@lastshotlabs/bunshot 0.0.16 → 0.0.19

package/dist/routes/oauth.js

@@ -3,14 +3,18 @@ import { createRouter } from "../lib/context";
 import { setCookie } from "hono/cookie";
 import { decodeIdToken } from "arctic";
 import { z } from "zod";
-import { getGoogle, getApple, storeOAuthState, consumeOAuthState, generateState, generateCodeVerifier, } from "../lib/oauth";
+import { getGoogle, getApple, getMicrosoft, getGitHub, storeOAuthState, consumeOAuthState, generateState, generateCodeVerifier, } from "../lib/oauth";
 import { getAuthAdapter } from "../lib/authAdapter";
 import { HttpError } from "../lib/HttpError";
 import { signToken } from "../lib/jwt";
 import { createSession, getActiveSessionCount, evictOldestSession, setRefreshToken } from "../lib/session";
+import { storeOAuthCode, consumeOAuthCode } from "../lib/oauthCode";
 import { COOKIE_TOKEN, COOKIE_REFRESH_TOKEN } from "../lib/constants";
 import { userAuth } from "../middleware/userAuth";
-import { getDefaultRole, getMaxSessions, getRefreshTokenConfig, getAccessTokenExpiry, getRefreshTokenExpiry } from "../lib/appConfig";
+import { getDefaultRole, getMaxSessions, getRefreshTokenConfig, getAccessTokenExpiry, getRefreshTokenExpiry, getCsrfEnabled } from "../lib/appConfig";
+import { refreshCsrfToken } from "../middleware/csrf";
+import { trackAttempt } from "../lib/authRateLimit";
+import { getClientIp } from "../lib/clientIp";
 const isProd = process.env.NODE_ENV === "production";
 const cookieOptions = (maxAge) => ({
     httpOnly: true,
@@ -44,27 +48,30 @@ const finishOAuth = async (c, provider, providerId, profile, postLoginRedirect)
     const rtConfig = getRefreshTokenConfig();
     const expirySeconds = rtConfig ? getAccessTokenExpiry() : undefined;
     const token = await signToken(user.id, sessionId, expirySeconds);
-    const xff = c.req.header("x-forwarded-for");
     const metadata = {
-        ipAddress: (xff ? xff.split(",")[0]?.trim() : undefined) ?? c.req.header("x-real-ip") ?? undefined,
+        ipAddress: getClientIp(c),
         userAgent: c.req.header("user-agent") ?? undefined,
     };
     while (await getActiveSessionCount(user.id) >= getMaxSessions()) {
         await evictOldestSession(user.id);
     }
     await createSession(user.id, token, sessionId, metadata);
-    setCookie(c, COOKIE_TOKEN, token, cookieOptions(rtConfig ? getAccessTokenExpiry() : undefined));
     let refreshTokenValue;
     if (rtConfig) {
         refreshTokenValue = crypto.randomUUID();
         await setRefreshToken(sessionId, refreshTokenValue);
-        setCookie(c, COOKIE_REFRESH_TOKEN, refreshTokenValue, cookieOptions(getRefreshTokenExpiry()));
     }
-    // Append token to redirect so non-browser clients (mobile deep links) can extract it.
-    // Browser apps can safely ignore the query param.
+    // Store a one-time authorization code instead of exposing the token in the redirect URL.
+    // The client exchanges this code via POST /auth/oauth/exchange to get the session token.
+    const code = await storeOAuthCode({
+        token,
+        userId: user.id,
+        email: profile.email,
+        refreshToken: refreshTokenValue,
+    });
     try {
         const url = new URL(postLoginRedirect);
-        url.searchParams.set("token", token);
+        url.searchParams.set("code", code);
         if (profile.email)
             url.searchParams.set("user", profile.email);
         return c.redirect(url.toString());
@@ -73,7 +80,7 @@ const finishOAuth = async (c, provider, providerId, profile, postLoginRedirect)
         // Relative path fallback
         const sep = postLoginRedirect.includes("?") ? "&" : "?";
         const userParam = profile.email ? `&user=${encodeURIComponent(profile.email)}` : "";
-        return c.redirect(`${postLoginRedirect}${sep}token=${token}${userParam}`);
+        return c.redirect(`${postLoginRedirect}${sep}code=${code}${userParam}`);
     }
 };
 export const createOAuthRouter = (providers, postLoginRedirect) => {
@@ -246,5 +253,262 @@ export const createOAuthRouter = (providers, postLoginRedirect) => {
             return c.redirect(url.toString());
         });
     }
+    // ─── Microsoft ──────────────────────────────────────────────────────────
+    if (providers.includes("microsoft")) {
+        router.openapi(createRoute({
+            method: "get",
+            path: "/auth/microsoft",
+            summary: "Initiate Microsoft OAuth",
+            description: "Redirects the user to Microsoft's sign-in page to begin the OAuth login flow. After the user authorizes, Microsoft redirects back to `/auth/microsoft/callback`.",
+            tags,
+            responses: {
+                302: { description: "Redirect to Microsoft's OAuth sign-in page." },
+                500: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "OAuth provider not configured." },
+            },
+        }), async (c) => {
+            const state = generateState();
+            const codeVerifier = generateCodeVerifier();
+            await storeOAuthState(state, codeVerifier);
+            const url = getMicrosoft().createAuthorizationURL(state, codeVerifier, ["openid", "profile", "email"]);
+            return c.redirect(url.toString());
+        });
+        router.openapi(createRoute({
+            method: "get",
+            path: "/auth/microsoft/callback",
+            summary: "Microsoft OAuth callback",
+            description: "Handles the redirect from Microsoft after user authorization. Validates the OAuth state and code, then creates or finds the user account. Sets a session cookie and redirects to the configured post-login URL.",
+            tags,
+            request: {
+                query: z.object({
+                    code: z.string().describe("Authorization code from Microsoft."),
+                    state: z.string().describe("OAuth state parameter for CSRF protection."),
+                }),
+            },
+            responses: {
+                302: { description: "Redirect to the post-login URL with session token." },
+                400: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "Invalid callback parameters or expired state." },
+            },
