@lastshotlabs/bunshot 0.0.21 → 0.0.27

package/dist/routes/auth.js

@@ -1,4 +1,5 @@
 import { createRoute, withSecurity } from "../lib/createRoute";
+import { HttpError } from "../lib/HttpError";
 import { z } from "zod";
 import { setCookie, getCookie, deleteCookie } from "hono/cookie";
 import * as AuthService from "../services/auth";
@@ -6,14 +7,18 @@ import { makeRegisterSchema, makeLoginSchema, resetPasswordSchema } from "../sch
 import { COOKIE_TOKEN, HEADER_USER_TOKEN, COOKIE_REFRESH_TOKEN, HEADER_REFRESH_TOKEN } from "../lib/constants";
 import { userAuth } from "../middleware/userAuth";
 import { isLimited, trackAttempt, bustAuthLimit } from "../lib/authRateLimit";
+import { isStuffingBlocked, trackFailedLogin } from "../lib/credentialStuffing";
 import { getAuthAdapter } from "../lib/authAdapter";
 import { createRouter } from "../lib/context";
-import { getVerificationToken, deleteVerificationToken, createVerificationToken } from "../lib/emailVerification";
+import { consumeVerificationToken, createVerificationToken } from "../lib/emailVerification";
 import { createResetToken, consumeResetToken } from "../lib/resetPassword";
-import { getRefreshTokenExpiry, getAccessTokenExpiry, getCsrfEnabled } from "../lib/appConfig";
+import { createDeletionCancelToken, consumeDeletionCancelToken } from "../lib/deletionCancelToken";
+import { getRefreshTokenExpiry, getAccessTokenExpiry, getCsrfEnabled, getAppName, getBreachedPasswordConfig } from "../lib/appConfig";
+import { checkBreachedPassword } from "../lib/breachedPassword";
 import { refreshCsrfToken, clearCsrfToken } from "../middleware/csrf";
-import { getUserSessions, deleteSession, deleteUserSessions } from "../lib/session";
+import { getUserSessions, deleteSession, deleteUserSessions, setMfaVerifiedAt } from "../lib/session";
 import { getClientIp } from "../lib/clientIp";
+import { emitSecurityEvent } from "../lib/securityEvents";
 const isProd = process.env.NODE_ENV === "production";
 const TokenResponse = z.object({
     token: z.string().describe("JWT session token. Also set as an HttpOnly session cookie. Empty string when mfaRequired is true."),
@@ -24,7 +29,8 @@ const TokenResponse = z.object({
     refreshToken: z.string().optional().describe("Refresh token (present when refreshTokens is configured). Also set as an HttpOnly cookie."),
     mfaRequired: z.boolean().optional().describe("When true, complete MFA via POST /auth/mfa/verify before accessing the API."),
     mfaToken: z.string().optional().describe("MFA challenge token. Pass to POST /auth/mfa/verify with a TOTP or recovery code."),
-    mfaMethods: z.array(z.string()).optional().describe("Available MFA methods when mfaRequired is true (e.g., 'totp', 'emailOtp')."),
+    mfaMethods: z.array(z.string()).optional().describe("Available MFA methods when mfaRequired is true (e.g., 'totp', 'emailOtp', 'webauthn')."),
+    webauthnOptions: z.record(z.string(), z.unknown()).optional().describe("WebAuthn assertion options (present when mfaMethods includes 'webauthn'). Pass directly to navigator.credentials.get()."),
 }).openapi("TokenResponse");
 const ErrorResponse = z.object({ error: z.string().describe("Human-readable error message.") }).openapi("ErrorResponse");
 const tags = ["Auth"];
@@ -35,7 +41,7 @@ const cookieOptions = (maxAge) => ({
     path: "/",
     maxAge: maxAge ?? 60 * 60 * 24 * 7, // 7 days
 });
-export const createAuthRouter = ({ primaryField, emailVerification, passwordReset, rateLimit, accountDeletion, refreshTokens }) => {
+export const createAuthRouter = ({ primaryField, emailVerification, passwordReset, rateLimit, accountDeletion, refreshTokens, stepUp }) => {
     const router = createRouter();
     const RegisterSchema = makeRegisterSchema(primaryField);
     const LoginSchema = makeLoginSchema(primaryField);
@@ -64,10 +70,18 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
     }), async (c) => {
         const ip = getClientIp(c);
         if (await trackAttempt(`register:${ip}`, registerOpts)) {
+            emitSecurityEvent({ eventType: "security.rate_limit.exceeded", severity: "warn", timestamp: new Date().toISOString(), meta: { path: c.req.path } });
             return c.json({ error: "Too many registration attempts. Try again later." }, 429);
         }
         const body = c.req.valid("json");
         const identifier = body[primaryField];
+        const breachConfig = getBreachedPasswordConfig();
+        if (breachConfig) {
+            const { breached } = await checkBreachedPassword(body.password, breachConfig);
+            if (breached && breachConfig.block !== false) {
+                throw new HttpError(400, "This password has appeared in a data breach. Please choose a different password.", "BREACHED_PASSWORD");
+            }
+        }
         const metadata = {
             ipAddress: ip !== "unknown" ? ip : undefined,
             userAgent: c.req.header("user-agent") ?? undefined,
@@ -79,7 +93,8 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
         }
