@eaccess/auth 0.1.3 → 0.1.5

package/dist/index.cjs

@@ -65,10 +65,11 @@ __export(index_exports, {
   UserNotFoundError: () => UserNotFoundError,
   UserNotLoggedInError: () => UserNotLoggedInError,
   addRoleToUser: () => addRoleToUser,
+  authFunctions: () => auth_functions_exports,
   cleanupExpiredTokens: () => cleanupExpiredTokens,
+  createAuthContext: () => createAuthContext,
   createAuthMiddleware: () => createAuthMiddleware,
   createAuthTables: () => createAuthTables,
-  createUser: () => createUser,
   dropAuthTables: () => dropAuthTables,
   getAuthTableStats: () => getAuthTableStats,
   getUserRoles: () => getUserRoles,
@@ -79,9 +80,71 @@ __export(index_exports, {
 });
 module.exports = __toCommonJS(index_exports);
 
-// src/auth-admin-manager.ts
-var import_hash2 = require("@prsm/hash");
-var import_ms = __toESM(require("@prsm/ms"), 1);
+// src/auth-manager.ts
+var import_hash4 = require("@prsm/hash");
+var import_ms3 = __toESM(require("@prsm/ms"), 1);
+
+// src/types.ts
+var import_express_session = require("express-session");
+var TwoFactorMechanism = /* @__PURE__ */ ((TwoFactorMechanism2) => {
+  TwoFactorMechanism2[TwoFactorMechanism2["TOTP"] = 1] = "TOTP";
+  TwoFactorMechanism2[TwoFactorMechanism2["EMAIL"] = 2] = "EMAIL";
+  TwoFactorMechanism2[TwoFactorMechanism2["SMS"] = 3] = "SMS";
+  return TwoFactorMechanism2;
+})(TwoFactorMechanism || {});
+var AuthStatus = {
+  Normal: 0,
+  Archived: 1,
+  Banned: 2,
+  Locked: 3,
+  PendingReview: 4,
+  Suspended: 5
+};
+var AuthRole = {
+  Admin: 1,
+  Author: 2,
+  Collaborator: 4,
+  Consultant: 8,
+  Consumer: 16,
+  Contributor: 32,
+  Coordinator: 64,
+  Creator: 128,
+  Developer: 256,
+  Director: 512,
+  Editor: 1024,
+  Employee: 2048,
+  Maintainer: 4096,
+  Manager: 8192,
+  Moderator: 16384,
+  Publisher: 32768,
+  Reviewer: 65536,
+  Subscriber: 131072,
+  SuperAdmin: 262144,
+  SuperEditor: 524288,
+  SuperModerator: 1048576,
+  Translator: 2097152
+};
+var AuthActivityAction = {
+  Login: "login",
+  Logout: "logout",
+  FailedLogin: "failed_login",
+  Register: "register",
+  EmailConfirmed: "email_confirmed",
+  PasswordResetRequested: "password_reset_requested",
+  PasswordResetCompleted: "password_reset_completed",
+  PasswordChanged: "password_changed",
+  EmailChanged: "email_changed",
+  RoleChanged: "role_changed",
+  StatusChanged: "status_changed",
+  ForceLogout: "force_logout",
+  OAuthConnected: "oauth_connected",
+  RememberTokenCreated: "remember_token_created",
+  TwoFactorSetup: "two_factor_setup",
+  TwoFactorVerified: "two_factor_verified",
+  TwoFactorFailed: "two_factor_failed",
+  TwoFactorDisabled: "two_factor_disabled",
+  BackupCodeUsed: "backup_code_used"
+};
 
 // src/queries.ts
 var AuthQueries = class {
@@ -345,6 +408,158 @@ var AuthQueries = class {
   }
 };
 
+// src/activity-logger.ts
+var import_bowser = __toESM(require("bowser"), 1);
+var ActivityLogger = class {
+  constructor(config) {
+    this.config = config;
+    this.enabled = config.activityLog?.enabled !== false;
+    this.maxEntries = config.activityLog?.maxEntries || 1e4;
+    this.allowedActions = config.activityLog?.actions || null;
+    this.tablePrefix = config.tablePrefix || "user_";
+  }
+  get activityTable() {
+    return `${this.tablePrefix}activity_log`;
+  }
+  parseUserAgent(userAgent) {
+    if (!userAgent) {
+      return { browser: null, os: null, device: null };
+    }
+    try {
+      const browser = import_bowser.default.getParser(userAgent);
+      const result = browser.getResult();
+      return {
+        browser: result.browser.name || null,
+        os: result.os.name || null,
+        device: result.platform.type || "desktop"
+      };
+    } catch (error) {
+      return this.parseUserAgentSimple(userAgent);
+    }
+  }
+  parseUserAgentSimple(userAgent) {
+    let browser = null;
+    if (userAgent.includes("Chrome")) browser = "Chrome";
+    else if (userAgent.includes("Firefox")) browser = "Firefox";
+    else if (userAgent.includes("Safari")) browser = "Safari";
+    else if (userAgent.includes("Edge")) browser = "Edge";
+    let os = null;
+    if (userAgent.includes("Windows")) os = "Windows";
+    else if (userAgent.includes("Mac OS")) os = "macOS";
+    else if (userAgent.includes("Linux")) os = "Linux";
+    else if (userAgent.includes("Android")) os = "Android";
+    else if (userAgent.includes("iOS")) os = "iOS";
+    let device = "desktop";
+    if (userAgent.includes("Mobile")) device = "mobile";
+    else if (userAgent.includes("Tablet")) device = "tablet";
+    return { browser, os, device };
+  }
+  getIpAddress(req) {
+    return req.ip || req.connection?.remoteAddress || req.socket?.remoteAddress || req.connection?.socket?.remoteAddress || null;
+  }
+  async logActivity(accountId, action, req, success = true, metadata = {}) {
+    if (!this.enabled) return;
+    if (this.allowedActions && !this.allowedActions.includes(action)) {
+      return;
+    }
+    const userAgent = (typeof req.get === "function" ? req.get("User-Agent") : req.headers?.["user-agent"]) || null;
+    const ip = this.getIpAddress(req);
+    const parsed = this.parseUserAgent(userAgent);
+    try {
+      await this.config.db.query(
+        `
+        INSERT INTO ${this.activityTable} 
+        (account_id, action, ip_address, user_agent, browser, os, device, success, metadata)
+        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
+        `,
+        [accountId, action, ip, userAgent, parsed.browser, parsed.os, parsed.device, success, Object.keys(metadata).length > 0 ? JSON.stringify(metadata) : null]
+      );
+      if (Math.random() < 0.01) {
+        await this.cleanup();
+      }
+    } catch (error) {
+      console.error("ActivityLogger: Failed to log activity:", error);