+        }), async (c) => {
+            const { code, state } = c.req.valid("query");
+            if (!code || !state)
+                return c.json({ error: "Invalid callback" }, 400);
+            const stored = await consumeOAuthState(state);
+            if (!stored?.codeVerifier)
+                return c.json({ error: "Invalid or expired state" }, 400);
+            const tokens = await getMicrosoft().validateAuthorizationCode(code, stored.codeVerifier);
+            const info = await fetch("https://graph.microsoft.com/v1.0/me", {
+                headers: { Authorization: `Bearer ${tokens.accessToken()}` },
+            }).then((r) => r.json());
+            if (stored.linkUserId) {
+                const adapter = getAuthAdapter();
+                if (!adapter.linkProvider)
+                    return c.json({ error: "Auth adapter does not support linkProvider" }, 500);
+                await adapter.linkProvider(stored.linkUserId, "microsoft", info.id);
+                const sep = postLoginRedirect.includes("?") ? "&" : "?";
+                return c.redirect(`${postLoginRedirect}${sep}linked=microsoft`);
+            }
+            return finishOAuth(c, "microsoft", info.id, { email: info.mail ?? info.userPrincipalName, name: info.displayName }, postLoginRedirect);
+        });
+        router.use("/auth/microsoft/link", userAuth);
+        router.openapi(withSecurity(createRoute({
+            method: "get",
+            path: "/auth/microsoft/link",
+            summary: "Link Microsoft account",
+            description: "Initiates an OAuth flow to link a Microsoft account to the authenticated user. Requires a valid session. Redirects to Microsoft's sign-in page.",
+            tags,
+            responses: {
+                302: { description: "Redirect to Microsoft's OAuth sign-in page." },
+                401: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "No valid session." },
+            },
+        }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+            const state = generateState();
+            const codeVerifier = generateCodeVerifier();
+            await storeOAuthState(state, codeVerifier, c.get("authUserId"));
+            const url = getMicrosoft().createAuthorizationURL(state, codeVerifier, ["openid", "profile", "email"]);
+            return c.redirect(url.toString());
+        });
+        router.openapi(withSecurity(createRoute({
+            method: "delete",
+            path: "/auth/microsoft/link",
+            summary: "Unlink Microsoft account",
+            description: "Removes the linked Microsoft OAuth account from the authenticated user. Requires a valid session.",
+            tags,
+            responses: {
+                204: { description: "Microsoft account unlinked successfully." },
+                401: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "No valid session." },
+                500: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "Auth adapter does not support unlinkProvider." },
+            },
+        }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+            const adapter = getAuthAdapter();
+            if (!adapter.unlinkProvider) {
+                return c.json({ error: "Auth adapter does not support unlinkProvider" }, 500);
+            }
+            await adapter.unlinkProvider(c.get("authUserId"), "microsoft");
+            return c.body(null, 204);
+        });
+    }
+    // ─── GitHub ────────────────────────────────────────────────────────────
+    if (providers.includes("github")) {
+        router.openapi(createRoute({
+            method: "get",
+            path: "/auth/github",
+            summary: "Initiate GitHub OAuth",
+            description: "Redirects the user to GitHub's authorization page to begin the OAuth login flow. After the user authorizes, GitHub redirects back to `/auth/github/callback`.",
+            tags,
+            responses: {
+                302: { description: "Redirect to GitHub's OAuth authorization page." },
+                500: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "OAuth provider not configured." },
+            },
+        }), async (c) => {
+            const state = generateState();
+            await storeOAuthState(state);
+            const url = getGitHub().createAuthorizationURL(state, ["read:user", "user:email"]);
+            return c.redirect(url.toString());
+        });
+        router.openapi(createRoute({
+            method: "get",
+            path: "/auth/github/callback",
+            summary: "GitHub OAuth callback",
+            description: "Handles the redirect from GitHub after user authorization. Validates the OAuth state and code, then creates or finds the user account. Sets a session cookie and redirects to the configured post-login URL.",
+            tags,
+            request: {
+                query: z.object({
+                    code: z.string().describe("Authorization code from GitHub."),
+                    state: z.string().describe("OAuth state parameter for CSRF protection."),
+                }),
+            },
+            responses: {
+                302: { description: "Redirect to the post-login URL with session token." },
+                400: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "Invalid callback parameters or expired state." },
+            },
+        }), async (c) => {
+            const { code, state } = c.req.valid("query");
+            if (!code || !state)
+                return c.json({ error: "Invalid callback" }, 400);
+            const stored = await consumeOAuthState(state);
+            if (!stored)
+                return c.json({ error: "Invalid or expired state" }, 400);
+            const tokens = await getGitHub().validateAuthorizationCode(code);
+            const headers = { Authorization: `Bearer ${tokens.accessToken()}`, "User-Agent": "bunshot" };
+            const info = await fetch("https://api.github.com/user", { headers })
+                .then((r) => r.json());
+            // GitHub may not return email on /user if it's private — fetch from /user/emails
+            let email = info.email;
+            if (!email) {
