@lastshotlabs/bunshot 0.0.2 → 0.0.4

package/README.md

@@ -1407,9 +1407,9 @@ import {
   createServer, createApp,
 
   // DB
-  connectMongo, connectAuthMongo, connectAppMongo,
+  connectMongo, connectAuthMongo, connectAppMongo, disconnectMongo,
   authConnection, appConnection, mongoose,
-  connectRedis, getRedis,
+  connectRedis, disconnectRedis, getRedis,
 
   // Jobs
   createQueue, createWorker,

package/dist/adapters/memoryAuth.d.ts

@@ -0,0 +1,22 @@
+import type { AuthAdapter } from "../lib/authAdapter";
+/** Reset all in-memory state. Useful for test isolation. */
+export declare const clearMemoryStore: () => void;
+export declare const memoryAuthAdapter: AuthAdapter;
+export declare const memoryCreateSession: (userId: string, token: string) => void;
+export declare const memoryGetSession: (userId: string) => string | null;
+export declare const memoryDeleteSession: (userId: string) => void;
+export declare const memoryStoreOAuthState: (state: string, codeVerifier?: string, linkUserId?: string) => void;
+export declare const memoryConsumeOAuthState: (state: string) => {
+    codeVerifier?: string;
+    linkUserId?: string;
+} | null;
+export declare const memoryGetCache: (key: string) => string | null;
+export declare const memorySetCache: (key: string, value: string, ttlSeconds?: number) => void;
+export declare const memoryDelCache: (key: string) => void;
+export declare const memoryDelCachePattern: (pattern: string) => void;
+export declare const memoryCreateVerificationToken: (token: string, userId: string, email: string) => void;
+export declare const memoryGetVerificationToken: (token: string) => {
+    userId: string;
+    email: string;
+} | null;
+export declare const memoryDeleteVerificationToken: (token: string) => void;

package/dist/adapters/mongoAuth.d.ts

@@ -0,0 +1,2 @@
+import type { AuthAdapter } from "../lib/authAdapter";
+export declare const mongoAuthAdapter: AuthAdapter;

package/dist/adapters/sqliteAuth.d.ts

@@ -0,0 +1,23 @@
+import type { AuthAdapter } from "../lib/authAdapter";
+export declare const setSqliteDb: (path: string) => void;
+export declare const sqliteAuthAdapter: AuthAdapter;
+export declare const sqliteCreateSession: (userId: string, token: string) => void;
+export declare const sqliteGetSession: (userId: string) => string | null;
+export declare const sqliteDeleteSession: (userId: string) => void;
+export declare const sqliteStoreOAuthState: (state: string, codeVerifier?: string, linkUserId?: string) => void;
+export declare const sqliteConsumeOAuthState: (state: string) => {
+    codeVerifier?: string;
+    linkUserId?: string;
+} | null;
+export declare const isSqliteReady: () => boolean;
+export declare const sqliteGetCache: (key: string) => string | null;
+export declare const sqliteSetCache: (key: string, value: string, ttlSeconds?: number) => void;
+export declare const sqliteDelCache: (key: string) => void;
+export declare const sqliteDelCachePattern: (pattern: string) => void;
+export declare const sqliteCreateVerificationToken: (token: string, userId: string, email: string) => void;
+export declare const sqliteGetVerificationToken: (token: string) => {
+    userId: string;
+    email: string;
+} | null;
+export declare const sqliteDeleteVerificationToken: (token: string) => void;
+export declare const startSqliteCleanup: (intervalMs?: number) => ReturnType<typeof setInterval>;

