@enderworld/onlyapi 1.5.1

package/src/infrastructure/oauth/google.ts

@@ -0,0 +1,83 @@
+import { type AppError, internal, unauthorized } from "../../core/errors/app-error.js";
+import type { OAuthProvider, OAuthUserInfo } from "../../core/ports/oauth.js";
+import { type Result, err, ok } from "../../core/types/result.js";
+
+/**
+ * Google OAuth2 provider adapter.
+ * Uses Google's OAuth 2.0 endpoints for authorization code flow.
+ * Zero external dependencies — uses native fetch.
+ */
+
+interface GoogleOAuthConfig {
+  readonly clientId: string;
+  readonly clientSecret: string;
+}
+
+export const createGoogleOAuthProvider = (config: GoogleOAuthConfig): OAuthProvider => ({
+  name: "google",
+
+  getAuthorizationUrl(state: string, redirectUri: string): string {
+    const params = new URLSearchParams({
+      client_id: config.clientId,
+      redirect_uri: redirectUri,
+      response_type: "code",
+      scope: "openid email profile",
+      state,
+      access_type: "offline",
+    });
+    return `https://accounts.google.com/o/oauth2/v2/auth?${params.toString()}`;
+  },
+
+  async exchangeCode(code: string, redirectUri: string): Promise<Result<OAuthUserInfo, AppError>> {
+    try {
+      // Exchange authorization code for tokens
+      const tokenRes = await fetch("https://oauth2.googleapis.com/token", {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+          code,
+          client_id: config.clientId,
+          client_secret: config.clientSecret,
+          redirect_uri: redirectUri,
+          grant_type: "authorization_code",
+        }).toString(),
+      });
+
+      if (!tokenRes.ok) {
+        return err(unauthorized("Failed to exchange authorization code with Google"));
+      }
+
+      const tokenData = (await tokenRes.json()) as { access_token?: string };
+      if (!tokenData.access_token) {
+        return err(unauthorized("No access token in Google response"));
+      }
+
+      // Fetch user info
+      const userRes = await fetch("https://www.googleapis.com/oauth2/v2/userinfo", {
+        headers: { Authorization: `Bearer ${tokenData.access_token}` },
+      });
+
+      if (!userRes.ok) {
+        return err(unauthorized("Failed to fetch Google user info"));
+      }
+
+      const userData = (await userRes.json()) as {
+        id?: string;
+        email?: string;
+        name?: string;
+      };
+
+      if (!userData.id || !userData.email) {
+        return err(unauthorized("Incomplete Google user info"));
+      }
+
+      return ok({
+        providerId: userData.id,
+        email: userData.email,
+        ...(userData.name ? { name: userData.name } : {}),
+      });
+    } catch (e: unknown) {
+      return err(internal("Google OAuth exchange failed", e));
+    }
+  },
+});

package/src/infrastructure/oauth/index.ts

@@ -0,0 +1,2 @@
+export { createGoogleOAuthProvider } from "./google.js";
+export { createGitHubOAuthProvider } from "./github.js";

