npm - @lastshotlabs/bunshot - Versions diffs - 0.0.21 → 0.0.27 - Mend

@lastshotlabs/bunshot 0.0.21 → 0.0.27

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (185) hide show

package/README.md +3035 -1249
package/dist/adapters/localStorage.d.ts +6 -0
package/dist/adapters/localStorage.js +59 -0
package/dist/adapters/memoryAuth.d.ts +13 -0
package/dist/adapters/memoryAuth.js +261 -2
package/dist/adapters/memoryStorage.d.ts +3 -0
package/dist/adapters/memoryStorage.js +44 -0
package/dist/adapters/mongoAuth.js +217 -1
package/dist/adapters/s3Storage.d.ts +14 -0
package/dist/adapters/s3Storage.js +126 -0
package/dist/adapters/sqliteAuth.d.ts +30 -0
package/dist/adapters/sqliteAuth.js +352 -2
package/dist/app.d.ts +203 -3
package/dist/app.js +352 -48
package/dist/cli.js +118 -38
package/dist/index.d.ts +69 -8
package/dist/index.js +46 -5
package/dist/lib/HttpError.d.ts +7 -1
package/dist/lib/HttpError.js +10 -1
package/dist/lib/appConfig.d.ts +157 -0
package/dist/lib/appConfig.js +54 -0
package/dist/lib/auditLog.d.ts +58 -0
package/dist/lib/auditLog.js +218 -0
package/dist/lib/authAdapter.d.ts +140 -1
package/dist/lib/authRateLimit.js +36 -0
package/dist/lib/breachedPassword.d.ts +13 -0
package/dist/lib/breachedPassword.js +48 -0
package/dist/lib/captcha.d.ts +25 -0
package/dist/lib/captcha.js +37 -0
package/dist/lib/constants.d.ts +4 -0
package/dist/lib/constants.js +4 -0
package/dist/lib/context.d.ts +24 -1
package/dist/lib/context.js +17 -3
package/dist/lib/createRoute.d.ts +28 -2
package/dist/lib/createRoute.js +54 -3
package/dist/lib/credentialStuffing.d.ts +31 -0
package/dist/lib/credentialStuffing.js +77 -0
package/dist/lib/deletionCancelToken.d.ts +12 -0
package/dist/lib/deletionCancelToken.js +88 -0
package/dist/lib/emailVerification.d.ts +6 -0
package/dist/lib/emailVerification.js +46 -3
package/dist/lib/groups.d.ts +113 -0
package/dist/lib/groups.js +133 -0
package/dist/lib/idempotency.d.ts +22 -0
package/dist/lib/idempotency.js +182 -0
package/dist/lib/jwks.d.ts +25 -0
package/dist/lib/jwks.js +51 -0
package/dist/lib/jwt.d.ts +15 -2
package/dist/lib/jwt.js +92 -5
package/dist/lib/logger.d.ts +2 -0
package/dist/lib/logger.js +6 -0
package/dist/lib/m2m.d.ts +29 -0
package/dist/lib/m2m.js +48 -0
package/dist/lib/metrics.d.ts +14 -0
package/dist/lib/metrics.js +158 -0
package/dist/lib/mfaChallenge.d.ts +14 -1
package/dist/lib/mfaChallenge.js +111 -6
package/dist/lib/mongo.js +1 -1
package/dist/lib/oauthCode.js +23 -18
package/dist/lib/pagination.d.ts +119 -0
package/dist/lib/pagination.js +166 -0
package/dist/lib/resetPassword.js +3 -1
package/dist/lib/saml.d.ts +25 -0
package/dist/lib/saml.js +64 -0
package/dist/lib/scim.d.ts +44 -0
package/dist/lib/scim.js +54 -0
package/dist/lib/securityEvents.d.ts +28 -0
package/dist/lib/securityEvents.js +26 -0
package/dist/lib/session.d.ts +14 -0
package/dist/lib/session.js +121 -5
package/dist/lib/signing.d.ts +52 -0
package/dist/lib/signing.js +183 -0
package/dist/lib/storageAdapter.d.ts +30 -0
package/dist/lib/storageAdapter.js +1 -0
package/dist/lib/stripUnreferencedSchemas.d.ts +11 -0
package/dist/lib/stripUnreferencedSchemas.js +79 -0
package/dist/lib/suspension.d.ts +13 -0
package/dist/lib/suspension.js +23 -0
package/dist/lib/tenant.js +2 -2
package/dist/lib/upload.d.ts +39 -0
package/dist/lib/upload.js +112 -0
package/dist/lib/uploadRegistry.d.ts +18 -0
package/dist/lib/uploadRegistry.js +83 -0
package/dist/lib/validate.js +2 -2
package/dist/lib/ws.d.ts +1 -0
package/dist/lib/ws.js +28 -0
package/dist/lib/wsHeartbeat.d.ts +12 -0
package/dist/lib/wsHeartbeat.js +57 -0
package/dist/lib/wsMessages.d.ts +40 -0
package/dist/lib/wsMessages.js +330 -0
package/dist/lib/wsPresence.d.ts +25 -0
package/dist/lib/wsPresence.js +99 -0
package/dist/middleware/auditLog.d.ts +22 -0
package/dist/middleware/auditLog.js +39 -0
package/dist/middleware/bearerAuth.js +1 -1
