npm - @eaccess/auth - Versions diffs - 0.1.20 → 1.0.0 - Mend

@eaccess/auth 0.1.20 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.d.cts CHANGED Viewed

@@ -1,5 +1,6 @@
 import { Request, Response, NextFunction } from 'express';
 import { Pool } from 'pg';
+import { IncomingMessage } from 'http';
 interface OAuthProviderConfig {
     clientId: string;
@@ -35,6 +36,7 @@ interface AuthConfig {
      */
     createUser?: (userData: OAuthUserData) => string | number | Promise<string | number>;
     tablePrefix?: string;
+    roles?: Record<string, number>;
     minPasswordLength?: number;
     maxPasswordLength?: number;
     rememberDuration?: string;
@@ -119,6 +121,10 @@ interface AuthRemember {
     token: string;
     expires: Date;
 }
+interface AuthenticateRequestResult {
+    account: AuthAccount | null;
+    source: "session" | "remember" | null;
+}
 interface AuthReset {
     id: number;
     account_id: number;
@@ -599,6 +605,7 @@ interface AuthContext {
 }
 declare function createAuthContext(config: AuthConfig): AuthContext;
+declare function authenticateRequest(config: AuthConfig, req: IncomingMessage, sessionMiddleware?: (req: any, res: any, next: () => void) => void): Promise<AuthenticateRequestResult>;
 declare function createUser(config: AuthConfig, credentials: {
     email: string;
     password: string;
@@ -654,6 +661,7 @@ declare function forceLogoutForUserBy(config: AuthConfig, identifier: {
 }>;
 declare const authFunctions_addRoleForUserBy: typeof addRoleForUserBy;
+declare const authFunctions_authenticateRequest: typeof authenticateRequest;
 declare const authFunctions_changePasswordForUserBy: typeof changePasswordForUserBy;
 declare const authFunctions_confirmResetPassword: typeof confirmResetPassword;
 declare const authFunctions_createUser: typeof createUser;
@@ -667,9 +675,10 @@ declare const authFunctions_resetPassword: typeof resetPassword;
 declare const authFunctions_setStatusForUserBy: typeof setStatusForUserBy;
 declare const authFunctions_userExistsByEmail: typeof userExistsByEmail;
 declare namespace authFunctions {
-  export { authFunctions_addRoleForUserBy as addRoleForUserBy, authFunctions_changePasswordForUserBy as changePasswordForUserBy, authFunctions_confirmResetPassword as confirmResetPassword, authFunctions_createUser as createUser, authFunctions_deleteUserBy as deleteUserBy, authFunctions_forceLogoutForUserBy as forceLogoutForUserBy, authFunctions_hasRoleForUserBy as hasRoleForUserBy, authFunctions_initiatePasswordResetForUserBy as initiatePasswordResetForUserBy, authFunctions_register as register, authFunctions_removeRoleForUserBy as removeRoleForUserBy, authFunctions_resetPassword as resetPassword, authFunctions_setStatusForUserBy as setStatusForUserBy, authFunctions_userExistsByEmail as userExistsByEmail };
+  export { authFunctions_addRoleForUserBy as addRoleForUserBy, authFunctions_authenticateRequest as authenticateRequest, authFunctions_changePasswordForUserBy as changePasswordForUserBy, authFunctions_confirmResetPassword as confirmResetPassword, authFunctions_createUser as createUser, authFunctions_deleteUserBy as deleteUserBy, authFunctions_forceLogoutForUserBy as forceLogoutForUserBy, authFunctions_hasRoleForUserBy as hasRoleForUserBy, authFunctions_initiatePasswordResetForUserBy as initiatePasswordResetForUserBy, authFunctions_register as register, authFunctions_removeRoleForUserBy as removeRoleForUserBy, authFunctions_resetPassword as resetPassword, authFunctions_setStatusForUserBy as setStatusForUserBy, authFunctions_userExistsByEmail as userExistsByEmail };
 }
+declare function defineRoles<const T extends readonly string[]>(...names: T): Readonly<Record<T[number], number>>;
 type UserIdentifier = {
     accountId?: number;
     email?: string;
@@ -866,11 +875,11 @@ declare class TotpProvider {
     generateQRCode(email: string, secret: string): string;
     verify(secret: string, code: string): boolean;
     generateBackupCodes(count?: number): string[];
-    hashBackupCodes(codes: string[]): string[];
-    verifyBackupCode(hashedCodes: string[], inputCode: string): {
