@lastshotlabs/bunshot 0.0.16 → 0.0.18

package/dist/lib/oauthCode.d.ts

@@ -0,0 +1,15 @@
+type OAuthCodeStore = "redis" | "mongo" | "sqlite" | "memory";
+export declare const setOAuthCodeStore: (store: OAuthCodeStore) => void;
+export interface OAuthCodePayload {
+    token: string;
+    userId: string;
+    email?: string;
+    refreshToken?: string;
+}
+/** Store a one-time authorization code. Returns the raw code (for the redirect URL).
+ *  Only the SHA-256 hash is persisted. */
+export declare const storeOAuthCode: (payload: OAuthCodePayload) => Promise<string>;
+/** Atomically consume an authorization code — returns its payload and deletes it.
+ *  Returns null if invalid, expired, or already used. */
+export declare const consumeOAuthCode: (code: string) => Promise<OAuthCodePayload | null>;
+export {};

package/dist/lib/oauthCode.js

@@ -0,0 +1,90 @@
+import { getRedis } from "./redis";
+import { appConnection, mongoose } from "./mongo";
+import { getAppName } from "./appConfig";
+import { sha256 } from "./crypto";
+import { memoryStoreOAuthCode, memoryConsumeOAuthCode, } from "../adapters/memoryAuth";
+import { sqliteStoreOAuthCode, sqliteConsumeOAuthCode, } from "../adapters/sqliteAuth";
+function getOAuthCodeModel() {
+    if (appConnection.models["OAuthCode"])
+        return appConnection.models["OAuthCode"];
+    const { Schema } = mongoose;
+    const schema = new Schema({
+        codeHash: { type: String, required: true, unique: true },
+        token: { type: String, required: true },
+        userId: { type: String, required: true },
+        email: { type: String },
+        refreshToken: { type: String },
+        expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
+    }, { collection: "oauth_codes" });
+    return appConnection.model("OAuthCode", schema);
+}
+let _store = "redis";
+export const setOAuthCodeStore = (store) => { _store = store; };
+const CODE_TTL = 60; // 60 seconds
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+/** Store a one-time authorization code. Returns the raw code (for the redirect URL).
+ *  Only the SHA-256 hash is persisted. */
+export const storeOAuthCode = async (payload) => {
+    const code = crypto.randomUUID();
+    const hash = sha256(code);
+    if (_store === "memory") {
+        memoryStoreOAuthCode(hash, payload, CODE_TTL);
+        return code;
+    }
+    if (_store === "sqlite") {
+        sqliteStoreOAuthCode(hash, payload, CODE_TTL);
+        return code;
+    }
+    if (_store === "mongo") {
+        await getOAuthCodeModel().create({
+            codeHash: hash,
+            ...payload,
+            expiresAt: new Date(Date.now() + CODE_TTL * 1000),
+        });
+        return code;
+    }
+    // Redis
+    await getRedis().set(`oauthcode:${getAppName()}:${hash}`, JSON.stringify(payload), "EX", CODE_TTL);
+    return code;
+};
+/** Atomically consume an authorization code — returns its payload and deletes it.
+ *  Returns null if invalid, expired, or already used. */
+export const consumeOAuthCode = async (code) => {
+    const hash = sha256(code);
+    if (_store === "memory")
+        return memoryConsumeOAuthCode(hash);
+    if (_store === "sqlite")
+        return sqliteConsumeOAuthCode(hash);
+    if (_store === "mongo") {
+        const doc = await getOAuthCodeModel()
+            .findOneAndDelete({ codeHash: hash, expiresAt: { $gt: new Date() } })
+            .lean();
+        if (!doc)
+            return null;
+        return { token: doc.token, userId: doc.userId, email: doc.email, refreshToken: doc.refreshToken };
+    }
+    // Redis
+    const key = `oauthcode:${getAppName()}:${hash}`;
+    const redis = getRedis();
+    let raw = null;
+    if (typeof redis.getdel === "function") {
+        try {
+            raw = await redis.getdel(key);
+        }
+        catch {
+            raw = await redis.get(key);
+            if (raw)
+                await redis.del(key);
+        }
+    }
+    else {
+        raw = await redis.get(key);
+        if (raw)
+            await redis.del(key);
+    }
+    if (!raw)
+        return null;
+    return JSON.parse(raw);
+};

