@lastshotlabs/bunshot 0.0.1

package/src/adapters/sqliteAuth.ts

@@ -0,0 +1,320 @@
+import { Database } from "bun:sqlite";
+import { HttpError } from "@lib/HttpError";
+import type { AuthAdapter } from "@lib/authAdapter";
+
+// ---------------------------------------------------------------------------
+// DB singleton — call setSqliteDb(path) once at startup
+// ---------------------------------------------------------------------------
+
+let _db: Database | null = null;
+
+export const setSqliteDb = (path: string): void => {
+  _db = new Database(path, { create: true });
+  _db.run("PRAGMA journal_mode = WAL");
+  _db.run("PRAGMA foreign_keys = ON");
+  initSchema(_db);
+};
+
+function getDb(): Database {
+  if (!_db) throw new Error("SQLite not initialized — call setSqliteDb(path) before using sqliteAuthAdapter or sessionStore: 'sqlite'");
+  return _db;
+}
+
+// ---------------------------------------------------------------------------
+// Schema
+// ---------------------------------------------------------------------------
+
+function initSchema(db: Database): void {
+  db.run(`CREATE TABLE IF NOT EXISTS users (
+    id            TEXT PRIMARY KEY,
+    email         TEXT UNIQUE,
+    passwordHash  TEXT,
+    providerIds   TEXT NOT NULL DEFAULT '[]',
+    roles         TEXT NOT NULL DEFAULT '[]',
+    emailVerified INTEGER NOT NULL DEFAULT 0
+  )`);
+  // Add emailVerified to pre-existing databases that lack the column
+  try { db.run("ALTER TABLE users ADD COLUMN emailVerified INTEGER NOT NULL DEFAULT 0"); } catch { /* already exists */ }
+  db.run(`CREATE TABLE IF NOT EXISTS sessions (
+    userId    TEXT PRIMARY KEY,
+    token     TEXT NOT NULL,
+    expiresAt INTEGER NOT NULL
+  )`);
+  db.run(`CREATE TABLE IF NOT EXISTS oauth_states (
+    state        TEXT PRIMARY KEY,
+    codeVerifier TEXT,
+    linkUserId   TEXT,
+    expiresAt    INTEGER NOT NULL
+  )`);
+  db.run(`CREATE TABLE IF NOT EXISTS cache_entries (
+    key       TEXT PRIMARY KEY,
+    value     TEXT NOT NULL,
+    expiresAt INTEGER  -- NULL = indefinite
+  )`);
+  db.run(`CREATE TABLE IF NOT EXISTS email_verifications (
+    token     TEXT PRIMARY KEY,
+    userId    TEXT NOT NULL,
+    email     TEXT NOT NULL,
+    expiresAt INTEGER NOT NULL
+  )`);
+}
+
+// ---------------------------------------------------------------------------
+// Auth adapter
+// ---------------------------------------------------------------------------
+
+export const sqliteAuthAdapter: AuthAdapter = {
+  async findByEmail(email) {
+    const row = getDb().query<{ id: string; passwordHash: string }, [string]>(
+      "SELECT id, passwordHash FROM users WHERE email = ?"
+    ).get(email);
+    return row ?? null;
+  },
+
+  async create(email, passwordHash) {
+    const id = crypto.randomUUID();
+    try {
+      getDb().run("INSERT INTO users (id, email, passwordHash) VALUES (?, ?, ?)", [id, email, passwordHash]);
+      return { id };
+    } catch (err: any) {
+      if (err?.code === "SQLITE_CONSTRAINT_UNIQUE") throw new HttpError(409, "Email already registered");
+      throw err;
+    }
+  },
+
+  async setPassword(userId, passwordHash) {
+    getDb().run("UPDATE users SET passwordHash = ? WHERE id = ?", [passwordHash, userId]);
+  },
+
+  async findOrCreateByProvider(provider, providerId, profile) {
+    const key = `${provider}:${providerId}`;
+    const db = getDb();
+
+    // Find by provider key using json_each
+    const existing = db.query<{ id: string }, [string]>(
+      "SELECT u.id FROM users u, json_each(u.providerIds) p WHERE p.value = ?"