package/dist/middleware/cacheResponse.js +5 -1
package/dist/middleware/captcha.d.ts +10 -0
package/dist/middleware/captcha.js +36 -0
package/dist/middleware/csrf.js +18 -4
package/dist/middleware/errorHandler.js +4 -1
package/dist/middleware/identify.js +89 -14
package/dist/middleware/metrics.d.ts +9 -0
package/dist/middleware/metrics.js +26 -0
package/dist/middleware/requestId.d.ts +3 -0
package/dist/middleware/requestId.js +7 -0
package/dist/middleware/requestLogger.d.ts +38 -0
package/dist/middleware/requestLogger.js +68 -0
package/dist/middleware/requestSigning.d.ts +20 -0
package/dist/middleware/requestSigning.js +100 -0
package/dist/middleware/requireMfaSetup.d.ts +16 -0
package/dist/middleware/requireMfaSetup.js +37 -0
package/dist/middleware/requireRole.d.ts +9 -3
package/dist/middleware/requireRole.js +23 -36
package/dist/middleware/requireScope.d.ts +10 -0
package/dist/middleware/requireScope.js +25 -0
package/dist/middleware/requireStepUp.d.ts +18 -0
package/dist/middleware/requireStepUp.js +29 -0
package/dist/middleware/scimAuth.d.ts +8 -0
package/dist/middleware/scimAuth.js +29 -0
package/dist/middleware/upload.d.ts +5 -0
package/dist/middleware/upload.js +27 -0
package/dist/middleware/webhookAuth.d.ts +30 -0
package/dist/middleware/webhookAuth.js +58 -0
package/dist/models/AuditLog.d.ts +30 -0
package/dist/models/AuditLog.js +39 -0
package/dist/models/AuthUser.d.ts +7 -0
package/dist/models/AuthUser.js +7 -0
package/dist/models/Group.d.ts +21 -0
package/dist/models/Group.js +28 -0
package/dist/models/GroupMembership.d.ts +21 -0
package/dist/models/GroupMembership.js +25 -0
package/dist/models/M2MClient.d.ts +18 -0
package/dist/models/M2MClient.js +18 -0
package/dist/routes/auth.d.ts +3 -2
package/dist/routes/auth.js +238 -21
package/dist/routes/groups.d.ts +21 -0
package/dist/routes/groups.js +346 -0
package/dist/routes/jobs.js +66 -46
package/dist/routes/m2m.d.ts +2 -0
package/dist/routes/m2m.js +72 -0
package/dist/routes/metrics.d.ts +8 -0
package/dist/routes/metrics.js +55 -0
package/dist/routes/mfa.js +13 -1
package/dist/routes/oauth.js +6 -0
package/dist/routes/oidc.d.ts +2 -0
package/dist/routes/oidc.js +29 -0
package/dist/routes/passkey.d.ts +1 -0
package/dist/routes/passkey.js +157 -0
package/dist/routes/saml.d.ts +2 -0
package/dist/routes/saml.js +86 -0
package/dist/routes/scim.d.ts +2 -0
package/dist/routes/scim.js +255 -0
package/dist/routes/uploads.d.ts +14 -0
package/dist/routes/uploads.js +227 -0
package/dist/server.d.ts +26 -0
package/dist/server.js +46 -3
package/dist/services/auth.d.ts +2 -0
package/dist/services/auth.js +101 -22
package/dist/services/mfa.js +2 -2
package/dist/ws/index.js +5 -1
package/docs/sections/auth-flow/full.md +203 -47
package/docs/sections/auth-flow/overview.md +2 -2
package/docs/sections/auth-security-examples/full.md +388 -0
package/docs/sections/authentication/full.md +130 -0
package/docs/sections/authentication/overview.md +5 -0
package/docs/sections/cli/full.md +13 -1
package/docs/sections/configuration/full.md +17 -0
package/docs/sections/configuration/overview.md +1 -0
package/docs/sections/exports/full.md +34 -3
package/docs/sections/logging/full.md +83 -0
package/docs/sections/metrics/full.md +131 -0
package/docs/sections/oauth/full.md +189 -189
package/docs/sections/oauth/overview.md +1 -1
package/docs/sections/pagination/full.md +93 -0
package/docs/sections/passkey-login/full.md +90 -0
package/docs/sections/passkey-login/overview.md +1 -0
package/docs/sections/roles/full.md +224 -135
package/docs/sections/roles/overview.md +3 -1
package/docs/sections/signing/full.md +203 -0
package/docs/sections/uploads/full.md +208 -0
package/docs/sections/versioning/full.md +85 -0
package/docs/sections/webhook-auth/full.md +100 -0
package/docs/sections/websocket/full.md +95 -0
package/docs/sections/websocket-rooms/full.md +6 -1
package/package.json +18 -5

