npm - @lastshotlabs/bunshot - Versions diffs - 0.0.10 → 0.0.16 - Mend

@lastshotlabs/bunshot 0.0.10 → 0.0.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (100) hide show

package/README.md +2510 -1580
package/dist/adapters/memoryAuth.d.ts +4 -0
package/dist/adapters/memoryAuth.js +131 -2
package/dist/adapters/mongoAuth.js +56 -0
package/dist/adapters/sqliteAuth.d.ts +6 -0
package/dist/adapters/sqliteAuth.js +137 -2
package/dist/app.d.ts +107 -2
package/dist/app.js +83 -4
package/dist/entrypoints/queue.d.ts +2 -2
package/dist/entrypoints/queue.js +1 -1
package/dist/index.d.ts +15 -5
package/dist/index.js +10 -3
package/dist/lib/appConfig.d.ts +46 -0
package/dist/lib/appConfig.js +20 -0
package/dist/lib/authAdapter.d.ts +30 -0
package/dist/lib/constants.d.ts +2 -0
package/dist/lib/constants.js +2 -0
package/dist/lib/context.d.ts +2 -0
package/dist/lib/createDtoMapper.d.ts +33 -0
package/dist/lib/createDtoMapper.js +69 -0
package/dist/lib/createRoute.d.ts +61 -0
package/dist/lib/createRoute.js +147 -0
package/dist/lib/jwt.d.ts +1 -1
package/dist/lib/jwt.js +2 -2
package/dist/lib/mfaChallenge.d.ts +20 -0
package/dist/lib/mfaChallenge.js +184 -0
package/dist/lib/queue.d.ts +33 -0
package/dist/lib/queue.js +98 -0
package/dist/lib/roles.d.ts +4 -0
package/dist/lib/roles.js +27 -0
package/dist/lib/session.d.ts +12 -0
package/dist/lib/session.js +163 -5
package/dist/lib/tenant.d.ts +15 -0
package/dist/lib/tenant.js +65 -0
package/dist/lib/zodToMongoose.d.ts +38 -0
package/dist/lib/zodToMongoose.js +84 -0
package/dist/middleware/cacheResponse.js +4 -1
package/dist/middleware/rateLimit.d.ts +2 -1
package/dist/middleware/rateLimit.js +5 -2
package/dist/middleware/requireRole.d.ts +14 -3
package/dist/middleware/requireRole.js +46 -6
package/dist/middleware/tenant.d.ts +5 -0
package/dist/middleware/tenant.js +116 -0
package/dist/models/AuthUser.d.ts +8 -0
package/dist/models/AuthUser.js +8 -0
package/dist/models/TenantRole.d.ts +15 -0
package/dist/models/TenantRole.js +23 -0
package/dist/routes/auth.d.ts +5 -3
package/dist/routes/auth.js +253 -80
package/dist/routes/jobs.d.ts +2 -0
package/dist/routes/jobs.js +270 -0
package/dist/routes/mfa.d.ts +1 -0
package/dist/routes/mfa.js +409 -0
package/dist/routes/oauth.js +107 -16
package/dist/server.js +9 -0
package/dist/services/auth.d.ts +21 -2
package/dist/services/auth.js +97 -17
package/dist/services/mfa.d.ts +37 -0
package/dist/services/mfa.js +276 -0
package/docs/sections/adding-middleware/full.md +35 -0
package/docs/sections/adding-models/full.md +125 -0
package/docs/sections/adding-models/overview.md +13 -0
package/docs/sections/adding-routes/full.md +182 -0
package/docs/sections/adding-routes/overview.md +23 -0
package/docs/sections/auth-flow/full.md +456 -0
package/docs/sections/auth-flow/overview.md +10 -0
package/docs/sections/cli/full.md +30 -0
package/docs/sections/configuration/full.md +135 -0
package/docs/sections/configuration/overview.md +17 -0
package/docs/sections/configuration-example/full.md +99 -0
package/docs/sections/configuration-example/overview.md +30 -0
package/docs/sections/documentation/full.md +171 -0
package/docs/sections/environment-variables/full.md +55 -0
package/docs/sections/exports/full.md +83 -0
package/docs/sections/extending-context/full.md +59 -0
package/docs/sections/header.md +3 -0
package/docs/sections/installation/full.md +6 -0
package/docs/sections/jobs/full.md +140 -0
package/docs/sections/jobs/overview.md +15 -0
package/docs/sections/mongodb-connections/full.md +45 -0
package/docs/sections/mongodb-connections/overview.md +7 -0
package/docs/sections/multi-tenancy/full.md +62 -0
package/docs/sections/multi-tenancy/overview.md +15 -0
package/docs/sections/oauth/full.md +119 -0
package/docs/sections/oauth/overview.md +16 -0
package/docs/sections/package-development/full.md +7 -0
package/docs/sections/peer-dependencies/full.md +43 -0
package/docs/sections/quick-start/full.md +43 -0
package/docs/sections/response-caching/full.md +115 -0
package/docs/sections/response-caching/overview.md +13 -0
package/docs/sections/roles/full.md +136 -0
package/docs/sections/roles/overview.md +12 -0
package/docs/sections/running-without-redis/full.md +16 -0
package/docs/sections/running-without-redis-or-mongodb/full.md +60 -0
package/docs/sections/stack/full.md +10 -0
package/docs/sections/websocket/full.md +100 -0
package/docs/sections/websocket/overview.md +5 -0
package/docs/sections/websocket-rooms/full.md +97 -0
package/docs/sections/websocket-rooms/overview.md +5 -0
package/package.json +19 -10