package/dist/lib/resetPassword.js

@@ -1,24 +1,20 @@
-import { createHash } from "crypto";
 import { getRedis } from "./redis";
-import { appConnection } from "./mongo";
+import { appConnection, mongoose } from "./mongo";
 import { getAppName, getResetTokenExpiry } from "./appConfig";
-import { Schema } from "mongoose";
 import { sqliteCreateResetToken, sqliteConsumeResetToken, } from "../adapters/sqliteAuth";
 import { memoryCreateResetToken, memoryConsumeResetToken, } from "../adapters/memoryAuth";
-// ---------------------------------------------------------------------------
-// Token hashing — store SHA-256(token); raw token is only in the email link.
-// If the store is ever leaked, outstanding tokens cannot be replayed directly.
-// ---------------------------------------------------------------------------
-const hashToken = (token) => createHash("sha256").update(token).digest("hex");
-const resetSchema = new Schema({
-    token: { type: String, required: true, unique: true },
-    userId: { type: String, required: true },
-    email: { type: String, required: true },
-    expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
-}, { collection: "password_resets" });
+import { sha256 as hashToken } from "./crypto";
 function getResetModel() {
-    return appConnection.models["PasswordReset"] ??
-        appConnection.model("PasswordReset", resetSchema);
+    if (appConnection.models["PasswordReset"])
+        return appConnection.models["PasswordReset"];
+    const { Schema } = mongoose;
+    const resetSchema = new Schema({
+        token: { type: String, required: true, unique: true },
+        userId: { type: String, required: true },
+        email: { type: String, required: true },
+        expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
+    }, { collection: "password_resets" });
+    return appConnection.model("PasswordReset", resetSchema);
 }
 // ---------------------------------------------------------------------------
 // Redis helpers

package/dist/lib/session.js

@@ -16,11 +16,11 @@ function getSessionModel() {
         expiresAt: { type: Date, required: true },
         ipAddress: { type: String },
         userAgent: { type: String },
-        refreshToken: { type: String, default: null, sparse: true },
+        refreshToken: { type: String, default: null },
         prevRefreshToken: { type: String, default: null },
         prevTokenExpiresAt: { type: Date, default: null },
     }, { collection: "sessions", timestamps: false });
-    sessionSchema.index({ refreshToken: 1 }, { sparse: true, unique: true });
+    sessionSchema.index({ refreshToken: 1 }, { unique: true, partialFilterExpression: { refreshToken: { $type: "string" } } });
     // Add TTL index only when metadata is not persisted — docs auto-delete at expiresAt.
     // When persisting, token is nulled (soft-delete) but the row is kept indefinitely.
     if (!getPersistSessionMetadata()) {
@@ -234,9 +234,11 @@ async function redisRotateRefreshToken(sessionId, newRefreshToken, newAccessToke
     await redis.set(redisSessionKey(sessionId), JSON.stringify(rec));
     // Set new reverse-lookup with full refresh expiry
     await redis.set(redisRefreshTokenKey(newRefreshToken), sessionId, "EX", refreshExpiry);
-    // Update old reverse-lookup to expire after grace window
+    // Update old reverse-lookup to expire after grace window.
+    // Use a minimum TTL of 60s so that theft detection still works when grace is 0.
     if (oldRefreshToken) {
-        await redis.expire(redisRefreshTokenKey(oldRefreshToken), graceSeconds);
+        const oldKeyTtl = Math.max(graceSeconds, 60);
+        await redis.expire(redisRefreshTokenKey(oldRefreshToken), oldKeyTtl);
     }
 }
 // ---------------------------------------------------------------------------