package/dist/middleware/requireStepUp.js ADDED Viewed

@@ -0,0 +1,29 @@
+import { getMfaVerifiedAt } from "../lib/session";
+import { HttpError } from "../lib/HttpError";
+/**
+ * Middleware that requires the user to have recently completed step-up MFA.
+ *
+ * Attach to sensitive routes that require fresh MFA verification:
+ * ```
+ * router.post("/transfer", userAuth, requireStepUp(), transferHandler);
+ * ```
+ *
+ * The user completes step-up via POST /auth/step-up.
+ * After successful step-up, mfaVerifiedAt is stored in their session.
+ */
+export const requireStepUp = (opts) => async (c, next) => {
+    const sessionId = c.get("sessionId");
+    if (!sessionId) {
+        throw new HttpError(401, "Authentication required");
+    }
+    const maxAge = opts?.maxAge ?? 300;
+    const verifiedAt = await getMfaVerifiedAt(sessionId);
+    if (verifiedAt === null) {
+        throw new HttpError(403, "Step-up authentication required", "STEP_UP_REQUIRED");
+    }
+    const now = Math.floor(Date.now() / 1000);
+    if (now - verifiedAt > maxAge) {
+        throw new HttpError(403, "Step-up authentication expired", "STEP_UP_REQUIRED");
+    }
+    await next();
+};

package/dist/middleware/scimAuth.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+import type { MiddlewareHandler } from "hono";
+import type { AppEnv } from "../lib/context";
+export declare function setScimTokens(tokens: string | string[]): void;
+/**
+ * Middleware that validates SCIM bearer tokens.
+ * Tokens are checked with timingSafeEqual to prevent timing attacks.
+ */
+export declare const scimAuth: MiddlewareHandler<AppEnv>;

package/dist/middleware/scimAuth.js ADDED Viewed

@@ -0,0 +1,29 @@
+import { timingSafeEqual } from "../lib/crypto";
+import { HttpError } from "../lib/HttpError";
+let _scimTokens = [];
+export function setScimTokens(tokens) {
+    _scimTokens = Array.isArray(tokens) ? tokens : [tokens];
+}
+/**
+ * Middleware that validates SCIM bearer tokens.
+ * Tokens are checked with timingSafeEqual to prevent timing attacks.
+ */
+export const scimAuth = async (c, next) => {
+    const authHeader = c.req.header("authorization") ?? "";
+    if (!authHeader.startsWith("Bearer ")) {
+        throw new HttpError(401, "SCIM bearer token required");
+    }
+    const provided = authHeader.slice(7);
+    const valid = _scimTokens.some((token) => {
+        try {
+            return timingSafeEqual(provided, token);
+        }
+        catch {
+            return false;
+        }
+    });
+    if (!valid) {
+        throw new HttpError(401, "Invalid SCIM token");
+    }
+    await next();
+};

