@lastshotlabs/bunshot 0.0.13 → 0.0.18

package/dist/app.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
 import type { MiddlewareHandler } from "hono";
 import type { AppEnv } from "./lib/context";
-import type { PrimaryField, EmailVerificationConfig, PasswordResetConfig } from "./lib/appConfig";
+import type { PrimaryField, EmailVerificationConfig, PasswordResetConfig, PasswordPolicyConfig, RefreshTokenConfig, MfaConfig, MfaEmailOtpConfig, MfaWebAuthnConfig } from "./lib/appConfig";
 import type { AuthAdapter } from "./lib/authAdapter";
 import type { OAuthProviderConfig } from "./lib/oauth";
 type StoreType = "redis" | "mongo" | "sqlite" | "memory";
@@ -60,6 +60,9 @@ export interface OAuthConfig {
     providers?: OAuthProviderConfig;
     /** Where to redirect after a successful OAuth login. Defaults to "/" */
     postRedirect?: string;
+    /** Allowlist of redirect URLs. If set, the postRedirect URL is validated against this list.
+     *  Relative paths (e.g., "/") are always allowed. Only absolute URLs are validated. */
+    allowedRedirectUrls?: string[];
 }
 export interface AuthRateLimitConfig {
     /** Max login failures per window before the account is locked. Default: 10 per 15 min. */
@@ -92,6 +95,21 @@ export interface AuthRateLimitConfig {
         windowMs?: number;
         max?: number;
     };
+    /** Max account deletion attempts per user per window. Default: 3 per hour. */
+    deleteAccount?: {
+        windowMs?: number;
+        max?: number;
+    };
+    /** Max MFA verification attempts per IP per window. Default: 10 per 15 min. */
+    mfaVerify?: {
+        windowMs?: number;
+        max?: number;
+    };
+    /** Max MFA email OTP resend attempts per IP per window. Default: 5 per minute. */
+    mfaResend?: {
+        windowMs?: number;
+        max?: number;
+    };
     /**
      * Store backend for auth rate limit counters.
      * Defaults to "redis" when Redis is enabled, otherwise "memory".
@@ -132,10 +150,40 @@ export interface AuthConfig {
      * Mounts POST /auth/forgot-password and POST /auth/reset-password.
      */
     passwordReset?: PasswordResetConfig;
+    /** Password strength policy for registration and reset-password.
+     *  Login is intentionally lenient (min 1) so users under older policies can still sign in.
+     *  Defaults: minLength=8, requireLetter=true, requireDigit=true, requireSpecial=false. */
+    passwordPolicy?: PasswordPolicyConfig;
     /** Rate limit configuration for built-in auth endpoints. */
     rateLimit?: AuthRateLimitConfig;
     /** Session concurrency and metadata persistence policy. */
     sessionPolicy?: AuthSessionPolicyConfig;
+    /** Account deletion configuration. Enables DELETE /auth/me when the adapter supports deleteUser. */
+    accountDeletion?: AccountDeletionConfig;
+    /**
+     * Refresh token configuration. When set, login/register return short-lived access tokens
+     * (default 15 min) alongside long-lived refresh tokens (default 30 days). Mounts POST /auth/refresh.
+     * When not configured, the existing 7-day JWT behavior is unchanged.
+     */
+    refreshTokens?: RefreshTokenConfig;
+    /**
+     * MFA/TOTP configuration. When set, enables MFA setup/verify/disable routes under /auth/mfa/*.
+     * Login returns { mfaRequired: true, mfaToken } when MFA is enabled for the user.
+     * OAuth logins skip MFA (the OAuth provider is treated as the second factor).
+     */
+    mfa?: MfaConfig;
+}
+export interface AccountDeletionConfig {
+    /** Called before deletion. Throw to abort (e.g., active subscription check). */
+    onBeforeDelete?: (userId: string) => Promise<void>;
+    /** Called after auth data is deleted. Runs at execution time — query current state, not a snapshot. */
+    onAfterDelete?: (userId: string) => Promise<void>;
+    /** When true, deletion is queued as a BullMQ job instead of running synchronously. Requires Redis + BullMQ. */
+    queued?: boolean;
+    /** Grace period in seconds before queued deletion executes. Default: 0 (immediate). */
+    gracePeriod?: number;
+    /** Called when deletion is scheduled (queued + gracePeriod > 0). Use to send a confirmation/cancel email. */
+    onDeletionScheduled?: (userId: string, email: string, cancelToken: string) => Promise<void>;
 }
 export interface AuthSessionPolicyConfig {
     /** Max simultaneous active sessions per user. Oldest is evicted when exceeded. Default: 6. */
@@ -156,7 +204,7 @@ export interface AuthSessionPolicyConfig {
      */
     trackLastActive?: boolean;
 }
-export type { PrimaryField, EmailVerificationConfig, PasswordResetConfig };
+export type { PrimaryField, EmailVerificationConfig, PasswordResetConfig, RefreshTokenConfig, MfaConfig, MfaEmailOtpConfig, MfaWebAuthnConfig };
