@lastshotlabs/bunshot 0.0.1

package/src/routes/health.ts

@@ -0,0 +1,27 @@
+import { createRoute } from "@hono/zod-openapi";
+import { z } from "zod";
+import { createRouter } from "@lib/context";
+
+export const router = createRouter();
+
+router.openapi(
+  createRoute({
+    method: "get",
+    path: "/health",
+    tags: ["Core"],
+    responses: {
+      200: {
+        content: {
+          "application/json": {
+            schema: z.object({
+              status: z.enum(["ok"]),
+              timestamp: z.string(),
+            }),
+          },
+        },
+        description: "Service health check",
+      },
+    },
+  }),
+  (c) => c.json({ status: "ok" as "ok", timestamp: new Date().toISOString() })
+);

package/src/routes/home.ts

@@ -0,0 +1,21 @@
+import { createRoute } from "@hono/zod-openapi";
+import { z } from "zod";
+import { getAppName } from "@lib/appConfig";
+import { createRouter } from "@lib/context";
+
+export const router = createRouter();
+
+router.openapi(
+  createRoute({
+    method: "get",
+    path: "/",
+    tags: ["Core"],
+    responses: {
+      200: {
+        content: { "application/json": { schema: z.object({ message: z.string() }) } },
+        description: "API is running",
+      },
+    },
+  }),
+  (c) => c.json({ message: `${getAppName()} is running` })
+);