+    hashBackupCodes(codes: string[]): Promise<string[]>;
+    verifyBackupCode(hashedCodes: string[], inputCode: string): Promise<{
         isValid: boolean;
         index: number;
-    };
+    }>;
     maskEmail(email: string): string;
 }
@@ -1193,4 +1202,4 @@ declare class AzureProvider extends BaseOAuthProvider {
     protected exchangeCodeForToken(code: string, tokenUrl: string): Promise<string>;
 }
-export { ActivityLogger, type AuthAccount, type AuthActivity, AuthActivityAction, type AuthActivityActionType, type AuthConfig, type AuthConfirmation, type AuthContext, AuthError, type AuthManager$1 as AuthManager, type AuthProvider, type AuthRemember, type AuthReset, AuthRole, type AuthSession, AuthStatus, AzureProvider, type AzureProviderConfig, BaseOAuthProvider, ConfirmationExpiredError, ConfirmationNotFoundError, EmailNotVerifiedError, EmailTakenError, GitHubProvider, type GitHubProviderConfig, GoogleProvider, type GoogleProviderConfig, InvalidBackupCodeError, InvalidEmailError, InvalidPasswordError, InvalidTokenError, InvalidTwoFactorCodeError, type OAuthCallbackResult, type OAuthProvider, type OAuthProviderConfig, type OAuthUserData, OtpProvider, ResetDisabledError, ResetExpiredError, ResetNotFoundError, SecondFactorRequiredError, type TokenCallback, TooManyResetsError, TotpProvider, TwoFactorAlreadyEnabledError, type TwoFactorChallenge, TwoFactorExpiredError, TwoFactorManager, TwoFactorMechanism, type TwoFactorMethod, TwoFactorNotSetupError, TwoFactorSetupIncompleteError, type TwoFactorSetupResult, type TwoFactorToken, type UserIdentifier, UserInactiveError, UserNotFoundError, UserNotLoggedInError, addRoleForUserBy, addRoleToUser, authFunctions, changePasswordForUserBy, cleanupExpiredTokens, confirmResetPassword, createAuthContext, createAuthMiddleware, createAuthTables, createUser, deleteUserBy, dropAuthTables, forceLogoutForUserBy, getAuthTableStats, getUserRoles, hasRoleForUserBy, initiatePasswordResetForUserBy, isValidEmail, register, removeRoleForUserBy, removeRoleFromUser, resetPassword, setStatusForUserBy, setUserRoles, userExistsByEmail, validateEmail };
+export { ActivityLogger, type AuthAccount, type AuthActivity, AuthActivityAction, type AuthActivityActionType, type AuthConfig, type AuthConfirmation, type AuthContext, AuthError, type AuthManager$1 as AuthManager, type AuthProvider, type AuthRemember, type AuthReset, AuthRole, type AuthSession, AuthStatus, type AuthenticateRequestResult, AzureProvider, type AzureProviderConfig, BaseOAuthProvider, ConfirmationExpiredError, ConfirmationNotFoundError, EmailNotVerifiedError, EmailTakenError, GitHubProvider, type GitHubProviderConfig, GoogleProvider, type GoogleProviderConfig, InvalidBackupCodeError, InvalidEmailError, InvalidPasswordError, InvalidTokenError, InvalidTwoFactorCodeError, type OAuthCallbackResult, type OAuthProvider, type OAuthProviderConfig, type OAuthUserData, OtpProvider, ResetDisabledError, ResetExpiredError, ResetNotFoundError, SecondFactorRequiredError, type TokenCallback, TooManyResetsError, TotpProvider, TwoFactorAlreadyEnabledError, type TwoFactorChallenge, TwoFactorExpiredError, TwoFactorManager, TwoFactorMechanism, type TwoFactorMethod, TwoFactorNotSetupError, TwoFactorSetupIncompleteError, type TwoFactorSetupResult, type TwoFactorToken, type UserIdentifier, UserInactiveError, UserNotFoundError, UserNotLoggedInError, addRoleForUserBy, addRoleToUser, authFunctions, authenticateRequest, changePasswordForUserBy, cleanupExpiredTokens, confirmResetPassword, createAuthContext, createAuthMiddleware, createAuthTables, createUser, defineRoles, deleteUserBy, dropAuthTables, forceLogoutForUserBy, getAuthTableStats, getUserRoles, hasRoleForUserBy, initiatePasswordResetForUserBy, isValidEmail, register, removeRoleForUserBy, removeRoleFromUser, resetPassword, setStatusForUserBy, setUserRoles, userExistsByEmail, validateEmail };

package/dist/index.d.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import { Request, Response, NextFunction } from 'express';
 import { Pool } from 'pg';
+import { IncomingMessage } from 'http';
 interface OAuthProviderConfig {
     clientId: string;