 export interface BotProtectionConfig {
     /**
      * List of IPv4 CIDRs (e.g. "198.51.100.0/24"), IPv4 addresses, or IPv6 addresses to block outright.
@@ -172,9 +220,23 @@ export interface BotProtectionConfig {
      */
     fingerprintRateLimit?: boolean;
 }
+export interface CsrfConfig {
+    /** Enable CSRF protection for cookie-authenticated state-changing requests. */
+    enabled: boolean;
+    /** Paths exempt from CSRF checks (in addition to built-in OAuth callback exemptions). Uses prefix matching when path ends with "*". */
+    exemptPaths?: string[];
+    /** Also validate Origin header against CORS origins. Default: true. */
+    checkOrigin?: boolean;
+}
 export interface SecurityConfig {
     /** CORS origins. Defaults to "*" */
     cors?: string | string[];
+    /** Additional security headers to set via Hono's secureHeaders middleware.
+     *  Pass a Content-Security-Policy, Permissions-Policy, etc. */
+    headers?: {
+        contentSecurityPolicy?: string;
+        permissionsPolicy?: string;
+    };
     /** Global rate limit. Defaults to 100 req / 60s */
     rateLimit?: {
         windowMs: number;
@@ -193,6 +255,18 @@ export interface SecurityConfig {
      * Runs before IP rate limiting so blocked IPs are rejected immediately.
      */
     botProtection?: BotProtectionConfig;
+    /**
+     * Trusted proxy configuration for IP extraction.
+     * - `false` (default): use socket-level IP only, ignore X-Forwarded-For entirely.
+     * - A number N: trust N proxy hops — take the Nth-from-right IP in the X-Forwarded-For chain.
+     */
+    trustProxy?: false | number;
+    /**
+     * CSRF protection for cookie-based auth. Opt-in.
+     * Uses signed double-submit cookie pattern with HMAC-SHA256.
+     * Only validates when the auth cookie is present on state-changing requests.
+     */
+    csrf?: CsrfConfig;
 }
 export interface ModelSchemasConfig {
     /**
@@ -217,6 +291,46 @@ export interface ModelSchemasConfig {
      */
     registration?: "auto" | "explicit";
 }
+export interface JobsConfig {
+    /** Enable the job status endpoint. Default: false. */
+    statusEndpoint?: boolean;
+    /**
+     * Auth protection for job endpoints.
+     * - `"userAuth"` — requires authenticated user session (cookie/token).
+     * - `"none"` — no auth (not recommended for production).
+     * - `MiddlewareHandler[]` — custom middleware stack (e.g., `[userAuth, requireRole("admin")]`).
+     *
+     * Default: `"none"`. You must explicitly configure auth.
+     */
+    auth?: "userAuth" | "none" | import("hono").MiddlewareHandler<AppEnv>[];
+    /** Required roles for accessing job endpoints. Only works when auth includes userAuth. */
+    roles?: string[];
+    /** Whitelist of queue names exposed. Default: [] (nothing exposed). */
+    allowedQueues?: string[];
+    /** When using userAuth, restrict job visibility to the user who created it. Default: false. */
+    scopeToUser?: boolean;
+}
+export interface TenantConfig {
+    [key: string]: unknown;
+}
+export interface TenancyConfig {
+    /** How tenant is identified. */
+    resolution: "header" | "subdomain" | "path";
+    /** Header name when resolution is "header". Default: "x-tenant-id". */
+    headerName?: string;
+    /** Path segment index when resolution is "path". Default: 0. */
+    pathSegment?: number;
+    /** Callback to validate/load tenant. Return null to reject. */
+    onResolve?: (tenantId: string) => Promise<TenantConfig | null>;
+    /** TTL in ms for caching onResolve results (LRU cache). Default: 60_000. Set 0 to disable. */
+    cacheTtlMs?: number;
+    /** Max entries in tenant resolution cache. Default: 500. */
+    cacheMaxSize?: number;
+    /** Paths that skip tenant resolution. Uses startsWith matching. Default: ["/health", "/docs", "/openapi.json"]. */
+    exemptPaths?: string[];
+    /** HTTP status when onResolve returns null. Default: 403. */
+    rejectionStatus?: 403 | 404;
+}
 export interface CreateAppConfig {
     /** Absolute path to the service's routes directory (use import.meta.dir + "/routes") */
     routesDir: string;
@@ -237,5 +351,9 @@ export interface CreateAppConfig {
     middleware?: MiddlewareHandler<AppEnv>[];
     /** Database connection and store routing configuration */
     db?: DbConfig;
+    /** Job status endpoint configuration. Requires BullMQ + Redis. */
+    jobs?: JobsConfig;
+    /** Multi-tenancy configuration. When set, tenant middleware resolves tenant on each request. */
+    tenancy?: TenancyConfig;
 }
 export declare const createApp: (config: CreateAppConfig) => Promise<OpenAPIHono<AppEnv>>;