+    }
+  }
+  async cleanup() {
+    if (!this.enabled) return;
+    try {
+      await this.config.db.query(
+        `
+        DELETE FROM ${this.activityTable} 
+        WHERE id NOT IN (
+          SELECT id FROM ${this.activityTable} 
+          ORDER BY created_at DESC 
+          LIMIT $1
+        )
+        `,
+        [this.maxEntries]
+      );
+    } catch (error) {
+      console.error("ActivityLogger: Failed to cleanup old entries:", error);
+    }
+  }
+  async getRecentActivity(limit = 100, accountId) {
+    if (!this.enabled) return [];
+    try {
+      let sql = `
+        SELECT 
+          al.*,
+          a.email 
+        FROM ${this.activityTable} al
+        LEFT JOIN ${this.tablePrefix}accounts a ON al.account_id = a.id
+      `;
+      const params = [];
+      if (accountId !== void 0) {
+        sql += " WHERE al.account_id = $1";
+        params.push(accountId);
+      }
+      sql += ` ORDER BY al.created_at DESC LIMIT $${params.length + 1}`;
+      params.push(Math.min(limit, 1e3));
+      const result = await this.config.db.query(sql, params);
+      return result.rows.map((row) => ({
+        ...row,
+        metadata: row.metadata ? JSON.parse(row.metadata) : null
+      }));
+    } catch (error) {
+      console.error("ActivityLogger: Failed to get recent activity:", error);
+      return [];
+    }
+  }
+  async getActivityStats() {
+    if (!this.enabled) {
+      return {
+        totalEntries: 0,
+        uniqueUsers: 0,
+        recentLogins: 0,
+        failedAttempts: 0
+      };
+    }
+    try {
+      const [total, unique, recent, failed] = await Promise.all([
+        this.config.db.query(`SELECT COUNT(*) as count FROM ${this.activityTable}`),
+        this.config.db.query(`SELECT COUNT(DISTINCT account_id) as count FROM ${this.activityTable} WHERE account_id IS NOT NULL`),
+        this.config.db.query(`SELECT COUNT(*) as count FROM ${this.activityTable} WHERE action = 'login' AND created_at > NOW() - INTERVAL '24 hours'`),
+        this.config.db.query(`SELECT COUNT(*) as count FROM ${this.activityTable} WHERE success = false AND created_at > NOW() - INTERVAL '24 hours'`)
+      ]);
+      return {
+        totalEntries: parseInt(total.rows[0]?.count || "0"),
+        uniqueUsers: parseInt(unique.rows[0]?.count || "0"),
+        recentLogins: parseInt(recent.rows[0]?.count || "0"),
+        failedAttempts: parseInt(failed.rows[0]?.count || "0")
+      };
+    } catch (error) {
+      console.error("ActivityLogger: Failed to get activity stats:", error);
+      return {
+        totalEntries: 0,
+        uniqueUsers: 0,
+        recentLogins: 0,
+        failedAttempts: 0
+      };
+    }
+  }
+};
+
 // src/errors.ts
 var AuthError = class extends Error {
   constructor(message) {
@@ -459,9 +674,6 @@ var TwoFactorSetupIncompleteError = class extends AuthError {
   }
 };
 
-// src/create-user.ts
-var import_hash = require("@prsm/hash");
-
 // src/util.ts
 var isValidEmail = (email) => {
   const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
@@ -472,502 +684,13 @@ var validateEmail = (email) => {
     throw new InvalidEmailError();
   }
   if (!email.trim()) {
-    throw new InvalidEmailError();
-  }
-  if (!isValidEmail(email)) {
-    throw new InvalidEmailError();
-  }
-};
-var createMapFromEnum = (enumObj) => Object.fromEntries(Object.entries(enumObj).map(([key, value]) => [value, key]));
-
-// src/types.ts
-var import_express_session = require("express-session");
-var TwoFactorMechanism = /* @__PURE__ */ ((TwoFactorMechanism2) => {
-  TwoFactorMechanism2[TwoFactorMechanism2["TOTP"] = 1] = "TOTP";
-  TwoFactorMechanism2[TwoFactorMechanism2["EMAIL"] = 2] = "EMAIL";
-  TwoFactorMechanism2[TwoFactorMechanism2["SMS"] = 3] = "SMS";
-  return TwoFactorMechanism2;
-})(TwoFactorMechanism || {});
-var AuthStatus = {
-  Normal: 0,
-  Archived: 1,
-  Banned: 2,
-  Locked: 3,
-  PendingReview: 4,
-  Suspended: 5
-};
-var AuthRole = {
-  Admin: 1,
-  Author: 2,
-  Collaborator: 4,
-  Consultant: 8,
-  Consumer: 16,
-  Contributor: 32,
-  Coordinator: 64,
-  Creator: 128,
-  Developer: 256,
-  Director: 512,
-  Editor: 1024,
-  Employee: 2048,
-  Maintainer: 4096,
-  Manager: 8192,
-  Moderator: 16384,
-  Publisher: 32768,
-  Reviewer: 65536,
-  Subscriber: 131072,
-  SuperAdmin: 262144,
-  SuperEditor: 524288,
-  SuperModerator: 1048576,
-  Translator: 2097152
-};
-var AuthActivityAction = {
-  Login: "login",
-  Logout: "logout",
-  FailedLogin: "failed_login",
-  Register: "register",
-  EmailConfirmed: "email_confirmed",
-  PasswordResetRequested: "password_reset_requested",
-  PasswordResetCompleted: "password_reset_completed",
-  PasswordChanged: "password_changed",
-  EmailChanged: "email_changed",
-  RoleChanged: "role_changed",
-  StatusChanged: "status_changed",
-  ForceLogout: "force_logout",
-  OAuthConnected: "oauth_connected",
-  RememberTokenCreated: "remember_token_created",
-  TwoFactorSetup: "two_factor_setup",
-  TwoFactorVerified: "two_factor_verified",
-  TwoFactorFailed: "two_factor_failed",
-  TwoFactorDisabled: "two_factor_disabled",
-  BackupCodeUsed: "backup_code_used"
-};
-
-// src/create-user.ts
-function validatePassword(password, config) {
-  const minLength = config.minPasswordLength || 8;
-  const maxLength = config.maxPasswordLength || 64;
-  if (typeof password !== "string") {
-    throw new InvalidPasswordError();
-  }
-  if (password.length < minLength) {
-    throw new InvalidPasswordError();
-  }
-  if (password.length > maxLength) {
-    throw new InvalidPasswordError();
-  }
-}
-function generateAutoUserId() {
-  return crypto.randomUUID();
-}
-async function createConfirmationToken(queries, account, email, callback) {
