@lastshotlabs/bunshot 0.0.13 → 0.0.18

package/dist/middleware/csrf.js

@@ -0,0 +1,115 @@
+import { getCookie, setCookie, deleteCookie } from "hono/cookie";
+import { timingSafeEqual } from "../lib/crypto";
+import { COOKIE_TOKEN, COOKIE_CSRF_TOKEN, HEADER_CSRF_TOKEN } from "../lib/constants";
+import { createHmac, randomBytes } from "crypto";
+const isProd = process.env.NODE_ENV === "production";
+const STATE_CHANGING_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);
+function getJwtSecret() {
+    const secret = isProd ? process.env.JWT_SECRET_PROD : process.env.JWT_SECRET_DEV;
+    if (!secret)
+        throw new Error("CSRF middleware requires JWT_SECRET_DEV/JWT_SECRET_PROD to be set");
+    return secret;
+}
+function generateCsrfToken(secret) {
+    const token = randomBytes(32).toString("hex");
+    const sig = createHmac("sha256", secret).update(token).digest("hex");
+    return `${token}.${sig}`;
+}
+function verifyCsrfSignature(cookieValue, secret) {
+    const dotIdx = cookieValue.indexOf(".");
+    if (dotIdx === -1)
+        return false;
+    const token = cookieValue.substring(0, dotIdx);
+    const sig = cookieValue.substring(dotIdx + 1);
+    const expected = createHmac("sha256", secret).update(token).digest("hex");
+    return timingSafeEqual(sig, expected);
+}
+const csrfCookieOptions = {
+    httpOnly: false,
+    secure: isProd,
+    sameSite: "Lax",
+    path: "/",
+    maxAge: 60 * 60 * 24 * 365, // 1 year — tied to browser, not session
+};
+/**
+ * Refreshes the CSRF token cookie — call on login/register to prevent
+ * session fixation-adjacent attacks.
+ */
+export function refreshCsrfToken(c) {
+    const secret = getJwtSecret();
+    const token = generateCsrfToken(secret);
+    setCookie(c, COOKIE_CSRF_TOKEN, token, csrfCookieOptions);
+}
+/**
+ * Clears the CSRF token cookie — call on logout.
+ */
+export function clearCsrfToken(c) {
+    deleteCookie(c, COOKIE_CSRF_TOKEN, { path: "/" });
+}
+export const csrfProtection = (options = {}) => {
+    const { exemptPaths = [], checkOrigin = true, allowedOrigins } = options;
+    // Normalize allowed origins for origin validation
+    const originSet = new Set();
+    if (allowedOrigins) {
+        const origins = Array.isArray(allowedOrigins) ? allowedOrigins : [allowedOrigins];
+        for (const o of origins) {
+            if (o !== "*")
+                originSet.add(o.replace(/\/$/, ""));
+        }
+    }
+    return async (c, next) => {
+        const secret = getJwtSecret();
+        // Set CSRF cookie on every response if not already present
+        const existingCsrf = getCookie(c, COOKIE_CSRF_TOKEN);
+        if (!existingCsrf) {
+            const token = generateCsrfToken(secret);
+            setCookie(c, COOKIE_CSRF_TOKEN, token, csrfCookieOptions);
+        }
+        // Only validate state-changing methods
+        if (!STATE_CHANGING_METHODS.has(c.req.method)) {
+            return next();
+        }
+        // Skip if no auth cookie present — not vulnerable to CSRF
+        const authCookie = getCookie(c, COOKIE_TOKEN);
+        if (!authCookie) {
+            return next();
+        }
+        // Skip exempt paths
+        const path = c.req.path;
+        for (const exempt of exemptPaths) {
+            if (exempt.endsWith("*")) {
+                if (path.startsWith(exempt.slice(0, -1)))
+                    return next();
+            }
+            else {
+                if (path === exempt)
+                    return next();
+            }
+        }
+        // Origin validation (secondary layer)
+        if (checkOrigin && originSet.size > 0) {
+            const origin = c.req.header("origin");
+            if (origin) {
+                const normalized = origin.replace(/\/$/, "");
+                if (!originSet.has(normalized)) {
+                    return c.json({ error: "CSRF origin mismatch" }, 403);
+                }
+            }
+        }
+        // Double submit cookie validation
+        const csrfCookie = getCookie(c, COOKIE_CSRF_TOKEN);
+        const csrfHeader = c.req.header(HEADER_CSRF_TOKEN);
+        if (!csrfCookie || !csrfHeader) {
+            return c.json({ error: "CSRF token missing" }, 403);
+        }
+        // Verify the cookie's HMAC signature (prevents cookie injection)
+        if (!verifyCsrfSignature(csrfCookie, secret)) {
+            return c.json({ error: "CSRF token invalid" }, 403);
+        }
+        // Compare header value to cookie value
+        if (!timingSafeEqual(csrfHeader, csrfCookie)) {
+            return c.json({ error: "CSRF token mismatch" }, 403);
+        }
+        return next();
+    };
+};

