@lastshotlabs/bunshot 0.0.16 → 0.0.18

package/dist/lib/clientIp.js

@@ -0,0 +1,52 @@
+// ---------------------------------------------------------------------------
+// Trust-proxy configuration (set once at startup via setTrustProxy)
+// ---------------------------------------------------------------------------
+let _trustProxy = false;
+export const setTrustProxy = (value) => {
+    _trustProxy = value;
+};
+// ---------------------------------------------------------------------------
+// Centralized client IP extraction
+// ---------------------------------------------------------------------------
+/**
+ * Returns the client IP address, respecting the `trustProxy` setting.
+ *
+ * - When `trustProxy` is `false`: returns the socket-level IP (via Bun's
+ *   `server.requestIP()`), ignoring `X-Forwarded-For` entirely.
+ * - When `trustProxy` is a number N: takes the Nth-from-right entry in the
+ *   `X-Forwarded-For` chain (skipping N trusted proxy hops), falling back to
+ *   the socket-level IP.
+ *
+ * Returns `"unknown"` if no IP can be determined.
+ */
+export const getClientIp = (c) => {
+    // Socket-level IP via Bun's server (passed as c.env by Bun.serve)
+    let socketIp;
+    try {
+        const server = c.env;
+        if (server?.requestIP) {
+            const info = server.requestIP(c.req.raw);
+            if (info)
+                socketIp = info.address;
+        }
+    }
+    catch { /* not running under Bun.serve — e.g. test environment */ }
+    if (_trustProxy === false) {
+        return socketIp ?? "unknown";
+    }
+    // Trust N proxy hops: take the Nth-from-right in XFF
+    const xff = c.req.header("x-forwarded-for");
+    if (xff) {
+        const ips = xff.split(",").map(s => s.trim()).filter(Boolean);
+        // Index from the right: trustProxy=1 means 1 proxy, so take ips[length - 2]
+        const idx = ips.length - _trustProxy - 1;
+        if (idx >= 0 && ips[idx]) {
+            return ips[idx];
+        }
+        // If fewer entries than expected, fall back to leftmost (or socket IP)
+        if (ips.length > 0)
+            return ips[0];
+    }
+    // Fallback: X-Real-IP header, then socket IP
+    return c.req.header("x-real-ip") ?? socketIp ?? "unknown";
+};

package/dist/lib/constants.d.ts

@@ -2,3 +2,5 @@ export declare const COOKIE_TOKEN = "token";
 export declare const HEADER_USER_TOKEN = "x-user-token";
 export declare const COOKIE_REFRESH_TOKEN = "refresh_token";
 export declare const HEADER_REFRESH_TOKEN = "x-refresh-token";
+export declare const COOKIE_CSRF_TOKEN = "csrf_token";
+export declare const HEADER_CSRF_TOKEN = "x-csrf-token";

package/dist/lib/constants.js

@@ -2,3 +2,5 @@ export const COOKIE_TOKEN = "token";
 export const HEADER_USER_TOKEN = "x-user-token";
 export const COOKIE_REFRESH_TOKEN = "refresh_token";
 export const HEADER_REFRESH_TOKEN = "x-refresh-token";
+export const COOKIE_CSRF_TOKEN = "csrf_token";
+export const HEADER_CSRF_TOKEN = "x-csrf-token";

package/dist/lib/crypto.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Constant-time string comparison to prevent timing attacks.
+ * Returns true if both strings are equal, false otherwise.
+ * Always compares the full length even on mismatch.
+ */
+export declare function timingSafeEqual(a: string, b: string): boolean;
+/**
+ * SHA-256 hash a string and return the hex digest.
+ * Centralized to avoid duplicate implementations across modules.
+ */
+export declare function sha256(input: string): string;

