@lastshotlabs/bunshot 0.0.1

package/src/middleware/cacheResponse.ts

@@ -0,0 +1,189 @@
+import type { MiddlewareHandler } from "hono";
+import { getRedis } from "@lib/redis";
+import { getAppName } from "@lib/appConfig";
+import type { AppEnv } from "@lib/context";
+import { appConnection } from "@lib/mongo";
+import { Schema } from "mongoose";
+import { isSqliteReady, sqliteGetCache, sqliteSetCache, sqliteDelCache, sqliteDelCachePattern } from "../adapters/sqliteAuth";
+import { memoryGetCache, memorySetCache, memoryDelCache, memoryDelCachePattern } from "../adapters/memoryAuth";
+
+// ---------------------------------------------------------------------------
+// Mongo cache model (lazy — only registered when "mongo" store is used)
+// ---------------------------------------------------------------------------
+
+interface CacheDoc {
+  key: string;
+  value: string;
+  expiresAt?: Date;
+}
+
+const cacheSchema = new Schema<CacheDoc>(
+  {
+    key: { type: String, required: true, unique: true },
+    value: { type: String, required: true },
+    expiresAt: { type: Date, index: { expireAfterSeconds: 0 } },
+  },
+  { collection: "cache_entries" }
+);
+
+function getCacheModel() {
+  return appConnection.models["CacheEntry"] ??
+    appConnection.model<CacheDoc>("CacheEntry", cacheSchema);
+}
+
+function isMongoReady(): boolean {
+  return appConnection.readyState === 1;
+}
+
+function isRedisReady(): boolean {
+  try { getRedis(); return true; } catch { return false; }
+}
+
+// ---------------------------------------------------------------------------
+// Shared payload type
+// ---------------------------------------------------------------------------
+
+type CachePayload = { status: number; headers: Record<string, string>; body: string };
+
+// ---------------------------------------------------------------------------
+// Store adapters
+// ---------------------------------------------------------------------------
+
+type CacheStore = "redis" | "mongo" | "sqlite" | "memory";
+
+let _defaultCacheStore: CacheStore = "redis";
+export const setCacheStore = (store: CacheStore) => { _defaultCacheStore = store; };
+
+async function storeGet(store: CacheStore, cacheKey: string): Promise<string | null> {
+  if (store === "memory") return memoryGetCache(cacheKey);
+  if (store === "sqlite") {
+    if (!isSqliteReady()) throw new Error(`cacheResponse: store is "sqlite" but SQLite is not initialized. Call setSqliteDb(path) or pass sqliteDb to createServer.`);
+    return sqliteGetCache(cacheKey);
+  }
+  if (store === "mongo") {
+    if (!isMongoReady())
+      throw new Error(`cacheResponse: store is "mongo" but appConnection is not connected. Ensure connectMongo() or connectAppMongo() is called before handling requests.`);
+    const doc = await getCacheModel().findOne({ key: cacheKey }, "value").lean();
+    return doc ? doc.value : null;
+  }
+  return getRedis().get(cacheKey);
+}
+
+async function storeSet(store: CacheStore, cacheKey: string, value: string, ttl?: number): Promise<void> {
+  if (store === "memory") { memorySetCache(cacheKey, value, ttl); return; }
+  if (store === "sqlite") {
+    if (!isSqliteReady()) throw new Error(`cacheResponse: store is "sqlite" but SQLite is not initialized. Call setSqliteDb(path) or pass sqliteDb to createServer.`);
+    sqliteSetCache(cacheKey, value, ttl);
+    return;
+  }
+  if (store === "mongo") {
+    if (!isMongoReady())
+      throw new Error(`cacheResponse: store is "mongo" but appConnection is not connected. Ensure connectMongo() or connectAppMongo() is called before handling requests.`);
