@factiii/auth 0.1.1 → 0.3.0

package/dist/{chunk-2DOUP275.mjs → chunk-PYVDWODF.mjs}

@@ -5,8 +5,10 @@ var signupSchema = z.object({
   username: z.string().min(1, { message: "Username is required" }).max(30, { message: "Username must be 30 characters or less" }).regex(usernameValidationRegex, {
     message: "Username can only contain letters, numbers, and underscores"
   }),
-  email: z.string().email({ message: "Invalid email address" }),
-  password: z.string().min(6, { message: "Password must contain at least 6 characters" })
+  email: z.string().max(254, { message: "Email must be 254 characters or less" }).email({ message: "Invalid email address" }),
+  password: z.string().min(6, { message: "Password must contain at least 6 characters" }).max(72, { message: "Password must be 72 characters or less" }).refine((val) => val.trim().length >= 6, {
+    message: "Password cannot be only whitespace"
+  })
 });
 var loginSchema = z.object({
   username: z.string().min(1, { message: "Username or email is required" }),
@@ -26,14 +28,14 @@ var requestPasswordResetSchema = z.object({
 });
 var resetPasswordSchema = z.object({
   token: z.string().min(1, { message: "Reset token is required" }),
-  password: z.string().min(6, { message: "Password must contain at least 6 characters" })
+  password: z.string().min(6, { message: "Password must contain at least 6 characters" }).max(72, { message: "Password must be 72 characters or less" })
 });
 var checkPasswordResetSchema = z.object({
   token: z.string().min(1, { message: "Reset token is required" })
 });
 var changePasswordSchema = z.object({
   currentPassword: z.string().min(1, { message: "Current password is required" }),
-  newPassword: z.string().min(6, { message: "New password must contain at least 6 characters" })
+  newPassword: z.string().min(6, { message: "New password must contain at least 6 characters" }).max(72, { message: "Password must be 72 characters or less" })
 });
 var twoFaVerifySchema = z.object({
   code: z.string().min(6, { message: "Verification code is required" }),

package/dist/{hooks-CK4f4PHo.d.mts → hooks-B41uikq7.d.mts}

@@ -6,7 +6,7 @@ import { z, AnyZodObject } from 'zod';
 declare const signupSchema: z.ZodObject<{
     username: z.ZodString;
     email: z.ZodString;
-    password: z.ZodString;
+    password: z.ZodEffects<z.ZodString, string, string>;
 }, "strip", z.ZodTypeAny, {
     email: string;
     username: string;

package/dist/{hooks-CK4f4PHo.d.ts → hooks-B41uikq7.d.ts}

@@ -6,7 +6,7 @@ import { z, AnyZodObject } from 'zod';
 declare const signupSchema: z.ZodObject<{
     username: z.ZodString;
     email: z.ZodString;
-    password: z.ZodString;
+    password: z.ZodEffects<z.ZodString, string, string>;
 }, "strip", z.ZodTypeAny, {
     email: string;
     username: string;

package/dist/index.d.mts

@@ -6,8 +6,8 @@ import { PrismaClient } from '@prisma/client';
 import * as _trpc_server from '@trpc/server';
 import * as zod from 'zod';
 import { CreateHTTPContextOptions } from '@trpc/server/adapters/standalone';
-import { S as SchemaExtensions, A as AuthHooks } from './hooks-CK4f4PHo.mjs';
-export { C as ChangePasswordInput, L as LoginInput, a as LogoutInput, O as OAuthLoginInput, R as ResetPasswordInput, b as SignupInput, T as TwoFaVerifyInput, V as VerifyEmailInput, c as biometricVerifySchema, d as changePasswordSchema, e as endAllSessionsSchema, l as loginSchema, f as logoutSchema, o as oAuthLoginSchema, g as otpLoginRequestSchema, h as otpLoginVerifySchema, r as requestPasswordResetSchema, i as resetPasswordSchema, s as signupSchema, t as twoFaResetSchema, j as twoFaSetupSchema, k as twoFaVerifySchema, v as verifyEmailSchema } from './hooks-CK4f4PHo.mjs';
+import { S as SchemaExtensions, A as AuthHooks } from './hooks-B41uikq7.mjs';
+export { C as ChangePasswordInput, L as LoginInput, a as LogoutInput, O as OAuthLoginInput, R as ResetPasswordInput, b as SignupInput, T as TwoFaVerifyInput, V as VerifyEmailInput, c as biometricVerifySchema, d as changePasswordSchema, e as endAllSessionsSchema, l as loginSchema, f as logoutSchema, o as oAuthLoginSchema, g as otpLoginRequestSchema, h as otpLoginVerifySchema, r as requestPasswordResetSchema, i as resetPasswordSchema, s as signupSchema, t as twoFaResetSchema, j as twoFaSetupSchema, k as twoFaVerifySchema, v as verifyEmailSchema } from './hooks-B41uikq7.mjs';
 import { SignOptions } from 'jsonwebtoken';
 
 //# sourceMappingURL=TRPCError.d.ts.map
@@ -232,6 +232,8 @@ interface TokenSettings {
 interface AuthFeatures {
     /** Enable two-factor authentication */
     twoFa?: boolean;
+    /** Require mobile device to enable 2FA (default: true). Set to false for testing. */
+    twoFaRequiresDevice?: boolean;
     /** OAuth providers configuration */
     oauth?: {
         google?: boolean;
@@ -657,19 +659,19 @@ declare function createAuthRouter<TExtensions extends SchemaExtensions = {}>(con
                 input: inferParser<[TExtensions["signup"]] extends [zod.AnyZodObject] ? zod.ZodObject<{
                     username: zod.ZodString;
                     email: zod.ZodString;
-                    password: zod.ZodString;
+                    password: zod.ZodEffects<zod.ZodString, string, string>;
                 } & TExtensions["signup"]["shape"], "strip", zod.ZodTypeAny, zod.objectUtil.addQuestionMarks<zod.baseObjectOutputType<{
                     username: zod.ZodString;
                     email: zod.ZodString;
-                    password: zod.ZodString;
+                    password: zod.ZodEffects<zod.ZodString, string, string>;
                 } & TExtensions["signup"]["shape"]>, any> extends infer T_5 ? { [k_2 in keyof T_5]: T_5[k_2]; } : never, zod.baseObjectInputType<{
                     username: zod.ZodString;
                     email: zod.ZodString;
-                    password: zod.ZodString;
+                    password: zod.ZodEffects<zod.ZodString, string, string>;
                 } & TExtensions["signup"]["shape"]> extends infer T_6 ? { [k_3 in keyof T_6]: T_6[k_3]; } : never> : zod.ZodObject<{
                     username: zod.ZodString;
                     email: zod.ZodString;
-                    password: zod.ZodString;
+                    password: zod.ZodEffects<zod.ZodString, string, string>;
                 }, "strip", zod.ZodTypeAny, {
                     email: string;
                     username: string;
@@ -681,19 +683,19 @@ declare function createAuthRouter<TExtensions extends SchemaExtensions = {}>(con
                 }>>["in"] extends infer T_7 ? T_7 extends inferParser<[TExtensions["signup"]] extends [zod.AnyZodObject] ? zod.ZodObject<{
                     username: zod.ZodString;
                     email: zod.ZodString;
-                    password: zod.ZodString;
+                    password: zod.ZodEffects<zod.ZodString, string, string>;
                 } & TExtensions["signup"]["shape"], "strip", zod.ZodTypeAny, zod.objectUtil.addQuestionMarks<zod.baseObjectOutputType<{
                     username: zod.ZodString;
                     email: zod.ZodString;
-                    password: zod.ZodString;
+                    password: zod.ZodEffects<zod.ZodString, string, string>;
                 } & TExtensions["signup"]["shape"]>, any> extends infer T_8 ? { [k_2 in keyof T_8]: T_8[k_2]; } : never, zod.baseObjectInputType<{
                     username: zod.ZodString;
                     email: zod.ZodString;
-                    password: zod.ZodString;
+                    password: zod.ZodEffects<zod.ZodString, string, string>;
                 } & TExtensions["signup"]["shape"]> extends infer T_9 ? { [k_3 in keyof T_9]: T_9[k_3]; } : never> : zod.ZodObject<{
                     username: zod.ZodString;
                     email: zod.ZodString;
-                    password: zod.ZodString;
+                    password: zod.ZodEffects<zod.ZodString, string, string>;
                 }, "strip", zod.ZodTypeAny, {
                     email: string;
                     username: string;

