@lastshotlabs/bunshot 0.0.13 → 0.0.16

package/dist/adapters/memoryAuth.d.ts

@@ -10,6 +10,10 @@ export declare const memoryGetUserSessions: (userId: string) => SessionInfo[];
 export declare const memoryGetActiveSessionCount: (userId: string) => number;
 export declare const memoryEvictOldestSession: (userId: string) => void;
 export declare const memoryUpdateSessionLastActive: (sessionId: string) => void;
+export declare const memorySetRefreshToken: (sessionId: string, refreshToken: string) => void;
+import type { RefreshResult } from "../lib/session";
+export declare const memoryGetSessionByRefreshToken: (refreshToken: string) => RefreshResult | null;
+export declare const memoryRotateRefreshToken: (sessionId: string, newRefreshToken: string, newAccessToken: string) => void;
 export declare const memoryStoreOAuthState: (state: string, codeVerifier?: string, linkUserId?: string) => void;
 export declare const memoryConsumeOAuthState: (state: string) => {
     codeVerifier?: string;

package/dist/adapters/memoryAuth.js

@@ -4,16 +4,20 @@ const _users = new Map();
 const _byEmail = new Map();
 const _sessions = new Map(); // sessionId → session
 const _userSessionIds = new Map(); // userId → Set<sessionId>
+const _refreshTokenIndex = new Map(); // refreshToken → sessionId
 const _oauthStates = new Map();
 const _cache = new Map();
 const _verificationTokens = new Map();
 const _resetTokens = new Map();
+const _tenantRoles = new Map(); // "userId:tenantId" → roles
 /** Reset all in-memory state. Useful for test isolation. */
 export const clearMemoryStore = () => {
     _users.clear();
     _byEmail.clear();
     _sessions.clear();
     _userSessionIds.clear();
+    _refreshTokenIndex.clear();
+    _tenantRoles.clear();
     _oauthStates.clear();
     _cache.clear();
     _verificationTokens.clear();
@@ -37,7 +41,7 @@ export const memoryAuthAdapter = {
         if (_byEmail.has(normalised))
             throw new HttpError(409, "Email already registered");
         const id = crypto.randomUUID();
-        const user = { id, email: normalised, passwordHash, providerIds: [], roles: [], emailVerified: false };
+        const user = { id, email: normalised, passwordHash, providerIds: [], roles: [], emailVerified: false, mfaSecret: null, mfaEnabled: false, recoveryCodes: [], mfaMethods: [] };
         _users.set(id, user);
         _byEmail.set(normalised, id);
         return { id };
@@ -63,7 +67,7 @@ export const memoryAuthAdapter = {
         }
         const id = crypto.randomUUID();
         const email = profile.email ? profile.email.toLowerCase() : null;
-        const user = { id, email, passwordHash: null, providerIds: [key], roles: [], emailVerified: false };
+        const user = { id, email, passwordHash: null, providerIds: [key], roles: [], emailVerified: false, mfaSecret: null, mfaEnabled: false, recoveryCodes: [], mfaMethods: [] };
         _users.set(id, user);
         if (email)
             _byEmail.set(email, id);
@@ -132,6 +136,78 @@ export const memoryAuthAdapter = {
     async getEmailVerified(userId) {
         return _users.get(userId)?.emailVerified ?? false;
     },
+    async deleteUser(userId) {
+        const user = _users.get(userId);
+        if (user?.email)
+            _byEmail.delete(user.email);
+        _users.delete(userId);
+    },
+    async hasPassword(userId) {
+        return !!_users.get(userId)?.passwordHash;
+    },
+    async setMfaSecret(userId, secret) {
+        const user = _users.get(userId);
+        if (user)
+            user.mfaSecret = secret;
+    },
+    async getMfaSecret(userId) {
+        return _users.get(userId)?.mfaSecret ?? null;
+    },
+    async isMfaEnabled(userId) {
+        return _users.get(userId)?.mfaEnabled ?? false;
+    },
+    async setMfaEnabled(userId, enabled) {
+        const user = _users.get(userId);
+        if (user)
+            user.mfaEnabled = enabled;
+    },
+    async setRecoveryCodes(userId, codes) {
+        const user = _users.get(userId);
+        if (user)
+            user.recoveryCodes = [...codes];
+    },
+    async getRecoveryCodes(userId) {
+        return _users.get(userId)?.recoveryCodes ?? [];
+    },
+    async removeRecoveryCode(userId, code) {
+        const user = _users.get(userId);
+        if (user)
+            user.recoveryCodes = user.recoveryCodes.filter((c) => c !== code);