package/dist/app.js CHANGED Viewed

@@ -7,8 +7,8 @@ import { HttpError } from "./lib/HttpError";
 import { rateLimit } from "./middleware/rateLimit";
 import { bearerAuth } from "./middleware/bearerAuth";
 import { identify } from "./middleware/identify";
-import { HEADER_USER_TOKEN } from "./lib/constants";
-import { setAppName, setAppRoles, setDefaultRole, setPrimaryField, setEmailVerificationConfig, setPasswordResetConfig, setMaxSessions, setPersistSessionMetadata, setIncludeInactiveSessions, setTrackLastActive } from "./lib/appConfig";
+import { HEADER_USER_TOKEN, HEADER_REFRESH_TOKEN } from "./lib/constants";
+import { setAppName, setAppRoles, setDefaultRole, setPrimaryField, setEmailVerificationConfig, setPasswordResetConfig, setMaxSessions, setPersistSessionMetadata, setIncludeInactiveSessions, setTrackLastActive, setRefreshTokenConfig, setMfaConfig } from "./lib/appConfig";
 import { setEmailVerificationStore } from "./lib/emailVerification";
 import { setPasswordResetStore } from "./lib/resetPassword";
 import { setAuthRateLimitStore } from "./lib/authRateLimit";
@@ -21,6 +21,7 @@ import { connectMongo, connectAuthMongo, connectAppMongo } from "./lib/mongo";
 import { connectRedis } from "./lib/redis";
 import { setSessionStore } from "./lib/session";
 import { setCacheStore } from "./middleware/cacheResponse";
+import { maybeAutoRegister } from "./lib/createRoute";
 export const createApp = async (config) => {
     const { routesDir, app: appConfig = {}, auth: authConfig = {}, security: securityConfig = {}, middleware = [], db = {}, } = config;
     const appName = appConfig.name ?? "Bun Core API";
@@ -109,6 +110,8 @@ export const createApp = async (config) => {
     setPersistSessionMetadata(sessionPolicy.persistSessionMetadata ?? true);
     setIncludeInactiveSessions(sessionPolicy.includeInactiveSessions ?? false);
     setTrackLastActive(sessionPolicy.trackLastActive ?? false);
+    setRefreshTokenConfig(authConfig.refreshTokens ?? null);
+    setMfaConfig(authConfig.mfa ?? null);
     if (oauthProviders)
         initOAuthProviders(oauthProviders);
     const configuredOAuth = getConfiguredOAuthProviders();
@@ -124,7 +127,7 @@ export const createApp = async (config) => {
     const app = new OpenAPIHono();
     app.use(logger());
     app.use(secureHeaders());
-    app.use(cors({ origin: corsOrigins, allowHeaders: ["Content-Type", "Authorization", HEADER_USER_TOKEN], exposeHeaders: ["x-cache"], credentials: true }));
+    app.use(cors({ origin: corsOrigins, allowHeaders: ["Content-Type", "Authorization", HEADER_USER_TOKEN, HEADER_REFRESH_TOKEN], exposeHeaders: ["x-cache"], credentials: true }));
     if ((botCfg.blockList?.length ?? 0) > 0) {
         const { botProtection } = await import("./middleware/botProtection");
         app.use(botProtection({ blockList: botCfg.blockList }));
@@ -140,9 +143,50 @@ export const createApp = async (config) => {
         });
     }
     app.use(identify);
+    // Tenant resolution middleware (after identify, before user middleware + routes)
+    if (config.tenancy) {
+        const { createTenantMiddleware } = await import("./middleware/tenant");
+        app.use(createTenantMiddleware(config.tenancy));
+    }
     for (const mw of middleware)
         app.use(mw);
     setAppName(appName);
+    // Schema pre-loading — import shared schema files before routes so registerSchema /
+    // registerSchemas calls run first, guaranteeing $ref instead of inline shapes.
+    const msConfig = config.modelSchemas;
+    if (msConfig) {
+        const { paths, registration = "auto" } = typeof msConfig === "string" || Array.isArray(msConfig)
+            ? { paths: msConfig, registration: "auto" }
+            : msConfig;
+        const pathArray = paths ? (Array.isArray(paths) ? paths : [paths]) : [];
+        for (const entry of pathArray) {
+            // Normalize to forward slashes so splitting works on both Windows and Unix.
+            const normalized = entry.replaceAll("\\", "/");
+            // Split glob patterns: everything before the first wildcard segment is the cwd.
+            let cwd;
+            let pattern;
+            if (!normalized.includes("*")) {
+                cwd = normalized;
+                pattern = "**/*.ts";
