@lastshotlabs/bunshot 0.0.16 → 0.0.19

package/dist/adapters/mongoAuth.js

@@ -133,12 +133,50 @@ export const mongoAuthAdapter = {
     async setMfaMethods(userId, methods) {
         await AuthUser.findByIdAndUpdate(userId, { mfaMethods: methods });
     },
+    async getWebAuthnCredentials(userId) {
+        const user = await AuthUser.findById(userId, "webauthnCredentials").lean();
+        const creds = user?.webauthnCredentials ?? [];
+        return creds.map((c) => ({
+            credentialId: c.credentialId,
+            publicKey: c.publicKey,
+            signCount: c.signCount,
+            transports: c.transports,
+            name: c.name,
+            createdAt: c.createdAt instanceof Date ? c.createdAt.getTime() : c.createdAt,
+        }));
+    },
+    async addWebAuthnCredential(userId, credential) {
+        await AuthUser.findByIdAndUpdate(userId, {
+            $push: {
+                webauthnCredentials: {
+                    credentialId: credential.credentialId,
+                    publicKey: credential.publicKey,
+                    signCount: credential.signCount,
+                    transports: credential.transports,
+                    name: credential.name,
+                    createdAt: new Date(credential.createdAt),
+                },
+            },
+        });
+    },
+    async removeWebAuthnCredential(userId, credentialId) {
+        await AuthUser.findByIdAndUpdate(userId, {
+            $pull: { webauthnCredentials: { credentialId } },
+        });
+    },
+    async updateWebAuthnCredentialSignCount(userId, credentialId, signCount) {
+        await AuthUser.findOneAndUpdate({ _id: userId, "webauthnCredentials.credentialId": credentialId }, { $set: { "webauthnCredentials.$.signCount": signCount } });
+    },
+    async findUserByWebAuthnCredentialId(credentialId) {
+        const user = await AuthUser.findOne({ "webauthnCredentials.credentialId": credentialId }, "_id").lean();
+        return user ? String(user._id) : null;
+    },
     async getTenantRoles(userId, tenantId) {
         const doc = await TenantRole.findOne({ userId, tenantId }, "roles").lean();
         return doc?.roles ?? [];
     },
     async setTenantRoles(userId, tenantId, roles) {
-        await TenantRole.findOneAndUpdate({ userId, tenantId }, { roles }, { upsert: true });
+        await TenantRole.findOneAndUpdate({ userId, tenantId }, { $set: { roles } }, { upsert: true });
     },
     async addTenantRole(userId, tenantId, role) {
         await TenantRole.findOneAndUpdate({ userId, tenantId }, { $addToSet: { roles: role } }, { upsert: true });

package/dist/adapters/sqliteAuth.d.ts

@@ -36,4 +36,7 @@ export declare const sqliteConsumeResetToken: (hash: string) => {
     userId: string;
     email: string;
 } | null;
+import type { OAuthCodePayload } from "../lib/oauthCode";
+export declare const sqliteStoreOAuthCode: (hash: string, payload: OAuthCodePayload, ttlSeconds: number) => void;
+export declare const sqliteConsumeOAuthCode: (hash: string) => OAuthCodePayload | null;
 export declare const startSqliteCleanup: (intervalMs?: number) => ReturnType<typeof setInterval>;

