@lastshotlabs/bunshot 0.0.21 → 0.0.25

package/dist/models/AuditLog.d.ts

@@ -0,0 +1,30 @@
+import type { Document, Model } from "mongoose";
+interface IAuditLog {
+    /** UUID assigned by the caller — stable cross-store identifier. */
+    id: string;
+    userId: string | null;
+    sessionId: string | null;
+    tenantId: string | null;
+    method: string;
+    path: string;
+    status: number;
+    ip: string | null;
+    userAgent: string | null;
+    action?: string;
+    resource?: string;
+    resourceId?: string;
+    meta?: Record<string, unknown>;
+    createdAt: Date;
+    /**
+     * Optional TTL field. MongoDB will automatically delete the document
+     * once this date is in the past (via `expireAfterSeconds: 0` index).
+     */
+    expiresAt?: Date;
+}
+type AuditLogDocument = IAuditLog & Document;
+export declare const AuditLog: Model<AuditLogDocument, {}, {}, {}, Document<unknown, {}, AuditLogDocument, {}, import("mongoose").DefaultSchemaOptions> & IAuditLog & Document<import("mongoose").Types.ObjectId, any, any, Record<string, any>, {}> & Required<{
+    _id: import("mongoose").Types.ObjectId;
+}> & {
+    __v: number;
+}, any, AuditLogDocument>;
+export {};

package/dist/models/AuditLog.js

@@ -0,0 +1,39 @@
+import { authConnection, mongoose } from "../lib/mongo";
+let _AuditLog = null;
+function getAuditLogModel() {
+    if (!_AuditLog) {
+        const { Schema } = mongoose;
+        const schema = new Schema({
+            id: { type: String, required: true, unique: true },
+            userId: { type: String, default: null },
+            sessionId: { type: String, default: null },
+            tenantId: { type: String, default: null },
+            method: { type: String, required: true },
+            path: { type: String, required: true },
+            status: { type: Number, required: true },
+            ip: { type: String, default: null },
+            userAgent: { type: String, default: null },
+            action: { type: String },
+            resource: { type: String },
+            resourceId: { type: String },
+            meta: { type: Schema.Types.Mixed },
+            expiresAt: { type: Date, index: { expireAfterSeconds: 0 } },
+        }, {
+            collection: "audit_logs",
+            // Mongoose manages createdAt; no updatedAt needed for immutable log entries.
+            timestamps: { createdAt: "createdAt", updatedAt: false },
+        });
+        schema.index({ userId: 1, createdAt: 1 });
+        schema.index({ tenantId: 1, createdAt: 1 });
+        schema.index({ path: 1 });
+        _AuditLog = authConnection.model("AuditLog", schema);
+    }
+    return _AuditLog;
+}
+export const AuditLog = new Proxy({}, {
+    get(_, prop) {
+        const model = getAuditLogModel();
+        const val = model[prop];
+        return typeof val === "function" ? val.bind(model) : val;
+    },
+});

package/dist/models/Group.d.ts

@@ -0,0 +1,21 @@
+import type { Document, Model } from "mongoose";
+interface IGroup {
+    name: string;
+    displayName?: string;
+    description?: string;
+    roles: string[];
+    /**
+     * null = app-wide group, string = tenant-scoped group.
+     * Immutable after creation — adapters must reject updates that include tenantId.
+     */
+    tenantId: string | null;
+}
+type GroupDocument = IGroup & Document;
+export declare const Group: Model<GroupDocument, {}, {}, {}, Document<unknown, {}, GroupDocument, {}, import("mongoose").DefaultSchemaOptions> & IGroup & Document<import("mongoose").Types.ObjectId, any, any, Record<string, any>, {}> & Required<{
+    _id: import("mongoose").Types.ObjectId;
+}> & {
+    __v: number;
+} & {
+    id: string;
+}, any, GroupDocument>;
+export {};