+    const expiresAt = ttl ? new Date(Date.now() + ttl * 1000) : undefined;
+    await getCacheModel().updateOne(
+      { key: cacheKey },
+      { $set: { value, ...(expiresAt ? { expiresAt } : {}) } },
+      { upsert: true }
+    );
+    return;
+  }
+  if (ttl) {
+    await getRedis().setex(cacheKey, ttl, value);
+  } else {
+    await getRedis().set(cacheKey, value);
+  }
+}
+
+async function storeDel(store: CacheStore, cacheKey: string): Promise<void> {
+  if (store === "memory") { memoryDelCache(cacheKey); return; }
+  if (store === "sqlite") {
+    if (!isSqliteReady()) return;
+    sqliteDelCache(cacheKey);
+    return;
+  }
+  if (store === "mongo") {
+    if (!isMongoReady()) return;
+    await getCacheModel().deleteOne({ key: cacheKey });
+    return;
+  }
+  if (!isRedisReady()) return;
+  await getRedis().del(cacheKey);
+}
+
+async function storeDelPattern(store: CacheStore, fullPattern: string): Promise<void> {
+  if (store === "memory") { memoryDelCachePattern(fullPattern); return; }
+  if (store === "sqlite") {
+    if (!isSqliteReady()) return;
+    sqliteDelCachePattern(fullPattern);
+    return;
+  }
+  if (store === "mongo") {
+    if (!isMongoReady()) return;
+    const regex = new RegExp("^" + fullPattern.replace(/\*/g, ".*") + "$");
+    await getCacheModel().deleteMany({ key: regex });
+    return;
+  }
+  if (!isRedisReady()) return;
+  const redis = getRedis();
+  let cursor = "0";
+  do {
+    const [next, keys] = await redis.scan(cursor, "MATCH", fullPattern, "COUNT", 100);
+    cursor = next;
+    if (keys.length > 0) await redis.del(...keys);
+  } while (cursor !== "0");
+}
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+export const bustCache = async (key: string) => {
+  const cacheKey = `cache:${getAppName()}:${key}`;
+  await Promise.all([storeDel("redis", cacheKey), storeDel("mongo", cacheKey), storeDel("sqlite", cacheKey), storeDel("memory", cacheKey)]);
+};
+
+export const bustCachePattern = async (pattern: string) => {
+  const fullPattern = `cache:${getAppName()}:${pattern}`;
+  await Promise.all([storeDelPattern("redis", fullPattern), storeDelPattern("mongo", fullPattern), storeDelPattern("sqlite", fullPattern), storeDelPattern("memory", fullPattern)]);
+};
+
+type KeyFn = (c: Parameters<MiddlewareHandler<AppEnv>>[0]) => string;
+
+interface CacheOptions {
+  ttl?: number; // seconds — omit for indefinite
+  key: string | KeyFn;
+  store?: CacheStore; // default: inherits from db.cache config (setCacheStore), falls back to "redis"
+}
+
+export const cacheResponse = ({ ttl, key, store = _defaultCacheStore }: CacheOptions): MiddlewareHandler<AppEnv> => {
+  return async (c, next) => {
+    const appName = getAppName();
+    const rawKey = typeof key === "function" ? key(c) : key;
+    const cacheKey = `cache:${appName}:${rawKey}`;
+
+    const cached = await storeGet(store, cacheKey);
+    if (cached) {
+      const { status, headers, body } = JSON.parse(cached) as CachePayload;
+      return new Response(body, {
+        status,
+        headers: { ...headers, "x-cache": "HIT" },
+      });
+    }
+
+    await next();
+
+    const res = c.res;
+    if (res.status >= 200 && res.status < 300) {
+      const body = await res.text();
+      const headers: Record<string, string> = {};
+      res.headers.forEach((value, name) => { headers[name] = value; });
+
+      await storeSet(store, cacheKey, JSON.stringify({ status: res.status, headers, body }), ttl);
+
+      c.res = new Response(body, {
+        status: res.status,
+        headers: { ...headers, "x-cache": "MISS" },
+      });
+    }
+  };
+};