package/dist/app.js

@@ -7,8 +7,8 @@ import { HttpError } from "./lib/HttpError";
 import { rateLimit } from "./middleware/rateLimit";
 import { bearerAuth } from "./middleware/bearerAuth";
 import { identify } from "./middleware/identify";
-import { HEADER_USER_TOKEN } from "./lib/constants";
-import { setAppName, setAppRoles, setDefaultRole, setPrimaryField, setEmailVerificationConfig, setPasswordResetConfig, setMaxSessions, setPersistSessionMetadata, setIncludeInactiveSessions, setTrackLastActive } from "./lib/appConfig";
+import { HEADER_USER_TOKEN, HEADER_REFRESH_TOKEN, HEADER_CSRF_TOKEN } from "./lib/constants";
+import { setAppName, setAppRoles, setDefaultRole, setPrimaryField, setEmailVerificationConfig, setPasswordResetConfig, setPasswordPolicy, setMaxSessions, setPersistSessionMetadata, setIncludeInactiveSessions, setTrackLastActive, setRefreshTokenConfig, setMfaConfig, setCsrfEnabled } from "./lib/appConfig";
 import { setEmailVerificationStore } from "./lib/emailVerification";
 import { setPasswordResetStore } from "./lib/resetPassword";
 import { setAuthRateLimitStore } from "./lib/authRateLimit";
@@ -16,6 +16,7 @@ import { setAuthAdapter } from "./lib/authAdapter";
 import { mongoAuthAdapter } from "./adapters/mongoAuth";
 import { memoryAuthAdapter } from "./adapters/memoryAuth";
 import { initOAuthProviders, getConfiguredOAuthProviders, setOAuthStateStore } from "./lib/oauth";
+import { setOAuthCodeStore } from "./lib/oauthCode";
 import { createOAuthRouter } from "./routes/oauth";
 import { connectMongo, connectAuthMongo, connectAppMongo } from "./lib/mongo";
 import { connectRedis } from "./lib/redis";
@@ -26,7 +27,13 @@ export const createApp = async (config) => {
     const { routesDir, app: appConfig = {}, auth: authConfig = {}, security: securityConfig = {}, middleware = [], db = {}, } = config;
     const appName = appConfig.name ?? "Bun Core API";
     const openApiVersion = appConfig.version ?? "1.0.0";
+    // Trust-proxy for IP extraction
+    const { setTrustProxy } = await import("./lib/clientIp");
+    setTrustProxy(securityConfig.trustProxy ?? false);
     const corsOrigins = securityConfig.cors ?? "*";
+    if (corsOrigins === "*" && process.env.NODE_ENV === "production") {
+        console.warn("[security] CORS is set to wildcard (*) in production. Configure security.cors with specific origins to restrict cross-origin access.");
+    }
     const rlConfig = securityConfig.rateLimit ?? { windowMs: 60_000, max: 100 };
     const botCfg = securityConfig.botProtection ?? {};
     const enableBearerAuth = securityConfig.bearerAuth !== false;
@@ -37,6 +44,29 @@ export const createApp = async (config) => {
     const explicitAuthAdapter = authConfig.adapter;
     const oauthProviders = authConfig.oauth?.providers;
     const postOAuthRedirect = authConfig.oauth?.postRedirect ?? "/";
+    const allowedRedirectUrls = authConfig.oauth?.allowedRedirectUrls;
+    // Validate postRedirect against allowlist at startup (not per-request)
+    if (allowedRedirectUrls && postOAuthRedirect !== "/") {
+        try {
+            const redirectUrl = new URL(postOAuthRedirect);
+            const allowed = allowedRedirectUrls.some((u) => {
+                try {
+                    return new URL(u).origin === redirectUrl.origin;
+                }
+                catch {
+                    return false;
+                }
+            });
+            if (!allowed) {
+                throw new Error(`createApp: oauth.postRedirect "${postOAuthRedirect}" is not in the allowedRedirectUrls list. Add its origin to oauth.allowedRedirectUrls.`);
+            }
+        }
+        catch (e) {
+            if (e instanceof Error && e.message.startsWith("createApp:"))
+                throw e;
+            // Relative path — always allowed
+        }
+    }
     const roles = authConfig.roles ?? [];
     const defaultRole = authConfig.defaultRole;
     const primaryField = authConfig.primaryField ?? "email";
@@ -63,6 +93,7 @@ export const createApp = async (config) => {
     }
     setSessionStore(sessions);
     setOAuthStateStore(oauthState);
+    setOAuthCodeStore(oauthState);
     setCacheStore(cache);
     if (mongo === "single")
         await connectMongo();
@@ -104,12 +135,15 @@ export const createApp = async (config) => {
     setEmailVerificationConfig(emailVerification ?? null);
     setEmailVerificationStore(sessions);
     setPasswordResetConfig(passwordReset ?? null);
+    setPasswordPolicy(authConfig.passwordPolicy ?? {});
     setPasswordResetStore(sessions);
     setAuthRateLimitStore(authRateLimit?.store ?? (enableRedis ? "redis" : "memory"));
     setMaxSessions(sessionPolicy.maxSessions ?? 6);
     setPersistSessionMetadata(sessionPolicy.persistSessionMetadata ?? true);
     setIncludeInactiveSessions(sessionPolicy.includeInactiveSessions ?? false);
     setTrackLastActive(sessionPolicy.trackLastActive ?? false);
+    setRefreshTokenConfig(authConfig.refreshTokens ?? null);
+    setMfaConfig(authConfig.mfa ?? null);
     if (oauthProviders)
         initOAuthProviders(oauthProviders);
     const configuredOAuth = getConfiguredOAuthProviders();
