@lastshotlabs/bunshot 0.0.13 → 0.0.18

package/dist/routes/oauth.js

@@ -1,22 +1,30 @@
+import { createRoute, withSecurity } from "../lib/createRoute";
 import { createRouter } from "../lib/context";
 import { setCookie } from "hono/cookie";
 import { decodeIdToken } from "arctic";
-import { getGoogle, getApple, storeOAuthState, consumeOAuthState, generateState, generateCodeVerifier, } from "../lib/oauth";
+import { z } from "zod";
+import { getGoogle, getApple, getMicrosoft, getGitHub, storeOAuthState, consumeOAuthState, generateState, generateCodeVerifier, } from "../lib/oauth";
 import { getAuthAdapter } from "../lib/authAdapter";
 import { HttpError } from "../lib/HttpError";
 import { signToken } from "../lib/jwt";
-import { createSession, getActiveSessionCount, evictOldestSession } from "../lib/session";
-import { COOKIE_TOKEN } from "../lib/constants";
+import { createSession, getActiveSessionCount, evictOldestSession, setRefreshToken } from "../lib/session";
+import { storeOAuthCode, consumeOAuthCode } from "../lib/oauthCode";
+import { COOKIE_TOKEN, COOKIE_REFRESH_TOKEN } from "../lib/constants";
 import { userAuth } from "../middleware/userAuth";
-import { getDefaultRole, getMaxSessions } from "../lib/appConfig";
+import { getDefaultRole, getMaxSessions, getRefreshTokenConfig, getAccessTokenExpiry, getRefreshTokenExpiry, getCsrfEnabled } from "../lib/appConfig";
+import { refreshCsrfToken } from "../middleware/csrf";
+import { trackAttempt } from "../lib/authRateLimit";
+import { getClientIp } from "../lib/clientIp";
 const isProd = process.env.NODE_ENV === "production";
-const cookieOptions = {
+const cookieOptions = (maxAge) => ({
     httpOnly: true,
     secure: isProd,
     sameSite: "Lax",
     path: "/",
-    maxAge: 60 * 60 * 24 * 7,
-};
+    maxAge: maxAge ?? 60 * 60 * 24 * 7,
+});
+const tags = ["OAuth"];
+const OAuthErrorResponse = z.object({ error: z.string().describe("Human-readable error message.") }).openapi("OAuthErrorResponse");
 const finishOAuth = async (c, provider, providerId, profile, postLoginRedirect) => {
     const adapter = getAuthAdapter();
     if (!adapter.findOrCreateByProvider) {
@@ -37,22 +45,33 @@ const finishOAuth = async (c, provider, providerId, profile, postLoginRedirect)
             await adapter.setRoles(user.id, [role]);
     }
     const sessionId = crypto.randomUUID();
-    const token = await signToken(user.id, sessionId);
-    const xff = c.req.header("x-forwarded-for");
+    const rtConfig = getRefreshTokenConfig();
+    const expirySeconds = rtConfig ? getAccessTokenExpiry() : undefined;
+    const token = await signToken(user.id, sessionId, expirySeconds);
     const metadata = {
-        ipAddress: (xff ? xff.split(",")[0]?.trim() : undefined) ?? c.req.header("x-real-ip") ?? undefined,
+        ipAddress: getClientIp(c),
         userAgent: c.req.header("user-agent") ?? undefined,
     };
     while (await getActiveSessionCount(user.id) >= getMaxSessions()) {
         await evictOldestSession(user.id);
     }
     await createSession(user.id, token, sessionId, metadata);
-    setCookie(c, COOKIE_TOKEN, token, cookieOptions);
-    // Append token to redirect so non-browser clients (mobile deep links) can extract it.
-    // Browser apps can safely ignore the query param.
+    let refreshTokenValue;
+    if (rtConfig) {
+        refreshTokenValue = crypto.randomUUID();
+        await setRefreshToken(sessionId, refreshTokenValue);
+    }
+    // Store a one-time authorization code instead of exposing the token in the redirect URL.
+    // The client exchanges this code via POST /auth/oauth/exchange to get the session token.