package/src/infrastructure/resilience/circuit-breaker.ts

@@ -0,0 +1,133 @@
+/**
+ * Circuit breaker implementation — resilience pattern for external calls.
+ *
+ * State machine:
+ *   CLOSED   → (failures ≥ threshold)  → OPEN
+ *   OPEN     → (timeout elapsed)      → HALF_OPEN
+ *   HALF_OPEN → (successes ≥ threshold) → CLOSED
+ *   HALF_OPEN → (any failure)           → OPEN
+ */
+
+import {
+  type CircuitBreaker,
+  type CircuitBreakerOptions,
+  CircuitState,
+} from "../../core/ports/circuit-breaker.js";
+
+export class CircuitBreakerOpenError extends Error {
+  readonly circuitName: string;
+
+  constructor(name: string) {
+    super(`Circuit breaker "${name}" is OPEN — request short-circuited`);
+    this.circuitName = name;
+    this.name = "CircuitBreakerOpenError";
+  }
+}
+
+export const createCircuitBreaker = (options: CircuitBreakerOptions): CircuitBreaker => {
+  const { name, failureThreshold, resetTimeoutMs, halfOpenSuccessThreshold, onStateChange } =
+    options;
+
+  let state: CircuitState = CircuitState.CLOSED;
+  let failures = 0;
+  let successes = 0;
+  let lastFailureTime = 0;
+  let halfOpenInFlight = 0;
+
+  const transition = (to: CircuitState): void => {
+    if (state === to) return;
+    const from = state;
+    state = to;
+    onStateChange?.(name, from, to);
+  };
+
+  const recordSuccess = (): void => {
+    if (state === CircuitState.HALF_OPEN) {
+      successes++;
+      halfOpenInFlight--;
+      if (successes >= halfOpenSuccessThreshold) {
+        failures = 0;
+        successes = 0;
+        transition(CircuitState.CLOSED);
+      }
+    } else {
+      failures = 0;
+    }
+  };
+
+  const recordFailure = (): void => {
+    failures++;
+    lastFailureTime = Date.now();
+
+    if (state === CircuitState.HALF_OPEN) {
+      halfOpenInFlight--;
+      successes = 0;
+      transition(CircuitState.OPEN);
+    } else if (failures >= failureThreshold) {
+      transition(CircuitState.OPEN);
+    }
+  };
+
+  return {
+    get state() {
+      // Check if it's time to transition OPEN → HALF_OPEN
+      if (state === CircuitState.OPEN) {
+        const elapsed = Date.now() - lastFailureTime;
+        if (elapsed >= resetTimeoutMs) {
+          successes = 0;
+          halfOpenInFlight = 0;
+          transition(CircuitState.HALF_OPEN);
+        }
+      }
+      return state;
+    },
+
+    get name() {
+      return name;
+    },
+
+    get failureCount() {
+      return failures;
+    },
+
+    reset(): void {
+      failures = 0;
+      successes = 0;
+      halfOpenInFlight = 0;
+      transition(CircuitState.CLOSED);
+    },
+
+    async execute<T>(fn: () => Promise<T>): Promise<T> {
+      // Re-check state (may transition OPEN → HALF_OPEN)
+      if (state === CircuitState.OPEN) {
+        const elapsed = Date.now() - lastFailureTime;
+        if (elapsed >= resetTimeoutMs) {
+          successes = 0;
+          halfOpenInFlight = 0;
+          transition(CircuitState.HALF_OPEN);
+        }
+      }
+
+      if (state === CircuitState.OPEN) {
+        throw new CircuitBreakerOpenError(name);
+      }
+
+      // In HALF_OPEN, limit concurrent probes
+      if (state === CircuitState.HALF_OPEN) {
+        if (halfOpenInFlight >= halfOpenSuccessThreshold) {
+          throw new CircuitBreakerOpenError(name);
+        }
+        halfOpenInFlight++;
+      }
+
+      try {
+        const result = await fn();
+        recordSuccess();
+        return result;
+      } catch (error: unknown) {
+        recordFailure();
+        throw error;
+      }
+    },
+  };
+};

package/src/infrastructure/resilience/index.ts

@@ -0,0 +1,2 @@
+export { createCircuitBreaker, CircuitBreakerOpenError } from "./circuit-breaker.js";
+export { createRetryPolicy } from "./retry.js";