@@ -35,6 +36,7 @@ interface AuthConfig {
      */
     createUser?: (userData: OAuthUserData) => string | number | Promise<string | number>;
     tablePrefix?: string;
+    roles?: Record<string, number>;
     minPasswordLength?: number;
     maxPasswordLength?: number;
     rememberDuration?: string;
@@ -119,6 +121,10 @@ interface AuthRemember {
     token: string;
     expires: Date;
 }
+interface AuthenticateRequestResult {
+    account: AuthAccount | null;
+    source: "session" | "remember" | null;
+}
 interface AuthReset {
     id: number;
     account_id: number;
@@ -599,6 +605,7 @@ interface AuthContext {
 }
 declare function createAuthContext(config: AuthConfig): AuthContext;
+declare function authenticateRequest(config: AuthConfig, req: IncomingMessage, sessionMiddleware?: (req: any, res: any, next: () => void) => void): Promise<AuthenticateRequestResult>;
 declare function createUser(config: AuthConfig, credentials: {
     email: string;
     password: string;
@@ -654,6 +661,7 @@ declare function forceLogoutForUserBy(config: AuthConfig, identifier: {
 }>;
 declare const authFunctions_addRoleForUserBy: typeof addRoleForUserBy;
+declare const authFunctions_authenticateRequest: typeof authenticateRequest;
 declare const authFunctions_changePasswordForUserBy: typeof changePasswordForUserBy;
 declare const authFunctions_confirmResetPassword: typeof confirmResetPassword;
 declare const authFunctions_createUser: typeof createUser;
@@ -667,9 +675,10 @@ declare const authFunctions_resetPassword: typeof resetPassword;
 declare const authFunctions_setStatusForUserBy: typeof setStatusForUserBy;
 declare const authFunctions_userExistsByEmail: typeof userExistsByEmail;
 declare namespace authFunctions {
-  export { authFunctions_addRoleForUserBy as addRoleForUserBy, authFunctions_changePasswordForUserBy as changePasswordForUserBy, authFunctions_confirmResetPassword as confirmResetPassword, authFunctions_createUser as createUser, authFunctions_deleteUserBy as deleteUserBy, authFunctions_forceLogoutForUserBy as forceLogoutForUserBy, authFunctions_hasRoleForUserBy as hasRoleForUserBy, authFunctions_initiatePasswordResetForUserBy as initiatePasswordResetForUserBy, authFunctions_register as register, authFunctions_removeRoleForUserBy as removeRoleForUserBy, authFunctions_resetPassword as resetPassword, authFunctions_setStatusForUserBy as setStatusForUserBy, authFunctions_userExistsByEmail as userExistsByEmail };
+  export { authFunctions_addRoleForUserBy as addRoleForUserBy, authFunctions_authenticateRequest as authenticateRequest, authFunctions_changePasswordForUserBy as changePasswordForUserBy, authFunctions_confirmResetPassword as confirmResetPassword, authFunctions_createUser as createUser, authFunctions_deleteUserBy as deleteUserBy, authFunctions_forceLogoutForUserBy as forceLogoutForUserBy, authFunctions_hasRoleForUserBy as hasRoleForUserBy, authFunctions_initiatePasswordResetForUserBy as initiatePasswordResetForUserBy, authFunctions_register as register, authFunctions_removeRoleForUserBy as removeRoleForUserBy, authFunctions_resetPassword as resetPassword, authFunctions_setStatusForUserBy as setStatusForUserBy, authFunctions_userExistsByEmail as userExistsByEmail };
 }
+declare function defineRoles<const T extends readonly string[]>(...names: T): Readonly<Record<T[number], number>>;
 type UserIdentifier = {
     accountId?: number;
     email?: string;
@@ -866,11 +875,11 @@ declare class TotpProvider {
     generateQRCode(email: string, secret: string): string;
     verify(secret: string, code: string): boolean;
     generateBackupCodes(count?: number): string[];
-    hashBackupCodes(codes: string[]): string[];
-    verifyBackupCode(hashedCodes: string[], inputCode: string): {
+    hashBackupCodes(codes: string[]): Promise<string[]>;
+    verifyBackupCode(hashedCodes: string[], inputCode: string): Promise<{
         isValid: boolean;
         index: number;
-    };
+    }>;
     maskEmail(email: string): string;
 }
@@ -1193,4 +1202,4 @@ declare class AzureProvider extends BaseOAuthProvider {
     protected exchangeCodeForToken(code: string, tokenUrl: string): Promise<string>;
