@kyro-cms/core 0.1.1 → 0.1.2

package/dist/chunk-V67YXRBT.js

@@ -0,0 +1,899 @@
+import Redis2 from 'ioredis';
+import bcrypt from 'bcryptjs';
+import { randomBytes } from 'crypto';
+import nodemailer from 'nodemailer';
+
+// src/auth/bootstrap.ts
+var DEFAULT_PREFIX = "kyro:auth:";
+var DEFAULT_TOKEN_EXPIRATION = 86400;
+var DEFAULT_REFRESH_EXPIRATION = 604800;
+var RedisAuthAdapter = class {
+  redis;
+  prefix;
+  tokenExpiration;
+  refreshExpiration;
+  constructor(options = {}) {
+    const url = options.url || `redis://${options.host || "localhost"}:${options.port || 6379}`;
+    this.redis = new Redis2(url, {
+      password: options.password,
+      db: options.db,
+      lazyConnect: true,
+      tls: options.tls ? {} : void 0
+    });
+    this.prefix = options.keyPrefix || DEFAULT_PREFIX;
+    this.tokenExpiration = options.tokenExpiration || DEFAULT_TOKEN_EXPIRATION;
+    this.refreshExpiration = options.refreshTokenExpiration || DEFAULT_REFRESH_EXPIRATION;
+  }
+  async connect() {
+    await this.redis.connect();
+  }
+  async disconnect() {
+    await this.redis.quit();
+  }
+  userKey(userId) {
+    return `${this.prefix}users:${userId}`;
+  }
+  sessionKey(sessionId) {
+    return `${this.prefix}sessions:${sessionId}`;
+  }
+  refreshKey(token) {
+    return `${this.prefix}refresh:${token}`;
+  }
+  userByEmailKey(email) {
+    return `${this.prefix}users:email:${email.toLowerCase()}`;
+  }
+  passwordHistoryKey(userId) {
+    return `${this.prefix}users:${userId}:password_history`;
+  }
+  async createUser(data) {
+    const userId = randomBytes(16).toString("hex");
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const user = {
+      id: userId,
+      email: data.email.toLowerCase(),
+      passwordHash: data.passwordHash,
+      role: data.role || "customer",
+      tenantId: data.tenantId,
+      createdAt: now,
+      updatedAt: now
+    };
+    const pipeline = this.redis.pipeline();
+    pipeline.hset(this.userKey(userId), this.userToHash(user));
+    pipeline.set(this.userByEmailKey(data.email), userId);
+    await pipeline.exec();
+    return user;
+  }
+  async findUserByEmail(email) {
+    const userId = await this.redis.get(
+      this.userByEmailKey(email.toLowerCase())
+    );
+    if (!userId) return null;
+    return this.findUserById(userId);
+  }
+  async findUserById(userId) {
+    const data = await this.redis.hgetall(this.userKey(userId));
+    if (!data || Object.keys(data).length === 0) return null;
+    return this.hashToUser(data);
+  }
+  async updateUser(userId, data) {
+    const existing = await this.findUserById(userId);
+    if (!existing) return null;
+    const updated = {
+      ...existing,
+      ...data,
+      id: userId,
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    if (data.email && data.email !== existing.email) {
+      const pipeline = this.redis.pipeline();
+      pipeline.del(this.userByEmailKey(existing.email));
+      pipeline.set(this.userByEmailKey(data.email), userId);
+      await pipeline.exec();
+    }
+    await this.redis.hset(this.userKey(userId), this.userToHash(updated));
+    return updated;
+  }
+  async deleteUser(userId) {
+    const user = await this.findUserById(userId);
+    if (!user) return false;
+    const pipeline = this.redis.pipeline();
+    pipeline.del(this.userKey(userId));
+    pipeline.del(this.userByEmailKey(user.email));
+    pipeline.del(this.passwordHistoryKey(userId));
+    await pipeline.exec();
+    return true;
+  }
+  async hashPassword(password) {
+    return bcrypt.hash(password, 12);
+  }
+  async verifyPassword(password, hash) {
+    return bcrypt.compare(password, hash);
+  }
+  async createSession(userId, data = {}) {
+    const sessionId = randomBytes(32).toString("hex");
+    const token = randomBytes(32).toString("base64url");
+    const refreshToken = randomBytes(32).toString("base64url");
+    const now = /* @__PURE__ */ new Date();
+    const session = {
+      id: sessionId,
+      userId,
+      token,
+      refreshToken,
+      expiresAt: new Date(
+        now.getTime() + this.tokenExpiration * 1e3
+      ).toISOString(),
+      createdAt: now.toISOString(),
+      ipAddress: data.ipAddress,
+      userAgent: data.userAgent
+    };
+    const pipeline = this.redis.pipeline();
+    pipeline.hset(this.sessionKey(sessionId), this.sessionToHash(session));
+    pipeline.setex(
+      this.refreshKey(refreshToken),