package/dist/models/Group.js

@@ -0,0 +1,28 @@
+import { authConnection, mongoose } from "../lib/mongo";
+let _Group = null;
+function getGroup() {
+    if (!_Group) {
+        const { Schema } = mongoose;
+        const schema = new Schema({
+            name: { type: String, required: true },
+            displayName: { type: String },
+            description: { type: String },
+            roles: [{ type: String }],
+            tenantId: { type: String, default: null },
+        }, { timestamps: true });
+        // Name is unique within scope (app-wide or per-tenant).
+        // MongoDB treats null as a value, so this compound index correctly enforces uniqueness
+        // for app-wide groups (both have tenantId: null) and per-tenant groups separately.
+        schema.index({ name: 1, tenantId: 1 }, { unique: true });
+        schema.index({ tenantId: 1 });
+        _Group = authConnection.model("Group", schema);
+    }
+    return _Group;
+}
+export const Group = new Proxy({}, {
+    get(_, prop) {
+        const model = getGroup();
+        const val = model[prop];
+        return typeof val === "function" ? val.bind(model) : val;
+    },
+});

package/dist/models/GroupMembership.d.ts

@@ -0,0 +1,21 @@
+import type { Document, Model } from "mongoose";
+interface IGroupMembership {
+    userId: string;
+    groupId: string;
+    /** Per-member extra roles on top of the group's baseline roles. */
+    roles: string[];
+    /**
+     * Denormalized from the group at insert time for efficient tenant-scoped queries.
+     * Immutable: group.tenantId cannot change after creation, so this is always consistent.
+     */
+    tenantId: string | null;
+}
+type GroupMembershipDocument = IGroupMembership & Document;
+export declare const GroupMembership: Model<GroupMembershipDocument, {}, {}, {}, Document<unknown, {}, GroupMembershipDocument, {}, import("mongoose").DefaultSchemaOptions> & IGroupMembership & Document<import("mongoose").Types.ObjectId, any, any, Record<string, any>, {}> & Required<{
+    _id: import("mongoose").Types.ObjectId;
+}> & {
+    __v: number;
+} & {
+    id: string;
+}, any, GroupMembershipDocument>;
+export {};

package/dist/models/GroupMembership.js

@@ -0,0 +1,25 @@
+import { authConnection, mongoose } from "../lib/mongo";
+let _GroupMembership = null;
+function getGroupMembership() {
+    if (!_GroupMembership) {
+        const { Schema } = mongoose;
+        const schema = new Schema({
+            userId: { type: String, required: true },
+            groupId: { type: String, required: true },
+            roles: [{ type: String }],
+            tenantId: { type: String, default: null },
+        }, { timestamps: { createdAt: true, updatedAt: false } });
+        schema.index({ userId: 1, groupId: 1 }, { unique: true });
+        schema.index({ groupId: 1 });
+        schema.index({ userId: 1, tenantId: 1 });
+        _GroupMembership = authConnection.model("GroupMembership", schema);
+    }
+    return _GroupMembership;
+}
+export const GroupMembership = new Proxy({}, {
+    get(_, prop) {
+        const model = getGroupMembership();
+        const val = model[prop];
+        return typeof val === "function" ? val.bind(model) : val;
+    },
+});