+    const code = await storeOAuthCode({
+        token,
+        userId: user.id,
+        email: profile.email,
+        refreshToken: refreshTokenValue,
+    });
     try {
         const url = new URL(postLoginRedirect);
-        url.searchParams.set("token", token);
+        url.searchParams.set("code", code);
         if (profile.email)
             url.searchParams.set("user", profile.email);
         return c.redirect(url.toString());
@@ -61,22 +80,48 @@ const finishOAuth = async (c, provider, providerId, profile, postLoginRedirect)
         // Relative path fallback
         const sep = postLoginRedirect.includes("?") ? "&" : "?";
         const userParam = profile.email ? `&user=${encodeURIComponent(profile.email)}` : "";
-        return c.redirect(`${postLoginRedirect}${sep}token=${token}${userParam}`);
+        return c.redirect(`${postLoginRedirect}${sep}code=${code}${userParam}`);
     }
 };
 export const createOAuthRouter = (providers, postLoginRedirect) => {
     const router = createRouter();
     // ─── Google ───────────────────────────────────────────────────────────────
     if (providers.includes("google")) {
-        router.get("/auth/google", async (c) => {
+        router.openapi(createRoute({
+            method: "get",
+            path: "/auth/google",
+            summary: "Initiate Google OAuth",
+            description: "Redirects the user to Google's consent screen to begin the OAuth login flow. After the user authorizes, Google redirects back to `/auth/google/callback`.",
+            tags,
+            responses: {
+                302: { description: "Redirect to Google's OAuth consent screen." },
+                500: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "OAuth provider not configured." },
+            },
+        }), async (c) => {
             const state = generateState();
             const codeVerifier = generateCodeVerifier();
             await storeOAuthState(state, codeVerifier);
             const url = getGoogle().createAuthorizationURL(state, codeVerifier, ["openid", "profile", "email"]);
             return c.redirect(url.toString());
         });
-        router.get("/auth/google/callback", async (c) => {
-            const { code, state } = c.req.query();
+        router.openapi(createRoute({
+            method: "get",
+            path: "/auth/google/callback",
+            summary: "Google OAuth callback",
+            description: "Handles the redirect from Google after user authorization. Validates the OAuth state and code, then creates or finds the user account. Sets a session cookie and redirects to the configured post-login URL.",
+            tags,
+            request: {
+                query: z.object({
+                    code: z.string().describe("Authorization code from Google."),
+                    state: z.string().describe("OAuth state parameter for CSRF protection."),
+                }),
+            },
+            responses: {
+                302: { description: "Redirect to the post-login URL with session token." },
+                400: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "Invalid callback parameters or expired state." },
+            },
+        }), async (c) => {
+            const { code, state } = c.req.valid("query");
             if (!code || !state)
                 return c.json({ error: "Invalid callback" }, 400);
             const stored = await consumeOAuthState(state);
@@ -96,14 +141,36 @@ export const createOAuthRouter = (providers, postLoginRedirect) => {
             }
             return finishOAuth(c, "google", info.sub, { email: info.email, name: info.name, avatarUrl: info.picture }, postLoginRedirect);
         });
-        router.get("/auth/google/link", userAuth, async (c) => {
+        router.use("/auth/google/link", userAuth);
+        router.openapi(withSecurity(createRoute({
+            method: "get",
+            path: "/auth/google/link",
+            summary: "Link Google account",
+            description: "Initiates an OAuth flow to link a Google account to the authenticated user. Requires a valid session. Redirects to Google's consent screen.",
+            tags,
+            responses: {
+                302: { description: "Redirect to Google's OAuth consent screen." },
+                401: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "No valid session." },
+            },
+        }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
             const state = generateState();
             const codeVerifier = generateCodeVerifier();
             await storeOAuthState(state, codeVerifier, c.get("authUserId"));
             const url = getGoogle().createAuthorizationURL(state, codeVerifier, ["openid", "profile", "email"]);
             return c.redirect(url.toString());
         });
-        router.delete("/auth/google/link", userAuth, async (c) => {
+        router.openapi(withSecurity(createRoute({
+            method: "delete",
+            path: "/auth/google/link",
+            summary: "Unlink Google account",
+            description: "Removes the linked Google OAuth account from the authenticated user. Requires a valid session.",