package/src/routes/oauth.ts

@@ -0,0 +1,174 @@
+import { createRouter } from "@lib/context";
+import { setCookie } from "hono/cookie";
+import { decodeIdToken } from "arctic";
+import type { Context } from "hono";
+import type { AppEnv } from "@lib/context";
+import {
+  getGoogle, getApple,
+  storeOAuthState, consumeOAuthState,
+  generateState, generateCodeVerifier,
+} from "@lib/oauth";
+import { getAuthAdapter } from "@lib/authAdapter";
+import { HttpError } from "@lib/HttpError";
+import { signToken } from "@lib/jwt";
+import { createSession } from "@lib/session";
+import { COOKIE_TOKEN } from "@lib/constants";
+import { userAuth } from "@middleware/userAuth";
+import { getDefaultRole } from "@lib/appConfig";
+
+const isProd = process.env.NODE_ENV === "production";
+
+const cookieOptions = {
+  httpOnly: true,
+  secure: isProd,
+  sameSite: "Lax" as const,
+  path: "/",
+  maxAge: 60 * 60 * 24 * 7,
+};
+
+const finishOAuth = async (
+  c: Context<AppEnv>,
+  provider: string,
+  providerId: string,
+  profile: { email?: string; name?: string; avatarUrl?: string },
+  postLoginRedirect: string,
+) => {
+  const adapter = getAuthAdapter();
+  if (!adapter.findOrCreateByProvider) {
+    return c.json({ error: "Auth adapter does not support social login" }, 500);
+  }
+  let user: { id: string; created: boolean };
+  try {
+    user = await adapter.findOrCreateByProvider(provider, providerId, profile);
+  } catch (err) {
+    const message = err instanceof HttpError ? err.message : "Authentication failed";
+    const sep = postLoginRedirect.includes("?") ? "&" : "?";
+    return c.redirect(`${postLoginRedirect}${sep}error=${encodeURIComponent(message)}`);
+  }
+  if (user.created) {
+    const role = getDefaultRole();
+    if (role && adapter.setRoles) await adapter.setRoles(user.id, [role]);
+  }
+  const token = await signToken(user.id);
+  await createSession(user.id, token);
+  setCookie(c, COOKIE_TOKEN, token, cookieOptions);
+
+  // Append token to redirect so non-browser clients (mobile deep links) can extract it.
+  // Browser apps can safely ignore the query param.
+  try {
+    const url = new URL(postLoginRedirect);
+    url.searchParams.set("token", token);
+    if (profile.email) url.searchParams.set("user", profile.email);
+    return c.redirect(url.toString());
+  } catch {
+    // Relative path fallback
+    const sep = postLoginRedirect.includes("?") ? "&" : "?";
+    const userParam = profile.email ? `&user=${encodeURIComponent(profile.email)}` : "";
+    return c.redirect(`${postLoginRedirect}${sep}token=${token}${userParam}`);
+  }
+};
+
+export const createOAuthRouter = (providers: string[], postLoginRedirect: string) => {
+  const router = createRouter();
+
+  // ─── Google ───────────────────────────────────────────────────────────────
+  if (providers.includes("google")) {
+    router.get("/auth/google", async (c) => {
+      const state = generateState();
+      const codeVerifier = generateCodeVerifier();
+      await storeOAuthState(state, codeVerifier);
+      const url = getGoogle().createAuthorizationURL(state, codeVerifier, ["openid", "profile", "email"]);
+      return c.redirect(url.toString());
+    });
+
+    router.get("/auth/google/callback", async (c) => {
+      const { code, state } = c.req.query();
+      if (!code || !state) return c.json({ error: "Invalid callback" }, 400);
+
+      const stored = await consumeOAuthState(state);
+      if (!stored?.codeVerifier) return c.json({ error: "Invalid or expired state" }, 400);
+
+      const tokens = await getGoogle().validateAuthorizationCode(code, stored.codeVerifier);
+      const info = await fetch("https://openidconnect.googleapis.com/v1/userinfo", {
+        headers: { Authorization: `Bearer ${tokens.accessToken()}` },
+      }).then((r) => r.json()) as { sub: string; email?: string; name?: string; picture?: string };
+
+      if (stored.linkUserId) {
+        const adapter = getAuthAdapter();
+        if (!adapter.linkProvider) return c.json({ error: "Auth adapter does not support linkProvider" }, 500);
+        await adapter.linkProvider(stored.linkUserId, "google", info.sub);
+        const sep = postLoginRedirect.includes("?") ? "&" : "?";
+        return c.redirect(`${postLoginRedirect}${sep}linked=google`);
+      }
+
+      return finishOAuth(c, "google", info.sub, { email: info.email, name: info.name, avatarUrl: info.picture }, postLoginRedirect);
+    });
+
+    router.get("/auth/google/link", userAuth, async (c) => {
+      const state = generateState();
+      const codeVerifier = generateCodeVerifier();
+      await storeOAuthState(state, codeVerifier, c.get("authUserId")!);
+      const url = getGoogle().createAuthorizationURL(state, codeVerifier, ["openid", "profile", "email"]);
+      return c.redirect(url.toString());
+    });
+
+    router.delete("/auth/google/link", userAuth, async (c) => {
+      const adapter = getAuthAdapter();
+      if (!adapter.unlinkProvider) {
+        return c.json({ error: "Auth adapter does not support unlinkProvider" }, 500);
+      }
+      await adapter.unlinkProvider(c.get("authUserId")!, "google");
+      return c.body(null, 204);
+    });
+  }
+
+  // ─── Apple ────────────────────────────────────────────────────────────────
+  if (providers.includes("apple")) {
+    router.get("/auth/apple", async (c) => {
+      const state = generateState();
+      await storeOAuthState(state);
+      const url = getApple().createAuthorizationURL(state, ["name", "email"]);
+      return c.redirect(url.toString());
+    });
+
+    // Apple sends a POST with form data to the callback URL
+    router.post("/auth/apple/callback", async (c) => {
+      const form = await c.req.formData();
+      const code = form.get("code") as string | null;
+      const state = form.get("state") as string | null;
+      if (!code || !state) return c.json({ error: "Invalid callback" }, 400);
+
+      const stored = await consumeOAuthState(state);
+      if (!stored) return c.json({ error: "Invalid or expired state" }, 400);
+
+      const tokens = await getApple().validateAuthorizationCode(code);
+      const claims = decodeIdToken(tokens.idToken()) as { sub: string; email?: string };
+
+      if (stored.linkUserId) {
+        const adapter = getAuthAdapter();
+        if (!adapter.linkProvider) return c.json({ error: "Auth adapter does not support linkProvider" }, 500);
+        await adapter.linkProvider(stored.linkUserId, "apple", claims.sub);
+        const sep = postLoginRedirect.includes("?") ? "&" : "?";
+        return c.redirect(`${postLoginRedirect}${sep}linked=apple`);
+      }
+
+      // Apple only sends name on the very first sign-in
+      const userJSON = form.get("user") as string | null;
+      const userInfo = userJSON ? JSON.parse(userJSON) as { name?: { firstName?: string; lastName?: string } } : {};
+      const name = userInfo.name
+        ? `${userInfo.name.firstName ?? ""} ${userInfo.name.lastName ?? ""}`.trim() || undefined
+        : undefined;
+
+      return finishOAuth(c, "apple", claims.sub, { email: claims.email, name }, postLoginRedirect);
+    });
+
+    router.get("/auth/apple/link", userAuth, async (c) => {
+      const state = generateState();
+      await storeOAuthState(state, undefined, c.get("authUserId")!);
+      const url = getApple().createAuthorizationURL(state, ["name", "email"]);
+      return c.redirect(url.toString());
+    });
+  }
+
+  return router;
+};

package/src/schemas/auth.ts

@@ -0,0 +1,14 @@
+import { z } from "zod";
+import type { PrimaryField } from "@lib/appConfig";
+
+export const makeRegisterSchema = (primaryField: PrimaryField) =>
+  z.object({
+    [primaryField]: primaryField === "email" ? z.string().email() : z.string().min(3),
+    password: z.string().min(8),
+  });
+
+export const makeLoginSchema = (primaryField: PrimaryField) =>
+  z.object({
+    [primaryField]: primaryField === "email" ? z.string().email() : z.string().min(1),
+    password: z.string().min(1),
+  });