package/dist/lib/crypto.js

@@ -0,0 +1,22 @@
+import { createHash, timingSafeEqual as nodeTimingSafeEqual } from "crypto";
+/**
+ * Constant-time string comparison to prevent timing attacks.
+ * Returns true if both strings are equal, false otherwise.
+ * Always compares the full length even on mismatch.
+ */
+export function timingSafeEqual(a, b) {
+    if (a.length !== b.length) {
+        // Compare against self to burn the same time, then return false
+        const buf = Buffer.from(a, "utf-8");
+        nodeTimingSafeEqual(buf, buf);
+        return false;
+    }
+    return nodeTimingSafeEqual(Buffer.from(a, "utf-8"), Buffer.from(b, "utf-8"));
+}
+/**
+ * SHA-256 hash a string and return the hex digest.
+ * Centralized to avoid duplicate implementations across modules.
+ */
+export function sha256(input) {
+    return createHash("sha256").update(input).digest("hex");
+}

package/dist/lib/emailVerification.d.ts

@@ -1,9 +1,13 @@
 type VerificationStore = "redis" | "mongo" | "sqlite" | "memory";
 export declare const setEmailVerificationStore: (store: VerificationStore) => void;
+/** Create a verification token. Returns the raw token (for the email link).
+ *  Only the SHA-256 hash is persisted in the store. */
 export declare const createVerificationToken: (userId: string, email: string) => Promise<string>;
+/** Look up a verification token by its raw value. Hashes before lookup. */
 export declare const getVerificationToken: (token: string) => Promise<{
     userId: string;
     email: string;
 } | null>;
+/** Delete a verification token by its raw value. Hashes before lookup. */
 export declare const deleteVerificationToken: (token: string) => Promise<void>;
 export {};

package/dist/lib/emailVerification.js

@@ -1,6 +1,7 @@
 import { getRedis } from "./redis";
 import { appConnection, mongoose } from "./mongo";
 import { getAppName, getTokenExpiry } from "./appConfig";
+import { sha256 } from "./crypto";
 import { sqliteCreateVerificationToken, sqliteGetVerificationToken, sqliteDeleteVerificationToken, } from "../adapters/sqliteAuth";
 import { memoryCreateVerificationToken, memoryGetVerificationToken, memoryDeleteVerificationToken, } from "../adapters/memoryAuth";
 function getVerificationModel() {
@@ -20,59 +21,66 @@ export const setEmailVerificationStore = (store) => { _store = store; };
 // ---------------------------------------------------------------------------
 // Public API
 // ---------------------------------------------------------------------------
+/** Create a verification token. Returns the raw token (for the email link).
+ *  Only the SHA-256 hash is persisted in the store. */
 export const createVerificationToken = async (userId, email) => {
     const token = crypto.randomUUID();
+    const hash = sha256(token);
     const ttl = getTokenExpiry();
     if (_store === "memory") {
-        memoryCreateVerificationToken(token, userId, email, ttl);
+        memoryCreateVerificationToken(hash, userId, email, ttl);
         return token;
     }
     if (_store === "sqlite") {
-        sqliteCreateVerificationToken(token, userId, email, ttl);
+        sqliteCreateVerificationToken(hash, userId, email, ttl);
         return token;
     }
     if (_store === "mongo") {
         await getVerificationModel().create({
-            token,
+            token: hash,
             userId,
             email,
             expiresAt: new Date(Date.now() + ttl * 1000),
         });
         return token;
     }
-    await getRedis().set(`verify:${getAppName()}:${token}`, JSON.stringify({ userId, email }), "EX", ttl);
+    await getRedis().set(`verify:${getAppName()}:${hash}`, JSON.stringify({ userId, email }), "EX", ttl);
     return token;
 };
+/** Look up a verification token by its raw value. Hashes before lookup. */
 export const getVerificationToken = async (token) => {
+    const hash = sha256(token);
     if (_store === "memory")
-        return memoryGetVerificationToken(token);
+        return memoryGetVerificationToken(hash);
     if (_store === "sqlite")
-        return sqliteGetVerificationToken(token);
+        return sqliteGetVerificationToken(hash);
     if (_store === "mongo") {
         const doc = await getVerificationModel()
-            .findOne({ token, expiresAt: { $gt: new Date() } })
+            .findOne({ token: hash, expiresAt: { $gt: new Date() } })
             .lean();
         if (!doc)
             return null;
         return { userId: doc.userId, email: doc.email };
     }
-    const raw = await getRedis().get(`verify:${getAppName()}:${token}`);
+    const raw = await getRedis().get(`verify:${getAppName()}:${hash}`);
     if (!raw)
         return null;
     return JSON.parse(raw);
 };
+/** Delete a verification token by its raw value. Hashes before lookup. */
 export const deleteVerificationToken = async (token) => {
+    const hash = sha256(token);
     if (_store === "memory") {
-        memoryDeleteVerificationToken(token);
+        memoryDeleteVerificationToken(hash);
         return;
     }
     if (_store === "sqlite") {
-        sqliteDeleteVerificationToken(token);
+        sqliteDeleteVerificationToken(hash);
         return;
     }
     if (_store === "mongo") {
-        await getVerificationModel().deleteOne({ token });
+        await getVerificationModel().deleteOne({ token: hash });
         return;
     }
-    await getRedis().del(`verify:${getAppName()}:${token}`);
+    await getRedis().del(`verify:${getAppName()}:${hash}`);
 };