+            tags,
+            responses: {
+                204: { description: "Google account unlinked successfully." },
+                401: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "No valid session." },
+                500: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "Auth adapter does not support unlinkProvider." },
+            },
+        }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
             const adapter = getAuthAdapter();
             if (!adapter.unlinkProvider) {
                 return c.json({ error: "Auth adapter does not support unlinkProvider" }, 500);
@@ -114,14 +181,34 @@ export const createOAuthRouter = (providers, postLoginRedirect) => {
     }
     // ─── Apple ────────────────────────────────────────────────────────────────
     if (providers.includes("apple")) {
-        router.get("/auth/apple", async (c) => {
+        router.openapi(createRoute({
+            method: "get",
+            path: "/auth/apple",
+            summary: "Initiate Apple OAuth",
+            description: "Redirects the user to Apple's sign-in page to begin the OAuth login flow. After the user authorizes, Apple posts back to `/auth/apple/callback`.",
+            tags,
+            responses: {
+                302: { description: "Redirect to Apple's OAuth sign-in page." },
+                500: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "OAuth provider not configured." },
+            },
+        }), async (c) => {
             const state = generateState();
             await storeOAuthState(state);
             const url = getApple().createAuthorizationURL(state, ["name", "email"]);
             return c.redirect(url.toString());
         });
         // Apple sends a POST with form data to the callback URL
-        router.post("/auth/apple/callback", async (c) => {
+        router.openapi(createRoute({
+            method: "post",
+            path: "/auth/apple/callback",
+            summary: "Apple OAuth callback",
+            description: "Handles the POST redirect from Apple after user authorization. Apple sends form-encoded data containing the authorization code and state. Validates the OAuth state, exchanges the code for tokens, then creates or finds the user account. Sets a session cookie and redirects to the configured post-login URL.",
+            tags,
+            responses: {
+                302: { description: "Redirect to the post-login URL with session token." },
+                400: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "Invalid callback parameters or expired state." },
+            },
+        }), async (c) => {
             const form = await c.req.formData();
             const code = form.get("code");
             const state = form.get("state");
@@ -148,12 +235,280 @@ export const createOAuthRouter = (providers, postLoginRedirect) => {
                 : undefined;
             return finishOAuth(c, "apple", claims.sub, { email: claims.email, name }, postLoginRedirect);
         });
-        router.get("/auth/apple/link", userAuth, async (c) => {
+        router.use("/auth/apple/link", userAuth);
+        router.openapi(withSecurity(createRoute({
+            method: "get",
+            path: "/auth/apple/link",
+            summary: "Link Apple account",
+            description: "Initiates an OAuth flow to link an Apple account to the authenticated user. Requires a valid session. Redirects to Apple's sign-in page.",
+            tags,
+            responses: {
+                302: { description: "Redirect to Apple's OAuth sign-in page." },
+                401: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "No valid session." },
+            },
+        }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
             const state = generateState();
             await storeOAuthState(state, undefined, c.get("authUserId"));
             const url = getApple().createAuthorizationURL(state, ["name", "email"]);
             return c.redirect(url.toString());
         });
     }
+    // ─── Microsoft ──────────────────────────────────────────────────────────
+    if (providers.includes("microsoft")) {
+        router.openapi(createRoute({
+            method: "get",
+            path: "/auth/microsoft",
+            summary: "Initiate Microsoft OAuth",
+            description: "Redirects the user to Microsoft's sign-in page to begin the OAuth login flow. After the user authorizes, Microsoft redirects back to `/auth/microsoft/callback`.",
+            tags,
+            responses: {
+                302: { description: "Redirect to Microsoft's OAuth sign-in page." },
+                500: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "OAuth provider not configured." },
+            },
+        }), async (c) => {
+            const state = generateState();
+            const codeVerifier = generateCodeVerifier();
+            await storeOAuthState(state, codeVerifier);
+            const url = getMicrosoft().createAuthorizationURL(state, codeVerifier, ["openid", "profile", "email"]);
