@enderworld/onlyapi 1.5.1

package/src/infrastructure/database/sqlite-account-lockout.ts

@@ -0,0 +1,97 @@
+import type { Database } from "bun:sqlite";
+import { type AppError, internal } from "../../core/errors/app-error.js";
+import type { AccountLockout } from "../../core/ports/account-lockout.js";
+import { type Result, err, ok } from "../../core/types/result.js";
+
+/**
+ * SQLite-backed account lockout — persists across restarts.
+ * Uses the failed_login_attempts and locked_until columns on the users table.
+ */
+
+interface LockoutConfig {
+  readonly maxAttempts: number;
+  readonly lockoutDurationMs: number;
+}
+
+export const createSqliteAccountLockout = (
+  db: Database,
+  config: LockoutConfig = { maxAttempts: 5, lockoutDurationMs: 15 * 60 * 1000 },
+): AccountLockout => {
+  const getStmt = db.prepare<
+    { failed_login_attempts: number; locked_until: number | null },
+    [string]
+  >("SELECT failed_login_attempts, locked_until FROM users WHERE email = ?");
+
+  const incrementStmt = db.prepare(
+    "UPDATE users SET failed_login_attempts = failed_login_attempts + 1 WHERE email = ?",
+  );
+
+  const lockStmt = db.prepare(
+    "UPDATE users SET failed_login_attempts = ?, locked_until = ? WHERE email = ?",
+  );
+
+  const resetStmt = db.prepare(
+    "UPDATE users SET failed_login_attempts = 0, locked_until = NULL WHERE email = ?",
+  );
+
+  return {
+    async recordFailedAttempt(email: string): Promise<Result<boolean, AppError>> {
+      try {
+        const row = getStmt.get(email);
+        if (!row) return ok(false); // User doesn't exist — don't reveal that
+
+        const now = Date.now();
+
+        // If currently locked and not expired
+        if (row.locked_until !== null && row.locked_until > now) {
+          return ok(true);
+        }
+
+        // If lock expired, reset first
+        if (row.locked_until !== null && row.locked_until <= now) {
+          resetStmt.run(email);
+          incrementStmt.run(email);
+          return ok(false);
+        }
+
+        incrementStmt.run(email);
+        const newCount = row.failed_login_attempts + 1;
+
+        if (newCount >= config.maxAttempts) {
+          lockStmt.run(newCount, now + config.lockoutDurationMs, email);
+          return ok(true);
+        }
+
+        return ok(false);
+      } catch (e: unknown) {
+        return err(internal("Failed to record login attempt", e));
+      }
+    },
+
+    async resetAttempts(email: string): Promise<Result<void, AppError>> {
+      try {
+        resetStmt.run(email);
+        return ok(undefined);
+      } catch (e: unknown) {
+        return err(internal("Failed to reset login attempts", e));
+      }
+    },
+
+    async isLocked(email: string): Promise<Result<number | null, AppError>> {
+      try {
+        const row = getStmt.get(email);
+        if (!row || row.locked_until === null) return ok(null);
+
+        if (row.locked_until <= Date.now()) {
+          // Lock expired — reset
+          resetStmt.run(email);
+          return ok(null);
+        }
+
+        return ok(row.locked_until);
+      } catch (e: unknown) {
+        return err(internal("Failed to check lockout status", e));
+      }
+    },
+  };
+};