+                const emails = await fetch("https://api.github.com/user/emails", { headers })
+                    .then((r) => r.json());
+                email = emails.find((e) => e.primary && e.verified)?.email ?? emails.find((e) => e.verified)?.email;
+            }
+            if (stored.linkUserId) {
+                const adapter = getAuthAdapter();
+                if (!adapter.linkProvider)
+                    return c.json({ error: "Auth adapter does not support linkProvider" }, 500);
+                await adapter.linkProvider(stored.linkUserId, "github", String(info.id));
+                const sep = postLoginRedirect.includes("?") ? "&" : "?";
+                return c.redirect(`${postLoginRedirect}${sep}linked=github`);
+            }
+            return finishOAuth(c, "github", String(info.id), { email, name: info.name, avatarUrl: info.avatar_url }, postLoginRedirect);
+        });
+        router.use("/auth/github/link", userAuth);
+        router.openapi(withSecurity(createRoute({
+            method: "get",
+            path: "/auth/github/link",
+            summary: "Link GitHub account",
+            description: "Initiates an OAuth flow to link a GitHub account to the authenticated user. Requires a valid session. Redirects to GitHub's authorization page.",
+            tags,
+            responses: {
+                302: { description: "Redirect to GitHub's OAuth authorization page." },
+                401: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "No valid session." },
+            },
+        }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+            const state = generateState();
+            await storeOAuthState(state, undefined, c.get("authUserId"));
+            const url = getGitHub().createAuthorizationURL(state, ["read:user", "user:email"]);
+            return c.redirect(url.toString());
+        });
+        router.openapi(withSecurity(createRoute({
+            method: "delete",
+            path: "/auth/github/link",
+            summary: "Unlink GitHub account",
+            description: "Removes the linked GitHub OAuth account from the authenticated user. Requires a valid session.",
+            tags,
+            responses: {
+                204: { description: "GitHub account unlinked successfully." },
+                401: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "No valid session." },
+                500: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "Auth adapter does not support unlinkProvider." },
+            },
+        }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+            const adapter = getAuthAdapter();
+            if (!adapter.unlinkProvider) {
+                return c.json({ error: "Auth adapter does not support unlinkProvider" }, 500);
+            }
+            await adapter.unlinkProvider(c.get("authUserId"), "github");
+            return c.body(null, 204);
+        });
+    }
+    // ─── Code Exchange ─────────────────────────────────────────────────────
+    router.openapi(createRoute({
+        method: "post",
+        path: "/auth/oauth/exchange",
+        summary: "Exchange OAuth authorization code for session token",
+        description: "Exchanges a one-time authorization code (received from the OAuth redirect) for a session token. The code is single-use and expires after 60 seconds. Sets session cookies for browser clients; returns the token in the JSON response for mobile/SPA clients.",
+        tags,
+        request: {
+            body: {
+                content: {
+                    "application/json": {
+                        schema: z.object({
+                            code: z.string().describe("One-time authorization code from the OAuth redirect."),
+                        }),
+                    },
+                },
+            },
+        },
+        responses: {
+            200: {
+                content: {
+                    "application/json": {
+                        schema: z.object({
+                            token: z.string().describe("Session JWT."),
+                            userId: z.string().describe("Authenticated user ID."),
+                            email: z.string().optional().describe("User email if available."),
+                            refreshToken: z.string().optional().describe("Refresh token if refresh tokens are configured."),
+                        }),
+                    },
+                },
+                description: "Session token and user info.",
+            },
+            400: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "Missing code parameter." },
+            401: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "Invalid, expired, or already-used code." },
+            429: { content: { "application/json": { schema: OAuthErrorResponse } }, description: "Rate limit exceeded." },
+        },
+    }), async (c) => {
+        // Rate limit by IP to prevent brute-forcing codes within the 60s TTL
+        const ip = getClientIp(c);
+        const limited = await trackAttempt(`oauth-exchange:ip:${ip}`, { max: 20, windowMs: 60_000 });
+        if (limited) {
+            return c.json({ error: "Too many requests" }, 429);
+        }
+        const { code } = c.req.valid("json");
+        if (!code)
+            return c.json({ error: "Missing code" }, 400);
+        const payload = await consumeOAuthCode(code);
+        if (!payload)
+            return c.json({ error: "Invalid or expired code" }, 401);
+        // Set session cookies for browser clients
+        const rtConfig = getRefreshTokenConfig();
+        setCookie(c, COOKIE_TOKEN, payload.token, cookieOptions(rtConfig ? getAccessTokenExpiry() : undefined));
+        if (payload.refreshToken && rtConfig) {
+            setCookie(c, COOKIE_REFRESH_TOKEN, payload.refreshToken, cookieOptions(getRefreshTokenExpiry()));
+        }
+        if (getCsrfEnabled())
+            refreshCsrfToken(c);
+        return c.json({
+            token: payload.token,
+            userId: payload.userId,
+            email: payload.email,
+            refreshToken: payload.refreshToken,
+        }, 200);
+    });
     return router;
 };