+      this.refreshExpiration,
+      sessionId
+    );
+    await pipeline.exec();
+    return session;
+  }
+  async findSessionByToken(token) {
+    const data = await this.redis.hgetall(this.sessionKey(token));
+    if (!data || Object.keys(data).length === 0) return null;
+    return this.hashToSession(data);
+  }
+  async deleteSession(sessionId) {
+    const session = await this.redis.hgetall(this.sessionKey(sessionId));
+    if (!session || Object.keys(session).length === 0) return false;
+    const pipeline = this.redis.pipeline();
+    pipeline.del(this.sessionKey(sessionId));
+    if (session.refreshToken) {
+      pipeline.del(this.refreshKey(session.refreshToken));
+    }
+    await pipeline.exec();
+    return true;
+  }
+  async deleteUserSessions(userId) {
+    const pattern = `${this.prefix}sessions:*`;
+    let cursor = "0";
+    let deleted = 0;
+    do {
+      const [nextCursor, keys] = await this.redis.scan(
+        cursor,
+        "MATCH",
+        pattern,
+        "COUNT",
+        100
+      );
+      cursor = nextCursor;
+      for (const key of keys) {
+        const sessionData = await this.redis.hgetall(key);
+        if (sessionData.userId === userId) {
+          const sessionId = key.replace(`${this.prefix}sessions:`, "");
+          await this.deleteSession(sessionId);
+          deleted++;
+        }
+      }
+    } while (cursor !== "0");
+    return deleted;
+  }
+  async addPasswordToHistory(userId, passwordHash) {
+    await this.redis.lpush(this.passwordHistoryKey(userId), passwordHash);
+    await this.redis.ltrim(this.passwordHistoryKey(userId), 0, 4);
+  }
+  async getPasswordHistory(userId, count = 5) {
+    return this.redis.lrange(this.passwordHistoryKey(userId), 0, count - 1);
+  }
+  async isPasswordInHistory(password, userId, historyCount = 5) {
+    const history = await this.getPasswordHistory(userId, historyCount);
+    for (const hash of history) {
+      if (await this.verifyPassword(password, hash)) {
+        return true;
+      }
+    }
+    return false;
+  }
+  userToHash(user) {
+    const hash = {
+      id: user.id,
+      email: user.email,
+      passwordHash: user.passwordHash || "",
+      role: user.role,
+      createdAt: user.createdAt,
+      updatedAt: user.updatedAt
+    };
+    if (user.tenantId) hash.tenantId = user.tenantId;
+    if (user.emailVerified !== void 0)
+      hash.emailVerified = String(user.emailVerified);
+    if (user.locked !== void 0) hash.locked = String(user.locked);
+    if (user.lastLogin) hash.lastLogin = user.lastLogin;
+    if (user.failedLoginAttempts !== void 0)
+      hash.failedLoginAttempts = String(user.failedLoginAttempts);
+    return hash;
+  }
+  hashToUser(hash) {
+    return {
+      id: hash.id,
+      email: hash.email,
+      passwordHash: hash.passwordHash,
+      role: hash.role,
+      tenantId: hash.tenantId,
+      createdAt: hash.createdAt,
+      updatedAt: hash.updatedAt,
+      emailVerified: hash.emailVerified === "true",
+      locked: hash.locked === "true",
+      lastLogin: hash.lastLogin,
+      failedLoginAttempts: hash.failedLoginAttempts ? parseInt(hash.failedLoginAttempts, 10) : 0
+    };
+  }
+  sessionToHash(session) {
+    const hash = {
+      id: session.id,
+      userId: session.userId,
+      token: session.token,
+      expiresAt: session.expiresAt,
+      createdAt: session.createdAt
+    };
+    if (session.refreshToken) hash.refreshToken = session.refreshToken;
+    if (session.ipAddress) hash.ipAddress = session.ipAddress;
+    if (session.userAgent) hash.userAgent = session.userAgent;
+    return hash;
+  }
+  hashToSession(hash) {
+    return {
+      id: hash.id,
+      userId: hash.userId,
+      token: hash.token,
+      refreshToken: hash.refreshToken,
+      expiresAt: hash.expiresAt,
+      createdAt: hash.createdAt,
+      ipAddress: hash.ipAddress,
+      userAgent: hash.userAgent
+    };
+  }
+};
+var defaultTemplates = {
+  verifyEmail: (link, userName = "User") => ({
+    subject: "Verify your email address",
+    html: `
+      <!DOCTYPE html>
+      <html>
+      <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <title>Verify Email</title>
+        <style>
+          body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; }
+          .container { max-width: 600px; margin: 0 auto; padding: 20px; }