-  const token = import_hash.hash.encode(email);
-  const expires = new Date(Date.now() + 1e3 * 60 * 60 * 24 * 7);
-  await queries.createConfirmation({
-    accountId: account.id,
-    token,
-    email,
-    expires
-  });
-  if (callback) {
-    callback(token);
-  }
-}
-async function createUser(config, credentials, userId, callback) {
-  validateEmail(credentials.email);
-  validatePassword(credentials.password, config);
-  const queries = new AuthQueries(config);
-  const existing = await queries.findAccountByEmail(credentials.email);
-  if (existing) {
-    throw new EmailTakenError();
-  }
-  const finalUserId = userId || generateAutoUserId();
-  const hashedPassword = import_hash.hash.encode(credentials.password);
-  const verified = typeof callback !== "function";
-  const account = await queries.createAccount({
-    userId: finalUserId,
-    email: credentials.email,
-    password: hashedPassword,
-    verified,
-    status: AuthStatus.Normal,
-    rolemask: 0
-  });
-  if (!verified && callback) {
-    await createConfirmationToken(queries, account, credentials.email, callback);
-  }
-  return account;
-}
-
-// src/auth-admin-manager.ts
-var AuthAdminManager = class {
-  constructor(req, res, config, auth) {
-    this.req = req;
-    this.res = res;
-    this.config = config;
-    this.queries = new AuthQueries(config);
-    this.auth = auth;
-  }
-  validatePassword(password) {
-    const minLength = this.config.minPasswordLength || 8;
-    const maxLength = this.config.maxPasswordLength || 64;
-    if (typeof password !== "string") {
-      throw new InvalidPasswordError();
-    }
-    if (password.length < minLength) {
-      throw new InvalidPasswordError();
-    }
-    if (password.length > maxLength) {
-      throw new InvalidPasswordError();
-    }
-  }
-  async findAccountByIdentifier(identifier) {
-    if (identifier.accountId !== void 0) {
-      return await this.queries.findAccountById(identifier.accountId);
-    } else if (identifier.email !== void 0) {
-      return await this.queries.findAccountByEmail(identifier.email);
-    } else if (identifier.userId !== void 0) {
-      return await this.queries.findAccountByUserId(identifier.userId);
-    }
-    return null;
-  }
-  async createConfirmationToken(account, email, callback) {
-    const token = import_hash2.hash.encode(email);
-    const expires = new Date(Date.now() + 1e3 * 60 * 60 * 24 * 7);
-    await this.queries.createConfirmation({
-      accountId: account.id,
-      token,
-      email,
-      expires
-    });
-    if (callback) {
-      callback(token);
-    }
-  }
-  /**
-   * Create a new user account (admin function).
-   *
-   * @param credentials - Email and password for new account
-   * @param userId - Optional user ID to link this auth account to. If not provided, a UUID will be generated automatically.
-   * @param callback - If provided, account is created unverified and callback receives confirmation token. Create a URL like /confirm/{token} and call confirmEmail() in that handler. If omitted, account is immediately verified.
-   * @returns The created account record
-   * @throws {EmailTakenError} Email is already registered
-   * @throws {InvalidPasswordError} Password doesn't meet length requirements
-   */
-  async createUser(credentials, userId, callback) {
-    return createUser(this.config, credentials, userId, callback);
-  }
-  /**
-   * Log in as another user (admin function).
-   * Creates a new session as the target user without requiring their password.
-   *
-   * @param identifier - Find user by accountId, email, or userId
-   * @throws {UserNotFoundError} No account matches the identifier
-   */
-  async loginAsUserBy(identifier) {
-    const account = await this.findAccountByIdentifier(identifier);
-    if (!account) {
-      throw new UserNotFoundError();
-    }
-    await this.auth.onLoginSuccessful(account, false);
-  }
-  /**
-   * Delete a user account and all associated data (admin function).
-   * Removes account, confirmations, remember tokens, and reset tokens.
-   *
-   * @param identifier - Find user by accountId, email, or userId
-   * @throws {UserNotFoundError} No account matches the identifier
-   */
-  async deleteUserBy(identifier) {
-    const account = await this.findAccountByIdentifier(identifier);
-    if (!account) {
-      throw new UserNotFoundError();
-    }
-    await this.queries.deleteAccount(account.id);
-  }
-  /**
-   * Add a role to a user's account (admin function).
-   * Uses bitwise OR to add role to existing rolemask.
-   *
-   * @param identifier - Find user by accountId, email, or userId
-   * @param role - Role bitmask to add (e.g., AuthRole.Admin)
-   * @throws {UserNotFoundError} No account matches the identifier
-   */
-  async addRoleForUserBy(identifier, role) {
-    const account = await this.findAccountByIdentifier(identifier);
-    if (!account) {
-      throw new UserNotFoundError();
-    }
-    const rolemask = account.rolemask | role;
-    await this.queries.updateAccount(account.id, { rolemask });
-  }
-  /**
-   * Remove a role from a user's account (admin function).
-   * Uses bitwise operations to remove role from rolemask.
-   *
-   * @param identifier - Find user by accountId, email, or userId
-   * @param role - Role bitmask to remove (e.g., AuthRole.Admin)
-   * @throws {UserNotFoundError} No account matches the identifier
-   */
-  async removeRoleForUserBy(identifier, role) {
-    const account = await this.findAccountByIdentifier(identifier);
-    if (!account) {
-      throw new UserNotFoundError();
-    }
-    const rolemask = account.rolemask & ~role;
-    await this.queries.updateAccount(account.id, { rolemask });
-  }
-  /**
-   * Check if a user has a specific role (admin function).