package/dist/schemas/auth.d.ts

@@ -8,3 +8,5 @@ export declare const makeLoginSchema: (primaryField: PrimaryField) => z.ZodObjec
     [x: string]: z.ZodString;
     password: z.ZodString;
 }, z.core.$strip>;
+/** Password schema for reset-password — same policy as registration. */
+export declare const resetPasswordSchema: () => z.ZodString;

package/dist/schemas/auth.js

@@ -1,9 +1,30 @@
 import { z } from "zod";
+import { getPasswordPolicy } from "../lib/appConfig";
+/** Build a Zod schema for the password field based on the configured policy.
+ *  Applied to registration and reset-password. Login uses min(1) intentionally
+ *  to avoid locking out users registered under older/weaker policies. */
+const passwordSchema = () => {
+    const policy = getPasswordPolicy();
+    const minLen = policy.minLength ?? 8;
+    let schema = z.string().min(minLen, `Password must be at least ${minLen} characters`);
+    if (policy.requireLetter !== false) {
+        schema = schema.regex(/[a-zA-Z]/, "Password must contain at least one letter");
+    }
+    if (policy.requireDigit !== false) {
+        schema = schema.regex(/\d/, "Password must contain at least one digit");
+    }
+    if (policy.requireSpecial) {
+        schema = schema.regex(/[^a-zA-Z0-9]/, "Password must contain at least one special character");
+    }
+    return schema;
+};
 export const makeRegisterSchema = (primaryField) => z.object({
     [primaryField]: primaryField === "email" ? z.string().email() : z.string().min(3),
-    password: z.string().min(8),
+    password: passwordSchema(),
 });
 export const makeLoginSchema = (primaryField) => z.object({
     [primaryField]: primaryField === "email" ? z.string().email() : z.string().min(1),
     password: z.string().min(1),
 });
+/** Password schema for reset-password — same policy as registration. */
+export const resetPasswordSchema = () => passwordSchema();