package/dist/app.d.ts

@@ -0,0 +1,174 @@
+import { OpenAPIHono } from "@hono/zod-openapi";
+import type { MiddlewareHandler } from "hono";
+import type { AppEnv } from "./lib/context";
+import type { PrimaryField, EmailVerificationConfig } from "./lib/appConfig";
+import type { AuthAdapter } from "./lib/authAdapter";
+import type { OAuthProviderConfig } from "./lib/oauth";
+type StoreType = "redis" | "mongo" | "sqlite" | "memory";
+export interface DbConfig {
+    /**
+     * Absolute path to the SQLite database file.
+     * Required when any store is "sqlite".
+     * Example: import.meta.dir + "/../data.db"
+     */
+    sqlite?: string;
+    /**
+     * MongoDB auto-connect mode.
+     * - "single" (default): calls connectMongo() — auth and app share one server (MONGO_* env vars)
+     * - "separate": calls connectAuthMongo() + connectAppMongo() — auth on MONGO_AUTH_* server, app on MONGO_* server
+     * - false: skip auto-connect (call connectMongo / connectAuthMongo / connectAppMongo yourself)
+     */
+    mongo?: "single" | "separate" | false;
+    /**
+     * Auto-connect Redis before starting. Defaults to true.
+     * Set false to skip (e.g. when using sqlite or memory stores only).
+     */
+    redis?: boolean;
+    /**
+     * Where to store JWT sessions. Default: "redis".
+     * Sessions are stored on appConnection (not authConnection) so they are isolated per-app
+     * in "separate" mongo mode.
+     */
+    sessions?: StoreType;
+    /**
+     * Where to store OAuth state (PKCE code verifier, link user ID). Default: follows `sessions`.
+     */
+    oauthState?: StoreType;
+    /**
+     * Global default store for cacheResponse middleware. Default: "redis".
+     * Can be overridden per-route via cacheResponse({ store: "..." }).
+     */
+    cache?: StoreType;
+    /**
+     * Which built-in auth adapter to use for /auth/* routes.
+     * - "mongo" (default when mongo is enabled): Mongoose adapter (requires connectMongo)
+     * - "sqlite": bun:sqlite adapter (requires sqlite path)
+     * - "memory": in-memory Maps (ephemeral, great for tests)
+     * When `mongo: false`, defaults to the same store as `sessions`.
+     * Ignored when `auth.adapter` is explicitly passed in CreateAppConfig.
+     */
+    auth?: "mongo" | "sqlite" | "memory";
+}
+export interface AppMeta {
+    /** App name shown in the root endpoint and OpenAPI docs title. Defaults to "Bun Core API" */
+    name?: string;
+    /** Version shown in OpenAPI docs. Defaults to "1.0.0" */
+    version?: string;
+}
+export interface OAuthConfig {
+    /** OAuth provider credentials. Configured providers get automatic /auth/{provider} routes. */
+    providers?: OAuthProviderConfig;
+    /** Where to redirect after a successful OAuth login. Defaults to "/" */
+    postRedirect?: string;
+}
+export interface AuthRateLimitConfig {
+    /** Max login failures per window before the account is locked. Default: 10 per 15 min. */
+    login?: {
+        windowMs?: number;
+        max?: number;
+    };
+    /** Max registration attempts per IP per window. Default: 5 per hour. */
+    register?: {
+        windowMs?: number;
+        max?: number;
+    };
+    /** Max email verification attempts per IP per window. Default: 10 per 15 min. */
+    verifyEmail?: {
+        windowMs?: number;
+        max?: number;
+    };
+    /** Max resend-verification attempts per user per window. Default: 3 per hour. */
+    resendVerification?: {
+        windowMs?: number;
+        max?: number;
+    };
+    /**
+     * Store backend for auth rate limit counters.
+     * Defaults to "redis" when Redis is enabled, otherwise "memory".
+     * Use "redis" for multi-instance deployments so limits are shared across servers.
+     */
+    store?: "memory" | "redis";
+}
+export interface AuthConfig {
+    /** Set false to skip mounting /auth/* routes. Defaults to true */
+    enabled?: boolean;
+    /**
+     * Custom auth adapter for the built-in /auth/* routes.
+     * Use this for fully custom backends (e.g. Postgres).
+     * For built-in backends prefer `db.auth: "mongo" | "sqlite" | "memory"`.
+     * When both are set, this takes precedence.
+     */
+    adapter?: AuthAdapter;
+    /** Valid roles for this app (e.g. ["admin", "editor", "user"]). Used by requireRole middleware. */
+    roles?: string[];
+    /** Role automatically assigned to new users on registration. Must be one of roles. */
+    defaultRole?: string;
+    /** OAuth provider and redirect configuration */
+    oauth?: OAuthConfig;
+    /**
+     * The primary identifier field used for registration and login.
+     * Defaults to "email". Use "username" or "phone" for apps that identify users differently.
+     * Email verification is only available when primaryField is "email".
+     */
+    primaryField?: PrimaryField;
+    /**
+     * Email verification configuration. Only active when primaryField is "email".
+     * Provide an onSend callback to send the verification email via any provider (Resend, SendGrid, etc.).
+     */
+    emailVerification?: EmailVerificationConfig;
+    /** Rate limit configuration for built-in auth endpoints. */
+    rateLimit?: AuthRateLimitConfig;
+}
+export type { PrimaryField, EmailVerificationConfig };
+export interface BotProtectionConfig {
+    /**
+     * List of IPv4 CIDRs (e.g. "198.51.100.0/24"), IPv4 addresses, or IPv6 addresses to block outright.
+     * Matched requests receive a 403 before any other processing.
+     * Example: ["198.51.100.0/24", "203.0.113.42"]
+     */
+    blockList?: string[];
+    /**
+     * Also rate-limit by HTTP fingerprint (User-Agent, Accept-*, Connection, browser header presence)
+     * in addition to IP. Bots that rotate IPs but use the same HTTP client share a bucket.
+     * Uses the same store as auth rate limiting (Redis or memory).
+     * Default: false
+     */
+    fingerprintRateLimit?: boolean;
+}
+export interface SecurityConfig {
+    /** CORS origins. Defaults to "*" */
+    cors?: string | string[];
+    /** Global rate limit. Defaults to 100 req / 60s */
+    rateLimit?: {
+        windowMs: number;
+        max: number;
+    };
+    /**
+     * Bearer auth check. Set false to disable entirely.
+     * Pass an object with bypass paths (merged with built-in defaults: /docs, /health, /openapi.json, etc.).
+     * Defaults to enabled with no extra bypass paths.
+     */
+    bearerAuth?: boolean | {
+        bypass?: string[];
+    };
+    /**
+     * Bot protection: CIDR blocklist and fingerprint-based rate limiting.
+     * Runs before IP rate limiting so blocked IPs are rejected immediately.
+     */
+    botProtection?: BotProtectionConfig;
+}
+export interface CreateAppConfig {
+    /** Absolute path to the service's routes directory (use import.meta.dir + "/routes") */
+    routesDir: string;
+    /** App name and version for the root endpoint and OpenAPI docs */
+    app?: AppMeta;
+    /** Auth, roles, and OAuth configuration */
+    auth?: AuthConfig;
+    /** Security: CORS, rate limiting, bearer auth */
+    security?: SecurityConfig;
+    /** Extra middleware injected after identify, before route matching */
+    middleware?: MiddlewareHandler<AppEnv>[];
+    /** Database connection and store routing configuration */
+    db?: DbConfig;
+}
+export declare const createApp: (config: CreateAppConfig) => Promise<OpenAPIHono<AppEnv>>;