package/src/infrastructure/resilience/retry.ts

@@ -0,0 +1,50 @@
+/**
+ * Retry with exponential backoff — configurable retry policy for transient failures.
+ *
+ * Features:
+ *   - Exponential backoff: delay = baseDelay × 2^attempt
+ *   - Jitter: ±random factor to prevent thundering herd
+ *   - Max delay cap
+ *   - Retryable predicate for selective retry
+ */
+
+import type { RetryOptions, RetryPolicy } from "../../core/ports/retry.js";
+
+const sleep = (ms: number): Promise<void> => new Promise((resolve) => setTimeout(resolve, ms));
+
+export const createRetryPolicy = (options: RetryOptions): RetryPolicy => {
+  const { maxRetries, baseDelayMs, maxDelayMs, jitter, retryable, onRetry } = options;
+
+  return {
+    async execute<T>(fn: () => Promise<T>): Promise<T> {
+      let lastError: unknown;
+
+      for (let attempt = 0; attempt <= maxRetries; attempt++) {
+        try {
+          return await fn();
+        } catch (error: unknown) {
+          lastError = error;
+
+          // Don't retry on final attempt
+          if (attempt === maxRetries) break;
+
+          // Check if error is retryable
+          if (retryable && !retryable(error)) break;
+
+          // Calculate delay with exponential backoff + jitter
+          const exponentialDelay = baseDelayMs * 2 ** attempt;
+          const cappedDelay = Math.min(exponentialDelay, maxDelayMs);
+          const jitterRange = cappedDelay * jitter;
+          const jitterOffset = (Math.random() * 2 - 1) * jitterRange;
+          const finalDelay = Math.max(0, Math.round(cappedDelay + jitterOffset));
+
+          onRetry?.(attempt + 1, error, finalDelay);
+
+          await sleep(finalDelay);
+        }
+      }
+
+      throw lastError;
+    },
+  };
+};

package/src/infrastructure/security/account-lockout.ts

@@ -0,0 +1,73 @@
+import type { AppError } from "../../core/errors/app-error.js";
+import type { AccountLockout } from "../../core/ports/account-lockout.js";
+import { type Result, ok } from "../../core/types/result.js";
+
+/**
+ * In-memory account lockout tracker.
+ * Locks account after maxAttempts failed logins for lockoutDurationMs.
+ */
+
+interface LockoutEntry {
+  attempts: number;
+  lockedUntil: number | null;
+}
+
+interface LockoutConfig {
+  readonly maxAttempts: number;
+  readonly lockoutDurationMs: number;
+}
+
+export const createInMemoryAccountLockout = (
+  config: LockoutConfig = { maxAttempts: 5, lockoutDurationMs: 15 * 60 * 1000 },
+): AccountLockout => {
+  const store = new Map<string, LockoutEntry>();
+
+  return {
+    async recordFailedAttempt(email: string): Promise<Result<boolean, AppError>> {
+      let entry = store.get(email);
+      if (!entry) {
+        entry = { attempts: 0, lockedUntil: null };
+        store.set(email, entry);
+      }
+
+      // If currently locked and lock hasn't expired, just report still locked
+      if (entry.lockedUntil !== null && entry.lockedUntil > Date.now()) {
+        return ok(true);
+      }
+
+      // If lock expired, reset
+      if (entry.lockedUntil !== null && entry.lockedUntil <= Date.now()) {
+        entry.attempts = 0;
+        entry.lockedUntil = null;
+      }
+
+      entry.attempts++;
+
+      if (entry.attempts >= config.maxAttempts) {
+        entry.lockedUntil = Date.now() + config.lockoutDurationMs;
+        return ok(true);
+      }
+
+      return ok(false);
+    },
+
+    async resetAttempts(email: string): Promise<Result<void, AppError>> {
+      store.delete(email);
+      return ok(undefined);
+    },
+
+    async isLocked(email: string): Promise<Result<number | null, AppError>> {
+      const entry = store.get(email);
+      if (!entry || entry.lockedUntil === null) return ok(null);
+
+      if (entry.lockedUntil <= Date.now()) {
+        // Lock expired — clean up
+        entry.attempts = 0;
+        entry.lockedUntil = null;
+        return ok(null);
+      }
+
+      return ok(entry.lockedUntil);
+    },
+  };
+};