+    ).get(key);
+    if (existing) return { id: existing.id, created: false };
+
+    // Reject if email belongs to a credential account
+    if (profile.email) {
+      const emailUser = db.query<{ id: string }, [string]>(
+        "SELECT id FROM users WHERE email = ?"
+      ).get(profile.email);
+      if (emailUser) throw new HttpError(409, "An account with this email already exists. Sign in with your credentials, then link Google from your account settings.");
+    }
+
+    const id = crypto.randomUUID();
+    db.run(
+      "INSERT INTO users (id, email, providerIds) VALUES (?, ?, ?)",
+      [id, profile.email ?? null, JSON.stringify([key])]
+    );
+    return { id, created: true };
+  },
+
+  async linkProvider(userId, provider, providerId) {
+    const key = `${provider}:${providerId}`;
+    const db = getDb();
+    const row = db.query<{ id: string; providerIds: string }, [string]>(
+      "SELECT id, providerIds FROM users WHERE id = ?"
+    ).get(userId);
+    if (!row) throw new HttpError(404, "User not found");
+    const ids: string[] = JSON.parse(row.providerIds);
+    if (!ids.includes(key)) {
+      db.run("UPDATE users SET providerIds = ? WHERE id = ?", [JSON.stringify([...ids, key]), userId]);
+    }
+  },
+
+  async getRoles(userId) {
+    const row = getDb().query<{ roles: string }, [string]>(
+      "SELECT roles FROM users WHERE id = ?"
+    ).get(userId);
+    return row ? JSON.parse(row.roles) : [];
+  },
+
+  async setRoles(userId, roles) {
+    getDb().run("UPDATE users SET roles = ? WHERE id = ?", [JSON.stringify(roles), userId]);
+  },
+
+  async addRole(userId, role) {
+    const db = getDb();
+    const row = db.query<{ roles: string }, [string]>("SELECT roles FROM users WHERE id = ?").get(userId);
+    if (!row) return;
+    const roles: string[] = JSON.parse(row.roles);
+    if (!roles.includes(role)) {
+      db.run("UPDATE users SET roles = ? WHERE id = ?", [JSON.stringify([...roles, role]), userId]);
+    }
+  },
+
+  async removeRole(userId, role) {
+    const db = getDb();
+    const row = db.query<{ roles: string }, [string]>("SELECT roles FROM users WHERE id = ?").get(userId);
+    if (!row) return;
+    const roles: string[] = JSON.parse(row.roles);
+    db.run("UPDATE users SET roles = ? WHERE id = ?", [JSON.stringify(roles.filter((r) => r !== role)), userId]);
+  },
+
+  async getUser(userId) {
+    const row = getDb().query<{ email: string | null; providerIds: string; emailVerified: number }, [string]>(
+      "SELECT email, providerIds, emailVerified FROM users WHERE id = ?"
+    ).get(userId);
+    if (!row) return null;
+    return {
+      email: row.email ?? undefined,
+      providerIds: JSON.parse(row.providerIds),
+      emailVerified: row.emailVerified === 1,
+    };
+  },
+
+  async unlinkProvider(userId, provider) {
+    const db = getDb();
+    const row = db.query<{ providerIds: string }, [string]>(
+      "SELECT providerIds FROM users WHERE id = ?"
+    ).get(userId);
+    if (!row) throw new HttpError(404, "User not found");
+    const ids: string[] = JSON.parse(row.providerIds);
+    db.run(
+      "UPDATE users SET providerIds = ? WHERE id = ?",
+      [JSON.stringify(ids.filter((id) => !id.startsWith(`${provider}:`))), userId]
+    );
+  },
+
+  async findByIdentifier(value) {
+    const row = getDb().query<{ id: string; passwordHash: string }, [string]>(
+      "SELECT id, passwordHash FROM users WHERE email = ?"
