@lastshotlabs/bunshot 0.0.13 → 0.0.18

package/dist/services/auth.js

@@ -1,9 +1,31 @@
 import { getAuthAdapter } from "../lib/authAdapter";
 import { HttpError } from "../lib/HttpError";
 import { signToken, verifyToken } from "../lib/jwt";
-import { createSession, deleteSession, getActiveSessionCount, evictOldestSession } from "../lib/session";
-import { getDefaultRole, getPrimaryField, getEmailVerificationConfig, getMaxSessions } from "../lib/appConfig";
+import { createSession, deleteSession, getActiveSessionCount, evictOldestSession, deleteUserSessions, setRefreshToken, getSessionByRefreshToken, rotateRefreshToken } from "../lib/session";
+import { getDefaultRole, getPrimaryField, getEmailVerificationConfig, getMaxSessions, getRefreshTokenConfig, getAccessTokenExpiry, getMfaConfig, getMfaEmailOtpConfig, getMfaWebAuthnConfig } from "../lib/appConfig";
 import { createVerificationToken } from "../lib/emailVerification";
+import { createMfaChallenge } from "../lib/mfaChallenge";
+import { generateEmailOtpCode, generateWebAuthnAuthenticationOptions } from "./mfa";
+async function createSessionWithRefreshToken(userId, sessionId, metadata) {
+    const rtConfig = getRefreshTokenConfig();
+    const expirySeconds = rtConfig ? getAccessTokenExpiry() : undefined;
+    const token = await signToken(userId, sessionId, expirySeconds);
+    while (await getActiveSessionCount(userId) >= getMaxSessions()) {
+        await evictOldestSession(userId);
+    }
+    await createSession(userId, token, sessionId, metadata);
+    let refreshToken;
+    if (rtConfig) {
+        refreshToken = crypto.randomUUID();
+        await setRefreshToken(sessionId, refreshToken);
+    }
+    return { token, refreshToken, sessionId };
+}
+/** Create a session for a user (used internally and by MFA verify). */
+export const createSessionForUser = async (userId, metadata) => {
+    const sessionId = crypto.randomUUID();
+    return createSessionWithRefreshToken(userId, sessionId, metadata);
+};
 export const register = async (identifier, password, metadata) => {
     const hashed = await Bun.password.hash(password);
     const adapter = getAuthAdapter();
@@ -12,11 +34,7 @@ export const register = async (identifier, password, metadata) => {
     if (role)
         await adapter.setRoles(user.id, [role]);
     const sessionId = crypto.randomUUID();
-    const token = await signToken(user.id, sessionId);
-    while (await getActiveSessionCount(user.id) >= getMaxSessions()) {
-        await evictOldestSession(user.id);
-    }
-    await createSession(user.id, token, sessionId, metadata);
+    const { token, refreshToken } = await createSessionWithRefreshToken(user.id, sessionId, metadata);
     const evConfig = getEmailVerificationConfig();
     if (evConfig && getPrimaryField() === "email") {
         try {
@@ -27,20 +45,21 @@ export const register = async (identifier, password, metadata) => {
             console.error("[email-verification] Failed to send verification email:", e);
         }
     }
-    return { token, userId: user.id, email: identifier };
+    return { token, userId: user.id, email: identifier, refreshToken };
 };
+// Pre-computed dummy hash so non-existent-user login takes the same time as wrong-password login
+const DUMMY_HASH = await Bun.password.hash("dummy-timing-safe-placeholder");
 export const login = async (identifier, password, metadata) => {
     const adapter = getAuthAdapter();
     const findFn = adapter.findByIdentifier ?? adapter.findByEmail.bind(adapter);
     const user = await findFn(identifier);
-    if (!user || !(await Bun.password.verify(password, user.passwordHash))) {
+    // Always verify against a hash to prevent timing-based user enumeration