package/dist/adapters/sqliteAuth.js

@@ -109,6 +109,24 @@ function initSchema(db) {
     PRIMARY KEY (userId, tenantId, role)
   )`);
     db.run("CREATE INDEX IF NOT EXISTS idx_tenant_roles_tenant ON tenant_roles(tenantId)");
+    db.run(`CREATE TABLE IF NOT EXISTS webauthn_credentials (
+    credentialId TEXT PRIMARY KEY,
+    userId       TEXT NOT NULL,
+    publicKey    TEXT NOT NULL,
+    signCount    INTEGER NOT NULL DEFAULT 0,
+    transports   TEXT NOT NULL DEFAULT '[]',
+    name         TEXT,
+    createdAt    INTEGER NOT NULL
+  )`);
+    db.run("CREATE INDEX IF NOT EXISTS idx_webauthn_userId ON webauthn_credentials(userId)");
+    db.run(`CREATE TABLE IF NOT EXISTS oauth_codes (
+    codeHash     TEXT PRIMARY KEY,
+    token        TEXT NOT NULL,
+    userId       TEXT NOT NULL,
+    email        TEXT,
+    refreshToken TEXT,
+    expiresAt    INTEGER NOT NULL
+  )`);
 }
 // ---------------------------------------------------------------------------
 // Auth adapter
@@ -262,6 +280,30 @@ export const sqliteAuthAdapter = {
     async setMfaMethods(userId, methods) {
         getDb().run("UPDATE users SET mfaMethods = ? WHERE id = ?", [JSON.stringify(methods), userId]);
     },
+    async getWebAuthnCredentials(userId) {
+        const rows = getDb().query("SELECT credentialId, publicKey, signCount, transports, name, createdAt FROM webauthn_credentials WHERE userId = ?").all(userId);
+        return rows.map((r) => ({
+            credentialId: r.credentialId,
+            publicKey: r.publicKey,
+            signCount: r.signCount,
+            transports: JSON.parse(r.transports),
+            name: r.name ?? undefined,
+            createdAt: r.createdAt,
+        }));
+    },
+    async addWebAuthnCredential(userId, credential) {
+        getDb().run("INSERT INTO webauthn_credentials (credentialId, userId, publicKey, signCount, transports, name, createdAt) VALUES (?, ?, ?, ?, ?, ?, ?)", [credential.credentialId, userId, credential.publicKey, credential.signCount, JSON.stringify(credential.transports ?? []), credential.name ?? null, credential.createdAt]);
+    },
+    async removeWebAuthnCredential(userId, credentialId) {
+        getDb().run("DELETE FROM webauthn_credentials WHERE credentialId = ? AND userId = ?", [credentialId, userId]);
+    },
+    async updateWebAuthnCredentialSignCount(userId, credentialId, signCount) {
+        getDb().run("UPDATE webauthn_credentials SET signCount = ? WHERE credentialId = ? AND userId = ?", [signCount, credentialId, userId]);
+    },
+    async findUserByWebAuthnCredentialId(credentialId) {
+        const row = getDb().query("SELECT userId FROM webauthn_credentials WHERE credentialId = ?").get(credentialId);
+        return row?.userId ?? null;
+    },
     async getTenantRoles(userId, tenantId) {
         const rows = getDb().query("SELECT role FROM tenant_roles WHERE userId = ? AND tenantId = ?").all(userId, tenantId);
         return rows.map((r) => r.role);
@@ -433,6 +475,16 @@ export const sqliteConsumeResetToken = (hash) => {
     const row = getDb().query("DELETE FROM password_resets WHERE token = ? AND expiresAt > ? RETURNING userId, email").get(hash, Date.now());
     return row ?? null;
 };
+export const sqliteStoreOAuthCode = (hash, payload, ttlSeconds) => {
+    const expiresAt = Date.now() + ttlSeconds * 1000;
+    getDb().run("INSERT INTO oauth_codes (codeHash, token, userId, email, refreshToken, expiresAt) VALUES (?, ?, ?, ?, ?, ?)", [hash, payload.token, payload.userId, payload.email ?? null, payload.refreshToken ?? null, expiresAt]);
+};
+export const sqliteConsumeOAuthCode = (hash) => {
+    const row = getDb().query("DELETE FROM oauth_codes WHERE codeHash = ? AND expiresAt > ? RETURNING token, userId, email, refreshToken").get(hash, Date.now());
+    if (!row)
+        return null;
+    return { token: row.token, userId: row.userId, email: row.email ?? undefined, refreshToken: row.refreshToken ?? undefined };
+};
 // ---------------------------------------------------------------------------
 // Optional periodic cleanup of expired rows
 // ---------------------------------------------------------------------------
@@ -451,5 +503,6 @@ export const startSqliteCleanup = (intervalMs = 3_600_000) => {
         db.run("DELETE FROM cache_entries WHERE expiresAt IS NOT NULL AND expiresAt <= ?", [now]);
         db.run("DELETE FROM email_verifications WHERE expiresAt <= ?", [now]);
         db.run("DELETE FROM password_resets WHERE expiresAt <= ?", [now]);
+        db.run("DELETE FROM oauth_codes WHERE expiresAt <= ?", [now]);
     }, intervalMs);
 };