package/src/infrastructure/database/sqlite-api-keys.ts

@@ -0,0 +1,155 @@
+import type { Database } from "bun:sqlite";
+import { type AppError, internal, notFound, unauthorized } from "../../core/errors/app-error.js";
+import type { ApiKey, ApiKeyRepository } from "../../core/ports/api-key.js";
+import type { UserId } from "../../core/types/brand.js";
+import { brand } from "../../core/types/brand.js";
+import { type Result, err, ok } from "../../core/types/result.js";
+import { generateId } from "../../shared/utils/id.js";
+
+/**
+ * SQLite-backed API key repository.
+ * Keys are SHA-256 hashed before storage. Only the prefix is shown after creation.
+ * Raw keys are returned exactly once on creation.
+ */
+
+const hashKey = async (raw: string): Promise<string> => {
+  const data = new TextEncoder().encode(raw);
+  const buf = await crypto.subtle.digest("SHA-256", data);
+  return Array.from(new Uint8Array(buf))
+    .map((b) => b.toString(16).padStart(2, "0"))
+    .join("");
+};
+
+const generateRawKey = (): string => {
+  const bytes = new Uint8Array(32);
+  crypto.getRandomValues(bytes);
+  const hex = Array.from(bytes)
+    .map((b) => b.toString(16).padStart(2, "0"))
+    .join("");
+  return `oapi_${hex}`;
+};
+
+interface ApiKeyRow {
+  id: string;
+  user_id: string;
+  name: string;
+  key_hash: string;
+  key_prefix: string;
+  scopes: string;
+  expires_at: number | null;
+  last_used_at: number | null;
+  created_at: number;
+}
+
+const rowToApiKey = (row: ApiKeyRow): ApiKey => ({
+  id: row.id,
+  userId: brand<string, "UserId">(row.user_id),
+  name: row.name,
+  keyPrefix: row.key_prefix,
+  scopes: JSON.parse(row.scopes) as string[],
+  expiresAt: row.expires_at,
+  lastUsedAt: row.last_used_at,
+  createdAt: row.created_at,
+});
+
+export const createSqliteApiKeyRepository = (db: Database): ApiKeyRepository => {
+  const insertStmt = db.prepare(
+    "INSERT INTO api_keys (id, user_id, name, key_hash, key_prefix, scopes, expires_at, last_used_at, created_at) VALUES (?, ?, ?, ?, ?, ?, ?, NULL, ?)",
+  );
+  const findByHashStmt = db.prepare<ApiKeyRow, [string]>(
+    "SELECT * FROM api_keys WHERE key_hash = ?",
+  );
+  const listByUserStmt = db.prepare<ApiKeyRow, [string]>(
+    "SELECT * FROM api_keys WHERE user_id = ? ORDER BY created_at DESC",
+  );
+  const deleteStmt = db.prepare("DELETE FROM api_keys WHERE id = ? AND user_id = ?");
+  const touchStmt = db.prepare("UPDATE api_keys SET last_used_at = ? WHERE id = ?");
+
+  return {
+    async create(
+      userId: UserId,
+      name: string,
+      scopes: readonly string[],
+      expiresAt?: number,
+    ): Promise<Result<{ key: ApiKey; rawKey: string }, AppError>> {
+      try {
+        const rawKey = generateRawKey();
+        const keyHash = await hashKey(rawKey);
+        const id = generateId();
+        const now = Date.now();
+        const keyPrefix = `${rawKey.substring(0, 12)}...`;
+
+        insertStmt.run(
+          id,
+          userId,
+          name,
+          keyHash,
+          keyPrefix,
+          JSON.stringify(scopes),
+          expiresAt ?? null,
+          now,
+        );
+
+        const key: ApiKey = {
+          id,
+          userId,
+          name,
+          keyPrefix,
+          scopes,
+          expiresAt: expiresAt ?? null,
+          lastUsedAt: null,
+          createdAt: now,
+        };
+
+        return ok({ key, rawKey });
+      } catch (e: unknown) {
+        return err(internal("Failed to create API key", e));
+      }
+    },
+
+    async verify(rawKey: string): Promise<Result<ApiKey, AppError>> {
+      try {
+        const keyHash = await hashKey(rawKey);
+        const row = findByHashStmt.get(keyHash);
+        if (!row) return err(unauthorized("Invalid API key"));
+
+        // Check expiry
+        if (row.expires_at !== null && row.expires_at <= Date.now()) {
+          return err(unauthorized("API key has expired"));
+        }
+
+        return ok(rowToApiKey(row));
+      } catch (e: unknown) {
+        return err(internal("Failed to verify API key", e));
+      }
+    },
+
+    async listByUser(userId: UserId): Promise<Result<readonly ApiKey[], AppError>> {
+      try {
+        const rows = listByUserStmt.all(userId);
+        return ok(rows.map(rowToApiKey));
+      } catch (e: unknown) {
+        return err(internal("Failed to list API keys", e));
+      }
+    },
+
+    async revoke(id: string, userId: UserId): Promise<Result<void, AppError>> {
+      try {
+        const result = deleteStmt.run(id, userId);
+        if (result.changes === 0) return err(notFound("API key"));
+        return ok(undefined);
+      } catch (e: unknown) {
+        return err(internal("Failed to revoke API key", e));
+      }
+    },
+
+    async touch(id: string): Promise<Result<void, AppError>> {
+      try {
+        touchStmt.run(Date.now(), id);
+        return ok(undefined);
+      } catch (e: unknown) {
+        return err(internal("Failed to update API key usage", e));
+      }
+    },
+  };
+};