+            }
+            else {
+                const parts = normalized.split("/");
+                const starIdx = parts.findIndex((p) => p.includes("*"));
+                cwd = parts.slice(0, starIdx).join("/");
+                pattern = parts.slice(starIdx).join("/");
+            }
+            const schemaGlob = new Bun.Glob(pattern);
+            for await (const file of schemaGlob.scan({ cwd })) {
+                const mod = await import(`${cwd}/${file}`);
+                if (registration === "auto") {
+                    for (const [exportName, value] of Object.entries(mod)) {
+                        maybeAutoRegister(exportName, value);
+                    }
+                }
+                // "explicit": file imported; any registerSchema/registerSchemas calls inside already ran
+            }
+        }
+    }
     // Core routes (auth, etc.)
     const coreRoutesDir = import.meta.dir + "/routes";
     const coreGlob = new Bun.Glob("*.ts");
@@ -151,17 +195,35 @@ export const createApp = async (config) => {
             continue; // mounted separately below via createAuthRouter
         if (file === "oauth.ts")
             continue; // mounted separately below
+        if (file === "mfa.ts")
+            continue; // mounted separately below when mfa is configured
+        if (file === "jobs.ts")
+            continue; // mounted separately below when jobs.statusEndpoint is true
         const mod = await import(`${coreRoutesDir}/${file}`);
         if (mod.router)
             app.route("/", mod.router);
     }
     if (enableAuthRoutes) {
         const { createAuthRouter } = await import(`${coreRoutesDir}/auth`);
-        app.route("/", createAuthRouter({ primaryField, emailVerification, passwordReset, rateLimit: authRateLimit }));
+        app.route("/", createAuthRouter({ primaryField, emailVerification, passwordReset, rateLimit: authRateLimit, accountDeletion: authConfig.accountDeletion, refreshTokens: authConfig.refreshTokens }));
     }
     if (configuredOAuth.length > 0) {
         app.route("/", createOAuthRouter(configuredOAuth, postOAuthRedirect));
     }
+    if (authConfig.mfa && enableAuthRoutes) {
+        const { setMfaChallengeStore, setMfaChallengeSqliteDb } = await import("./lib/mfaChallenge");
+        setMfaChallengeStore(sessions);
+        if (sessions === "sqlite") {
+            const { getDb } = await import("./adapters/sqliteAuth");
+            setMfaChallengeSqliteDb(getDb());
+        }
+        const { createMfaRouter } = await import(`${coreRoutesDir}/mfa`);
+        app.route("/", createMfaRouter());
+    }
+    if (config.jobs?.statusEndpoint) {
+        const { createJobsRouter } = await import(`${coreRoutesDir}/jobs`);
+        app.route("/", createJobsRouter(config.jobs));
+    }
     // Service routes — collect all, sort by optional exported `priority`, then mount
     const serviceGlob = new Bun.Glob("**/*.ts");
     const serviceFiles = [];
@@ -186,6 +248,23 @@ export const createApp = async (config) => {
         return c.json({ error: "Internal Server Error" }, 500);
     });
     app.notFound((c) => c.json({ error: "Not Found" }, 404));
+    app.openAPIRegistry.registerComponent("securitySchemes", "cookieAuth", {
+        type: "apiKey",
+        in: "cookie",
+        name: "token",
+        description: "Session cookie set automatically on login/register.",
+    });
+    app.openAPIRegistry.registerComponent("securitySchemes", "userToken", {
+        type: "apiKey",
+        in: "header",
+        name: "x-user-token",
+        description: "JWT session token passed as the x-user-token request header (alternative to the session cookie).",
+    });
+    app.openAPIRegistry.registerComponent("securitySchemes", "bearerAuth", {
+        type: "http",
+        scheme: "bearer",
+        description: "API key passed as Authorization: Bearer <token>. Required on all endpoints unless bearer auth is disabled in CreateAppConfig or the path is in the bypass list.",
+    });
     app.doc("/openapi.json", { openapi: "3.0.0", info: { title: appName, version: openApiVersion } });
     app.get("/docs", Scalar({ url: "/openapi.json" }));
     app.get("/sw.js", (c) => c.body("", 200, { "Content-Type": "application/javascript" }));

