@lastshotlabs/bunshot 0.0.13 → 0.0.18

package/dist/lib/roles.js

@@ -20,3 +20,30 @@ export const removeUserRole = async (userId, role) => {
         requireMethod("removeRole");
     await adapter.removeRole(userId, role);
 };
+// ---------------------------------------------------------------------------
+// Tenant-scoped role helpers
+// ---------------------------------------------------------------------------
+export const getTenantRoles = async (userId, tenantId) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.getTenantRoles)
+        requireMethod("getTenantRoles");
+    return adapter.getTenantRoles(userId, tenantId);
+};
+export const setTenantRoles = async (userId, tenantId, roles) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.setTenantRoles)
+        requireMethod("setTenantRoles");
+    await adapter.setTenantRoles(userId, tenantId, roles);
+};
+export const addTenantRole = async (userId, tenantId, role) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.addTenantRole)
+        requireMethod("addTenantRole");
+    await adapter.addTenantRole(userId, tenantId, role);
+};
+export const removeTenantRole = async (userId, tenantId, role) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.removeTenantRole)
+        requireMethod("removeTenantRole");
+    await adapter.removeTenantRole(userId, tenantId, role);
+};

package/dist/lib/session.d.ts

@@ -11,6 +11,11 @@ export interface SessionInfo {
     userAgent?: string;
     isActive: boolean;
 }
+export interface RefreshResult {
+    sessionId: string;
+    userId: string;
+    newRefreshToken: string;
+}
 type SessionStore = "redis" | "mongo" | "sqlite" | "memory";
 export declare const setSessionStore: (store: SessionStore) => void;
 export declare const createSession: (userId: string, token: string, sessionId: string, metadata?: SessionMetadata) => Promise<void>;
@@ -19,5 +24,12 @@ export declare const deleteSession: (sessionId: string) => Promise<void>;
 export declare const getUserSessions: (userId: string) => Promise<SessionInfo[]>;
 export declare const getActiveSessionCount: (userId: string) => Promise<number>;
 export declare const evictOldestSession: (userId: string) => Promise<void>;
+export declare const deleteUserSessions: (userId: string) => Promise<void>;
 export declare const updateSessionLastActive: (sessionId: string) => Promise<void>;
+/** Store a refresh token on an existing session (called after session creation). */
+export declare const setRefreshToken: (sessionId: string, refreshToken: string) => Promise<void>;
+/** Look up a session by refresh token. Handles grace window and theft detection. */
+export declare const getSessionByRefreshToken: (refreshToken: string) => Promise<RefreshResult | null>;
+/** Rotate the refresh token: move current to prev with grace window, set new token + access token. */
+export declare const rotateRefreshToken: (sessionId: string, newRefreshToken: string, newAccessToken: string) => Promise<void>;
 export {};