package/src/middleware/cors.ts

@@ -0,0 +1,19 @@
+import type { Middleware } from ".";
+
+export const cors: Middleware = async (req, next) => {
+  if (req.method === "OPTIONS") {
+    return new Response(null, { status: 204, headers: corsHeaders() });
+  }
+  const res = await next(req);
+  const headers = new Headers(res.headers);
+  for (const [k, v] of Object.entries(corsHeaders())) headers.set(k, v);
+  return new Response(res.body, { status: res.status, headers });
+};
+
+const corsHeaders = () => {
+  return {
+    "Access-Control-Allow-Origin": "*",
+    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
+    "Access-Control-Allow-Headers": "Content-Type, Authorization",
+  };
+}

package/src/middleware/errorHandler.ts

@@ -0,0 +1,14 @@
+import type { Middleware } from ".";
+import { HttpError } from "@lib/HttpError";
+
+export const errorHandler: Middleware = async (req, next) => {
+  try {
+    return await next(req);
+  } catch (err) {
+    console.error(err);
+    if (err instanceof HttpError) {
+      return Response.json({ error: err.message }, { status: err.status });
+    }
+    return Response.json({ error: "Internal Server Error" }, { status: 500 });
+  }
+};

package/src/middleware/identify.ts

@@ -0,0 +1,36 @@
+import type { MiddlewareHandler } from "hono";
+import { getCookie } from "hono/cookie";
+import type { AppEnv } from "@lib/context";
+import { verifyToken } from "@lib/jwt";
+import { getSession } from "@lib/session";
+import { COOKIE_TOKEN, HEADER_USER_TOKEN } from "@lib/constants";
+import { log } from "@lib/logger";
+
+export const identify: MiddlewareHandler<AppEnv> = async (c, next) => {
+  c.set("authUserId", null);
+  c.set("roles", null);
+
+  // cookie for browsers, x-user-token header for non-browser clients
+  const token = getCookie(c, COOKIE_TOKEN) ?? c.req.header(HEADER_USER_TOKEN) ?? null;
+  log(`[identify] token=${token ? "present" : "absent"}`);
+
+  if (token) {
+    try {
+      const payload = await verifyToken(token);
+      const stored = await getSession(payload.sub!);
+      log(`[identify] token for authUserId=${payload.sub} verified, checking session...`);
+      if (stored === token) {
+        c.set("authUserId", payload.sub!);
+        log(`[identify] authUserId=${payload.sub}`);
+      } else {
+        log("[identify] token/session mismatch — unauthenticated");
+      }
+    } catch {
+      log("[identify] invalid token — unauthenticated");
+    }
+  } else {
+    log("[identify] no token — unauthenticated");
+  }
+
+  await next();
+};

package/src/middleware/index.ts

@@ -0,0 +1,8 @@
+export type Handler = (req: Request) => Response | Promise<Response>;
+export type Middleware = (req: Request, next: Handler) => Response | Promise<Response>;
+
+export const applyMiddleware = (handler: Handler, ...middleware: Middleware[]): Handler =>
+  middleware.reduceRight<Handler>(
+    (next, mw) => (req) => mw(req, next),
+    handler
+  );

package/src/middleware/logger.ts

@@ -0,0 +1,9 @@
+import type { Middleware } from ".";
+
+export const logger: Middleware = async (req, next) => {
+  const start = performance.now();
+  const res = await next(req);
+  const ms = (performance.now() - start).toFixed(2);
+  console.log(`${req.method} ${new URL(req.url).pathname} ${res.status} ${ms}ms`);
+  return res;
+};

