new AuthAdminManager(req, res, config, authManager);
       req.auth = authManager;
-      req.authAdmin = authAdminManager;
       await authManager.resyncSession();
       await authManager.processRememberDirective();
       next();
@@ -2544,6 +2567,62 @@ async function getAuthTableStats(config) {
     expiredTwoFactorTokens: parseInt(expiredTwoFactorTokensResult.rows[0]?.count || "0")
   };
 }
+
+// src/auth-context.ts
+function createAuthContext(config) {
+  return {
+    createUser: (credentials, userId, callback) => createUser(config, credentials, userId, callback),
+    register: (email, password, userId, callback) => register(config, email, password, userId, callback),
+    deleteUserBy: (identifier) => deleteUserBy(config, identifier),
+    addRoleForUserBy: (identifier, role) => addRoleForUserBy(config, identifier, role),
+    removeRoleForUserBy: (identifier, role) => removeRoleForUserBy(config, identifier, role),
+    hasRoleForUserBy: (identifier, role) => hasRoleForUserBy(config, identifier, role),
+    changePasswordForUserBy: (identifier, password) => changePasswordForUserBy(config, identifier, password),
+    setStatusForUserBy: (identifier, status) => setStatusForUserBy(config, identifier, status),
+    initiatePasswordResetForUserBy: (identifier, expiresAfter, callback) => initiatePasswordResetForUserBy(config, identifier, expiresAfter, callback),
+    resetPassword: (email, expiresAfter, maxOpenRequests, callback) => resetPassword(config, email, expiresAfter, maxOpenRequests, callback),
+    confirmResetPassword: (token, password) => confirmResetPassword(config, token, password),
+    forceLogoutForUserBy: (identifier) => forceLogoutForUserBy(config, identifier)
+  };
+}
+
+// src/user-roles.ts
+async function findAccountByIdentifier2(queries, identifier) {
+  let account = null;
+  if (identifier.accountId !== void 0) {
+    account = await queries.findAccountById(identifier.accountId);
+  } else if (identifier.email !== void 0) {
+    account = await queries.findAccountByEmail(identifier.email);
+  } else if (identifier.userId !== void 0) {
+    account = await queries.findAccountByUserId(identifier.userId);
+  }
+  if (!account) {
+    throw new UserNotFoundError();
+  }
+  return account;
+}
+async function addRoleToUser(config, identifier, role) {
+  const queries = new AuthQueries(config);
+  const account = await findAccountByIdentifier2(queries, identifier);
+  const rolemask = account.rolemask | role;
+  await queries.updateAccount(account.id, { rolemask });
+}
+async function removeRoleFromUser(config, identifier, role) {
+  const queries = new AuthQueries(config);
+  const account = await findAccountByIdentifier2(queries, identifier);
+  const rolemask = account.rolemask & ~role;
+  await queries.updateAccount(account.id, { rolemask });
+}
+async function setUserRoles(config, identifier, rolemask) {
+  const queries = new AuthQueries(config);
+  const account = await findAccountByIdentifier2(queries, identifier);
+  await queries.updateAccount(account.id, { rolemask });
+}
+async function getUserRoles(config, identifier) {
+  const queries = new AuthQueries(config);
+  const account = await findAccountByIdentifier2(queries, identifier);
+  return account.rolemask;
+}
 export {
   ActivityLogger,
   AuthActivityAction,
@@ -2579,13 +2658,18 @@ export {
   UserInactiveError,
   UserNotFoundError,
   UserNotLoggedInError,
+  addRoleToUser,
+  auth_functions_exports as authFunctions,
   cleanupExpiredTokens,
+  createAuthContext,
   createAuthMiddleware,
   createAuthTables,
-  createUser,
   dropAuthTables,
   getAuthTableStats,
+  getUserRoles,
   isValidEmail,
+  removeRoleFromUser,
+  setUserRoles,
   validateEmail
 };
 //# sourceMappingURL=index.js.map