package/dist/lib/session.js

@@ -1,8 +1,8 @@
 import { getRedis } from "./redis";
 import { appConnection, mongoose } from "./mongo";
-import { getAppName, getPersistSessionMetadata, getIncludeInactiveSessions } from "./appConfig";
-import { sqliteCreateSession, sqliteGetSession, sqliteDeleteSession, sqliteGetUserSessions, sqliteGetActiveSessionCount, sqliteEvictOldestSession, sqliteUpdateSessionLastActive, } from "../adapters/sqliteAuth";
-import { memoryCreateSession, memoryGetSession, memoryDeleteSession, memoryGetUserSessions, memoryGetActiveSessionCount, memoryEvictOldestSession, memoryUpdateSessionLastActive, } from "../adapters/memoryAuth";
+import { getAppName, getPersistSessionMetadata, getIncludeInactiveSessions, getRotationGraceSeconds, getRefreshTokenExpiry } from "./appConfig";
+import { sqliteCreateSession, sqliteGetSession, sqliteDeleteSession, sqliteGetUserSessions, sqliteGetActiveSessionCount, sqliteEvictOldestSession, sqliteUpdateSessionLastActive, sqliteSetRefreshToken, sqliteGetSessionByRefreshToken, sqliteRotateRefreshToken, } from "../adapters/sqliteAuth";
+import { memoryCreateSession, memoryGetSession, memoryDeleteSession, memoryGetUserSessions, memoryGetActiveSessionCount, memoryEvictOldestSession, memoryUpdateSessionLastActive, memorySetRefreshToken, memoryGetSessionByRefreshToken, memoryRotateRefreshToken, } from "../adapters/memoryAuth";
 function getSessionModel() {
     if (appConnection.models["Session"])
         return appConnection.models["Session"];
@@ -16,7 +16,11 @@ function getSessionModel() {
         expiresAt: { type: Date, required: true },
         ipAddress: { type: String },
         userAgent: { type: String },
+        refreshToken: { type: String, default: null },
+        prevRefreshToken: { type: String, default: null },
+        prevTokenExpiresAt: { type: Date, default: null },
     }, { collection: "sessions", timestamps: false });
+    sessionSchema.index({ refreshToken: 1 }, { unique: true, partialFilterExpression: { refreshToken: { $type: "string" } } });
     // Add TTL index only when metadata is not persisted — docs auto-delete at expiresAt.
     // When persisting, token is nulled (soft-delete) but the row is kept indefinitely.
     if (!getPersistSessionMetadata()) {
@@ -40,6 +44,9 @@ function redisSessionKey(sessionId) {
 function redisUserSessionsKey(userId) {
     return `usersessions:${getAppName()}:${userId}`;
 }
+function redisRefreshTokenKey(refreshToken) {
+    return `refreshtoken:${getAppName()}:${refreshToken}`;
+}
 async function redisCreateSession(userId, token, sessionId, metadata) {
     const now = Date.now();
     const expiresAt = now + TTL_MS;
@@ -78,8 +85,13 @@ async function redisDeleteSession(sessionId) {
         return;
     const rec = JSON.parse(raw);
     const persist = getPersistSessionMetadata();
+    // Clean up refresh token reverse-lookup keys
+    if (rec.refreshToken)
+        await redis.del(redisRefreshTokenKey(rec.refreshToken));
+    if (rec.prevRefreshToken)
+        await redis.del(redisRefreshTokenKey(rec.prevRefreshToken));
     if (persist) {
-        const updated = { ...JSON.parse(raw), token: null };
+        const updated = { ...rec, token: null, refreshToken: null, prevRefreshToken: null, prevTokenExpiresAt: null };
         await redis.set(redisSessionKey(sessionId), JSON.stringify(updated));
     }
     else {
@@ -169,6 +181,66 @@ async function redisUpdateSessionLastActive(sessionId) {
         await redis.set(redisSessionKey(sessionId), JSON.stringify(rec), "EX", ttlRemaining);
     }
 }
+async function redisSetRefreshToken(sessionId, refreshToken) {
+    const redis = getRedis();
+    const raw = await redis.get(redisSessionKey(sessionId));
+    if (!raw)
+        return;
+    const rec = JSON.parse(raw);
+    rec.refreshToken = refreshToken;
+    const refreshExpiry = getRefreshTokenExpiry();