package/src/middleware/rateLimit.ts

@@ -0,0 +1,37 @@
+import type { MiddlewareHandler } from "hono";
+import { trackAttempt } from "@lib/authRateLimit";
+import { buildFingerprint } from "@lib/fingerprint";
+
+export interface RateLimitOptions {
+  windowMs: number;
+  max: number;
+  /** Also rate-limit by HTTP fingerprint in addition to IP. Default: false */
+  fingerprintLimit?: boolean;
+}
+
+export const rateLimit = ({
+  windowMs,
+  max,
+  fingerprintLimit = false,
+}: RateLimitOptions): MiddlewareHandler => {
+  const opts = { windowMs, max };
+
+  return async (c, next) => {
+    // Take the leftmost (client) IP from x-forwarded-for
+    const raw = c.req.header("x-forwarded-for") ?? "";
+    const ip = raw.split(",")[0]?.trim() || "unknown";
+
+    if (await trackAttempt(`ip:${ip}`, opts)) {
+      return c.json({ error: "Too Many Requests" }, 429);
+    }
+
+    if (fingerprintLimit) {
+      const fp = await buildFingerprint(c.req.raw);
+      if (await trackAttempt(`fp:${fp}`, opts)) {
+        return c.json({ error: "Too Many Requests" }, 429);
+      }
+    }
+
+    await next();
+  };
+};

package/src/middleware/requireRole.ts

@@ -0,0 +1,42 @@
+import type { MiddlewareHandler } from "hono";
+import type { AppEnv } from "@lib/context";
+import { getAuthAdapter } from "@lib/authAdapter";
+
+/**
+ * Middleware factory that enforces role-based access.
+ * Requires `identify` to have run first (authUserId must be set).
+ * Roles are fetched lazily on the first role-checked route and cached on the context.
+ *
+ * The adapter must implement `getRoles` for this to work.
+ *
+ * @example
+ * // Allow any authenticated user with the "admin" role
+ * app.get("/admin", userAuth, requireRole("admin"), handler)
+ *
+ * // Allow users with either "admin" or "moderator"
+ * app.get("/mod", userAuth, requireRole("admin", "moderator"), handler)
+ */
+export const requireRole = (...roles: string[]): MiddlewareHandler<AppEnv> => async (c, next) => {
+  const userId = c.get("authUserId");
+  if (!userId) {
+    return c.json({ error: "Unauthorized" }, 401);
+  }
+
+  // Lazy-fetch roles and cache on context so multiple requireRole calls in a chain only hit the adapter once
+  let userRoles = c.get("roles");
+  if (userRoles === null) {
+    const adapter = getAuthAdapter();
+    if (!adapter.getRoles) {
+      throw new Error("requireRole used but auth adapter does not implement getRoles");
+    }
+    userRoles = await adapter.getRoles(userId);
+    c.set("roles", userRoles);
+  }
+
+  const hasRole = roles.some((role) => userRoles!.includes(role));
+  if (!hasRole) {
+    return c.json({ error: "Forbidden" }, 403);
+  }
+
+  await next();
+};

package/src/middleware/requireVerifiedEmail.ts

@@ -0,0 +1,31 @@
+import type { MiddlewareHandler } from "hono";
+import type { AppEnv } from "@lib/context";
+import { getAuthAdapter } from "@lib/authAdapter";
+
+/**
+ * Middleware that blocks access for users whose email address has not been verified.
+ * Must run after `userAuth` (requires `authUserId` to be set on context).
+ *
+ * The adapter must implement `getEmailVerified` for this to work.
+ *
+ * @example
+ * router.use("/dashboard", userAuth, requireVerifiedEmail);
+ */
+export const requireVerifiedEmail: MiddlewareHandler<AppEnv> = async (c, next) => {
+  const userId = c.get("authUserId");
+  if (!userId) {
+    return c.json({ error: "Unauthorized" }, 401);
+  }
+
+  const adapter = getAuthAdapter();
+  if (!adapter.getEmailVerified) {
+    throw new Error("requireVerifiedEmail used but auth adapter does not implement getEmailVerified");
+  }
+
+  const verified = await adapter.getEmailVerified(userId);
+  if (!verified) {
+    return c.json({ error: "Email not verified" }, 403);
+  }
+
+  await next();
+};

package/src/middleware/userAuth.ts

@@ -0,0 +1,9 @@
+import type { MiddlewareHandler } from "hono";
+import type { AppEnv } from "@lib/context";
+
+export const userAuth: MiddlewareHandler<AppEnv> = async (c, next) => {
+  if (!c.get("authUserId")) {
+    return c.json({ error: "Unauthorized" }, 401);
+  }
+  await next();
+};