 }
-export { ActivityLogger, type AuthAccount, type AuthActivity, AuthActivityAction, type AuthActivityActionType, type AuthConfig, type AuthConfirmation, type AuthContext, AuthError, type AuthManager$1 as AuthManager, type AuthProvider, type AuthRemember, type AuthReset, AuthRole, type AuthSession, AuthStatus, AzureProvider, type AzureProviderConfig, BaseOAuthProvider, ConfirmationExpiredError, ConfirmationNotFoundError, EmailNotVerifiedError, EmailTakenError, GitHubProvider, type GitHubProviderConfig, GoogleProvider, type GoogleProviderConfig, InvalidBackupCodeError, InvalidEmailError, InvalidPasswordError, InvalidTokenError, InvalidTwoFactorCodeError, type OAuthCallbackResult, type OAuthProvider, type OAuthProviderConfig, type OAuthUserData, OtpProvider, ResetDisabledError, ResetExpiredError, ResetNotFoundError, SecondFactorRequiredError, type TokenCallback, TooManyResetsError, TotpProvider, TwoFactorAlreadyEnabledError, type TwoFactorChallenge, TwoFactorExpiredError, TwoFactorManager, TwoFactorMechanism, type TwoFactorMethod, TwoFactorNotSetupError, TwoFactorSetupIncompleteError, type TwoFactorSetupResult, type TwoFactorToken, type UserIdentifier, UserInactiveError, UserNotFoundError, UserNotLoggedInError, addRoleForUserBy, addRoleToUser, authFunctions, changePasswordForUserBy, cleanupExpiredTokens, confirmResetPassword, createAuthContext, createAuthMiddleware, createAuthTables, createUser, deleteUserBy, dropAuthTables, forceLogoutForUserBy, getAuthTableStats, getUserRoles, hasRoleForUserBy, initiatePasswordResetForUserBy, isValidEmail, register, removeRoleForUserBy, removeRoleFromUser, resetPassword, setStatusForUserBy, setUserRoles, userExistsByEmail, validateEmail };
+export { ActivityLogger, type AuthAccount, type AuthActivity, AuthActivityAction, type AuthActivityActionType, type AuthConfig, type AuthConfirmation, type AuthContext, AuthError, type AuthManager$1 as AuthManager, type AuthProvider, type AuthRemember, type AuthReset, AuthRole, type AuthSession, AuthStatus, type AuthenticateRequestResult, AzureProvider, type AzureProviderConfig, BaseOAuthProvider, ConfirmationExpiredError, ConfirmationNotFoundError, EmailNotVerifiedError, EmailTakenError, GitHubProvider, type GitHubProviderConfig, GoogleProvider, type GoogleProviderConfig, InvalidBackupCodeError, InvalidEmailError, InvalidPasswordError, InvalidTokenError, InvalidTwoFactorCodeError, type OAuthCallbackResult, type OAuthProvider, type OAuthProviderConfig, type OAuthUserData, OtpProvider, ResetDisabledError, ResetExpiredError, ResetNotFoundError, SecondFactorRequiredError, type TokenCallback, TooManyResetsError, TotpProvider, TwoFactorAlreadyEnabledError, type TwoFactorChallenge, TwoFactorExpiredError, TwoFactorManager, TwoFactorMechanism, type TwoFactorMethod, TwoFactorNotSetupError, TwoFactorSetupIncompleteError, type TwoFactorSetupResult, type TwoFactorToken, type UserIdentifier, UserInactiveError, UserNotFoundError, UserNotLoggedInError, addRoleForUserBy, addRoleToUser, authFunctions, authenticateRequest, changePasswordForUserBy, cleanupExpiredTokens, confirmResetPassword, createAuthContext, createAuthMiddleware, createAuthTables, createUser, defineRoles, deleteUserBy, dropAuthTables, forceLogoutForUserBy, getAuthTableStats, getUserRoles, hasRoleForUserBy, initiatePasswordResetForUserBy, isValidEmail, register, removeRoleForUserBy, removeRoleFromUser, resetPassword, setStatusForUserBy, setUserRoles, userExistsByEmail, validateEmail };

package/dist/index.js CHANGED Viewed

@@ -5,7 +5,7 @@ var __export = (target, all) => {
 };
 // src/auth-manager.ts
-import { hash as hash4 } from "@prsm/hash";
+import hash4 from "@prsm/hash";
 import ms3 from "@prsm/ms";
 // src/types.ts
@@ -721,7 +721,7 @@ var GitHubProvider = class extends BaseOAuthProvider {
       client_id: this.config.clientId,
       redirect_uri: this.config.redirectUri,
       scope: scopes?.join(" ") || "user:email",
-      state: state || Math.random().toString(36).substring(2),
+      state: state || crypto.randomUUID(),
       response_type: "code"
     });
     return `https://github.com/login/oauth/authorize?${params}`;
