@lastshotlabs/bunshot 0.0.16 → 0.0.18

package/dist/schemas/auth.js

@@ -1,9 +1,30 @@
 import { z } from "zod";
+import { getPasswordPolicy } from "../lib/appConfig";
+/** Build a Zod schema for the password field based on the configured policy.
+ *  Applied to registration and reset-password. Login uses min(1) intentionally
+ *  to avoid locking out users registered under older/weaker policies. */
+const passwordSchema = () => {
+    const policy = getPasswordPolicy();
+    const minLen = policy.minLength ?? 8;
+    let schema = z.string().min(minLen, `Password must be at least ${minLen} characters`);
+    if (policy.requireLetter !== false) {
+        schema = schema.regex(/[a-zA-Z]/, "Password must contain at least one letter");
+    }
+    if (policy.requireDigit !== false) {
+        schema = schema.regex(/\d/, "Password must contain at least one digit");
+    }
+    if (policy.requireSpecial) {
+        schema = schema.regex(/[^a-zA-Z0-9]/, "Password must contain at least one special character");
+    }
+    return schema;
+};
 export const makeRegisterSchema = (primaryField) => z.object({
     [primaryField]: primaryField === "email" ? z.string().email() : z.string().min(3),
-    password: z.string().min(8),
+    password: passwordSchema(),
 });
 export const makeLoginSchema = (primaryField) => z.object({
     [primaryField]: primaryField === "email" ? z.string().email() : z.string().min(1),
     password: z.string().min(1),
 });
+/** Password schema for reset-password — same policy as registration. */
+export const resetPasswordSchema = () => passwordSchema();

package/dist/server.d.ts

@@ -12,6 +12,12 @@ export interface WsConfig<T extends object = object> {
      * ws.data.userId is available for auth checks.
      */
     onRoomSubscribe?: (ws: ServerWebSocket<SocketData<T>>, room: string) => boolean | Promise<boolean>;
+    /**
+     * Maximum allowed WebSocket message size in bytes.
+     * Messages exceeding this limit will cause the connection to be closed with code 1009.
+     * Defaults to 65536 (64 KB).
+     */
+    maxMessageSize?: number;
 }
 export interface CreateServerConfig<T extends object = object> extends CreateAppConfig {
     port?: number;

package/dist/server.js

@@ -6,16 +6,23 @@ export const createServer = async (config) => {
     const app = await createApp(config);
     const port = Number(process.env.PORT ?? config.port ?? 3000);
     const { workersDir, enableWorkers = true, ws: wsConfig = {} } = config;
-    const { handler: userWs, upgradeHandler: wsUpgradeHandler, onRoomSubscribe } = wsConfig;
+    const { handler: userWs, upgradeHandler: wsUpgradeHandler, onRoomSubscribe, maxMessageSize = 65_536 } = wsConfig;
     const defaultOpen = defaultWebsocket.open;
-    const defaultMessage = defaultWebsocket.message;
     const defaultClose = defaultWebsocket.close;
     const defaultDrain = defaultWebsocket.drain;
     const ws = {
         open: userWs?.open ?? defaultOpen,
         async message(socket, message) {
+            const size = typeof message === "string" ? message.length : message.byteLength;
+            if (size > maxMessageSize) {
+                socket.close(1009, "Message too large");
+                return;
+            }
             if (!await handleRoomActions(socket, message, onRoomSubscribe)) {
-                (userWs?.message ?? defaultMessage)(socket, message);
+                if (userWs?.message) {
+                    userWs.message(socket, message);
+                }
+                // No default echo — without a custom handler, non-room messages are silently dropped
             }
         },
         close(socket, code, reason) {

package/dist/services/auth.d.ts

@@ -9,6 +9,7 @@ export interface AuthResult {
     mfaRequired?: boolean;
     mfaToken?: string;
     mfaMethods?: string[];
+    webauthnOptions?: Record<string, unknown>;
 }
 /** Create a session for a user (used internally and by MFA verify). */
 export declare const createSessionForUser: (userId: string, metadata?: SessionMetadata) => Promise<{