+    ).get(value);
+    return row ?? null;
+  },
+
+  async setEmailVerified(userId, verified) {
+    getDb().run("UPDATE users SET emailVerified = ? WHERE id = ?", [verified ? 1 : 0, userId]);
+  },
+
+  async getEmailVerified(userId) {
+    const row = getDb().query<{ emailVerified: number }, [string]>(
+      "SELECT emailVerified FROM users WHERE id = ?"
+    ).get(userId);
+    return row?.emailVerified === 1;
+  },
+};
+
+// ---------------------------------------------------------------------------
+// Session helpers (used by src/lib/session.ts)
+// ---------------------------------------------------------------------------
+
+const SESSION_TTL_MS = 60 * 60 * 24 * 7 * 1000; // 7 days
+
+export const sqliteCreateSession = (userId: string, token: string): void => {
+  const expiresAt = Date.now() + SESSION_TTL_MS;
+  getDb().run(
+    "INSERT INTO sessions (userId, token, expiresAt) VALUES (?, ?, ?) ON CONFLICT(userId) DO UPDATE SET token = excluded.token, expiresAt = excluded.expiresAt",
+    [userId, token, expiresAt]
+  );
+};
+
+export const sqliteGetSession = (userId: string): string | null => {
+  const row = getDb().query<{ token: string }, [string, number]>(
+    "SELECT token FROM sessions WHERE userId = ? AND expiresAt > ?"
+  ).get(userId, Date.now());
+  return row?.token ?? null;
+};
+
+export const sqliteDeleteSession = (userId: string): void => {
+  getDb().run("DELETE FROM sessions WHERE userId = ?", [userId]);
+};
+
+// ---------------------------------------------------------------------------
+// OAuth state helpers (used by src/lib/oauth.ts)
+// ---------------------------------------------------------------------------
+
+const OAUTH_STATE_TTL_MS = 5 * 60 * 1000; // 5 minutes
+
+export const sqliteStoreOAuthState = (state: string, codeVerifier?: string, linkUserId?: string): void => {
+  const expiresAt = Date.now() + OAUTH_STATE_TTL_MS;
+  getDb().run(
+    "INSERT INTO oauth_states (state, codeVerifier, linkUserId, expiresAt) VALUES (?, ?, ?, ?)",
+    [state, codeVerifier ?? null, linkUserId ?? null, expiresAt]
+  );
+};
+
+export const sqliteConsumeOAuthState = (state: string): { codeVerifier?: string; linkUserId?: string } | null => {
+  const row = getDb().query<{ codeVerifier: string | null; linkUserId: string | null }, [string, number]>(
+    "DELETE FROM oauth_states WHERE state = ? AND expiresAt > ? RETURNING codeVerifier, linkUserId"
+  ).get(state, Date.now());
+  if (!row) return null;
+  return {
+    codeVerifier: row.codeVerifier ?? undefined,
+    linkUserId: row.linkUserId ?? undefined,
+  };
+};
+
+// ---------------------------------------------------------------------------
+// Cache helpers (used by src/middleware/cacheResponse.ts)
+// ---------------------------------------------------------------------------
+
+export const isSqliteReady = (): boolean => _db !== null;
+
+export const sqliteGetCache = (key: string): string | null => {
+  const row = getDb().query<{ value: string }, [string, number]>(
+    "SELECT value FROM cache_entries WHERE key = ? AND (expiresAt IS NULL OR expiresAt > ?)"