package/dist/middleware/rateLimit.d.ts

@@ -1,8 +1,9 @@
 import type { MiddlewareHandler } from "hono";
+import type { AppEnv } from "../lib/context";
 export interface RateLimitOptions {
     windowMs: number;
     max: number;
     /** Also rate-limit by HTTP fingerprint in addition to IP. Default: false */
     fingerprintLimit?: boolean;
 }
-export declare const rateLimit: ({ windowMs, max, fingerprintLimit, }: RateLimitOptions) => MiddlewareHandler;
+export declare const rateLimit: ({ windowMs, max, fingerprintLimit, }: RateLimitOptions) => MiddlewareHandler<AppEnv>;

package/dist/middleware/rateLimit.js

@@ -1,17 +1,19 @@
 import { trackAttempt } from "../lib/authRateLimit";
 import { buildFingerprint } from "../lib/fingerprint";
+import { getClientIp } from "../lib/clientIp";
 export const rateLimit = ({ windowMs, max, fingerprintLimit = false, }) => {
     const opts = { windowMs, max };
     return async (c, next) => {
-        // Take the leftmost (client) IP from x-forwarded-for
-        const raw = c.req.header("x-forwarded-for") ?? "";
-        const ip = raw.split(",")[0]?.trim() || "unknown";
-        if (await trackAttempt(`ip:${ip}`, opts)) {
+        const ip = getClientIp(c);
+        // Per-tenant namespacing: each tenant gets independent rate limit buckets
+        const tenantId = c.get("tenantId");
+        const prefix = tenantId ? `t:${tenantId}:` : "";
+        if (await trackAttempt(`${prefix}ip:${ip}`, opts)) {
             return c.json({ error: "Too Many Requests" }, 429);
         }
         if (fingerprintLimit) {
             const fp = await buildFingerprint(c.req.raw);
-            if (await trackAttempt(`fp:${fp}`, opts)) {
+            if (await trackAttempt(`${prefix}fp:${fp}`, opts)) {
                 return c.json({ error: "Too Many Requests" }, 429);
             }
         }

package/dist/middleware/requireRole.d.ts

@@ -3,9 +3,11 @@ import type { AppEnv } from "../lib/context";
 /**
  * Middleware factory that enforces role-based access.
  * Requires `identify` to have run first (authUserId must be set).
- * Roles are fetched lazily on the first role-checked route and cached on the context.
  *
- * The adapter must implement `getRoles` for this to work.
+ * When tenant context exists (`tenantId` set on context), checks tenant-scoped roles.
+ * Falls back to app-wide roles when no tenant context is present.
+ *
+ * The adapter must implement `getRoles` (and `getTenantRoles` for tenant-scoped checks).
  *
  * @example
  * // Allow any authenticated user with the "admin" role
@@ -14,4 +16,13 @@ import type { AppEnv } from "../lib/context";
  * // Allow users with either "admin" or "moderator"
  * app.get("/mod", userAuth, requireRole("admin", "moderator"), handler)
  */
-export declare const requireRole: (...roles: string[]) => MiddlewareHandler<AppEnv>;
+export declare const requireRole: ((...roles: string[]) => MiddlewareHandler<AppEnv>) & {
+    /**
+     * Always checks app-wide roles regardless of tenant context.
+     * Use for super-admin gates that should ignore tenant scoping.
+     *
+     * @example
+     * app.get("/super-admin", userAuth, requireRole.global("superadmin"), handler)
+     */
+    global: (...roles: string[]) => MiddlewareHandler<AppEnv>;
+};