package/dist/index.d.ts

@@ -6,8 +6,8 @@ import { PrismaClient } from '@prisma/client';
 import * as _trpc_server from '@trpc/server';
 import * as zod from 'zod';
 import { CreateHTTPContextOptions } from '@trpc/server/adapters/standalone';
-import { S as SchemaExtensions, A as AuthHooks } from './hooks-CK4f4PHo.js';
-export { C as ChangePasswordInput, L as LoginInput, a as LogoutInput, O as OAuthLoginInput, R as ResetPasswordInput, b as SignupInput, T as TwoFaVerifyInput, V as VerifyEmailInput, c as biometricVerifySchema, d as changePasswordSchema, e as endAllSessionsSchema, l as loginSchema, f as logoutSchema, o as oAuthLoginSchema, g as otpLoginRequestSchema, h as otpLoginVerifySchema, r as requestPasswordResetSchema, i as resetPasswordSchema, s as signupSchema, t as twoFaResetSchema, j as twoFaSetupSchema, k as twoFaVerifySchema, v as verifyEmailSchema } from './hooks-CK4f4PHo.js';
+import { S as SchemaExtensions, A as AuthHooks } from './hooks-B41uikq7.js';
+export { C as ChangePasswordInput, L as LoginInput, a as LogoutInput, O as OAuthLoginInput, R as ResetPasswordInput, b as SignupInput, T as TwoFaVerifyInput, V as VerifyEmailInput, c as biometricVerifySchema, d as changePasswordSchema, e as endAllSessionsSchema, l as loginSchema, f as logoutSchema, o as oAuthLoginSchema, g as otpLoginRequestSchema, h as otpLoginVerifySchema, r as requestPasswordResetSchema, i as resetPasswordSchema, s as signupSchema, t as twoFaResetSchema, j as twoFaSetupSchema, k as twoFaVerifySchema, v as verifyEmailSchema } from './hooks-B41uikq7.js';
 import { SignOptions } from 'jsonwebtoken';
 
 //# sourceMappingURL=TRPCError.d.ts.map
@@ -232,6 +232,8 @@ interface TokenSettings {
 interface AuthFeatures {
     /** Enable two-factor authentication */
     twoFa?: boolean;
+    /** Require mobile device to enable 2FA (default: true). Set to false for testing. */
+    twoFaRequiresDevice?: boolean;
     /** OAuth providers configuration */
     oauth?: {
         google?: boolean;
@@ -657,19 +659,19 @@ declare function createAuthRouter<TExtensions extends SchemaExtensions = {}>(con
                 input: inferParser<[TExtensions["signup"]] extends [zod.AnyZodObject] ? zod.ZodObject<{
                     username: zod.ZodString;
                     email: zod.ZodString;
-                    password: zod.ZodString;
+                    password: zod.ZodEffects<zod.ZodString, string, string>;
                 } & TExtensions["signup"]["shape"], "strip", zod.ZodTypeAny, zod.objectUtil.addQuestionMarks<zod.baseObjectOutputType<{
                     username: zod.ZodString;
                     email: zod.ZodString;
-                    password: zod.ZodString;
+                    password: zod.ZodEffects<zod.ZodString, string, string>;
                 } & TExtensions["signup"]["shape"]>, any> extends infer T_5 ? { [k_2 in keyof T_5]: T_5[k_2]; } : never, zod.baseObjectInputType<{
                     username: zod.ZodString;
                     email: zod.ZodString;
-                    password: zod.ZodString;
+                    password: zod.ZodEffects<zod.ZodString, string, string>;
                 } & TExtensions["signup"]["shape"]> extends infer T_6 ? { [k_3 in keyof T_6]: T_6[k_3]; } : never> : zod.ZodObject<{
                     username: zod.ZodString;
                     email: zod.ZodString;
-                    password: zod.ZodString;
+                    password: zod.ZodEffects<zod.ZodString, string, string>;
                 }, "strip", zod.ZodTypeAny, {
                     email: string;
                     username: string;
@@ -681,19 +683,19 @@ declare function createAuthRouter<TExtensions extends SchemaExtensions = {}>(con
                 }>>["in"] extends infer T_7 ? T_7 extends inferParser<[TExtensions["signup"]] extends [zod.AnyZodObject] ? zod.ZodObject<{
                     username: zod.ZodString;
                     email: zod.ZodString;
-                    password: zod.ZodString;
+                    password: zod.ZodEffects<zod.ZodString, string, string>;
                 } & TExtensions["signup"]["shape"], "strip", zod.ZodTypeAny, zod.objectUtil.addQuestionMarks<zod.baseObjectOutputType<{
                     username: zod.ZodString;
                     email: zod.ZodString;
-                    password: zod.ZodString;
+                    password: zod.ZodEffects<zod.ZodString, string, string>;
                 } & TExtensions["signup"]["shape"]>, any> extends infer T_8 ? { [k_2 in keyof T_8]: T_8[k_2]; } : never, zod.baseObjectInputType<{
                     username: zod.ZodString;
                     email: zod.ZodString;
-                    password: zod.ZodString;
+                    password: zod.ZodEffects<zod.ZodString, string, string>;
                 } & TExtensions["signup"]["shape"]> extends infer T_9 ? { [k_3 in keyof T_9]: T_9[k_3]; } : never> : zod.ZodObject<{
                     username: zod.ZodString;
                     email: zod.ZodString;
-                    password: zod.ZodString;
+                    password: zod.ZodEffects<zod.ZodString, string, string>;
                 }, "strip", zod.ZodTypeAny, {
                     email: string;
                     username: string;