+  ).get(key, Date.now());
+  return row?.value ?? null;
+};
+
+export const sqliteSetCache = (key: string, value: string, ttlSeconds?: number): void => {
+  const expiresAt = ttlSeconds ? Date.now() + ttlSeconds * 1000 : null;
+  getDb().run(
+    "INSERT INTO cache_entries (key, value, expiresAt) VALUES (?, ?, ?) ON CONFLICT(key) DO UPDATE SET value = excluded.value, expiresAt = excluded.expiresAt",
+    [key, value, expiresAt]
+  );
+};
+
+export const sqliteDelCache = (key: string): void => {
+  getDb().run("DELETE FROM cache_entries WHERE key = ?", [key]);
+};
+
+export const sqliteDelCachePattern = (pattern: string): void => {
+  // Convert glob pattern (* wildcard) to a SQL LIKE pattern (% wildcard)
+  const likePattern = pattern.replace(/%/g, "\\%").replace(/_/g, "\\_").replace(/\*/g, "%");
+  getDb().run("DELETE FROM cache_entries WHERE key LIKE ? ESCAPE '\\'", [likePattern]);
+};
+
+// ---------------------------------------------------------------------------
+// Email verification token helpers (used by src/lib/emailVerification.ts)
+// ---------------------------------------------------------------------------
+
+const EMAIL_VERIFICATION_TTL_MS = 60 * 60 * 24 * 1000; // 24 hours
+
+export const sqliteCreateVerificationToken = (token: string, userId: string, email: string): void => {
+  const expiresAt = Date.now() + EMAIL_VERIFICATION_TTL_MS;
+  getDb().run(
+    "INSERT INTO email_verifications (token, userId, email, expiresAt) VALUES (?, ?, ?, ?)",
+    [token, userId, email, expiresAt]
+  );
+};
+
+export const sqliteGetVerificationToken = (token: string): { userId: string; email: string } | null => {
+  const row = getDb().query<{ userId: string; email: string }, [string, number]>(
+    "SELECT userId, email FROM email_verifications WHERE token = ? AND expiresAt > ?"
+  ).get(token, Date.now());
+  return row ?? null;
+};
+
+export const sqliteDeleteVerificationToken = (token: string): void => {
+  getDb().run("DELETE FROM email_verifications WHERE token = ?", [token]);
+};
+
+// ---------------------------------------------------------------------------
+// Optional periodic cleanup of expired rows
+// ---------------------------------------------------------------------------
+
+export const startSqliteCleanup = (intervalMs = 3_600_000): ReturnType<typeof setInterval> => {
+  return setInterval(() => {
+    const db = getDb();
+    const now = Date.now();
+    db.run("DELETE FROM sessions WHERE expiresAt <= ?", [now]);
+    db.run("DELETE FROM oauth_states WHERE expiresAt <= ?", [now]);
+    db.run("DELETE FROM cache_entries WHERE expiresAt IS NOT NULL AND expiresAt <= ?", [now]);
+    db.run("DELETE FROM email_verifications WHERE expiresAt <= ?", [now]);
+  }, intervalMs);
+};

package/src/app.ts

@@ -0,0 +1,368 @@
+import { OpenAPIHono } from "@hono/zod-openapi";
+import { cors } from "hono/cors";
+import { logger } from "hono/logger";
+import { secureHeaders } from "hono/secure-headers";
+import { Scalar } from "@scalar/hono-api-reference";
+import type { MiddlewareHandler } from "hono";
+import { HttpError } from "@lib/HttpError";
+import { rateLimit } from "@middleware/rateLimit";
+import { bearerAuth } from "@middleware/bearerAuth";
+import { identify } from "@middleware/identify";
+import type { AppEnv } from "@lib/context";
+import { HEADER_USER_TOKEN } from "@lib/constants";
+import { setAppName, setAppRoles, setDefaultRole, setPrimaryField, setEmailVerificationConfig } from "@lib/appConfig";
+import type { PrimaryField, EmailVerificationConfig } from "@lib/appConfig";
+import { setEmailVerificationStore } from "@lib/emailVerification";
+import { setAuthRateLimitStore } from "@lib/authRateLimit";
+import { setAuthAdapter } from "@lib/authAdapter";
+import { mongoAuthAdapter } from "./adapters/mongoAuth";
+import type { AuthAdapter } from "@lib/authAdapter";
+import { memoryAuthAdapter } from "./adapters/memoryAuth";
+import { initOAuthProviders, getConfiguredOAuthProviders, setOAuthStateStore } from "@lib/oauth";
+import type { OAuthProviderConfig } from "@lib/oauth";
+import { createOAuthRouter } from "@routes/oauth";
+import { connectMongo, connectAuthMongo, connectAppMongo } from "@lib/mongo";
+import { connectRedis } from "@lib/redis";
+import { setSessionStore } from "@lib/session";
+import { setCacheStore } from "@middleware/cacheResponse";
+
+type StoreType = "redis" | "mongo" | "sqlite" | "memory";
+
+export interface DbConfig {
+  /**
+   * Absolute path to the SQLite database file.