package/src/infrastructure/database/sqlite-audit-log.ts

@@ -0,0 +1,90 @@
+import type { Database } from "bun:sqlite";
+import { type AppError, internal } from "../../core/errors/app-error.js";
+import type { AuditEntry, AuditLog, AuditQueryOptions } from "../../core/ports/audit-log.js";
+import { type Result, err, ok } from "../../core/types/result.js";
+import { generateId } from "../../shared/utils/id.js";
+
+/**
+ * SQLite audit log — append-only ledger backed by bun:sqlite.
+ * Supports querying by userId, action, and time range.
+ */
+
+interface AuditRow {
+  id: string;
+  user_id: string | null;
+  action: string;
+  resource: string;
+  resource_id: string | null;
+  detail: string | null;
+  ip: string;
+  timestamp: number;
+}
+
+const rowToEntry = (row: AuditRow): AuditEntry => ({
+  id: row.id,
+  userId: row.user_id,
+  action: row.action as AuditEntry["action"],
+  resource: row.resource,
+  resourceId: row.resource_id,
+  detail: row.detail,
+  ip: row.ip,
+  timestamp: row.timestamp,
+});
+
+export const createSqliteAuditLog = (db: Database): AuditLog => {
+  const insertStmt = db.prepare(
+    "INSERT INTO audit_log (id, user_id, action, resource, resource_id, detail, ip, timestamp) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
+  );
+
+  return {
+    async append(entry: Omit<AuditEntry, "id" | "timestamp">): Promise<Result<void, AppError>> {
+      try {
+        insertStmt.run(
+          generateId(),
+          entry.userId,
+          entry.action,
+          entry.resource,
+          entry.resourceId,
+          entry.detail,
+          entry.ip,
+          Date.now(),
+        );
+        return ok(undefined);
+      } catch (e: unknown) {
+        return err(internal("Failed to append audit entry", e));
+      }
+    },
+
+    async query(options: AuditQueryOptions): Promise<Result<readonly AuditEntry[], AppError>> {
+      try {
+        const conditions: string[] = [];
+        const params: unknown[] = [];
+
+        if (options.userId !== undefined) {
+          conditions.push("user_id = ?");
+          params.push(options.userId);
+        }
+        if (options.action !== undefined) {
+          conditions.push("action = ?");
+          params.push(options.action);
+        }
+        if (options.since !== undefined) {
+          conditions.push("timestamp >= ?");
+          params.push(options.since);
+        }
+
+        const where = conditions.length > 0 ? `WHERE ${conditions.join(" AND ")}` : "";
+        const limit = options.limit ?? 50;
+        const sql = `SELECT * FROM audit_log ${where} ORDER BY timestamp DESC LIMIT ?`;
+        params.push(limit);
+
+        const rows = db
+          .query(sql)
+          .all(...(params as import("bun:sqlite").SQLQueryBindings[])) as AuditRow[];
+        return ok(rows.map(rowToEntry));
+      } catch (e: unknown) {
+        return err(internal("Failed to query audit log", e));
+      }
+    },
+  };
+};