package/dist/app.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
 import type { MiddlewareHandler } from "hono";
 import type { AppEnv } from "./lib/context";
-import type { PrimaryField, EmailVerificationConfig, PasswordResetConfig, RefreshTokenConfig, MfaConfig, MfaEmailOtpConfig } from "./lib/appConfig";
+import type { PrimaryField, EmailVerificationConfig, PasswordResetConfig, PasswordPolicyConfig, RefreshTokenConfig, MfaConfig, MfaEmailOtpConfig, MfaWebAuthnConfig } from "./lib/appConfig";
 import type { AuthAdapter } from "./lib/authAdapter";
 import type { OAuthProviderConfig } from "./lib/oauth";
 type StoreType = "redis" | "mongo" | "sqlite" | "memory";
@@ -60,6 +60,9 @@ export interface OAuthConfig {
     providers?: OAuthProviderConfig;
     /** Where to redirect after a successful OAuth login. Defaults to "/" */
     postRedirect?: string;
+    /** Allowlist of redirect URLs. If set, the postRedirect URL is validated against this list.
+     *  Relative paths (e.g., "/") are always allowed. Only absolute URLs are validated. */
+    allowedRedirectUrls?: string[];
 }
 export interface AuthRateLimitConfig {
     /** Max login failures per window before the account is locked. Default: 10 per 15 min. */
@@ -97,6 +100,16 @@ export interface AuthRateLimitConfig {
         windowMs?: number;
         max?: number;
     };
+    /** Max MFA verification attempts per IP per window. Default: 10 per 15 min. */
+    mfaVerify?: {
+        windowMs?: number;
+        max?: number;
+    };
+    /** Max MFA email OTP resend attempts per IP per window. Default: 5 per minute. */
+    mfaResend?: {
+        windowMs?: number;
+        max?: number;
+    };
     /**
      * Store backend for auth rate limit counters.
      * Defaults to "redis" when Redis is enabled, otherwise "memory".
@@ -137,6 +150,10 @@ export interface AuthConfig {
      * Mounts POST /auth/forgot-password and POST /auth/reset-password.
      */
     passwordReset?: PasswordResetConfig;
+    /** Password strength policy for registration and reset-password.
+     *  Login is intentionally lenient (min 1) so users under older policies can still sign in.
+     *  Defaults: minLength=8, requireLetter=true, requireDigit=true, requireSpecial=false. */
+    passwordPolicy?: PasswordPolicyConfig;
     /** Rate limit configuration for built-in auth endpoints. */
     rateLimit?: AuthRateLimitConfig;
     /** Session concurrency and metadata persistence policy. */
@@ -187,7 +204,7 @@ export interface AuthSessionPolicyConfig {
      */
     trackLastActive?: boolean;
 }
-export type { PrimaryField, EmailVerificationConfig, PasswordResetConfig, RefreshTokenConfig, MfaConfig, MfaEmailOtpConfig };
+export type { PrimaryField, EmailVerificationConfig, PasswordResetConfig, RefreshTokenConfig, MfaConfig, MfaEmailOtpConfig, MfaWebAuthnConfig };
 export interface BotProtectionConfig {
     /**
      * List of IPv4 CIDRs (e.g. "198.51.100.0/24"), IPv4 addresses, or IPv6 addresses to block outright.
@@ -203,9 +220,23 @@ export interface BotProtectionConfig {
      */
     fingerprintRateLimit?: boolean;
 }
+export interface CsrfConfig {
+    /** Enable CSRF protection for cookie-authenticated state-changing requests. */
+    enabled: boolean;
+    /** Paths exempt from CSRF checks (in addition to built-in OAuth callback exemptions). Uses prefix matching when path ends with "*". */
+    exemptPaths?: string[];
+    /** Also validate Origin header against CORS origins. Default: true. */
+    checkOrigin?: boolean;
+}
 export interface SecurityConfig {
     /** CORS origins. Defaults to "*" */
     cors?: string | string[];
+    /** Additional security headers to set via Hono's secureHeaders middleware.
+     *  Pass a Content-Security-Policy, Permissions-Policy, etc. */
+    headers?: {
+        contentSecurityPolicy?: string;
+        permissionsPolicy?: string;
+    };
     /** Global rate limit. Defaults to 100 req / 60s */
     rateLimit?: {
         windowMs: number;
@@ -224,6 +255,18 @@ export interface SecurityConfig {
      * Runs before IP rate limiting so blocked IPs are rejected immediately.
      */
     botProtection?: BotProtectionConfig;
+    /**
+     * Trusted proxy configuration for IP extraction.
+     * - `false` (default): use socket-level IP only, ignore X-Forwarded-For entirely.
+     * - A number N: trust N proxy hops — take the Nth-from-right IP in the X-Forwarded-For chain.
+     */
+    trustProxy?: false | number;
+    /**
+     * CSRF protection for cookie-based auth. Opt-in.
+     * Uses signed double-submit cookie pattern with HMAC-SHA256.
+     * Only validates when the auth cookie is present on state-changing requests.
+     */
+    csrf?: CsrfConfig;
 }
 export interface ModelSchemasConfig {
     /**