@@ -124,8 +158,26 @@ export const createApp = async (config) => {
     const bearerAuthBypass = [...DEFAULT_BYPASS, ...oauthBypass, ...extraBypass];
     const app = new OpenAPIHono();
     app.use(logger());
+    const headerOpts = {};
+    if (securityConfig.headers?.contentSecurityPolicy) {
+        headerOpts["Content-Security-Policy"] = securityConfig.headers.contentSecurityPolicy;
+    }
+    if (securityConfig.headers?.permissionsPolicy) {
+        headerOpts["Permissions-Policy"] = securityConfig.headers.permissionsPolicy;
+    }
     app.use(secureHeaders());
-    app.use(cors({ origin: corsOrigins, allowHeaders: ["Content-Type", "Authorization", HEADER_USER_TOKEN], exposeHeaders: ["x-cache"], credentials: true }));
+    if (Object.keys(headerOpts).length > 0) {
+        app.use(async (c, next) => {
+            await next();
+            for (const [k, v] of Object.entries(headerOpts)) {
+                c.res.headers.set(k, v);
+            }
+        });
+    }
+    const corsAllowHeaders = ["Content-Type", "Authorization", HEADER_USER_TOKEN, HEADER_REFRESH_TOKEN];
+    if (securityConfig.csrf?.enabled)
+        corsAllowHeaders.push(HEADER_CSRF_TOKEN);
+    app.use(cors({ origin: corsOrigins, allowHeaders: corsAllowHeaders, exposeHeaders: ["x-cache"], credentials: true }));
     if ((botCfg.blockList?.length ?? 0) > 0) {
         const { botProtection } = await import("./middleware/botProtection");
         app.use(botProtection({ blockList: botCfg.blockList }));
@@ -141,6 +193,36 @@ export const createApp = async (config) => {
         });
     }
     app.use(identify);
+    // CSRF protection (after identify so we can check for auth cookie presence)
+    if (securityConfig.csrf?.enabled) {
+        setCsrfEnabled(true);
+        const { csrfProtection } = await import("./middleware/csrf");
+        const csrfExemptPaths = [
+            ...oauthBypass.filter(p => p.includes("/callback")),
+            ...(securityConfig.csrf.exemptPaths ?? []),
+        ];
+        app.use(csrfProtection({
+            exemptPaths: csrfExemptPaths,
+            checkOrigin: securityConfig.csrf.checkOrigin ?? true,
+            allowedOrigins: corsOrigins,
+        }));
+    }
+    // Tenant resolution middleware (after identify, before user middleware + routes)
+    if (config.tenancy) {
+        if (!config.tenancy.onResolve) {
+            if (process.env.NODE_ENV === "production") {
+                throw new Error("[security] Tenancy is configured without an onResolve callback. " +
+                    "In production, onResolve is required to validate tenant IDs and prevent cross-tenant access. " +
+                    "Provide tenancy.onResolve or remove the tenancy config.");
+            }
+            else {
+                console.warn("[security] Tenancy is configured without an onResolve callback — " +
+                    "tenant IDs will be trusted without validation. This is unsafe in production.");
+            }
+        }
+        const { createTenantMiddleware } = await import("./middleware/tenant");
+        app.use(createTenantMiddleware(config.tenancy));
+    }
     for (const mw of middleware)
         app.use(mw);
     setAppName(appName);
@@ -188,17 +270,35 @@ export const createApp = async (config) => {
             continue; // mounted separately below via createAuthRouter
         if (file === "oauth.ts")
             continue; // mounted separately below
+        if (file === "mfa.ts")
+            continue; // mounted separately below when mfa is configured
+        if (file === "jobs.ts")
+            continue; // mounted separately below when jobs.statusEndpoint is true
         const mod = await import(`${coreRoutesDir}/${file}`);
         if (mod.router)
             app.route("/", mod.router);
     }
     if (enableAuthRoutes) {
         const { createAuthRouter } = await import(`${coreRoutesDir}/auth`);
-        app.route("/", createAuthRouter({ primaryField, emailVerification, passwordReset, rateLimit: authRateLimit }));
+        app.route("/", createAuthRouter({ primaryField, emailVerification, passwordReset, rateLimit: authRateLimit, accountDeletion: authConfig.accountDeletion, refreshTokens: authConfig.refreshTokens }));
     }
     if (configuredOAuth.length > 0) {
         app.route("/", createOAuthRouter(configuredOAuth, postOAuthRedirect));
     }
+    if (authConfig.mfa && enableAuthRoutes) {
+        const { setMfaChallengeStore, setMfaChallengeSqliteDb } = await import("./lib/mfaChallenge");
+        setMfaChallengeStore(sessions);
+        if (sessions === "sqlite") {
+            const { getDb } = await import("./adapters/sqliteAuth");
+            setMfaChallengeSqliteDb(getDb());
+        }
+        const { createMfaRouter } = await import(`${coreRoutesDir}/mfa`);
+        app.route("/", createMfaRouter({ rateLimit: authRateLimit }));
+    }
+    if (config.jobs?.statusEndpoint) {
+        const { createJobsRouter } = await import(`${coreRoutesDir}/jobs`);
+        app.route("/", createJobsRouter(config.jobs));
+    }
     // Service routes — collect all, sort by optional exported `priority`, then mount
     const serviceGlob = new Bun.Glob("**/*.ts");
     const serviceFiles = [];