package/dist/cli.js

@@ -0,0 +1,149 @@
+#!/usr/bin/env bun
+// @bun
+var R=import.meta.require;import{existsSync as V,mkdirSync as E,writeFileSync as J,readSync as v,rmSync as I}from"fs";import{join as z}from"path";import{spawnSync as Q}from"child_process";function W($){process.stdout.write($);let L=Buffer.alloc(1024),_=v(0,L,0,L.length,null);return L.subarray(0,_).toString().trim().replace(/\r/g,"")}var X=process.argv[2],q=process.argv[3],K=X||W("App name: ");if(!K)console.error("App name is required."),process.exit(1);var M=K.toLowerCase().replace(/\s+/g,"-").replace(/[^a-z0-9-]/g,""),A=q||(X?M:W(`Directory (${M}): `))||M,B=z(process.cwd(),A),G=z(B,"src"),b=z(G,"routes"),C=z(G,"workers"),x=z(G,"queues"),F=z(G,"ws"),P=z(G,"services");if(V(B))console.error(`Directory "${A}" already exists.`),process.exit(1);var T=`import { createServer, type CreateServerConfig } from "@lastshotlabs/bunshot";
+
+const roles = {
+  admin: "admin",
+  user: "user",
+};
+
+const config: CreateServerConfig = {
+  routesDir: import.meta.dir + "/routes",
+  workersDir: import.meta.dir + "/workers",
+  app: {
+    name: "${K}",
+    version: "1.0.0",
+  },
+  auth: {
+    roles: Object.values(roles),
+    defaultRole: roles.user,
+  },
+  security: {
+    cors: ["*"],
+  },
+  db: {
+    mongo: "single",
+  },
+  port: process.env.PORT ? parseInt(process.env.PORT) : 3000,
+};
+
+await createServer(config);
+`,h=`# ${K}
+
+Built with [@lastshotlabs/bunshot](https://github.com/Last-Shot-Labs/bunshot).
+
+## Getting started
+
+\`\`\`bash
+# fill in .env with your values
+bun dev
+\`\`\`
+
+| Endpoint | Description |
+|---|---|
+| \`POST /auth/register\` | Create account |
+| \`POST /auth/login\` | Sign in, returns JWT |
+| \`GET  /docs\` | OpenAPI docs (Scalar) |
+| \`GET  /health\` | Health check |
+
+## Project structure
+
+\`\`\`
+src/
+  index.ts        # server entry point
+  routes/         # file-based routing (each file = a router)
+  workers/        # BullMQ workers (auto-imported on start)
+\`\`\`
+
+## Adding routes
+
+Create a file in \`src/routes/\`:
+
+\`\`\`ts
+// src/routes/products.ts
+import { createRouter } from "@lastshotlabs/bunshot";
+import { z } from "zod";
+
+export const router = createRouter();
+
+router.get("/products", (c) => c.json({ products: [] }));
+\`\`\`
+
+## Adding models
+
+\`\`\`ts
+// src/models/Product.ts
+import { appConnection, mongoose } from "@lastshotlabs/bunshot";
+
+const ProductSchema = new mongoose.Schema({
+  name: { type: String, required: true },
+  price: { type: Number, required: true },
+}, { timestamps: true });
+
+export const Product = appConnection.model("Product", ProductSchema);
+\`\`\`
+
+## Environment variables
+
+See \`.env\` \u2014 fill in MongoDB, Redis, JWT, Bearer token, and OAuth provider values before running.
+`,w=`NODE_ENV=development
+PORT=3000