package/dist/app.js

@@ -7,8 +7,8 @@ import { HttpError } from "./lib/HttpError";
 import { rateLimit } from "./middleware/rateLimit";
 import { bearerAuth } from "./middleware/bearerAuth";
 import { identify } from "./middleware/identify";
-import { HEADER_USER_TOKEN, HEADER_REFRESH_TOKEN } from "./lib/constants";
-import { setAppName, setAppRoles, setDefaultRole, setPrimaryField, setEmailVerificationConfig, setPasswordResetConfig, setMaxSessions, setPersistSessionMetadata, setIncludeInactiveSessions, setTrackLastActive, setRefreshTokenConfig, setMfaConfig } from "./lib/appConfig";
+import { HEADER_USER_TOKEN, HEADER_REFRESH_TOKEN, HEADER_CSRF_TOKEN } from "./lib/constants";
+import { setAppName, setAppRoles, setDefaultRole, setPrimaryField, setEmailVerificationConfig, setPasswordResetConfig, setPasswordPolicy, setMaxSessions, setPersistSessionMetadata, setIncludeInactiveSessions, setTrackLastActive, setRefreshTokenConfig, setMfaConfig, setCsrfEnabled } from "./lib/appConfig";
 import { setEmailVerificationStore } from "./lib/emailVerification";
 import { setPasswordResetStore } from "./lib/resetPassword";
 import { setAuthRateLimitStore } from "./lib/authRateLimit";
@@ -16,6 +16,7 @@ import { setAuthAdapter } from "./lib/authAdapter";
 import { mongoAuthAdapter } from "./adapters/mongoAuth";
 import { memoryAuthAdapter } from "./adapters/memoryAuth";
 import { initOAuthProviders, getConfiguredOAuthProviders, setOAuthStateStore } from "./lib/oauth";
+import { setOAuthCodeStore } from "./lib/oauthCode";
 import { createOAuthRouter } from "./routes/oauth";
 import { connectMongo, connectAuthMongo, connectAppMongo } from "./lib/mongo";
 import { connectRedis } from "./lib/redis";
@@ -26,7 +27,13 @@ export const createApp = async (config) => {
     const { routesDir, app: appConfig = {}, auth: authConfig = {}, security: securityConfig = {}, middleware = [], db = {}, } = config;
     const appName = appConfig.name ?? "Bun Core API";
     const openApiVersion = appConfig.version ?? "1.0.0";
+    // Trust-proxy for IP extraction
+    const { setTrustProxy } = await import("./lib/clientIp");
+    setTrustProxy(securityConfig.trustProxy ?? false);
     const corsOrigins = securityConfig.cors ?? "*";
+    if (corsOrigins === "*" && process.env.NODE_ENV === "production") {
+        console.warn("[security] CORS is set to wildcard (*) in production. Configure security.cors with specific origins to restrict cross-origin access.");
+    }
     const rlConfig = securityConfig.rateLimit ?? { windowMs: 60_000, max: 100 };
     const botCfg = securityConfig.botProtection ?? {};
     const enableBearerAuth = securityConfig.bearerAuth !== false;
@@ -37,6 +44,29 @@ export const createApp = async (config) => {
     const explicitAuthAdapter = authConfig.adapter;
     const oauthProviders = authConfig.oauth?.providers;
     const postOAuthRedirect = authConfig.oauth?.postRedirect ?? "/";
+    const allowedRedirectUrls = authConfig.oauth?.allowedRedirectUrls;
+    // Validate postRedirect against allowlist at startup (not per-request)
+    if (allowedRedirectUrls && postOAuthRedirect !== "/") {
+        try {
+            const redirectUrl = new URL(postOAuthRedirect);
+            const allowed = allowedRedirectUrls.some((u) => {
+                try {
+                    return new URL(u).origin === redirectUrl.origin;
+                }
+                catch {
+                    return false;
+                }
+            });
+            if (!allowed) {
+                throw new Error(`createApp: oauth.postRedirect "${postOAuthRedirect}" is not in the allowedRedirectUrls list. Add its origin to oauth.allowedRedirectUrls.`);
+            }
+        }
+        catch (e) {
+            if (e instanceof Error && e.message.startsWith("createApp:"))
+                throw e;
+            // Relative path — always allowed
+        }
+    }
     const roles = authConfig.roles ?? [];
     const defaultRole = authConfig.defaultRole;
     const primaryField = authConfig.primaryField ?? "email";
@@ -63,6 +93,7 @@ export const createApp = async (config) => {
     }
     setSessionStore(sessions);
     setOAuthStateStore(oauthState);
+    setOAuthCodeStore(oauthState);
     setCacheStore(cache);
     if (mongo === "single")
         await connectMongo();
@@ -104,6 +135,7 @@ export const createApp = async (config) => {
     setEmailVerificationConfig(emailVerification ?? null);
     setEmailVerificationStore(sessions);
     setPasswordResetConfig(passwordReset ?? null);
+    setPasswordPolicy(authConfig.passwordPolicy ?? {});
     setPasswordResetStore(sessions);
     setAuthRateLimitStore(authRateLimit?.store ?? (enableRedis ? "redis" : "memory"));
     setMaxSessions(sessionPolicy.maxSessions ?? 6);
@@ -126,8 +158,26 @@ export const createApp = async (config) => {
     const bearerAuthBypass = [...DEFAULT_BYPASS, ...oauthBypass, ...extraBypass];
     const app = new OpenAPIHono();
     app.use(logger());
+    const headerOpts = {};
+    if (securityConfig.headers?.contentSecurityPolicy) {
+        headerOpts["Content-Security-Policy"] = securityConfig.headers.contentSecurityPolicy;
+    }
+    if (securityConfig.headers?.permissionsPolicy) {
+        headerOpts["Permissions-Policy"] = securityConfig.headers.permissionsPolicy;
+    }
     app.use(secureHeaders());
-    app.use(cors({ origin: corsOrigins, allowHeaders: ["Content-Type", "Authorization", HEADER_USER_TOKEN, HEADER_REFRESH_TOKEN], exposeHeaders: ["x-cache"], credentials: true }));
+    if (Object.keys(headerOpts).length > 0) {
+        app.use(async (c, next) => {
+            await next();
+            for (const [k, v] of Object.entries(headerOpts)) {
+                c.res.headers.set(k, v);
+            }
+        });
+    }
+    const corsAllowHeaders = ["Content-Type", "Authorization", HEADER_USER_TOKEN, HEADER_REFRESH_TOKEN];
+    if (securityConfig.csrf?.enabled)
+        corsAllowHeaders.push(HEADER_CSRF_TOKEN);
+    app.use(cors({ origin: corsOrigins, allowHeaders: corsAllowHeaders, exposeHeaders: ["x-cache"], credentials: true }));
     if ((botCfg.blockList?.length ?? 0) > 0) {
         const { botProtection } = await import("./middleware/botProtection");
         app.use(botProtection({ blockList: botCfg.blockList }));
@@ -143,8 +193,33 @@ export const createApp = async (config) => {
         });
     }
     app.use(identify);
+    // CSRF protection (after identify so we can check for auth cookie presence)
+    if (securityConfig.csrf?.enabled) {
+        setCsrfEnabled(true);
+        const { csrfProtection } = await import("./middleware/csrf");
+        const csrfExemptPaths = [
+            ...oauthBypass.filter(p => p.includes("/callback")),
+            ...(securityConfig.csrf.exemptPaths ?? []),
+        ];
+        app.use(csrfProtection({
+            exemptPaths: csrfExemptPaths,
+            checkOrigin: securityConfig.csrf.checkOrigin ?? true,
+            allowedOrigins: corsOrigins,
+        }));
+    }
     // Tenant resolution middleware (after identify, before user middleware + routes)
     if (config.tenancy) {
+        if (!config.tenancy.onResolve) {
+            if (process.env.NODE_ENV === "production") {
+                throw new Error("[security] Tenancy is configured without an onResolve callback. " +
+                    "In production, onResolve is required to validate tenant IDs and prevent cross-tenant access. " +
+                    "Provide tenancy.onResolve or remove the tenancy config.");
+            }
+            else {
+                console.warn("[security] Tenancy is configured without an onResolve callback — " +
+                    "tenant IDs will be trusted without validation. This is unsafe in production.");
+            }
+        }
         const { createTenantMiddleware } = await import("./middleware/tenant");
         app.use(createTenantMiddleware(config.tenancy));
     }
@@ -218,7 +293,7 @@ export const createApp = async (config) => {
             setMfaChallengeSqliteDb(getDb());
         }
         const { createMfaRouter } = await import(`${coreRoutesDir}/mfa`);
-        app.route("/", createMfaRouter());
+        app.route("/", createMfaRouter({ rateLimit: authRateLimit }));
     }
     if (config.jobs?.statusEndpoint) {
         const { createJobsRouter } = await import(`${coreRoutesDir}/jobs`);