package/dist/middleware/upload.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+import type { MiddlewareHandler } from "hono";
+import type { AppEnv } from "../lib/context";
+import type { UploadOpts } from "../lib/upload";
+export type UploadMiddlewareOptions = UploadOpts;
+export declare const handleUpload: (opts?: UploadMiddlewareOptions) => MiddlewareHandler<AppEnv>;

package/dist/middleware/upload.js ADDED Viewed

@@ -0,0 +1,27 @@
+import { parseUpload, getUploadConfig } from "../lib/upload";
+export const handleUpload = (opts) => {
+    return async (c, next) => {
+        const config = getUploadConfig();
+        const merged = { ...config, ...opts };
+        const maxFileSize = merged.maxFileSize ?? 10 * 1024 * 1024;
+        const maxFiles = merged.maxFiles ?? 10;
+        // Content-Length pre-check to avoid Bun killing the connection
+        const contentLength = Number(c.req.header("content-length") ?? 0);
+        if (contentLength > 0 && contentLength > maxFileSize * maxFiles) {
+            return c.json({ error: `Request body too large. Maximum is ${maxFileSize * maxFiles} bytes` }, 413);
+        }
+        let results;
+        try {
+            results = await parseUpload(c, opts);
+        }
+        catch (err) {
+            if (err?.status === 400)
+                return c.json({ error: err.message }, 400);
+            if (err?.status === 413)
+                return c.json({ error: err.message }, 413);
+            throw err;
+        }
+        c.set("uploadResults", results);
+        await next();
+    };
+};

package/dist/middleware/webhookAuth.d.ts ADDED Viewed

@@ -0,0 +1,30 @@
+import type { MiddlewareHandler, Context } from "hono";
+import type { AppEnv } from "../lib/context";
+export interface WebhookTimestampOptions {
+    /** Header name containing the Unix timestamp (seconds or ms). */
+    header: string;
+    /**
+     * Allowed age of the timestamp in milliseconds.
+     * Values below 1e10 in the header are treated as Unix seconds and auto-converted.
+     */
+    tolerance: number;
+}
+export interface WebhookAuthOptions {
+    /**
+     * Shared HMAC secret. Pass a function for dynamic resolution
+     * (e.g. per-tenant secret lookup). If the function throws, a 500 is returned.
+     */
+    secret: string | ((c: Context<AppEnv>) => string | Promise<string>);
+    /** Header that carries the signature. Default: `"x-webhook-signature"`. */
+    header?: string;
+    /** HMAC algorithm. Default: `"sha256"`. */
+    algorithm?: "sha256" | "sha512";
+    /**
+     * Strip this prefix from the signature header value before comparing.
+     * e.g. `"sha256="` for GitHub-style `X-Hub-Signature-256: sha256=<hex>`.
+     */
+    prefix?: string;
+    /** Optional replay-protection via a timestamp header. */
+    timestamp?: WebhookTimestampOptions;
+}
+export declare const webhookAuth: (options: WebhookAuthOptions) => MiddlewareHandler<AppEnv>;