package/src/server.ts

@@ -0,0 +1,91 @@
+import type { Server, ServerWebSocket, WebSocketHandler } from "bun";
+import { createApp, type CreateAppConfig } from "./app";
+import { websocket as defaultWebsocket, createWsUpgradeHandler, type SocketData } from "@ws/index";
+import { setWsServer, handleRoomActions, cleanupSocket } from "@lib/ws";
+import { log } from "@lib/logger";
+
+export interface WsConfig<T extends object = object> {
+  /** Override or extend the default WebSocket handler */
+  handler?: WebSocketHandler<SocketData<T>>;
+  /** Override the default /ws upgrade handler (auth + upgrade logic) */
+  upgradeHandler?: (req: Request, server: Server<SocketData<T>>) => Promise<Response | undefined>;
+  /**
+   * Guard called before a socket joins a room via the subscribe action.
+   * Return true to allow, false to deny (client receives { event: "subscribe_denied", room }).
+   * ws.data.userId is available for auth checks.
+   */
+  onRoomSubscribe?: (ws: ServerWebSocket<SocketData<T>>, room: string) => boolean | Promise<boolean>;
+}
+
+export interface CreateServerConfig<T extends object = object> extends CreateAppConfig {
+  port?: number;
+  /** Absolute path to the service's workers directory — auto-imports all .ts files */
+  workersDir?: string;
+  /** Set false to disable auto-loading workers. Defaults to true */
+  enableWorkers?: boolean;
+  /** WebSocket configuration */
+  ws?: WsConfig<T>;
+}
+
+export const createServer = async <T extends object = object>(
+  config: CreateServerConfig<T>
+): Promise<Server<SocketData<T>>> => {
+  const app = await createApp(config);
+  const port = Number(process.env.PORT ?? config.port ?? 3000);
+  const { workersDir, enableWorkers = true, ws: wsConfig = {} } = config;
+  const { handler: userWs, upgradeHandler: wsUpgradeHandler, onRoomSubscribe } = wsConfig;
+
+  // Default handlers are typed for the base SocketData — cast is safe because
+  // they only access id/userId/rooms which exist in every SocketData<T>.
+  type SD = SocketData<T>;
+  const defaultOpen = defaultWebsocket.open as WebSocketHandler<SD>["open"];
+  const defaultMessage = defaultWebsocket.message as WebSocketHandler<SD>["message"];
+  const defaultClose = defaultWebsocket.close as WebSocketHandler<SD>["close"];
+  const defaultDrain = defaultWebsocket.drain as WebSocketHandler<SD>["drain"];
+
+  const ws: WebSocketHandler<SD> = {
+    open: userWs?.open ?? defaultOpen,
+    async message(socket, message) {
+      if (!await handleRoomActions(socket, message, onRoomSubscribe)) {
+        (userWs?.message ?? defaultMessage!)(socket, message);
+      }
+    },
+    close(socket, code, reason) {
+      cleanupSocket(socket.data.id, socket.data.rooms);
+      socket.data.rooms.clear();
+      (userWs?.close ?? defaultClose!)(socket, code, reason);
+    },
+    drain: userWs?.drain ?? defaultDrain,
+  };
+
+  let server: Server<SD>;
+
+  server = Bun.serve<SD>({
+    port,
+    routes: {
+      "/ws": (req: Request) => wsUpgradeHandler
+        ? wsUpgradeHandler(req, server)
+        : createWsUpgradeHandler(server as Server<SocketData>)(req),
+    },
+    fetch: app.fetch,
+    websocket: ws,
+    error(err) {
+      console.error(err);
+      return Response.json({ error: "Internal Server Error" }, { status: 500 });
+    },
+  });
+
+  setWsServer(server);
+
+  if (enableWorkers && workersDir) {
+    const glob = new Bun.Glob("**/*.ts");
+    for await (const file of glob.scan({ cwd: workersDir })) {
+      await import(`${workersDir}/${file}`);
+    }
+  }
+
+  log(`[server] running at http://localhost:${server.port}`);
+  log(`[server] API docs at http://localhost:${server.port}/docs`);
+
+  return server;
+};