package/src/infrastructure/database/sqlite-oauth-accounts.ts

@@ -0,0 +1,105 @@
+import type { Database } from "bun:sqlite";
+import { type AppError, conflict, internal, notFound } from "../../core/errors/app-error.js";
+import type { OAuthAccount, OAuthAccountRepository } from "../../core/ports/oauth.js";
+import type { UserId } from "../../core/types/brand.js";
+import { brand } from "../../core/types/brand.js";
+import { type Result, err, ok } from "../../core/types/result.js";
+import { generateId } from "../../shared/utils/id.js";
+
+/**
+ * SQLite-backed OAuth account repository.
+ * Links external OAuth provider identities to internal user accounts.
+ */
+
+interface OAuthRow {
+  id: string;
+  user_id: string;
+  provider: string;
+  provider_user_id: string;
+  email: string | null;
+  created_at: number;
+}
+
+const rowToAccount = (row: OAuthRow): OAuthAccount => ({
+  id: row.id,
+  userId: brand<string, "UserId">(row.user_id),
+  provider: row.provider,
+  providerUserId: row.provider_user_id,
+  email: row.email,
+  createdAt: row.created_at,
+});
+
+const isUniqueViolation = (e: unknown): boolean =>
+  e instanceof Error && e.message.includes("UNIQUE");
+
+export const createSqliteOAuthAccountRepo = (db: Database): OAuthAccountRepository => {
+  const insertStmt = db.prepare(
+    "INSERT INTO oauth_accounts (id, user_id, provider, provider_user_id, email, created_at) VALUES (?, ?, ?, ?, ?, ?)",
+  );
+  const findByProviderStmt = db.prepare<OAuthRow, [string, string]>(
+    "SELECT * FROM oauth_accounts WHERE provider = ? AND provider_user_id = ?",
+  );
+  const listByUserStmt = db.prepare<OAuthRow, [string]>(
+    "SELECT * FROM oauth_accounts WHERE user_id = ? ORDER BY created_at DESC",
+  );
+  const deleteStmt = db.prepare("DELETE FROM oauth_accounts WHERE id = ? AND user_id = ?");
+
+  return {
+    async link(
+      userId: UserId,
+      provider: string,
+      providerUserId: string,
+      email: string | null,
+    ): Promise<Result<OAuthAccount, AppError>> {
+      try {
+        const id = generateId();
+        const now = Date.now();
+        insertStmt.run(id, userId, provider, providerUserId, email, now);
+        return ok({
+          id,
+          userId,
+          provider,
+          providerUserId,
+          email,
+          createdAt: now,
+        });
+      } catch (e: unknown) {
+        if (isUniqueViolation(e)) {
+          return err(conflict("OAuth account already linked"));
+        }
+        return err(internal("Failed to link OAuth account", e));
+      }
+    },
+
+    async findByProvider(
+      provider: string,
+      providerUserId: string,
+    ): Promise<Result<OAuthAccount | null, AppError>> {
+      try {
+        const row = findByProviderStmt.get(provider, providerUserId);
+        return ok(row ? rowToAccount(row) : null);
+      } catch (e: unknown) {
+        return err(internal("Failed to find OAuth account", e));
+      }
+    },
+
+    async listByUser(userId: UserId): Promise<Result<readonly OAuthAccount[], AppError>> {
+      try {
+        const rows = listByUserStmt.all(userId);
+        return ok(rows.map(rowToAccount));
+      } catch (e: unknown) {
+        return err(internal("Failed to list OAuth accounts", e));
+      }
+    },
+
+    async unlink(id: string, userId: UserId): Promise<Result<void, AppError>> {
+      try {
+        const result = deleteStmt.run(id, userId);
+        if (result.changes === 0) return err(notFound("OAuth account"));
+        return ok(undefined);
+      } catch (e: unknown) {
+        return err(internal("Failed to unlink OAuth account", e));
+      }
+    },
+  };
+};