+          .button { display: inline-block; padding: 12px 24px; background: #0b1222; color: white; text-decoration: none; border-radius: 6px; font-weight: 600; }
+          .footer { margin-top: 30px; font-size: 12px; color: #666; }
+        </style>
+      </head>
+      <body>
+        <div class="container">
+          <h1>Welcome, ${userName}!</h1>
+          <p>Please verify your email address by clicking the button below:</p>
+          <p style="text-align: center; margin: 30px 0;">
+            <a href="${link}" class="button">Verify Email</a>
+          </p>
+          <p>Or copy and paste this link into your browser:</p>
+          <p style="word-break: break-all; color: #666;">${link}</p>
+          <p>This link will expire in 24 hours.</p>
+          <div class="footer">
+            <p>If you didn't create an account, you can safely ignore this email.</p>
+          </div>
+        </div>
+      </body>
+      </html>
+    `,
+    text: `Welcome ${userName}!
+
+Please verify your email by clicking this link: ${link}
+
+This link will expire in 24 hours.
+
+If you didn't create an account, you can safely ignore this email.`
+  }),
+  resetPassword: (link, userName = "User") => ({
+    subject: "Reset your password",
+    html: `
+      <!DOCTYPE html>
+      <html>
+      <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <title>Reset Password</title>
+        <style>
+          body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; }
+          .container { max-width: 600px; margin: 0 auto; padding: 20px; }
+          .button { display: inline-block; padding: 12px 24px; background: #dc2626; color: white; text-decoration: none; border-radius: 6px; font-weight: 600; }
+          .warning { background: #fef3c7; border: 1px solid #f59e0b; padding: 12px; border-radius: 6px; margin: 20px 0; }
+          .footer { margin-top: 30px; font-size: 12px; color: #666; }
+        </style>
+      </head>
+      <body>
+        <div class="container">
+          <h1>Password Reset Request</h1>
+          <p>Hello ${userName},</p>
+          <p>We received a request to reset your password. Click the button below to create a new password:</p>
+          <p style="text-align: center; margin: 30px 0;">
+            <a href="${link}" class="button">Reset Password</a>
+          </p>
+          <p>Or copy and paste this link into your browser:</p>
+          <p style="word-break: break-all; color: #666;">${link}</p>
+          <div class="warning">
+            <strong>\u26A0\uFE0F Important:</strong> This link will expire in 1 hour. If you didn't request a password reset, please ignore this email or contact support if you have concerns.
+          </div>
+          <div class="footer">
+            <p>For security reasons, please don't share this email with anyone.</p>
+          </div>
+        </div>
+      </body>
+      </html>
+    `,
+    text: `Password Reset Request
+
+Hello ${userName},
+
+We received a request to reset your password. Click this link to create a new password: ${link}
+
+This link will expire in 1 hour.
+
+If you didn't request a password reset, please ignore this email.`
+  }),
+  welcome: (userName = "User") => ({
+    subject: "Welcome to Kyro CMS",
+    html: `
+      <!DOCTYPE html>
+      <html>
+      <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <title>Welcome</title>
+        <style>
+          body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; }
+          .container { max-width: 600px; margin: 0 auto; padding: 20px; }
+          .button { display: inline-block; padding: 12px 24px; background: #0b1222; color: white; text-decoration: none; border-radius: 6px; font-weight: 600; }
+        </style>
+      </head>
+      <body>
+        <div class="container">
+          <h1>Welcome to Kyro CMS, ${userName}!</h1>
+          <p>Your account has been created successfully.</p>
+          <p>You can now:</p>
+          <ul>
+            <li>Manage your content collections</li>
+            <li>Upload and organize media</li>
+            <li>Configure settings</li>
+            <li>And much more...</li>
+          </ul>
+          <p style="text-align: center; margin: 30px 0;">
+            <a href="#" class="button">Get Started</a>
+          </p>
+          <p>If you have any questions, feel free to reach out to our support team.</p>
+        </div>
+      </body>
+      </html>
+    `,
+    text: `Welcome to Kyro CMS, ${userName}!