package/dist/entrypoints/queue.d.ts CHANGED Viewed

@@ -1,2 +1,2 @@
-export { createQueue, createWorker } from "../lib/queue";
-export type { Job } from "../lib/queue";
+export { createQueue, createWorker, createCronWorker, cleanupStaleSchedulers, getRegisteredCronNames, createDLQHandler } from "../lib/queue";
+export type { Job, CronSchedule, DLQOptions } from "../lib/queue";

package/dist/entrypoints/queue.js CHANGED Viewed

	@@ -1 +1 @@
1	- export { createQueue, createWorker } from "../lib/queue";
1	+ export { createQueue, createWorker, createCronWorker, cleanupStaleSchedulers, getRegisteredCronNames, createDLQHandler } from "../lib/queue";

package/dist/index.d.ts CHANGED Viewed

@@ -1,20 +1,27 @@
 export { createApp } from "./app";
 export { createServer } from "./server";
-export type { CreateAppConfig, DbConfig, AppMeta, AuthConfig, AuthRateLimitConfig, OAuthConfig, SecurityConfig, BotProtectionConfig, PrimaryField, EmailVerificationConfig, PasswordResetConfig } from "./app";
+export type { CreateAppConfig, ModelSchemasConfig, DbConfig, AppMeta, AuthConfig, AuthRateLimitConfig, AccountDeletionConfig, OAuthConfig, SecurityConfig, BotProtectionConfig, PrimaryField, EmailVerificationConfig, PasswordResetConfig, RefreshTokenConfig, MfaConfig, MfaEmailOtpConfig, JobsConfig, TenancyConfig, TenantConfig } from "./app";
 export type { CreateServerConfig, WsConfig } from "./server";
 export { appConnection, authConnection, mongoose, connectMongo, connectAuthMongo, connectAppMongo, disconnectMongo } from "./lib/mongo";
 export { connectRedis, disconnectRedis, getRedis } from "./lib/redis";
 export { getAppRoles } from "./lib/appConfig";
 export { HttpError } from "./lib/HttpError";
-export { COOKIE_TOKEN, HEADER_USER_TOKEN } from "./lib/constants";
+export { COOKIE_TOKEN, HEADER_USER_TOKEN, COOKIE_REFRESH_TOKEN, HEADER_REFRESH_TOKEN } from "./lib/constants";
 export { createRouter } from "./lib/context";
+export { createRoute, withSecurity, registerSchema, registerSchemas } from "./lib/createRoute";
+export { zodToMongoose } from "./lib/zodToMongoose";
+export type { ZodToMongooseConfig, ZodToMongooseRefConfig } from "./lib/zodToMongoose";
+export { createDtoMapper } from "./lib/createDtoMapper";
+export type { DtoMapperConfig } from "./lib/createDtoMapper";
 export type { AppEnv, AppVariables } from "./lib/context";
 export { signToken, verifyToken } from "./lib/jwt";
 export { log } from "./lib/logger";
 export { createResetToken, consumeResetToken, setPasswordResetStore } from "./lib/resetPassword";
-export { createSession, getSession, deleteSession, getUserSessions, getActiveSessionCount, evictOldestSession, updateSessionLastActive, setSessionStore } from "./lib/session";
-export type { SessionMetadata, SessionInfo } from "./lib/session";
+export { createSession, getSession, deleteSession, getUserSessions, getActiveSessionCount, evictOldestSession, updateSessionLastActive, setSessionStore, deleteUserSessions, setRefreshToken, getSessionByRefreshToken, rotateRefreshToken } from "./lib/session";
+export type { SessionMetadata, SessionInfo, RefreshResult } from "./lib/session";
 export { createVerificationToken, getVerificationToken, deleteVerificationToken } from "./lib/emailVerification";
+export { createMfaChallenge, consumeMfaChallenge, replaceMfaChallengeOtp, setMfaChallengeStore } from "./lib/mfaChallenge";
+export type { MfaChallengeData } from "./lib/mfaChallenge";
 export { bustAuthLimit, trackAttempt, isLimited } from "./lib/authRateLimit";
 export type { LimitOpts } from "./lib/authRateLimit";
 export { validate } from "./lib/validate";
@@ -31,9 +38,12 @@ export { cacheResponse, bustCache, bustCachePattern, setCacheStore } from "./mid
 export { buildFingerprint } from "./lib/fingerprint";
 export { sqliteAuthAdapter, setSqliteDb, startSqliteCleanup } from "./adapters/sqliteAuth";
 export { memoryAuthAdapter, clearMemoryStore } from "./adapters/memoryAuth";
-export { setUserRoles, addUserRole, removeUserRole } from "./lib/roles";
+export { setUserRoles, addUserRole, removeUserRole, getTenantRoles, setTenantRoles, addTenantRole, removeTenantRole } from "./lib/roles";
 export type { AuthAdapter, OAuthProfile } from "./lib/authAdapter";
 export type { OAuthProviderConfig } from "./lib/oauth";
 export { websocket, createWsUpgradeHandler } from "./ws/index";
 export type { SocketData } from "./ws/index";
 export { publish, subscribe, unsubscribe, getSubscriptions, handleRoomActions, getRooms, getRoomSubscribers } from "./lib/ws";
+export { createTenant, deleteTenant, getTenant, listTenants } from "./lib/tenant";
+export type { TenantInfo, CreateTenantOptions } from "./lib/tenant";
+export { invalidateTenantCache } from "./middleware/tenant";