+    },
+    async getMfaMethods(userId) {
+        const user = _users.get(userId);
+        if (!user)
+            return [];
+        // Backward compat: if mfaEnabled but no methods recorded, assume TOTP
+        if (user.mfaMethods.length === 0 && user.mfaEnabled)
+            return ["totp"];
+        return [...user.mfaMethods];
+    },
+    async setMfaMethods(userId, methods) {
+        const user = _users.get(userId);
+        if (user)
+            user.mfaMethods = [...methods];
+    },
+    async getTenantRoles(userId, tenantId) {
+        return _tenantRoles.get(`${userId}:${tenantId}`) ?? [];
+    },
+    async setTenantRoles(userId, tenantId, roles) {
+        _tenantRoles.set(`${userId}:${tenantId}`, [...roles]);
+    },
+    async addTenantRole(userId, tenantId, role) {
+        const key = `${userId}:${tenantId}`;
+        const current = _tenantRoles.get(key) ?? [];
+        if (!current.includes(role)) {
+            _tenantRoles.set(key, [...current, role]);
+        }
+    },
+    async removeTenantRole(userId, tenantId, role) {
+        const key = `${userId}:${tenantId}`;
+        const current = _tenantRoles.get(key);
+        if (current) {
+            _tenantRoles.set(key, current.filter((r) => r !== role));
+        }
+    },
 };
 // ---------------------------------------------------------------------------
 // Session helpers (used by src/lib/session.ts)
@@ -160,8 +236,16 @@ export const memoryDeleteSession = (sessionId) => {
     const entry = _sessions.get(sessionId);
     if (!entry)
         return;
+    // Clean up refresh token reverse-lookup keys
+    if (entry.refreshToken)
+        _refreshTokenIndex.delete(entry.refreshToken);
+    if (entry.prevRefreshToken)
+        _refreshTokenIndex.delete(entry.prevRefreshToken);
     if (getPersistSessionMetadata()) {
         entry.token = null;
+        entry.refreshToken = null;
+        entry.prevRefreshToken = null;
+        entry.prevTokenExpiresAt = null;
     }
     else {
         _sessions.delete(sessionId);
@@ -231,6 +315,51 @@ export const memoryUpdateSessionLastActive = (sessionId) => {
     if (entry)
         entry.lastActiveAt = Date.now();
 };
+export const memorySetRefreshToken = (sessionId, refreshToken) => {
+    const entry = _sessions.get(sessionId);
+    if (!entry)
+        return;
+    entry.refreshToken = refreshToken;
+    _refreshTokenIndex.set(refreshToken, sessionId);
+};
+import { getRotationGraceSeconds } from "../lib/appConfig";
+export const memoryGetSessionByRefreshToken = (refreshToken) => {
+    const sessionId = _refreshTokenIndex.get(refreshToken);
+    if (!sessionId)
+        return null;
+    const entry = _sessions.get(sessionId);
+    if (!entry)
+        return null;
+    // Current refresh token matches
+    if (entry.refreshToken === refreshToken) {
+        return { sessionId: entry.sessionId, userId: entry.userId, newRefreshToken: refreshToken };
+    }
+    // Check grace window
+    if (entry.prevRefreshToken === refreshToken && entry.prevTokenExpiresAt && entry.prevTokenExpiresAt > Date.now()) {
+        return { sessionId: entry.sessionId, userId: entry.userId, newRefreshToken: entry.refreshToken };
+    }
+    // Grace window expired — theft detected, invalidate session
+    if (entry.prevRefreshToken === refreshToken) {
+        memoryDeleteSession(sessionId);
+        return null;
+    }
+    return null;
+};
+export const memoryRotateRefreshToken = (sessionId, newRefreshToken, newAccessToken) => {
+    const entry = _sessions.get(sessionId);
+    if (!entry)
+        return;
+    const graceSeconds = getRotationGraceSeconds();
+    // Move current to prev
+    const oldRefreshToken = entry.refreshToken;
+    entry.prevRefreshToken = oldRefreshToken;
+    entry.prevTokenExpiresAt = Date.now() + graceSeconds * 1000;
+    entry.refreshToken = newRefreshToken;
+    entry.token = newAccessToken;
+    // Update reverse-lookup index
+    _refreshTokenIndex.set(newRefreshToken, sessionId);
+    // Old token stays in index during grace window — cleaned up on next lookup or session delete
+};
 // ---------------------------------------------------------------------------
 // OAuth state helpers (used by src/lib/oauth.ts)
 // ---------------------------------------------------------------------------