package/dist/index.js

@@ -86,22 +86,20 @@ var import_server = require("@trpc/server");
 function createNoopEmailAdapter() {
   return {
     async sendVerificationEmail(email, code) {
-      console.log(
+      console.debug(
         `[NoopEmailAdapter] Would send verification email to ${email} with code ${code}`
       );
     },
     async sendPasswordResetEmail(email, token) {
-      console.log(
+      console.debug(
         `[NoopEmailAdapter] Would send password reset email to ${email} with token ${token}`
       );
     },
     async sendOTPEmail(email, otp) {
-      console.log(
-        `[NoopEmailAdapter] Would send OTP email to ${email} with code ${otp}`
-      );
+      console.debug(`[NoopEmailAdapter] Would send OTP email to ${email} with code ${otp}`);
     },
     async sendLoginNotification(email, browserName, ip) {
-      console.log(
+      console.debug(
         `[NoopEmailAdapter] Would send login notification to ${email} from ${browserName} (${ip})`
       );
     }
@@ -160,6 +158,7 @@ var defaultStorageKeys = {
 };
 var defaultFeatures = {
   twoFa: true,
+  twoFaRequiresDevice: true,
   oauth: { google: true, apple: true },
   biometric: false,
   emailVerification: true,
@@ -307,9 +306,7 @@ function decodeToken(token) {
   }
 }
 function isJwtError(error) {
-  return error instanceof Error && ["TokenExpiredError", "JsonWebTokenError", "NotBeforeError"].includes(
-    error.name
-  );
+  return error instanceof Error && ["TokenExpiredError", "JsonWebTokenError", "NotBeforeError"].includes(error.name);
 }
 function isTokenExpiredError(error) {
   return isJwtError(error) && error.name === "TokenExpiredError";
@@ -326,6 +323,7 @@ function createAuthGuard(config, t) {
     clearAuthCookies(ctx.res, cookieSettings, storageKeys);
     if (config.hooks?.logError) {
       try {
+        const cookieHeader = ctx.headers.cookie;
         const contextInfo = {
           reason: description,
           sessionId,
@@ -333,6 +331,11 @@ function createAuthGuard(config, t) {
           ip: ctx.ip,
           userAgent: ctx.headers["user-agent"],
           ...path ? { path } : {},
+          // Diagnostic: was Cookie header present at all, and which keys were sent?
+          hasCookieHeader: Boolean(cookieHeader),
+          cookieKeys: cookieHeader ? cookieHeader.split(";").map((c) => c.trim().split("=")[0]).filter(Boolean) : [],
+          origin: ctx.headers.origin ?? null,
+          referer: ctx.headers.referer ?? null,
           timestamp: (/* @__PURE__ */ new Date()).toISOString()
         };
         const combinedStack = [
@@ -363,11 +366,7 @@ ${errorStack}` : null,
             select: { id: true, userId: true, socketId: true }
           });
           if (session) {
-            await config.hooks.onSessionRevoked(
-              session.userId,
-              session.socketId,
-              description
-            );
+            await config.hooks.onSessionRevoked(session.userId, session.socketId, description);
           }
         }
       } catch {
@@ -436,13 +435,7 @@ ${errorStack}` : null,
           });
         }
         if (session.user.status === "BANNED") {
-          await revokeSession(
-            ctx,
-            session.id,
-            "Session revoked: User banned",
-            void 0,
-            path
-          );
+          await revokeSession(ctx, session.id, "Session revoked: User banned", void 0, path);
           throw new import_server.TRPCError({
             message: "Unauthorized",
             code: "UNAUTHORIZED"
@@ -450,9 +443,7 @@ ${errorStack}` : null,
         }
         if (config.features?.biometric && config.hooks?.getBiometricTimeout) {
           const timeoutMs = await config.hooks.getBiometricTimeout();
-          if (timeoutMs !== null && !["auth.refresh", "auth.verifyBiometric", "auth.logout"].includes(
-            path
-          )) {
+          if (timeoutMs !== null && !["auth.refresh", "auth.verifyBiometric", "auth.logout"].includes(path)) {
             if (!session.user.verifiedHumanAt) {
               throw new import_server.TRPCError({
                 message: "Biometric verification not completed. Please verify again.",
@@ -460,9 +451,7 @@ ${errorStack}` : null,
               });
             }
             const now = /* @__PURE__ */ new Date();
-            const verificationExpiry = new Date(
-              session.user.verifiedHumanAt.getTime() + timeoutMs
-            );
+            const verificationExpiry = new Date(session.user.verifiedHumanAt.getTime() + timeoutMs);
             if (now > verificationExpiry) {
               throw new import_server.TRPCError({
                 message: "Biometric verification expired. Please verify again.",
@@ -534,13 +523,7 @@ ${errorStack}` : null,
           });
         }
         if (err instanceof import_server.TRPCError && err.code === "UNAUTHORIZED") {
-          await revokeSession(
-            ctx,
-            null,
-            "Session revoked: Unauthorized",
-            errorStack,
-            path
-          );
+          await revokeSession(ctx, null, "Session revoked: Unauthorized", errorStack, path);
           throw new import_server.TRPCError({
             message: "Unauthorized",
             code: "UNAUTHORIZED"
@@ -552,13 +535,7 @@ ${errorStack}` : null,
       if (!meta?.authRequired) {
         return next({ ctx: { ...ctx, userId: 0 } });
       }
-      await revokeSession(
-        ctx,
-        null,
-        "Session revoked: No token sent",
-        void 0,
-        path
-      );
+      await revokeSession(ctx, null, "Session revoked: No token sent", void 0, path);
       throw new import_server.TRPCError({ message: "Unauthorized", code: "UNAUTHORIZED" });
     }
   });
@@ -579,25 +556,19 @@ function detectBrowser(userAgent) {
     return "iOS Browser (Chrome)";
   if (/iphone|ipad|ipod/i.test(userAgent) && /fxios/i.test(userAgent))
     return "iOS Browser (Firefox)";
-  if (/iphone|ipad|ipod/i.test(userAgent) && /edg\//i.test(userAgent))
-    return "iOS Browser (Edge)";
+  if (/iphone|ipad|ipod/i.test(userAgent) && /edg\//i.test(userAgent)) return "iOS Browser (Edge)";
   if (/android/i.test(userAgent) && !/chrome|firefox|samsungbrowser|opr\/|edg\//i.test(userAgent)) {
     return "Android App";
   }
-  if (/android/i.test(userAgent) && /chrome/i.test(userAgent))
-    return "Android Browser (Chrome)";
-  if (/android/i.test(userAgent) && /firefox/i.test(userAgent))
-    return "Android Browser (Firefox)";
+  if (/android/i.test(userAgent) && /chrome/i.test(userAgent)) return "Android Browser (Chrome)";
+  if (/android/i.test(userAgent) && /firefox/i.test(userAgent)) return "Android Browser (Firefox)";
   if (/android/i.test(userAgent) && /samsungbrowser/i.test(userAgent))
     return "Android Browser (Samsung)";
-  if (/android/i.test(userAgent) && /opr\//i.test(userAgent))
-    return "Android Browser (Opera)";
-  if (/android/i.test(userAgent) && /edg\//i.test(userAgent))
-    return "Android Browser (Edge)";
+  if (/android/i.test(userAgent) && /opr\//i.test(userAgent)) return "Android Browser (Opera)";
+  if (/android/i.test(userAgent) && /edg\//i.test(userAgent)) return "Android Browser (Edge)";
   if (/chrome|chromium/i.test(userAgent)) return "Chrome";
   if (/firefox/i.test(userAgent)) return "Firefox";
-  if (/safari/i.test(userAgent) && !/chrome|chromium|crios/i.test(userAgent))