package/dist/lib/ws.js

@@ -11,9 +11,13 @@ const _roomRegistry = new Map();
 export const getRooms = () => [..._roomRegistry.keys()];
 /** Socket IDs subscribed to a given room */
 export const getRoomSubscribers = (room) => [...(_roomRegistry.get(room) ?? [])];
+const MAX_ROOM_ACTION_SIZE = 4096; // 4 KB — room actions are small JSON payloads
 export const handleRoomActions = async (ws, message, onSubscribe) => {
     try {
-        const data = JSON.parse(typeof message === "string" ? message : Buffer.from(message).toString());
+        const raw = typeof message === "string" ? message : Buffer.from(message).toString();
+        if (raw.length > MAX_ROOM_ACTION_SIZE)
+            return false; // not a room action
+        const data = JSON.parse(raw);
         if (data.action === "subscribe" && typeof data.room === "string") {
             if (onSubscribe && !(await onSubscribe(ws, data.room))) {
                 ws.send(JSON.stringify({ event: "subscribe_denied", room: data.room }));

package/dist/middleware/bearerAuth.js

@@ -1,9 +1,10 @@
-const isProd = process.env.NODE_ENV === "production";
-const validToken = isProd ? process.env.BEARER_TOKEN_PROD : process.env.BEARER_TOKEN_DEV;
+import { timingSafeEqual } from "../lib/crypto";
 export const bearerAuth = async (c, next) => {
+    const isProd = process.env.NODE_ENV === "production";
+    const validToken = isProd ? process.env.BEARER_TOKEN_PROD : process.env.BEARER_TOKEN_DEV;
     const header = c.req.header("Authorization");
     const token = header?.startsWith("Bearer ") ? header.slice(7) : null;
-    if (!token || token !== validToken) {
+    if (!token || !validToken || !timingSafeEqual(token, validToken)) {
         return c.json({ error: "Unauthorized" }, 401);
     }
     await next();

package/dist/middleware/botProtection.js

@@ -1,3 +1,4 @@
+import { getClientIp } from "../lib/clientIp";
 // ---------------------------------------------------------------------------
 // CIDR helpers (IPv4 only; IPv6 exact-match supported)
 // ---------------------------------------------------------------------------
@@ -40,8 +41,7 @@ export const botProtection = ({ blockList = [], }) => {
     if (blockList.length === 0)
         return (_c, next) => next();
     return async (c, next) => {
-        const raw = c.req.header("x-forwarded-for") ?? "";
-        const ip = raw.split(",")[0]?.trim() ?? "unknown";
+        const ip = getClientIp(c);
         if (ip !== "unknown" && isBlocked(ip, blockList)) {
             return c.json({ error: "Forbidden" }, 403);
         }

package/dist/middleware/cacheResponse.d.ts

@@ -1,5 +1,6 @@
 import type { MiddlewareHandler } from "hono";
 import type { AppEnv } from "../lib/context";
+export declare function getCacheModel(): import("mongoose").Model<any, {}, {}, {}, any, any, any>;
 type CacheStore = "redis" | "mongo" | "sqlite" | "memory";
 export declare const setCacheStore: (store: CacheStore) => void;
 export declare const bustCache: (key: string) => Promise<void>;