package/dist/services/auth.js

@@ -2,10 +2,10 @@ import { getAuthAdapter } from "../lib/authAdapter";
 import { HttpError } from "../lib/HttpError";
 import { signToken, verifyToken } from "../lib/jwt";
 import { createSession, deleteSession, getActiveSessionCount, evictOldestSession, deleteUserSessions, setRefreshToken, getSessionByRefreshToken, rotateRefreshToken } from "../lib/session";
-import { getDefaultRole, getPrimaryField, getEmailVerificationConfig, getMaxSessions, getRefreshTokenConfig, getAccessTokenExpiry, getMfaConfig, getMfaEmailOtpConfig } from "../lib/appConfig";
+import { getDefaultRole, getPrimaryField, getEmailVerificationConfig, getMaxSessions, getRefreshTokenConfig, getAccessTokenExpiry, getMfaConfig, getMfaEmailOtpConfig, getMfaWebAuthnConfig } from "../lib/appConfig";
 import { createVerificationToken } from "../lib/emailVerification";
 import { createMfaChallenge } from "../lib/mfaChallenge";
-import { generateEmailOtpCode } from "./mfa";
+import { generateEmailOtpCode, generateWebAuthnAuthenticationOptions } from "./mfa";
 async function createSessionWithRefreshToken(userId, sessionId, metadata) {
     const rtConfig = getRefreshTokenConfig();
     const expirySeconds = rtConfig ? getAccessTokenExpiry() : undefined;
@@ -47,11 +47,16 @@ export const register = async (identifier, password, metadata) => {
     }
     return { token, userId: user.id, email: identifier, refreshToken };
 };
+// Pre-computed dummy hash so non-existent-user login takes the same time as wrong-password login
+const DUMMY_HASH = await Bun.password.hash("dummy-timing-safe-placeholder");
 export const login = async (identifier, password, metadata) => {
     const adapter = getAuthAdapter();
     const findFn = adapter.findByIdentifier ?? adapter.findByEmail.bind(adapter);
     const user = await findFn(identifier);
-    if (!user || !(await Bun.password.verify(password, user.passwordHash))) {
+    // Always verify against a hash to prevent timing-based user enumeration
+    const hashToVerify = user?.passwordHash ?? DUMMY_HASH;
+    const passwordValid = await Bun.password.verify(password, hashToVerify);
+    if (!user || !passwordValid) {
         throw new HttpError(401, "Invalid credentials");
     }
     // Check email verification before MFA to avoid leaking MFA status to unverified users
@@ -79,8 +84,19 @@ export const login = async (identifier, password, metadata) => {
             if (email)
                 await emailOtpConfig.onSend(email, code);
         }
-        const mfaToken = await createMfaChallenge(user.id, emailOtpHash);
-        return { token: "", userId: user.id, mfaRequired: true, mfaToken, mfaMethods: methods };
+        // Generate WebAuthn authentication options if enabled
+        let webauthnChallenge;
+        let webauthnOptions;
+        const webauthnConfig = getMfaWebAuthnConfig();
+        if (methods.includes("webauthn") && webauthnConfig && adapter.getWebAuthnCredentials) {
+            const result = await generateWebAuthnAuthenticationOptions(user.id);
+            if (result) {
+                webauthnChallenge = result.challenge;
+                webauthnOptions = result.options;
+            }
+        }
+        const mfaToken = await createMfaChallenge(user.id, { emailOtpHash, webauthnChallenge });
+        return { token: "", userId: user.id, mfaRequired: true, mfaToken, mfaMethods: methods, webauthnOptions };
     }
     const sessionId = crypto.randomUUID();
     const { token, refreshToken } = await createSessionWithRefreshToken(user.id, sessionId, metadata);