-   *
-   * @param identifier - Find user by accountId, email, or userId
-   * @param role - Role bitmask to check (e.g., AuthRole.Admin)
-   * @returns true if user has the role, false otherwise
-   * @throws {UserNotFoundError} No account matches the identifier
-   */
-  async hasRoleForUserBy(identifier, role) {
-    const account = await this.findAccountByIdentifier(identifier);
-    if (!account) {
-      throw new UserNotFoundError();
-    }
-    return (account.rolemask & role) === role;
-  }
-  /**
-   * Change a user's password (admin function).
-   * Does not require knowing the current password.
-   *
-   * @param identifier - Find user by accountId, email, or userId
-   * @param password - New password (will be hashed)
-   * @throws {UserNotFoundError} No account matches the identifier
-   * @throws {InvalidPasswordError} New password doesn't meet requirements
-   */
-  async changePasswordForUserBy(identifier, password) {
-    this.validatePassword(password);
-    const account = await this.findAccountByIdentifier(identifier);
-    if (!account) {
-      throw new UserNotFoundError();
-    }
-    await this.queries.updateAccount(account.id, {
-      password: import_hash2.hash.encode(password)
-    });
-  }
-  /**
-   * Change a user's account status (admin function).
-   *
-   * @param identifier - Find user by accountId, email, or userId
-   * @param status - New status (0=Normal, 1=Archived, 2=Banned, 3=Locked, etc.)
-   * @throws {UserNotFoundError} No account matches the identifier
-   */
-  async setStatusForUserBy(identifier, status) {
-    const account = await this.findAccountByIdentifier(identifier);
-    if (!account) {
-      throw new UserNotFoundError();
-    }
-    await this.queries.updateAccount(account.id, { status });
-  }
-  /**
-   * Initiate password reset for a user (admin function).
-   * Creates a reset token without rate limiting.
-   *
-   * @param identifier - Find user by accountId, email, or userId
-   * @param expiresAfter - Token expiration (default: 6h). Accepts ms format like '1h', '30m'
-   * @param callback - Called with reset token. Create a URL like /reset/{token} and call confirmResetPassword() in that handler
-   * @throws {UserNotFoundError} No account matches the identifier
-   * @throws {EmailNotVerifiedError} Account exists but email is not verified
-   */
-  async initiatePasswordResetForUserBy(identifier, expiresAfter = null, callback) {
-    const account = await this.findAccountByIdentifier(identifier);
-    if (!account) {
-      throw new UserNotFoundError();
-    }
-    if (!account.verified) {
-      throw new EmailNotVerifiedError();
-    }
-    const expiry = !expiresAfter ? (0, import_ms.default)("6h") : (0, import_ms.default)(expiresAfter);
-    const token = import_hash2.hash.encode(account.email);
-    const expires = new Date(Date.now() + expiry);
-    await this.queries.createResetToken({
-      accountId: account.id,
-      token,
-      expires
-    });
-    if (callback) {
-      callback(token);
-    }
-  }
-  /**
-   * Force logout all sessions for a specific user (admin function).
-   * Increments force_logout counter and deletes all remember tokens.
-   * If target user is currently logged in, marks their session for logout.
-   *
-   * @param identifier - Find user by accountId, email, or userId
-   * @throws {UserNotFoundError} No account matches the identifier
-   */
-  async forceLogoutForUserBy(identifier) {
-    const account = await this.findAccountByIdentifier(identifier);
-    if (!account) {
-      throw new UserNotFoundError();
-    }
-    await this.queries.incrementForceLogout(account.id);
-    if (this.auth.getId() === account.id) {
-      this.req.session.auth.shouldForceLogout = true;
-    }
-  }
-};
-
-// src/auth-manager.ts
-var import_hash5 = require("@prsm/hash");
-var import_ms3 = __toESM(require("@prsm/ms"), 1);
-
-// src/activity-logger.ts
-var import_bowser = __toESM(require("bowser"), 1);
-var ActivityLogger = class {
-  constructor(config) {
-    this.config = config;
-    this.enabled = config.activityLog?.enabled !== false;
-    this.maxEntries = config.activityLog?.maxEntries || 1e4;
-    this.allowedActions = config.activityLog?.actions || null;
-    this.tablePrefix = config.tablePrefix || "user_";
-  }
-  get activityTable() {
-    return `${this.tablePrefix}activity_log`;
-  }
-  parseUserAgent(userAgent) {
-    if (!userAgent) {
-      return { browser: null, os: null, device: null };
-    }
-    try {
-      const browser = import_bowser.default.getParser(userAgent);
-      const result = browser.getResult();
-      return {
-        browser: result.browser.name || null,
-        os: result.os.name || null,
-        device: result.platform.type || "desktop"
-      };
-    } catch (error) {
-      return this.parseUserAgentSimple(userAgent);
-    }
-  }
-  parseUserAgentSimple(userAgent) {
-    let browser = null;
-    if (userAgent.includes("Chrome")) browser = "Chrome";
-    else if (userAgent.includes("Firefox")) browser = "Firefox";
-    else if (userAgent.includes("Safari")) browser = "Safari";
-    else if (userAgent.includes("Edge")) browser = "Edge";
-    let os = null;
-    if (userAgent.includes("Windows")) os = "Windows";
-    else if (userAgent.includes("Mac OS")) os = "macOS";
-    else if (userAgent.includes("Linux")) os = "Linux";
-    else if (userAgent.includes("Android")) os = "Android";
-    else if (userAgent.includes("iOS")) os = "iOS";
-    let device = "desktop";
-    if (userAgent.includes("Mobile")) device = "mobile";
-    else if (userAgent.includes("Tablet")) device = "tablet";
-    return { browser, os, device };
-  }
-  getIpAddress(req) {
-    return req.ip || req.connection?.remoteAddress || req.socket?.remoteAddress || req.connection?.socket?.remoteAddress || null;
-  }
-  async logActivity(accountId, action, req, success = true, metadata = {}) {
-    if (!this.enabled) return;
-    if (this.allowedActions && !this.allowedActions.includes(action)) {
-      return;
-    }
-    const userAgent = (typeof req.get === "function" ? req.get("User-Agent") : req.headers?.["user-agent"]) || null;