package/dist/lib/jwt.js

@@ -1,11 +1,24 @@
 import { SignJWT, jwtVerify } from "jose";
-const isProd = process.env.NODE_ENV === "production";
-const secret = new TextEncoder().encode(isProd ? process.env.JWT_SECRET_PROD : process.env.JWT_SECRET_DEV);
+let _secret = null;
+function getSecret() {
+    if (_secret)
+        return _secret;
+    const isProd = process.env.NODE_ENV === "production";
+    const envKey = isProd ? "JWT_SECRET_PROD" : "JWT_SECRET_DEV";
+    const rawSecret = process.env[envKey];
+    if (!rawSecret || rawSecret.length < 32) {
+        throw new Error(`[security] ${envKey} is missing or too short (${rawSecret?.length ?? 0} chars). ` +
+            `JWT secrets must be at least 32 characters. Generate one with: ` +
+            `node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"`);
+    }
+    _secret = new TextEncoder().encode(rawSecret);
+    return _secret;
+}
 export const signToken = async (userId, sessionId, expirySeconds) => new SignJWT({ sub: userId, sid: sessionId })
     .setProtectedHeader({ alg: "HS256" })
     .setExpirationTime(expirySeconds ? `${expirySeconds}s` : "7d")
-    .sign(secret);
+    .sign(getSecret());
 export const verifyToken = async (token) => {
-    const { payload } = await jwtVerify(token, secret);
+    const { payload } = await jwtVerify(token, getSecret());
     return payload;
 };

package/dist/lib/mfaChallenge.d.ts

@@ -1,12 +1,21 @@
+export type MfaChallengePurpose = "login" | "webauthn-registration";
+export interface MfaChallengeOptions {
+    emailOtpHash?: string;
+    webauthnChallenge?: string;
+}
 export interface MfaChallengeData {
     userId: string;
+    purpose: MfaChallengePurpose;
     emailOtpHash?: string;
+    webauthnChallenge?: string;
 }
+/** Reset all in-memory MFA challenge state. Called by clearMemoryStore(). */
+export declare const clearMemoryMfaChallenges: () => void;
 /** Must be called when store is "sqlite" to inject the db instance. */
 export declare const setMfaChallengeSqliteDb: (db: any) => void;
 type MfaChallengeStore = "redis" | "mongo" | "sqlite" | "memory";
 export declare const setMfaChallengeStore: (store: MfaChallengeStore) => void;
-export declare const createMfaChallenge: (userId: string, emailOtpHash?: string) => Promise<string>;
+export declare const createMfaChallenge: (userId: string, options?: MfaChallengeOptions) => Promise<string>;
 export declare const consumeMfaChallenge: (token: string) => Promise<MfaChallengeData | null>;
 /**
  * Replace the email OTP hash on an existing challenge without consuming it.
@@ -17,4 +26,17 @@ export declare const replaceMfaChallengeOtp: (token: string, newEmailOtpHash: st
     userId: string;
     resendCount: number;
 } | null>;
+/**
+ * Create a WebAuthn registration challenge token. Separate from the login flow —
+ * uses `purpose: "webauthn-registration"` so it cannot be consumed by `consumeMfaChallenge`.
+ */
+export declare const createWebAuthnRegistrationChallenge: (userId: string, challenge: string) => Promise<string>;
+/**
+ * Consume a WebAuthn registration challenge token.
+ * Only accepts tokens with `purpose: "webauthn-registration"`.
+ */
+export declare const consumeWebAuthnRegistrationChallenge: (token: string) => Promise<{
+    userId: string;
+    challenge: string;
+} | null>;
 export {};