+   * Required when any store is "sqlite".
+   * Example: import.meta.dir + "/../data.db"
+   */
+  sqlite?: string;
+  /**
+   * MongoDB auto-connect mode.
+   * - "single" (default): calls connectMongo() — auth and app share one server (MONGO_* env vars)
+   * - "separate": calls connectAuthMongo() + connectAppMongo() — auth on MONGO_AUTH_* server, app on MONGO_* server
+   * - false: skip auto-connect (call connectMongo / connectAuthMongo / connectAppMongo yourself)
+   */
+  mongo?: "single" | "separate" | false;
+  /**
+   * Auto-connect Redis before starting. Defaults to true.
+   * Set false to skip (e.g. when using sqlite or memory stores only).
+   */
+  redis?: boolean;
+  /**
+   * Where to store JWT sessions. Default: "redis".
+   * Sessions are stored on appConnection (not authConnection) so they are isolated per-app
+   * in "separate" mongo mode.
+   */
+  sessions?: StoreType;
+  /**
+   * Where to store OAuth state (PKCE code verifier, link user ID). Default: follows `sessions`.
+   */
+  oauthState?: StoreType;
+  /**
+   * Global default store for cacheResponse middleware. Default: "redis".
+   * Can be overridden per-route via cacheResponse({ store: "..." }).
+   */
+  cache?: StoreType;
+  /**
+   * Which built-in auth adapter to use for /auth/* routes.
+   * - "mongo" (default when mongo is enabled): Mongoose adapter (requires connectMongo)
+   * - "sqlite": bun:sqlite adapter (requires sqlite path)
+   * - "memory": in-memory Maps (ephemeral, great for tests)
+   * When `mongo: false`, defaults to the same store as `sessions`.
+   * Ignored when `auth.adapter` is explicitly passed in CreateAppConfig.
+   */
+  auth?: "mongo" | "sqlite" | "memory";
+}
+
+export interface AppMeta {
+  /** App name shown in the root endpoint and OpenAPI docs title. Defaults to "Bun Core API" */
+  name?: string;
+  /** Version shown in OpenAPI docs. Defaults to "1.0.0" */
+  version?: string;
+}
+
+export interface OAuthConfig {
+  /** OAuth provider credentials. Configured providers get automatic /auth/{provider} routes. */
+  providers?: OAuthProviderConfig;
+  /** Where to redirect after a successful OAuth login. Defaults to "/" */
+  postRedirect?: string;
+}
+
+export interface AuthRateLimitConfig {
+  /** Max login failures per window before the account is locked. Default: 10 per 15 min. */
+  login?: { windowMs?: number; max?: number };
+  /** Max registration attempts per IP per window. Default: 5 per hour. */
+  register?: { windowMs?: number; max?: number };
+  /** Max email verification attempts per IP per window. Default: 10 per 15 min. */
+  verifyEmail?: { windowMs?: number; max?: number };
+  /** Max resend-verification attempts per user per window. Default: 3 per hour. */
+  resendVerification?: { windowMs?: number; max?: number };
+  /**
+   * Store backend for auth rate limit counters.
+   * Defaults to "redis" when Redis is enabled, otherwise "memory".