+
+Your account has been created successfully.
+
+You can now:
+- Manage your content collections
+- Upload and organize media
+- Configure settings
+- And much more...
+
+Get started by logging into your dashboard.`
+  }),
+  accountLocked: (attempts, duration, userName = "User") => ({
+    subject: "Account Security Alert - Account Locked",
+    html: `
+      <!DOCTYPE html>
+      <html>
+      <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <title>Account Locked</title>
+        <style>
+          body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; }
+          .container { max-width: 600px; margin: 0 auto; padding: 20px; }
+          .alert { background: #fef2f2; border: 1px solid #ef4444; padding: 16px; border-radius: 8px; margin: 20px 0; }
+          .footer { margin-top: 30px; font-size: 12px; color: #666; }
+        </style>
+      </head>
+      <body>
+        <div class="container">
+          <h1>Account Security Alert</h1>
+          <p>Hello ${userName},</p>
+          <div class="alert">
+            <p><strong>\u26A0\uFE0F Your account has been temporarily locked due to multiple failed login attempts.</strong></p>
+            <p>Failed attempts: ${attempts}</p>
+            <p>Lockout duration: ${Math.round(duration / 6e4)} minutes</p>
+          </div>
+          <p>Your account will automatically unlock after the lockout period expires.</p>
+          <p>If this wasn't you, we recommend:</p>
+          <ul>
+            <li>Using a strong, unique password</li>
+            <li>Enabling two-factor authentication (coming soon)</li>
+            <li>Reviewing your recent account activity</li>
+          </ul>
+          <div class="footer">
+            <p>If you need immediate assistance, please contact support.</p>
+          </div>
+        </div>
+      </body>
+      </html>
+    `,
+    text: `Account Security Alert
+
+Hello ${userName},
+
+Your account has been temporarily locked due to multiple failed login attempts (${attempts}).
+
+Lockout duration: ${Math.round(duration / 6e4)} minutes
+
+Your account will automatically unlock after this period.
+
+If this wasn't you, we recommend using a strong, unique password.`
+  }),
+  passwordChanged: (userName = "User") => ({
+    subject: "Your password has been changed",
+    html: `
+      <!DOCTYPE html>
+      <html>
+      <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <title>Password Changed</title>
+        <style>
+          body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; }
+          .container { max-width: 600px; margin: 0 auto; padding: 20px; }
+          .info { background: #f0fdf4; border: 1px solid #22c55e; padding: 12px; border-radius: 6px; margin: 20px 0; }
+        </style>
+      </head>
+      <body>
+        <div class="container">
+          <h1>Password Changed</h1>
+          <p>Hello ${userName},</p>
+          <div class="info">
+            <p>Your password was recently changed.</p>
+          </div>
+          <p>If you did this, you can safely ignore this email.</p>
+          <p><strong>If you didn't change your password</strong>, please contact our support team immediately as your account may have been compromised.</p>
+        </div>
+      </body>
+      </html>
+    `,
+    text: `Password Changed
+
+Hello ${userName},
+
+Your password was recently changed.
+
+If you did this, you can safely ignore this email.