+            return c.redirect(url.toString());
+        });
+        router.openapi(createRoute({
+            method: "get",
+            path: "/auth/microsoft/callback",
+            summary: "Microsoft OAuth callback",
+            description: "Handles the redirect from Microsoft after user authorization. Validates the OAuth state and code, then creates or finds the user account. Sets a session cookie and redirects to the configured post-login URL.",
+            tags,
+            request: {
+                query: z.object({
+                    code: z.string().describe("Authorization code from Microsoft."),
+                    state: z.string().describe("OAuth state parameter for CSRF protection."),
+                }),
+            },
+            responses: {
+                302: { description: "Redirect to the post-login URL with session token." },
+                400: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "Invalid callback parameters or expired state." },
+            },
+        }), async (c) => {
+            const { code, state } = c.req.valid("query");
+            if (!code || !state)
+                return c.json({ error: "Invalid callback" }, 400);
+            const stored = await consumeOAuthState(state);
+            if (!stored?.codeVerifier)
+                return c.json({ error: "Invalid or expired state" }, 400);
+            const tokens = await getMicrosoft().validateAuthorizationCode(code, stored.codeVerifier);
+            const info = await fetch("https://graph.microsoft.com/v1.0/me", {
+                headers: { Authorization: `Bearer ${tokens.accessToken()}` },
+            }).then((r) => r.json());
+            if (stored.linkUserId) {
+                const adapter = getAuthAdapter();
+                if (!adapter.linkProvider)
+                    return c.json({ error: "Auth adapter does not support linkProvider" }, 500);
+                await adapter.linkProvider(stored.linkUserId, "microsoft", info.id);
+                const sep = postLoginRedirect.includes("?") ? "&" : "?";
+                return c.redirect(`${postLoginRedirect}${sep}linked=microsoft`);
+            }
+            return finishOAuth(c, "microsoft", info.id, { email: info.mail ?? info.userPrincipalName, name: info.displayName }, postLoginRedirect);
+        });
+        router.use("/auth/microsoft/link", userAuth);
+        router.openapi(withSecurity(createRoute({
+            method: "get",
+            path: "/auth/microsoft/link",
+            summary: "Link Microsoft account",
+            description: "Initiates an OAuth flow to link a Microsoft account to the authenticated user. Requires a valid session. Redirects to Microsoft's sign-in page.",
+            tags,
+            responses: {
+                302: { description: "Redirect to Microsoft's OAuth sign-in page." },
+                401: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "No valid session." },
+            },
+        }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+            const state = generateState();
+            const codeVerifier = generateCodeVerifier();
+            await storeOAuthState(state, codeVerifier, c.get("authUserId"));
+            const url = getMicrosoft().createAuthorizationURL(state, codeVerifier, ["openid", "profile", "email"]);
+            return c.redirect(url.toString());
+        });
+        router.openapi(withSecurity(createRoute({
+            method: "delete",
+            path: "/auth/microsoft/link",
+            summary: "Unlink Microsoft account",
+            description: "Removes the linked Microsoft OAuth account from the authenticated user. Requires a valid session.",
+            tags,
+            responses: {
+                204: { description: "Microsoft account unlinked successfully." },
+                401: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "No valid session." },
+                500: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "Auth adapter does not support unlinkProvider." },
+            },
+        }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+            const adapter = getAuthAdapter();
+            if (!adapter.unlinkProvider) {
+                return c.json({ error: "Auth adapter does not support unlinkProvider" }, 500);
+            }
+            await adapter.unlinkProvider(c.get("authUserId"), "microsoft");
+            return c.body(null, 204);
+        });
+    }
+    // ─── GitHub ────────────────────────────────────────────────────────────
+    if (providers.includes("github")) {
+        router.openapi(createRoute({
+            method: "get",
+            path: "/auth/github",
+            summary: "Initiate GitHub OAuth",
+            description: "Redirects the user to GitHub's authorization page to begin the OAuth login flow. After the user authorizes, GitHub redirects back to `/auth/github/callback`.",
+            tags,
+            responses: {
+                302: { description: "Redirect to GitHub's OAuth authorization page." },
+                500: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "OAuth provider not configured." },