package/dist/middleware/webhookAuth.js ADDED Viewed

@@ -0,0 +1,58 @@
+import { createHmac } from "crypto";
+import { timingSafeEqual } from "../lib/crypto";
+import { HttpError } from "../lib/HttpError";
+export const webhookAuth = (options) => async (c, next) => {
+    const algorithm = options.algorithm ?? "sha256";
+    const sigHeader = options.header ?? "x-webhook-signature";
+    // --- Optional timestamp replay protection ---
+    if (options.timestamp) {
+        const { header: tsHeader, tolerance } = options.timestamp;
+        const rawTs = c.req.header(tsHeader);
+        const tsNum = rawTs !== undefined ? parseInt(rawTs, 10) : NaN;
+        if (isNaN(tsNum)) {
+            throw new HttpError(401, "Unauthorized", "EXPIRED_TIMESTAMP");
+        }
+        // Auto-detect Unix seconds (< 1e10) vs milliseconds
+        const tsMs = tsNum < 1e10 ? tsNum * 1000 : tsNum;
+        if (Math.abs(Date.now() - tsMs) > tolerance) {
+            throw new HttpError(401, "Unauthorized", "EXPIRED_TIMESTAMP");
+        }
+    }
+    // --- Signature header ---
+    const rawSig = c.req.header(sigHeader);
+    if (!rawSig) {
+        throw new HttpError(401, "Unauthorized", "INVALID_SIGNATURE");
+    }
+    const provided = options.prefix && rawSig.startsWith(options.prefix)
+        ? rawSig.slice(options.prefix.length)
+        : rawSig;
+    // --- Secret resolution ---
+    let secret;
+    if (typeof options.secret === "function") {
+        try {
+            secret = await options.secret(c);
+        }
+        catch {
+            throw new HttpError(500, "Internal Server Error", "WEBHOOK_SECRET_ERROR");
+        }
+    }
+    else {
+        secret = options.secret;
+    }
+    // --- Body reading (Hono caches this — downstream c.req.json() still works) ---
+    const body = await c.req.text();
+    // --- HMAC computation & comparison ---
+    const computed = createHmac(algorithm, secret).update(body).digest("hex");
+    let valid;
+    try {
+        valid = timingSafeEqual(computed, provided);
+    }
+    catch {
+        // timingSafeEqual can throw if buffer byte lengths differ (e.g. multi-byte Unicode in sig)
+        valid = false;
+    }
+    if (!valid) {
+        throw new HttpError(401, "Unauthorized", "INVALID_SIGNATURE");
+    }
+    await next();
+};

package/dist/models/AuditLog.d.ts ADDED Viewed

@@ -0,0 +1,30 @@
+import type { Document, Model } from "mongoose";
+interface IAuditLog {
+    /** UUID assigned by the caller — stable cross-store identifier. */
+    id: string;
+    userId: string | null;
+    sessionId: string | null;
+    tenantId: string | null;
+    method: string;
+    path: string;
+    status: number;
+    ip: string | null;
+    userAgent: string | null;
+    action?: string;
+    resource?: string;
+    resourceId?: string;
+    meta?: Record<string, unknown>;
+    createdAt: Date;
+    /**
+     * Optional TTL field. MongoDB will automatically delete the document
+     * once this date is in the past (via `expireAfterSeconds: 0` index).
+     */
+    expiresAt?: Date;
+}
+type AuditLogDocument = IAuditLog & Document;
+export declare const AuditLog: Model<AuditLogDocument, {}, {}, {}, Document<unknown, {}, AuditLogDocument, {}, import("mongoose").DefaultSchemaOptions> & IAuditLog & Document<import("mongoose").Types.ObjectId, any, any, Record<string, any>, {}> & Required<{
+    _id: import("mongoose").Types.ObjectId;
+}> & {
+    __v: number;
+}, any, AuditLogDocument>;
+export {};

package/dist/models/AuditLog.js ADDED Viewed

@@ -0,0 +1,39 @@
+import { authConnection, mongoose } from "../lib/mongo";
+let _AuditLog = null;
+function getAuditLogModel() {
+    if (!_AuditLog) {
+        const { Schema } = mongoose;
+        const schema = new Schema({
+            id: { type: String, required: true, unique: true },
+            userId: { type: String, default: null },
+            sessionId: { type: String, default: null },
+            tenantId: { type: String, default: null },
+            method: { type: String, required: true },
+            path: { type: String, required: true },
+            status: { type: Number, required: true },
+            ip: { type: String, default: null },
+            userAgent: { type: String, default: null },
+            action: { type: String },
+            resource: { type: String },
+            resourceId: { type: String },
+            meta: { type: Schema.Types.Mixed },
+            expiresAt: { type: Date, index: { expireAfterSeconds: 0 } },
+        }, {
+            collection: "audit_logs",
+            // Mongoose manages createdAt; no updatedAt needed for immutable log entries.
+            timestamps: { createdAt: "createdAt", updatedAt: false },
+        });
+        schema.index({ userId: 1, createdAt: 1 });
+        schema.index({ tenantId: 1, createdAt: 1 });
+        schema.index({ path: 1 });
+        _AuditLog = authConnection.model("AuditLog", schema);
+    }
+    return _AuditLog;
+}
+export const AuditLog = new Proxy({}, {
+    get(_, prop) {
+        const model = getAuditLogModel();
+        const val = model[prop];
+        return typeof val === "function" ? val.bind(model) : val;
+    },
+});