package/dist/adapters/mongoAuth.js

@@ -1,4 +1,5 @@
 import { AuthUser } from "../models/AuthUser";
+import { TenantRole } from "../models/TenantRole";
 import { HttpError } from "../lib/HttpError";
 export const mongoAuthAdapter = {
     async findByEmail(email) {
@@ -90,4 +91,59 @@ export const mongoAuthAdapter = {
         const user = await AuthUser.findById(userId, "emailVerified").lean();
         return user?.emailVerified ?? false;
     },
+    async deleteUser(userId) {
+        await AuthUser.findByIdAndDelete(userId);
+    },
+    async hasPassword(userId) {
+        const user = await AuthUser.findById(userId, "password").lean();
+        return !!user?.password;
+    },
+    async setMfaSecret(userId, secret) {
+        await AuthUser.findByIdAndUpdate(userId, { mfaSecret: secret });
+    },
+    async getMfaSecret(userId) {
+        const user = await AuthUser.findById(userId, "mfaSecret").lean();
+        return user?.mfaSecret ?? null;
+    },
+    async isMfaEnabled(userId) {
+        const user = await AuthUser.findById(userId, "mfaEnabled").lean();
+        return user?.mfaEnabled ?? false;
+    },
+    async setMfaEnabled(userId, enabled) {
+        await AuthUser.findByIdAndUpdate(userId, { mfaEnabled: enabled });
+    },
+    async setRecoveryCodes(userId, codes) {
+        await AuthUser.findByIdAndUpdate(userId, { recoveryCodes: codes });
+    },
+    async getRecoveryCodes(userId) {
+        const user = await AuthUser.findById(userId, "recoveryCodes").lean();
+        return user?.recoveryCodes ?? [];
+    },
+    async removeRecoveryCode(userId, code) {
+        await AuthUser.findByIdAndUpdate(userId, { $pull: { recoveryCodes: code } });
+    },
+    async getMfaMethods(userId) {
+        const user = await AuthUser.findById(userId, "mfaMethods mfaEnabled").lean();
+        const methods = user?.mfaMethods ?? [];
+        // Backward compat: if mfaEnabled but no methods recorded, assume TOTP
+        if (methods.length === 0 && user?.mfaEnabled)
+            return ["totp"];
+        return methods;
+    },
+    async setMfaMethods(userId, methods) {
+        await AuthUser.findByIdAndUpdate(userId, { mfaMethods: methods });
+    },
+    async getTenantRoles(userId, tenantId) {
+        const doc = await TenantRole.findOne({ userId, tenantId }, "roles").lean();
+        return doc?.roles ?? [];
+    },
+    async setTenantRoles(userId, tenantId, roles) {
+        await TenantRole.findOneAndUpdate({ userId, tenantId }, { roles }, { upsert: true });
+    },
+    async addTenantRole(userId, tenantId, role) {
+        await TenantRole.findOneAndUpdate({ userId, tenantId }, { $addToSet: { roles: role } }, { upsert: true });
+    },
+    async removeTenantRole(userId, tenantId, role) {
+        await TenantRole.findOneAndUpdate({ userId, tenantId }, { $pull: { roles: role } });
+    },
 };

package/dist/adapters/sqliteAuth.d.ts

@@ -1,5 +1,7 @@
+import { Database } from "bun:sqlite";
 import type { AuthAdapter } from "../lib/authAdapter";
 export declare const setSqliteDb: (path: string) => void;
+export declare function getDb(): Database;
 export declare const sqliteAuthAdapter: AuthAdapter;
 import type { SessionMetadata, SessionInfo } from "../lib/session";
 export declare const sqliteCreateSession: (userId: string, token: string, sessionId: string, metadata?: SessionMetadata) => void;
@@ -9,6 +11,10 @@ export declare const sqliteGetUserSessions: (userId: string) => SessionInfo[];
 export declare const sqliteGetActiveSessionCount: (userId: string) => number;
 export declare const sqliteEvictOldestSession: (userId: string) => void;
 export declare const sqliteUpdateSessionLastActive: (sessionId: string) => void;
+import type { RefreshResult } from "../lib/session";
+export declare const sqliteSetRefreshToken: (sessionId: string, refreshToken: string) => void;
+export declare const sqliteGetSessionByRefreshToken: (refreshToken: string) => RefreshResult | null;
+export declare const sqliteRotateRefreshToken: (sessionId: string, newRefreshToken: string, newAccessToken: string) => void;
 export declare const sqliteStoreOAuthState: (state: string, codeVerifier?: string, linkUserId?: string) => void;
 export declare const sqliteConsumeOAuthState: (state: string) => {
     codeVerifier?: string;