package/dist/services/mfa.d.ts

@@ -35,3 +35,50 @@ export declare const disableEmailOtp: (userId: string, params: {
 }) => Promise<void>;
 /** Get the MFA methods enabled for a user. */
 export declare const getMfaMethods: (userId: string) => Promise<string[]>;
+/**
+ * Eager startup check — call at route mount time to fail fast if the peer dependency is missing.
+ */
+export declare const assertWebAuthnDependency: () => Promise<void>;
+/**
+ * Generate WebAuthn authentication options for the login MFA flow.
+ * Called from auth.ts login when the user has "webauthn" in their methods.
+ */
+export declare const generateWebAuthnAuthenticationOptions: (userId: string) => Promise<{
+    challenge: string;
+    options: Record<string, unknown>;
+} | null>;
+/**
+ * Initiate WebAuthn registration: generates registration options for the client.
+ * Returns options + a registration challenge token.
+ */
+export declare const initiateWebAuthnRegistration: (userId: string) => Promise<{
+    options: Record<string, unknown>;
+    registrationToken: string;
+}>;
+/**
+ * Complete WebAuthn registration: verifies attestation and stores the credential.
+ * Returns recovery codes if this is the first MFA method.
+ */
+export declare const completeWebAuthnRegistration: (userId: string, registrationToken: string, attestationResponse: any, name?: string) => Promise<{
+    credentialId: string;
+    recoveryCodes: string[] | null;
+}>;
+/**
+ * Verify a WebAuthn authentication assertion during login MFA.
+ */
+export declare const verifyWebAuthn: (userId: string, assertionResponse: any, expectedChallenge: string) => Promise<boolean>;
+/**
+ * Remove a single WebAuthn credential.
+ * Only requires identity verification when removing the last credential of the last MFA method.
+ */
+export declare const removeWebAuthnCredential: (userId: string, credentialId: string, params: {
+    code?: string;
+    password?: string;
+}) => Promise<void>;
+/**
+ * Disable WebAuthn entirely: removes all credentials and the method.
+ */
+export declare const disableWebAuthn: (userId: string, params: {
+    code?: string;
+    password?: string;
+}) => Promise<void>;