+    await redis.set(redisSessionKey(sessionId), JSON.stringify(rec));
+    await redis.set(redisRefreshTokenKey(refreshToken), sessionId, "EX", refreshExpiry);
+}
+async function redisGetSessionByRefreshToken(refreshToken) {
+    const redis = getRedis();
+    const sessionId = await redis.get(redisRefreshTokenKey(refreshToken));
+    if (!sessionId)
+        return null;
+    const raw = await redis.get(redisSessionKey(sessionId));
+    if (!raw)
+        return null;
+    const rec = JSON.parse(raw);
+    // Current refresh token matches
+    if (rec.refreshToken === refreshToken) {
+        return { sessionId: rec.sessionId, userId: rec.userId, newRefreshToken: refreshToken };
+    }
+    // Check grace window: old token used within grace period
+    if (rec.prevRefreshToken === refreshToken && rec.prevTokenExpiresAt && rec.prevTokenExpiresAt > Date.now()) {
+        // Return current refresh token — client missed the rotation response
+        return { sessionId: rec.sessionId, userId: rec.userId, newRefreshToken: rec.refreshToken };
+    }
+    // Old token used after grace window — token family theft detected, invalidate session
+    if (rec.prevRefreshToken === refreshToken) {
+        await redisDeleteSession(sessionId);
+        return null;
+    }
+    return null;
+}
+async function redisRotateRefreshToken(sessionId, newRefreshToken, newAccessToken) {
+    const redis = getRedis();
+    const raw = await redis.get(redisSessionKey(sessionId));
+    if (!raw)
+        return;
+    const rec = JSON.parse(raw);
+    const graceSeconds = getRotationGraceSeconds();
+    const refreshExpiry = getRefreshTokenExpiry();
+    // Move current to prev with grace window
+    const oldRefreshToken = rec.refreshToken;
+    rec.prevRefreshToken = oldRefreshToken;
+    rec.prevTokenExpiresAt = Date.now() + graceSeconds * 1000;
+    rec.refreshToken = newRefreshToken;
+    rec.token = newAccessToken;
+    await redis.set(redisSessionKey(sessionId), JSON.stringify(rec));
+    // Set new reverse-lookup with full refresh expiry
+    await redis.set(redisRefreshTokenKey(newRefreshToken), sessionId, "EX", refreshExpiry);
+    // Update old reverse-lookup to expire after grace window.
+    // Use a minimum TTL of 60s so that theft detection still works when grace is 0.
+    if (oldRefreshToken) {
+        const oldKeyTtl = Math.max(graceSeconds, 60);
+        await redis.expire(redisRefreshTokenKey(oldRefreshToken), oldKeyTtl);
+    }
+}
 // ---------------------------------------------------------------------------
 // Mongo helpers
 // ---------------------------------------------------------------------------
@@ -201,6 +273,45 @@ async function mongoGetUserSessions(userId) {
     }
     return results;
 }
+async function mongoSetRefreshToken(sessionId, refreshToken) {
+    await getSessionModel().updateOne({ sessionId }, { $set: { refreshToken } });
+}
+async function mongoGetSessionByRefreshToken(refreshToken) {
+    const Session = getSessionModel();
+    // Check current refresh token
+    let doc = await Session.findOne({ refreshToken }).lean();
+    if (doc) {
+        return { sessionId: doc.sessionId, userId: doc.userId, newRefreshToken: refreshToken };
+    }
+    // Check previous refresh token (grace window)
+    doc = await Session.findOne({ prevRefreshToken: refreshToken }).lean();
+    if (!doc)
+        return null;
+    if (doc.prevTokenExpiresAt && doc.prevTokenExpiresAt > new Date()) {
+        // Within grace window — return current refresh token
+        return { sessionId: doc.sessionId, userId: doc.userId, newRefreshToken: doc.refreshToken };
+    }
+    // Grace window expired — token family theft detected, invalidate session
+    if (getPersistSessionMetadata()) {
+        await Session.updateOne({ sessionId: doc.sessionId }, { $set: { token: null, refreshToken: null, prevRefreshToken: null, prevTokenExpiresAt: null } });