package/dist/index.d.ts

@@ -1,12 +1,13 @@
 export { createApp } from "./app";
 export { createServer } from "./server";
-export type { CreateAppConfig, ModelSchemasConfig, DbConfig, AppMeta, AuthConfig, AuthRateLimitConfig, AccountDeletionConfig, OAuthConfig, SecurityConfig, BotProtectionConfig, PrimaryField, EmailVerificationConfig, PasswordResetConfig, RefreshTokenConfig, MfaConfig, MfaEmailOtpConfig, JobsConfig, TenancyConfig, TenantConfig } from "./app";
+export type { CreateAppConfig, ModelSchemasConfig, DbConfig, AppMeta, AuthConfig, AuthRateLimitConfig, AccountDeletionConfig, OAuthConfig, SecurityConfig, CsrfConfig, BotProtectionConfig, PrimaryField, EmailVerificationConfig, PasswordResetConfig, RefreshTokenConfig, MfaConfig, MfaEmailOtpConfig, MfaWebAuthnConfig, JobsConfig, TenancyConfig, TenantConfig } from "./app";
+export type { PasswordPolicyConfig } from "./lib/appConfig";
 export type { CreateServerConfig, WsConfig } from "./server";
 export { appConnection, authConnection, mongoose, connectMongo, connectAuthMongo, connectAppMongo, disconnectMongo } from "./lib/mongo";
 export { connectRedis, disconnectRedis, getRedis } from "./lib/redis";
 export { getAppRoles } from "./lib/appConfig";
 export { HttpError } from "./lib/HttpError";
-export { COOKIE_TOKEN, HEADER_USER_TOKEN, COOKIE_REFRESH_TOKEN, HEADER_REFRESH_TOKEN } from "./lib/constants";
+export { COOKIE_TOKEN, HEADER_USER_TOKEN, COOKIE_REFRESH_TOKEN, HEADER_REFRESH_TOKEN, COOKIE_CSRF_TOKEN, HEADER_CSRF_TOKEN } from "./lib/constants";
 export { createRouter } from "./lib/context";
 export { createRoute, withSecurity, registerSchema, registerSchemas } from "./lib/createRoute";
 export { zodToMongoose } from "./lib/zodToMongoose";
@@ -17,12 +18,16 @@ export type { AppEnv, AppVariables } from "./lib/context";
 export { signToken, verifyToken } from "./lib/jwt";
 export { log } from "./lib/logger";
 export { createResetToken, consumeResetToken, setPasswordResetStore } from "./lib/resetPassword";
+export { timingSafeEqual, sha256 } from "./lib/crypto";
+export { getClientIp, setTrustProxy } from "./lib/clientIp";
+export { storeOAuthCode, consumeOAuthCode, setOAuthCodeStore } from "./lib/oauthCode";
+export type { OAuthCodePayload } from "./lib/oauthCode";
 export { createSession, getSession, deleteSession, getUserSessions, getActiveSessionCount, evictOldestSession, updateSessionLastActive, setSessionStore, deleteUserSessions, setRefreshToken, getSessionByRefreshToken, rotateRefreshToken } from "./lib/session";
 export type { SessionMetadata, SessionInfo, RefreshResult } from "./lib/session";
 export { createVerificationToken, getVerificationToken, deleteVerificationToken } from "./lib/emailVerification";
-export { createMfaChallenge, consumeMfaChallenge, replaceMfaChallengeOtp, setMfaChallengeStore } from "./lib/mfaChallenge";
-export type { MfaChallengeData } from "./lib/mfaChallenge";
-export { bustAuthLimit, trackAttempt, isLimited } from "./lib/authRateLimit";
+export { createMfaChallenge, consumeMfaChallenge, replaceMfaChallengeOtp, setMfaChallengeStore, createWebAuthnRegistrationChallenge, consumeWebAuthnRegistrationChallenge, clearMemoryMfaChallenges } from "./lib/mfaChallenge";
+export type { MfaChallengeData, MfaChallengeOptions, MfaChallengePurpose } from "./lib/mfaChallenge";
+export { bustAuthLimit, trackAttempt, isLimited, clearMemoryRateLimitStore } from "./lib/authRateLimit";
 export type { LimitOpts } from "./lib/authRateLimit";
 export { validate } from "./lib/validate";
 export { bearerAuth } from "./middleware/bearerAuth";
@@ -34,12 +39,14 @@ export type { RateLimitOptions } from "./middleware/rateLimit";
 export { userAuth } from "./middleware/userAuth";
 export { requireRole } from "./middleware/requireRole";
 export { requireVerifiedEmail } from "./middleware/requireVerifiedEmail";
-export { cacheResponse, bustCache, bustCachePattern, setCacheStore } from "./middleware/cacheResponse";
+export { csrfProtection, refreshCsrfToken, clearCsrfToken } from "./middleware/csrf";
+export type { CsrfMiddlewareOptions } from "./middleware/csrf";
+export { cacheResponse, bustCache, bustCachePattern, setCacheStore, getCacheModel } from "./middleware/cacheResponse";
 export { buildFingerprint } from "./lib/fingerprint";
 export { sqliteAuthAdapter, setSqliteDb, startSqliteCleanup } from "./adapters/sqliteAuth";
 export { memoryAuthAdapter, clearMemoryStore } from "./adapters/memoryAuth";
 export { setUserRoles, addUserRole, removeUserRole, getTenantRoles, setTenantRoles, addTenantRole, removeTenantRole } from "./lib/roles";
-export type { AuthAdapter, OAuthProfile } from "./lib/authAdapter";
+export type { AuthAdapter, OAuthProfile, WebAuthnCredential } from "./lib/authAdapter";
 export type { OAuthProviderConfig } from "./lib/oauth";
 export { websocket, createWsUpgradeHandler } from "./ws/index";
 export type { SocketData } from "./ws/index";