@@ -770,7 +770,7 @@ var GoogleProvider = class extends BaseOAuthProvider {
       client_id: this.config.clientId,
       redirect_uri: this.config.redirectUri,
       scope: scopes?.join(" ") || "openid profile email",
-      state: state || Math.random().toString(36).substring(2),
+      state: state || crypto.randomUUID(),
       response_type: "code",
       access_type: "offline",
       prompt: "consent"
@@ -812,7 +812,7 @@ var AzureProvider = class extends BaseOAuthProvider {
       client_id: azureConfig.clientId,
       redirect_uri: azureConfig.redirectUri,
       scope: scopes?.join(" ") || "openid profile email User.Read",
-      state: state || Math.random().toString(36).substring(2),
+      state: state || crypto.randomUUID(),
       response_type: "code",
       response_mode: "query"
     });
@@ -871,7 +871,7 @@ var AzureProvider = class extends BaseOAuthProvider {
 // src/two-factor/totp-provider.ts
 import Otp from "@eaccess/totp";
-import { hash } from "@prsm/hash";
+import hash from "@prsm/hash";
 var TotpProvider = class {
   constructor(config) {
     this.config = config;
@@ -888,23 +888,20 @@ var TotpProvider = class {
     return Otp.verifyTotp(secret, code, window);
   }
   generateBackupCodes(count = 10) {
+    const chars = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ";
     const codes = [];
     for (let i = 0; i < count; i++) {
-      const chars = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ";
-      let code = "";
-      for (let j = 0; j < 8; j++) {
-        code += chars.charAt(Math.floor(Math.random() * chars.length));
-      }
-      codes.push(code);
+      const bytes = crypto.getRandomValues(new Uint8Array(8));
+      codes.push(Array.from(bytes, (b) => chars[b % chars.length]).join(""));
     }
     return codes;
   }
-  hashBackupCodes(codes) {
-    return codes.map((code) => hash.encode(code));
+  async hashBackupCodes(codes) {
+    return await Promise.all(codes.map((code) => hash.encode(code)));
   }
-  verifyBackupCode(hashedCodes, inputCode) {
+  async verifyBackupCode(hashedCodes, inputCode) {
     for (let i = 0; i < hashedCodes.length; i++) {
-      if (hash.verify(hashedCodes[i], inputCode.toUpperCase())) {
+      if (await hash.verify(hashedCodes[i], inputCode.toUpperCase())) {
         return { isValid: true, index: i };
       }
     }
@@ -921,7 +918,7 @@ var TotpProvider = class {
 // src/two-factor/otp-provider.ts
 import ms from "@prsm/ms";
-import { hash as hash2 } from "@prsm/hash";
+import hash2 from "@prsm/hash";
 var OtpProvider = class {
   constructor(config) {
     this.config = config;
@@ -929,24 +926,16 @@ var OtpProvider = class {
   }
   generateOTP() {
     const length = this.config.twoFactor?.codeLength || 6;
-    let otp = "";
-    for (let i = 0; i < length; i++) {
-      otp += Math.floor(Math.random() * 10).toString();
-    }
-    return otp;
+    const bytes = crypto.getRandomValues(new Uint8Array(length));
+    return Array.from(bytes, (b) => (b % 10).toString()).join("");
   }
   generateSelector() {
-    const chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
-    let selector = "";
-    for (let i = 0; i < 32; i++) {
-      selector += chars.charAt(Math.floor(Math.random() * chars.length));
-    }
-    return selector;
+    return crypto.randomUUID().replace(/-/g, "");
   }
   async createAndStoreOTP(accountId, mechanism) {
     const otp = this.generateOTP();
     const selector = this.generateSelector();
-    const tokenHash = hash2.encode(otp);
+    const tokenHash = await hash2.encode(otp);
     const expiryDuration = this.config.twoFactor?.tokenExpiry || "5m";
     const expiresAt = new Date(Date.now() + ms(expiryDuration));
     await this.queries.deleteTwoFactorTokensByAccountAndMechanism(accountId, mechanism);
@@ -968,7 +957,7 @@ var OtpProvider = class {
       await this.queries.deleteTwoFactorToken(token.id);
       return { isValid: false };
     }
-    const isValid = hash2.verify(token.token_hash, inputCode);
+    const isValid = await hash2.verify(token.token_hash, inputCode);
     if (isValid) {
       await this.queries.deleteTwoFactorToken(token.id);