+            },
+        }), async (c) => {
+            const state = generateState();
+            await storeOAuthState(state);
+            const url = getGitHub().createAuthorizationURL(state, ["read:user", "user:email"]);
+            return c.redirect(url.toString());
+        });
+        router.openapi(createRoute({
+            method: "get",
+            path: "/auth/github/callback",
+            summary: "GitHub OAuth callback",
+            description: "Handles the redirect from GitHub after user authorization. Validates the OAuth state and code, then creates or finds the user account. Sets a session cookie and redirects to the configured post-login URL.",
+            tags,
+            request: {
+                query: z.object({
+                    code: z.string().describe("Authorization code from GitHub."),
+                    state: z.string().describe("OAuth state parameter for CSRF protection."),
+                }),
+            },
+            responses: {
+                302: { description: "Redirect to the post-login URL with session token." },
+                400: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "Invalid callback parameters or expired state." },
+            },
+        }), async (c) => {
+            const { code, state } = c.req.valid("query");
+            if (!code || !state)
+                return c.json({ error: "Invalid callback" }, 400);
+            const stored = await consumeOAuthState(state);
+            if (!stored)
+                return c.json({ error: "Invalid or expired state" }, 400);
+            const tokens = await getGitHub().validateAuthorizationCode(code);
+            const headers = { Authorization: `Bearer ${tokens.accessToken()}`, "User-Agent": "bunshot" };
+            const info = await fetch("https://api.github.com/user", { headers })
+                .then((r) => r.json());
+            // GitHub may not return email on /user if it's private — fetch from /user/emails
+            let email = info.email;
+            if (!email) {
+                const emails = await fetch("https://api.github.com/user/emails", { headers })
+                    .then((r) => r.json());
+                email = emails.find((e) => e.primary && e.verified)?.email ?? emails.find((e) => e.verified)?.email;
+            }
+            if (stored.linkUserId) {
+                const adapter = getAuthAdapter();
+                if (!adapter.linkProvider)
+                    return c.json({ error: "Auth adapter does not support linkProvider" }, 500);
+                await adapter.linkProvider(stored.linkUserId, "github", String(info.id));
+                const sep = postLoginRedirect.includes("?") ? "&" : "?";
+                return c.redirect(`${postLoginRedirect}${sep}linked=github`);
+            }
+            return finishOAuth(c, "github", String(info.id), { email, name: info.name, avatarUrl: info.avatar_url }, postLoginRedirect);
+        });
+        router.use("/auth/github/link", userAuth);
+        router.openapi(withSecurity(createRoute({
+            method: "get",
+            path: "/auth/github/link",
+            summary: "Link GitHub account",
+            description: "Initiates an OAuth flow to link a GitHub account to the authenticated user. Requires a valid session. Redirects to GitHub's authorization page.",
+            tags,
+            responses: {
+                302: { description: "Redirect to GitHub's OAuth authorization page." },
+                401: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "No valid session." },
+            },
+        }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+            const state = generateState();
+            await storeOAuthState(state, undefined, c.get("authUserId"));
+            const url = getGitHub().createAuthorizationURL(state, ["read:user", "user:email"]);
+            return c.redirect(url.toString());
+        });
+        router.openapi(withSecurity(createRoute({
+            method: "delete",
+            path: "/auth/github/link",
+            summary: "Unlink GitHub account",
+            description: "Removes the linked GitHub OAuth account from the authenticated user. Requires a valid session.",
+            tags,
+            responses: {
+                204: { description: "GitHub account unlinked successfully." },
+                401: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "No valid session." },
+                500: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "Auth adapter does not support unlinkProvider." },
+            },
+        }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+            const adapter = getAuthAdapter();
+            if (!adapter.unlinkProvider) {
+                return c.json({ error: "Auth adapter does not support unlinkProvider" }, 500);
+            }
+            await adapter.unlinkProvider(c.get("authUserId"), "github");
+            return c.body(null, 204);
+        });
+    }
+    // ─── Code Exchange ─────────────────────────────────────────────────────
+    router.openapi(createRoute({
+        method: "post",