+
+# MongoDB (single connection)
+MONGO_USER_DEV=
+MONGO_PW_DEV=
+MONGO_HOST_DEV=
+MONGO_DB_DEV=
+MONGO_USER_PROD=
+MONGO_PW_PROD=
+MONGO_HOST_PROD=
+MONGO_DB_PROD=
+
+# MongoDB auth connection (only needed if mongo: "separate")
+MONGO_AUTH_USER_DEV=
+MONGO_AUTH_PW_DEV=
+MONGO_AUTH_HOST_DEV=
+MONGO_AUTH_DB_DEV=
+MONGO_AUTH_USER_PROD=
+MONGO_AUTH_PW_PROD=
+MONGO_AUTH_HOST_PROD=
+MONGO_AUTH_DB_PROD=
+
+# Redis
+REDIS_HOST_DEV=
+REDIS_USER_DEV=
+REDIS_PW_DEV=
+REDIS_HOST_PROD=
+REDIS_USER_PROD=
+REDIS_PW_PROD=
+
+# JWT
+JWT_SECRET_DEV=
+JWT_SECRET_PROD=
+
+# Bearer API key
+BEARER_TOKEN_DEV=
+BEARER_TOKEN_PROD=
+
+# OAuth \u2014 Google (optional)
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+GOOGLE_REDIRECT_URI=
+
+# OAuth \u2014 Apple (optional)
+APPLE_CLIENT_ID=
+APPLE_TEAM_ID=
+APPLE_KEY_ID=
+APPLE_PRIVATE_KEY=
+APPLE_REDIRECT_URI=
+`;console.log(`
+@lastshotlabs/bunshot \u2014 creating ${A}
+`);E(B,{recursive:!0});console.log("  Running bun init...");Q("bun",["init","-y"],{cwd:B,stdio:"inherit"});var U=z(B,"index.ts");if(V(U))I(U);var Y=z(B,"package.json"),H=JSON.parse(R("fs").readFileSync(Y,"utf-8"));H.module="src/index.ts";H.scripts={dev:"bun --watch src/index.ts",start:"bun src/index.ts"};H.dependencies={...H.dependencies,"@lastshotlabs/bunshot":"*"};J(Y,JSON.stringify(H,null,2)+`
+`,"utf-8");var Z=z(B,"tsconfig.json"),O=JSON.parse(R("fs").readFileSync(Z,"utf-8"));O.compilerOptions={...O.compilerOptions,paths:{"@lib/*":["./src/lib/*"],"@middleware/*":["./src/middleware/*"],"@models/*":["./src/models/*"],"@queues/*":["./src/queues/*"],"@routes/*":["./src/routes/*"],"@scripts/*":["./src/scripts/*"],"@services/*":["./src/services/*"],"@workers/*":["./src/workers/*"],"@queues":["./src/queues/index.ts"],"@jobs":["./src/queues/jobs.ts"],"@ws":["./src/ws/index.ts"]}};J(Z,JSON.stringify(O,null,2)+`
+`,"utf-8");E(b,{recursive:!0});E(C,{recursive:!0});E(x,{recursive:!0});E(F,{recursive:!0});E(P,{recursive:!0});J(z(G,"index.ts"),T,"utf-8");J(z(B,".env"),w,"utf-8");J(z(B,"README.md"),h,"utf-8");console.log("  Created:");console.log(`    + ${A}/src/index.ts`);console.log(`    + ${A}/src/routes/`);console.log(`    + ${A}/src/workers/`);console.log(`    + ${A}/src/queues/`);console.log(`    + ${A}/src/ws/`);console.log(`    + ${A}/src/services/`);console.log(`    + ${A}/.env`);console.log(`    + ${A}/README.md`);console.log(`
+  Initializing git...`);var N=Q("git",["init"],{cwd:B,stdio:"inherit"});if(N.status!==0)console.error("  git init failed \u2014 skipping.");console.log(`
+  Installing dependencies...`);var u=Q("bun",["install"],{cwd:B,stdio:"inherit"});if(u.status!==0)console.error(`
+  bun install failed. Run it manually inside the directory.`),process.exit(1);console.log(`
+Done! Next steps:
+`);console.log(`  cd ${A}`);console.log("  # fill in .env");console.log(`  bun dev
+`);