package/dist/middleware/cacheResponse.js

@@ -3,7 +3,7 @@ import { getAppName } from "../lib/appConfig";
 import { appConnection, mongoose } from "../lib/mongo";
 import { isSqliteReady, sqliteGetCache, sqliteSetCache, sqliteDelCache, sqliteDelCachePattern } from "../adapters/sqliteAuth";
 import { memoryGetCache, memorySetCache, memoryDelCache, memoryDelCachePattern } from "../adapters/memoryAuth";
-function getCacheModel() {
+export function getCacheModel() {
     if (appConnection.models["CacheEntry"])
         return appConnection.models["CacheEntry"];
     const { Schema } = mongoose;
@@ -130,6 +130,14 @@ export const bustCachePattern = async (pattern) => {
     const fullPattern = `cache:${getAppName()}:${pattern}`;
     await Promise.all([storeDelPattern("redis", fullPattern), storeDelPattern("mongo", fullPattern), storeDelPattern("sqlite", fullPattern), storeDelPattern("memory", fullPattern)]);
 };
+/** Headers that must never be cached — storing these can cause session fixation or auth bypass. */
+const UNCACHEABLE_HEADERS = new Set([
+    "set-cookie",
+    "www-authenticate",
+    "authorization",
+    "x-csrf-token",
+    "proxy-authenticate",
+]);
 export const cacheResponse = ({ ttl, key, store = _defaultCacheStore }) => {
     return async (c, next) => {
         const appName = getAppName();
@@ -151,7 +159,11 @@ export const cacheResponse = ({ ttl, key, store = _defaultCacheStore }) => {
         if (res.status >= 200 && res.status < 300) {
             const body = await res.text();
             const headers = {};
-            res.headers.forEach((value, name) => { headers[name] = value; });
+            res.headers.forEach((value, name) => {
+                if (!UNCACHEABLE_HEADERS.has(name.toLowerCase())) {
+                    headers[name] = value;
+                }
+            });
             await storeSet(store, cacheKey, JSON.stringify({ status: res.status, headers, body }), ttl);
             c.res = new Response(body, {
                 status: res.status,

package/dist/middleware/cors.d.ts

@@ -1,2 +1,4 @@
 import type { Middleware } from ".";
+/** Configure the allowed CORS origins. Call once at startup. */
+export declare const setCorsOrigins: (origins: string | string[]) => void;
 export declare const cors: Middleware;

package/dist/middleware/cors.js

@@ -1,17 +1,31 @@
+let _allowedOrigins = "*";
+/** Configure the allowed CORS origins. Call once at startup. */
+export const setCorsOrigins = (origins) => { _allowedOrigins = origins; };
 export const cors = async (req, next) => {
+    const origin = req.headers.get("Origin");
+    const headers = corsHeaders(origin);
     if (req.method === "OPTIONS") {
-        return new Response(null, { status: 204, headers: corsHeaders() });
+        return new Response(null, { status: 204, headers });
     }
     const res = await next(req);
-    const headers = new Headers(res.headers);
-    for (const [k, v] of Object.entries(corsHeaders()))
-        headers.set(k, v);
-    return new Response(res.body, { status: res.status, headers });
+    const resHeaders = new Headers(res.headers);
+    for (const [k, v] of Object.entries(headers))
+        resHeaders.set(k, v);
+    return new Response(res.body, { status: res.status, headers: resHeaders });
 };
-const corsHeaders = () => {
+function corsHeaders(requestOrigin) {
+    let allowOrigin;
+    if (_allowedOrigins === "*") {
+        allowOrigin = "*";
+    }
+    else {
+        const origins = Array.isArray(_allowedOrigins) ? _allowedOrigins : [_allowedOrigins];
+        allowOrigin = requestOrigin && origins.includes(requestOrigin) ? requestOrigin : origins[0];
+    }
     return {
-        "Access-Control-Allow-Origin": "*",
+        "Access-Control-Allow-Origin": allowOrigin,
         "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
         "Access-Control-Allow-Headers": "Content-Type, Authorization",
+        ...(allowOrigin !== "*" ? { Vary: "Origin" } : {}),
     };
-};
+}