+        path: "/auth/oauth/exchange",
+        summary: "Exchange OAuth authorization code for session token",
+        description: "Exchanges a one-time authorization code (received from the OAuth redirect) for a session token. The code is single-use and expires after 60 seconds. Sets session cookies for browser clients; returns the token in the JSON response for mobile/SPA clients.",
+        tags,
+        request: {
+            body: {
+                content: {
+                    "application/json": {
+                        schema: z.object({
+                            code: z.string().describe("One-time authorization code from the OAuth redirect."),
+                        }),
+                    },
+                },
+            },
+        },
+        responses: {
+            200: {
+                content: {
+                    "application/json": {
+                        schema: z.object({
+                            token: z.string().describe("Session JWT."),
+                            userId: z.string().describe("Authenticated user ID."),
+                            email: z.string().optional().describe("User email if available."),
+                            refreshToken: z.string().optional().describe("Refresh token if refresh tokens are configured."),
+                        }),
+                    },
+                },
+                description: "Session token and user info.",
+            },
+            400: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "Missing code parameter." },
+            401: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "Invalid, expired, or already-used code." },
+            429: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "Rate limit exceeded." },
+        },
+    }), async (c) => {
+        // Rate limit by IP to prevent brute-forcing codes within the 60s TTL
+        const ip = getClientIp(c);
+        const limited = await trackAttempt(`oauth-exchange:ip:${ip}`, { max: 20, windowMs: 60_000 });
+        if (limited) {
+            return c.json({ error: "Too many requests" }, 429);
+        }
+        const { code } = c.req.valid("json");
+        if (!code)
+            return c.json({ error: "Missing code" }, 400);
+        const payload = await consumeOAuthCode(code);
+        if (!payload)
+            return c.json({ error: "Invalid or expired code" }, 401);
+        // Set session cookies for browser clients
+        const rtConfig = getRefreshTokenConfig();
+        setCookie(c, COOKIE_TOKEN, payload.token, cookieOptions(rtConfig ? getAccessTokenExpiry() : undefined));
+        if (payload.refreshToken && rtConfig) {
+            setCookie(c, COOKIE_REFRESH_TOKEN, payload.refreshToken, cookieOptions(getRefreshTokenExpiry()));
+        }
+        if (getCsrfEnabled())
+            refreshCsrfToken(c);
+        return c.json({
+            token: payload.token,
+            userId: payload.userId,
+            email: payload.email,
+            refreshToken: payload.refreshToken,
+        }, 200);
+    });
     return router;
 };

package/dist/schemas/auth.d.ts

@@ -8,3 +8,5 @@ export declare const makeLoginSchema: (primaryField: PrimaryField) => z.ZodObjec
     [x: string]: z.ZodString;
     password: z.ZodString;
 }, z.core.$strip>;
+/** Password schema for reset-password — same policy as registration. */
+export declare const resetPasswordSchema: () => z.ZodString;

package/dist/schemas/auth.js

@@ -1,9 +1,30 @@
 import { z } from "zod";
+import { getPasswordPolicy } from "../lib/appConfig";
+/** Build a Zod schema for the password field based on the configured policy.
+ *  Applied to registration and reset-password. Login uses min(1) intentionally
+ *  to avoid locking out users registered under older/weaker policies. */
+const passwordSchema = () => {
+    const policy = getPasswordPolicy();
+    const minLen = policy.minLength ?? 8;
+    let schema = z.string().min(minLen, `Password must be at least ${minLen} characters`);
+    if (policy.requireLetter !== false) {
+        schema = schema.regex(/[a-zA-Z]/, "Password must contain at least one letter");
+    }
+    if (policy.requireDigit !== false) {
+        schema = schema.regex(/\d/, "Password must contain at least one digit");
+    }
+    if (policy.requireSpecial) {
+        schema = schema.regex(/[^a-zA-Z0-9]/, "Password must contain at least one special character");
+    }
+    return schema;
+};
 export const makeRegisterSchema = (primaryField) => z.object({
     [primaryField]: primaryField === "email" ? z.string().email() : z.string().min(3),
-    password: z.string().min(8),
+    password: passwordSchema(),
 });
 export const makeLoginSchema = (primaryField) => z.object({
     [primaryField]: primaryField === "email" ? z.string().email() : z.string().min(1),
     password: z.string().min(1),
 });
+/** Password schema for reset-password — same policy as registration. */
+export const resetPasswordSchema = () => passwordSchema();

package/dist/server.d.ts

@@ -12,6 +12,12 @@ export interface WsConfig<T extends object = object> {
      * ws.data.userId is available for auth checks.