package/src/infrastructure/security/index.ts

@@ -0,0 +1,6 @@
+export { createPasswordHasher } from "./password-hasher.js";
+export { createTokenService } from "./token-service.js";
+export { createInMemoryTokenBlacklist } from "./token-blacklist.js";
+export { createInMemoryAccountLockout } from "./account-lockout.js";
+export { createTotpService } from "./totp-service.js";
+export { createPasswordPolicy } from "./password-policy.js";

package/src/infrastructure/security/password-hasher.ts

@@ -0,0 +1,31 @@
+import { type AppError, internal } from "../../core/errors/app-error.js";
+import type { PasswordHasher } from "../../core/ports/password-hasher.js";
+import { type Result, err, ok } from "../../core/types/result.js";
+
+/**
+ * Bun-native password hasher using Argon2id via Bun.password.
+ * Zero external dependencies — Bun ships Argon2 in its runtime.
+ */
+export const createPasswordHasher = (): PasswordHasher => ({
+  async hash(plain: string): Promise<Result<string, AppError>> {
+    try {
+      const hashed = await Bun.password.hash(plain, {
+        algorithm: "argon2id",
+        memoryCost: 65536, // 64 MiB
+        timeCost: 3,
+      });
+      return ok(hashed);
+    } catch (e: unknown) {
+      return err(internal("Failed to hash password", e));
+    }
+  },
+
+  async verify(plain: string, hash: string): Promise<Result<boolean, AppError>> {
+    try {
+      const matches = await Bun.password.verify(plain, hash);
+      return ok(matches);
+    } catch (e: unknown) {
+      return err(internal("Failed to verify password", e));
+    }
+  },
+});

package/src/infrastructure/security/password-policy.ts

@@ -0,0 +1,77 @@
+import { type AppError, internal } from "../../core/errors/app-error.js";
+import type { PasswordHasher } from "../../core/ports/password-hasher.js";
+import type { PasswordHistory } from "../../core/ports/password-history.js";
+import type {
+  PasswordPolicy,
+  PasswordPolicyConfig,
+  PasswordPolicyResult,
+} from "../../core/ports/password-policy.js";
+import type { UserId } from "../../core/types/brand.js";
+import { type Result, err, ok } from "../../core/types/result.js";
+
+/**
+ * Password policy validator.
+ * Checks complexity rules, history reuse, and expiry.
+ * Zero external dependencies.
+ */
+
+const SPECIAL_CHARS = /[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]/;
+
+export const createPasswordPolicy = (config: PasswordPolicyConfig): PasswordPolicy => ({
+  config,
+
+  validate(password: string): PasswordPolicyResult {
+    const violations: string[] = [];
+
+    if (password.length < config.minLength) {
+      violations.push(`Password must be at least ${config.minLength} characters`);
+    }
+    if (config.requireUppercase && !/[A-Z]/.test(password)) {
+      violations.push("Password must contain at least one uppercase letter");
+    }
+    if (config.requireLowercase && !/[a-z]/.test(password)) {
+      violations.push("Password must contain at least one lowercase letter");
+    }
+    if (config.requireDigit && !/\d/.test(password)) {
+      violations.push("Password must contain at least one digit");
+    }
+    if (config.requireSpecial && !SPECIAL_CHARS.test(password)) {
+      violations.push("Password must contain at least one special character");
+    }
+
+    return { valid: violations.length === 0, violations };
+  },
+
+  async checkHistory(
+    userId: UserId,
+    password: string,
+    passwordHasher: PasswordHasher,
+    history: PasswordHistory,
+  ): Promise<Result<boolean, AppError>> {
+    if (config.historyCount <= 0) return ok(false);
+
+    try {
+      const recentResult = await history.getRecent(userId, config.historyCount);
+      if (!recentResult.ok) return recentResult;
+
+      for (const oldHash of recentResult.value) {
+        const verifyResult = await passwordHasher.verify(password, oldHash);
+        if (!verifyResult.ok) return verifyResult;
+        if (verifyResult.value) {
+          return ok(true); // password was recently used
+        }
+      }
+
+      return ok(false);
+    } catch (e: unknown) {
+      return err(internal("Failed to check password history", e));
+    }
+  },
+
+  isExpired(passwordChangedAt: number | null): boolean {
+    if (config.maxAgeDays <= 0) return false;
+    if (passwordChangedAt === null) return false;
+    const maxAgeMs = config.maxAgeDays * 24 * 60 * 60 * 1000;
+    return Date.now() - passwordChangedAt > maxAgeMs;
+  },
+});