package/dist/routes/auth.js

@@ -10,7 +10,8 @@ import { getAuthAdapter } from "../lib/authAdapter";
 import { createRouter } from "../lib/context";
 import { getVerificationToken, deleteVerificationToken, createVerificationToken } from "../lib/emailVerification";
 import { createResetToken, consumeResetToken } from "../lib/resetPassword";
-import { getRefreshTokenExpiry, getAccessTokenExpiry, getCsrfEnabled } from "../lib/appConfig";
+import { createDeletionCancelToken, consumeDeletionCancelToken } from "../lib/deletionCancelToken";
+import { getRefreshTokenExpiry, getAccessTokenExpiry, getCsrfEnabled, getAppName } from "../lib/appConfig";
 import { refreshCsrfToken, clearCsrfToken } from "../middleware/csrf";
 import { getUserSessions, deleteSession, deleteUserSessions } from "../lib/session";
 import { getClientIp } from "../lib/clientIp";
@@ -24,7 +25,8 @@ const TokenResponse = z.object({
     refreshToken: z.string().optional().describe("Refresh token (present when refreshTokens is configured). Also set as an HttpOnly cookie."),
     mfaRequired: z.boolean().optional().describe("When true, complete MFA via POST /auth/mfa/verify before accessing the API."),
     mfaToken: z.string().optional().describe("MFA challenge token. Pass to POST /auth/mfa/verify with a TOTP or recovery code."),
-    mfaMethods: z.array(z.string()).optional().describe("Available MFA methods when mfaRequired is true (e.g., 'totp', 'emailOtp')."),
+    mfaMethods: z.array(z.string()).optional().describe("Available MFA methods when mfaRequired is true (e.g., 'totp', 'emailOtp', 'webauthn')."),
+    webauthnOptions: z.record(z.string(), z.unknown()).optional().describe("WebAuthn assertion options (present when mfaMethods includes 'webauthn'). Pass directly to navigator.credentials.get()."),
 }).openapi("TokenResponse");
 const ErrorResponse = z.object({ error: z.string().describe("Human-readable error message.") }).openapi("ErrorResponse");
 const tags = ["Auth"];
@@ -212,6 +214,33 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
         if (accountDeletion?.onBeforeDelete) {
             await accountDeletion.onBeforeDelete(authUserId);
         }
+        // Queued deletion via BullMQ
+        if (accountDeletion?.queued) {
+            const { createQueue } = await import("../lib/queue");
+            const appName = getAppName();
+            const queue = createQueue(`${appName}:account-deletions`);
+            const delayMs = (accountDeletion.gracePeriod ?? 0) * 1000;
+            const job = await queue.add("delete-account", { userId: authUserId }, {
+                delay: delayMs,
+                attempts: 3,
+                backoff: { type: "exponential", delay: 1000 },
+                removeOnComplete: true,
+                removeOnFail: 100,
+            });
+            await queue.close();
+            // Revoke sessions immediately so the user is logged out
+            await deleteUserSessions(authUserId);
+            if (accountDeletion.gracePeriod && accountDeletion.onDeletionScheduled) {
+                const user = adapter.getUser ? await adapter.getUser(authUserId) : null;
+                const email = user?.email ?? "";
+                if (email) {
+                    const cancelToken = await createDeletionCancelToken(authUserId, job.id, accountDeletion.gracePeriod);
+                    await accountDeletion.onDeletionScheduled(authUserId, email, cancelToken);
+                }
+            }
+            deleteCookie(c, COOKIE_TOKEN, { path: "/" });
+            return c.json({ message: "Account deletion scheduled" }, 202);
+        }
         // Synchronous deletion (default)
         await deleteUserSessions(authUserId);
         await adapter.deleteUser(authUserId);
@@ -297,12 +326,12 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
             method: "post",
             path: "/auth/resend-verification",
             summary: "Resend verification email",
-            description: "Authenticates with credentials and sends a new verification email. Returns 400 if already verified. Rate-limited per identifier. Does not require a session.",
+            description: "Authenticates with credentials and sends a new verification email. Always returns 200 for valid credentials regardless of verification status, to prevent user enumeration. Rate-limited per identifier. Does not require a session.",
             tags,
             request: { body: { content: { "application/json": { schema: LoginSchema } }, description: "Login credentials to identify the account." } },
             responses: {
-                200: { content: { "application/json": { schema: z.object({ message: z.string() }) } }, description: "Verification email sent." },
-                400: { content: { "application/json": { schema: ErrorResponse } }, description: "Email is already verified, or no email address on file." },
+                200: { content: { "application/json": { schema: z.object({ message: z.string() }) } }, description: "Verification email sent, or account is already verified (indistinguishable by design)." },