package/dist/index.d.ts

@@ -0,0 +1,41 @@
+export { createApp } from "./app";
+export { createServer } from "./server";
+export type { CreateAppConfig, DbConfig, AppMeta, AuthConfig, AuthRateLimitConfig, OAuthConfig, SecurityConfig, BotProtectionConfig, PrimaryField, EmailVerificationConfig } from "./app";
+export type { CreateServerConfig, WsConfig } from "./server";
+export { getAppRoles } from "./lib/appConfig";
+export { HttpError } from "./lib/HttpError";
+export { COOKIE_TOKEN, HEADER_USER_TOKEN } from "./lib/constants";
+export { createRouter } from "./lib/context";
+export type { AppEnv, AppVariables } from "./lib/context";
+export { signToken, verifyToken } from "./lib/jwt";
+export { log } from "./lib/logger";
+export { connectMongo, connectAuthMongo, connectAppMongo, disconnectMongo, authConnection, appConnection, mongoose } from "./lib/mongo";
+export { connectRedis, disconnectRedis, getRedis } from "./lib/redis";
+export { createQueue, createWorker } from "./lib/queue";
+export type { Job } from "./lib/queue";
+export { createSession, getSession, deleteSession, setSessionStore } from "./lib/session";
+export { createVerificationToken, getVerificationToken, deleteVerificationToken } from "./lib/emailVerification";
+export { bustAuthLimit, trackAttempt, isLimited } from "./lib/authRateLimit";
+export type { LimitOpts } from "./lib/authRateLimit";
+export { validate } from "./lib/validate";
+export { bearerAuth } from "./middleware/bearerAuth";
+export { botProtection } from "./middleware/botProtection";
+export type { BotProtectionOptions } from "./middleware/botProtection";
+export { identify } from "./middleware/identify";
+export { rateLimit } from "./middleware/rateLimit";
+export type { RateLimitOptions } from "./middleware/rateLimit";
+export { userAuth } from "./middleware/userAuth";
+export { requireRole } from "./middleware/requireRole";
+export { requireVerifiedEmail } from "./middleware/requireVerifiedEmail";
+export { cacheResponse, bustCache, bustCachePattern, setCacheStore } from "./middleware/cacheResponse";
+export { buildFingerprint } from "./lib/fingerprint";
+export { AuthUser } from "./models/AuthUser";
+export { mongoAuthAdapter } from "./adapters/mongoAuth";
+export { sqliteAuthAdapter, setSqliteDb, startSqliteCleanup } from "./adapters/sqliteAuth";
+export { memoryAuthAdapter, clearMemoryStore } from "./adapters/memoryAuth";
+export { setUserRoles, addUserRole, removeUserRole } from "./lib/roles";
+export type { AuthAdapter, OAuthProfile } from "./lib/authAdapter";
+export type { OAuthProviderConfig } from "./lib/oauth";
+export { websocket, createWsUpgradeHandler } from "./ws/index";
+export type { SocketData } from "./ws/index";
+export { publish, subscribe, unsubscribe, getSubscriptions, handleRoomActions, getRooms, getRoomSubscribers } from "./lib/ws";