package/dist/index.js

@@ -7,7 +7,7 @@ export { connectRedis, disconnectRedis, getRedis } from "./lib/redis";
 // Lib utilities
 export { getAppRoles } from "./lib/appConfig";
 export { HttpError } from "./lib/HttpError";
-export { COOKIE_TOKEN, HEADER_USER_TOKEN, COOKIE_REFRESH_TOKEN, HEADER_REFRESH_TOKEN } from "./lib/constants";
+export { COOKIE_TOKEN, HEADER_USER_TOKEN, COOKIE_REFRESH_TOKEN, HEADER_REFRESH_TOKEN, COOKIE_CSRF_TOKEN, HEADER_CSRF_TOKEN } from "./lib/constants";
 export { createRouter } from "./lib/context";
 export { createRoute, withSecurity, registerSchema, registerSchemas } from "./lib/createRoute";
 export { zodToMongoose } from "./lib/zodToMongoose";
@@ -15,10 +15,13 @@ export { createDtoMapper } from "./lib/createDtoMapper";
 export { signToken, verifyToken } from "./lib/jwt";
 export { log } from "./lib/logger";
 export { createResetToken, consumeResetToken, setPasswordResetStore } from "./lib/resetPassword";
+export { timingSafeEqual, sha256 } from "./lib/crypto";
+export { getClientIp, setTrustProxy } from "./lib/clientIp";
+export { storeOAuthCode, consumeOAuthCode, setOAuthCodeStore } from "./lib/oauthCode";
 export { createSession, getSession, deleteSession, getUserSessions, getActiveSessionCount, evictOldestSession, updateSessionLastActive, setSessionStore, deleteUserSessions, setRefreshToken, getSessionByRefreshToken, rotateRefreshToken } from "./lib/session";
 export { createVerificationToken, getVerificationToken, deleteVerificationToken } from "./lib/emailVerification";
-export { createMfaChallenge, consumeMfaChallenge, replaceMfaChallengeOtp, setMfaChallengeStore } from "./lib/mfaChallenge";
-export { bustAuthLimit, trackAttempt, isLimited } from "./lib/authRateLimit";
+export { createMfaChallenge, consumeMfaChallenge, replaceMfaChallengeOtp, setMfaChallengeStore, createWebAuthnRegistrationChallenge, consumeWebAuthnRegistrationChallenge, clearMemoryMfaChallenges } from "./lib/mfaChallenge";
+export { bustAuthLimit, trackAttempt, isLimited, clearMemoryRateLimitStore } from "./lib/authRateLimit";
 export { validate } from "./lib/validate";
 // Middleware
 export { bearerAuth } from "./middleware/bearerAuth";
@@ -28,7 +31,8 @@ export { rateLimit } from "./middleware/rateLimit";
 export { userAuth } from "./middleware/userAuth";
 export { requireRole } from "./middleware/requireRole";
 export { requireVerifiedEmail } from "./middleware/requireVerifiedEmail";
-export { cacheResponse, bustCache, bustCachePattern, setCacheStore } from "./middleware/cacheResponse";
+export { csrfProtection, refreshCsrfToken, clearCsrfToken } from "./middleware/csrf";
+export { cacheResponse, bustCache, bustCachePattern, setCacheStore, getCacheModel } from "./middleware/cacheResponse";
 // Lib utilities (bot protection)
 export { buildFingerprint } from "./lib/fingerprint";
 // Models