+   * Use "redis" for multi-instance deployments so limits are shared across servers.
+   */
+  store?: "memory" | "redis";
+}
+
+export interface AuthConfig {
+  /** Set false to skip mounting /auth/* routes. Defaults to true */
+  enabled?: boolean;
+  /**
+   * Custom auth adapter for the built-in /auth/* routes.
+   * Use this for fully custom backends (e.g. Postgres).
+   * For built-in backends prefer `db.auth: "mongo" | "sqlite" | "memory"`.
+   * When both are set, this takes precedence.
+   */
+  adapter?: AuthAdapter;
+  /** Valid roles for this app (e.g. ["admin", "editor", "user"]). Used by requireRole middleware. */
+  roles?: string[];
+  /** Role automatically assigned to new users on registration. Must be one of roles. */
+  defaultRole?: string;
+  /** OAuth provider and redirect configuration */
+  oauth?: OAuthConfig;
+  /**
+   * The primary identifier field used for registration and login.
+   * Defaults to "email". Use "username" or "phone" for apps that identify users differently.
+   * Email verification is only available when primaryField is "email".
+   */
+  primaryField?: PrimaryField;
+  /**
+   * Email verification configuration. Only active when primaryField is "email".
+   * Provide an onSend callback to send the verification email via any provider (Resend, SendGrid, etc.).
+   */
+  emailVerification?: EmailVerificationConfig;
+  /** Rate limit configuration for built-in auth endpoints. */
+  rateLimit?: AuthRateLimitConfig;
+}
+
+export type { PrimaryField, EmailVerificationConfig };
+
+export interface BotProtectionConfig {
+  /**
+   * List of IPv4 CIDRs (e.g. "198.51.100.0/24"), IPv4 addresses, or IPv6 addresses to block outright.
+   * Matched requests receive a 403 before any other processing.
+   * Example: ["198.51.100.0/24", "203.0.113.42"]
+   */
+  blockList?: string[];
+  /**
+   * Also rate-limit by HTTP fingerprint (User-Agent, Accept-*, Connection, browser header presence)
+   * in addition to IP. Bots that rotate IPs but use the same HTTP client share a bucket.
+   * Uses the same store as auth rate limiting (Redis or memory).
+   * Default: false
+   */
+  fingerprintRateLimit?: boolean;
+}
+
+export interface SecurityConfig {
+  /** CORS origins. Defaults to "*" */
+  cors?: string | string[];
+  /** Global rate limit. Defaults to 100 req / 60s */
+  rateLimit?: { windowMs: number; max: number };
+  /**
+   * Bearer auth check. Set false to disable entirely.
+   * Pass an object with bypass paths (merged with built-in defaults: /docs, /health, /openapi.json, etc.).
+   * Defaults to enabled with no extra bypass paths.
+   */
+  bearerAuth?: boolean | { bypass?: string[] };
+  /**
+   * Bot protection: CIDR blocklist and fingerprint-based rate limiting.
+   * Runs before IP rate limiting so blocked IPs are rejected immediately.