+
+If you didn't change your password, please contact support immediately.`
+  }),
+  newLogin: (location, time, userName = "User") => ({
+    subject: "New login to your account",
+    html: `
+      <!DOCTYPE html>
+      <html>
+      <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <title>New Login</title>
+        <style>
+          body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; }
+          .container { max-width: 600px; margin: 0 auto; padding: 20px; }
+          .info-box { background: #f8fafc; border: 1px solid #e2e8f0; padding: 16px; border-radius: 8px; margin: 20px 0; }
+          .footer { margin-top: 30px; font-size: 12px; color: #666; }
+        </style>
+      </head>
+      <body>
+        <div class="container">
+          <h1>New Login Detected</h1>
+          <p>Hello ${userName},</p>
+          <p>We detected a new login to your account:</p>
+          <div class="info-box">
+            <p><strong>Location:</strong> ${location}</p>
+            <p><strong>Time:</strong> ${time}</p>
+          </div>
+          <p><strong>If this was you</strong>, no action is needed.</p>
+          <p><strong>If this wasn't you</strong>, your account may be compromised. Please:</p>
+          <ol>
+            <li>Change your password immediately</li>
+            <li>Review your recent account activity</li>
+            <li>Contact support if needed</li>
+          </ol>
+          <div class="footer">
+            <p>This is an automated security notification.</p>
+          </div>
+        </div>
+      </body>
+      </html>
+    `,
+    text: `New Login Detected
+
+Hello ${userName},
+
+We detected a new login to your account:
+
+Location: ${location}
+Time: ${time}
+
+If this wasn't you, please change your password immediately and contact support.`
+  })
+};
+var EmailTransport = class _EmailTransport {
+  transporter;
+  from;
+  fromName;
+  templates;
+  constructor(config, templates) {
+    this.transporter = nodemailer.createTransport({
+      host: config.host,
+      port: config.port,
+      secure: config.secure,
+      auth: config.auth
+    });
+    this.from = config.from;
+    this.fromName = config.fromName || "Kyro CMS";
+    this.templates = { ...defaultTemplates, ...templates };
+  }
+  async send(options) {
+    return this.transporter.sendMail({
+      from: `"${this.fromName}" <${this.from}>`,
+      to: Array.isArray(options.to) ? options.to.join(", ") : options.to,
+      subject: options.subject,
+      html: options.html,
+      text: options.text
+    });
+  }
+  getTemplates() {
+    return this.templates;
+  }
+  async verifyConnection() {
+    try {
+      await this.transporter.verify();
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  static fromEnv() {
+    const host = process.env.SMTP_HOST;
+    const port = parseInt(process.env.SMTP_PORT || "587", 10);
+    const secure = process.env.SMTP_SECURE === "true";
+    const user = process.env.SMTP_USER;
+    const pass = process.env.SMTP_PASS;
+    const from = process.env.SMTP_FROM || process.env.DEFAULT_FROM || "noreply@example.com";
+    const fromName = process.env.SMTP_FROM_NAME || "Kyro CMS";
+    if (!host || !user || !pass) {
+      return null;
+    }
+    return new _EmailTransport({
+      host,
+      port,
+      secure,
+      auth: { user, pass },
+      from,
+      fromName
+    });
+  }
+};
+
+// src/auth/security/password-policy.ts
+var DEFAULT_PASSWORD_POLICY = {
+  minLength: 12,
+  requireUppercase: true,
+  requireLowercase: true,
+  requireNumbers: true,
+  requireSpecialChars: true,
+  preventReuse: 5,
+  maxLength: 128
+};
+var PasswordPolicy = class {
+  config;
+  constructor(config = {}) {
+    this.config = { ...DEFAULT_PASSWORD_POLICY, ...config };
+  }
+  validate(password) {
+    const errors = [];
+    if (this.config.maxLength && password.length > this.config.maxLength) {
+      errors.push(
+        `Password must not exceed ${this.config.maxLength} characters`
+      );
+    }
+    if (password.length < this.config.minLength) {
+      errors.push(
+        `Password must be at least ${this.config.minLength} characters`
+      );
+    }
+    if (this.config.requireUppercase && !/[A-Z]/.test(password)) {
+      errors.push("Password must contain at least one uppercase letter");
+    }
+    if (this.config.requireLowercase && !/[a-z]/.test(password)) {