package/dist/services/mfa.js

@@ -1,6 +1,6 @@
 import { getAuthAdapter } from "../lib/authAdapter";
 import { HttpError } from "../lib/HttpError";
-import { getMfaIssuer, getMfaAlgorithm, getMfaDigits, getMfaPeriod, getMfaRecoveryCodeCount, getMfaEmailOtpConfig, getMfaEmailOtpCodeLength } from "../lib/appConfig";
+import { getMfaIssuer, getMfaAlgorithm, getMfaDigits, getMfaPeriod, getMfaRecoveryCodeCount, getMfaEmailOtpConfig, getMfaEmailOtpCodeLength, getMfaWebAuthnConfig, getAppName } from "../lib/appConfig";
 import { createMfaChallenge } from "../lib/mfaChallenge";
 // Lazy-load otpauth to keep it as an optional peer dependency
 let _otpauth = null;
@@ -9,11 +9,7 @@ async function getOtpAuth() {
         _otpauth = await import("otpauth");
     return _otpauth;
 }
-function sha256(input) {
-    const hash = new Bun.CryptoHasher("sha256");
-    hash.update(input);
-    return hash.digest("hex");
-}
+import { sha256, timingSafeEqual } from "../lib/crypto";
 function generateRandomCode(length) {
     const chars = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"; // no ambiguous chars: I/1/O/0
     let code = "";
@@ -110,7 +106,7 @@ export const verifyRecoveryCode = async (userId, code) => {
         return false;
     const hashedCodes = await adapter.getRecoveryCodes(userId);
     const hashedInput = sha256(code.toUpperCase());
-    const match = hashedCodes.find((h) => h === hashedInput);
+    const match = hashedCodes.find((h) => timingSafeEqual(h, hashedInput));
     if (!match)
         return false;
     await adapter.removeRecoveryCode(userId, match);
@@ -158,7 +154,7 @@ export const generateEmailOtpCode = (length) => {
 };
 /** Verify an email OTP code against a stored hash. */
 export const verifyEmailOtp = (emailOtpHash, code) => {
-    return sha256(code) === emailOtpHash;
+    return timingSafeEqual(sha256(code), emailOtpHash);
 };
 /**
  * Initiate email OTP setup: sends a verification code to the user's email.
@@ -175,7 +171,7 @@ export const initiateEmailOtp = async (userId) => {
     const { code, hash } = generateEmailOtpCode();
     await emailOtpConfig.onSend(user.email, code);
     // Store the hash in a challenge token for verification
-    const setupToken = await createMfaChallenge(userId, hash);
+    const setupToken = await createMfaChallenge(userId, { emailOtpHash: hash });
     return setupToken;
 };
 /**
@@ -274,3 +270,274 @@ export const getMfaMethods = async (userId) => {
         return ["totp"];
     return [];
 };
+// ---------------------------------------------------------------------------
+// WebAuthn / FIDO2
+// ---------------------------------------------------------------------------
+// Lazy-load @simplewebauthn/server to keep it as an optional peer dependency
+let _simplewebauthn = null;
+async function getSimpleWebAuthn() {
+    if (!_simplewebauthn)
+        _simplewebauthn = await import("@simplewebauthn/server");
+    return _simplewebauthn;
+}
+/**
+ * Eager startup check — call at route mount time to fail fast if the peer dependency is missing.
+ */
+export const assertWebAuthnDependency = async () => {
+    try {
+        await import("@simplewebauthn/server");
+    }
+    catch {
+        throw new Error("@simplewebauthn/server is required when mfa.webauthn is configured. Install it: bun add @simplewebauthn/server");
+    }
+};
+/**
+ * Generate WebAuthn authentication options for the login MFA flow.
+ * Called from auth.ts login when the user has "webauthn" in their methods.
+ */
+export const generateWebAuthnAuthenticationOptions = async (userId) => {
+    const config = getMfaWebAuthnConfig();
+    if (!config)
+        return null;
+    const adapter = getAuthAdapter();
+    if (!adapter.getWebAuthnCredentials)
+        return null;
+    const credentials = await adapter.getWebAuthnCredentials(userId);
+    if (credentials.length === 0)
+        return null;
+    const { generateAuthenticationOptions } = await getSimpleWebAuthn();
+    const options = await generateAuthenticationOptions({
+        rpID: config.rpId,
+        allowCredentials: credentials.map((c) => ({
+            id: c.credentialId,
+            transports: c.transports,
+        })),
+        userVerification: config.userVerification ?? "preferred",
+        timeout: config.timeout ?? 60000,
+    });
+    return { challenge: options.challenge, options: options };
+};
+/**
+ * Initiate WebAuthn registration: generates registration options for the client.
+ * Returns options + a registration challenge token.
+ */
+export const initiateWebAuthnRegistration = async (userId) => {
+    const config = getMfaWebAuthnConfig();
+    if (!config)
+        throw new HttpError(501, "WebAuthn is not configured");
+    const adapter = getAuthAdapter();
+    if (!adapter.getWebAuthnCredentials)
+        throw new HttpError(501, "Auth adapter does not support WebAuthn");
+    const user = adapter.getUser ? await adapter.getUser(userId) : null;
+    // Get existing credentials to exclude (prevent re-registration)
+    const existingCreds = await adapter.getWebAuthnCredentials(userId);
+    const { generateRegistrationOptions } = await getSimpleWebAuthn();