package/dist/middleware/requireRole.js

@@ -2,9 +2,11 @@ import { getAuthAdapter } from "../lib/authAdapter";
 /**
  * Middleware factory that enforces role-based access.
  * Requires `identify` to have run first (authUserId must be set).
- * Roles are fetched lazily on the first role-checked route and cached on the context.
  *
- * The adapter must implement `getRoles` for this to work.
+ * When tenant context exists (`tenantId` set on context), checks tenant-scoped roles.
+ * Falls back to app-wide roles when no tenant context is present.
+ *
+ * The adapter must implement `getRoles` (and `getTenantRoles` for tenant-scoped checks).
  *
  * @example
  * // Allow any authenticated user with the "admin" role
@@ -13,15 +15,25 @@ import { getAuthAdapter } from "../lib/authAdapter";
  * // Allow users with either "admin" or "moderator"
  * app.get("/mod", userAuth, requireRole("admin", "moderator"), handler)
  */
-export const requireRole = (...roles) => async (c, next) => {
+export const requireRole = Object.assign((...roles) => async (c, next) => {
     const userId = c.get("authUserId");
     if (!userId) {
         return c.json({ error: "Unauthorized" }, 401);
     }
-    // Lazy-fetch roles and cache on context so multiple requireRole calls in a chain only hit the adapter once
+    const adapter = getAuthAdapter();
+    const tenantId = c.get("tenantId");
+    // When tenant context exists and adapter supports tenant roles, check tenant-scoped roles
+    if (tenantId && adapter.getTenantRoles) {
+        const tenantRoles = await adapter.getTenantRoles(userId, tenantId);
+        const hasRole = roles.some((role) => tenantRoles.includes(role));
+        if (!hasRole) {
+            return c.json({ error: "Forbidden" }, 403);
+        }
+        return next();
+    }
+    // Fall back to app-wide roles
     let userRoles = c.get("roles");
     if (userRoles === null) {
-        const adapter = getAuthAdapter();
         if (!adapter.getRoles) {
             throw new Error("requireRole used but auth adapter does not implement getRoles");
         }
@@ -33,4 +45,32 @@ export const requireRole = (...roles) => async (c, next) => {
         return c.json({ error: "Forbidden" }, 403);
     }
     await next();
-};
+}, {
+    /**
+     * Always checks app-wide roles regardless of tenant context.
+     * Use for super-admin gates that should ignore tenant scoping.
+     *
+     * @example
+     * app.get("/super-admin", userAuth, requireRole.global("superadmin"), handler)
+     */
+    global: (...roles) => async (c, next) => {
+        const userId = c.get("authUserId");
+        if (!userId) {
+            return c.json({ error: "Unauthorized" }, 401);
+        }
+        let userRoles = c.get("roles");
+        if (userRoles === null) {
+            const adapter = getAuthAdapter();
+            if (!adapter.getRoles) {
+                throw new Error("requireRole.global used but auth adapter does not implement getRoles");
+            }
+            userRoles = await adapter.getRoles(userId);
+            c.set("roles", userRoles);
+        }
+        const hasRole = roles.some((role) => userRoles.includes(role));
+        if (!hasRole) {
+            return c.json({ error: "Forbidden" }, 403);
+        }
+        await next();
+    },
+});

package/dist/middleware/tenant.d.ts

@@ -0,0 +1,5 @@
+import type { MiddlewareHandler } from "hono";
+import type { AppEnv } from "../lib/context";
+import type { TenancyConfig } from "../app";
+export declare const invalidateTenantCache: (tenantId: string) => void;
+export declare const createTenantMiddleware: (config: TenancyConfig) => MiddlewareHandler<AppEnv>;