package/dist/lib/appConfig.d.ts

@@ -13,6 +13,16 @@ export interface PasswordResetConfig {
     /** Called with the user's email and the reset token. Use to send the reset email. */
     onSend: (email: string, token: string) => Promise<void>;
 }
+export interface PasswordPolicyConfig {
+    /** Minimum password length. Defaults to 8. */
+    minLength?: number;
+    /** Require at least one letter (a–z or A–Z). Defaults to true. */
+    requireLetter?: boolean;
+    /** Require at least one digit (0–9). Defaults to true. */
+    requireDigit?: boolean;
+    /** Require at least one special character. Defaults to false. */
+    requireSpecial?: boolean;
+}
 export declare const setAppName: (name: string) => void;
 export declare const getAppName: () => string;
 export declare const setAppRoles: (roles: string[]) => void;
@@ -26,6 +36,8 @@ export declare const getEmailVerificationConfig: () => EmailVerificationConfig |
 export declare const getTokenExpiry: () => number;
 export declare const setPasswordResetConfig: (config: PasswordResetConfig | null) => void;
 export declare const getPasswordResetConfig: () => PasswordResetConfig | null;
+export declare const setPasswordPolicy: (config: PasswordPolicyConfig) => void;
+export declare const getPasswordPolicy: () => PasswordPolicyConfig;
 export declare const getResetTokenExpiry: () => number;
 export declare const setMaxSessions: (n: number) => void;
 export declare const getMaxSessions: () => number;
@@ -55,6 +67,24 @@ export interface MfaEmailOtpConfig {
     /** OTP code length. Default: 6. */
     codeLength?: number;
 }
+export interface MfaWebAuthnConfig {
+    /** Relying Party ID — typically the domain (e.g. "example.com"). Required. */
+    rpId: string;
+    /** Relying Party name shown in browser prompts. Defaults to app name. */
+    rpName?: string;
+    /** Expected origin(s) — full origin URL(s) like "https://example.com". Required. */
+    origin: string | string[];
+    /** Supported attestation conveyance preference. Default: "none". */
+    attestationType?: "none" | "direct" | "enterprise";
+    /** Authenticator attachment preference. Default: undefined (allows both platform + cross-platform). */
+    authenticatorAttachment?: "platform" | "cross-platform";
+    /** User verification requirement. Default: "preferred". */
+    userVerification?: "required" | "preferred" | "discouraged";
+    /** Timeout for ceremonies in milliseconds. Default: 60000 (60s). */
+    timeout?: number;
+    /** Reject authentication when sign count goes backward (cloned key detection). Default: false (accept + warn). */
+    strictSignCount?: boolean;
+}
 export interface MfaConfig {
     /** Issuer name shown in authenticator apps. Defaults to app name. */
     issuer?: string;
@@ -70,6 +100,8 @@ export interface MfaConfig {
     challengeTtlSeconds?: number;
     /** Email OTP configuration. When set, enables email-based MFA as an option. */
     emailOtp?: MfaEmailOtpConfig;
+    /** WebAuthn/FIDO2 configuration. When set, enables security key MFA routes. */
+    webauthn?: MfaWebAuthnConfig;
 }
 export declare const setMfaConfig: (config: MfaConfig | null) => void;
 export declare const getMfaConfig: () => MfaConfig | null;
@@ -81,3 +113,6 @@ export declare const getMfaRecoveryCodeCount: () => number;
 export declare const getMfaChallengeTtl: () => number;
 export declare const getMfaEmailOtpConfig: () => MfaEmailOtpConfig | null;
 export declare const getMfaEmailOtpCodeLength: () => number;
+export declare const getMfaWebAuthnConfig: () => MfaWebAuthnConfig | null;
+export declare const setCsrfEnabled: (v: boolean) => void;
+export declare const getCsrfEnabled: () => boolean;