package/dist/models/AuthUser.d.ts CHANGED Viewed

@@ -25,6 +25,13 @@ interface IAuthUser {
         name?: string;
         createdAt: Date;
     }>;
+    displayName?: string;
+    firstName?: string;
+    lastName?: string;
+    externalId?: string;
+    suspended: boolean;
+    suspendedAt?: Date;
+    suspendedReason?: string;
 }
 type AuthUserDocument = IAuthUser & Document;
 export declare const AuthUser: Model<AuthUserDocument, {}, {}, {}, Document<unknown, {}, AuthUserDocument, {}, import("mongoose").DefaultSchemaOptions> & IAuthUser & Document<import("mongoose").Types.ObjectId, any, any, Record<string, any>, {}> & Required<{

package/dist/models/AuthUser.js CHANGED Viewed

@@ -31,6 +31,13 @@ function getAuthUser() {
                     name: { type: String },
                     createdAt: { type: Date, default: Date.now },
                 }],
+            displayName: { type: String, default: null },
+            firstName: { type: String, default: null },
+            lastName: { type: String, default: null },
+            externalId: { type: String, default: null, index: true, sparse: true },
+            suspended: { type: Boolean, default: false },
+            suspendedAt: { type: Date, default: null },
+            suspendedReason: { type: String, default: null },
         }, { timestamps: true });
         schema.index({ providerIds: 1 });
         _AuthUser = authConnection.model("AuthUser", schema);

package/dist/models/Group.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import type { Document, Model } from "mongoose";
+interface IGroup {
+    name: string;
+    displayName?: string;
+    description?: string;
+    roles: string[];
+    /**
+     * null = app-wide group, string = tenant-scoped group.
+     * Immutable after creation — adapters must reject updates that include tenantId.
+     */
+    tenantId: string | null;
+}
+type GroupDocument = IGroup & Document;
+export declare const Group: Model<GroupDocument, {}, {}, {}, Document<unknown, {}, GroupDocument, {}, import("mongoose").DefaultSchemaOptions> & IGroup & Document<import("mongoose").Types.ObjectId, any, any, Record<string, any>, {}> & Required<{
+    _id: import("mongoose").Types.ObjectId;
+}> & {
+    __v: number;
+} & {
+    id: string;
+}, any, GroupDocument>;
+export {};

package/dist/models/Group.js ADDED Viewed

@@ -0,0 +1,28 @@
+import { authConnection, mongoose } from "../lib/mongo";
+let _Group = null;
+function getGroup() {
+    if (!_Group) {
+        const { Schema } = mongoose;
+        const schema = new Schema({
+            name: { type: String, required: true },
+            displayName: { type: String },
+            description: { type: String },
+            roles: [{ type: String }],
+            tenantId: { type: String, default: null },
+        }, { timestamps: true });
+        // Name is unique within scope (app-wide or per-tenant).
+        // MongoDB treats null as a value, so this compound index correctly enforces uniqueness
+        // for app-wide groups (both have tenantId: null) and per-tenant groups separately.
+        schema.index({ name: 1, tenantId: 1 }, { unique: true });
+        schema.index({ tenantId: 1 });
+        _Group = authConnection.model("Group", schema);
+    }
+    return _Group;
+}
+export const Group = new Proxy({}, {
+    get(_, prop) {
+        const model = getGroup();
+        const val = model[prop];
+        return typeof val === "function" ? val.bind(model) : val;
+    },
+});

package/dist/models/GroupMembership.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import type { Document, Model } from "mongoose";
+interface IGroupMembership {
+    userId: string;
+    groupId: string;
+    /** Per-member extra roles on top of the group's baseline roles. */
+    roles: string[];
+    /**
+     * Denormalized from the group at insert time for efficient tenant-scoped queries.
+     * Immutable: group.tenantId cannot change after creation, so this is always consistent.
+     */
+    tenantId: string | null;
+}
+type GroupMembershipDocument = IGroupMembership & Document;
+export declare const GroupMembership: Model<GroupMembershipDocument, {}, {}, {}, Document<unknown, {}, GroupMembershipDocument, {}, import("mongoose").DefaultSchemaOptions> & IGroupMembership & Document<import("mongoose").Types.ObjectId, any, any, Record<string, any>, {}> & Required<{
+    _id: import("mongoose").Types.ObjectId;
+}> & {
+    __v: number;
+} & {
+    id: string;
+}, any, GroupMembershipDocument>;
+export {};