       return { isValid: true, token };
@@ -1015,7 +1004,7 @@ var TwoFactorManager = class {
           const backupCodesCount = this.config.twoFactor?.backupCodesCount || 10;
           backupCodes = this.totpProvider.generateBackupCodes(backupCodesCount);
         }
-        const hashedBackupCodes = backupCodes ? this.totpProvider.hashBackupCodes(backupCodes) : void 0;
+        const hashedBackupCodes = backupCodes ? await this.totpProvider.hashBackupCodes(backupCodes) : void 0;
         const verified = !requireVerification;
         if (existingMethod) {
           await this.queries.updateTwoFactorMethod(existingMethod.id, {
@@ -1113,7 +1102,7 @@ var TwoFactorManager = class {
         }
         const backupCodesCount = this.config.twoFactor?.backupCodesCount || 10;
         const backupCodes = this.totpProvider.generateBackupCodes(backupCodesCount);
-        const hashedBackupCodes = this.totpProvider.hashBackupCodes(backupCodes);
+        const hashedBackupCodes = await this.totpProvider.hashBackupCodes(backupCodes);
         await this.queries.updateTwoFactorMethod(method.id, {
           verified: true,
           backup_codes: hashedBackupCodes,
@@ -1165,7 +1154,7 @@ var TwoFactorManager = class {
         if (!method || !method.verified || !method.backup_codes) {
           throw new TwoFactorNotSetupError();
         }
-        const { isValid, index } = this.totpProvider.verifyBackupCode(method.backup_codes, code);
+        const { isValid, index } = await this.totpProvider.verifyBackupCode(method.backup_codes, code);
         if (!isValid) {
           await this.activityLogger.logActivity(twoFactorState.accountId, AuthActivityAction.TwoFactorFailed, this.req, false, { mechanism: "backup_code", reason: "invalid_code" });
           throw new InvalidBackupCodeError();
@@ -1314,7 +1303,7 @@ var TwoFactorManager = class {
     }
     const backupCodesCount = this.config.twoFactor?.backupCodesCount || 10;
     const backupCodes = this.totpProvider.generateBackupCodes(backupCodesCount);
-    const hashedBackupCodes = this.totpProvider.hashBackupCodes(backupCodes);
+    const hashedBackupCodes = await this.totpProvider.hashBackupCodes(backupCodes);
     await this.queries.updateTwoFactorMethod(method.id, {
       backup_codes: hashedBackupCodes
     });
@@ -1382,6 +1371,7 @@ var TwoFactorManager = class {
 var auth_functions_exports = {};
 __export(auth_functions_exports, {
   addRoleForUserBy: () => addRoleForUserBy,
+  authenticateRequest: () => authenticateRequest,
   changePasswordForUserBy: () => changePasswordForUserBy,
   confirmResetPassword: () => confirmResetPassword,
   createUser: () => createUser,
@@ -1395,8 +1385,50 @@ __export(auth_functions_exports, {
   setStatusForUserBy: () => setStatusForUserBy,
   userExistsByEmail: () => userExistsByEmail
 });
-import { hash as hash3 } from "@prsm/hash";
+import hash3 from "@prsm/hash";
 import ms2 from "@prsm/ms";
+function parseCookies(cookieHeader) {
+  const cookies = {};
+  if (!cookieHeader) return cookies;
+  for (const pair of cookieHeader.split(";")) {
+    const idx = pair.indexOf("=");
+    if (idx === -1) continue;
+    const key = pair.slice(0, idx).trim();
+    const value = pair.slice(idx + 1).trim();
+    if (key) cookies[key] = decodeURIComponent(value);
+  }
+  return cookies;
+}
+async function authenticateRequest(config, req, sessionMiddleware) {
+  const queries = new AuthQueries(config);
+  if (sessionMiddleware) {
+    await new Promise((resolve) => {
+      sessionMiddleware(req, {}, resolve);
+    });
+  }
+  const session = req.session;
+  if (session?.auth?.loggedIn && session.auth.accountId) {
+    const account2 = await queries.findAccountById(session.auth.accountId);
+    if (account2 && account2.status === AuthStatus.Normal) {
+      return { account: account2, source: "session" };
+    }
+  }
+  const cookies = parseCookies(req.headers.cookie || "");
+  const cookieName = config.rememberCookieName || "remember_token";
+  const token = cookies[cookieName];
+  if (!token) {
+    return { account: null, source: null };
+  }