package/src/infrastructure/database/sqlite-password-history.ts

@@ -0,0 +1,54 @@
+import type { Database } from "bun:sqlite";
+import { type AppError, internal } from "../../core/errors/app-error.js";
+import type { PasswordHistory } from "../../core/ports/password-history.js";
+import type { UserId } from "../../core/types/brand.js";
+import { type Result, err, ok } from "../../core/types/result.js";
+import { generateId } from "../../shared/utils/id.js";
+
+/**
+ * SQLite-backed password history — stores past password hashes
+ * to prevent reuse of recently used passwords.
+ */
+
+export const createSqlitePasswordHistory = (db: Database): PasswordHistory => {
+  const insertStmt = db.prepare(
+    "INSERT INTO password_history (id, user_id, password_hash, created_at) VALUES (?, ?, ?, ?)",
+  );
+  const getRecentStmt = db.prepare<{ password_hash: string }, [string, number]>(
+    "SELECT password_hash FROM password_history WHERE user_id = ? ORDER BY created_at DESC LIMIT ?",
+  );
+  const pruneStmt = db.prepare(
+    `DELETE FROM password_history WHERE id NOT IN (
+      SELECT id FROM password_history WHERE user_id = ? ORDER BY created_at DESC LIMIT ?
+    ) AND user_id = ?`,
+  );
+
+  return {
+    async add(userId: UserId, passwordHash: string): Promise<Result<void, AppError>> {
+      try {
+        insertStmt.run(generateId(), userId, passwordHash, Date.now());
+        return ok(undefined);
+      } catch (e: unknown) {
+        return err(internal("Failed to add password history", e));
+      }
+    },
+
+    async getRecent(userId: UserId, count: number): Promise<Result<readonly string[], AppError>> {
+      try {
+        const rows = getRecentStmt.all(userId, count);
+        return ok(rows.map((r) => r.password_hash));
+      } catch (e: unknown) {
+        return err(internal("Failed to get password history", e));
+      }
+    },
+
+    async prune(userId: UserId, keepCount: number): Promise<Result<void, AppError>> {
+      try {
+        pruneStmt.run(userId, keepCount, userId);
+        return ok(undefined);
+      } catch (e: unknown) {
+        return err(internal("Failed to prune password history", e));
+      }
+    },
+  };
+};

package/src/infrastructure/database/sqlite-refresh-token-store.ts

@@ -0,0 +1,122 @@
+import type { Database } from "bun:sqlite";
+import { type AppError, internal, unauthorized } from "../../core/errors/app-error.js";
+import type {
+  RefreshTokenFamily,
+  RefreshTokenStore,
+} from "../../core/ports/refresh-token-store.js";
+import type { UserId } from "../../core/types/brand.js";
+import { brand } from "../../core/types/brand.js";
+import { type Result, err, ok } from "../../core/types/result.js";
+import { generateId } from "../../shared/utils/id.js";
+
+/**
+ * SQLite-backed refresh token store with family tracking.
+ * Enables refresh token rotation with reuse detection:
+ * - Each login creates a new "family"
+ * - Each refresh rotates the token within the family
+ * - If an old token is reused → entire family is revoked (potential theft)
+ */
+
+interface FamilyRow {
+  id: string;
+  user_id: string;
+  current_token_hash: string;
+  revoked: number;
+  created_at: number;
+  updated_at: number;
+}
+
+const rowToFamily = (row: FamilyRow): RefreshTokenFamily => ({
+  id: row.id,
+  userId: brand<string, "UserId">(row.user_id),
+  currentTokenHash: row.current_token_hash,
+  revoked: row.revoked === 1,
+  createdAt: row.created_at,
+  updatedAt: row.updated_at,
+});
+
+export const createSqliteRefreshTokenStore = (db: Database): RefreshTokenStore => {
+  const insertStmt = db.prepare(
+    "INSERT INTO refresh_token_families (id, user_id, current_token_hash, revoked, created_at, updated_at) VALUES (?, ?, ?, 0, ?, ?)",
+  );
+  const findByHashStmt = db.prepare<FamilyRow, [string]>(
+    "SELECT * FROM refresh_token_families WHERE current_token_hash = ?",
+  );
+  const rotateStmt = db.prepare(
+    "UPDATE refresh_token_families SET current_token_hash = ?, updated_at = ? WHERE id = ? AND current_token_hash = ?",
+  );
+  const revokeFamilyStmt = db.prepare(
+    "UPDATE refresh_token_families SET revoked = 1, updated_at = ? WHERE id = ?",
+  );
+  const revokeAllStmt = db.prepare(
+    "UPDATE refresh_token_families SET revoked = 1, updated_at = ? WHERE user_id = ?",
+  );
+  const pruneStmt = db.prepare("DELETE FROM refresh_token_families WHERE updated_at < ?");
+
+  return {
+    async createFamily(userId: UserId, tokenHash: string): Promise<Result<string, AppError>> {
+      try {
+        const id = generateId();
+        const now = Date.now();
+        insertStmt.run(id, userId, tokenHash, now, now);
+        return ok(id);
+      } catch (e: unknown) {
+        return err(internal("Failed to create refresh token family", e));
+      }
+    },
+
+    async rotate(
+      familyId: string,
+      oldTokenHash: string,
+      newTokenHash: string,
+    ): Promise<Result<void, AppError>> {
+      try {
+        const now = Date.now();
+        const result = rotateStmt.run(newTokenHash, now, familyId, oldTokenHash);
+        if (result.changes === 0) {
+          return err(unauthorized("Token rotation failed — token mismatch"));
+        }
+        return ok(undefined);
+      } catch (e: unknown) {
+        return err(internal("Failed to rotate refresh token", e));
+      }
+    },
+
+    async findByTokenHash(tokenHash: string): Promise<Result<RefreshTokenFamily | null, AppError>> {
+      try {
+        const row = findByHashStmt.get(tokenHash);
+        return ok(row ? rowToFamily(row) : null);
+      } catch (e: unknown) {
+        return err(internal("Failed to find refresh token family", e));
+      }
+    },
+
+    async revokeFamily(familyId: string): Promise<Result<void, AppError>> {
+      try {
+        revokeFamilyStmt.run(Date.now(), familyId);
+        return ok(undefined);
+      } catch (e: unknown) {
+        return err(internal("Failed to revoke refresh token family", e));
+      }
+    },
+
+    async revokeAllForUser(userId: UserId): Promise<Result<void, AppError>> {
+      try {
+        revokeAllStmt.run(Date.now(), userId);
+        return ok(undefined);
+      } catch (e: unknown) {
+        return err(internal("Failed to revoke all refresh tokens", e));
+      }
+    },
+
+    async prune(maxAgeMs: number): Promise<Result<number, AppError>> {
+      try {
+        const cutoff = Date.now() - maxAgeMs;
+        const result = pruneStmt.run(cutoff);
+        return ok(result.changes);
+      } catch (e: unknown) {
+        return err(internal("Failed to prune refresh token families", e));
+      }
+    },
+  };
+};