package/dist/entrypoints/queue.d.ts

@@ -1,2 +1,2 @@
-export { createQueue, createWorker } from "../lib/queue";
-export type { Job } from "../lib/queue";
+export { createQueue, createWorker, createCronWorker, cleanupStaleSchedulers, getRegisteredCronNames, createDLQHandler } from "../lib/queue";
+export type { Job, CronSchedule, DLQOptions } from "../lib/queue";

package/dist/entrypoints/queue.js

@@ -1 +1 @@
-export { createQueue, createWorker } from "../lib/queue";
+export { createQueue, createWorker, createCronWorker, cleanupStaleSchedulers, getRegisteredCronNames, createDLQHandler } from "../lib/queue";

package/dist/index.d.ts

@@ -1,22 +1,33 @@
 export { createApp } from "./app";
 export { createServer } from "./server";
-export type { CreateAppConfig, ModelSchemasConfig, DbConfig, AppMeta, AuthConfig, AuthRateLimitConfig, OAuthConfig, SecurityConfig, BotProtectionConfig, PrimaryField, EmailVerificationConfig, PasswordResetConfig } from "./app";
+export type { CreateAppConfig, ModelSchemasConfig, DbConfig, AppMeta, AuthConfig, AuthRateLimitConfig, AccountDeletionConfig, OAuthConfig, SecurityConfig, CsrfConfig, BotProtectionConfig, PrimaryField, EmailVerificationConfig, PasswordResetConfig, RefreshTokenConfig, MfaConfig, MfaEmailOtpConfig, MfaWebAuthnConfig, JobsConfig, TenancyConfig, TenantConfig } from "./app";
+export type { PasswordPolicyConfig } from "./lib/appConfig";
 export type { CreateServerConfig, WsConfig } from "./server";
 export { appConnection, authConnection, mongoose, connectMongo, connectAuthMongo, connectAppMongo, disconnectMongo } from "./lib/mongo";
 export { connectRedis, disconnectRedis, getRedis } from "./lib/redis";
 export { getAppRoles } from "./lib/appConfig";
 export { HttpError } from "./lib/HttpError";
-export { COOKIE_TOKEN, HEADER_USER_TOKEN } from "./lib/constants";
+export { COOKIE_TOKEN, HEADER_USER_TOKEN, COOKIE_REFRESH_TOKEN, HEADER_REFRESH_TOKEN, COOKIE_CSRF_TOKEN, HEADER_CSRF_TOKEN } from "./lib/constants";
 export { createRouter } from "./lib/context";
 export { createRoute, withSecurity, registerSchema, registerSchemas } from "./lib/createRoute";
+export { zodToMongoose } from "./lib/zodToMongoose";
+export type { ZodToMongooseConfig, ZodToMongooseRefConfig } from "./lib/zodToMongoose";
+export { createDtoMapper } from "./lib/createDtoMapper";
+export type { DtoMapperConfig } from "./lib/createDtoMapper";
 export type { AppEnv, AppVariables } from "./lib/context";
 export { signToken, verifyToken } from "./lib/jwt";
 export { log } from "./lib/logger";
 export { createResetToken, consumeResetToken, setPasswordResetStore } from "./lib/resetPassword";
-export { createSession, getSession, deleteSession, getUserSessions, getActiveSessionCount, evictOldestSession, updateSessionLastActive, setSessionStore } from "./lib/session";
-export type { SessionMetadata, SessionInfo } from "./lib/session";
+export { timingSafeEqual, sha256 } from "./lib/crypto";
+export { getClientIp, setTrustProxy } from "./lib/clientIp";
+export { storeOAuthCode, consumeOAuthCode, setOAuthCodeStore } from "./lib/oauthCode";
+export type { OAuthCodePayload } from "./lib/oauthCode";
+export { createSession, getSession, deleteSession, getUserSessions, getActiveSessionCount, evictOldestSession, updateSessionLastActive, setSessionStore, deleteUserSessions, setRefreshToken, getSessionByRefreshToken, rotateRefreshToken } from "./lib/session";
+export type { SessionMetadata, SessionInfo, RefreshResult } from "./lib/session";
 export { createVerificationToken, getVerificationToken, deleteVerificationToken } from "./lib/emailVerification";
-export { bustAuthLimit, trackAttempt, isLimited } from "./lib/authRateLimit";
+export { createMfaChallenge, consumeMfaChallenge, replaceMfaChallengeOtp, setMfaChallengeStore, createWebAuthnRegistrationChallenge, consumeWebAuthnRegistrationChallenge, clearMemoryMfaChallenges } from "./lib/mfaChallenge";
+export type { MfaChallengeData, MfaChallengeOptions, MfaChallengePurpose } from "./lib/mfaChallenge";
+export { bustAuthLimit, trackAttempt, isLimited, clearMemoryRateLimitStore } from "./lib/authRateLimit";
 export type { LimitOpts } from "./lib/authRateLimit";
 export { validate } from "./lib/validate";
 export { bearerAuth } from "./middleware/bearerAuth";
@@ -28,13 +39,18 @@ export type { RateLimitOptions } from "./middleware/rateLimit";
 export { userAuth } from "./middleware/userAuth";
 export { requireRole } from "./middleware/requireRole";
 export { requireVerifiedEmail } from "./middleware/requireVerifiedEmail";
-export { cacheResponse, bustCache, bustCachePattern, setCacheStore } from "./middleware/cacheResponse";
+export { csrfProtection, refreshCsrfToken, clearCsrfToken } from "./middleware/csrf";
+export type { CsrfMiddlewareOptions } from "./middleware/csrf";
+export { cacheResponse, bustCache, bustCachePattern, setCacheStore, getCacheModel } from "./middleware/cacheResponse";
 export { buildFingerprint } from "./lib/fingerprint";
 export { sqliteAuthAdapter, setSqliteDb, startSqliteCleanup } from "./adapters/sqliteAuth";
 export { memoryAuthAdapter, clearMemoryStore } from "./adapters/memoryAuth";
-export { setUserRoles, addUserRole, removeUserRole } from "./lib/roles";
-export type { AuthAdapter, OAuthProfile } from "./lib/authAdapter";
+export { setUserRoles, addUserRole, removeUserRole, getTenantRoles, setTenantRoles, addTenantRole, removeTenantRole } from "./lib/roles";
+export type { AuthAdapter, OAuthProfile, WebAuthnCredential } from "./lib/authAdapter";
 export type { OAuthProviderConfig } from "./lib/oauth";
 export { websocket, createWsUpgradeHandler } from "./ws/index";
 export type { SocketData } from "./ws/index";
 export { publish, subscribe, unsubscribe, getSubscriptions, handleRoomActions, getRooms, getRoomSubscribers } from "./lib/ws";
+export { createTenant, deleteTenant, getTenant, listTenants } from "./lib/tenant";
+export type { TenantInfo, CreateTenantOptions } from "./lib/tenant";
+export { invalidateTenantCache } from "./middleware/tenant";