+  const remember = await queries.findRememberToken(token);
+  if (!remember || /* @__PURE__ */ new Date() > remember.expires) {
+    return { account: null, source: null };
+  }
+  const account = await queries.findAccountById(remember.account_id);
+  if (!account || account.status !== AuthStatus.Normal) {
+    return { account: null, source: null };
+  }
+  return { account, source: "remember" };
+}
 function validatePassword(password, config) {
   const minLength = config.minPasswordLength || 8;
   const maxLength = config.maxPasswordLength || 64;
@@ -1424,7 +1456,7 @@ async function findAccountByIdentifier(queries, identifier) {
   return null;
 }
 async function createConfirmationToken(queries, account, email, callback) {
-  const token = hash3.encode(email);
+  const token = await hash3.encode(email);
   const expires = new Date(Date.now() + 1e3 * 60 * 60 * 24 * 7);
   await queries.createConfirmation({
     accountId: account.id,
@@ -1445,7 +1477,7 @@ async function createUser(config, credentials, userId, callback) {
     throw new EmailTakenError();
   }
   const finalUserId = userId || generateAutoUserId();
-  const hashedPassword = hash3.encode(credentials.password);
+  const hashedPassword = await hash3.encode(credentials.password);
   const verified = typeof callback !== "function";
   const account = await queries.createAccount({
     userId: finalUserId,
@@ -1469,7 +1501,7 @@ async function register(config, email, password, userId, callback) {
     throw new EmailTakenError();
   }
   const finalUserId = userId || generateAutoUserId();
-  const hashedPassword = hash3.encode(password);
+  const hashedPassword = await hash3.encode(password);
   const verified = typeof callback !== "function";
   const account = await queries.createAccount({
     userId: finalUserId,
@@ -1526,7 +1558,7 @@ async function changePasswordForUserBy(config, identifier, password) {
     throw new UserNotFoundError();
   }
   await queries.updateAccount(account.id, {
-    password: hash3.encode(password)
+    password: await hash3.encode(password)
   });
 }
 async function setStatusForUserBy(config, identifier, status) {
@@ -1547,7 +1579,7 @@ async function initiatePasswordResetForUserBy(config, identifier, expiresAfter =
     throw new EmailNotVerifiedError();
   }
   const expiry = !expiresAfter ? ms2("6h") : ms2(expiresAfter);
-  const token = hash3.encode(account.email);
+  const token = await hash3.encode(account.email);
   const expires = new Date(Date.now() + expiry);
   await queries.createResetToken({
     accountId: account.id,
@@ -1574,7 +1606,7 @@ async function resetPassword(config, email, expiresAfter = null, maxOpenRequests
   if (openRequests >= maxRequests) {
     throw new TooManyResetsError();
   }
-  const token = hash3.encode(email);
+  const token = await hash3.encode(email);
   const expires = new Date(Date.now() + expiry);
   await queries.createResetToken({
     accountId: account.id,
@@ -1602,11 +1634,11 @@ async function confirmResetPassword(config, token, password) {
     throw new ResetDisabledError();
   }
   validatePassword(password, config);
-  if (!hash3.verify(token, account.email)) {
+  if (!await hash3.verify(token, account.email)) {
     throw new InvalidTokenError();
   }
   await queries.updateAccount(account.id, {
-    password: hash3.encode(password)
+    password: await hash3.encode(password)
   });
   await queries.deleteResetToken(token);
   return { accountId: account.id, email: account.email };
@@ -1676,7 +1708,7 @@ var AuthManager = class {
     }
   }
   getRoleMap() {
-    return createMapFromEnum(AuthRole);
+    return createMapFromEnum(this.config.roles || AuthRole);
   }
   getStatusMap() {
     return createMapFromEnum(AuthStatus);
@@ -1827,7 +1859,7 @@ var AuthManager = class {
     });
   }
   async createRememberDirective(account) {
-    const token = hash4.encode(account.email);
+    const token = await hash4.encode(account.email);
     const duration = this.config.rememberDuration || "30d";
     const expires = new Date(Date.now() + ms3(duration));
     await this.queries.createRememberToken({
@@ -1865,7 +1897,7 @@ var AuthManager = class {