+    }
+    else {
+        await Session.deleteOne({ sessionId: doc.sessionId });
+    }
+    return null;
+}
+async function mongoRotateRefreshToken(sessionId, newRefreshToken, newAccessToken) {
+    const graceSeconds = getRotationGraceSeconds();
+    const Session = getSessionModel();
+    const doc = await Session.findOne({ sessionId });
+    if (!doc)
+        return;
+    doc.prevRefreshToken = doc.refreshToken;
+    doc.prevTokenExpiresAt = new Date(Date.now() + graceSeconds * 1000);
+    doc.refreshToken = newRefreshToken;
+    doc.token = newAccessToken;
+    await doc.save();
+}
 // ---------------------------------------------------------------------------
 // Public API
 // ---------------------------------------------------------------------------
@@ -255,7 +366,7 @@ export const deleteSession = async (sessionId) => {
     }
     // mongo
     if (getPersistSessionMetadata()) {
-        await getSessionModel().updateOne({ sessionId }, { $set: { token: null } });
+        await getSessionModel().updateOne({ sessionId }, { $set: { token: null, refreshToken: null, prevRefreshToken: null, prevTokenExpiresAt: null } });
     }
     else {
         await getSessionModel().deleteOne({ sessionId });
@@ -303,6 +414,10 @@ export const evictOldestSession = async (userId) => {
     if (oldest)
         await deleteSession(oldest.sessionId);
 };
+export const deleteUserSessions = async (userId) => {
+    const sessions = await getUserSessions(userId);
+    await Promise.all(sessions.map((s) => deleteSession(s.sessionId)));
+};
 export const updateSessionLastActive = async (sessionId) => {
     if (_store === "memory") {
         memoryUpdateSessionLastActive(sessionId);
@@ -319,3 +434,48 @@ export const updateSessionLastActive = async (sessionId) => {
     // mongo
     await getSessionModel().updateOne({ sessionId }, { $set: { lastActiveAt: new Date() } });
 };
+// ---------------------------------------------------------------------------
+// Refresh token API
+// ---------------------------------------------------------------------------
+/** Store a refresh token on an existing session (called after session creation). */
+export const setRefreshToken = async (sessionId, refreshToken) => {
+    if (_store === "memory") {
+        memorySetRefreshToken(sessionId, refreshToken);
+        return;
+    }
+    if (_store === "sqlite") {
+        sqliteSetRefreshToken(sessionId, refreshToken);
+        return;
+    }
+    if (_store === "redis") {
+        await redisSetRefreshToken(sessionId, refreshToken);
+        return;
+    }
+    await mongoSetRefreshToken(sessionId, refreshToken);
+};
+/** Look up a session by refresh token. Handles grace window and theft detection. */
+export const getSessionByRefreshToken = async (refreshToken) => {
+    if (_store === "memory")
+        return memoryGetSessionByRefreshToken(refreshToken);
+    if (_store === "sqlite")
+        return sqliteGetSessionByRefreshToken(refreshToken);
+    if (_store === "redis")
+        return redisGetSessionByRefreshToken(refreshToken);
+    return mongoGetSessionByRefreshToken(refreshToken);
+};
+/** Rotate the refresh token: move current to prev with grace window, set new token + access token. */
+export const rotateRefreshToken = async (sessionId, newRefreshToken, newAccessToken) => {
+    if (_store === "memory") {
+        memoryRotateRefreshToken(sessionId, newRefreshToken, newAccessToken);
+        return;
+    }
+    if (_store === "sqlite") {
+        sqliteRotateRefreshToken(sessionId, newRefreshToken, newAccessToken);
+        return;
+    }
+    if (_store === "redis") {
+        await redisRotateRefreshToken(sessionId, newRefreshToken, newAccessToken);
+        return;
+    }
+    await mongoRotateRefreshToken(sessionId, newRefreshToken, newAccessToken);
+};