package/src/models/AuthUser.ts

@@ -0,0 +1,17 @@
+import mongoose from "mongoose";
+import { authConnection } from "@lib/mongo";
+
+const AuthUserSchema = new mongoose.Schema({
+  email: { type: String, unique: true, sparse: true, lowercase: true },
+  password: { type: String },
+  /** Compound provider keys: ["google:123456", "apple:000111"] */
+  providerIds: [{ type: String }],
+  /** App-defined roles assigned to this user: ["admin", "editor", ...] */
+  roles: [{ type: String }],
+  /** Whether the user's email address has been verified. */
+  emailVerified: { type: Boolean, default: false },
+}, { timestamps: true });
+
+AuthUserSchema.index({ providerIds: 1 });
+
+export const AuthUser = authConnection.model("AuthUser", AuthUserSchema);

package/src/routes/auth.ts

@@ -0,0 +1,245 @@
+import { createRoute } from "@hono/zod-openapi";
+import { z } from "zod";
+import { setCookie, getCookie, deleteCookie } from "hono/cookie";
+import * as AuthService from "@services/auth";
+import { makeRegisterSchema, makeLoginSchema } from "@schemas/auth";
+import { COOKIE_TOKEN, HEADER_USER_TOKEN } from "@lib/constants";
+import { userAuth } from "@middleware/userAuth";
+import { isLimited, trackAttempt, bustAuthLimit } from "@lib/authRateLimit";
+import { getAuthAdapter } from "@lib/authAdapter";
+import { createRouter } from "@lib/context";
+import { getVerificationToken, deleteVerificationToken, createVerificationToken } from "@lib/emailVerification";
+import type { PrimaryField, EmailVerificationConfig } from "@lib/appConfig";
+import type { AuthRateLimitConfig } from "../app";
+
+const isProd = process.env.NODE_ENV === "production";
+const TokenResponse = z.object({ token: z.string(), emailVerified: z.boolean().optional() });
+const ErrorResponse = z.object({ error: z.string() });
+
+const cookieOptions = {
+  httpOnly: true,
+  secure: isProd,
+  sameSite: "Lax" as const,
+  path: "/",
+  maxAge: 60 * 60 * 24 * 7, // 7 days
+};
+
+export interface AuthRouterOptions {
+  primaryField: PrimaryField;
+  emailVerification?: EmailVerificationConfig;
+  rateLimit?: AuthRateLimitConfig;
+}
+
+export const createAuthRouter = ({ primaryField, emailVerification, rateLimit }: AuthRouterOptions) => {
+  const router = createRouter();
+  const RegisterSchema = makeRegisterSchema(primaryField);
+  const LoginSchema = makeLoginSchema(primaryField);
+  const fieldLabel = primaryField.charAt(0).toUpperCase() + primaryField.slice(1);
+  const alreadyRegisteredMsg = `${fieldLabel} already registered`;
+
+  // Resolve limits with defaults
+  const loginOpts    = { windowMs: rateLimit?.login?.windowMs               ?? 15 * 60 * 1000, max: rateLimit?.login?.max               ?? 10 };
+  const registerOpts = { windowMs: rateLimit?.register?.windowMs            ?? 60 * 60 * 1000, max: rateLimit?.register?.max            ?? 5  };
+  const verifyOpts   = { windowMs: rateLimit?.verifyEmail?.windowMs         ?? 15 * 60 * 1000, max: rateLimit?.verifyEmail?.max         ?? 10 };
+  const resendOpts   = { windowMs: rateLimit?.resendVerification?.windowMs  ?? 60 * 60 * 1000, max: rateLimit?.resendVerification?.max  ?? 3  };
+
+  router.openapi(
+    createRoute({
+      method: "post",
+      path: "/auth/register",
+      tags: ["Core"],
+      request: { body: { content: { "application/json": { schema: RegisterSchema } } } },
+      responses: {
+        201: { content: { "application/json": { schema: TokenResponse } }, description: "Registered" },
+        400: { content: { "application/json": { schema: ErrorResponse } }, description: "Validation error" },
+        409: { content: { "application/json": { schema: ErrorResponse } }, description: alreadyRegisteredMsg },
+        429: { content: { "application/json": { schema: ErrorResponse } }, description: "Too many attempts" },
+      },
+    }),
+    async (c) => {
+      const ip = c.req.header("x-forwarded-for") ?? "unknown";
+      if (await trackAttempt(`register:${ip}`, registerOpts)) {