package/dist/adapters/sqliteAuth.js

@@ -10,7 +10,7 @@ export const setSqliteDb = (path) => {
     _db.run("PRAGMA foreign_keys = ON");
     initSchema(_db);
 };
-function getDb() {
+export function getDb() {
     if (!_db)
         throw new Error("SQLite not initialized — call setSqliteDb(path) before using sqliteAuthAdapter or sessionStore: 'sqlite'");
     return _db;
@@ -32,6 +32,23 @@ function initSchema(db) {
         db.run("ALTER TABLE users ADD COLUMN emailVerified INTEGER NOT NULL DEFAULT 0");
     }
     catch { /* already exists */ }
+    // Add MFA columns to pre-existing databases
+    try {
+        db.run("ALTER TABLE users ADD COLUMN mfaSecret TEXT");
+    }
+    catch { /* already exists */ }
+    try {
+        db.run("ALTER TABLE users ADD COLUMN mfaEnabled INTEGER NOT NULL DEFAULT 0");
+    }
+    catch { /* already exists */ }
+    try {
+        db.run("ALTER TABLE users ADD COLUMN recoveryCodes TEXT NOT NULL DEFAULT '[]'");
+    }
+    catch { /* already exists */ }
+    try {
+        db.run("ALTER TABLE users ADD COLUMN mfaMethods TEXT NOT NULL DEFAULT '[]'");
+    }
+    catch { /* already exists */ }
     // Migrate legacy sessions table (userId PK) to new multi-session schema (sessionId PK)
     try {
         db.run("ALTER TABLE sessions RENAME TO sessions_legacy");
@@ -48,6 +65,20 @@ function initSchema(db) {
     userAgent    TEXT
   )`);
     db.run("CREATE INDEX IF NOT EXISTS idx_sessions_userId ON sessions(userId)");
+    // Add refresh token columns to pre-existing databases
+    try {
+        db.run("ALTER TABLE sessions ADD COLUMN refreshToken TEXT");
+    }
+    catch { /* already exists */ }
+    try {
+        db.run("ALTER TABLE sessions ADD COLUMN prevRefreshToken TEXT");
+    }
+    catch { /* already exists */ }
+    try {
+        db.run("ALTER TABLE sessions ADD COLUMN prevTokenExpiresAt INTEGER");
+    }
+    catch { /* already exists */ }
+    db.run("CREATE UNIQUE INDEX IF NOT EXISTS idx_sessions_refreshToken ON sessions(refreshToken) WHERE refreshToken IS NOT NULL");
     db.run(`CREATE TABLE IF NOT EXISTS oauth_states (
     state        TEXT PRIMARY KEY,
     codeVerifier TEXT,
@@ -71,6 +102,13 @@ function initSchema(db) {
     email     TEXT NOT NULL,
     expiresAt INTEGER NOT NULL
   )`);
+    db.run(`CREATE TABLE IF NOT EXISTS tenant_roles (
+    userId    TEXT NOT NULL,
+    tenantId  TEXT NOT NULL,
+    role      TEXT NOT NULL,
+    PRIMARY KEY (userId, tenantId, role)
+  )`);
+    db.run("CREATE INDEX IF NOT EXISTS idx_tenant_roles_tenant ON tenant_roles(tenantId)");
 }
 // ---------------------------------------------------------------------------
 // Auth adapter
@@ -177,6 +215,74 @@ export const sqliteAuthAdapter = {
         const row = getDb().query("SELECT emailVerified FROM users WHERE id = ?").get(userId);
         return row?.emailVerified === 1;
     },
+    async deleteUser(userId) {
+        getDb().run("DELETE FROM users WHERE id = ?", [userId]);
+    },
+    async hasPassword(userId) {
+        const row = getDb().query("SELECT passwordHash FROM users WHERE id = ?").get(userId);
+        return !!row?.passwordHash;
+    },
+    async setMfaSecret(userId, secret) {
+        getDb().run("UPDATE users SET mfaSecret = ? WHERE id = ?", [secret, userId]);
+    },
+    async getMfaSecret(userId) {
+        const row = getDb().query("SELECT mfaSecret FROM users WHERE id = ?").get(userId);
+        return row?.mfaSecret ?? null;
+    },
+    async isMfaEnabled(userId) {
+        const row = getDb().query("SELECT mfaEnabled FROM users WHERE id = ?").get(userId);
+        return row?.mfaEnabled === 1;
+    },
+    async setMfaEnabled(userId, enabled) {
+        getDb().run("UPDATE users SET mfaEnabled = ? WHERE id = ?", [enabled ? 1 : 0, userId]);
+    },
+    async setRecoveryCodes(userId, codes) {
+        getDb().run("UPDATE users SET recoveryCodes = ? WHERE id = ?", [JSON.stringify(codes), userId]);
+    },
+    async getRecoveryCodes(userId) {
+        const row = getDb().query("SELECT recoveryCodes FROM users WHERE id = ?").get(userId);
+        return row?.recoveryCodes ? JSON.parse(row.recoveryCodes) : [];
+    },
+    async removeRecoveryCode(userId, code) {
+        const current = await sqliteAuthAdapter.getRecoveryCodes(userId);
+        const idx = current.indexOf(code);
+        if (idx !== -1) {
+            current.splice(idx, 1);
+            await sqliteAuthAdapter.setRecoveryCodes(userId, current);