package/src/infrastructure/security/token-blacklist.ts

@@ -0,0 +1,45 @@
+import type { AppError } from "../../core/errors/app-error.js";
+import type { TokenBlacklist } from "../../core/ports/token-blacklist.js";
+import { type Result, ok } from "../../core/types/result.js";
+
+/**
+ * In-memory token blacklist — suitable for single-process deployments.
+ * For multi-process / clustered deployments, swap for Redis-backed adapter.
+ */
+export const createInMemoryTokenBlacklist = (): TokenBlacklist => {
+  const store = new Map<string, number>(); // tokenHash → expiresAt
+  let lastPrune = 0;
+
+  return {
+    async add(tokenHash: string, expiresAt: number): Promise<Result<void, AppError>> {
+      store.set(tokenHash, expiresAt);
+      return ok(undefined);
+    },
+
+    async isBlacklisted(tokenHash: string): Promise<Result<boolean, AppError>> {
+      const expiresAt = store.get(tokenHash);
+      if (expiresAt === undefined) return ok(false);
+      // Auto-remove expired entries on read
+      if (expiresAt <= Date.now()) {
+        store.delete(tokenHash);
+        return ok(false);
+      }
+      return ok(true);
+    },
+
+    async prune(): Promise<Result<number, AppError>> {
+      const now = Date.now();
+      if (now - lastPrune < 60_000) return ok(0); // at most once per minute
+      lastPrune = now;
+
+      let pruned = 0;
+      for (const [hash, expiresAt] of store) {
+        if (expiresAt <= now) {
+          store.delete(hash);
+          pruned++;
+        }
+      }
+      return ok(pruned);
+    },
+  };
+};