-    const ip = this.getIpAddress(req);
-    const parsed = this.parseUserAgent(userAgent);
-    try {
-      await this.config.db.query(
-        `
-        INSERT INTO ${this.activityTable} 
-        (account_id, action, ip_address, user_agent, browser, os, device, success, metadata)
-        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
-        `,
-        [accountId, action, ip, userAgent, parsed.browser, parsed.os, parsed.device, success, Object.keys(metadata).length > 0 ? JSON.stringify(metadata) : null]
-      );
-      if (Math.random() < 0.01) {
-        await this.cleanup();
-      }
-    } catch (error) {
-      console.error("ActivityLogger: Failed to log activity:", error);
-    }
-  }
-  async cleanup() {
-    if (!this.enabled) return;
-    try {
-      await this.config.db.query(
-        `
-        DELETE FROM ${this.activityTable} 
-        WHERE id NOT IN (
-          SELECT id FROM ${this.activityTable} 
-          ORDER BY created_at DESC 
-          LIMIT $1
-        )
-        `,
-        [this.maxEntries]
-      );
-    } catch (error) {
-      console.error("ActivityLogger: Failed to cleanup old entries:", error);
-    }
-  }
-  async getRecentActivity(limit = 100, accountId) {
-    if (!this.enabled) return [];
-    try {
-      let sql = `
-        SELECT 
-          al.*,
-          a.email 
-        FROM ${this.activityTable} al
-        LEFT JOIN ${this.tablePrefix}accounts a ON al.account_id = a.id
-      `;
-      const params = [];
-      if (accountId !== void 0) {
-        sql += " WHERE al.account_id = $1";
-        params.push(accountId);
-      }
-      sql += ` ORDER BY al.created_at DESC LIMIT $${params.length + 1}`;
-      params.push(Math.min(limit, 1e3));
-      const result = await this.config.db.query(sql, params);
-      return result.rows.map((row) => ({
-        ...row,
-        metadata: row.metadata ? JSON.parse(row.metadata) : null
-      }));
-    } catch (error) {
-      console.error("ActivityLogger: Failed to get recent activity:", error);
-      return [];
-    }
+    throw new InvalidEmailError();
   }
-  async getActivityStats() {
-    if (!this.enabled) {
-      return {
-        totalEntries: 0,
-        uniqueUsers: 0,
-        recentLogins: 0,
-        failedAttempts: 0
-      };
-    }
-    try {
-      const [total, unique, recent, failed] = await Promise.all([
-        this.config.db.query(`SELECT COUNT(*) as count FROM ${this.activityTable}`),
-        this.config.db.query(`SELECT COUNT(DISTINCT account_id) as count FROM ${this.activityTable} WHERE account_id IS NOT NULL`),
-        this.config.db.query(`SELECT COUNT(*) as count FROM ${this.activityTable} WHERE action = 'login' AND created_at > NOW() - INTERVAL '24 hours'`),
-        this.config.db.query(`SELECT COUNT(*) as count FROM ${this.activityTable} WHERE success = false AND created_at > NOW() - INTERVAL '24 hours'`)
-      ]);
-      return {
-        totalEntries: parseInt(total.rows[0]?.count || "0"),
-        uniqueUsers: parseInt(unique.rows[0]?.count || "0"),
-        recentLogins: parseInt(recent.rows[0]?.count || "0"),
-        failedAttempts: parseInt(failed.rows[0]?.count || "0")
-      };
-    } catch (error) {
-      console.error("ActivityLogger: Failed to get activity stats:", error);
-      return {
-        totalEntries: 0,
-        uniqueUsers: 0,
-        recentLogins: 0,
-        failedAttempts: 0
-      };
-    }
+  if (!isValidEmail(email)) {
+    throw new InvalidEmailError();
   }
 };
+var createMapFromEnum = (enumObj) => Object.fromEntries(Object.entries(enumObj).map(([key, value]) => [value, key]));
 
 // src/providers/base-provider.ts
 var BaseOAuthProvider = class {
@@ -1212,7 +935,7 @@ var AzureProvider = class extends BaseOAuthProvider {
 
 // src/two-factor/totp-provider.ts
 var import_totp = __toESM(require("@eaccess/totp"), 1);
-var import_hash3 = require("@prsm/hash");
+var import_hash = require("@prsm/hash");
 var TotpProvider = class {
   constructor(config) {
     this.config = config;
@@ -1241,11 +964,11 @@ var TotpProvider = class {
     return codes;
   }
   hashBackupCodes(codes) {
-    return codes.map((code) => import_hash3.hash.encode(code));
+    return codes.map((code) => import_hash.hash.encode(code));
   }
   verifyBackupCode(hashedCodes, inputCode) {
     for (let i = 0; i < hashedCodes.length; i++) {
-      if (import_hash3.hash.verify(hashedCodes[i], inputCode.toUpperCase())) {
+      if (import_hash.hash.verify(hashedCodes[i], inputCode.toUpperCase())) {
         return { isValid: true, index: i };
       }
     }
@@ -1261,8 +984,8 @@ var TotpProvider = class {
 };
 
 // src/two-factor/otp-provider.ts
-var import_ms2 = __toESM(require("@prsm/ms"), 1);
-var import_hash4 = require("@prsm/hash");
+var import_ms = __toESM(require("@prsm/ms"), 1);
+var import_hash2 = require("@prsm/hash");
 var OtpProvider = class {
   constructor(config) {
     this.config = config;
@@ -1287,9 +1010,9 @@ var OtpProvider = class {
   async createAndStoreOTP(accountId, mechanism) {
     const otp = this.generateOTP();
     const selector = this.generateSelector();
-    const tokenHash = import_hash4.hash.encode(otp);
+    const tokenHash = import_hash2.hash.encode(otp);
     const expiryDuration = this.config.twoFactor?.tokenExpiry || "5m";
-    const expiresAt = new Date(Date.now() + (0, import_ms2.default)(expiryDuration));
+    const expiresAt = new Date(Date.now() + (0, import_ms.default)(expiryDuration));
     await this.queries.deleteTwoFactorTokensByAccountAndMechanism(accountId, mechanism);
     await this.queries.createTwoFactorToken({
       accountId,
@@ -1309,7 +1032,7 @@ var OtpProvider = class {
       await this.queries.deleteTwoFactorToken(token.id);
       return { isValid: false };
     }
-    const isValid = import_hash4.hash.verify(token.token_hash, inputCode);
+    const isValid = import_hash2.hash.verify(token.token_hash, inputCode);
     if (isValid) {
       await this.queries.deleteTwoFactorToken(token.id);
       return { isValid: true, token };
@@ -1707,6 +1430,248 @@ var TwoFactorManager = class {