package/dist/lib/mfaChallenge.js

@@ -1,6 +1,7 @@
 import { getRedis } from "./redis";
 import { appConnection, mongoose } from "./mongo";
 import { getAppName, getMfaChallengeTtl } from "./appConfig";
+import { sha256 } from "./crypto";
 const MAX_RESENDS = 3;
 function getMfaChallengeModel() {
     if (appConnection.models["MfaChallenge"])
@@ -9,7 +10,9 @@ function getMfaChallengeModel() {
     const schema = new Schema({
         token: { type: String, required: true, unique: true },
         userId: { type: String, required: true },
+        purpose: { type: String, required: true, default: "login" },
         emailOtpHash: { type: String },
+        webauthnChallenge: { type: String },
         createdAt: { type: Date, required: true },
         resendCount: { type: Number, required: true, default: 0 },
         expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
@@ -20,6 +23,8 @@ function getMfaChallengeModel() {
 // In-memory store
 // ---------------------------------------------------------------------------
 const _memoryChallenges = new Map();
+/** Reset all in-memory MFA challenge state. Called by clearMemoryStore(). */
+export const clearMemoryMfaChallenges = () => { _memoryChallenges.clear(); };
 // ---------------------------------------------------------------------------
 // SQLite store (reuses the existing SQLite DB instance)
 // ---------------------------------------------------------------------------
@@ -31,14 +36,16 @@ function ensureSqliteMfaTable() {
     if (_sqliteTableCreated || !_sqliteDb)
         return;
     _sqliteDb.run(`CREATE TABLE IF NOT EXISTS mfa_challenges (
-    token        TEXT PRIMARY KEY,
-    userId       TEXT NOT NULL,
-    emailOtpHash TEXT,
-    createdAt    INTEGER NOT NULL,
-    resendCount  INTEGER NOT NULL DEFAULT 0,
-    expiresAt    INTEGER NOT NULL
+    token             TEXT PRIMARY KEY,
+    userId            TEXT NOT NULL,
+    purpose           TEXT NOT NULL DEFAULT 'login',
+    emailOtpHash      TEXT,
+    webauthnChallenge TEXT,
+    createdAt         INTEGER NOT NULL,
+    resendCount       INTEGER NOT NULL DEFAULT 0,
+    expiresAt         INTEGER NOT NULL
   )`);
-    // Migrate pre-existing tables that lack the new columns
+    // Migrate pre-existing tables that lack newer columns
     try {
         _sqliteDb.run("ALTER TABLE mfa_challenges ADD COLUMN emailOtpHash TEXT");
     }
@@ -51,6 +58,14 @@ function ensureSqliteMfaTable() {
         _sqliteDb.run("ALTER TABLE mfa_challenges ADD COLUMN resendCount INTEGER NOT NULL DEFAULT 0");
     }
     catch { /* already exists */ }
+    try {
+        _sqliteDb.run("ALTER TABLE mfa_challenges ADD COLUMN purpose TEXT NOT NULL DEFAULT 'login'");
+    }
+    catch { /* already exists */ }
+    try {
+        _sqliteDb.run("ALTER TABLE mfa_challenges ADD COLUMN webauthnChallenge TEXT");
+    }
+    catch { /* already exists */ }
     _sqliteTableCreated = true;
 }
 let _store = "redis";
@@ -58,24 +73,30 @@ export const setMfaChallengeStore = (store) => { _store = store; };
 // ---------------------------------------------------------------------------
 // Public API
 // ---------------------------------------------------------------------------
-export const createMfaChallenge = async (userId, emailOtpHash) => {
+export const createMfaChallenge = async (userId, options) => {
     const token = crypto.randomUUID();
+    const hash = sha256(token);
     const ttl = getMfaChallengeTtl();
     const now = Date.now();
+    const purpose = "login";
+    const emailOtpHash = options?.emailOtpHash;
+    const webauthnChallenge = options?.webauthnChallenge;
     if (_store === "memory") {
-        _memoryChallenges.set(token, { userId, emailOtpHash, createdAt: now, resendCount: 0, expiresAt: now + ttl * 1000 });
+        _memoryChallenges.set(hash, { userId, purpose, emailOtpHash, webauthnChallenge, createdAt: now, resendCount: 0, expiresAt: now + ttl * 1000 });