package/dist/index.js CHANGED Viewed

@@ -7,13 +7,17 @@ export { connectRedis, disconnectRedis, getRedis } from "./lib/redis";
 // Lib utilities
 export { getAppRoles } from "./lib/appConfig";
 export { HttpError } from "./lib/HttpError";
-export { COOKIE_TOKEN, HEADER_USER_TOKEN } from "./lib/constants";
+export { COOKIE_TOKEN, HEADER_USER_TOKEN, COOKIE_REFRESH_TOKEN, HEADER_REFRESH_TOKEN } from "./lib/constants";
 export { createRouter } from "./lib/context";
+export { createRoute, withSecurity, registerSchema, registerSchemas } from "./lib/createRoute";
+export { zodToMongoose } from "./lib/zodToMongoose";
+export { createDtoMapper } from "./lib/createDtoMapper";
 export { signToken, verifyToken } from "./lib/jwt";
 export { log } from "./lib/logger";
 export { createResetToken, consumeResetToken, setPasswordResetStore } from "./lib/resetPassword";
-export { createSession, getSession, deleteSession, getUserSessions, getActiveSessionCount, evictOldestSession, updateSessionLastActive, setSessionStore } from "./lib/session";
+export { createSession, getSession, deleteSession, getUserSessions, getActiveSessionCount, evictOldestSession, updateSessionLastActive, setSessionStore, deleteUserSessions, setRefreshToken, getSessionByRefreshToken, rotateRefreshToken } from "./lib/session";
 export { createVerificationToken, getVerificationToken, deleteVerificationToken } from "./lib/emailVerification";
+export { createMfaChallenge, consumeMfaChallenge, replaceMfaChallengeOtp, setMfaChallengeStore } from "./lib/mfaChallenge";
 export { bustAuthLimit, trackAttempt, isLimited } from "./lib/authRateLimit";
 export { validate } from "./lib/validate";
 // Middleware
@@ -30,7 +34,10 @@ export { buildFingerprint } from "./lib/fingerprint";
 // Models
 export { sqliteAuthAdapter, setSqliteDb, startSqliteCleanup } from "./adapters/sqliteAuth";
 export { memoryAuthAdapter, clearMemoryStore } from "./adapters/memoryAuth";
-export { setUserRoles, addUserRole, removeUserRole } from "./lib/roles";
+export { setUserRoles, addUserRole, removeUserRole, getTenantRoles, setTenantRoles, addTenantRole, removeTenantRole } from "./lib/roles";
 // WebSocket
 export { websocket, createWsUpgradeHandler } from "./ws/index";
 export { publish, subscribe, unsubscribe, getSubscriptions, handleRoomActions, getRooms, getRoomSubscribers } from "./lib/ws";
+// Tenancy
+export { createTenant, deleteTenant, getTenant, listTenants } from "./lib/tenant";
+export { invalidateTenantCache } from "./middleware/tenant";