   }
 };
 
+// src/auth-functions.ts
+var auth_functions_exports = {};
+__export(auth_functions_exports, {
+  addRoleForUserBy: () => addRoleForUserBy,
+  changePasswordForUserBy: () => changePasswordForUserBy,
+  confirmResetPassword: () => confirmResetPassword,
+  createUser: () => createUser,
+  deleteUserBy: () => deleteUserBy,
+  forceLogoutForUserBy: () => forceLogoutForUserBy,
+  hasRoleForUserBy: () => hasRoleForUserBy,
+  initiatePasswordResetForUserBy: () => initiatePasswordResetForUserBy,
+  register: () => register,
+  removeRoleForUserBy: () => removeRoleForUserBy,
+  resetPassword: () => resetPassword,
+  setStatusForUserBy: () => setStatusForUserBy
+});
+var import_hash3 = require("@prsm/hash");
+var import_ms2 = __toESM(require("@prsm/ms"), 1);
+function validatePassword(password, config) {
+  const minLength = config.minPasswordLength || 8;
+  const maxLength = config.maxPasswordLength || 64;
+  if (typeof password !== "string") {
+    throw new InvalidPasswordError();
+  }
+  if (password.length < minLength) {
+    throw new InvalidPasswordError();
+  }
+  if (password.length > maxLength) {
+    throw new InvalidPasswordError();
+  }
+}
+function generateAutoUserId() {
+  return crypto.randomUUID();
+}
+async function findAccountByIdentifier(queries, identifier) {
+  if (identifier.accountId !== void 0) {
+    return await queries.findAccountById(identifier.accountId);
+  } else if (identifier.email !== void 0) {
+    return await queries.findAccountByEmail(identifier.email);
+  } else if (identifier.userId !== void 0) {
+    return await queries.findAccountByUserId(identifier.userId);
+  }
+  return null;
+}
+async function createConfirmationToken(queries, account, email, callback) {
+  const token = import_hash3.hash.encode(email);
+  const expires = new Date(Date.now() + 1e3 * 60 * 60 * 24 * 7);
+  await queries.createConfirmation({
+    accountId: account.id,
+    token,
+    email,
+    expires
+  });
+  if (callback) {
+    callback(token);
+  }
+}
+async function createUser(config, credentials, userId, callback) {
+  validateEmail(credentials.email);
+  validatePassword(credentials.password, config);
+  const queries = new AuthQueries(config);
+  const existing = await queries.findAccountByEmail(credentials.email);
+  if (existing) {
+    throw new EmailTakenError();
+  }
+  const finalUserId = userId || generateAutoUserId();
+  const hashedPassword = import_hash3.hash.encode(credentials.password);
+  const verified = typeof callback !== "function";
+  const account = await queries.createAccount({
+    userId: finalUserId,
+    email: credentials.email,
+    password: hashedPassword,
+    verified,
+    status: AuthStatus.Normal,
+    rolemask: 0
+  });
+  if (!verified && callback) {
+    await createConfirmationToken(queries, account, credentials.email, callback);
+  }
+  return account;
+}
+async function register(config, email, password, userId, callback) {
+  validateEmail(email);
+  validatePassword(password, config);
+  const queries = new AuthQueries(config);
+  const existing = await queries.findAccountByEmail(email);
+  if (existing) {
+    throw new EmailTakenError();
+  }
+  const finalUserId = userId || generateAutoUserId();
+  const hashedPassword = import_hash3.hash.encode(password);
+  const verified = typeof callback !== "function";
+  const account = await queries.createAccount({
+    userId: finalUserId,
+    email,
+    password: hashedPassword,
+    verified,
+    status: AuthStatus.Normal,
+    rolemask: 0
+  });
+  if (!verified && callback) {
+    await createConfirmationToken(queries, account, email, callback);
+  }
+  return account;
+}
+async function deleteUserBy(config, identifier) {
+  const queries = new AuthQueries(config);
+  const account = await findAccountByIdentifier(queries, identifier);
+  if (!account) {
+    throw new UserNotFoundError();
+  }
+  await queries.deleteAccount(account.id);
+}
+async function addRoleForUserBy(config, identifier, role) {
+  const queries = new AuthQueries(config);
+  const account = await findAccountByIdentifier(queries, identifier);
+  if (!account) {
+    throw new UserNotFoundError();
+  }
+  const rolemask = account.rolemask | role;
+  await queries.updateAccount(account.id, { rolemask });
+}
+async function removeRoleForUserBy(config, identifier, role) {
+  const queries = new AuthQueries(config);
+  const account = await findAccountByIdentifier(queries, identifier);
+  if (!account) {
+    throw new UserNotFoundError();
+  }
+  const rolemask = account.rolemask & ~role;
+  await queries.updateAccount(account.id, { rolemask });
+}
+async function hasRoleForUserBy(config, identifier, role) {
+  const queries = new AuthQueries(config);
+  const account = await findAccountByIdentifier(queries, identifier);
+  if (!account) {
+    throw new UserNotFoundError();
+  }
+  return (account.rolemask & role) === role;
+}
+async function changePasswordForUserBy(config, identifier, password) {
+  validatePassword(password, config);
+  const queries = new AuthQueries(config);
+  const account = await findAccountByIdentifier(queries, identifier);
+  if (!account) {
+    throw new UserNotFoundError();
+  }
+  await queries.updateAccount(account.id, {
+    password: import_hash3.hash.encode(password)
+  });
+}
+async function setStatusForUserBy(config, identifier, status) {
+  const queries = new AuthQueries(config);
+  const account = await findAccountByIdentifier(queries, identifier);
+  if (!account) {
+    throw new UserNotFoundError();
+  }
+  await queries.updateAccount(account.id, { status });
+}
+async function initiatePasswordResetForUserBy(config, identifier, expiresAfter = null, callback) {
+  const queries = new AuthQueries(config);
+  const account = await findAccountByIdentifier(queries, identifier);
+  if (!account) {
+    throw new UserNotFoundError();
+  }
+  if (!account.verified) {
+    throw new EmailNotVerifiedError();
+  }
+  const expiry = !expiresAfter ? (0, import_ms2.default)("6h") : (0, import_ms2.default)(expiresAfter);
+  const token = import_hash3.hash.encode(account.email);