         return token;
     }
     if (_store === "sqlite") {
         ensureSqliteMfaTable();
-        _sqliteDb.run("INSERT INTO mfa_challenges (token, userId, emailOtpHash, createdAt, resendCount, expiresAt) VALUES (?, ?, ?, ?, 0, ?)", [token, userId, emailOtpHash ?? null, now, now + ttl * 1000]);
+        _sqliteDb.run("INSERT INTO mfa_challenges (token, userId, purpose, emailOtpHash, webauthnChallenge, createdAt, resendCount, expiresAt) VALUES (?, ?, ?, ?, ?, ?, 0, ?)", [hash, userId, purpose, emailOtpHash ?? null, webauthnChallenge ?? null, now, now + ttl * 1000]);
         return token;
     }
     if (_store === "mongo") {
         await getMfaChallengeModel().create({
-            token,
+            token: hash,
             userId,
+            purpose,
             emailOtpHash,
+            webauthnChallenge,
             createdAt: new Date(now),
             resendCount: 0,
             expiresAt: new Date(now + ttl * 1000),
@@ -83,36 +104,45 @@ export const createMfaChallenge = async (userId, emailOtpHash) => {
         return token;
     }
     // redis
-    await getRedis().set(`mfachallenge:${getAppName()}:${token}`, JSON.stringify({ userId, emailOtpHash, createdAt: now, resendCount: 0 }), "EX", ttl);
+    await getRedis().set(`mfachallenge:${getAppName()}:${hash}`, JSON.stringify({ userId, purpose, emailOtpHash, webauthnChallenge, createdAt: now, resendCount: 0 }), "EX", ttl);
     return token;
 };
 export const consumeMfaChallenge = async (token) => {
+    const hash = sha256(token);
     if (_store === "memory") {
-        const entry = _memoryChallenges.get(token);
+        const entry = _memoryChallenges.get(hash);
         if (!entry || entry.expiresAt <= Date.now()) {
-            _memoryChallenges.delete(token);
+            _memoryChallenges.delete(hash);
             return null;
         }
-        _memoryChallenges.delete(token);
-        return { userId: entry.userId, emailOtpHash: entry.emailOtpHash };
+        _memoryChallenges.delete(hash);
+        if (entry.purpose !== "login")
+            return null;
+        return { userId: entry.userId, purpose: entry.purpose, emailOtpHash: entry.emailOtpHash, webauthnChallenge: entry.webauthnChallenge };
     }
     if (_store === "sqlite") {
         ensureSqliteMfaTable();
-        const row = _sqliteDb.query("DELETE FROM mfa_challenges WHERE token = ? AND expiresAt > ? RETURNING userId, emailOtpHash").get(token, Date.now());
-        return row ? { userId: row.userId, emailOtpHash: row.emailOtpHash ?? undefined } : null;
+        const row = _sqliteDb.query("DELETE FROM mfa_challenges WHERE token = ? AND expiresAt > ? RETURNING userId, purpose, emailOtpHash, webauthnChallenge").get(hash, Date.now());
+        if (!row || row.purpose !== "login")
+            return null;
+        return { userId: row.userId, purpose: "login", emailOtpHash: row.emailOtpHash ?? undefined, webauthnChallenge: row.webauthnChallenge ?? undefined };
     }
     if (_store === "mongo") {
-        const doc = await getMfaChallengeModel().findOneAndDelete({ token, expiresAt: { $gt: new Date() } });
-        return doc ? { userId: doc.userId, emailOtpHash: doc.emailOtpHash } : null;
+        const doc = await getMfaChallengeModel().findOneAndDelete({ token: hash, expiresAt: { $gt: new Date() } });
+        if (!doc || doc.purpose !== "login")
+            return null;
+        return { userId: doc.userId, purpose: "login", emailOtpHash: doc.emailOtpHash, webauthnChallenge: doc.webauthnChallenge };
     }
     // redis
-    const key = `mfachallenge:${getAppName()}:${token}`;
+    const key = `mfachallenge:${getAppName()}:${hash}`;
     const raw = await getRedis().get(key);
     if (!raw)
         return null;
     await getRedis().del(key);
     const data = JSON.parse(raw);