package/dist/server.d.ts

@@ -12,6 +12,12 @@ export interface WsConfig<T extends object = object> {
      * ws.data.userId is available for auth checks.
      */
     onRoomSubscribe?: (ws: ServerWebSocket<SocketData<T>>, room: string) => boolean | Promise<boolean>;
+    /**
+     * Maximum allowed WebSocket message size in bytes.
+     * Messages exceeding this limit will cause the connection to be closed with code 1009.
+     * Defaults to 65536 (64 KB).
+     */
+    maxMessageSize?: number;
 }
 export interface CreateServerConfig<T extends object = object> extends CreateAppConfig {
     port?: number;

package/dist/server.js

@@ -6,16 +6,23 @@ export const createServer = async (config) => {
     const app = await createApp(config);
     const port = Number(process.env.PORT ?? config.port ?? 3000);
     const { workersDir, enableWorkers = true, ws: wsConfig = {} } = config;
-    const { handler: userWs, upgradeHandler: wsUpgradeHandler, onRoomSubscribe } = wsConfig;
+    const { handler: userWs, upgradeHandler: wsUpgradeHandler, onRoomSubscribe, maxMessageSize = 65_536 } = wsConfig;
     const defaultOpen = defaultWebsocket.open;
-    const defaultMessage = defaultWebsocket.message;
     const defaultClose = defaultWebsocket.close;
     const defaultDrain = defaultWebsocket.drain;
     const ws = {
         open: userWs?.open ?? defaultOpen,
         async message(socket, message) {
+            const size = typeof message === "string" ? message.length : message.byteLength;
+            if (size > maxMessageSize) {
+                socket.close(1009, "Message too large");
+                return;
+            }
             if (!await handleRoomActions(socket, message, onRoomSubscribe)) {
-                (userWs?.message ?? defaultMessage)(socket, message);
+                if (userWs?.message) {
+                    userWs.message(socket, message);
+                }
+                // No default echo — without a custom handler, non-room messages are silently dropped
             }
         },
         close(socket, code, reason) {

package/dist/services/auth.d.ts

@@ -9,6 +9,7 @@ export interface AuthResult {
     mfaRequired?: boolean;
     mfaToken?: string;
     mfaMethods?: string[];
+    webauthnOptions?: Record<string, unknown>;
 }
 /** Create a session for a user (used internally and by MFA verify). */
 export declare const createSessionForUser: (userId: string, metadata?: SessionMetadata) => Promise<{

