@lastshotlabs/bunshot 0.0.10 → 0.0.16

package/dist/middleware/tenant.js

@@ -0,0 +1,116 @@
+class LruCache {
+    _map = new Map();
+    _maxSize;
+    _ttlMs;
+    constructor(maxSize, ttlMs) {
+        this._maxSize = maxSize;
+        this._ttlMs = ttlMs;
+    }
+    get(key) {
+        const entry = this._map.get(key);
+        if (!entry)
+            return undefined; // cache miss
+        if (entry.expiresAt <= Date.now()) {
+            this._map.delete(key);
+            return undefined; // expired
+        }
+        // Move to end (most recently used)
+        this._map.delete(key);
+        this._map.set(key, entry);
+        return entry.value;
+    }
+    set(key, value) {
+        // Remove first if exists (for re-insertion at end)
+        this._map.delete(key);
+        // Evict oldest if at capacity
+        if (this._map.size >= this._maxSize) {
+            const oldest = this._map.keys().next().value;
+            if (oldest !== undefined)
+                this._map.delete(oldest);
+        }
+        this._map.set(key, { value, expiresAt: Date.now() + this._ttlMs });
+    }
+    delete(key) {
+        this._map.delete(key);
+    }
+}
+// ---------------------------------------------------------------------------
+// Exported cache invalidation (used by tenant provisioning helpers)
+// ---------------------------------------------------------------------------
+let _cache = null;
+export const invalidateTenantCache = (tenantId) => {
+    _cache?.delete(tenantId);
+};
+// ---------------------------------------------------------------------------
+// Tenant resolution middleware
+// ---------------------------------------------------------------------------
+const DEFAULT_EXEMPT = ["/health", "/docs", "/openapi.json", "/auth/"];
+function extractTenantId(c, config) {
+    if (config.resolution === "header") {
+        const headerName = config.headerName ?? "x-tenant-id";
+        return c.req.header(headerName) ?? null;
+    }
+    if (config.resolution === "subdomain") {
+        const host = c.req.header("host") ?? "";
+        // Extract first subdomain: "acme.myapp.com" → "acme"
+        const parts = host.split(".");
+        if (parts.length < 3)
+            return null; // no subdomain
+        return parts[0] || null;
+    }
+    if (config.resolution === "path") {
+        const segmentIndex = config.pathSegment ?? 0;
+        // Path: "/acme/api/users" → segments after split: ["", "acme", "api", "users"]
+        const segments = c.req.path.split("/").filter(Boolean);
+        return segments[segmentIndex] ?? null;
+    }
+    return null;
+}
+export const createTenantMiddleware = (config) => {
+    const exemptPaths = [...DEFAULT_EXEMPT, ...(config.exemptPaths ?? [])];
+    const rejectionStatus = config.rejectionStatus ?? 403;
+    const cacheTtlMs = config.cacheTtlMs ?? 60_000;
+    const cacheMaxSize = config.cacheMaxSize ?? 500;
+    // Initialize LRU cache if caching is enabled and onResolve is provided
+    if (config.onResolve && cacheTtlMs > 0) {
+        _cache = new LruCache(cacheMaxSize, cacheTtlMs);
+    }
+    return async (c, next) => {
+        const path = c.req.path;
+        // Check exempt paths using startsWith
+        for (const exempt of exemptPaths) {
+            if (path === exempt || path.startsWith(exempt)) {
+                c.set("tenantId", null);
+                c.set("tenantConfig", null);
+                return next();
+            }
+        }
+        const tenantId = extractTenantId(c, config);
+        if (!tenantId) {
+            return c.json({ error: "Tenant ID required" }, 400);
+        }
+        // Validate via onResolve (with caching)
+        if (config.onResolve) {
+            let tenantConfig;
+            if (_cache) {
+                tenantConfig = _cache.get(tenantId);
+            }
+            // undefined = cache miss, null = onResolve returned null (rejected)
+            if (tenantConfig === undefined) {
+                tenantConfig = await config.onResolve(tenantId);
+                _cache?.set(tenantId, tenantConfig);
+            }
+            if (tenantConfig === null) {
+                return c.json({ error: "Access denied" }, rejectionStatus);
+            }
+            c.set("tenantId", tenantId);
+            c.set("tenantConfig", tenantConfig);
+        }
+        else {
+            // No onResolve — trust the tenant ID
+            c.set("tenantId", tenantId);
+            c.set("tenantConfig", null);
+        }
+        return next();
+    };
+};