+        }
+    },
+    async getMfaMethods(userId) {
+        const row = getDb().query("SELECT mfaMethods, mfaEnabled FROM users WHERE id = ?").get(userId);
+        const methods = row?.mfaMethods ? JSON.parse(row.mfaMethods) : [];
+        // Backward compat: if mfaEnabled but no methods recorded, assume TOTP
+        if (methods.length === 0 && row?.mfaEnabled === 1)
+            return ["totp"];
+        return methods;
+    },
+    async setMfaMethods(userId, methods) {
+        getDb().run("UPDATE users SET mfaMethods = ? WHERE id = ?", [JSON.stringify(methods), userId]);
+    },
+    async getTenantRoles(userId, tenantId) {
+        const rows = getDb().query("SELECT role FROM tenant_roles WHERE userId = ? AND tenantId = ?").all(userId, tenantId);
+        return rows.map((r) => r.role);
+    },
+    async setTenantRoles(userId, tenantId, roles) {
+        const db = getDb();
+        db.run("DELETE FROM tenant_roles WHERE userId = ? AND tenantId = ?", [userId, tenantId]);
+        const stmt = db.prepare("INSERT INTO tenant_roles (userId, tenantId, role) VALUES (?, ?, ?)");
+        for (const role of roles) {
+            stmt.run(userId, tenantId, role);
+        }
+    },
+    async addTenantRole(userId, tenantId, role) {
+        try {
+            getDb().run("INSERT INTO tenant_roles (userId, tenantId, role) VALUES (?, ?, ?)", [userId, tenantId, role]);
+        }
+        catch { /* already exists */ }
+    },
+    async removeTenantRole(userId, tenantId, role) {
+        getDb().run("DELETE FROM tenant_roles WHERE userId = ? AND tenantId = ? AND role = ?", [userId, tenantId, role]);
+    },
 };
 import { getPersistSessionMetadata, getIncludeInactiveSessions } from "../lib/appConfig";
 const SESSION_TTL_MS = 60 * 60 * 24 * 7 * 1000; // 7 days
@@ -193,7 +299,7 @@ export const sqliteGetSession = (sessionId) => {
 };
 export const sqliteDeleteSession = (sessionId) => {
     if (getPersistSessionMetadata()) {
-        getDb().run("UPDATE sessions SET token = NULL WHERE sessionId = ?", [sessionId]);
+        getDb().run("UPDATE sessions SET token = NULL, refreshToken = NULL, prevRefreshToken = NULL, prevTokenExpiresAt = NULL WHERE sessionId = ?", [sessionId]);
     }
     else {
         getDb().run("DELETE FROM sessions WHERE sessionId = ?", [sessionId]);
@@ -236,6 +342,35 @@ export const sqliteEvictOldestSession = (userId) => {
 export const sqliteUpdateSessionLastActive = (sessionId) => {
     getDb().run("UPDATE sessions SET lastActiveAt = ? WHERE sessionId = ?", [Date.now(), sessionId]);
 };
+import { getRotationGraceSeconds } from "../lib/appConfig";
+export const sqliteSetRefreshToken = (sessionId, refreshToken) => {
+    getDb().run("UPDATE sessions SET refreshToken = ? WHERE sessionId = ?", [refreshToken, sessionId]);
+};
+export const sqliteGetSessionByRefreshToken = (refreshToken) => {
+    const db = getDb();
+    // Check current refresh token
+    let row = db.query("SELECT sessionId, userId, refreshToken FROM sessions WHERE refreshToken = ?").get(refreshToken);
+    if (row) {
+        return { sessionId: row.sessionId, userId: row.userId, newRefreshToken: refreshToken };
+    }
+    // Check previous refresh token (grace window)
+    row = db.query("SELECT sessionId, userId, refreshToken, prevTokenExpiresAt FROM sessions WHERE prevRefreshToken = ?").get(refreshToken);
+    if (!row)
+        return null;
+    const prevExpiry = row.prevTokenExpiresAt;
+    if (prevExpiry && prevExpiry > Date.now()) {
+        // Within grace window — return current refresh token
+        return { sessionId: row.sessionId, userId: row.userId, newRefreshToken: row.refreshToken };
+    }
+    // Grace window expired — theft detected, invalidate session
+    sqliteDeleteSession(row.sessionId);
+    return null;
+};
+export const sqliteRotateRefreshToken = (sessionId, newRefreshToken, newAccessToken) => {
+    const graceSeconds = getRotationGraceSeconds();
+    const prevTokenExpiresAt = Date.now() + graceSeconds * 1000;
+    getDb().run("UPDATE sessions SET prevRefreshToken = refreshToken, prevTokenExpiresAt = ?, refreshToken = ?, token = ? WHERE sessionId = ?", [prevTokenExpiresAt, newRefreshToken, newAccessToken, sessionId]);
+};
 // ---------------------------------------------------------------------------
 // OAuth state helpers (used by src/lib/oauth.ts)
 // ---------------------------------------------------------------------------