+    const hashToVerify = user?.passwordHash ?? DUMMY_HASH;
+    const passwordValid = await Bun.password.verify(password, hashToVerify);
+    if (!user || !passwordValid) {
         throw new HttpError(401, "Invalid credentials");
     }
-    const sessionId = crypto.randomUUID();
-    const token = await signToken(user.id, sessionId);
-    while (await getActiveSessionCount(user.id) >= getMaxSessions()) {
-        await evictOldestSession(user.id);
-    }
+    // Check email verification before MFA to avoid leaking MFA status to unverified users
     const fullUser = adapter.getUser ? await adapter.getUser(user.id) : null;
     const googleLinked = fullUser?.providerIds?.some((id) => id.startsWith("google:")) ?? false;
     const evConfig = getEmailVerificationConfig();
@@ -49,11 +68,86 @@ export const login = async (identifier, password, metadata) => {
         if (evConfig.required && !verified) {
             throw new HttpError(403, "Email not verified");
         }
-        await createSession(user.id, token, sessionId, metadata);
-        return { token, userId: user.id, email: fullUser?.email, emailVerified: verified, googleLinked };
     }
-    await createSession(user.id, token, sessionId, metadata);
-    return { token, userId: user.id, email: fullUser?.email, googleLinked };
+    // Check MFA — if enabled, return challenge token instead of session
+    if (getMfaConfig() && adapter.isMfaEnabled && await adapter.isMfaEnabled(user.id)) {
+        const methods = adapter.getMfaMethods
+            ? await adapter.getMfaMethods(user.id)
+            : ["totp"];
+        // Auto-send email OTP if enabled
+        let emailOtpHash;
+        const emailOtpConfig = getMfaEmailOtpConfig();
+        if (methods.includes("emailOtp") && emailOtpConfig) {
+            const { code, hash } = generateEmailOtpCode();
+            emailOtpHash = hash;
+            const email = fullUser?.email;
+            if (email)
+                await emailOtpConfig.onSend(email, code);
+        }
+        // Generate WebAuthn authentication options if enabled
+        let webauthnChallenge;
+        let webauthnOptions;
+        const webauthnConfig = getMfaWebAuthnConfig();
+        if (methods.includes("webauthn") && webauthnConfig && adapter.getWebAuthnCredentials) {
+            const result = await generateWebAuthnAuthenticationOptions(user.id);
+            if (result) {
+                webauthnChallenge = result.challenge;
+                webauthnOptions = result.options;
+            }
+        }
+        const mfaToken = await createMfaChallenge(user.id, { emailOtpHash, webauthnChallenge });
+        return { token: "", userId: user.id, mfaRequired: true, mfaToken, mfaMethods: methods, webauthnOptions };
+    }
+    const sessionId = crypto.randomUUID();
+    const { token, refreshToken } = await createSessionWithRefreshToken(user.id, sessionId, metadata);
+    if (evConfig && getPrimaryField() === "email" && adapter.getEmailVerified) {
+        const verified = await adapter.getEmailVerified(user.id);
+        return { token, userId: user.id, email: fullUser?.email, emailVerified: verified, googleLinked, refreshToken };
+    }
+    return { token, userId: user.id, email: fullUser?.email, googleLinked, refreshToken };
+};
+export const refresh = async (refreshTokenValue) => {
+    const result = await getSessionByRefreshToken(refreshTokenValue);
+    if (!result) {
+        throw new HttpError(401, "Invalid or expired refresh token");
+    }
+    const { sessionId, userId, newRefreshToken } = result;
+    // If the returned newRefreshToken differs from what was sent, we're in a grace window replay.
+    // Return the current tokens without rotating again.