+   */
+  botProtection?: BotProtectionConfig;
+}
+
+export interface CreateAppConfig {
+  /** Absolute path to the service's routes directory (use import.meta.dir + "/routes") */
+  routesDir: string;
+  /** App name and version for the root endpoint and OpenAPI docs */
+  app?: AppMeta;
+  /** Auth, roles, and OAuth configuration */
+  auth?: AuthConfig;
+  /** Security: CORS, rate limiting, bearer auth */
+  security?: SecurityConfig;
+  /** Extra middleware injected after identify, before route matching */
+  middleware?: MiddlewareHandler<AppEnv>[];
+  /** Database connection and store routing configuration */
+  db?: DbConfig;
+}
+
+export const createApp = async (config: CreateAppConfig): Promise<OpenAPIHono<AppEnv>> => {
+  const {
+    routesDir,
+    app: appConfig = {},
+    auth: authConfig = {},
+    security: securityConfig = {},
+    middleware = [],
+    db = {},
+  } = config;
+
+  const appName = appConfig.name ?? "Bun Core API";
+  const openApiVersion = appConfig.version ?? "1.0.0";
+
+  const corsOrigins = securityConfig.cors ?? "*";
+  const rlConfig = securityConfig.rateLimit ?? { windowMs: 60_000, max: 100 };
+  const botCfg = securityConfig.botProtection ?? {};
+  const enableBearerAuth = securityConfig.bearerAuth !== false;
+  const extraBypass =
+    typeof securityConfig.bearerAuth === "object" && securityConfig.bearerAuth !== null
+      ? (securityConfig.bearerAuth.bypass ?? [])
+      : [];
+
+  const enableAuthRoutes = authConfig.enabled !== false;
+  const explicitAuthAdapter = authConfig.adapter;
+  const oauthProviders = authConfig.oauth?.providers;
+  const postOAuthRedirect = authConfig.oauth?.postRedirect ?? "/";
+  const roles = authConfig.roles ?? [];
+  const defaultRole = authConfig.defaultRole;
+  const primaryField = authConfig.primaryField ?? "email";
+  const emailVerification = authConfig.emailVerification;
+  const authRateLimit = authConfig.rateLimit;
+
+  const { sqlite, mongo = "single", redis: enableRedis = true } = db;
+
+  // Smart fallback: pick the best available store rather than blindly defaulting to "redis"
+  const defaultStore: StoreType = enableRedis
+    ? "redis"
+    : sqlite
+    ? "sqlite"
+    : mongo !== false
+    ? "mongo"
+    : "memory";
+
+  const sessions   = db.sessions   ?? defaultStore;
+  const oauthState = db.oauthState ?? sessions;
+  const cache      = db.cache      ?? defaultStore;
+  const authStore  = db.auth       ?? (mongo !== false ? "mongo" : sessions);
+
+  if (sqlite || sessions === "sqlite" || oauthState === "sqlite" || authStore === "sqlite") {
+    const { setSqliteDb } = await import("./adapters/sqliteAuth");
+    setSqliteDb(sqlite ?? "./data.db");
+  }
+
+  setSessionStore(sessions);
+  setOAuthStateStore(oauthState);
+  setCacheStore(cache);
+
+  if (mongo === "single") await connectMongo();
+  else if (mongo === "separate") await Promise.all([connectAuthMongo(), connectAppMongo()]);
+
+  if (enableRedis) await connectRedis();
+
+  // Resolve auth adapter: explicit prop wins, then db.auth, then mongo default
+  let authAdapter: AuthAdapter;
+  if (explicitAuthAdapter) {
+    authAdapter = explicitAuthAdapter;
+  } else if (authStore === "sqlite") {
+    const { sqliteAuthAdapter } = await import("./adapters/sqliteAuth");
+    authAdapter = sqliteAuthAdapter;
+  } else if (authStore === "memory") {
+    authAdapter = memoryAuthAdapter;
+  } else {
+    authAdapter = mongoAuthAdapter;
+  }
+
+  setAuthAdapter(authAdapter);
+  setAppRoles(roles);
+  setDefaultRole(defaultRole ?? null);
+  setPrimaryField(primaryField);
+  setEmailVerificationConfig(emailVerification ?? null);
+  setEmailVerificationStore(sessions);
+  setAuthRateLimitStore(authRateLimit?.store ?? (enableRedis ? "redis" : "memory"));
+
+  if (defaultRole && !authAdapter.setRoles) {
+    throw new Error(`createApp: "defaultRole" is set to "${defaultRole}" but the auth adapter does not implement setRoles. Add setRoles to your adapter or remove defaultRole.`);
+  }
+
+  if (oauthProviders) initOAuthProviders(oauthProviders);
+  const configuredOAuth = getConfiguredOAuthProviders();
+
+  // OAuth paths must bypass bearer auth — initiation and link routes are browser redirects,
+  // callbacks come from external providers; none can send a bearer token header.