-    return "Safari";
+  if (/safari/i.test(userAgent) && !/chrome|chromium|crios/i.test(userAgent)) return "Safari";
   if (/opr\//i.test(userAgent)) return "Opera";
   if (/edg\//i.test(userAgent)) return "Edge";
   return "Unknown";
@@ -631,16 +602,10 @@ function createOAuthVerifier(keys) {
   return async function verifyOAuthToken(provider, token, extra) {
     if (provider === "GOOGLE") {
       if (!keys.google?.clientId) {
-        throw new OAuthVerificationError(
-          "Google OAuth configuration missing",
-          500
-        );
+        throw new OAuthVerificationError("Google OAuth configuration missing", 500);
       }
       if (!googleClient) {
-        throw new OAuthVerificationError(
-          "Google OAuth client not initialized",
-          500
-        );
+        throw new OAuthVerificationError("Google OAuth client not initialized", 500);
       }
       const audience = [keys.google.clientId];
       if (keys.google.iosClientId) {
@@ -661,10 +626,7 @@ function createOAuthVerifier(keys) {
     }
     if (provider === "APPLE") {
       if (!keys.apple?.clientId) {
-        throw new OAuthVerificationError(
-          "Apple OAuth configuration missing",
-          500
-        );
+        throw new OAuthVerificationError("Apple OAuth configuration missing", 500);
       }
       const audience = [keys.apple.clientId];
       if (keys.apple.iosClientId) {
@@ -744,8 +706,10 @@ var signupSchema = import_zod.z.object({
   username: import_zod.z.string().min(1, { message: "Username is required" }).max(30, { message: "Username must be 30 characters or less" }).regex(usernameValidationRegex, {
     message: "Username can only contain letters, numbers, and underscores"
   }),
-  email: import_zod.z.string().email({ message: "Invalid email address" }),
-  password: import_zod.z.string().min(6, { message: "Password must contain at least 6 characters" })
+  email: import_zod.z.string().max(254, { message: "Email must be 254 characters or less" }).email({ message: "Invalid email address" }),
+  password: import_zod.z.string().min(6, { message: "Password must contain at least 6 characters" }).max(72, { message: "Password must be 72 characters or less" }).refine((val) => val.trim().length >= 6, {
+    message: "Password cannot be only whitespace"
+  })
 });
 var loginSchema = import_zod.z.object({
   username: import_zod.z.string().min(1, { message: "Username or email is required" }),
@@ -765,14 +729,14 @@ var requestPasswordResetSchema = import_zod.z.object({
 });
 var resetPasswordSchema = import_zod.z.object({
   token: import_zod.z.string().min(1, { message: "Reset token is required" }),
-  password: import_zod.z.string().min(6, { message: "Password must contain at least 6 characters" })
+  password: import_zod.z.string().min(6, { message: "Password must contain at least 6 characters" }).max(72, { message: "Password must be 72 characters or less" })
 });
 var checkPasswordResetSchema = import_zod.z.object({
   token: import_zod.z.string().min(1, { message: "Reset token is required" })
 });
 var changePasswordSchema = import_zod.z.object({
   currentPassword: import_zod.z.string().min(1, { message: "Current password is required" }),
-  newPassword: import_zod.z.string().min(6, { message: "New password must contain at least 6 characters" })
+  newPassword: import_zod.z.string().min(6, { message: "New password must contain at least 6 characters" }).max(72, { message: "Password must be 72 characters or less" })
 });
 var twoFaVerifySchema = import_zod.z.object({
   code: import_zod.z.string().min(6, { message: "Verification code is required" }),
@@ -1162,7 +1126,11 @@ var BaseProcedureFactory = class {
       });
       for (const session of sessionsToRevoke) {
         if (this.config.hooks?.onSessionRevoked) {
-          await this.config.hooks.onSessionRevoked(session.id, session.socketId, "End all sessions");
+          await this.config.hooks.onSessionRevoked(
+            session.id,
+            session.socketId,
+            "End all sessions"
+          );
         }
       }
       if (!skipCurrentSession) {
@@ -1491,14 +1459,14 @@ var OAuthLoginProcedureFactory = class {
       }
       const { email, oauthId } = await this.verifyOAuthToken(provider, idToken, appleUser);
       if (!email) {
-        throw new import_server5.TRPCError({ code: "BAD_REQUEST", message: "Email not provided by OAuth provider" });
+        throw new import_server5.TRPCError({
+          code: "BAD_REQUEST",
+          message: "Email not provided by OAuth provider"
+        });
       }
       let user = await this.config.prisma.user.findFirst({
         where: {
-          OR: [
-            { email: { equals: email, mode: "insensitive" } },
-            { oauthId: { equals: oauthId } }
-          ]
+          OR: [{ email: { equals: email, mode: "insensitive" } }, { oauthId: { equals: oauthId } }]
         },
         select: {
           id: true,
@@ -1648,15 +1616,17 @@ var TwoFaProcedureFactory = class {
       if (user.twoFaEnabled) {
         throw new import_server6.TRPCError({ code: "BAD_REQUEST", message: "2FA already enabled." });
       }
-      const checkSession = await this.config.prisma.session.findFirst({
-        where: { userId, id: sessionId },
-        select: { deviceId: true }
-      });
-      if (!checkSession?.deviceId) {
-        throw new import_server6.TRPCError({
-          code: "BAD_REQUEST",
-          message: "You must be logged in on mobile to enable 2FA."
+      if (this.config.features.twoFaRequiresDevice !== false) {
+        const checkSession = await this.config.prisma.session.findFirst({
+          where: { userId, id: sessionId },
+          select: { deviceId: true }
         });
+        if (!checkSession?.deviceId) {
+          throw new import_server6.TRPCError({
+            code: "BAD_REQUEST",
+            message: "You must be logged in on mobile to enable 2FA."
+          });
+        }
       }
       await this.config.prisma.session.updateMany({
         where: { userId, revokedAt: null, NOT: { id: sessionId } },
@@ -1880,15 +1850,29 @@ var TwoFaProcedureFactory = class {
       const { pushToken } = input;
       const device = await this.config.prisma.device.findFirst({
         where: {
-          ...userId !== 0 && { users: { some: { id: userId } } },
+          users: { some: { id: userId } },
           pushToken
         },
         select: { id: true }
       });
       if (device) {
-        await this.config.prisma.device.delete({
-          where: { id: device.id }
+        await this.config.prisma.session.updateMany({
+          where: { userId, deviceId: device.id },
+          data: { deviceId: null }
+        });
+        await this.config.prisma.device.update({
+          where: { id: device.id },
+          data: { users: { disconnect: { id: userId } } }
         });
+        const remainingUsers = await this.config.prisma.device.findUnique({
+          where: { id: device.id },
+          select: { users: { select: { id: true }, take: 1 } }
+        });
+        if (!remainingUsers?.users.length) {
+          await this.config.prisma.device.delete({
+            where: { id: device.id }
+          });
+        }
       }
       return { deregistered: true };
     });
@@ -1975,10 +1959,7 @@ function getClientIp(req) {
 }
 