package/dist/index.js

@@ -0,0 +1,2 @@
+// @bun
+import{createApp as v}from"./app";import{createServer as B}from"./server";import{getAppRoles as D}from"./lib/appConfig";import{HttpError as G}from"./lib/HttpError";import{COOKIE_TOKEN as I,HEADER_USER_TOKEN as J}from"./lib/constants";import{createRouter as L}from"./lib/context";import{signToken as N,verifyToken as O}from"./lib/jwt";import{log as Q}from"./lib/logger";import{connectMongo as T,connectAuthMongo as W,connectAppMongo as X,disconnectMongo as Y,authConnection as Z,appConnection as _,mongoose as $}from"./lib/mongo";import{connectRedis as y,disconnectRedis as E,getRedis as R}from"./lib/redis";import{createQueue as V,createWorker as c}from"./lib/queue";import{createSession as g,getSession as q,deleteSession as b,setSessionStore as w}from"./lib/session";import{createVerificationToken as h,getVerificationToken as n,deleteVerificationToken as p}from"./lib/emailVerification";import{bustAuthLimit as o,trackAttempt as m,isLimited as l}from"./lib/authRateLimit";import{validate as a}from"./lib/validate";import{bearerAuth as s}from"./middleware/bearerAuth";import{botProtection as r}from"./middleware/botProtection";import{identify as jj}from"./middleware/identify";import{rateLimit as vj}from"./middleware/rateLimit";import{userAuth as Bj}from"./middleware/userAuth";import{requireRole as Dj}from"./middleware/requireRole";import{requireVerifiedEmail as Gj}from"./middleware/requireVerifiedEmail";import{cacheResponse as Ij,bustCache as Jj,bustCachePattern as Kj,setCacheStore as Lj}from"./middleware/cacheResponse";import{buildFingerprint as Nj}from"./lib/fingerprint";import{AuthUser as Pj}from"./models/AuthUser";import{mongoAuthAdapter as Sj}from"./adapters/mongoAuth";import{sqliteAuthAdapter as Wj,setSqliteDb as Xj,startSqliteCleanup as Yj}from"./adapters/sqliteAuth";import{memoryAuthAdapter as _j,clearMemoryStore as $j}from"./adapters/memoryAuth";import{setUserRoles as yj,addUserRole as Ej,removeUserRole as Rj}from"./lib/roles";import{websocket as Vj,createWsUpgradeHandler as cj}from"./ws/index";import{publish as gj,subscribe as qj,unsubscribe as bj,getSubscriptions as wj,handleRoomActions as Aj,getRooms as hj,getRoomSubscribers as nj}from"./lib/ws";export{Vj as websocket,O as verifyToken,a as validate,Bj as userAuth,bj as unsubscribe,m as trackAttempt,qj as subscribe,Yj as startSqliteCleanup,Wj as sqliteAuthAdapter,N as signToken,yj as setUserRoles,Xj as setSqliteDb,w as setSessionStore,Lj as setCacheStore,Gj as requireVerifiedEmail,Dj as requireRole,Rj as removeUserRole,vj as rateLimit,gj as publish,$ as mongoose,Sj as mongoAuthAdapter,_j as memoryAuthAdapter,Q as log,l as isLimited,jj as identify,Aj as handleRoomActions,n as getVerificationToken,wj as getSubscriptions,q as getSession,hj as getRooms,nj as getRoomSubscribers,R as getRedis,D as getAppRoles,E as disconnectRedis,Y as disconnectMongo,p as deleteVerificationToken,b as deleteSession,cj as createWsUpgradeHandler,c as createWorker,h as createVerificationToken,g as createSession,B as createServer,L as createRouter,V as createQueue,v as createApp,y as connectRedis,T as connectMongo,W as connectAuthMongo,X as connectAppMongo,$j as clearMemoryStore,Ij as cacheResponse,Kj as bustCachePattern,Jj as bustCache,o as bustAuthLimit,Nj as buildFingerprint,r as botProtection,s as bearerAuth,Z as authConnection,_ as appConnection,Ej as addUserRole,G as HttpError,J as HEADER_USER_TOKEN,I as COOKIE_TOKEN,Pj as AuthUser};

package/dist/lib/HttpError.d.ts

@@ -0,0 +1,4 @@
+export declare class HttpError extends Error {
+    status: number;
+    constructor(status: number, message: string);
+}

package/dist/lib/appConfig.d.ts

@@ -0,0 +1,17 @@
+export type PrimaryField = "email" | "username" | "phone";
+export interface EmailVerificationConfig {
+    /** Block login until email is verified. Defaults to false (soft gate — emailVerified returned in login response). */
+    required?: boolean;
+    /** Called after registration with the identifier and verification token. Use to send the email. */
+    onSend: (email: string, token: string) => Promise<void>;
+}
+export declare const setAppName: (name: string) => void;
+export declare const getAppName: () => string;
+export declare const setAppRoles: (roles: string[]) => void;
+export declare const getAppRoles: () => string[];
+export declare const setDefaultRole: (role: string | null) => void;
+export declare const getDefaultRole: () => string | null;
+export declare const setPrimaryField: (field: PrimaryField) => void;
+export declare const getPrimaryField: () => PrimaryField;
+export declare const setEmailVerificationConfig: (config: EmailVerificationConfig | null) => void;
+export declare const getEmailVerificationConfig: () => EmailVerificationConfig | null;