+  const oauthBypass = configuredOAuth.flatMap((p) => [
+    `/auth/${p}`,
+    `/auth/${p}/callback`,
+    `/auth/${p}/link`,
+  ]);
+
+  const DEFAULT_BYPASS = ["/docs", "/openapi.json", "/sw.js", "/health", "/"];
+  const bearerAuthBypass = [...DEFAULT_BYPASS, ...oauthBypass, ...extraBypass];
+
+  const app = new OpenAPIHono<AppEnv>();
+
+  app.use(logger());
+  app.use(secureHeaders());
+  app.use(cors({ origin: corsOrigins, allowHeaders: ["Content-Type", "Authorization", HEADER_USER_TOKEN], exposeHeaders: ["x-cache"], credentials: true }));
+  if ((botCfg.blockList?.length ?? 0) > 0) {
+    const { botProtection } = await import("@middleware/botProtection");
+    app.use(botProtection({ blockList: botCfg.blockList }));
+  }
+  app.use(rateLimit({ ...rlConfig, fingerprintLimit: botCfg.fingerprintRateLimit ?? false }));
+  if (enableBearerAuth) {
+    app.use(async (c, next) => {
+      const path = c.req.path;
+      if (bearerAuthBypass.includes(path)) {
+        return next();
+      }
+      return bearerAuth(c, next);
+    });
+  }
+  app.use(identify);
+  for (const mw of middleware) app.use(mw);
+
+  setAppName(appName);
+
+  // Core routes (auth, etc.)
+  const coreRoutesDir = import.meta.dir + "/routes";
+  const coreGlob = new Bun.Glob("*.ts");
+  for await (const file of coreGlob.scan({ cwd: coreRoutesDir })) {
+    if (file === "auth.ts") continue; // mounted separately below via createAuthRouter
+    if (file === "oauth.ts") continue; // mounted separately below
+    const mod = await import(`${coreRoutesDir}/${file}`);
+    if (mod.router) app.route("/", mod.router);
+  }
+
+  if (enableAuthRoutes) {
+    const { createAuthRouter } = await import(`${coreRoutesDir}/auth`);
+    app.route("/", createAuthRouter({ primaryField, emailVerification, rateLimit: authRateLimit }));
+  }
+
+  if (configuredOAuth.length > 0) {
+    app.route("/", createOAuthRouter(configuredOAuth, postOAuthRedirect));
+  }
+
+  // Service routes — collect all, sort by optional exported `priority`, then mount
+  const serviceGlob = new Bun.Glob("**/*.ts");
+  const serviceFiles: string[] = [];
+  for await (const file of serviceGlob.scan({ cwd: routesDir })) {
+    serviceFiles.push(file);
+  }
+
+  const serviceMods = await Promise.all(
+    serviceFiles.map(async (file) => ({
+      file,
+      mod: await import(`${routesDir}/${file}`),
+    }))
+  );
+
+  serviceMods
+    .sort((a, b) => (a.mod.priority ?? Infinity) - (b.mod.priority ?? Infinity))
+    .forEach(({ mod }) => {
+      if (mod.router) app.route("/", mod.router);
+    });
+
+  app.onError((err, c) => {
+    if (err instanceof HttpError) {
+      return c.json({ error: err.message }, err.status as 400 | 401 | 403 | 404 | 409 | 418 | 429 | 500);
+    }
+    console.error(err);
+    return c.json({ error: "Internal Server Error" }, 500);
+  });
+
+  app.notFound((c) => c.json({ error: "Not Found" }, 404));
+
+  app.doc("/openapi.json", { openapi: "3.0.0", info: { title: appName, version: openApiVersion } });
+  app.get("/docs", Scalar({ url: "/openapi.json" }));
+  app.get("/sw.js", (c) => c.body("", 200, { "Content-Type": "application/javascript" }));
+
+  return app;
+};