package/dist/middleware/csrf.d.ts

@@ -0,0 +1,18 @@
+import type { MiddlewareHandler } from "hono";
+import { setCookie, deleteCookie } from "hono/cookie";
+import type { AppEnv } from "../lib/context";
+export interface CsrfMiddlewareOptions {
+    exemptPaths?: string[];
+    checkOrigin?: boolean;
+    allowedOrigins?: string | string[];
+}
+/**
+ * Refreshes the CSRF token cookie — call on login/register to prevent
+ * session fixation-adjacent attacks.
+ */
+export declare function refreshCsrfToken(c: Parameters<typeof setCookie>[0]): void;
+/**
+ * Clears the CSRF token cookie — call on logout.
+ */
+export declare function clearCsrfToken(c: Parameters<typeof deleteCookie>[0]): void;
+export declare const csrfProtection: (options?: CsrfMiddlewareOptions) => MiddlewareHandler<AppEnv>;

package/dist/middleware/csrf.js

@@ -0,0 +1,115 @@
+import { getCookie, setCookie, deleteCookie } from "hono/cookie";
+import { timingSafeEqual } from "../lib/crypto";
+import { COOKIE_TOKEN, COOKIE_CSRF_TOKEN, HEADER_CSRF_TOKEN } from "../lib/constants";
+import { createHmac, randomBytes } from "crypto";
+const isProd = process.env.NODE_ENV === "production";
+const STATE_CHANGING_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);
+function getJwtSecret() {
+    const secret = isProd ? process.env.JWT_SECRET_PROD : process.env.JWT_SECRET_DEV;
+    if (!secret)
+        throw new Error("CSRF middleware requires JWT_SECRET_DEV/JWT_SECRET_PROD to be set");
+    return secret;
+}
+function generateCsrfToken(secret) {
+    const token = randomBytes(32).toString("hex");
+    const sig = createHmac("sha256", secret).update(token).digest("hex");
+    return `${token}.${sig}`;
+}
+function verifyCsrfSignature(cookieValue, secret) {
+    const dotIdx = cookieValue.indexOf(".");
+    if (dotIdx === -1)
+        return false;
+    const token = cookieValue.substring(0, dotIdx);
+    const sig = cookieValue.substring(dotIdx + 1);
+    const expected = createHmac("sha256", secret).update(token).digest("hex");
+    return timingSafeEqual(sig, expected);
+}
+const csrfCookieOptions = {
+    httpOnly: false,
+    secure: isProd,
+    sameSite: "Lax",
+    path: "/",
+    maxAge: 60 * 60 * 24 * 365, // 1 year — tied to browser, not session
+};
+/**
+ * Refreshes the CSRF token cookie — call on login/register to prevent
+ * session fixation-adjacent attacks.
+ */
+export function refreshCsrfToken(c) {
+    const secret = getJwtSecret();
+    const token = generateCsrfToken(secret);
+    setCookie(c, COOKIE_CSRF_TOKEN, token, csrfCookieOptions);
+}
+/**
+ * Clears the CSRF token cookie — call on logout.
+ */
+export function clearCsrfToken(c) {
+    deleteCookie(c, COOKIE_CSRF_TOKEN, { path: "/" });
+}
+export const csrfProtection = (options = {}) => {
+    const { exemptPaths = [], checkOrigin = true, allowedOrigins } = options;
+    // Normalize allowed origins for origin validation
+    const originSet = new Set();
+    if (allowedOrigins) {
+        const origins = Array.isArray(allowedOrigins) ? allowedOrigins : [allowedOrigins];
+        for (const o of origins) {
+            if (o !== "*")
+                originSet.add(o.replace(/\/$/, ""));
+        }
+    }
+    return async (c, next) => {
+        const secret = getJwtSecret();
+        // Set CSRF cookie on every response if not already present
+        const existingCsrf = getCookie(c, COOKIE_CSRF_TOKEN);
+        if (!existingCsrf) {
+            const token = generateCsrfToken(secret);
+            setCookie(c, COOKIE_CSRF_TOKEN, token, csrfCookieOptions);
+        }
+        // Only validate state-changing methods
+        if (!STATE_CHANGING_METHODS.has(c.req.method)) {
+            return next();
+        }
+        // Skip if no auth cookie present — not vulnerable to CSRF
+        const authCookie = getCookie(c, COOKIE_TOKEN);
+        if (!authCookie) {
+            return next();
+        }
+        // Skip exempt paths
+        const path = c.req.path;
+        for (const exempt of exemptPaths) {
+            if (exempt.endsWith("*")) {
+                if (path.startsWith(exempt.slice(0, -1)))
+                    return next();
+            }
+            else {
+                if (path === exempt)
+                    return next();
+            }
+        }
+        // Origin validation (secondary layer)
+        if (checkOrigin && originSet.size > 0) {
+            const origin = c.req.header("origin");
+            if (origin) {
+                const normalized = origin.replace(/\/$/, "");
+                if (!originSet.has(normalized)) {
+                    return c.json({ error: "CSRF origin mismatch" }, 403);
+                }
+            }
+        }
+        // Double submit cookie validation
+        const csrfCookie = getCookie(c, COOKIE_CSRF_TOKEN);
+        const csrfHeader = c.req.header(HEADER_CSRF_TOKEN);
+        if (!csrfCookie || !csrfHeader) {
+            return c.json({ error: "CSRF token missing" }, 403);
+        }
+        // Verify the cookie's HMAC signature (prevents cookie injection)
+        if (!verifyCsrfSignature(csrfCookie, secret)) {
+            return c.json({ error: "CSRF token invalid" }, 403);
+        }
+        // Compare header value to cookie value
+        if (!timingSafeEqual(csrfHeader, csrfCookie)) {
+            return c.json({ error: "CSRF token mismatch" }, 403);
+        }
+        return next();
+    };
+};