-    return { userId: data.userId, emailOtpHash: data.emailOtpHash };
+    if (data.purpose !== "login")
+        return null;
+    return { userId: data.userId, purpose: "login", emailOtpHash: data.emailOtpHash, webauthnChallenge: data.webauthnChallenge };
 };
 /**
  * Replace the email OTP hash on an existing challenge without consuming it.
@@ -120,11 +150,12 @@ export const consumeMfaChallenge = async (token) => {
  * Returns { userId, resendCount } on success, null if challenge not found/expired/max resends reached.
  */
 export const replaceMfaChallengeOtp = async (token, newEmailOtpHash) => {
+    const hash = sha256(token);
     const ttl = getMfaChallengeTtl();
     if (_store === "memory") {
-        const entry = _memoryChallenges.get(token);
+        const entry = _memoryChallenges.get(hash);
         if (!entry || entry.expiresAt <= Date.now()) {
-            _memoryChallenges.delete(token);
+            _memoryChallenges.delete(hash);
             return null;
         }
         if (entry.resendCount >= MAX_RESENDS)
@@ -139,34 +170,33 @@ export const replaceMfaChallengeOtp = async (token, newEmailOtpHash) => {
     if (_store === "sqlite") {
         ensureSqliteMfaTable();
         const now = Date.now();
-        const existing = _sqliteDb.query("SELECT createdAt, resendCount FROM mfa_challenges WHERE token = ? AND expiresAt > ?").get(token, now);
+        const existing = _sqliteDb.query("SELECT createdAt, resendCount FROM mfa_challenges WHERE token = ? AND expiresAt > ?").get(hash, now);
         if (!existing || existing.resendCount >= MAX_RESENDS)
             return null;
         const newExpiry = Math.min(now + ttl * 1000, existing.createdAt + ttl * 3 * 1000);
         const newCount = existing.resendCount + 1;
-        const row = _sqliteDb.query("UPDATE mfa_challenges SET emailOtpHash = ?, resendCount = ?, expiresAt = ? WHERE token = ? RETURNING userId").get(newEmailOtpHash, newCount, newExpiry, token);
+        const row = _sqliteDb.query("UPDATE mfa_challenges SET emailOtpHash = ?, resendCount = ?, expiresAt = ? WHERE token = ? RETURNING userId").get(newEmailOtpHash, newCount, newExpiry, hash);
         return row ? { userId: row.userId, resendCount: newCount } : null;
     }
     if (_store === "mongo") {
         const now = new Date();
-        const doc = await getMfaChallengeModel().findOneAndUpdate({ token, expiresAt: { $gt: now }, resendCount: { $lt: MAX_RESENDS } }, [
-            {
-                $set: {
-                    emailOtpHash: newEmailOtpHash,
-                    resendCount: { $add: ["$resendCount", 1] },
-                    expiresAt: {
-                        $min: [
-                            new Date(Date.now() + ttl * 1000),
-                            { $add: ["$createdAt", ttl * 3 * 1000] },
-                        ],
-                    },
-                },
-            },
-        ], { new: true });
-        return doc ? { userId: doc.userId, resendCount: doc.resendCount } : null;
+        const existing = await getMfaChallengeModel().findOne({
+            token: hash,
+            expiresAt: { $gt: now },
+            resendCount: { $lt: MAX_RESENDS },
+        });
+        if (!existing)
+            return null;
+        const newCount = existing.resendCount + 1;
+        const newExpiry = new Date(Math.min(Date.now() + ttl * 1000, existing.createdAt.getTime() + ttl * 3 * 1000));
+        existing.emailOtpHash = newEmailOtpHash;
+        existing.resendCount = newCount;
+        existing.expiresAt = newExpiry;
+        await existing.save();
+        return { userId: existing.userId, resendCount: newCount };
     }
     // redis
-    const key = `mfachallenge:${getAppName()}:${token}`;
+    const key = `mfachallenge:${getAppName()}:${hash}`;
     const raw = await getRedis().get(key);
     if (!raw)
         return null;