package/dist/lib/authAdapter.d.ts

@@ -0,0 +1,53 @@
+export interface OAuthProfile {
+    email?: string;
+    name?: string;
+    avatarUrl?: string;
+}
+export interface AuthAdapter {
+    findByEmail(email: string): Promise<{
+        id: string;
+        passwordHash: string;
+    } | null>;
+    create(email: string, passwordHash: string): Promise<{
+        id: string;
+    }>;
+    /** Required when using OAuth providers. Find or create a user by provider + provider user ID. */
+    findOrCreateByProvider?(provider: string, providerId: string, profile: OAuthProfile): Promise<{
+        id: string;
+        created: boolean;
+    }>;
+    /** Optional. Set or update the password hash for a user (used by /auth/set-password). */
+    setPassword?(userId: string, passwordHash: string): Promise<void>;
+    /** Optional. Link a provider identity to an existing user (used by /auth/:provider/link). */
+    linkProvider?(userId: string, provider: string, providerId: string): Promise<void>;
+    /** Optional. Return the roles assigned to a user (used by requireRole middleware). */
+    getRoles?(userId: string): Promise<string[]>;
+    /** Optional. Set the roles for a user, replacing any existing roles. */
+    setRoles?(userId: string, roles: string[]): Promise<void>;
+    /** Optional. Add a single role to a user without affecting their other roles. */
+    addRole?(userId: string, role: string): Promise<void>;
+    /** Optional. Remove a single role from a user without affecting their other roles. */
+    removeRole?(userId: string, role: string): Promise<void>;
+    /** Optional. Return basic profile info for a user by ID (used by GET /auth/me). */
+    getUser?(userId: string): Promise<{
+        email?: string;
+        providerIds?: string[];
+        emailVerified?: boolean;
+    } | null>;
+    /** Optional. Unlink a provider identity from a user (used by DELETE /auth/:provider/link). */
+    unlinkProvider?(userId: string, provider: string): Promise<void>;
+    /**
+     * Optional. Look up a user by their primary identifier (email, username, or phone depending on config).
+     * When provided, used instead of findByEmail for credential login/register flows.
+     */
+    findByIdentifier?(value: string): Promise<{
+        id: string;
+        passwordHash: string;
+    } | null>;
+    /** Optional. Mark a user's email address as verified (used by POST /auth/verify-email). */
+    setEmailVerified?(userId: string, verified: boolean): Promise<void>;
+    /** Optional. Return whether a user's email address has been verified. */
+    getEmailVerified?(userId: string): Promise<boolean>;
+}
+export declare const setAuthAdapter: (adapter: AuthAdapter) => void;
+export declare const getAuthAdapter: () => AuthAdapter;

package/dist/lib/authRateLimit.d.ts

@@ -0,0 +1,11 @@
+export declare const setAuthRateLimitStore: (store: "memory" | "redis") => void;
+export interface LimitOpts {
+    windowMs: number;
+    max: number;
+}
+/** Returns true if the key is currently over the limit (read-only, no increment). */
+export declare const isLimited: (key: string, opts: LimitOpts) => Promise<boolean>;
+/** Increments the counter and returns true if now over the limit. */
+export declare const trackAttempt: (key: string, opts: LimitOpts) => Promise<boolean>;
+/** Resets a rate limit key. Use on login success or for admin unlock. */
+export declare const bustAuthLimit: (key: string) => Promise<void>;

package/dist/lib/constants.d.ts

@@ -0,0 +1,2 @@
+export declare const COOKIE_TOKEN = "token";
+export declare const HEADER_USER_TOKEN = "x-user-token";

package/dist/lib/context.d.ts

@@ -0,0 +1,9 @@
+import { OpenAPIHono } from "@hono/zod-openapi";
+export type AppVariables = {
+    authUserId: string | null;
+    roles: string[] | null;
+};
+export type AppEnv = {
+    Variables: AppVariables;
+};
+export declare const createRouter: () => OpenAPIHono<AppEnv, {}, "/">;