         await this.activityLogger.logActivity(null, AuthActivityAction.FailedLogin, this.req, false, { email, reason: "account_not_found" });
         throw new UserNotFoundError();
       }
-      if (!account.password || !hash4.verify(account.password, password)) {
+      if (!account.password || !await hash4.verify(account.password, password)) {
         await this.activityLogger.logActivity(account.id, AuthActivityAction.FailedLogin, this.req, false, { email, reason: "invalid_password" });
         throw new InvalidPasswordError();
       }
@@ -1978,7 +2010,7 @@ var AuthManager = class {
       throw new EmailTakenError();
     }
     const finalUserId = userId || this.generateAutoUserId();
-    const hashedPassword = hash4.encode(password);
+    const hashedPassword = await hash4.encode(password);
     const verified = typeof callback !== "function";
     const account = await this.queries.createAccount({
       userId: finalUserId,
@@ -1995,7 +2027,7 @@ var AuthManager = class {
     return account;
   }
   async createConfirmationToken(account, email, callback) {
-    const token = hash4.encode(email);
+    const token = await hash4.encode(email);
     const expires = new Date(Date.now() + 1e3 * 60 * 60 * 24 * 7);
     await this.queries.createConfirmation({
       accountId: account.id,
@@ -2137,7 +2169,7 @@ var AuthManager = class {
     if (new Date(confirmation.expires) < /* @__PURE__ */ new Date()) {
       throw new ConfirmationExpiredError();
     }
-    if (!hash4.verify(token, confirmation.email)) {
+    if (!await hash4.verify(token, confirmation.email)) {
       throw new InvalidTokenError();
     }
     await this.queries.updateAccount(confirmation.account_id, {
@@ -2235,7 +2267,7 @@ var AuthManager = class {
     if (openRequests >= maxRequests) {
       throw new TooManyResetsError();
     }
-    const token = hash4.encode(email);
+    const token = await hash4.encode(email);
     const expires = new Date(Date.now() + expiry);
     await this.queries.createResetToken({
       accountId: account.id,
@@ -2277,11 +2309,11 @@ var AuthManager = class {
       throw new ResetDisabledError();
     }
     this.validatePassword(password);
-    if (!hash4.verify(token, account.email)) {
+    if (!await hash4.verify(token, account.email)) {
       throw new InvalidTokenError();
     }
     await this.queries.updateAccount(account.id, {
-      password: hash4.encode(password)
+      password: await hash4.encode(password)
     });
     if (logout) {
       await this.forceLogoutForAccountById(account.id);
@@ -2309,7 +2341,7 @@ var AuthManager = class {
     if (!account.password) {
       return false;
     }
-    return hash4.verify(account.password, password);
+    return await hash4.verify(account.password, password);
   }
   async forceLogoutForAccountById(accountId) {
     await this.queries.deleteRememberTokensForAccount(accountId);
@@ -2641,6 +2673,26 @@ function createAuthContext(config) {
 }
 // src/user-roles.ts
+var MAX_ROLES = 31;
+function defineRoles(...names) {
+  if (names.length > MAX_ROLES) {
+    throw new Error(`Cannot define more than ${MAX_ROLES} roles (postgres INTEGER is 32-bit signed)`);
+  }
+  if (names.length === 0) {
+    throw new Error("At least one role name is required");
+  }
+  const seen = /* @__PURE__ */ new Set();
+  const roles = {};
+  for (let i = 0; i < names.length; i++) {
+    const name = names[i];
+    if (seen.has(name)) {
+      throw new Error(`Duplicate role name: ${name}`);
+    }
+    seen.add(name);
+    roles[name] = 1 << i;
+  }
+  return Object.freeze(roles);
+}
 async function findAccountByIdentifier2(queries, identifier) {
   let account = null;
   if (identifier.accountId !== void 0) {
@@ -2715,6 +2767,7 @@ export {
   addRoleForUserBy,
   addRoleToUser,
   auth_functions_exports as authFunctions,
+  authenticateRequest,
   changePasswordForUserBy,
   cleanupExpiredTokens,
   confirmResetPassword,
@@ -2722,6 +2775,7 @@ export {
   createAuthMiddleware,
   createAuthTables,
   createUser,
+  defineRoles,
   deleteUserBy,
   dropAuthTables,
   forceLogoutForUserBy,