 // src/router.ts
-var createContext = ({
-  req,
-  res
-}) => ({
+var createContext = ({ req, res }) => ({
   headers: req.headers,
   userId: null,
   sessionId: null,
@@ -1991,9 +1972,7 @@ var AuthRouterFactory = class {
   constructor(userConfig) {
     this.userConfig = userConfig;
     this.config = createAuthConfig(this.userConfig);
-    this.schemas = createSchemas(
-      this.config.schemaExtensions
-    );
+    this.schemas = createSchemas(this.config.schemaExtensions);
     this.t = createTrpcBuilder(this.config);
     this.authGuard = createAuthGuard(this.config, this.t);
     this.procedure = createBaseProcedure(this.t, this.authGuard);
@@ -2005,10 +1984,7 @@ var AuthRouterFactory = class {
       this.procedure,
       this.authProcedure
     );
-    const biometricRoutes = new BiometricProcedureFactory(
-      this.config,
-      this.authProcedure
-    );
+    const biometricRoutes = new BiometricProcedureFactory(this.config, this.authProcedure);
     const emailVerificationRoutes = new EmailVerificationProcedureFactory(
       this.config,
       this.authProcedure
@@ -2017,11 +1993,7 @@ var AuthRouterFactory = class {
       this.config,
       this.procedure
     );
-    const twoFaRoutes = new TwoFaProcedureFactory(
-      this.config,
-      this.procedure,
-      this.authProcedure
-    );
+    const twoFaRoutes = new TwoFaProcedureFactory(this.config, this.procedure, this.authProcedure);
     return this.t.router({
       ...baseRoutes.createBaseProcedures(this.schemas),
       ...oAuthLoginRoutes.createOAuthLoginProcedures(this.schemas),

package/dist/index.mjs

@@ -21,7 +21,7 @@ import {
   twoFaSetupSchema,
   twoFaVerifySchema,
   verifyEmailSchema
-} from "./chunk-2DOUP275.mjs";
+} from "./chunk-PYVDWODF.mjs";
 