package/dist/index.js

@@ -7,15 +7,21 @@ export { connectRedis, disconnectRedis, getRedis } from "./lib/redis";
 // Lib utilities
 export { getAppRoles } from "./lib/appConfig";
 export { HttpError } from "./lib/HttpError";
-export { COOKIE_TOKEN, HEADER_USER_TOKEN } from "./lib/constants";
+export { COOKIE_TOKEN, HEADER_USER_TOKEN, COOKIE_REFRESH_TOKEN, HEADER_REFRESH_TOKEN, COOKIE_CSRF_TOKEN, HEADER_CSRF_TOKEN } from "./lib/constants";
 export { createRouter } from "./lib/context";
 export { createRoute, withSecurity, registerSchema, registerSchemas } from "./lib/createRoute";
+export { zodToMongoose } from "./lib/zodToMongoose";
+export { createDtoMapper } from "./lib/createDtoMapper";
 export { signToken, verifyToken } from "./lib/jwt";
 export { log } from "./lib/logger";
 export { createResetToken, consumeResetToken, setPasswordResetStore } from "./lib/resetPassword";
-export { createSession, getSession, deleteSession, getUserSessions, getActiveSessionCount, evictOldestSession, updateSessionLastActive, setSessionStore } from "./lib/session";
+export { timingSafeEqual, sha256 } from "./lib/crypto";
+export { getClientIp, setTrustProxy } from "./lib/clientIp";
+export { storeOAuthCode, consumeOAuthCode, setOAuthCodeStore } from "./lib/oauthCode";
+export { createSession, getSession, deleteSession, getUserSessions, getActiveSessionCount, evictOldestSession, updateSessionLastActive, setSessionStore, deleteUserSessions, setRefreshToken, getSessionByRefreshToken, rotateRefreshToken } from "./lib/session";
 export { createVerificationToken, getVerificationToken, deleteVerificationToken } from "./lib/emailVerification";
-export { bustAuthLimit, trackAttempt, isLimited } from "./lib/authRateLimit";
+export { createMfaChallenge, consumeMfaChallenge, replaceMfaChallengeOtp, setMfaChallengeStore, createWebAuthnRegistrationChallenge, consumeWebAuthnRegistrationChallenge, clearMemoryMfaChallenges } from "./lib/mfaChallenge";
+export { bustAuthLimit, trackAttempt, isLimited, clearMemoryRateLimitStore } from "./lib/authRateLimit";
 export { validate } from "./lib/validate";
 // Middleware
 export { bearerAuth } from "./middleware/bearerAuth";
@@ -25,13 +31,17 @@ export { rateLimit } from "./middleware/rateLimit";
 export { userAuth } from "./middleware/userAuth";
 export { requireRole } from "./middleware/requireRole";
 export { requireVerifiedEmail } from "./middleware/requireVerifiedEmail";
-export { cacheResponse, bustCache, bustCachePattern, setCacheStore } from "./middleware/cacheResponse";
+export { csrfProtection, refreshCsrfToken, clearCsrfToken } from "./middleware/csrf";
+export { cacheResponse, bustCache, bustCachePattern, setCacheStore, getCacheModel } from "./middleware/cacheResponse";
 // Lib utilities (bot protection)
 export { buildFingerprint } from "./lib/fingerprint";
 // Models
 export { sqliteAuthAdapter, setSqliteDb, startSqliteCleanup } from "./adapters/sqliteAuth";
 export { memoryAuthAdapter, clearMemoryStore } from "./adapters/memoryAuth";
-export { setUserRoles, addUserRole, removeUserRole } from "./lib/roles";
+export { setUserRoles, addUserRole, removeUserRole, getTenantRoles, setTenantRoles, addTenantRole, removeTenantRole } from "./lib/roles";
 // WebSocket
 export { websocket, createWsUpgradeHandler } from "./ws/index";
 export { publish, subscribe, unsubscribe, getSubscriptions, handleRoomActions, getRooms, getRoomSubscribers } from "./lib/ws";
+// Tenancy
+export { createTenant, deleteTenant, getTenant, listTenants } from "./lib/tenant";
+export { invalidateTenantCache } from "./middleware/tenant";