+    const options = await generateRegistrationOptions({
+        rpName: config.rpName ?? getAppName(),
+        rpID: config.rpId,
+        userName: user?.email ?? userId,
+        attestationType: config.attestationType ?? "none",
+        excludeCredentials: existingCreds.map((c) => ({
+            id: c.credentialId,
+            transports: c.transports,
+        })),
+        authenticatorSelection: {
+            authenticatorAttachment: config.authenticatorAttachment,
+            userVerification: config.userVerification ?? "preferred",
+            residentKey: "preferred",
+        },
+        timeout: config.timeout ?? 60000,
+    });
+    const { createWebAuthnRegistrationChallenge } = await import("../lib/mfaChallenge");
+    const registrationToken = await createWebAuthnRegistrationChallenge(userId, options.challenge);
+    return { options: options, registrationToken };
+};
+/**
+ * Complete WebAuthn registration: verifies attestation and stores the credential.
+ * Returns recovery codes if this is the first MFA method.
+ */
+export const completeWebAuthnRegistration = async (userId, registrationToken, attestationResponse, name) => {
+    const config = getMfaWebAuthnConfig();
+    if (!config)
+        throw new HttpError(501, "WebAuthn is not configured");
+    const adapter = getAuthAdapter();
+    if (!adapter.addWebAuthnCredential || !adapter.setMfaEnabled || !adapter.setRecoveryCodes) {
+        throw new HttpError(501, "Auth adapter does not support WebAuthn");
+    }
+    const { consumeWebAuthnRegistrationChallenge } = await import("../lib/mfaChallenge");
+    const challenge = await consumeWebAuthnRegistrationChallenge(registrationToken);
+    if (!challenge)
+        throw new HttpError(401, "Invalid or expired registration token");
+    if (challenge.userId !== userId)
+        throw new HttpError(401, "Token does not match user");
+    const { verifyRegistrationResponse } = await getSimpleWebAuthn();
+    const verification = await verifyRegistrationResponse({
+        response: attestationResponse,
+        expectedChallenge: challenge.challenge,
+        expectedOrigin: Array.isArray(config.origin) ? config.origin : [config.origin],
+        expectedRPID: config.rpId,
+    });
+    if (!verification.verified || !verification.registrationInfo) {
+        throw new HttpError(401, "WebAuthn registration verification failed");
+    }
+    const { credential } = verification.registrationInfo;
+    const credentialId = credential.id;
+    // Cross-user uniqueness check
+    if (adapter.findUserByWebAuthnCredentialId) {
+        const existingOwner = await adapter.findUserByWebAuthnCredentialId(credentialId);
+        if (existingOwner && existingOwner !== userId) {
+            throw new HttpError(409, "This security key is already registered to another account");
+        }
+    }
+    const newCredential = {
+        credentialId,
+        publicKey: Buffer.from(credential.publicKey).toString("base64url"),
+        signCount: credential.counter,
+        transports: attestationResponse.response?.transports ?? [],
+        name: name ?? undefined,
+        createdAt: Date.now(),
+    };
+    await adapter.addWebAuthnCredential(userId, newCredential);
+    // Add "webauthn" to methods
+    if (adapter.getMfaMethods && adapter.setMfaMethods) {
+        const methods = await adapter.getMfaMethods(userId);
+        if (!methods.includes("webauthn")) {
+            await adapter.setMfaMethods(userId, [...methods, "webauthn"]);
+        }
+    }
+    // Enable MFA + generate/regenerate recovery codes
+    await adapter.setMfaEnabled(userId, true);
+    const { plainCodes, hashedCodes } = generateRecoveryCodes();
+    await adapter.setRecoveryCodes(userId, hashedCodes);
+    return { credentialId, recoveryCodes: plainCodes };
+};
+/**
+ * Verify a WebAuthn authentication assertion during login MFA.
+ */
+export const verifyWebAuthn = async (userId, assertionResponse, expectedChallenge) => {
+    const config = getMfaWebAuthnConfig();
+    if (!config)
+        return false;
+    const adapter = getAuthAdapter();
+    if (!adapter.getWebAuthnCredentials || !adapter.updateWebAuthnCredentialSignCount)
+        return false;
+    const credentials = await adapter.getWebAuthnCredentials(userId);
+    const credentialId = assertionResponse.id;
+    const matchedCred = credentials.find((c) => c.credentialId === credentialId);
+    if (!matchedCred)
+        return false;
+    const { verifyAuthenticationResponse } = await getSimpleWebAuthn();
+    try {
+        const verification = await verifyAuthenticationResponse({
+            response: assertionResponse,
+            expectedChallenge,
+            expectedOrigin: Array.isArray(config.origin) ? config.origin : [config.origin],
+            expectedRPID: config.rpId,
+            credential: {
+                id: matchedCred.credentialId,
+                publicKey: new Uint8Array(Buffer.from(matchedCred.publicKey, "base64url")),
+                counter: matchedCred.signCount,
+                transports: matchedCred.transports,
+            },
+        });
+        if (!verification.verified)
+            return false;