package/dist/lib/appConfig.d.ts CHANGED Viewed

@@ -35,3 +35,49 @@ export declare const setIncludeInactiveSessions: (v: boolean) => void;
 export declare const getIncludeInactiveSessions: () => boolean;
 export declare const setTrackLastActive: (v: boolean) => void;
 export declare const getTrackLastActive: () => boolean;
+export interface RefreshTokenConfig {
+    /** Access token expiry in seconds. Default: 900 (15 min). */
+    accessTokenExpiry?: number;
+    /** Refresh token expiry in seconds. Default: 2_592_000 (30 days). */
+    refreshTokenExpiry?: number;
+    /** Grace window in seconds where the old refresh token still works after rotation.
+     *  Prevents lockout when the client's network drops mid-refresh. Default: 30. */
+    rotationGraceSeconds?: number;
+}
+export declare const setRefreshTokenConfig: (config: RefreshTokenConfig | null) => void;
+export declare const getRefreshTokenConfig: () => RefreshTokenConfig | null;
+export declare const getAccessTokenExpiry: () => number;
+export declare const getRefreshTokenExpiry: () => number;
+export declare const getRotationGraceSeconds: () => number;
+export interface MfaEmailOtpConfig {
+    /** Called with the user's email and the OTP code. Use to send the email. */
+    onSend: (email: string, code: string) => Promise<void>;
+    /** OTP code length. Default: 6. */
+    codeLength?: number;
+}
+export interface MfaConfig {
+    /** Issuer name shown in authenticator apps. Defaults to app name. */
+    issuer?: string;
+    /** TOTP algorithm. Default: "SHA1" (most compatible). */
+    algorithm?: "SHA1" | "SHA256" | "SHA512";
+    /** TOTP digits. Default: 6. */
+    digits?: number;
+    /** TOTP period in seconds. Default: 30. */
+    period?: number;
+    /** Number of recovery codes to generate. Default: 10. */
+    recoveryCodes?: number;
+    /** MFA challenge window in seconds. Default: 300 (5 min). */
+    challengeTtlSeconds?: number;
+    /** Email OTP configuration. When set, enables email-based MFA as an option. */
+    emailOtp?: MfaEmailOtpConfig;
+}
+export declare const setMfaConfig: (config: MfaConfig | null) => void;
+export declare const getMfaConfig: () => MfaConfig | null;
+export declare const getMfaIssuer: () => string;
+export declare const getMfaAlgorithm: () => string;
+export declare const getMfaDigits: () => number;
+export declare const getMfaPeriod: () => number;
+export declare const getMfaRecoveryCodeCount: () => number;
+export declare const getMfaChallengeTtl: () => number;
+export declare const getMfaEmailOtpConfig: () => MfaEmailOtpConfig | null;
+export declare const getMfaEmailOtpCodeLength: () => number;

package/dist/lib/appConfig.js CHANGED Viewed

@@ -35,3 +35,23 @@ export const setIncludeInactiveSessions = (v) => { _includeInactiveSessions = v;
 export const getIncludeInactiveSessions = () => _includeInactiveSessions;
 export const setTrackLastActive = (v) => { _trackLastActive = v; };
 export const getTrackLastActive = () => _trackLastActive;
+let _refreshTokenConfig = null;
+export const setRefreshTokenConfig = (config) => { _refreshTokenConfig = config; };
+export const getRefreshTokenConfig = () => _refreshTokenConfig;
+const DEFAULT_ACCESS_TOKEN_EXPIRY = 900; // 15 min
+const DEFAULT_REFRESH_TOKEN_EXPIRY = 2_592_000; // 30 days
+const DEFAULT_ROTATION_GRACE_SECONDS = 30;
+export const getAccessTokenExpiry = () => _refreshTokenConfig?.accessTokenExpiry ?? DEFAULT_ACCESS_TOKEN_EXPIRY;
+export const getRefreshTokenExpiry = () => _refreshTokenConfig?.refreshTokenExpiry ?? DEFAULT_REFRESH_TOKEN_EXPIRY;
+export const getRotationGraceSeconds = () => _refreshTokenConfig?.rotationGraceSeconds ?? DEFAULT_ROTATION_GRACE_SECONDS;
+let _mfaConfig = null;
+export const setMfaConfig = (config) => { _mfaConfig = config; };
+export const getMfaConfig = () => _mfaConfig;
+export const getMfaIssuer = () => _mfaConfig?.issuer ?? getAppName();
+export const getMfaAlgorithm = () => _mfaConfig?.algorithm ?? "SHA1";
+export const getMfaDigits = () => _mfaConfig?.digits ?? 6;
+export const getMfaPeriod = () => _mfaConfig?.period ?? 30;
+export const getMfaRecoveryCodeCount = () => _mfaConfig?.recoveryCodes ?? 10;
+export const getMfaChallengeTtl = () => _mfaConfig?.challengeTtlSeconds ?? 300;
+export const getMfaEmailOtpConfig = () => _mfaConfig?.emailOtp ?? null;
+export const getMfaEmailOtpCodeLength = () => _mfaConfig?.emailOtp?.codeLength ?? 6;