package/dist/middleware/rateLimit.js

@@ -1,11 +1,10 @@
 import { trackAttempt } from "../lib/authRateLimit";
 import { buildFingerprint } from "../lib/fingerprint";
+import { getClientIp } from "../lib/clientIp";
 export const rateLimit = ({ windowMs, max, fingerprintLimit = false, }) => {
     const opts = { windowMs, max };
     return async (c, next) => {
-        // Take the leftmost (client) IP from x-forwarded-for
-        const raw = c.req.header("x-forwarded-for") ?? "";
-        const ip = raw.split(",")[0]?.trim() || "unknown";
+        const ip = getClientIp(c);
         // Per-tenant namespacing: each tenant gets independent rate limit buckets
         const tenantId = c.get("tenantId");
         const prefix = tenantId ? `t:${tenantId}:` : "";

package/dist/models/AuthUser.d.ts

@@ -16,6 +16,15 @@ interface IAuthUser {
     recoveryCodes?: string[];
     /** MFA methods enabled for this user (e.g., ["totp"], ["emailOtp"], ["totp", "emailOtp"]). */
     mfaMethods?: string[];
+    /** WebAuthn credentials (security keys / platform authenticators). */
+    webauthnCredentials?: Array<{
+        credentialId: string;
+        publicKey: string;
+        signCount: number;
+        transports?: string[];
+        name?: string;
+        createdAt: Date;
+    }>;
 }
 type AuthUserDocument = IAuthUser & Document;
 export declare const AuthUser: Model<AuthUserDocument, {}, {}, {}, Document<unknown, {}, AuthUserDocument, {}, import("mongoose").DefaultSchemaOptions> & IAuthUser & Document<import("mongoose").Types.ObjectId, any, any, Record<string, any>, {}> & Required<{

package/dist/models/AuthUser.js

@@ -22,6 +22,15 @@ function getAuthUser() {
             recoveryCodes: [{ type: String }],
             /** MFA methods enabled for this user. */
             mfaMethods: [{ type: String }],
+            /** WebAuthn credentials (security keys / platform authenticators). */
+            webauthnCredentials: [{
+                    credentialId: { type: String, required: true },
+                    publicKey: { type: String, required: true },
+                    signCount: { type: Number, required: true, default: 0 },
+                    transports: [{ type: String }],
+                    name: { type: String },
+                    createdAt: { type: Date, default: Date.now },
+                }],
         }, { timestamps: true });
         schema.index({ providerIds: 1 });
         _AuthUser = authConnection.model("AuthUser", schema);