+                400: { content: { "application/json": { schema: ErrorResponse } }, description: "No email address on file for this account." },
                 401: { content: { "application/json": { schema: ErrorResponse } }, description: "Invalid credentials." },
                 429: { content: { "application/json": { schema: ErrorResponse } }, description: "Too many resend attempts for this identifier. Try again later." },
                 501: { content: { "application/json": { schema: ErrorResponse } }, description: "The configured auth adapter does not support email verification." },
@@ -323,8 +352,10 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
                 return c.json({ error: "Invalid credentials" }, 401);
             }
             const alreadyVerified = await adapter.getEmailVerified(user.id);
+            // Return 200 (not 400) to avoid revealing whether the account is verified —
+            // distinguishing verified vs unverified would let attackers confirm valid credentials.
             if (alreadyVerified)
-                return c.json({ error: "Email already verified" }, 400);
+                return c.json({ message: "Verification email sent if not already verified" }, 200);
             const fullUser = await adapter.getUser(user.id);
             if (!fullUser?.email)
                 return c.json({ error: "No email address on file" }, 400);
@@ -470,6 +501,53 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
         });
     }
     // ---------------------------------------------------------------------------
+    // Account deletion cancellation — only mounted when queued: true + gracePeriod > 0
+    // ---------------------------------------------------------------------------
+    if (accountDeletion?.queued && accountDeletion.gracePeriod) {
+        router.openapi(createRoute({
+            method: "post",
+            path: "/auth/cancel-deletion",
+            summary: "Cancel scheduled account deletion",
+            description: "Cancels a pending queued account deletion using the cancel token sent via the onDeletionScheduled callback. Must be called before the grace period expires.",
+            tags,
+            request: {
+                body: {
+                    content: {
+                        "application/json": {
+                            schema: z.object({
+                                token: z.string().describe("Cancel token received in the deletion scheduled notification."),
+                            }),
+                        },
+                    },
+                    description: "Cancel token.",
+                },
+            },
+            responses: {
+                200: { content: { "application/json": { schema: z.object({ message: z.string() }) } }, description: "Account deletion cancelled." },
+                400: { content: { "application/json": { schema: ErrorResponse } }, description: "Invalid or expired cancel token." },
+            },
+        }), async (c) => {
+            const { token } = c.req.valid("json");
+            const entry = await consumeDeletionCancelToken(token);
+            if (!entry)
+                return c.json({ error: "Invalid or expired cancel token" }, 400);
+            // Remove the pending BullMQ job
+            try {
+                const { createQueue } = await import("../lib/queue");
+                const appName = getAppName();
+                const queue = createQueue(`${appName}:account-deletions`);
+                const job = await queue.getJob(entry.jobId);
+                if (job)
+                    await job.remove();
+                await queue.close();
+            }
+            catch {
+                // Job may have already executed — that's an error case but we still consumed the token
+            }
+            return c.json({ message: "Account deletion cancelled" }, 200);
+        });
+    }
+    // ---------------------------------------------------------------------------
     // Session management
     // ---------------------------------------------------------------------------
     const SessionInfoSchema = z.object({

package/dist/routes/groups.d.ts

@@ -0,0 +1,21 @@
+import type { MiddlewareHandler } from "hono";
+import type { AppEnv } from "../lib/context";
+export interface GroupsManagementConfig {
+    /**
+     * Role required to access all management routes.
+     * Applied via requireRole.global(adminRole). Default: "admin".
+     * Ignored if `middleware` is provided.
+     */
+    adminRole?: string;
+    /**
+     * Fully replaces the default auth middleware stack [userAuth, requireRole.global(adminRole)].
+     * Use only when a single role check is insufficient.
+     * When provided, `adminRole` is ignored.
+     */
+    middleware?: MiddlewareHandler<AppEnv>[];
+}
+export interface GroupsConfig {
+    /** Mount group management routes. Pass `true` to use all defaults. */
+    managementRoutes?: GroupsManagementConfig | true;
+}
+export declare const createGroupsRouter: (config: GroupsConfig) => import("@hono/zod-openapi").OpenAPIHono<AppEnv, {}, "/">;