package/dist/lib/tenant.d.ts

@@ -0,0 +1,15 @@
+export interface TenantInfo {
+    tenantId: string;
+    displayName?: string;
+    config?: Record<string, unknown>;
+    createdAt: Date;
+    deletedAt?: Date | null;
+}
+export interface CreateTenantOptions {
+    displayName?: string;
+    config?: Record<string, unknown>;
+}
+export declare const createTenant: (tenantId: string, options?: CreateTenantOptions) => Promise<void>;
+export declare const deleteTenant: (tenantId: string) => Promise<void>;
+export declare const getTenant: (tenantId: string) => Promise<TenantInfo | null>;
+export declare const listTenants: () => Promise<TenantInfo[]>;

package/dist/lib/tenant.js

@@ -0,0 +1,65 @@
+import { authConnection, mongoose } from "./mongo";
+let _TenantModel = null;
+function getTenantModel() {
+    if (!_TenantModel) {
+        const { Schema } = mongoose;
+        const schema = new Schema({
+            tenantId: { type: String, required: true, unique: true },
+            displayName: { type: String },
+            config: { type: Schema.Types.Mixed },
+            deletedAt: { type: Date, default: null },
+        }, { timestamps: true });
+        _TenantModel = authConnection.model("Tenant", schema);
+    }
+    return _TenantModel;
+}
+// Proxy for lazy model resolution (same pattern as AuthUser)
+const Tenant = new Proxy({}, {
+    get(_, prop) {
+        const model = getTenantModel();
+        const val = model[prop];
+        return typeof val === "function" ? val.bind(model) : val;
+    },
+});
+export const createTenant = async (tenantId, options) => {
+    const existing = await Tenant.findOne({ tenantId }).lean();
+    if (existing && !existing.deletedAt) {
+        throw new Error(`Tenant "${tenantId}" already exists`);
+    }
+    if (existing && existing.deletedAt) {
+        // Reactivate soft-deleted tenant
+        await Tenant.findOneAndUpdate({ tenantId }, { deletedAt: null, displayName: options?.displayName, config: options?.config });
+        return;
+    }
+    await Tenant.create({
+        tenantId,
+        displayName: options?.displayName,
+        config: options?.config,
+    });
+};
+export const deleteTenant = async (tenantId) => {
+    const { invalidateTenantCache } = await import("../middleware/tenant");
+    // Soft-delete
+    await Tenant.findOneAndUpdate({ tenantId }, { deletedAt: new Date() });
+    invalidateTenantCache(tenantId);
+};
+export const getTenant = async (tenantId) => {
+    const doc = await Tenant.findOne({ tenantId, deletedAt: null }).lean();
+    if (!doc)
+        return null;
+    return {
+        tenantId: doc.tenantId,
+        displayName: doc.displayName,
+        config: doc.config,
+        createdAt: doc.createdAt,
+    };
+};
+export const listTenants = async () => {
+    const docs = await Tenant.find({ deletedAt: null }).lean();
+    return docs.map((doc) => ({
+        tenantId: doc.tenantId,
+        displayName: doc.displayName,
+        config: doc.config,
+        createdAt: doc.createdAt,
+    }));
+};

package/dist/lib/ws.js

@@ -11,9 +11,13 @@ const _roomRegistry = new Map();
 export const getRooms = () => [..._roomRegistry.keys()];
 /** Socket IDs subscribed to a given room */
 export const getRoomSubscribers = (room) => [...(_roomRegistry.get(room) ?? [])];
+const MAX_ROOM_ACTION_SIZE = 4096; // 4 KB — room actions are small JSON payloads
 export const handleRoomActions = async (ws, message, onSubscribe) => {
     try {
-        const data = JSON.parse(typeof message === "string" ? message : Buffer.from(message).toString());
+        const raw = typeof message === "string" ? message : Buffer.from(message).toString();
+        if (raw.length > MAX_ROOM_ACTION_SIZE)
+            return false; // not a room action
+        const data = JSON.parse(raw);
         if (data.action === "subscribe" && typeof data.room === "string") {
             if (onSubscribe && !(await onSubscribe(ws, data.room))) {
                 ws.send(JSON.stringify({ event: "subscribe_denied", room: data.room }));