package/dist/lib/appConfig.d.ts

@@ -13,6 +13,16 @@ export interface PasswordResetConfig {
     /** Called with the user's email and the reset token. Use to send the reset email. */
     onSend: (email: string, token: string) => Promise<void>;
 }
+export interface PasswordPolicyConfig {
+    /** Minimum password length. Defaults to 8. */
+    minLength?: number;
+    /** Require at least one letter (a–z or A–Z). Defaults to true. */
+    requireLetter?: boolean;
+    /** Require at least one digit (0–9). Defaults to true. */
+    requireDigit?: boolean;
+    /** Require at least one special character. Defaults to false. */
+    requireSpecial?: boolean;
+}
 export declare const setAppName: (name: string) => void;
 export declare const getAppName: () => string;
 export declare const setAppRoles: (roles: string[]) => void;
@@ -26,6 +36,8 @@ export declare const getEmailVerificationConfig: () => EmailVerificationConfig |
 export declare const getTokenExpiry: () => number;
 export declare const setPasswordResetConfig: (config: PasswordResetConfig | null) => void;
 export declare const getPasswordResetConfig: () => PasswordResetConfig | null;
+export declare const setPasswordPolicy: (config: PasswordPolicyConfig) => void;
+export declare const getPasswordPolicy: () => PasswordPolicyConfig;
 export declare const getResetTokenExpiry: () => number;
 export declare const setMaxSessions: (n: number) => void;
 export declare const getMaxSessions: () => number;
@@ -35,3 +47,72 @@ export declare const setIncludeInactiveSessions: (v: boolean) => void;
 export declare const getIncludeInactiveSessions: () => boolean;
 export declare const setTrackLastActive: (v: boolean) => void;
 export declare const getTrackLastActive: () => boolean;
+export interface RefreshTokenConfig {
+    /** Access token expiry in seconds. Default: 900 (15 min). */
+    accessTokenExpiry?: number;
+    /** Refresh token expiry in seconds. Default: 2_592_000 (30 days). */
+    refreshTokenExpiry?: number;
+    /** Grace window in seconds where the old refresh token still works after rotation.
+     *  Prevents lockout when the client's network drops mid-refresh. Default: 30. */
+    rotationGraceSeconds?: number;
+}
+export declare const setRefreshTokenConfig: (config: RefreshTokenConfig | null) => void;
+export declare const getRefreshTokenConfig: () => RefreshTokenConfig | null;
+export declare const getAccessTokenExpiry: () => number;
+export declare const getRefreshTokenExpiry: () => number;
+export declare const getRotationGraceSeconds: () => number;
+export interface MfaEmailOtpConfig {
+    /** Called with the user's email and the OTP code. Use to send the email. */
+    onSend: (email: string, code: string) => Promise<void>;
+    /** OTP code length. Default: 6. */
+    codeLength?: number;
+}
+export interface MfaWebAuthnConfig {
+    /** Relying Party ID — typically the domain (e.g. "example.com"). Required. */
+    rpId: string;
+    /** Relying Party name shown in browser prompts. Defaults to app name. */
+    rpName?: string;
+    /** Expected origin(s) — full origin URL(s) like "https://example.com". Required. */
+    origin: string | string[];
+    /** Supported attestation conveyance preference. Default: "none". */
+    attestationType?: "none" | "direct" | "enterprise";
+    /** Authenticator attachment preference. Default: undefined (allows both platform + cross-platform). */
+    authenticatorAttachment?: "platform" | "cross-platform";
+    /** User verification requirement. Default: "preferred". */
+    userVerification?: "required" | "preferred" | "discouraged";
+    /** Timeout for ceremonies in milliseconds. Default: 60000 (60s). */
+    timeout?: number;
+    /** Reject authentication when sign count goes backward (cloned key detection). Default: false (accept + warn). */
+    strictSignCount?: boolean;
+}
+export interface MfaConfig {
+    /** Issuer name shown in authenticator apps. Defaults to app name. */
+    issuer?: string;
+    /** TOTP algorithm. Default: "SHA1" (most compatible). */
+    algorithm?: "SHA1" | "SHA256" | "SHA512";
+    /** TOTP digits. Default: 6. */
+    digits?: number;
+    /** TOTP period in seconds. Default: 30. */
+    period?: number;
+    /** Number of recovery codes to generate. Default: 10. */
+    recoveryCodes?: number;
+    /** MFA challenge window in seconds. Default: 300 (5 min). */
+    challengeTtlSeconds?: number;
+    /** Email OTP configuration. When set, enables email-based MFA as an option. */
+    emailOtp?: MfaEmailOtpConfig;
+    /** WebAuthn/FIDO2 configuration. When set, enables security key MFA routes. */
+    webauthn?: MfaWebAuthnConfig;
+}
+export declare const setMfaConfig: (config: MfaConfig | null) => void;
+export declare const getMfaConfig: () => MfaConfig | null;
+export declare const getMfaIssuer: () => string;
+export declare const getMfaAlgorithm: () => string;
+export declare const getMfaDigits: () => number;
+export declare const getMfaPeriod: () => number;
+export declare const getMfaRecoveryCodeCount: () => number;
+export declare const getMfaChallengeTtl: () => number;
+export declare const getMfaEmailOtpConfig: () => MfaEmailOtpConfig | null;
+export declare const getMfaEmailOtpCodeLength: () => number;
+export declare const getMfaWebAuthnConfig: () => MfaWebAuthnConfig | null;
+export declare const setCsrfEnabled: (v: boolean) => void;
+export declare const getCsrfEnabled: () => boolean;