+        const { authenticationInfo } = verification;
+        // Sign count policy
+        if (authenticationInfo.newCounter < matchedCred.signCount) {
+            if (config.strictSignCount) {
+                console.warn(`[webauthn] Sign count went backward for credential ${credentialId} (user ${userId}) — rejecting (strictSignCount enabled)`);
+                return false;
+            }
+            console.warn(`[webauthn] Sign count went backward for credential ${credentialId} (user ${userId}) — possible cloned authenticator`);
+        }
+        await adapter.updateWebAuthnCredentialSignCount(userId, credentialId, authenticationInfo.newCounter);
+        return true;
+    }
+    catch {
+        return false;
+    }
+};
+/**
+ * Remove a single WebAuthn credential.
+ * Only requires identity verification when removing the last credential of the last MFA method.
+ */
+export const removeWebAuthnCredential = async (userId, credentialId, params) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.getWebAuthnCredentials || !adapter.removeWebAuthnCredential) {
+        throw new HttpError(501, "Auth adapter does not support WebAuthn");
+    }
+    const credentials = await adapter.getWebAuthnCredentials(userId);
+    if (!credentials.some((c) => c.credentialId === credentialId)) {
+        throw new HttpError(404, "Credential not found");
+    }
+    const methods = adapter.getMfaMethods ? await adapter.getMfaMethods(userId) : [];
+    const otherMethodsExist = methods.some((m) => m !== "webauthn");
+    const otherCredsExist = credentials.length > 1;
+    // Only require verification when removing the last credential of the last method
+    if (!otherMethodsExist && !otherCredsExist) {
+        await verifyIdentity(userId, params);
+    }
+    await adapter.removeWebAuthnCredential(userId, credentialId);
+    // If that was the last credential, remove "webauthn" from methods
+    if (!otherCredsExist && adapter.setMfaMethods) {
+        const updated = methods.filter((m) => m !== "webauthn");
+        await adapter.setMfaMethods(userId, updated);
+        // If no methods remain, disable MFA entirely
+        if (updated.length === 0 && adapter.setMfaEnabled) {
+            await adapter.setMfaEnabled(userId, false);
+            if (adapter.setRecoveryCodes)
+                await adapter.setRecoveryCodes(userId, []);
+        }
+    }
+};
+/**
+ * Disable WebAuthn entirely: removes all credentials and the method.
+ */
+export const disableWebAuthn = async (userId, params) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.getWebAuthnCredentials || !adapter.removeWebAuthnCredential) {
+        throw new HttpError(501, "Auth adapter does not support WebAuthn");
+    }
+    await verifyIdentity(userId, params);
+    const credentials = await adapter.getWebAuthnCredentials(userId);
+    for (const cred of credentials) {
+        await adapter.removeWebAuthnCredential(userId, cred.credentialId);
+    }
+    // Remove "webauthn" from methods
+    if (adapter.getMfaMethods && adapter.setMfaMethods) {
+        const methods = await adapter.getMfaMethods(userId);
+        const updated = methods.filter((m) => m !== "webauthn");
+        await adapter.setMfaMethods(userId, updated);
+        if (updated.length === 0 && adapter.setMfaEnabled) {
+            await adapter.setMfaEnabled(userId, false);
+            if (adapter.setRecoveryCodes)
+                await adapter.setRecoveryCodes(userId, []);
+        }
+    }
+};
+/** Internal: verify identity via TOTP code or password. */
+async function verifyIdentity(userId, params) {
+    const adapter = getAuthAdapter();
+    const methods = adapter.getMfaMethods ? await adapter.getMfaMethods(userId) : [];
+    const hasTotpEnabled = methods.includes("totp");
+    if (hasTotpEnabled) {
+        if (!params.code)
+            throw new HttpError(400, "TOTP code required");
+        const valid = await verifyTotp(userId, params.code);
+        if (!valid)
+            throw new HttpError(401, "Invalid TOTP code");
+    }
+    else {
+        if (!params.password)
+            throw new HttpError(400, "Password required");
+        const user = adapter.findByIdentifier
+            ? await adapter.findByIdentifier((await adapter.getUser?.(userId))?.email ?? "")
+            : await adapter.findByEmail((await adapter.getUser?.(userId))?.email ?? "");
+        if (!user)
+            throw new HttpError(404, "User not found");
+        const valid = await Bun.password.verify(params.password, user.passwordHash);
+        if (!valid)
+            throw new HttpError(401, "Invalid password");
+    }
+}

package/dist/ws/index.js

@@ -25,8 +25,9 @@ export const websocket = {
         console.log(`[ws] connected: ${ws.data.id}`);
         ws.send(JSON.stringify({ event: "connected", id: ws.data.id }));
     },
-    message(ws, message) {
-        ws.send(message);
+    message(_ws, _message) {
+        // No-op: room actions are handled by server.ts via handleRoomActions.
+        // Override ws.handler.message in WsConfig for custom message handling.
     },
     close(ws) {
         console.log(`[ws] disconnected: ${ws.data.id}`);