package/dist/middleware/tenant.js

@@ -0,0 +1,116 @@
+class LruCache {
+    _map = new Map();
+    _maxSize;
+    _ttlMs;
+    constructor(maxSize, ttlMs) {
+        this._maxSize = maxSize;
+        this._ttlMs = ttlMs;
+    }
+    get(key) {
+        const entry = this._map.get(key);
+        if (!entry)
+            return undefined; // cache miss
+        if (entry.expiresAt <= Date.now()) {
+            this._map.delete(key);
+            return undefined; // expired
+        }
+        // Move to end (most recently used)
+        this._map.delete(key);
+        this._map.set(key, entry);
+        return entry.value;
+    }
+    set(key, value) {
+        // Remove first if exists (for re-insertion at end)
+        this._map.delete(key);
+        // Evict oldest if at capacity
+        if (this._map.size >= this._maxSize) {
+            const oldest = this._map.keys().next().value;
+            if (oldest !== undefined)
+                this._map.delete(oldest);
+        }
+        this._map.set(key, { value, expiresAt: Date.now() + this._ttlMs });
+    }
+    delete(key) {
+        this._map.delete(key);
+    }
+}
+// ---------------------------------------------------------------------------
+// Exported cache invalidation (used by tenant provisioning helpers)
+// ---------------------------------------------------------------------------
+let _cache = null;
+export const invalidateTenantCache = (tenantId) => {
+    _cache?.delete(tenantId);
+};
+// ---------------------------------------------------------------------------
+// Tenant resolution middleware
+// ---------------------------------------------------------------------------
+const DEFAULT_EXEMPT = ["/health", "/docs", "/openapi.json", "/auth/"];
+function extractTenantId(c, config) {
+    if (config.resolution === "header") {
+        const headerName = config.headerName ?? "x-tenant-id";
+        return c.req.header(headerName) ?? null;
+    }
+    if (config.resolution === "subdomain") {
+        const host = c.req.header("host") ?? "";
+        // Extract first subdomain: "acme.myapp.com" → "acme"
+        const parts = host.split(".");
+        if (parts.length < 3)
+            return null; // no subdomain
+        return parts[0] || null;
+    }
+    if (config.resolution === "path") {
+        const segmentIndex = config.pathSegment ?? 0;
+        // Path: "/acme/api/users" → segments after split: ["", "acme", "api", "users"]
+        const segments = c.req.path.split("/").filter(Boolean);
+        return segments[segmentIndex] ?? null;
+    }
+    return null;
+}
+export const createTenantMiddleware = (config) => {
+    const exemptPaths = [...DEFAULT_EXEMPT, ...(config.exemptPaths ?? [])];
+    const rejectionStatus = config.rejectionStatus ?? 403;
+    const cacheTtlMs = config.cacheTtlMs ?? 60_000;
+    const cacheMaxSize = config.cacheMaxSize ?? 500;
+    // Initialize LRU cache if caching is enabled and onResolve is provided
+    if (config.onResolve && cacheTtlMs > 0) {
+        _cache = new LruCache(cacheMaxSize, cacheTtlMs);
+    }
+    return async (c, next) => {
+        const path = c.req.path;
+        // Check exempt paths using startsWith
+        for (const exempt of exemptPaths) {
+            if (path === exempt || path.startsWith(exempt)) {
+                c.set("tenantId", null);
+                c.set("tenantConfig", null);
+                return next();
+            }
+        }
+        const tenantId = extractTenantId(c, config);
+        if (!tenantId) {
+            return c.json({ error: "Tenant ID required" }, 400);
+        }
+        // Validate via onResolve (with caching)
+        if (config.onResolve) {
+            let tenantConfig;
+            if (_cache) {
+                tenantConfig = _cache.get(tenantId);
+            }
+            // undefined = cache miss, null = onResolve returned null (rejected)
+            if (tenantConfig === undefined) {
+                tenantConfig = await config.onResolve(tenantId);
+                _cache?.set(tenantId, tenantConfig);
+            }
+            if (tenantConfig === null) {
+                return c.json({ error: "Access denied" }, rejectionStatus);
+            }
+            c.set("tenantId", tenantId);
+            c.set("tenantConfig", tenantConfig);
+        }
+        else {
+            // No onResolve — trust the tenant ID
+            c.set("tenantId", tenantId);
+            c.set("tenantConfig", null);
+        }
+        return next();
+    };
+};

package/dist/models/AuthUser.d.ts

@@ -8,6 +8,23 @@ interface IAuthUser {
     roles: string[];
     /** Whether the user's email address has been verified. */
     emailVerified: boolean;
+    /** TOTP secret for MFA. Null when MFA is not set up. */
+    mfaSecret?: string | null;
+    /** Whether MFA is enabled (secret stored + confirmed via TOTP code). */
+    mfaEnabled?: boolean;
+    /** SHA-256 hashed recovery codes for MFA. */
+    recoveryCodes?: string[];
+    /** MFA methods enabled for this user (e.g., ["totp"], ["emailOtp"], ["totp", "emailOtp"]). */
+    mfaMethods?: string[];
+    /** WebAuthn credentials (security keys / platform authenticators). */
+    webauthnCredentials?: Array<{
+        credentialId: string;
+        publicKey: string;
+        signCount: number;
+        transports?: string[];
+        name?: string;
+        createdAt: Date;
+    }>;
 }
 type AuthUserDocument = IAuthUser & Document;
 export declare const AuthUser: Model<AuthUserDocument, {}, {}, {}, Document<unknown, {}, AuthUserDocument, {}, import("mongoose").DefaultSchemaOptions> & IAuthUser & Document<import("mongoose").Types.ObjectId, any, any, Record<string, any>, {}> & Required<{