package/dist/lib/appConfig.js

@@ -4,6 +4,7 @@ let defaultRole = null;
 let _primaryField = "email";
 let _emailVerificationConfig = null;
 let _passwordResetConfig = null;
+let _passwordPolicy = {};
 export const setAppName = (name) => { appName = name; };
 export const getAppName = () => appName;
 export const setAppRoles = (roles) => { appRoles = roles; };
@@ -18,6 +19,8 @@ const DEFAULT_TOKEN_EXPIRY = 60 * 60 * 24; // 24 hours
 export const getTokenExpiry = () => _emailVerificationConfig?.tokenExpiry ?? DEFAULT_TOKEN_EXPIRY;
 export const setPasswordResetConfig = (config) => { _passwordResetConfig = config; };
 export const getPasswordResetConfig = () => _passwordResetConfig;
+export const setPasswordPolicy = (config) => { _passwordPolicy = config; };
+export const getPasswordPolicy = () => _passwordPolicy;
 const DEFAULT_RESET_TOKEN_EXPIRY = 60 * 60; // 1 hour
 export const getResetTokenExpiry = () => _passwordResetConfig?.tokenExpiry ?? DEFAULT_RESET_TOKEN_EXPIRY;
 // ---------------------------------------------------------------------------
@@ -35,3 +38,30 @@ export const setIncludeInactiveSessions = (v) => { _includeInactiveSessions = v;
 export const getIncludeInactiveSessions = () => _includeInactiveSessions;
 export const setTrackLastActive = (v) => { _trackLastActive = v; };
 export const getTrackLastActive = () => _trackLastActive;
+let _refreshTokenConfig = null;
+export const setRefreshTokenConfig = (config) => { _refreshTokenConfig = config; };
+export const getRefreshTokenConfig = () => _refreshTokenConfig;
+const DEFAULT_ACCESS_TOKEN_EXPIRY = 900; // 15 min
+const DEFAULT_REFRESH_TOKEN_EXPIRY = 2_592_000; // 30 days
+const DEFAULT_ROTATION_GRACE_SECONDS = 30;
+export const getAccessTokenExpiry = () => _refreshTokenConfig?.accessTokenExpiry ?? DEFAULT_ACCESS_TOKEN_EXPIRY;
+export const getRefreshTokenExpiry = () => _refreshTokenConfig?.refreshTokenExpiry ?? DEFAULT_REFRESH_TOKEN_EXPIRY;
+export const getRotationGraceSeconds = () => _refreshTokenConfig?.rotationGraceSeconds ?? DEFAULT_ROTATION_GRACE_SECONDS;
+let _mfaConfig = null;
+export const setMfaConfig = (config) => { _mfaConfig = config; };
+export const getMfaConfig = () => _mfaConfig;
+export const getMfaIssuer = () => _mfaConfig?.issuer ?? getAppName();
+export const getMfaAlgorithm = () => _mfaConfig?.algorithm ?? "SHA1";
+export const getMfaDigits = () => _mfaConfig?.digits ?? 6;
+export const getMfaPeriod = () => _mfaConfig?.period ?? 30;
+export const getMfaRecoveryCodeCount = () => _mfaConfig?.recoveryCodes ?? 10;
+export const getMfaChallengeTtl = () => _mfaConfig?.challengeTtlSeconds ?? 300;
+export const getMfaEmailOtpConfig = () => _mfaConfig?.emailOtp ?? null;
+export const getMfaEmailOtpCodeLength = () => _mfaConfig?.emailOtp?.codeLength ?? 6;
+export const getMfaWebAuthnConfig = () => _mfaConfig?.webauthn ?? null;
+// ---------------------------------------------------------------------------
+// CSRF config
+// ---------------------------------------------------------------------------
+let _csrfEnabled = false;
+export const setCsrfEnabled = (v) => { _csrfEnabled = v; };
+export const getCsrfEnabled = () => _csrfEnabled;