package/dist/services/auth.js

@@ -2,10 +2,10 @@ import { getAuthAdapter } from "../lib/authAdapter";
 import { HttpError } from "../lib/HttpError";
 import { signToken, verifyToken } from "../lib/jwt";
 import { createSession, deleteSession, getActiveSessionCount, evictOldestSession, deleteUserSessions, setRefreshToken, getSessionByRefreshToken, rotateRefreshToken } from "../lib/session";
-import { getDefaultRole, getPrimaryField, getEmailVerificationConfig, getMaxSessions, getRefreshTokenConfig, getAccessTokenExpiry, getMfaConfig, getMfaEmailOtpConfig } from "../lib/appConfig";
+import { getDefaultRole, getPrimaryField, getEmailVerificationConfig, getMaxSessions, getRefreshTokenConfig, getAccessTokenExpiry, getMfaConfig, getMfaEmailOtpConfig, getMfaWebAuthnConfig } from "../lib/appConfig";
 import { createVerificationToken } from "../lib/emailVerification";
 import { createMfaChallenge } from "../lib/mfaChallenge";
-import { generateEmailOtpCode } from "./mfa";
+import { generateEmailOtpCode, generateWebAuthnAuthenticationOptions } from "./mfa";
 async function createSessionWithRefreshToken(userId, sessionId, metadata) {
     const rtConfig = getRefreshTokenConfig();
     const expirySeconds = rtConfig ? getAccessTokenExpiry() : undefined;
@@ -47,11 +47,16 @@ export const register = async (identifier, password, metadata) => {
     }
     return { token, userId: user.id, email: identifier, refreshToken };
 };
+// Pre-computed dummy hash so non-existent-user login takes the same time as wrong-password login
+const DUMMY_HASH = await Bun.password.hash("dummy-timing-safe-placeholder");
 export const login = async (identifier, password, metadata) => {
     const adapter = getAuthAdapter();
     const findFn = adapter.findByIdentifier ?? adapter.findByEmail.bind(adapter);
     const user = await findFn(identifier);
-    if (!user || !(await Bun.password.verify(password, user.passwordHash))) {
+    // Always verify against a hash to prevent timing-based user enumeration
+    const hashToVerify = user?.passwordHash ?? DUMMY_HASH;
+    const passwordValid = await Bun.password.verify(password, hashToVerify);
+    if (!user || !passwordValid) {
         throw new HttpError(401, "Invalid credentials");
     }
     // Check email verification before MFA to avoid leaking MFA status to unverified users
@@ -79,8 +84,19 @@ export const login = async (identifier, password, metadata) => {
             if (email)
                 await emailOtpConfig.onSend(email, code);
         }
-        const mfaToken = await createMfaChallenge(user.id, emailOtpHash);
-        return { token: "", userId: user.id, mfaRequired: true, mfaToken, mfaMethods: methods };
+        // Generate WebAuthn authentication options if enabled
+        let webauthnChallenge;
+        let webauthnOptions;
+        const webauthnConfig = getMfaWebAuthnConfig();
+        if (methods.includes("webauthn") && webauthnConfig && adapter.getWebAuthnCredentials) {
+            const result = await generateWebAuthnAuthenticationOptions(user.id);
+            if (result) {
+                webauthnChallenge = result.challenge;
+                webauthnOptions = result.options;
+            }
+        }
+        const mfaToken = await createMfaChallenge(user.id, { emailOtpHash, webauthnChallenge });
+        return { token: "", userId: user.id, mfaRequired: true, mfaToken, mfaMethods: methods, webauthnOptions };
     }
     const sessionId = crypto.randomUUID();
     const { token, refreshToken } = await createSessionWithRefreshToken(user.id, sessionId, metadata);

package/dist/services/mfa.d.ts

@@ -35,3 +35,50 @@ export declare const disableEmailOtp: (userId: string, params: {
 }) => Promise<void>;
 /** Get the MFA methods enabled for a user. */
 export declare const getMfaMethods: (userId: string) => Promise<string[]>;
+/**
+ * Eager startup check — call at route mount time to fail fast if the peer dependency is missing.
+ */
+export declare const assertWebAuthnDependency: () => Promise<void>;
+/**
+ * Generate WebAuthn authentication options for the login MFA flow.
+ * Called from auth.ts login when the user has "webauthn" in their methods.
+ */
+export declare const generateWebAuthnAuthenticationOptions: (userId: string) => Promise<{
+    challenge: string;
+    options: Record<string, unknown>;
+} | null>;
+/**
+ * Initiate WebAuthn registration: generates registration options for the client.
+ * Returns options + a registration challenge token.
+ */
+export declare const initiateWebAuthnRegistration: (userId: string) => Promise<{
+    options: Record<string, unknown>;
+    registrationToken: string;
+}>;
+/**
+ * Complete WebAuthn registration: verifies attestation and stores the credential.
+ * Returns recovery codes if this is the first MFA method.
+ */
+export declare const completeWebAuthnRegistration: (userId: string, registrationToken: string, attestationResponse: any, name?: string) => Promise<{
+    credentialId: string;
+    recoveryCodes: string[] | null;
+}>;
+/**
+ * Verify a WebAuthn authentication assertion during login MFA.
+ */
+export declare const verifyWebAuthn: (userId: string, assertionResponse: any, expectedChallenge: string) => Promise<boolean>;
+/**
+ * Remove a single WebAuthn credential.
+ * Only requires identity verification when removing the last credential of the last MFA method.
+ */
+export declare const removeWebAuthnCredential: (userId: string, credentialId: string, params: {
+    code?: string;
+    password?: string;
+}) => Promise<void>;
+/**
+ * Disable WebAuthn entirely: removes all credentials and the method.
+ */
+export declare const disableWebAuthn: (userId: string, params: {
+    code?: string;
+    password?: string;
+}) => Promise<void>;