package/src/infrastructure/database/sqlite-token-blacklist.ts

@@ -0,0 +1,47 @@
+import type { Database } from "bun:sqlite";
+import { type AppError, internal } from "../../core/errors/app-error.js";
+import type { TokenBlacklist } from "../../core/ports/token-blacklist.js";
+import { type Result, err, ok } from "../../core/types/result.js";
+
+/**
+ * SQLite-backed token blacklist — persists across restarts.
+ * Requires migration 002_create_token_blacklist to be applied.
+ */
+export const createSqliteTokenBlacklist = (db: Database): TokenBlacklist => {
+  const insertStmt = db.prepare(
+    "INSERT OR IGNORE INTO token_blacklist (token_hash, expires_at, created_at) VALUES (?, ?, ?)",
+  );
+  const checkStmt = db.prepare<{ token_hash: string }, [string, number]>(
+    "SELECT token_hash FROM token_blacklist WHERE token_hash = ? AND expires_at > ?",
+  );
+  const pruneStmt = db.prepare("DELETE FROM token_blacklist WHERE expires_at <= ?");
+
+  return {
+    async add(tokenHash: string, expiresAt: number): Promise<Result<void, AppError>> {
+      try {
+        insertStmt.run(tokenHash, expiresAt, Date.now());
+        return ok(undefined);
+      } catch (e: unknown) {
+        return err(internal("Failed to blacklist token", e));
+      }
+    },
+
+    async isBlacklisted(tokenHash: string): Promise<Result<boolean, AppError>> {
+      try {
+        const row = checkStmt.get(tokenHash, Date.now());
+        return ok(row !== null);
+      } catch (e: unknown) {
+        return err(internal("Failed to check token blacklist", e));
+      }
+    },
+
+    async prune(): Promise<Result<number, AppError>> {
+      try {
+        const result = pruneStmt.run(Date.now());
+        return ok(result.changes);
+      } catch (e: unknown) {
+        return err(internal("Failed to prune token blacklist", e));
+      }
+    },
+  };
+};