package/src/services/auth.ts

@@ -0,0 +1,59 @@
+import { getAuthAdapter } from "@lib/authAdapter";
+import { HttpError } from "@lib/HttpError";
+import { signToken, verifyToken } from "@lib/jwt";
+import { createSession, deleteSession } from "@lib/session";
+import { getDefaultRole, getPrimaryField, getEmailVerificationConfig } from "@lib/appConfig";
+import { createVerificationToken } from "@lib/emailVerification";
+
+export const register = async (identifier: string, password: string): Promise<string> => {
+  const hashed = await Bun.password.hash(password);
+  const adapter = getAuthAdapter();
+  const user = await adapter.create(identifier, hashed);
+  const role = getDefaultRole();
+  if (role) await adapter.setRoles!(user.id, [role]);
+  const token = await signToken(user.id);
+  await createSession(user.id, token);
+
+  const evConfig = getEmailVerificationConfig();
+  if (evConfig && getPrimaryField() === "email") {
+    try {
+      const verificationToken = await createVerificationToken(user.id, identifier);
+      await evConfig.onSend(identifier, verificationToken);
+    } catch (e) {
+      console.error("[email-verification] Failed to send verification email:", e);
+    }
+  }
+
+  return token;
+};
+
+export const login = async (identifier: string, password: string): Promise<{ token: string; emailVerified?: boolean }> => {
+  const adapter = getAuthAdapter();
+  const findFn = adapter.findByIdentifier ?? adapter.findByEmail.bind(adapter);
+  const user = await findFn(identifier);
+  if (!user || !(await Bun.password.verify(password, user.passwordHash))) {
+    throw new HttpError(401, "Invalid credentials");
+  }
+
+  const evConfig = getEmailVerificationConfig();
+  if (evConfig && getPrimaryField() === "email" && adapter.getEmailVerified) {
+    const verified = await adapter.getEmailVerified(user.id);
+    if (evConfig.required && !verified) {
+      throw new HttpError(403, "Email not verified");
+    }
+    const token = await signToken(user.id);
+    await createSession(user.id, token);
+    return { token, emailVerified: verified };
+  }
+
+  const token = await signToken(user.id);
+  await createSession(user.id, token);
+  return { token };
+};
+
+export const logout = async (token: string | null) => {
+  if (token) {
+    const payload = await verifyToken(token);
+    await deleteSession(payload.sub!);
+  }
+};

package/src/ws/index.ts

@@ -0,0 +1,42 @@
+import type { Server, WebSocketHandler } from "bun";
+import { verifyToken } from "@lib/jwt";
+import { getSession } from "@lib/session";
+import { COOKIE_TOKEN } from "@lib/constants";
+
+export type SocketData<T extends object = object> = {
+  id: string;
+  userId: string | null;
+  rooms: Set<string>;
+} & T;
+
+type BaseSocketData = SocketData<object>;
+
+export const createWsUpgradeHandler = (server: Server<BaseSocketData>) =>
+  async (req: Request): Promise<Response | undefined> => {
+    let userId: string | null = null;
+    try {
+      const token = req.headers.get("cookie")
+        ?.match(new RegExp(`(?:^|;\\s*)${COOKIE_TOKEN}=([^;]+)`))?.[1] ?? null;
+      if (token) {
+        const payload = await verifyToken(token);
+        const stored = await getSession(payload.sub!);
+        if (stored === token) userId = payload.sub!;
+      }
+    } catch { /* unauthenticated — userId stays null */ }
+
+    const upgraded = server.upgrade(req, { data: { id: crypto.randomUUID(), userId, rooms: new Set() } });
+    return upgraded ? undefined : Response.json({ error: "Upgrade failed" }, { status: 400 });
+  };
+
+export const websocket: WebSocketHandler<BaseSocketData> = {
+  open(ws) {
+    console.log(`[ws] connected: ${ws.data.id}`);
+    ws.send(JSON.stringify({ event: "connected", id: ws.data.id }));
+  },
+  message(ws, message) {
+    ws.send(message);
+  },
+  close(ws) {
+    console.log(`[ws] disconnected: ${ws.data.id}`);
+  },
+};

package/tsconfig.json

@@ -0,0 +1,43 @@
+{
+  "compilerOptions": {
+    "types": [
+      "bun"
+    ],
+    "strict": true,
+    "moduleResolution": "bundler",
+    "module": "ESNext",
+    "target": "ESNext",
+    "paths": {
+      "@lib/*": [
+        "./src/lib/*"
+      ],
+      "@middleware/*": [
+        "./src/middleware/*"
+      ],
+      "@models/*": [
+        "./src/models/*"
+      ],
+      "@queues/*": [
+        "./src/queues/*"
+      ],
+      "@routes/*": [
+        "./src/routes/*"
+      ],
+      "@scripts/*": [
+        "./src/scripts/*"
+      ],
+      "@services/*": [
+        "./src/services/*"
+      ],
+      "@workers/*": [
+        "./src/workers/*"
+      ],
+      "@ws/*": [
+        "./src/ws/*"
+      ],
+      "@schemas/*": [
+        "./src/schemas/*"
+      ]
+    },
+  }
+}