 // src/middleware/authGuard.ts
 import { TRPCError } from "@trpc/server";
@@ -30,22 +30,20 @@ import { TRPCError } from "@trpc/server";
 function createNoopEmailAdapter() {
   return {
     async sendVerificationEmail(email, code) {
-      console.log(
+      console.debug(
         `[NoopEmailAdapter] Would send verification email to ${email} with code ${code}`
       );
     },
     async sendPasswordResetEmail(email, token) {
-      console.log(
+      console.debug(
         `[NoopEmailAdapter] Would send password reset email to ${email} with token ${token}`
       );
     },
     async sendOTPEmail(email, otp) {
-      console.log(
-        `[NoopEmailAdapter] Would send OTP email to ${email} with code ${otp}`
-      );
+      console.debug(`[NoopEmailAdapter] Would send OTP email to ${email} with code ${otp}`);
     },
     async sendLoginNotification(email, browserName, ip) {
-      console.log(
+      console.debug(
         `[NoopEmailAdapter] Would send login notification to ${email} from ${browserName} (${ip})`
       );
     }
@@ -104,6 +102,7 @@ var defaultStorageKeys = {
 };
 var defaultFeatures = {
   twoFa: true,
+  twoFaRequiresDevice: true,
   oauth: { google: true, apple: true },
   biometric: false,
   emailVerification: true,
@@ -251,9 +250,7 @@ function decodeToken(token) {
   }
 }
 function isJwtError(error) {
-  return error instanceof Error && ["TokenExpiredError", "JsonWebTokenError", "NotBeforeError"].includes(
-    error.name
-  );
+  return error instanceof Error && ["TokenExpiredError", "JsonWebTokenError", "NotBeforeError"].includes(error.name);
 }
 function isTokenExpiredError(error) {
   return isJwtError(error) && error.name === "TokenExpiredError";
@@ -270,6 +267,7 @@ function createAuthGuard(config, t) {
     clearAuthCookies(ctx.res, cookieSettings, storageKeys);
     if (config.hooks?.logError) {
       try {
+        const cookieHeader = ctx.headers.cookie;
         const contextInfo = {
           reason: description,
           sessionId,
@@ -277,6 +275,11 @@ function createAuthGuard(config, t) {
           ip: ctx.ip,
           userAgent: ctx.headers["user-agent"],
           ...path ? { path } : {},
+          // Diagnostic: was Cookie header present at all, and which keys were sent?
+          hasCookieHeader: Boolean(cookieHeader),
+          cookieKeys: cookieHeader ? cookieHeader.split(";").map((c) => c.trim().split("=")[0]).filter(Boolean) : [],
+          origin: ctx.headers.origin ?? null,
+          referer: ctx.headers.referer ?? null,
           timestamp: (/* @__PURE__ */ new Date()).toISOString()
         };
         const combinedStack = [
@@ -307,11 +310,7 @@ ${errorStack}` : null,
             select: { id: true, userId: true, socketId: true }
           });
           if (session) {
-            await config.hooks.onSessionRevoked(
-              session.userId,
-              session.socketId,
-              description
-            );
+            await config.hooks.onSessionRevoked(session.userId, session.socketId, description);
           }
         }
       } catch {
@@ -380,13 +379,7 @@ ${errorStack}` : null,
           });
         }
         if (session.user.status === "BANNED") {
-          await revokeSession(
-            ctx,
-            session.id,
-            "Session revoked: User banned",
-            void 0,
-            path
-          );
+          await revokeSession(ctx, session.id, "Session revoked: User banned", void 0, path);
           throw new TRPCError({
             message: "Unauthorized",
             code: "UNAUTHORIZED"
@@ -394,9 +387,7 @@ ${errorStack}` : null,
         }
         if (config.features?.biometric && config.hooks?.getBiometricTimeout) {
           const timeoutMs = await config.hooks.getBiometricTimeout();
-          if (timeoutMs !== null && !["auth.refresh", "auth.verifyBiometric", "auth.logout"].includes(
-            path
-          )) {
+          if (timeoutMs !== null && !["auth.refresh", "auth.verifyBiometric", "auth.logout"].includes(path)) {
             if (!session.user.verifiedHumanAt) {
               throw new TRPCError({
                 message: "Biometric verification not completed. Please verify again.",
@@ -404,9 +395,7 @@ ${errorStack}` : null,
               });
             }
             const now = /* @__PURE__ */ new Date();
-            const verificationExpiry = new Date(
-              session.user.verifiedHumanAt.getTime() + timeoutMs
-            );
+            const verificationExpiry = new Date(session.user.verifiedHumanAt.getTime() + timeoutMs);
             if (now > verificationExpiry) {
               throw new TRPCError({
                 message: "Biometric verification expired. Please verify again.",
@@ -478,13 +467,7 @@ ${errorStack}` : null,
           });
         }
         if (err instanceof TRPCError && err.code === "UNAUTHORIZED") {
-          await revokeSession(
-            ctx,
-            null,
-            "Session revoked: Unauthorized",
-            errorStack,
-            path
-          );
+          await revokeSession(ctx, null, "Session revoked: Unauthorized", errorStack, path);
           throw new TRPCError({
             message: "Unauthorized",
             code: "UNAUTHORIZED"
@@ -496,13 +479,7 @@ ${errorStack}` : null,
       if (!meta?.authRequired) {
         return next({ ctx: { ...ctx, userId: 0 } });
       }
-      await revokeSession(
-        ctx,
-        null,
-        "Session revoked: No token sent",
-        void 0,
-        path
-      );
+      await revokeSession(ctx, null, "Session revoked: No token sent", void 0, path);
       throw new TRPCError({ message: "Unauthorized", code: "UNAUTHORIZED" });
     }
   });
@@ -523,25 +500,19 @@ function detectBrowser(userAgent) {
     return "iOS Browser (Chrome)";
   if (/iphone|ipad|ipod/i.test(userAgent) && /fxios/i.test(userAgent))
     return "iOS Browser (Firefox)";
-  if (/iphone|ipad|ipod/i.test(userAgent) && /edg\//i.test(userAgent))
-    return "iOS Browser (Edge)";
+  if (/iphone|ipad|ipod/i.test(userAgent) && /edg\//i.test(userAgent)) return "iOS Browser (Edge)";
   if (/android/i.test(userAgent) && !/chrome|firefox|samsungbrowser|opr\/|edg\//i.test(userAgent)) {
     return "Android App";
   }
-  if (/android/i.test(userAgent) && /chrome/i.test(userAgent))
-    return "Android Browser (Chrome)";
-  if (/android/i.test(userAgent) && /firefox/i.test(userAgent))
-    return "Android Browser (Firefox)";
+  if (/android/i.test(userAgent) && /chrome/i.test(userAgent)) return "Android Browser (Chrome)";
+  if (/android/i.test(userAgent) && /firefox/i.test(userAgent)) return "Android Browser (Firefox)";
   if (/android/i.test(userAgent) && /samsungbrowser/i.test(userAgent))
     return "Android Browser (Samsung)";
-  if (/android/i.test(userAgent) && /opr\//i.test(userAgent))
-    return "Android Browser (Opera)";
-  if (/android/i.test(userAgent) && /edg\//i.test(userAgent))
-    return "Android Browser (Edge)";
+  if (/android/i.test(userAgent) && /opr\//i.test(userAgent)) return "Android Browser (Opera)";
+  if (/android/i.test(userAgent) && /edg\//i.test(userAgent)) return "Android Browser (Edge)";
   if (/chrome|chromium/i.test(userAgent)) return "Chrome";
   if (/firefox/i.test(userAgent)) return "Firefox";
-  if (/safari/i.test(userAgent) && !/chrome|chromium|crios/i.test(userAgent))
-    return "Safari";
+  if (/safari/i.test(userAgent) && !/chrome|chromium|crios/i.test(userAgent)) return "Safari";
   if (/opr\//i.test(userAgent)) return "Opera";
   if (/edg\//i.test(userAgent)) return "Edge";
   return "Unknown";
@@ -575,16 +546,10 @@ function createOAuthVerifier(keys) {
   return async function verifyOAuthToken(provider, token, extra) {
     if (provider === "GOOGLE") {
       if (!keys.google?.clientId) {
-        throw new OAuthVerificationError(
-          "Google OAuth configuration missing",
-          500
-        );
+        throw new OAuthVerificationError("Google OAuth configuration missing", 500);
       }
       if (!googleClient) {
-        throw new OAuthVerificationError(
-          "Google OAuth client not initialized",
-          500
-        );
+        throw new OAuthVerificationError("Google OAuth client not initialized", 500);
       }
       const audience = [keys.google.clientId];
       if (keys.google.iosClientId) {
@@ -605,10 +570,7 @@ function createOAuthVerifier(keys) {
     }
     if (provider === "APPLE") {
       if (!keys.apple?.clientId) {
-        throw new OAuthVerificationError(
-          "Apple OAuth configuration missing",
-          500
-        );
+        throw new OAuthVerificationError("Apple OAuth configuration missing", 500);
       }
       const audience = [keys.apple.clientId];
       if (keys.apple.iosClientId) {
@@ -1014,7 +976,11 @@ var BaseProcedureFactory = class {
       });
       for (const session of sessionsToRevoke) {
         if (this.config.hooks?.onSessionRevoked) {
-          await this.config.hooks.onSessionRevoked(session.id, session.socketId, "End all sessions");
+          await this.config.hooks.onSessionRevoked(
+            session.id,
+            session.socketId,
+            "End all sessions"
+          );
         }
       }
       if (!skipCurrentSession) {
@@ -1343,14 +1309,14 @@ var OAuthLoginProcedureFactory = class {
       }
       const { email, oauthId } = await this.verifyOAuthToken(provider, idToken, appleUser);
       if (!email) {
-        throw new TRPCError5({ code: "BAD_REQUEST", message: "Email not provided by OAuth provider" });
+        throw new TRPCError5({
+          code: "BAD_REQUEST",
+          message: "Email not provided by OAuth provider"
+        });
       }
       let user = await this.config.prisma.user.findFirst({
         where: {
-          OR: [
-            { email: { equals: email, mode: "insensitive" } },
-            { oauthId: { equals: oauthId } }
-          ]
+          OR: [{ email: { equals: email, mode: "insensitive" } }, { oauthId: { equals: oauthId } }]
         },
         select: {
           id: true,
@@ -1500,15 +1466,17 @@ var TwoFaProcedureFactory = class {
       if (user.twoFaEnabled) {
         throw new TRPCError6({ code: "BAD_REQUEST", message: "2FA already enabled." });
       }
-      const checkSession = await this.config.prisma.session.findFirst({
-        where: { userId, id: sessionId },
-        select: { deviceId: true }
-      });
-      if (!checkSession?.deviceId) {
-        throw new TRPCError6({
-          code: "BAD_REQUEST",
-          message: "You must be logged in on mobile to enable 2FA."
+      if (this.config.features.twoFaRequiresDevice !== false) {
+        const checkSession = await this.config.prisma.session.findFirst({
+          where: { userId, id: sessionId },
+          select: { deviceId: true }
         });
+        if (!checkSession?.deviceId) {
+          throw new TRPCError6({
+            code: "BAD_REQUEST",
+            message: "You must be logged in on mobile to enable 2FA."
+          });
+        }
       }
       await this.config.prisma.session.updateMany({
         where: { userId, revokedAt: null, NOT: { id: sessionId } },
@@ -1732,15 +1700,29 @@ var TwoFaProcedureFactory = class {
       const { pushToken } = input;
       const device = await this.config.prisma.device.findFirst({
         where: {
-          ...userId !== 0 && { users: { some: { id: userId } } },
+          users: { some: { id: userId } },
           pushToken
         },
         select: { id: true }
       });
       if (device) {
-        await this.config.prisma.device.delete({
-          where: { id: device.id }
+        await this.config.prisma.session.updateMany({
+          where: { userId, deviceId: device.id },
+          data: { deviceId: null }
+        });
+        await this.config.prisma.device.update({
+          where: { id: device.id },
+          data: { users: { disconnect: { id: userId } } }
         });
+        const remainingUsers = await this.config.prisma.device.findUnique({
+          where: { id: device.id },
+          select: { users: { select: { id: true }, take: 1 } }
+        });
+        if (!remainingUsers?.users.length) {
+          await this.config.prisma.device.delete({
+            where: { id: device.id }
+          });
+        }
       }
       return { deregistered: true };
     });
@@ -1827,10 +1809,7 @@ function getClientIp(req) {
 }
 