+  const expires = new Date(Date.now() + expiry);
+  await queries.createResetToken({
+    accountId: account.id,
+    token,
+    expires
+  });
+  if (callback) {
+    callback(token);
+  }
+}
+async function resetPassword(config, email, expiresAfter = null, maxOpenRequests = null, callback) {
+  validateEmail(email);
+  const expiry = !expiresAfter ? (0, import_ms2.default)("6h") : (0, import_ms2.default)(expiresAfter);
+  const maxRequests = maxOpenRequests === null ? 2 : Math.max(1, maxOpenRequests);
+  const queries = new AuthQueries(config);
+  const account = await queries.findAccountByEmail(email);
+  if (!account || !account.verified) {
+    throw new EmailNotVerifiedError();
+  }
+  if (!account.resettable) {
+    throw new ResetDisabledError();
+  }
+  const openRequests = await queries.countActiveResetTokensForAccount(account.id);
+  if (openRequests >= maxRequests) {
+    throw new TooManyResetsError();
+  }
+  const token = import_hash3.hash.encode(email);
+  const expires = new Date(Date.now() + expiry);
+  await queries.createResetToken({
+    accountId: account.id,
+    token,
+    expires
+  });
+  if (callback) {
+    callback(token);
+  }
+}
+async function confirmResetPassword(config, token, password) {
+  const queries = new AuthQueries(config);
+  const reset = await queries.findResetToken(token);
+  if (!reset) {
+    throw new ResetNotFoundError();
+  }
+  if (new Date(reset.expires) < /* @__PURE__ */ new Date()) {
+    throw new ResetExpiredError();
+  }
+  const account = await queries.findAccountById(reset.account_id);
+  if (!account) {
+    throw new UserNotFoundError();
+  }
+  if (!account.resettable) {
+    throw new ResetDisabledError();
+  }
+  validatePassword(password, config);
+  if (!import_hash3.hash.verify(token, account.email)) {
+    throw new InvalidTokenError();
+  }
+  await queries.updateAccount(account.id, {
+    password: import_hash3.hash.encode(password)
+  });
+  await queries.deleteResetToken(token);
+  return { accountId: account.id, email: account.email };
+}
+async function forceLogoutForUserBy(config, identifier) {
+  const queries = new AuthQueries(config);
+  const account = await findAccountByIdentifier(queries, identifier);
+  if (!account) {
+    throw new UserNotFoundError();
+  }
+  await queries.incrementForceLogout(account.id);
+  return { accountId: account.id };
+}
+
 // src/auth-manager.ts
 var AuthManager = class {
   constructor(req, res, config) {
@@ -1898,7 +1863,7 @@ var AuthManager = class {
     });
   }
   async createRememberDirective(account) {
-    const token = import_hash5.hash.encode(account.email);
+    const token = import_hash4.hash.encode(account.email);
     const duration = this.config.rememberDuration || "30d";
     const expires = new Date(Date.now() + (0, import_ms3.default)(duration));
     await this.queries.createRememberToken({
@@ -1936,7 +1901,7 @@ var AuthManager = class {
         await this.activityLogger.logActivity(null, AuthActivityAction.FailedLogin, this.req, false, { email, reason: "account_not_found" });
         throw new UserNotFoundError();
       }
-      if (!account.password || !import_hash5.hash.verify(account.password, password)) {
+      if (!account.password || !import_hash4.hash.verify(account.password, password)) {
         await this.activityLogger.logActivity(account.id, AuthActivityAction.FailedLogin, this.req, false, { email, reason: "invalid_password" });
         throw new InvalidPasswordError();
       }
@@ -2048,7 +2013,7 @@ var AuthManager = class {
       throw new EmailTakenError();
     }
     const finalUserId = userId || this.generateAutoUserId();
-    const hashedPassword = import_hash5.hash.encode(password);
+    const hashedPassword = import_hash4.hash.encode(password);
     const verified = typeof callback !== "function";
     const account = await this.queries.createAccount({
       userId: finalUserId,
@@ -2065,7 +2030,7 @@ var AuthManager = class {
     return account;
   }
   async createConfirmationToken(account, email, callback) {
-    const token = import_hash5.hash.encode(email);
+    const token = import_hash4.hash.encode(email);
     const expires = new Date(Date.now() + 1e3 * 60 * 60 * 24 * 7);
     await this.queries.createConfirmation({
       accountId: account.id,
@@ -2199,7 +2164,7 @@ var AuthManager = class {
     if (new Date(confirmation.expires) < /* @__PURE__ */ new Date()) {
       throw new ConfirmationExpiredError();
     }
-    if (!import_hash5.hash.verify(token, confirmation.email)) {
+    if (!import_hash4.hash.verify(token, confirmation.email)) {
       throw new InvalidTokenError();
     }
     await this.queries.updateAccount(confirmation.account_id, {
@@ -2296,7 +2261,7 @@ var AuthManager = class {
     if (openRequests >= maxRequests) {
       throw new TooManyResetsError();
     }
-    const token = import_hash5.hash.encode(email);
+    const token = import_hash4.hash.encode(email);
     const expires = new Date(Date.now() + expiry);
     await this.queries.createResetToken({
       accountId: account.id,
@@ -2338,11 +2303,11 @@ var AuthManager = class {
       throw new ResetDisabledError();
     }
     this.validatePassword(password);
-    if (!import_hash5.hash.verify(token, account.email)) {
+    if (!import_hash4.hash.verify(token, account.email)) {
       throw new InvalidTokenError();
     }
     await this.queries.updateAccount(account.id, {
-      password: import_hash5.hash.encode(password)
+      password: import_hash4.hash.encode(password)
     });
     if (logout) {
       await this.forceLogoutForAccountById(account.id);
@@ -2370,7 +2335,7 @@ var AuthManager = class {
     if (!account.password) {
       return false;
     }
-    return import_hash5.hash.verify(account.password, password);
+    return import_hash4.hash.verify(account.password, password);
   }
   async forceLogoutForAccountById(accountId) {
     await this.queries.deleteRememberTokensForAccount(accountId);
@@ -2408,6 +2373,61 @@ var AuthManager = class {
     await this.logoutEverywhereElse();
     await this.logout();
   }
+  async findAccountByIdentifier(identifier) {