package/dist/lib/zodToMongoose.d.ts

@@ -0,0 +1,38 @@
+import { Schema } from "mongoose";
+type ZodSchema = any;
+export type ZodToMongooseRefConfig = {
+    /** DB field name (e.g., "account") */
+    dbField: string;
+    /** Referenced model name (e.g., "Account") */
+    ref: string;
+};
+export type ZodToMongooseConfig = {
+    /** DB-only fields not in the Zod schema (e.g., user ref) */
+    dbFields?: Record<string, unknown>;
+    /** API fields that map to ObjectId refs: { accountId: { dbField: "account", ref: "Account" } } */
+    refs?: Record<string, ZodToMongooseRefConfig>;
+    /** Override Mongoose type for specific fields (e.g., { date: { type: Date, required: true } }) */
+    typeOverrides?: Record<string, unknown>;
+    /** Subdocument array fields: { items: mongooseSubSchema } */
+    subdocSchemas?: Record<string, Schema>;
+};
+/**
+ * Derive a Mongoose SchemaDefinition from a Zod object schema.
+ *
+ * Business fields are auto-converted from Zod types to Mongoose types.
+ * DB-specific concerns (ObjectId refs, type overrides, subdocuments) are declared via config.
+ *
+ * The `id` field is automatically excluded (Mongoose provides `_id`).
+ *
+ * @example
+ * ```ts
+ * const AccountMongoSchema = new Schema(
+ *   zodToMongoose(AccountSchema, {
+ *     dbFields: { user: { type: Schema.Types.ObjectId, ref: "UserProfile", required: true } },
+ *   }),
+ *   { timestamps: true }
+ * );
+ * ```
+ */
+export declare function zodToMongoose(zodSchema: ZodSchema, config?: ZodToMongooseConfig): Record<string, unknown>;
+export {};

package/dist/lib/zodToMongoose.js

@@ -0,0 +1,84 @@
+import { Schema } from "mongoose";
+/** Unwrap nullable, optional, and default wrappers to get the core Zod type */
+function unwrap(zodType) {
+    let t = zodType;
+    let required = true;
+    while (true) {
+        const defType = t._zod?.def?.type;
+        if (defType === "nullable") {
+            t = t._zod.def.innerType;
+            required = false;
+        }
+        else if (defType === "optional") {
+            t = t._zod.def.innerType;
+            required = false;
+        }
+        else if (defType === "default") {
+            t = t._zod.def.innerType;
+            required = false;
+        }
+        else
+            break;
+    }
+    return { core: t, required };
+}
+/** Convert a single Zod type to a Mongoose field definition */
+function toMongooseField(zodType) {
+    const { core, required } = unwrap(zodType);
+    const defType = core._zod?.def?.type;
+    if (defType === "string")
+        return { type: String, required };
+    if (defType === "number")
+        return { type: Number, required };
+    if (defType === "boolean")
+        return { type: Boolean, required };
+    if (defType === "date")
+        return { type: Date, required };
+    if (defType === "enum")
+        return { type: String, enum: core.options, required };
+    return { type: Schema.Types.Mixed, required };
+}
+/**
+ * Derive a Mongoose SchemaDefinition from a Zod object schema.
+ *
+ * Business fields are auto-converted from Zod types to Mongoose types.
+ * DB-specific concerns (ObjectId refs, type overrides, subdocuments) are declared via config.
+ *
+ * The `id` field is automatically excluded (Mongoose provides `_id`).
+ *
+ * @example
+ * ```ts
+ * const AccountMongoSchema = new Schema(
+ *   zodToMongoose(AccountSchema, {
+ *     dbFields: { user: { type: Schema.Types.ObjectId, ref: "UserProfile", required: true } },
+ *   }),
+ *   { timestamps: true }
+ * );
+ * ```
+ */
+export function zodToMongoose(zodSchema, config = {}) {
+    const shape = zodSchema.shape;
+    const fields = {};
+    for (const [apiField, zodType] of Object.entries(shape)) {
+        if (apiField === "id")
+            continue;
+        if (config.refs?.[apiField]) {
+            const { dbField, ref } = config.refs[apiField];
+            fields[dbField] = { type: Schema.Types.ObjectId, ref, required: true };
+            continue;
+        }
+        if (config.typeOverrides?.[apiField]) {
+            fields[apiField] = config.typeOverrides[apiField];
+            continue;
+        }
+        if (config.subdocSchemas?.[apiField]) {
+            fields[apiField] = [config.subdocSchemas[apiField]];
+            continue;
+        }
+        fields[apiField] = toMongooseField(zodType);
+    }
+    if (config.dbFields) {
+        Object.assign(fields, config.dbFields);
+    }
+    return fields;
+}