+      errors.push("Password must contain at least one lowercase letter");
+    }
+    if (this.config.requireNumbers && !/[0-9]/.test(password)) {
+      errors.push("Password must contain at least one number");
+    }
+    if (this.config.requireSpecialChars && !/[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]/.test(password)) {
+      errors.push("Password must contain at least one special character");
+    }
+    const commonPasswords = [
+      "password",
+      "123456",
+      "12345678",
+      "qwerty",
+      "abc123",
+      "monkey",
+      "1234567",
+      "letmein",
+      "trustno1",
+      "dragon",
+      "baseball",
+      "iloveyou",
+      "master",
+      "sunshine",
+      "ashley",
+      "football",
+      "password1",
+      "shadow",
+      "123123",
+      "654321"
+    ];
+    if (commonPasswords.includes(password.toLowerCase())) {
+      errors.push(
+        "This password is too common. Please choose a more secure password"
+      );
+    }
+    if (/^[a-zA-Z]+$/.test(password) || /^[0-9]+$/.test(password)) {
+      errors.push(
+        "Password must contain a mix of letters, numbers, and/or special characters"
+      );
+    }
+    if (/(.)\1{2,}/.test(password)) {
+      errors.push(
+        "Password must not contain more than 2 consecutive identical characters"
+      );
+    }
+    if (/^(012|123|234|345|456|567|678|789|890|098|987|876|765|654|543|432|321|210)+$/i.test(
+      password
+    )) {
+      errors.push("Password must not contain sequential numbers or letters");
+    }
+    return {
+      valid: errors.length === 0,
+      errors
+    };
+  }
+  async checkReuse(passwordHash, history, verifyFn) {
+    return {
+      valid: true,
+      errors: []
+    };
+  }
+  async isInHistory(password, history, verifyFn) {
+    for (const hash of history) {
+      if (await verifyFn(password, hash)) {
+        return true;
+      }
+    }
+    return false;
+  }
+  generatePassword(length = 16) {
+    const uppercase = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+    const lowercase = "abcdefghijklmnopqrstuvwxyz";
+    const numbers = "0123456789";
+    const special = "!@#$%^&*()_+-=[]{}|;:,.<>?";
+    let password = "";
+    password += uppercase[Math.floor(Math.random() * uppercase.length)];
+    password += lowercase[Math.floor(Math.random() * lowercase.length)];
+    password += numbers[Math.floor(Math.random() * numbers.length)];
+    password += special[Math.floor(Math.random() * special.length)];
+    const allChars = uppercase + lowercase + numbers + special;
+    for (let i = password.length; i < length; i++) {
+      password += allChars[Math.floor(Math.random() * allChars.length)];
+    }
+    return password.split("").sort(() => Math.random() - 0.5).join("");
+  }
+  getStrength(password) {
+    let score = 0;
+    const feedback = [];
+    if (password.length >= 8) score += 1;
+    if (password.length >= 12) score += 1;
+    if (password.length >= 16) score += 1;
+    if (/[a-z]/.test(password)) score += 1;
+    if (/[A-Z]/.test(password)) score += 1;
+    if (/[0-9]/.test(password)) score += 1;
+    if (/[!@#$%^&*()_+\-=\[\]{}|;:,.<>?]/.test(password)) score += 1;
+    if (password.length > 8) score += 1;
+    if (password.length > 12) score += 1;
+    const uniqueChars = new Set(password).size;
+    if (uniqueChars > 6) score += 1;
+    if (uniqueChars > 10) score += 1;
+    let label;
+    if (score <= 3) {
+      label = "Weak";
+      feedback.push("Add more characters");
+      feedback.push("Include uppercase and lowercase letters");
+    } else if (score <= 5) {
+      label = "Fair";
+      feedback.push("Add special characters");
+      feedback.push("Consider making it longer");
+    } else if (score <= 7) {
+      label = "Good";
+      feedback.push("Consider making it longer for extra security");
+    } else {
+      label = "Strong";
+    }
+    return { score, label, feedback };
+  }
+  setConfig(config) {
+    this.config = { ...this.config, ...config };
+  }
+  getConfig() {
+    return { ...this.config };
+  }
+};
+
+// src/auth/bootstrap.ts
+async function bootstrapAdmin(config) {
+  const {
+    redisUrl,
+    redisHost,
+    redisPort,
+    redisPassword,
+    adminEmail,
+    adminPassword,
+    adminRole = "super_admin",
+    tenantId,
+    emailConfig,
+    sendWelcomeEmail = false
+  } = config;