package/src/infrastructure/security/token-service.ts

@@ -0,0 +1,144 @@
+import type { UserRole } from "../../core/entities/user.entity.js";
+import { type AppError, internal, unauthorized } from "../../core/errors/app-error.js";
+import type { TokenPair, TokenPayload, TokenService } from "../../core/ports/token-service.js";
+import type { UserId } from "../../core/types/brand.js";
+import { type Result, err, ok } from "../../core/types/result.js";
+
+/**
+ * JWT token service using Web Crypto API (Bun-native, zero deps).
+ * Signs with HMAC-SHA256.
+ */
+
+interface JwtConfig {
+  readonly secret: string;
+  readonly expiresIn: string;
+  readonly refreshExpiresIn: string;
+}
+
+const parseDuration = (duration: string): number => {
+  const match = duration.match(/^(\d+)([smhd])$/);
+  if (!match) throw new Error(`Invalid duration format: ${duration}`);
+  const value = Number(match[1]);
+  const unit = match[2];
+  const multipliers: Record<string, number> = { s: 1, m: 60, h: 3600, d: 86400 };
+  return value * (multipliers[unit ?? "m"] ?? 60);
+};
+
+const base64url = (buf: ArrayBuffer): string =>
+  btoa(String.fromCharCode(...new Uint8Array(buf)))
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=+$/, "");
+
+const base64urlEncode = (str: string): string =>
+  base64url(new TextEncoder().encode(str).buffer as ArrayBuffer);
+
+const base64urlDecode = (str: string): string => {
+  const padded = str.replace(/-/g, "+").replace(/_/g, "/");
+  return atob(padded);
+};
+
+const importKey = async (secret: string): Promise<CryptoKey> =>
+  crypto.subtle.importKey(
+    "raw",
+    new TextEncoder().encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign", "verify"],
+  );
+
+const createJwt = async (
+  payload: Record<string, unknown>,
+  secret: string,
+  expiresInSeconds: number,
+): Promise<string> => {
+  const header = base64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
+  const now = Math.floor(Date.now() / 1000);
+  const body = base64urlEncode(
+    JSON.stringify({ ...payload, iat: now, exp: now + expiresInSeconds }),
+  );
+  const data = `${header}.${body}`;
+  const key = await importKey(secret);
+  const sig = await crypto.subtle.sign("HMAC", key, new TextEncoder().encode(data));
+  return `${data}.${base64url(sig)}`;
+};
+
+const verifyJwt = async (
+  token: string,
+  secret: string,
+): Promise<Record<string, unknown> | null> => {
+  const parts = token.split(".");
+  if (parts.length !== 3) return null;
+  const [header, body, sig] = parts as [string, string, string];
+  const key = await importKey(secret);
+  const data = `${header}.${body}`;
+
+  // Reconstruct signature buffer
+  const sigStr = sig.replace(/-/g, "+").replace(/_/g, "/");
+  const sigBuf = Uint8Array.from(atob(sigStr), (c) => c.charCodeAt(0));
+
+  const valid = await crypto.subtle.verify("HMAC", key, sigBuf, new TextEncoder().encode(data));
+  if (!valid) return null;
+
+  const payload = JSON.parse(base64urlDecode(body)) as Record<string, unknown>;
+  const now = Math.floor(Date.now() / 1000);
+  if (typeof payload["exp"] === "number" && payload["exp"] < now) return null;
+
+  return payload;
+};
+
+export const createTokenService = (config: JwtConfig): TokenService => {
+  const accessTtl = parseDuration(config.expiresIn);
+  const refreshTtl = parseDuration(config.refreshExpiresIn);
+
+  return {
+    async sign(payload: TokenPayload): Promise<Result<TokenPair, AppError>> {
+      try {
+        const claims = { sub: payload.sub, role: payload.role, type: "access" };
+        const refreshClaims = { sub: payload.sub, role: payload.role, type: "refresh" };
+        const [accessToken, refreshToken] = await Promise.all([
+          createJwt(claims, config.secret, accessTtl),
+          createJwt(refreshClaims, config.secret, refreshTtl),
+        ]);
+        return ok({ accessToken, refreshToken });
+      } catch (e: unknown) {
+        return err(internal("Failed to sign token", e));
+      }
+    },
+
+    async verify(token: string): Promise<Result<TokenPayload, AppError>> {
+      try {
+        const payload = await verifyJwt(token, config.secret);
+        if (!payload) return err(unauthorized("Invalid or expired token"));
+        return ok({
+          sub: payload["sub"] as UserId,
+          role: payload["role"] as UserRole,
+        });
+      } catch (e: unknown) {
+        return err(unauthorized("Token verification failed"));
+      }
+    },
+
+    async refresh(refreshToken: string): Promise<Result<TokenPair, AppError>> {
+      try {
+        const payload = await verifyJwt(refreshToken, config.secret);
+        if (!payload || payload["type"] !== "refresh") {
+          return err(unauthorized("Invalid refresh token"));
+        }
+        const newClaims = {
+          sub: payload["sub"] as UserId,
+          role: payload["role"] as UserRole,
+        };
+        const refreshClaims = { ...newClaims, type: "refresh" };
+        const accessClaims = { ...newClaims, type: "access" };
+        const [accessTk, refreshTk] = await Promise.all([
+          createJwt(accessClaims, config.secret, accessTtl),
+          createJwt(refreshClaims, config.secret, refreshTtl),
+        ]);
+        return ok({ accessToken: accessTk, refreshToken: refreshTk });
+      } catch (e: unknown) {
+        return err(internal("Failed to refresh token", e));
+      }
+    },
+  };
+};