package/dist/models/AuthUser.js

@@ -14,6 +14,23 @@ function getAuthUser() {
             roles: [{ type: String }],
             /** Whether the user's email address has been verified. */
             emailVerified: { type: Boolean, default: false },
+            /** TOTP secret for MFA. */
+            mfaSecret: { type: String, default: null },
+            /** Whether MFA is enabled. */
+            mfaEnabled: { type: Boolean, default: false },
+            /** SHA-256 hashed recovery codes for MFA. */
+            recoveryCodes: [{ type: String }],
+            /** MFA methods enabled for this user. */
+            mfaMethods: [{ type: String }],
+            /** WebAuthn credentials (security keys / platform authenticators). */
+            webauthnCredentials: [{
+                    credentialId: { type: String, required: true },
+                    publicKey: { type: String, required: true },
+                    signCount: { type: Number, required: true, default: 0 },
+                    transports: [{ type: String }],
+                    name: { type: String },
+                    createdAt: { type: Date, default: Date.now },
+                }],
         }, { timestamps: true });
         schema.index({ providerIds: 1 });
         _AuthUser = authConnection.model("AuthUser", schema);

package/dist/models/TenantRole.d.ts

@@ -0,0 +1,15 @@
+import type { Document, Model } from "mongoose";
+interface ITenantRole {
+    userId: string;
+    tenantId: string;
+    roles: string[];
+}
+type TenantRoleDocument = ITenantRole & Document;
+export declare const TenantRole: Model<TenantRoleDocument, {}, {}, {}, Document<unknown, {}, TenantRoleDocument, {}, import("mongoose").DefaultSchemaOptions> & ITenantRole & Document<import("mongoose").Types.ObjectId, any, any, Record<string, any>, {}> & Required<{
+    _id: import("mongoose").Types.ObjectId;
+}> & {
+    __v: number;
+} & {
+    id: string;
+}, any, TenantRoleDocument>;
+export {};

package/dist/models/TenantRole.js

@@ -0,0 +1,23 @@
+import { authConnection, mongoose } from "../lib/mongo";
+let _TenantRole = null;
+function getTenantRole() {
+    if (!_TenantRole) {
+        const { Schema } = mongoose;
+        const schema = new Schema({
+            userId: { type: String, required: true },
+            tenantId: { type: String, required: true },
+            roles: [{ type: String }],
+        }, { timestamps: true });
+        schema.index({ userId: 1, tenantId: 1 }, { unique: true });
+        schema.index({ tenantId: 1 });
+        _TenantRole = authConnection.model("TenantRole", schema);
+    }
+    return _TenantRole;
+}
+export const TenantRole = new Proxy({}, {
+    get(_, prop) {
+        const model = getTenantRole();
+        const val = model[prop];
+        return typeof val === "function" ? val.bind(model) : val;
+    },
+});

package/dist/routes/auth.d.ts

@@ -1,9 +1,11 @@
-import type { PrimaryField, EmailVerificationConfig, PasswordResetConfig } from "../lib/appConfig";
-import type { AuthRateLimitConfig } from "../app";
+import type { PrimaryField, EmailVerificationConfig, PasswordResetConfig, RefreshTokenConfig } from "../lib/appConfig";
+import type { AuthRateLimitConfig, AccountDeletionConfig } from "../app";
 export interface AuthRouterOptions {
     primaryField: PrimaryField;
     emailVerification?: EmailVerificationConfig;
     passwordReset?: PasswordResetConfig;
     rateLimit?: AuthRateLimitConfig;
+    accountDeletion?: AccountDeletionConfig;
+    refreshTokens?: RefreshTokenConfig;
 }
-export declare const createAuthRouter: ({ primaryField, emailVerification, passwordReset, rateLimit }: AuthRouterOptions) => import("@hono/zod-openapi").OpenAPIHono<import("../lib/context").AppEnv, {}, "/">;
+export declare const createAuthRouter: ({ primaryField, emailVerification, passwordReset, rateLimit, accountDeletion, refreshTokens }: AuthRouterOptions) => import("@hono/zod-openapi").OpenAPIHono<import("../lib/context").AppEnv, {}, "/">;