@@ -182,3 +212,82 @@ export const replaceMfaChallengeOtp = async (token, newEmailOtpHash) => {
     await getRedis().set(key, JSON.stringify(data), "EX", remainingTtl);
     return { userId: data.userId, resendCount: data.resendCount };
 };
+// ---------------------------------------------------------------------------
+// WebAuthn registration challenge helpers
+// ---------------------------------------------------------------------------
+/**
+ * Create a WebAuthn registration challenge token. Separate from the login flow —
+ * uses `purpose: "webauthn-registration"` so it cannot be consumed by `consumeMfaChallenge`.
+ */
+export const createWebAuthnRegistrationChallenge = async (userId, challenge) => {
+    const token = crypto.randomUUID();
+    const hash = sha256(token);
+    const ttl = getMfaChallengeTtl();
+    const now = Date.now();
+    const purpose = "webauthn-registration";
+    if (_store === "memory") {
+        _memoryChallenges.set(hash, { userId, purpose, webauthnChallenge: challenge, createdAt: now, resendCount: 0, expiresAt: now + ttl * 1000 });
+        return token;
+    }
+    if (_store === "sqlite") {
+        ensureSqliteMfaTable();
+        _sqliteDb.run("INSERT INTO mfa_challenges (token, userId, purpose, webauthnChallenge, createdAt, resendCount, expiresAt) VALUES (?, ?, ?, ?, ?, 0, ?)", [hash, userId, purpose, challenge, now, now + ttl * 1000]);
+        return token;
+    }
+    if (_store === "mongo") {
+        await getMfaChallengeModel().create({
+            token: hash,
+            userId,
+            purpose,
+            webauthnChallenge: challenge,
+            createdAt: new Date(now),
+            resendCount: 0,
+            expiresAt: new Date(now + ttl * 1000),
+        });
+        return token;
+    }
+    // redis
+    await getRedis().set(`mfachallenge:${getAppName()}:${hash}`, JSON.stringify({ userId, purpose, webauthnChallenge: challenge, createdAt: now, resendCount: 0 }), "EX", ttl);
+    return token;
+};
+/**
+ * Consume a WebAuthn registration challenge token.
+ * Only accepts tokens with `purpose: "webauthn-registration"`.
+ */
+export const consumeWebAuthnRegistrationChallenge = async (token) => {
+    const hash = sha256(token);
+    if (_store === "memory") {
+        const entry = _memoryChallenges.get(hash);
+        if (!entry || entry.expiresAt <= Date.now()) {
+            _memoryChallenges.delete(hash);
+            return null;
+        }
+        _memoryChallenges.delete(hash);
+        if (entry.purpose !== "webauthn-registration" || !entry.webauthnChallenge)
+            return null;
+        return { userId: entry.userId, challenge: entry.webauthnChallenge };
+    }
+    if (_store === "sqlite") {
+        ensureSqliteMfaTable();
+        const row = _sqliteDb.query("DELETE FROM mfa_challenges WHERE token = ? AND expiresAt > ? RETURNING userId, purpose, webauthnChallenge").get(hash, Date.now());
+        if (!row || row.purpose !== "webauthn-registration" || !row.webauthnChallenge)
+            return null;
+        return { userId: row.userId, challenge: row.webauthnChallenge };
+    }
+    if (_store === "mongo") {
+        const doc = await getMfaChallengeModel().findOneAndDelete({ token: hash, expiresAt: { $gt: new Date() } });
+        if (!doc || doc.purpose !== "webauthn-registration" || !doc.webauthnChallenge)
+            return null;
+        return { userId: doc.userId, challenge: doc.webauthnChallenge };
+    }
+    // redis
+    const key = `mfachallenge:${getAppName()}:${hash}`;
+    const raw = await getRedis().get(key);
+    if (!raw)
+        return null;
+    await getRedis().del(key);
+    const data = JSON.parse(raw);
+    if (data.purpose !== "webauthn-registration" || !data.webauthnChallenge)
+        return null;
+    return { userId: data.userId, challenge: data.webauthnChallenge };
+};