package/dist/app.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
 import type { MiddlewareHandler } from "hono";
 import type { AppEnv } from "./lib/context";
-import type { PrimaryField, EmailVerificationConfig, PasswordResetConfig } from "./lib/appConfig";
+import type { PrimaryField, EmailVerificationConfig, PasswordResetConfig, RefreshTokenConfig, MfaConfig, MfaEmailOtpConfig } from "./lib/appConfig";
 import type { AuthAdapter } from "./lib/authAdapter";
 import type { OAuthProviderConfig } from "./lib/oauth";
 type StoreType = "redis" | "mongo" | "sqlite" | "memory";
@@ -92,6 +92,11 @@ export interface AuthRateLimitConfig {
         windowMs?: number;
         max?: number;
     };
+    /** Max account deletion attempts per user per window. Default: 3 per hour. */
+    deleteAccount?: {
+        windowMs?: number;
+        max?: number;
+    };
     /**
      * Store backend for auth rate limit counters.
      * Defaults to "redis" when Redis is enabled, otherwise "memory".
@@ -136,6 +141,32 @@ export interface AuthConfig {
     rateLimit?: AuthRateLimitConfig;
     /** Session concurrency and metadata persistence policy. */
     sessionPolicy?: AuthSessionPolicyConfig;
+    /** Account deletion configuration. Enables DELETE /auth/me when the adapter supports deleteUser. */
+    accountDeletion?: AccountDeletionConfig;
+    /**
+     * Refresh token configuration. When set, login/register return short-lived access tokens
+     * (default 15 min) alongside long-lived refresh tokens (default 30 days). Mounts POST /auth/refresh.
+     * When not configured, the existing 7-day JWT behavior is unchanged.
+     */
+    refreshTokens?: RefreshTokenConfig;
+    /**
+     * MFA/TOTP configuration. When set, enables MFA setup/verify/disable routes under /auth/mfa/*.
+     * Login returns { mfaRequired: true, mfaToken } when MFA is enabled for the user.
+     * OAuth logins skip MFA (the OAuth provider is treated as the second factor).
+     */
+    mfa?: MfaConfig;
+}
+export interface AccountDeletionConfig {
+    /** Called before deletion. Throw to abort (e.g., active subscription check). */
+    onBeforeDelete?: (userId: string) => Promise<void>;
+    /** Called after auth data is deleted. Runs at execution time — query current state, not a snapshot. */
+    onAfterDelete?: (userId: string) => Promise<void>;
+    /** When true, deletion is queued as a BullMQ job instead of running synchronously. Requires Redis + BullMQ. */
+    queued?: boolean;
+    /** Grace period in seconds before queued deletion executes. Default: 0 (immediate). */
+    gracePeriod?: number;
+    /** Called when deletion is scheduled (queued + gracePeriod > 0). Use to send a confirmation/cancel email. */
+    onDeletionScheduled?: (userId: string, email: string, cancelToken: string) => Promise<void>;
 }
 export interface AuthSessionPolicyConfig {
     /** Max simultaneous active sessions per user. Oldest is evicted when exceeded. Default: 6. */
@@ -156,7 +187,7 @@ export interface AuthSessionPolicyConfig {
      */
     trackLastActive?: boolean;