 // src/router.ts
-var createContext = ({
-  req,
-  res
-}) => ({
+var createContext = ({ req, res }) => ({
   headers: req.headers,
   userId: null,
   sessionId: null,
@@ -1843,9 +1822,7 @@ var AuthRouterFactory = class {
   constructor(userConfig) {
     this.userConfig = userConfig;
     this.config = createAuthConfig(this.userConfig);
-    this.schemas = createSchemas(
-      this.config.schemaExtensions
-    );
+    this.schemas = createSchemas(this.config.schemaExtensions);
     this.t = createTrpcBuilder(this.config);
     this.authGuard = createAuthGuard(this.config, this.t);
     this.procedure = createBaseProcedure(this.t, this.authGuard);
@@ -1857,10 +1834,7 @@ var AuthRouterFactory = class {
       this.procedure,
       this.authProcedure
     );
-    const biometricRoutes = new BiometricProcedureFactory(
-      this.config,
-      this.authProcedure
-    );
+    const biometricRoutes = new BiometricProcedureFactory(this.config, this.authProcedure);
     const emailVerificationRoutes = new EmailVerificationProcedureFactory(
       this.config,
       this.authProcedure
@@ -1869,11 +1843,7 @@ var AuthRouterFactory = class {
       this.config,
       this.procedure
     );
-    const twoFaRoutes = new TwoFaProcedureFactory(
-      this.config,
-      this.procedure,
-      this.authProcedure
-    );
+    const twoFaRoutes = new TwoFaProcedureFactory(this.config, this.procedure, this.authProcedure);
     return this.t.router({
       ...baseRoutes.createBaseProcedures(this.schemas),
       ...oAuthLoginRoutes.createOAuthLoginProcedures(this.schemas),

package/dist/validators.d.mts

@@ -1,2 +1,2 @@
 import 'zod';
-export { m as AuthSchemas, C as ChangePasswordInput, n as CreatedSchemas, L as LoginInput, p as LoginSchemaInput, a as LogoutInput, O as OAuthLoginInput, q as OAuthSchemaInput, R as ResetPasswordInput, b as SignupInput, u as SignupSchemaInput, T as TwoFaVerifyInput, V as VerifyEmailInput, c as biometricVerifySchema, d as changePasswordSchema, w as checkPasswordResetSchema, x as createSchemas, y as deregisterPushTokenSchema, z as disableTwofaSchema, e as endAllSessionsSchema, B as getTwofaSecretSchema, l as loginSchema, f as logoutSchema, o as oAuthLoginSchema, g as otpLoginRequestSchema, h as otpLoginVerifySchema, D as registerPushTokenSchema, r as requestPasswordResetSchema, E as resendVerificationSchema, i as resetPasswordSchema, s as signupSchema, t as twoFaResetSchema, F as twoFaResetVerifySchema, j as twoFaSetupSchema, k as twoFaVerifySchema, v as verifyEmailSchema } from './hooks-CK4f4PHo.mjs';
+export { m as AuthSchemas, C as ChangePasswordInput, n as CreatedSchemas, L as LoginInput, p as LoginSchemaInput, a as LogoutInput, O as OAuthLoginInput, q as OAuthSchemaInput, R as ResetPasswordInput, b as SignupInput, u as SignupSchemaInput, T as TwoFaVerifyInput, V as VerifyEmailInput, c as biometricVerifySchema, d as changePasswordSchema, w as checkPasswordResetSchema, x as createSchemas, y as deregisterPushTokenSchema, z as disableTwofaSchema, e as endAllSessionsSchema, B as getTwofaSecretSchema, l as loginSchema, f as logoutSchema, o as oAuthLoginSchema, g as otpLoginRequestSchema, h as otpLoginVerifySchema, D as registerPushTokenSchema, r as requestPasswordResetSchema, E as resendVerificationSchema, i as resetPasswordSchema, s as signupSchema, t as twoFaResetSchema, F as twoFaResetVerifySchema, j as twoFaSetupSchema, k as twoFaVerifySchema, v as verifyEmailSchema } from './hooks-B41uikq7.mjs';