package/dist/lib/oauth.d.ts

@@ -1,4 +1,4 @@
-import { Google, Apple, generateState, generateCodeVerifier } from "arctic";
+import { Google, Apple, MicrosoftEntraId, GitHub, generateState, generateCodeVerifier } from "arctic";
 export type OAuthProviderConfig = {
     google?: {
         clientId: string;
@@ -12,10 +12,23 @@ export type OAuthProviderConfig = {
         privateKey: string;
         redirectUri: string;
     };
+    microsoft?: {
+        tenantId: string;
+        clientId: string;
+        clientSecret: string;
+        redirectUri: string;
+    };
+    github?: {
+        clientId: string;
+        clientSecret: string;
+        redirectUri: string;
+    };
 };
 export declare const initOAuthProviders: (config: OAuthProviderConfig) => void;
 export declare const getGoogle: () => Google;
 export declare const getApple: () => Apple;
+export declare const getMicrosoft: () => MicrosoftEntraId;
+export declare const getGitHub: () => GitHub;
 export declare const getConfiguredOAuthProviders: () => string[];
 type OAuthStateStore = "redis" | "mongo" | "sqlite" | "memory";
 export declare const setOAuthStateStore: (store: OAuthStateStore) => void;

package/dist/lib/oauth.js

@@ -1,4 +1,4 @@
-import { Google, Apple, generateState, generateCodeVerifier } from "arctic";
+import { Google, Apple, MicrosoftEntraId, GitHub, generateState, generateCodeVerifier } from "arctic";
 import { getRedis } from "./redis";
 import { appConnection, mongoose } from "./mongo";
 import { getAppName } from "./appConfig";
@@ -14,6 +14,14 @@ export const initOAuthProviders = (config) => {
         const { clientId, teamId, keyId, privateKey, redirectUri } = config.apple;
         _providers.apple = new Apple(clientId, teamId, keyId, new TextEncoder().encode(privateKey), redirectUri);
     }
+    if (config.microsoft) {
+        const { tenantId, clientId, clientSecret, redirectUri } = config.microsoft;
+        _providers.microsoft = new MicrosoftEntraId(tenantId, clientId, clientSecret, redirectUri);
+    }
+    if (config.github) {
+        const { clientId, clientSecret, redirectUri } = config.github;
+        _providers.github = new GitHub(clientId, clientSecret, redirectUri);
+    }
 };
 export const getGoogle = () => {
     if (!_providers.google)
@@ -25,6 +33,16 @@ export const getApple = () => {
         throw new Error("Apple OAuth not configured");
     return _providers.apple;
 };
+export const getMicrosoft = () => {
+    if (!_providers.microsoft)
+        throw new Error("Microsoft Entra ID OAuth not configured");
+    return _providers.microsoft;
+};
+export const getGitHub = () => {
+    if (!_providers.github)
+        throw new Error("GitHub OAuth not configured");
+    return _providers.github;
+};
 export const getConfiguredOAuthProviders = () => Object.entries(_providers)
     .filter(([, v]) => v != null)
     .map(([k]) => k);