+  let redis;
+  if (redisUrl) {
+    redis = new Redis2(redisUrl);
+  } else {
+    redis = new Redis2({
+      host: redisHost || "localhost",
+      port: redisPort || 6379,
+      password: redisPassword,
+      lazyConnect: true
+    });
+  }
+  try {
+    await redis.connect();
+  } catch (error) {
+    return {
+      success: false,
+      error: "Failed to connect to Redis"
+    };
+  }
+  const authAdapter = new RedisAuthAdapter({
+    url: redisUrl,
+    host: redisHost,
+    port: redisPort,
+    password: redisPassword
+  });
+  const passwordPolicy = new PasswordPolicy();
+  const passwordValidation = passwordPolicy.validate(adminPassword);
+  if (!passwordValidation.valid) {
+    return {
+      success: false,
+      error: `Invalid password: ${passwordValidation.errors.join(", ")}`
+    };
+  }
+  const existingUser = await authAdapter.findUserByEmail(adminEmail);
+  if (existingUser) {
+    return {
+      success: false,
+      error: "Admin user already exists"
+    };
+  }
+  try {
+    const passwordHash = await authAdapter.hashPassword(adminPassword);
+    const user = await authAdapter.createUser({
+      email: adminEmail,
+      passwordHash,
+      role: adminRole || "admin",
+      tenantId
+    });
+    if (sendWelcomeEmail && emailConfig) {
+      const emailTransport = new EmailTransport(emailConfig);
+      const templates = emailTransport.getTemplates();
+      const welcomeTemplate = templates.welcome(adminEmail.split("@")[0]);
+      await emailTransport.send({
+        to: adminEmail,
+        ...welcomeTemplate
+      });
+    }
+    return {
+      success: true,
+      user
+    };
+  } catch (error) {
+    return {
+      success: false,
+      error: error instanceof Error ? error.message : "Failed to create admin user"
+    };
+  } finally {
+    await redis.quit();
+  }
+}
+async function checkBootstrapRequired(redis, adminEmail) {
+  const existingUser = await redis.get(
+    `kyro:auth:users:email:${adminEmail.toLowerCase()}`
+  );
+  return !existingUser;
+}
+function getBootstrapFromEnv() {
+  const email = process.env.KYRO_ADMIN_EMAIL;
+  const password = process.env.KYRO_ADMIN_PASSWORD;
+  if (!email || !password) {
+    return null;
+  }
+  return {
+    redisUrl: process.env.REDIS_URL,
+    redisHost: process.env.REDIS_HOST,
+    redisPort: process.env.REDIS_PORT ? parseInt(process.env.REDIS_PORT, 10) : void 0,
+    redisPassword: process.env.REDIS_PASSWORD,
+    adminEmail: email,
+    adminPassword: password,
+    adminRole: process.env.KYRO_ADMIN_ROLE || "super_admin",
+    tenantId: process.env.KYRO_ADMIN_TENANT_ID,
+    emailConfig: process.env.SMTP_HOST ? {
+      host: process.env.SMTP_HOST,
+      port: parseInt(process.env.SMTP_PORT || "587", 10),
+      secure: process.env.SMTP_SECURE === "true",
+      auth: {
+        user: process.env.SMTP_USER || "",
+        pass: process.env.SMTP_PASS || ""
+      },
+      from: process.env.SMTP_FROM || "noreply@example.com",
+      fromName: process.env.SMTP_FROM_NAME
+    } : void 0,
+    sendWelcomeEmail: process.env.KYRO_ADMIN_SEND_WELCOME === "true"
+  };
+}
+async function autoBootstrap() {
+  const config = getBootstrapFromEnv();
+  if (!config) {
+    return null;
+  }
+  console.log("Auto-bootstrapping admin user...");
+  const result = await bootstrapAdmin(config);
+  if (result.success) {
+    console.log(`Admin user created: ${config.adminEmail}`);
+  } else {
+    console.error(`Bootstrap failed: ${result.error}`);
+  }
+  return result;
+}
+async function bootstrapWithRetry(config, maxRetries = 3, retryDelayMs = 2e3) {
+  let lastError = "";
+  for (let i = 0; i < maxRetries; i++) {
+    const result = await bootstrapAdmin(config);
+    if (result.success) {
+      return result;
+    }
+    lastError = result.error || "Unknown error";
+    if (lastError.includes("already exists")) {
+      return result;
+    }
+    if (i < maxRetries - 1) {
+      await new Promise((resolve) => setTimeout(resolve, retryDelayMs));
+    }
+  }
+  return {
+    success: false,
+    error: `Failed after ${maxRetries} retries: ${lastError}`
+  };
+}
+
+export { EmailTransport, PasswordPolicy, RedisAuthAdapter, autoBootstrap, bootstrapAdmin, bootstrapWithRetry, checkBootstrapRequired, getBootstrapFromEnv };
+//# sourceMappingURL=chunk-V67YXRBT.js.map
+//# sourceMappingURL=chunk-V67YXRBT.js.map