 }
-export type { PrimaryField, EmailVerificationConfig, PasswordResetConfig };
+export type { PrimaryField, EmailVerificationConfig, PasswordResetConfig, RefreshTokenConfig, MfaConfig, MfaEmailOtpConfig };
 export interface BotProtectionConfig {
     /**
      * List of IPv4 CIDRs (e.g. "198.51.100.0/24"), IPv4 addresses, or IPv6 addresses to block outright.
@@ -217,6 +248,46 @@ export interface ModelSchemasConfig {
      */
     registration?: "auto" | "explicit";
 }
+export interface JobsConfig {
+    /** Enable the job status endpoint. Default: false. */
+    statusEndpoint?: boolean;
+    /**
+     * Auth protection for job endpoints.
+     * - `"userAuth"` — requires authenticated user session (cookie/token).
+     * - `"none"` — no auth (not recommended for production).
+     * - `MiddlewareHandler[]` — custom middleware stack (e.g., `[userAuth, requireRole("admin")]`).
+     *
+     * Default: `"none"`. You must explicitly configure auth.
+     */
+    auth?: "userAuth" | "none" | import("hono").MiddlewareHandler<AppEnv>[];
+    /** Required roles for accessing job endpoints. Only works when auth includes userAuth. */
+    roles?: string[];
+    /** Whitelist of queue names exposed. Default: [] (nothing exposed). */
+    allowedQueues?: string[];
+    /** When using userAuth, restrict job visibility to the user who created it. Default: false. */
+    scopeToUser?: boolean;
+}
+export interface TenantConfig {
+    [key: string]: unknown;
+}
+export interface TenancyConfig {
+    /** How tenant is identified. */
+    resolution: "header" | "subdomain" | "path";
+    /** Header name when resolution is "header". Default: "x-tenant-id". */
+    headerName?: string;
+    /** Path segment index when resolution is "path". Default: 0. */
+    pathSegment?: number;
+    /** Callback to validate/load tenant. Return null to reject. */
+    onResolve?: (tenantId: string) => Promise<TenantConfig | null>;
+    /** TTL in ms for caching onResolve results (LRU cache). Default: 60_000. Set 0 to disable. */
+    cacheTtlMs?: number;
+    /** Max entries in tenant resolution cache. Default: 500. */
+    cacheMaxSize?: number;
+    /** Paths that skip tenant resolution. Uses startsWith matching. Default: ["/health", "/docs", "/openapi.json"]. */
+    exemptPaths?: string[];
+    /** HTTP status when onResolve returns null. Default: 403. */
+    rejectionStatus?: 403 | 404;
+}
 export interface CreateAppConfig {
     /** Absolute path to the service's routes directory (use import.meta.dir + "/routes") */
     routesDir: string;
@@ -237,5 +308,9 @@ export interface CreateAppConfig {
     middleware?: MiddlewareHandler<AppEnv>[];
     /** Database connection and store routing configuration */
     db?: DbConfig;
+    /** Job status endpoint configuration. Requires BullMQ + Redis. */
+    jobs?: JobsConfig;
+    /** Multi-tenancy configuration. When set, tenant middleware resolves tenant on each request. */
+    tenancy?: TenancyConfig;
 }
 export declare const createApp: (config: CreateAppConfig) => Promise<OpenAPIHono<AppEnv>>;