      */
     onRoomSubscribe?: (ws: ServerWebSocket<SocketData<T>>, room: string) => boolean | Promise<boolean>;
+    /**
+     * Maximum allowed WebSocket message size in bytes.
+     * Messages exceeding this limit will cause the connection to be closed with code 1009.
+     * Defaults to 65536 (64 KB).
+     */
+    maxMessageSize?: number;
 }
 export interface CreateServerConfig<T extends object = object> extends CreateAppConfig {
     port?: number;

package/dist/server.js

@@ -6,16 +6,23 @@ export const createServer = async (config) => {
     const app = await createApp(config);
     const port = Number(process.env.PORT ?? config.port ?? 3000);
     const { workersDir, enableWorkers = true, ws: wsConfig = {} } = config;
-    const { handler: userWs, upgradeHandler: wsUpgradeHandler, onRoomSubscribe } = wsConfig;
+    const { handler: userWs, upgradeHandler: wsUpgradeHandler, onRoomSubscribe, maxMessageSize = 65_536 } = wsConfig;
     const defaultOpen = defaultWebsocket.open;
-    const defaultMessage = defaultWebsocket.message;
     const defaultClose = defaultWebsocket.close;
     const defaultDrain = defaultWebsocket.drain;
     const ws = {
         open: userWs?.open ?? defaultOpen,
         async message(socket, message) {
+            const size = typeof message === "string" ? message.length : message.byteLength;
+            if (size > maxMessageSize) {
+                socket.close(1009, "Message too large");
+                return;
+            }
             if (!await handleRoomActions(socket, message, onRoomSubscribe)) {
-                (userWs?.message ?? defaultMessage)(socket, message);
+                if (userWs?.message) {
+                    userWs.message(socket, message);
+                }
+                // No default echo — without a custom handler, non-room messages are silently dropped
             }
         },
         close(socket, code, reason) {
@@ -46,6 +53,15 @@ export const createServer = async (config) => {
         for await (const file of glob.scan({ cwd: workersDir })) {
             await import(`${workersDir}/${file}`);
         }
+        // Clean up ghost cron schedulers after all workers are loaded
+        try {
+            const { getRegisteredCronNames, cleanupStaleSchedulers } = await import("./lib/queue");
+            const activeNames = [...getRegisteredCronNames()];
+            if (activeNames.length > 0) {
+                await cleanupStaleSchedulers(activeNames);
+            }
+        }
+        catch { /* bullmq not installed or no cron workers */ }
     }
     log(`[server] running at http://localhost:${server.port}`);
     log(`[server] API docs at http://localhost:${server.port}/docs`);

package/dist/services/auth.d.ts

@@ -1,14 +1,27 @@
 import type { SessionMetadata } from "../lib/session";
-export declare const register: (identifier: string, password: string, metadata?: SessionMetadata) => Promise<{
+export interface AuthResult {
     token: string;
     userId: string;
     email?: string;
+    emailVerified?: boolean;
+    googleLinked?: boolean;
+    refreshToken?: string;
+    mfaRequired?: boolean;
+    mfaToken?: string;
+    mfaMethods?: string[];
+    webauthnOptions?: Record<string, unknown>;
+}
+/** Create a session for a user (used internally and by MFA verify). */
+export declare const createSessionForUser: (userId: string, metadata?: SessionMetadata) => Promise<{
+    token: string;
+    refreshToken?: string;
 }>;
-export declare const login: (identifier: string, password: string, metadata?: SessionMetadata) => Promise<{
+export declare const register: (identifier: string, password: string, metadata?: SessionMetadata) => Promise<AuthResult>;
+export declare const login: (identifier: string, password: string, metadata?: SessionMetadata) => Promise<AuthResult>;
+export declare const refresh: (refreshTokenValue: string) => Promise<{
     token: string;
+    refreshToken: string;
     userId: string;
-    email?: string;
-    emailVerified?: boolean;
-    googleLinked?: boolean;
 }>;
+export declare const deleteAccount: (userId: string, password?: string) => Promise<void>;
 export declare const logout: (token: string | null) => Promise<void>;