+        return c.json({ error: "Too many registration attempts. Try again later." }, 429);
+      }
+      const body = c.req.valid("json") as Record<string, string>;
+      const identifier = body[primaryField];
+      const token = await AuthService.register(identifier, body.password);
+      setCookie(c, COOKIE_TOKEN, token, cookieOptions);
+      return c.json({ token }, 201);
+    }
+  );
+
+  router.openapi(
+    createRoute({
+      method: "post",
+      path: "/auth/login",
+      tags: ["Core"],
+      request: { body: { content: { "application/json": { schema: LoginSchema } } } },
+      responses: {
+        200: { content: { "application/json": { schema: TokenResponse } }, description: "Logged in" },
+        401: { content: { "application/json": { schema: ErrorResponse } }, description: "Invalid credentials" },
+        403: { content: { "application/json": { schema: ErrorResponse } }, description: "Email not verified" },
+        429: { content: { "application/json": { schema: ErrorResponse } }, description: "Too many attempts" },
+      },
+    }),
+    async (c) => {
+      const body = c.req.valid("json") as Record<string, string>;
+      const identifier = body[primaryField];
+      const limitKey = `login:${identifier}`;
+      if (await isLimited(limitKey, loginOpts)) {
+        return c.json({ error: "Too many failed login attempts. Try again later." }, 429);
+      }
+      try {
+        const result = await AuthService.login(identifier, body.password);
+        await bustAuthLimit(limitKey); // success — clear failure count
+        setCookie(c, COOKIE_TOKEN, result.token, cookieOptions);
+        return c.json(result, 200);
+      } catch (err) {
+        await trackAttempt(limitKey, loginOpts); // failure — count it
+        throw err;
+      }
+    }
+  );
+
+  router.use("/auth/me", userAuth);
+
+  router.openapi(
+    createRoute({
+      method: "get",
+      path: "/auth/me",
+      tags: ["Core"],
+      responses: {
+        200: {
+          content: {
+            "application/json": {
+              schema: z.object({
+                userId: z.string(),
+                email: z.string().optional(),
+                emailVerified: z.boolean().optional(),
+                googleLinked: z.boolean().optional(),
+              }),
+            },
+          },
+          description: "Current user",
+        },
+        401: { content: { "application/json": { schema: ErrorResponse } }, description: "Unauthorized" },
+      },
+    }),
+    async (c) => {
+      const authUserId = c.get("authUserId")!;
+      const adapter = getAuthAdapter();
+      const user = adapter.getUser ? await adapter.getUser(authUserId) : null;
+      const googleLinked = user?.providerIds?.some((id) => id.startsWith("google:")) ?? false;
+      return c.json({ userId: authUserId, email: user?.email, emailVerified: user?.emailVerified, googleLinked }, 200);
+    }
+  );
+
+  router.use("/auth/set-password", userAuth);
+
+  router.openapi(
+    createRoute({
+      method: "post",
+      path: "/auth/set-password",
+      tags: ["Core"],
+      request: { body: { content: { "application/json": { schema: z.object({ password: z.string().min(8) }) } } } },
+      responses: {
+        200: { content: { "application/json": { schema: z.object({ message: z.string() }) } }, description: "Password set" },
+        400: { content: { "application/json": { schema: ErrorResponse } }, description: "Validation error" },
+        501: { content: { "application/json": { schema: ErrorResponse } }, description: "Not supported by adapter" },
+      },
+    }),
+    async (c) => {
+      const adapter = getAuthAdapter();
+      if (!adapter.setPassword) {
+        return c.json({ error: "Auth adapter does not support setPassword" }, 501);
+      }
+      const { password } = c.req.valid("json");
+      const authUserId = c.get("authUserId")!;
+      const passwordHash = await Bun.password.hash(password);