package/dist/lib/authAdapter.d.ts CHANGED Viewed

@@ -48,6 +48,36 @@ export interface AuthAdapter {
     setEmailVerified?(userId: string, verified: boolean): Promise<void>;
     /** Optional. Return whether a user's email address has been verified. */
     getEmailVerified?(userId: string): Promise<boolean>;
+    /** Optional. Permanently delete a user account. Used by DELETE /auth/me. */
+    deleteUser?(userId: string): Promise<void>;
+    /** Optional. Check whether a user has a password set (credential account vs OAuth-only). */
+    hasPassword?(userId: string): Promise<boolean>;
+    /** Optional. Store the TOTP secret for MFA setup (encrypted or plaintext, adapter decides). */
+    setMfaSecret?(userId: string, secret: string | null): Promise<void>;
+    /** Optional. Retrieve the TOTP secret for MFA verification. */
+    getMfaSecret?(userId: string): Promise<string | null>;
+    /** Optional. Check whether MFA is enabled for a user. */
+    isMfaEnabled?(userId: string): Promise<boolean>;
+    /** Optional. Enable or disable MFA for a user. */
+    setMfaEnabled?(userId: string, enabled: boolean): Promise<void>;
+    /** Optional. Store hashed recovery codes for MFA. */
+    setRecoveryCodes?(userId: string, codes: string[]): Promise<void>;
+    /** Optional. Retrieve hashed recovery codes for MFA. */
+    getRecoveryCodes?(userId: string): Promise<string[]>;
+    /** Optional. Remove a single recovery code after use. */
+    removeRecoveryCode?(userId: string, code: string): Promise<void>;
+    /** Optional. Get the MFA methods enabled for a user (e.g., ["totp"], ["emailOtp"], ["totp", "emailOtp"]). */
+    getMfaMethods?(userId: string): Promise<string[]>;
+    /** Optional. Set the MFA methods enabled for a user. */
+    setMfaMethods?(userId: string, methods: string[]): Promise<void>;
+    /** Optional. Get roles for a user within a specific tenant. */
+    getTenantRoles?(userId: string, tenantId: string): Promise<string[]>;
+    /** Optional. Set roles for a user within a specific tenant (replaces existing). */
+    setTenantRoles?(userId: string, tenantId: string, roles: string[]): Promise<void>;
+    /** Optional. Add a single role to a user within a specific tenant. */
+    addTenantRole?(userId: string, tenantId: string, role: string): Promise<void>;
+    /** Optional. Remove a single role from a user within a specific tenant. */
+    removeTenantRole?(userId: string, tenantId: string, role: string): Promise<void>;
 }
 export declare const setAuthAdapter: (adapter: AuthAdapter) => void;
 export declare const getAuthAdapter: () => AuthAdapter;

package/dist/lib/constants.d.ts CHANGED Viewed

@@ -1,2 +1,4 @@
 export declare const COOKIE_TOKEN = "token";
 export declare const HEADER_USER_TOKEN = "x-user-token";
+export declare const COOKIE_REFRESH_TOKEN = "refresh_token";
+export declare const HEADER_REFRESH_TOKEN = "x-refresh-token";

package/dist/lib/constants.js CHANGED Viewed

@@ -1,2 +1,4 @@
 export const COOKIE_TOKEN = "token";
 export const HEADER_USER_TOKEN = "x-user-token";
+export const COOKIE_REFRESH_TOKEN = "refresh_token";
+export const HEADER_REFRESH_TOKEN = "x-refresh-token";

package/dist/lib/context.d.ts CHANGED Viewed

@@ -3,6 +3,8 @@ export type AppVariables = {
     authUserId: string | null;
     roles: string[] | null;
     sessionId: string | null;
+    tenantId: string | null;
+    tenantConfig: Record<string, unknown> | null;
 };
 export type AppEnv = {
     Variables: AppVariables;

package/dist/lib/createDtoMapper.d.ts ADDED Viewed

@@ -0,0 +1,33 @@
+type ZodSchema = any;
+export type DtoMapperConfig = {
+    /** DB field name → API field name for ObjectId refs (e.g., { account: "accountId" }) */
+    refs?: Record<string, string>;
+    /** API field names that are Date in DB, string in DTO */
+    dates?: string[];
+    /** Subdocument array fields mapped with a sub-mapper: { items: itemMapper } */
+    subdocs?: Record<string, (item: any) => any>;
+};
+/**
+ * Create a toDto mapper function from a Zod schema.
+ *
+ * The Zod schema defines which fields exist in the DTO. The config declares
+ * how to transform DB-specific types (ObjectId refs, Dates, subdocuments).
+ *
+ * Handles automatically:
+ * - `_id` → `id` (toString)
+ * - ObjectId refs → string (toString), with field renaming via `refs`
+ * - Date fields → ISO string via `dates`
+ * - Subdocument arrays via `subdocs`
+ * - Nullable/optional fields → `null` coercion (from `undefined`)
+ * - All other fields → passthrough
+ *
+ * @example
+ * ```ts
+ * const toDto = createDtoMapper<LedgerItemDto>(LedgerItemSchema, {
+ *   refs: { account: "accountId" },
+ *   dates: ["date"],
+ * });
+ * ```
+ */
+export declare function createDtoMapper<TDto>(zodSchema: ZodSchema, config?: DtoMapperConfig): (doc: any) => TDto;
+export {};