package/dist/app.js

@@ -7,8 +7,8 @@ import { HttpError } from "./lib/HttpError";
 import { rateLimit } from "./middleware/rateLimit";
 import { bearerAuth } from "./middleware/bearerAuth";
 import { identify } from "./middleware/identify";
-import { HEADER_USER_TOKEN } from "./lib/constants";
-import { setAppName, setAppRoles, setDefaultRole, setPrimaryField, setEmailVerificationConfig, setPasswordResetConfig, setMaxSessions, setPersistSessionMetadata, setIncludeInactiveSessions, setTrackLastActive } from "./lib/appConfig";
+import { HEADER_USER_TOKEN, HEADER_REFRESH_TOKEN } from "./lib/constants";
+import { setAppName, setAppRoles, setDefaultRole, setPrimaryField, setEmailVerificationConfig, setPasswordResetConfig, setMaxSessions, setPersistSessionMetadata, setIncludeInactiveSessions, setTrackLastActive, setRefreshTokenConfig, setMfaConfig } from "./lib/appConfig";
 import { setEmailVerificationStore } from "./lib/emailVerification";
 import { setPasswordResetStore } from "./lib/resetPassword";
 import { setAuthRateLimitStore } from "./lib/authRateLimit";
@@ -110,6 +110,8 @@ export const createApp = async (config) => {
     setPersistSessionMetadata(sessionPolicy.persistSessionMetadata ?? true);
     setIncludeInactiveSessions(sessionPolicy.includeInactiveSessions ?? false);
     setTrackLastActive(sessionPolicy.trackLastActive ?? false);
+    setRefreshTokenConfig(authConfig.refreshTokens ?? null);
+    setMfaConfig(authConfig.mfa ?? null);
     if (oauthProviders)
         initOAuthProviders(oauthProviders);
     const configuredOAuth = getConfiguredOAuthProviders();
@@ -125,7 +127,7 @@ export const createApp = async (config) => {
     const app = new OpenAPIHono();
     app.use(logger());
     app.use(secureHeaders());
-    app.use(cors({ origin: corsOrigins, allowHeaders: ["Content-Type", "Authorization", HEADER_USER_TOKEN], exposeHeaders: ["x-cache"], credentials: true }));
+    app.use(cors({ origin: corsOrigins, allowHeaders: ["Content-Type", "Authorization", HEADER_USER_TOKEN, HEADER_REFRESH_TOKEN], exposeHeaders: ["x-cache"], credentials: true }));
     if ((botCfg.blockList?.length ?? 0) > 0) {
         const { botProtection } = await import("./middleware/botProtection");
         app.use(botProtection({ blockList: botCfg.blockList }));
@@ -141,6 +143,11 @@ export const createApp = async (config) => {
         });
     }
     app.use(identify);
+    // Tenant resolution middleware (after identify, before user middleware + routes)
+    if (config.tenancy) {
+        const { createTenantMiddleware } = await import("./middleware/tenant");
+        app.use(createTenantMiddleware(config.tenancy));
+    }
     for (const mw of middleware)
         app.use(mw);
     setAppName(appName);
@@ -188,17 +195,35 @@ export const createApp = async (config) => {
             continue; // mounted separately below via createAuthRouter
         if (file === "oauth.ts")
             continue; // mounted separately below
+        if (file === "mfa.ts")
+            continue; // mounted separately below when mfa is configured
+        if (file === "jobs.ts")
+            continue; // mounted separately below when jobs.statusEndpoint is true
         const mod = await import(`${coreRoutesDir}/${file}`);
         if (mod.router)
             app.route("/", mod.router);
     }
     if (enableAuthRoutes) {
         const { createAuthRouter } = await import(`${coreRoutesDir}/auth`);
-        app.route("/", createAuthRouter({ primaryField, emailVerification, passwordReset, rateLimit: authRateLimit }));
+        app.route("/", createAuthRouter({ primaryField, emailVerification, passwordReset, rateLimit: authRateLimit, accountDeletion: authConfig.accountDeletion, refreshTokens: authConfig.refreshTokens }));
     }
     if (configuredOAuth.length > 0) {
         app.route("/", createOAuthRouter(configuredOAuth, postOAuthRedirect));
     }
+    if (authConfig.mfa && enableAuthRoutes) {
+        const { setMfaChallengeStore, setMfaChallengeSqliteDb } = await import("./lib/mfaChallenge");
+        setMfaChallengeStore(sessions);
+        if (sessions === "sqlite") {
+            const { getDb } = await import("./adapters/sqliteAuth");
+            setMfaChallengeSqliteDb(getDb());
+        }
+        const { createMfaRouter } = await import(`${coreRoutesDir}/mfa`);
+        app.route("/", createMfaRouter());
+    }
+    if (config.jobs?.statusEndpoint) {
+        const { createJobsRouter } = await import(`${coreRoutesDir}/jobs`);
+        app.route("/", createJobsRouter(config.jobs));
+    }
     // Service routes — collect all, sort by optional exported `priority`, then mount
     const serviceGlob = new Bun.Glob("**/*.ts");
     const serviceFiles = [];

package/dist/entrypoints/queue.d.ts

@@ -1,2 +1,2 @@
-export { createQueue, createWorker } from "../lib/queue";
-export type { Job } from "../lib/queue";
+export { createQueue, createWorker, createCronWorker, cleanupStaleSchedulers, getRegisteredCronNames, createDLQHandler } from "../lib/queue";
+export type { Job, CronSchedule, DLQOptions } from "../lib/queue";