+      await adapter.setPassword(authUserId, passwordHash);
+      return c.json({ message: "Password updated" }, 200);
+    }
+  );
+
+  router.openapi(
+    createRoute({
+      method: "post",
+      path: "/auth/logout",
+      tags: ["Core"],
+      responses: {
+        200: { content: { "application/json": { schema: z.object({ message: z.string() }) } }, description: "Logged out" },
+      },
+    }),
+    async (c) => {
+      const token = getCookie(c, COOKIE_TOKEN) ?? c.req.header(HEADER_USER_TOKEN) ?? null;
+      await AuthService.logout(token);
+      deleteCookie(c, COOKIE_TOKEN, { path: "/" });
+      return c.json({ message: "Logged out" }, 200);
+    }
+  );
+
+  // Email verification routes — only mounted when emailVerification is configured and primaryField is "email"
+  if (emailVerification && primaryField === "email") {
+    router.openapi(
+      createRoute({
+        method: "post",
+        path: "/auth/verify-email",
+        tags: ["Core"],
+        request: { body: { content: { "application/json": { schema: z.object({ token: z.string() }) } } } },
+        responses: {
+          200: { content: { "application/json": { schema: z.object({ message: z.string() }) } }, description: "Email verified" },
+          400: { content: { "application/json": { schema: ErrorResponse } }, description: "Invalid or expired token" },
+          429: { content: { "application/json": { schema: ErrorResponse } }, description: "Too many attempts" },
+        },
+      }),
+      async (c) => {
+        const ip = c.req.header("x-forwarded-for") ?? "unknown";
+        if (await trackAttempt(`verify:${ip}`, verifyOpts)) {
+          return c.json({ error: "Too many verification attempts. Try again later." }, 429);
+        }
+        const { token } = c.req.valid("json");
+        const adapter = getAuthAdapter();
+        const entry = await getVerificationToken(token);
+        if (!entry) return c.json({ error: "Invalid or expired verification token" }, 400);
+        if (adapter.setEmailVerified) await adapter.setEmailVerified(entry.userId, true);
+        await deleteVerificationToken(token);
+        return c.json({ message: "Email verified" }, 200);
+      }
+    );
+
+    router.use("/auth/resend-verification", userAuth);
+
+    router.openapi(
+      createRoute({
+        method: "post",
+        path: "/auth/resend-verification",
+        tags: ["Core"],
+        responses: {
+          200: { content: { "application/json": { schema: z.object({ message: z.string() }) } }, description: "Verification email sent" },
+          400: { content: { "application/json": { schema: ErrorResponse } }, description: "Already verified" },
+          429: { content: { "application/json": { schema: ErrorResponse } }, description: "Too many attempts" },
+          501: { content: { "application/json": { schema: ErrorResponse } }, description: "Not supported by adapter" },
+        },
+      }),
+      async (c) => {
+        const adapter = getAuthAdapter();
+        if (!adapter.getEmailVerified || !adapter.getUser) {
+          return c.json({ error: "Auth adapter does not support email verification" }, 501);
+        }
+        const authUserId = c.get("authUserId")!;
+        if (await trackAttempt(`resend:${authUserId}`, resendOpts)) {
+          return c.json({ error: "Too many resend attempts. Try again later." }, 429);
+        }
+        const alreadyVerified = await adapter.getEmailVerified(authUserId);
+        if (alreadyVerified) return c.json({ error: "Email already verified" }, 400);
+        const user = await adapter.getUser(authUserId);
+        if (!user?.email) return c.json({ error: "No email address on file" }, 400);
+        const verificationToken = await createVerificationToken(authUserId, user.email);
+        await emailVerification.onSend(user.email, verificationToken);
+        return c.json({ message: "Verification email sent" }, 200);
+      }
+    );
+  }
+
+  return router;
+};