package/dist/lib/createDtoMapper.js ADDED Viewed

@@ -0,0 +1,69 @@
+/** Check if a Zod type is nullable or optional */
+function isNullable(zodType) {
+    const defType = zodType?._zod?.def?.type;
+    if (defType === "nullable")
+        return true;
+    if (defType === "optional")
+        return true;
+    if (defType === "default")
+        return isNullable(zodType._zod.def.innerType);
+    return false;
+}
+/**
+ * Create a toDto mapper function from a Zod schema.
+ *
+ * The Zod schema defines which fields exist in the DTO. The config declares
+ * how to transform DB-specific types (ObjectId refs, Dates, subdocuments).
+ *
+ * Handles automatically:
+ * - `_id` → `id` (toString)
+ * - ObjectId refs → string (toString), with field renaming via `refs`
+ * - Date fields → ISO string via `dates`
+ * - Subdocument arrays via `subdocs`
+ * - Nullable/optional fields → `null` coercion (from `undefined`)
+ * - All other fields → passthrough
+ *
+ * @example
+ * ```ts
+ * const toDto = createDtoMapper<LedgerItemDto>(LedgerItemSchema, {
+ *   refs: { account: "accountId" },
+ *   dates: ["date"],
+ * });
+ * ```
+ */
+export function createDtoMapper(zodSchema, config = {}) {
+    const apiFields = Object.keys(zodSchema.shape);
+    const shape = zodSchema.shape;
+    // Build reverse lookup: apiField → dbField for refs
+    const refByApiField = new Map();
+    if (config.refs) {
+        for (const [dbField, apiField] of Object.entries(config.refs)) {
+            refByApiField.set(apiField, dbField);
+        }
+    }
+    const dateSet = new Set(config.dates ?? []);
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    return (doc) => {
+        const dto = {};
+        for (const field of apiFields) {
+            if (field === "id") {
+                dto.id = doc._id.toString();
+                continue;
+            }
+            if (refByApiField.has(field)) {
+                dto[field] = doc[refByApiField.get(field)].toString();
+                continue;
+            }
+            if (dateSet.has(field)) {
+                dto[field] = doc[field].toISOString();
+                continue;
+            }
+            if (config.subdocs?.[field]) {
+                dto[field] = (doc[field] ?? []).map(config.subdocs[field]);
+                continue;
+            }
+            dto[field] = isNullable(shape[field]) ? (doc[field] ?? null) : doc[field];
+        }
+        return dto;
+    };
+}

package/dist/lib/createRoute.d.ts ADDED Viewed

@@ -0,0 +1,61 @@
+import type { RouteConfig } from "@hono/zod-openapi";
+import type { ZodType } from "zod";
+/**
+ * Registers a Zod schema as a named entry in `components/schemas`.
+ *
+ * Use this for shared schemas (e.g. shared error types, reusable response shapes)
+ * that aren't directly attached to a specific route. Schemas already registered
+ * under the same name are silently skipped.
+ *
+ * @example
+ * export const MySchema = registerSchema("MySchema", z.object({ id: z.string() }));
+ */
+export declare const registerSchema: <T extends ZodType>(name: string, schema: T) => T;
+/**
+ * Registers multiple Zod schemas at once as named entries in `components/schemas`.
+ * Object keys become the schema names. Returns the same object so you can
+ * destructure or re-export the schemas normally.
+ *
+ * Schemas already registered (e.g. via a prior `registerSchema` call) are skipped.
+ *
+ * @example
+ * export const { LedgerItem, Product } = registerSchemas({
+ *   LedgerItem: z.object({ id: z.string(), amount: z.number() }),
+ *   Product:    z.object({ id: z.string(), price: z.number() }),
+ * });
+ */
+export declare const registerSchemas: <T extends Record<string, ZodType>>(schemas: T) => T;
+/**
+ * Auto-registers a module export as a named OpenAPI schema.
+ * Used internally by modelSchemas auto-discovery in createApp.
+ * Strips a trailing "Schema" suffix from the export name.
+ * Skips non-Zod values and already-registered schemas.
+ */
+export declare function maybeAutoRegister(exportName: string, value: unknown): void;
+/**
+ * Adds an OpenAPI `security` requirement to a route without affecting TypeScript
+ * type inference on the handler. Pass each security scheme as a separate object.
+ *
+ * Use this instead of inlining `security` in `createRoute(...)` — inlining a
+ * field typed as `{ [name: string]: string[] }` breaks `c.req.valid()` inference.
+ *
+ * @example
+ * router.openapi(
+ *   withSecurity(createRoute({ method: "get", path: "/me", ... }), { cookieAuth: [] }, { userToken: [] }),
+ *   async (c) => { ... }
+ * )
+ */
+export declare const withSecurity: <T extends RouteConfig>(route: T, ...schemes: Array<Record<string, string[]>>) => T;
+/**
+ * Drop-in replacement for `createRoute` from `@hono/zod-openapi`.
+ *
+ * Automatically registers unnamed request body and response schemas as named
+ * OpenAPI components so they appear in `components/schemas` instead of being
+ * inlined at every use site. Generated names follow the convention:
+ *
+ *   {Method}{PathSegments}Body         — request body
+ *   {Method}{PathSegments}{StatusCode} — response body
+ *
+ * Schemas already named via `.openapi("Name")` are never overwritten.
+ */
+export declare const createRoute: <T extends RouteConfig>(config: T) => T;