package/dist/lib/emailVerification.d.ts

@@ -0,0 +1,9 @@
+type VerificationStore = "redis" | "mongo" | "sqlite" | "memory";
+export declare const setEmailVerificationStore: (store: VerificationStore) => void;
+export declare const createVerificationToken: (userId: string, email: string) => Promise<string>;
+export declare const getVerificationToken: (token: string) => Promise<{
+    userId: string;
+    email: string;
+} | null>;
+export declare const deleteVerificationToken: (token: string) => Promise<void>;
+export {};

package/dist/lib/fingerprint.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Builds a 12-hex-char fingerprint from stable HTTP headers.
+ * IP-independent: bots that rotate IPs but use the same HTTP client
+ * will produce the same fingerprint and share a rate-limit bucket.
+ */
+export declare function buildFingerprint(req: Request): Promise<string>;

package/dist/lib/jwt.d.ts

@@ -0,0 +1,2 @@
+export declare const signToken: (userId: string) => Promise<string>;
+export declare const verifyToken: (token: string) => Promise<import("jose").JWTPayload>;

package/dist/lib/logger.d.ts

@@ -0,0 +1 @@
+export declare const log: (...args: unknown[]) => void;

package/dist/lib/mongo.d.ts

@@ -0,0 +1,34 @@
+import mongoose from "mongoose";
+/**
+ * Named connection used exclusively for auth data (AuthUser model).
+ * Connected via connectAuthMongo() or connectMongo() (backward compat).
+ */
+export declare const authConnection: mongoose.Connection;
+/**
+ * Named connection for app/tenant data.
+ * Connected via connectAppMongo() or connectMongo() (backward compat).
+ * Use this when registering your own models: appConnection.model("Product", schema).
+ */
+export declare const appConnection: mongoose.Connection;
+/**
+ * Connect the auth connection to its dedicated MongoDB server.
+ * Uses MONGO_AUTH_USER_*, MONGO_AUTH_PW_*, MONGO_AUTH_HOST_*, MONGO_AUTH_DB_* env vars.
+ */
+export declare const connectAuthMongo: () => Promise<void>;
+/**
+ * Connect the app connection to its MongoDB server.
+ * Uses MONGO_USER_*, MONGO_PW_*, MONGO_HOST_*, MONGO_DB_* env vars.
+ */
+export declare const connectAppMongo: () => Promise<void>;
+/**
+ * Connect both auth and app connections to the same MongoDB server.
+ * Backward-compatible shorthand for single-DB setups.
+ * Uses MONGO_USER_*, MONGO_PW_*, MONGO_HOST_*, MONGO_DB_* env vars.
+ */
+export declare const connectMongo: () => Promise<void>;
+/**
+ * Close both auth and app Mongo connections.
+ * Useful for one-off scripts that need a clean exit.
+ */
+export declare const disconnectMongo: () => Promise<void>;
+export { mongoose };

package/dist/lib/oauth.d.ts

@@ -0,0 +1,27 @@
+import { Google, Apple, generateState, generateCodeVerifier } from "arctic";
+export type OAuthProviderConfig = {
+    google?: {
+        clientId: string;
+        clientSecret: string;
+        redirectUri: string;
+    };
+    apple?: {
+        clientId: string;
+        teamId: string;
+        keyId: string;
+        privateKey: string;
+        redirectUri: string;
+    };
+};
+export declare const initOAuthProviders: (config: OAuthProviderConfig) => void;
+export declare const getGoogle: () => Google;
+export declare const getApple: () => Apple;
+export declare const getConfiguredOAuthProviders: () => string[];
+type OAuthStateStore = "redis" | "mongo" | "sqlite" | "memory";
+export declare const setOAuthStateStore: (store: OAuthStateStore) => void;
+export declare const storeOAuthState: (state: string, codeVerifier?: string, linkUserId?: string) => Promise<void>;
+export declare const consumeOAuthState: (state: string) => Promise<{
+    codeVerifier?: string;
+    linkUserId?: string;
+} | null>;
+export { generateState, generateCodeVerifier };

package/dist/lib/queue.d.ts

@@ -0,0 +1,5 @@
+import { Queue, Worker } from "bullmq";
+import type { Processor, QueueOptions, WorkerOptions, Job } from "bullmq";
+export declare const createQueue: <T = unknown, R = unknown>(name: string, options?: Omit<QueueOptions, "connection">) => Queue<T, R>;
+export declare const createWorker: <T = unknown, R = unknown>(name: string, processor: Processor<T, R>, options?: Omit<WorkerOptions, "connection">) => Worker<T, R>;
+export type { Job };