package/dist/routes/auth.js

@@ -2,7 +2,7 @@ import { createRoute, withSecurity } from "../lib/createRoute";
 import { z } from "zod";
 import { setCookie, getCookie, deleteCookie } from "hono/cookie";
 import * as AuthService from "../services/auth";
-import { makeRegisterSchema, makeLoginSchema } from "../schemas/auth";
+import { makeRegisterSchema, makeLoginSchema, resetPasswordSchema } from "../schemas/auth";
 import { COOKIE_TOKEN, HEADER_USER_TOKEN, COOKIE_REFRESH_TOKEN, HEADER_REFRESH_TOKEN } from "../lib/constants";
 import { userAuth } from "../middleware/userAuth";
 import { isLimited, trackAttempt, bustAuthLimit } from "../lib/authRateLimit";
@@ -10,8 +10,10 @@ import { getAuthAdapter } from "../lib/authAdapter";
 import { createRouter } from "../lib/context";
 import { getVerificationToken, deleteVerificationToken, createVerificationToken } from "../lib/emailVerification";
 import { createResetToken, consumeResetToken } from "../lib/resetPassword";
-import { getRefreshTokenExpiry, getAccessTokenExpiry } from "../lib/appConfig";
+import { getRefreshTokenExpiry, getAccessTokenExpiry, getCsrfEnabled } from "../lib/appConfig";
+import { refreshCsrfToken, clearCsrfToken } from "../middleware/csrf";
 import { getUserSessions, deleteSession, deleteUserSessions } from "../lib/session";
+import { getClientIp } from "../lib/clientIp";
 const isProd = process.env.NODE_ENV === "production";
 const TokenResponse = z.object({
     token: z.string().describe("JWT session token. Also set as an HttpOnly session cookie. Empty string when mfaRequired is true."),
@@ -33,7 +35,6 @@ const cookieOptions = (maxAge) => ({
     path: "/",
     maxAge: maxAge ?? 60 * 60 * 24 * 7, // 7 days
 });
-const clientIp = (xff, xri) => (xff ? xff.split(",")[0]?.trim() : undefined) ?? xri ?? undefined;
 export const createAuthRouter = ({ primaryField, emailVerification, passwordReset, rateLimit, accountDeletion, refreshTokens }) => {
     const router = createRouter();
     const RegisterSchema = makeRegisterSchema(primaryField);
@@ -61,7 +62,7 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
             429: { content: { "application/json": { schema: ErrorResponse } }, description: "Too many registration attempts from this IP. Try again later." },
         },
     }), async (c) => {
-        const ip = clientIp(c.req.header("x-forwarded-for"), c.req.header("x-real-ip")) ?? "unknown";
+        const ip = getClientIp(c);
         if (await trackAttempt(`register:${ip}`, registerOpts)) {
             return c.json({ error: "Too many registration attempts. Try again later." }, 429);
         }
@@ -76,6 +77,8 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
         if (result.refreshToken) {
             setCookie(c, COOKIE_REFRESH_TOKEN, result.refreshToken, cookieOptions(getRefreshTokenExpiry()));
         }
+        if (getCsrfEnabled())
+            refreshCsrfToken(c);
         return c.json(result, 201);
     });
     router.openapi(createRoute({
@@ -99,7 +102,7 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
             return c.json({ error: "Too many failed login attempts. Try again later." }, 429);
         }
         const metadata = {
-            ipAddress: clientIp(c.req.header("x-forwarded-for"), c.req.header("x-real-ip")),
+            ipAddress: getClientIp(c),
             userAgent: c.req.header("user-agent") ?? undefined,
         };
         try {
@@ -110,6 +113,8 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
                 if (result.refreshToken) {
                     setCookie(c, COOKIE_REFRESH_TOKEN, result.refreshToken, cookieOptions(getRefreshTokenExpiry()));
                 }
+                if (getCsrfEnabled())
+                    refreshCsrfToken(c);
             }
             return c.json(result, 200);
         }
@@ -255,6 +260,8 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
         await AuthService.logout(token);
         deleteCookie(c, COOKIE_TOKEN, { path: "/" });
         deleteCookie(c, COOKIE_REFRESH_TOKEN, { path: "/" });
+        if (getCsrfEnabled())