package/dist/models/GroupMembership.js ADDED Viewed

@@ -0,0 +1,25 @@
+import { authConnection, mongoose } from "../lib/mongo";
+let _GroupMembership = null;
+function getGroupMembership() {
+    if (!_GroupMembership) {
+        const { Schema } = mongoose;
+        const schema = new Schema({
+            userId: { type: String, required: true },
+            groupId: { type: String, required: true },
+            roles: [{ type: String }],
+            tenantId: { type: String, default: null },
+        }, { timestamps: { createdAt: true, updatedAt: false } });
+        schema.index({ userId: 1, groupId: 1 }, { unique: true });
+        schema.index({ groupId: 1 });
+        schema.index({ userId: 1, tenantId: 1 });
+        _GroupMembership = authConnection.model("GroupMembership", schema);
+    }
+    return _GroupMembership;
+}
+export const GroupMembership = new Proxy({}, {
+    get(_, prop) {
+        const model = getGroupMembership();
+        const val = model[prop];
+        return typeof val === "function" ? val.bind(model) : val;
+    },
+});

package/dist/models/M2MClient.d.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import mongoose from "mongoose";
+export interface IM2MClient {
+    _id: string;
+    clientId: string;
+    clientSecretHash: string;
+    name: string;
+    scopes: string[];
+    active: boolean;
+    createdAt: Date;
+    updatedAt: Date;
+}
+export declare const M2MClient: mongoose.Model<IM2MClient, {}, {}, {}, mongoose.Document<unknown, {}, IM2MClient, {}, mongoose.DefaultSchemaOptions> & IM2MClient & Required<{
+    _id: string;
+}> & {
+    __v: number;
+} & {
+    id: string;
+}, any, IM2MClient>;

package/dist/models/M2MClient.js ADDED Viewed

@@ -0,0 +1,18 @@
+import mongoose from "mongoose";
+const m2mClientSchema = new mongoose.Schema({
+    clientId: { type: String, required: true, unique: true },
+    clientSecretHash: { type: String, required: true },
+    name: { type: String, required: true },
+    scopes: { type: [String], default: [] },
+    active: { type: Boolean, default: true },
+}, { timestamps: true });
+// Lazy proxy pattern (same as AuthUser.ts)
+export const M2MClient = new Proxy({}, {
+    get(_, prop) {
+        const { authConnection } = require("../lib/mongo");
+        if (!authConnection)
+            throw new Error("authConnection not initialized — call connectAuthMongo() or connectMongo() first");
+        const model = authConnection.models["M2MClient"] ?? authConnection.model("M2MClient", m2mClientSchema);
+        return model[prop];
+    },
+});

package/dist/routes/auth.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import type { PrimaryField, EmailVerificationConfig, PasswordResetConfig, RefreshTokenConfig } from "../lib/appConfig";
+import type { PrimaryField, EmailVerificationConfig, PasswordResetConfig, RefreshTokenConfig, StepUpConfig } from "../lib/appConfig";
 import type { AuthRateLimitConfig, AccountDeletionConfig } from "../app";
 export interface AuthRouterOptions {
     primaryField: PrimaryField;
@@ -7,5 +7,6 @@ export interface AuthRouterOptions {
     rateLimit?: AuthRateLimitConfig;
     accountDeletion?: AccountDeletionConfig;
     refreshTokens?: RefreshTokenConfig;
+    stepUp?: StepUpConfig;
 }
-export declare const createAuthRouter: ({ primaryField, emailVerification, passwordReset, rateLimit, accountDeletion, refreshTokens }: AuthRouterOptions) => import("@hono/zod-openapi").OpenAPIHono<import("../lib/context").AppEnv, {}, "/">;
+export declare const createAuthRouter: ({ primaryField, emailVerification, passwordReset, rateLimit, accountDeletion, refreshTokens, stepUp }: AuthRouterOptions) => import("@hono/zod-openapi").OpenAPIHono<import("../lib/context").AppEnv, {}, "/">;