package/dist/lib/appConfig.js

@@ -4,6 +4,7 @@ let defaultRole = null;
 let _primaryField = "email";
 let _emailVerificationConfig = null;
 let _passwordResetConfig = null;
+let _passwordPolicy = {};
 export const setAppName = (name) => { appName = name; };
 export const getAppName = () => appName;
 export const setAppRoles = (roles) => { appRoles = roles; };
@@ -18,6 +19,8 @@ const DEFAULT_TOKEN_EXPIRY = 60 * 60 * 24; // 24 hours
 export const getTokenExpiry = () => _emailVerificationConfig?.tokenExpiry ?? DEFAULT_TOKEN_EXPIRY;
 export const setPasswordResetConfig = (config) => { _passwordResetConfig = config; };
 export const getPasswordResetConfig = () => _passwordResetConfig;
+export const setPasswordPolicy = (config) => { _passwordPolicy = config; };
+export const getPasswordPolicy = () => _passwordPolicy;
 const DEFAULT_RESET_TOKEN_EXPIRY = 60 * 60; // 1 hour
 export const getResetTokenExpiry = () => _passwordResetConfig?.tokenExpiry ?? DEFAULT_RESET_TOKEN_EXPIRY;
 // ---------------------------------------------------------------------------
@@ -55,3 +58,10 @@ export const getMfaRecoveryCodeCount = () => _mfaConfig?.recoveryCodes ?? 10;
 export const getMfaChallengeTtl = () => _mfaConfig?.challengeTtlSeconds ?? 300;
 export const getMfaEmailOtpConfig = () => _mfaConfig?.emailOtp ?? null;
 export const getMfaEmailOtpCodeLength = () => _mfaConfig?.emailOtp?.codeLength ?? 6;
+export const getMfaWebAuthnConfig = () => _mfaConfig?.webauthn ?? null;
+// ---------------------------------------------------------------------------
+// CSRF config
+// ---------------------------------------------------------------------------
+let _csrfEnabled = false;
+export const setCsrfEnabled = (v) => { _csrfEnabled = v; };
+export const getCsrfEnabled = () => _csrfEnabled;

package/dist/lib/authAdapter.d.ts

@@ -3,6 +3,20 @@ export interface OAuthProfile {
     name?: string;
     avatarUrl?: string;
 }
+export interface WebAuthnCredential {
+    /** Base64url-encoded credential ID. */
+    credentialId: string;
+    /** Base64url-encoded public key. */
+    publicKey: string;
+    /** Counter for signature verification (replay protection). */
+    signCount: number;
+    /** Transport hints from the authenticator (usb, ble, nfc, internal). */
+    transports?: string[];
+    /** User-assigned name for the key (e.g. "YubiKey 5"). */
+    name?: string;
+    /** When the credential was registered (epoch ms). */
+    createdAt: number;
+}
 export interface AuthAdapter {
     findByEmail(email: string): Promise<{
         id: string;
@@ -78,6 +92,16 @@ export interface AuthAdapter {
     addTenantRole?(userId: string, tenantId: string, role: string): Promise<void>;
     /** Optional. Remove a single role from a user within a specific tenant. */
     removeTenantRole?(userId: string, tenantId: string, role: string): Promise<void>;
+    /** Optional. Get all WebAuthn credentials for a user. */
+    getWebAuthnCredentials?(userId: string): Promise<WebAuthnCredential[]>;
+    /** Optional. Add a WebAuthn credential for a user. */
+    addWebAuthnCredential?(userId: string, credential: WebAuthnCredential): Promise<void>;
+    /** Optional. Remove a WebAuthn credential by its credential ID. */
+    removeWebAuthnCredential?(userId: string, credentialId: string): Promise<void>;
+    /** Optional. Update the sign count for a WebAuthn credential after successful authentication. */
+    updateWebAuthnCredentialSignCount?(userId: string, credentialId: string, signCount: number): Promise<void>;
+    /** Optional. Find the user who owns a WebAuthn credential. Returns userId or null. Used for cross-user uniqueness checks. */
+    findUserByWebAuthnCredentialId?(credentialId: string): Promise<string | null>;
 }
 export declare const setAuthAdapter: (adapter: AuthAdapter) => void;
 export declare const getAuthAdapter: () => AuthAdapter;

package/dist/lib/authRateLimit.d.ts

@@ -9,3 +9,5 @@ export declare const isLimited: (key: string, opts: LimitOpts) => Promise<boolea
 export declare const trackAttempt: (key: string, opts: LimitOpts) => Promise<boolean>;
 /** Resets a rate limit key. Use on login success or for admin unlock. */
 export declare const bustAuthLimit: (key: string) => Promise<void>;
+/** Clears all in-memory rate limit entries. Called by clearMemoryStore(). */
+export declare const clearMemoryRateLimitStore: () => void;

package/dist/lib/authRateLimit.js

@@ -75,3 +75,7 @@ export const trackAttempt = async (key, opts) => {
 export const bustAuthLimit = async (key) => {
     await _store.delete(key);
 };
+/** Clears all in-memory rate limit entries. Called by clearMemoryStore(). */
+export const clearMemoryRateLimitStore = () => {
+    _memoryStore.clear();
+};

package/dist/lib/clientIp.d.ts

@@ -0,0 +1,14 @@
+import type { Context } from "hono";
+export declare const setTrustProxy: (value: false | number) => void;
+/**
+ * Returns the client IP address, respecting the `trustProxy` setting.
+ *
+ * - When `trustProxy` is `false`: returns the socket-level IP (via Bun's
+ *   `server.requestIP()`), ignoring `X-Forwarded-For` entirely.
+ * - When `trustProxy` is a number N: takes the Nth-from-right entry in the
+ *   `X-Forwarded-For` chain (skipping N trusted proxy hops), falling back to
+ *   the socket-level IP.
+ *
+ * Returns `"unknown"` if no IP can be determined.
+ */
+export declare const getClientIp: (c: Context<any>) => string;