package/dist/validators.d.ts

@@ -1,2 +1,2 @@
 import 'zod';
-export { m as AuthSchemas, C as ChangePasswordInput, n as CreatedSchemas, L as LoginInput, p as LoginSchemaInput, a as LogoutInput, O as OAuthLoginInput, q as OAuthSchemaInput, R as ResetPasswordInput, b as SignupInput, u as SignupSchemaInput, T as TwoFaVerifyInput, V as VerifyEmailInput, c as biometricVerifySchema, d as changePasswordSchema, w as checkPasswordResetSchema, x as createSchemas, y as deregisterPushTokenSchema, z as disableTwofaSchema, e as endAllSessionsSchema, B as getTwofaSecretSchema, l as loginSchema, f as logoutSchema, o as oAuthLoginSchema, g as otpLoginRequestSchema, h as otpLoginVerifySchema, D as registerPushTokenSchema, r as requestPasswordResetSchema, E as resendVerificationSchema, i as resetPasswordSchema, s as signupSchema, t as twoFaResetSchema, F as twoFaResetVerifySchema, j as twoFaSetupSchema, k as twoFaVerifySchema, v as verifyEmailSchema } from './hooks-CK4f4PHo.js';
+export { m as AuthSchemas, C as ChangePasswordInput, n as CreatedSchemas, L as LoginInput, p as LoginSchemaInput, a as LogoutInput, O as OAuthLoginInput, q as OAuthSchemaInput, R as ResetPasswordInput, b as SignupInput, u as SignupSchemaInput, T as TwoFaVerifyInput, V as VerifyEmailInput, c as biometricVerifySchema, d as changePasswordSchema, w as checkPasswordResetSchema, x as createSchemas, y as deregisterPushTokenSchema, z as disableTwofaSchema, e as endAllSessionsSchema, B as getTwofaSecretSchema, l as loginSchema, f as logoutSchema, o as oAuthLoginSchema, g as otpLoginRequestSchema, h as otpLoginVerifySchema, D as registerPushTokenSchema, r as requestPasswordResetSchema, E as resendVerificationSchema, i as resetPasswordSchema, s as signupSchema, t as twoFaResetSchema, F as twoFaResetVerifySchema, j as twoFaSetupSchema, k as twoFaVerifySchema, v as verifyEmailSchema } from './hooks-B41uikq7.js';

package/dist/validators.js

@@ -51,8 +51,10 @@ var signupSchema = import_zod.z.object({
   username: import_zod.z.string().min(1, { message: "Username is required" }).max(30, { message: "Username must be 30 characters or less" }).regex(usernameValidationRegex, {
     message: "Username can only contain letters, numbers, and underscores"
   }),
-  email: import_zod.z.string().email({ message: "Invalid email address" }),
-  password: import_zod.z.string().min(6, { message: "Password must contain at least 6 characters" })
+  email: import_zod.z.string().max(254, { message: "Email must be 254 characters or less" }).email({ message: "Invalid email address" }),
+  password: import_zod.z.string().min(6, { message: "Password must contain at least 6 characters" }).max(72, { message: "Password must be 72 characters or less" }).refine((val) => val.trim().length >= 6, {
+    message: "Password cannot be only whitespace"
+  })
 });
 var loginSchema = import_zod.z.object({
   username: import_zod.z.string().min(1, { message: "Username or email is required" }),
@@ -72,14 +74,14 @@ var requestPasswordResetSchema = import_zod.z.object({
 });
 var resetPasswordSchema = import_zod.z.object({
   token: import_zod.z.string().min(1, { message: "Reset token is required" }),
-  password: import_zod.z.string().min(6, { message: "Password must contain at least 6 characters" })
+  password: import_zod.z.string().min(6, { message: "Password must contain at least 6 characters" }).max(72, { message: "Password must be 72 characters or less" })
 });
 var checkPasswordResetSchema = import_zod.z.object({
   token: import_zod.z.string().min(1, { message: "Reset token is required" })
 });
 var changePasswordSchema = import_zod.z.object({
   currentPassword: import_zod.z.string().min(1, { message: "Current password is required" }),
-  newPassword: import_zod.z.string().min(6, { message: "New password must contain at least 6 characters" })
+  newPassword: import_zod.z.string().min(6, { message: "New password must contain at least 6 characters" }).max(72, { message: "Password must be 72 characters or less" })
 });
 var twoFaVerifySchema = import_zod.z.object({
   code: import_zod.z.string().min(6, { message: "Verification code is required" }),

package/dist/validators.mjs

@@ -22,7 +22,7 @@ import {
   twoFaSetupSchema,
   twoFaVerifySchema,
   verifyEmailSchema
-} from "./chunk-2DOUP275.mjs";
+} from "./chunk-PYVDWODF.mjs";
 export {
   biometricVerifySchema,
   changePasswordSchema,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@factiii/auth",
-  "version": "0.1.1",
+  "version": "0.3.0",
   "publishConfig": {
     "access": "public"
   },
@@ -53,10 +53,16 @@
     "build": "tsup",
     "dev": "tsup --watch",
     "check-types": "tsc --noEmit",
-    "lint": "eslint src --ext .ts,.tsx",
-    "lint:fix": "eslint src --ext .ts,.tsx --fix",
+    "lint": "eslint src",
+    "lint:fix": "eslint src --fix",
+    "format": "prettier --check src",
+    "format:fix": "prettier --write src",
     "clean": "rm -rf dist node_modules/.cache .turbo",
-    "prepublishOnly": "npm run build"
+    "prepublishOnly": "npm run build",
+    "e2e": "pnpm e2e:db:up && playwright test --reporter=list; pnpm e2e:db:down",
+    "e2e:ui": "pnpm e2e:db:up && playwright test --ui",
+    "e2e:db:up": "docker compose -f e2e/docker-compose.yml up -d --wait && prisma generate --schema=e2e/server/schema.prisma --config=e2e/server/prisma.config.ts && prisma migrate reset --schema=e2e/server/schema.prisma --config=e2e/server/prisma.config.ts --force",
+    "e2e:db:down": "docker compose -f e2e/docker-compose.yml down"
   },
   "dependencies": {
     "@trpc/server": "11.8.0",
@@ -83,22 +89,39 @@
     }
   },
   "devDependencies": {
+    "@playwright/test": "^1.58.1",
+    "@prisma/adapter-better-sqlite3": "^7.3.0",
+    "@prisma/adapter-pg": "^7.3.0",
     "@prisma/client": "^7.1.0",
+    "@trpc/client": "^11.8.0",
     "@trpc/server": "11.8.0",
     "@types/bcryptjs": "^2.4.6",
+    "@types/better-sqlite3": "^7.6.13",
     "@types/jsonwebtoken": "^9.0.9",
     "@types/node": "^20.19.0",
+    "@types/pg": "^8.16.0",
+    "@types/react": "^19.2.11",
+    "@types/react-dom": "^19.2.3",
     "@typescript-eslint/eslint-plugin": "^7.18.0",
     "@typescript-eslint/parser": "^7.18.0",
+    "@vitejs/plugin-react": "^5.1.3",
+    "better-sqlite3": "^12.6.2",
     "eslint": "^8.57.0",
+    "pg": "^8.18.0",
+    "prettier": "^3.8.1",
     "prisma": "^7.1.0",
+    "react": "^19.2.4",
+    "react-dom": "^19.2.4",
+    "react-router-dom": "^7.2.0",
     "superjson": "^1.13.3",
     "tsup": "^8.3.5",
+    "tsx": "^4.21.0",
     "typescript": "5.9.3",
+    "vite": "^7.3.1",
     "zod": "3.24.2"
   },
   "engines": {
     "node": ">=18.0.0"
   },
-  "packageManager": "pnpm@10.26.0+sha512.3b3f6c725ebe712506c0ab1ad4133cf86b1f4b687effce62a9b38b4d72e3954242e643190fc51fa1642949c735f403debd44f5cb0edd657abe63a8b6a7e1e402"
+  "packageManager": "pnpm@10.26.0"
 }