package/dist/middleware/bearerAuth.js

@@ -1,9 +1,10 @@
-const isProd = process.env.NODE_ENV === "production";
-const validToken = isProd ? process.env.BEARER_TOKEN_PROD : process.env.BEARER_TOKEN_DEV;
+import { timingSafeEqual } from "../lib/crypto";
 export const bearerAuth = async (c, next) => {
+    const isProd = process.env.NODE_ENV === "production";
+    const validToken = isProd ? process.env.BEARER_TOKEN_PROD : process.env.BEARER_TOKEN_DEV;
     const header = c.req.header("Authorization");
     const token = header?.startsWith("Bearer ") ? header.slice(7) : null;
-    if (!token || token !== validToken) {
+    if (!token || !validToken || !timingSafeEqual(token, validToken)) {
         return c.json({ error: "Unauthorized" }, 401);
     }
     await next();

package/dist/middleware/botProtection.js

@@ -1,3 +1,4 @@
+import { getClientIp } from "../lib/clientIp";
 // ---------------------------------------------------------------------------
 // CIDR helpers (IPv4 only; IPv6 exact-match supported)
 // ---------------------------------------------------------------------------
@@ -40,8 +41,7 @@ export const botProtection = ({ blockList = [], }) => {
     if (blockList.length === 0)
         return (_c, next) => next();
     return async (c, next) => {
-        const raw = c.req.header("x-forwarded-for") ?? "";
-        const ip = raw.split(",")[0]?.trim() ?? "unknown";
+        const ip = getClientIp(c);
         if (ip !== "unknown" && isBlocked(ip, blockList)) {
             return c.json({ error: "Forbidden" }, 403);
         }

package/dist/middleware/cacheResponse.d.ts

@@ -1,5 +1,6 @@
 import type { MiddlewareHandler } from "hono";
 import type { AppEnv } from "../lib/context";
+export declare function getCacheModel(): import("mongoose").Model<any, {}, {}, {}, any, any, any>;
 type CacheStore = "redis" | "mongo" | "sqlite" | "memory";
 export declare const setCacheStore: (store: CacheStore) => void;
 export declare const bustCache: (key: string) => Promise<void>;

package/dist/middleware/cacheResponse.js

@@ -3,7 +3,7 @@ import { getAppName } from "../lib/appConfig";
 import { appConnection, mongoose } from "../lib/mongo";
 import { isSqliteReady, sqliteGetCache, sqliteSetCache, sqliteDelCache, sqliteDelCachePattern } from "../adapters/sqliteAuth";
 import { memoryGetCache, memorySetCache, memoryDelCache, memoryDelCachePattern } from "../adapters/memoryAuth";
-function getCacheModel() {
+export function getCacheModel() {
     if (appConnection.models["CacheEntry"])
         return appConnection.models["CacheEntry"];
     const { Schema } = mongoose;
@@ -130,11 +130,22 @@ export const bustCachePattern = async (pattern) => {
     const fullPattern = `cache:${getAppName()}:${pattern}`;
     await Promise.all([storeDelPattern("redis", fullPattern), storeDelPattern("mongo", fullPattern), storeDelPattern("sqlite", fullPattern), storeDelPattern("memory", fullPattern)]);
 };
+/** Headers that must never be cached — storing these can cause session fixation or auth bypass. */
+const UNCACHEABLE_HEADERS = new Set([
+    "set-cookie",
+    "www-authenticate",
+    "authorization",
+    "x-csrf-token",
+    "proxy-authenticate",
+]);
 export const cacheResponse = ({ ttl, key, store = _defaultCacheStore }) => {
     return async (c, next) => {
         const appName = getAppName();
         const rawKey = typeof key === "function" ? key(c) : key;
-        const cacheKey = `cache:${appName}:${rawKey}`;
+        // Per-tenant namespacing: prevents two tenants caching the same key from colliding
+        const tenantId = c.get("tenantId");
+        const tenantSegment = tenantId ? `${tenantId}:` : "";
+        const cacheKey = `cache:${appName}:${tenantSegment}${rawKey}`;
         const cached = await storeGet(store, cacheKey);
         if (cached) {
             const { status, headers, body } = JSON.parse(cached);
@@ -148,7 +159,11 @@ export const cacheResponse = ({ ttl, key, store = _defaultCacheStore }) => {
         if (res.status >= 200 && res.status < 300) {
             const body = await res.text();
             const headers = {};
-            res.headers.forEach((value, name) => { headers[name] = value; });
+            res.headers.forEach((value, name) => {
+                if (!UNCACHEABLE_HEADERS.has(name.toLowerCase())) {
+                    headers[name] = value;
+                }
+            });
             await storeSet(store, cacheKey, JSON.stringify({ status: res.status, headers, body }), ttl);
             c.res = new Response(body, {
                 status: res.status,