+            clearCsrfToken(c);
         return c.json({ message: "Logged out" }, 200);
     });
     // Email verification routes — only mounted when emailVerification is configured and primaryField is "email"
@@ -272,7 +279,7 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
                 429: { content: { "application/json": { schema: ErrorResponse } }, description: "Too many verification attempts from this IP. Try again later." },
             },
         }), async (c) => {
-            const ip = c.req.header("x-forwarded-for") ?? "unknown";
+            const ip = getClientIp(c);
             if (await trackAttempt(`verify:${ip}`, verifyOpts)) {
                 return c.json({ error: "Too many verification attempts. Try again later." }, 429);
             }
@@ -341,7 +348,7 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
                 429: { content: { "application/json": { schema: ErrorResponse } }, description: "Too many attempts from this IP or for this email address. Try again later." },
             },
         }), async (c) => {
-            const ip = clientIp(c.req.header("x-forwarded-for"), c.req.header("x-real-ip")) ?? "unknown";
+            const ip = getClientIp(c);
             const { email } = c.req.valid("json");
             // Rate-limit by both IP and email to prevent distributed email-bombing
             const ipLimited = await trackAttempt(`forgot:ip:${ip}`, forgotOpts);
@@ -379,7 +386,7 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
                         "application/json": {
                             schema: z.object({
                                 token: z.string().describe("Single-use reset token received via email."),
-                                password: z.string().min(8).describe("New password. Minimum 8 characters."),
+                                password: resetPasswordSchema().describe("New password."),
                             }),
                         },
                     },
@@ -393,7 +400,7 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
                 501: { content: { "application/json": { schema: ErrorResponse } }, description: "The configured auth adapter does not support setPassword." },
             },
         }), async (c) => {
-            const ip = clientIp(c.req.header("x-forwarded-for"), c.req.header("x-real-ip")) ?? "unknown";
+            const ip = getClientIp(c);
             if (await trackAttempt(`reset:${ip}`, resetOpts)) {
                 return c.json({ error: "Too many attempts. Try again later." }, 429);
             }
@@ -444,8 +451,13 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
             responses: {
                 200: { content: { "application/json": { schema: RefreshResponse } }, description: "New access and refresh tokens." },
                 401: { content: { "application/json": { schema: ErrorResponse } }, description: "Invalid or expired refresh token, or session invalidated due to token theft detection." },
+                429: { content: { "application/json": { schema: ErrorResponse } }, description: "Too many refresh attempts. Try again later." },
             },
         }), async (c) => {
+            const ip = getClientIp(c);
+            if (await trackAttempt(`refresh:ip:${ip}`, { max: 30, windowMs: 60_000 })) {
+                return c.json({ error: "Too many refresh attempts. Try again later." }, 429);
+            }
             const body = c.req.valid("json");
             const rt = body.refreshToken ?? getCookie(c, COOKIE_REFRESH_TOKEN) ?? c.req.header(HEADER_REFRESH_TOKEN) ?? null;
             if (!rt) {

package/dist/routes/mfa.d.ts

@@ -1 +1,5 @@
-export declare const createMfaRouter: () => import("@hono/zod-openapi").OpenAPIHono<import("../lib/context").AppEnv, {}, "/">;
+import type { AuthRateLimitConfig } from "../app";
+export interface MfaRouterOptions {
+    rateLimit?: AuthRateLimitConfig;
+}
+export declare const createMfaRouter: ({ rateLimit }?: MfaRouterOptions) => import("@hono/zod-openapi").OpenAPIHono<import("../lib/context").AppEnv, {}, "/">;