package/dist/models/AuthUser.d.ts

@@ -8,6 +8,14 @@ interface IAuthUser {
     roles: string[];
     /** Whether the user's email address has been verified. */
     emailVerified: boolean;
+    /** TOTP secret for MFA. Null when MFA is not set up. */
+    mfaSecret?: string | null;
+    /** Whether MFA is enabled (secret stored + confirmed via TOTP code). */
+    mfaEnabled?: boolean;
+    /** SHA-256 hashed recovery codes for MFA. */
+    recoveryCodes?: string[];
+    /** MFA methods enabled for this user (e.g., ["totp"], ["emailOtp"], ["totp", "emailOtp"]). */
+    mfaMethods?: string[];
 }
 type AuthUserDocument = IAuthUser & Document;
 export declare const AuthUser: Model<AuthUserDocument, {}, {}, {}, Document<unknown, {}, AuthUserDocument, {}, import("mongoose").DefaultSchemaOptions> & IAuthUser & Document<import("mongoose").Types.ObjectId, any, any, Record<string, any>, {}> & Required<{

package/dist/models/AuthUser.js

@@ -14,6 +14,14 @@ function getAuthUser() {
             roles: [{ type: String }],
             /** Whether the user's email address has been verified. */
             emailVerified: { type: Boolean, default: false },
+            /** TOTP secret for MFA. */
+            mfaSecret: { type: String, default: null },
+            /** Whether MFA is enabled. */
+            mfaEnabled: { type: Boolean, default: false },
+            /** SHA-256 hashed recovery codes for MFA. */
+            recoveryCodes: [{ type: String }],
+            /** MFA methods enabled for this user. */
+            mfaMethods: [{ type: String }],
         }, { timestamps: true });
         schema.index({ providerIds: 1 });
         _AuthUser = authConnection.model("AuthUser", schema);

package/dist/models/TenantRole.d.ts

@@ -0,0 +1,15 @@
+import type { Document, Model } from "mongoose";
+interface ITenantRole {
+    userId: string;
+    tenantId: string;
+    roles: string[];
+}
+type TenantRoleDocument = ITenantRole & Document;
+export declare const TenantRole: Model<TenantRoleDocument, {}, {}, {}, Document<unknown, {}, TenantRoleDocument, {}, import("mongoose").DefaultSchemaOptions> & ITenantRole & Document<import("mongoose").Types.ObjectId, any, any, Record<string, any>, {}> & Required<{
+    _id: import("mongoose").Types.ObjectId;
+}> & {
+    __v: number;
+} & {
+    id: string;
+}, any, TenantRoleDocument>;
+export {};

package/dist/models/TenantRole.js

@@ -0,0 +1,23 @@
+import { authConnection, mongoose } from "../lib/mongo";
+let _TenantRole = null;
+function getTenantRole() {
+    if (!_TenantRole) {
+        const { Schema } = mongoose;
+        const schema = new Schema({
+            userId: { type: String, required: true },
+            tenantId: { type: String, required: true },
+            roles: [{ type: String }],
+        }, { timestamps: true });
+        schema.index({ userId: 1, tenantId: 1 }, { unique: true });
+        schema.index({ tenantId: 1 });
+        _TenantRole = authConnection.model("TenantRole", schema);
+    }
+    return _TenantRole;
+}
+export const TenantRole = new Proxy({}, {
+    get(_, prop) {
+        const model = getTenantRole();
+        const val = model[prop];
+        return typeof val === "function" ? val.bind(model) : val;
+    },
+});

package/dist/routes/auth.d.ts

@@ -1,9 +1,11 @@
-import type { PrimaryField, EmailVerificationConfig, PasswordResetConfig } from "../lib/appConfig";
-import type { AuthRateLimitConfig } from "../app";
+import type { PrimaryField, EmailVerificationConfig, PasswordResetConfig, RefreshTokenConfig } from "../lib/appConfig";
+import type { AuthRateLimitConfig, AccountDeletionConfig } from "../app";
 export interface AuthRouterOptions {
     primaryField: PrimaryField;
     emailVerification?: EmailVerificationConfig;
     passwordReset?: PasswordResetConfig;
     rateLimit?: AuthRateLimitConfig;
+    accountDeletion?: AccountDeletionConfig;
+    refreshTokens?: RefreshTokenConfig;
 }
-export declare const createAuthRouter: ({ primaryField, emailVerification, passwordReset, rateLimit }: AuthRouterOptions) => import("@hono/zod-openapi").OpenAPIHono<import("../lib/context").AppEnv, {}, "/">;
+export declare const createAuthRouter: ({ primaryField, emailVerification, passwordReset, rateLimit, accountDeletion, refreshTokens }: AuthRouterOptions) => import("@hono/zod-openapi").OpenAPIHono<import("../lib/context").AppEnv, {}, "/">;