package/dist/middleware/cors.d.ts

@@ -1,2 +1,4 @@
 import type { Middleware } from ".";
+/** Configure the allowed CORS origins. Call once at startup. */
+export declare const setCorsOrigins: (origins: string | string[]) => void;
 export declare const cors: Middleware;

package/dist/middleware/cors.js

@@ -1,17 +1,31 @@
+let _allowedOrigins = "*";
+/** Configure the allowed CORS origins. Call once at startup. */
+export const setCorsOrigins = (origins) => { _allowedOrigins = origins; };
 export const cors = async (req, next) => {
+    const origin = req.headers.get("Origin");
+    const headers = corsHeaders(origin);
     if (req.method === "OPTIONS") {
-        return new Response(null, { status: 204, headers: corsHeaders() });
+        return new Response(null, { status: 204, headers });
     }
     const res = await next(req);
-    const headers = new Headers(res.headers);
-    for (const [k, v] of Object.entries(corsHeaders()))
-        headers.set(k, v);
-    return new Response(res.body, { status: res.status, headers });
+    const resHeaders = new Headers(res.headers);
+    for (const [k, v] of Object.entries(headers))
+        resHeaders.set(k, v);
+    return new Response(res.body, { status: res.status, headers: resHeaders });
 };
-const corsHeaders = () => {
+function corsHeaders(requestOrigin) {
+    let allowOrigin;
+    if (_allowedOrigins === "*") {
+        allowOrigin = "*";
+    }
+    else {
+        const origins = Array.isArray(_allowedOrigins) ? _allowedOrigins : [_allowedOrigins];
+        allowOrigin = requestOrigin && origins.includes(requestOrigin) ? requestOrigin : origins[0];
+    }
     return {
-        "Access-Control-Allow-Origin": "*",
+        "Access-Control-Allow-Origin": allowOrigin,
         "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
         "Access-Control-Allow-Headers": "Content-Type, Authorization",
+        ...(allowOrigin !== "*" ? { Vary: "Origin" } : {}),
     };
-};
+}

package/dist/middleware/csrf.d.ts

@@ -0,0 +1,18 @@
+import type { MiddlewareHandler } from "hono";
+import { setCookie, deleteCookie } from "hono/cookie";
+import type { AppEnv } from "../lib/context";
+export interface CsrfMiddlewareOptions {
+    exemptPaths?: string[];
+    checkOrigin?: boolean;
+    allowedOrigins?: string | string[];
+}
+/**
+ * Refreshes the CSRF token cookie — call on login/register to prevent
+ * session fixation-adjacent attacks.
+ */
+export declare function refreshCsrfToken(c: Parameters<typeof setCookie>[0]): void;
+/**
+ * Clears the CSRF token cookie — call on logout.
+ */
+export declare function clearCsrfToken(c: Parameters<typeof deleteCookie>[0]): void;
+export declare const csrfProtection: (options?: CsrfMiddlewareOptions) => MiddlewareHandler<AppEnv>;