+    if (identifier.accountId !== void 0) {
+      return await this.queries.findAccountById(identifier.accountId);
+    } else if (identifier.email !== void 0) {
+      return await this.queries.findAccountByEmail(identifier.email);
+    } else if (identifier.userId !== void 0) {
+      return await this.queries.findAccountByUserId(identifier.userId);
+    }
+    return null;
+  }
+  // admin/standalone functions (delegated to auth-functions.js due to lack of need for request context)
+  async createUser(credentials, userId, callback) {
+    return createUser(this.config, credentials, userId, callback);
+  }
+  async deleteUserBy(identifier) {
+    return deleteUserBy(this.config, identifier);
+  }
+  async addRoleForUserBy(identifier, role) {
+    return addRoleForUserBy(this.config, identifier, role);
+  }
+  async removeRoleForUserBy(identifier, role) {
+    return removeRoleForUserBy(this.config, identifier, role);
+  }
+  async hasRoleForUserBy(identifier, role) {
+    return hasRoleForUserBy(this.config, identifier, role);
+  }
+  async changePasswordForUserBy(identifier, password) {
+    return changePasswordForUserBy(this.config, identifier, password);
+  }
+  async setStatusForUserBy(identifier, status) {
+    return setStatusForUserBy(this.config, identifier, status);
+  }
+  async initiatePasswordResetForUserBy(identifier, expiresAfter, callback) {
+    return initiatePasswordResetForUserBy(this.config, identifier, expiresAfter, callback);
+  }
+  async forceLogoutForUserBy(identifier) {
+    const result = await forceLogoutForUserBy(this.config, identifier);
+    if (this.getId() === result.accountId) {
+      this.req.session.auth.shouldForceLogout = true;
+    }
+  }
+  /**
+   * Log in as another user (admin function).
+   * Creates a new session as the target user without requiring their password.
+   *
+   * @param identifier - Find user by accountId, email, or userId
+   * @throws {UserNotFoundError} No account matches the identifier
+   */
+  async loginAsUserBy(identifier) {
+    const account = await this.findAccountByIdentifier(identifier);
+    if (!account) {
+      throw new UserNotFoundError();
+    }
+    await this.onLoginSuccessful(account, false);
+  }
 };
 
 // src/middleware.ts
@@ -2415,9 +2435,7 @@ function createAuthMiddleware(config) {
   return async (req, res, next) => {
     try {
       const authManager = new AuthManager(req, res, config);
-      const authAdminManager = new AuthAdminManager(req, res, config, authManager);
       req.auth = authManager;
-      req.authAdmin = authAdminManager;
       await authManager.resyncSession();
       await authManager.processRememberDirective();
       next();
@@ -2626,8 +2644,26 @@ async function getAuthTableStats(config) {
   };
 }
 
+// src/auth-context.ts
+function createAuthContext(config) {
+  return {
+    createUser: (credentials, userId, callback) => createUser(config, credentials, userId, callback),
+    register: (email, password, userId, callback) => register(config, email, password, userId, callback),
+    deleteUserBy: (identifier) => deleteUserBy(config, identifier),
+    addRoleForUserBy: (identifier, role) => addRoleForUserBy(config, identifier, role),
+    removeRoleForUserBy: (identifier, role) => removeRoleForUserBy(config, identifier, role),
+    hasRoleForUserBy: (identifier, role) => hasRoleForUserBy(config, identifier, role),
+    changePasswordForUserBy: (identifier, password) => changePasswordForUserBy(config, identifier, password),
+    setStatusForUserBy: (identifier, status) => setStatusForUserBy(config, identifier, status),
+    initiatePasswordResetForUserBy: (identifier, expiresAfter, callback) => initiatePasswordResetForUserBy(config, identifier, expiresAfter, callback),
+    resetPassword: (email, expiresAfter, maxOpenRequests, callback) => resetPassword(config, email, expiresAfter, maxOpenRequests, callback),
+    confirmResetPassword: (token, password) => confirmResetPassword(config, token, password),
+    forceLogoutForUserBy: (identifier) => forceLogoutForUserBy(config, identifier)
+  };
+}
+
 // src/user-roles.ts
-async function findAccountByIdentifier(queries, identifier) {
+async function findAccountByIdentifier2(queries, identifier) {
   let account = null;
   if (identifier.accountId !== void 0) {
     account = await queries.findAccountById(identifier.accountId);
@@ -2643,24 +2679,24 @@ async function findAccountByIdentifier(queries, identifier) {
 }
 async function addRoleToUser(config, identifier, role) {
   const queries = new AuthQueries(config);
-  const account = await findAccountByIdentifier(queries, identifier);
+  const account = await findAccountByIdentifier2(queries, identifier);
   const rolemask = account.rolemask | role;
   await queries.updateAccount(account.id, { rolemask });
 }
 async function removeRoleFromUser(config, identifier, role) {
   const queries = new AuthQueries(config);
-  const account = await findAccountByIdentifier(queries, identifier);
+  const account = await findAccountByIdentifier2(queries, identifier);
   const rolemask = account.rolemask & ~role;
   await queries.updateAccount(account.id, { rolemask });
 }
 async function setUserRoles(config, identifier, rolemask) {
   const queries = new AuthQueries(config);
-  const account = await findAccountByIdentifier(queries, identifier);
+  const account = await findAccountByIdentifier2(queries, identifier);
   await queries.updateAccount(account.id, { rolemask });
 }
 async function getUserRoles(config, identifier) {
   const queries = new AuthQueries(config);
-  const account = await findAccountByIdentifier(queries, identifier);
+  const account = await findAccountByIdentifier2(queries, identifier);
   return account.rolemask;
 }
 // Annotate the CommonJS export names for ESM import in node:
@@ -2700,10 +2736,11 @@ async function getUserRoles(config, identifier) {
   UserNotFoundError,
   UserNotLoggedInError,
   addRoleToUser,
+  authFunctions,
   cleanupExpiredTokens,
+  createAuthContext,
   createAuthMiddleware,
   createAuthTables,
-  createUser,
   dropAuthTables,
   getAuthTableStats,
   getUserRoles,