+    if (newRefreshToken !== refreshTokenValue) {
+        const accessToken = await signToken(userId, sessionId, getAccessTokenExpiry());
+        return { token: accessToken, refreshToken: newRefreshToken, userId };
+    }
+    // Normal rotation: generate new refresh + access tokens
+    const newRT = crypto.randomUUID();
+    const newAccessToken = await signToken(userId, sessionId, getAccessTokenExpiry());
+    await rotateRefreshToken(sessionId, newRT, newAccessToken);
+    return { token: newAccessToken, refreshToken: newRT, userId };
+};
+export const deleteAccount = async (userId, password) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.deleteUser) {
+        throw new HttpError(501, "Auth adapter does not support deleteUser");
+    }
+    // Verify password for credential accounts
+    if (password) {
+        const user = adapter.getUser ? await adapter.getUser(userId) : null;
+        const email = user?.email;
+        if (email) {
+            const findFn = adapter.findByIdentifier ?? adapter.findByEmail.bind(adapter);
+            const found = await findFn(email);
+            if (found && !(await Bun.password.verify(password, found.passwordHash))) {
+                throw new HttpError(401, "Invalid password");
+            }
+        }
+    }
+    else if (adapter.hasPassword && await adapter.hasPassword(userId)) {
+        throw new HttpError(400, "Password is required to delete a credential account");
+    }
+    // Revoke all sessions
+    await deleteUserSessions(userId);
+    // Delete the user
+    await adapter.deleteUser(userId);
 };
 export const logout = async (token) => {
     if (token) {

package/dist/services/mfa.d.ts

@@ -0,0 +1,84 @@
+export interface MfaSetupResult {
+    secret: string;
+    uri: string;
+}
+export declare const setupMfa: (userId: string) => Promise<MfaSetupResult>;
+export declare const verifySetup: (userId: string, code: string) => Promise<string[]>;
+export declare const verifyTotp: (userId: string, code: string) => Promise<boolean>;
+export declare const verifyRecoveryCode: (userId: string, code: string) => Promise<boolean>;
+export declare const disableMfa: (userId: string, code: string) => Promise<void>;
+export declare const regenerateRecoveryCodes: (userId: string, code: string) => Promise<string[]>;
+/** Generate a cryptographically random numeric OTP code. Returns { code, hash }. */
+export declare const generateEmailOtpCode: (length?: number) => {
+    code: string;
+    hash: string;
+};
+/** Verify an email OTP code against a stored hash. */
+export declare const verifyEmailOtp: (emailOtpHash: string, code: string) => boolean;
+/**
+ * Initiate email OTP setup: sends a verification code to the user's email.
+ * Returns a setup challenge token that must be confirmed via confirmEmailOtp.
+ */
+export declare const initiateEmailOtp: (userId: string) => Promise<string>;
+/**
+ * Confirm email OTP setup: verifies the code sent during initiateEmailOtp.
+ * Enables email OTP as an MFA method. Returns recovery codes if MFA was not previously active.
+ */
+export declare const confirmEmailOtp: (userId: string, setupToken: string, code: string) => Promise<string[] | null>;
+/**
+ * Disable email OTP for a user.
+ * If TOTP is also enabled, requires a TOTP code. Otherwise requires password.
+ */
+export declare const disableEmailOtp: (userId: string, params: {
+    code?: string;
+    password?: string;
+}) => Promise<void>;
+/** Get the MFA methods enabled for a user. */
+export declare const getMfaMethods: (userId: string) => Promise<string[]>;
+/**
+ * Eager startup check — call at route mount time to fail fast if the peer dependency is missing.
+ */
+export declare const assertWebAuthnDependency: () => Promise<void>;
+/**
+ * Generate WebAuthn authentication options for the login MFA flow.
+ * Called from auth.ts login when the user has "webauthn" in their methods.
+ */
+export declare const generateWebAuthnAuthenticationOptions: (userId: string) => Promise<{
+    challenge: string;
+    options: Record<string, unknown>;
+} | null>;
+/**
+ * Initiate WebAuthn registration: generates registration options for the client.
+ * Returns options + a registration challenge token.
+ */
+export declare const initiateWebAuthnRegistration: (userId: string) => Promise<{
+    options: Record<string, unknown>;
+    registrationToken: string;
+}>;
+/**
+ * Complete WebAuthn registration: verifies attestation and stores the credential.
+ * Returns recovery codes if this is the first MFA method.
+ */
+export declare const completeWebAuthnRegistration: (userId: string, registrationToken: string, attestationResponse: any, name?: string) => Promise<{
+    credentialId: string;
+    recoveryCodes: string[] | null;
+}>;
+/**
+ * Verify a WebAuthn authentication assertion during login MFA.
+ */
+export declare const verifyWebAuthn: (userId: string, assertionResponse: any, expectedChallenge: string) => Promise<boolean>;
+/**
+ * Remove a single WebAuthn credential.
+ * Only requires identity verification when removing the last credential of the last MFA method.
+ */
+export declare const removeWebAuthnCredential: (userId: string, credentialId: string, params: {
+    code?: string;
+    password?: string;
+}) => Promise<void>;
+/**
+ * Disable WebAuthn entirely: removes all credentials and the method.
+ */
+export declare const disableWebAuthn: (userId: string, params: {
+    code?: string;
+    password?: string;
+}) => Promise<void>;