         if (getCsrfEnabled())
             refreshCsrfToken(c);
-        return c.json(result, 201);
+        const { refreshToken: _rt, ...safeResult } = result;
+        return c.json(result.refreshToken ? safeResult : result, 201);
     });
     router.openapi(createRoute({
         method: "post",
@@ -98,11 +113,23 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
         const body = c.req.valid("json");
         const identifier = body[primaryField];
         const limitKey = `login:${identifier}`;
+        const clientIp = getClientIp(c) ?? "unknown";
+        if (isStuffingBlocked(clientIp, identifier)) {
+            emitSecurityEvent({
+                eventType: "security.credential_stuffing.detected",
+                severity: "critical",
+                timestamp: new Date().toISOString(),
+                ip: clientIp,
+                meta: { identifier },
+            });
+            throw new HttpError(429, "Too many login attempts from this source", "CREDENTIAL_STUFFING_BLOCKED");
+        }
         if (await isLimited(limitKey, loginOpts)) {
+            emitSecurityEvent({ eventType: "security.rate_limit.exceeded", severity: "warn", timestamp: new Date().toISOString(), meta: { path: c.req.path } });
             return c.json({ error: "Too many failed login attempts. Try again later." }, 429);
         }
         const metadata = {
-            ipAddress: getClientIp(c),
+            ipAddress: clientIp !== "unknown" ? clientIp : undefined,
             userAgent: c.req.header("user-agent") ?? undefined,
         };
         try {
@@ -116,9 +143,13 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
                 if (getCsrfEnabled())
                     refreshCsrfToken(c);
             }
-            return c.json(result, 200);
+            const { refreshToken: _rt, ...safeResult } = result;
+            return c.json(result.refreshToken ? safeResult : result, 200);
         }
         catch (err) {
+            if (err instanceof HttpError && err.status === 401) {
+                trackFailedLogin(clientIp, identifier);
+            }
             await trackAttempt(limitKey, loginOpts); // failure — count it
             throw err;
         }
@@ -212,6 +243,33 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
         if (accountDeletion?.onBeforeDelete) {
             await accountDeletion.onBeforeDelete(authUserId);
         }
+        // Queued deletion via BullMQ
+        if (accountDeletion?.queued) {
+            const { createQueue } = await import("../lib/queue");
+            const appName = getAppName();
+            const queue = createQueue(`${appName}:account-deletions`);
+            const delayMs = (accountDeletion.gracePeriod ?? 0) * 1000;
+            const job = await queue.add("delete-account", { userId: authUserId }, {
+                delay: delayMs,
+                attempts: 3,
+                backoff: { type: "exponential", delay: 1000 },
+                removeOnComplete: true,
+                removeOnFail: 100,
+            });
+            await queue.close();
+            // Revoke sessions immediately so the user is logged out
+            await deleteUserSessions(authUserId);
+            if (accountDeletion.gracePeriod && accountDeletion.onDeletionScheduled) {
+                const user = adapter.getUser ? await adapter.getUser(authUserId) : null;
+                const email = user?.email ?? "";
+                if (email) {
+                    const cancelToken = await createDeletionCancelToken(authUserId, job.id, accountDeletion.gracePeriod);
+                    await accountDeletion.onDeletionScheduled(authUserId, email, cancelToken);
+                }
+            }
+            deleteCookie(c, COOKIE_TOKEN, { path: "/" });
+            return c.json({ message: "Account deletion scheduled" }, 202);
+        }
         // Synchronous deletion (default)
         await deleteUserSessions(authUserId);
         await adapter.deleteUser(authUserId);
@@ -226,13 +284,25 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
         method: "post",
         path: "/auth/set-password",
         summary: "Set or update password",
-        description: "Sets or updates the password for the authenticated user. Useful for OAuth-only users who want to add a password. Requires a valid session.",
+        description: "Sets or updates the password for the authenticated user. Useful for OAuth-only users who want to add a password. If the account already has a password set, `currentPassword` is required. Requires a valid session.",
         tags,
-        request: { body: { content: { "application/json": { schema: z.object({ password: z.string().min(8).describe("New password. Minimum 8 characters.") }) } }, description: "New password." } },
+        request: {
+            body: {
+                content: {
+                    "application/json": {
+                        schema: z.object({
+                            password: z.string().min(8).describe("New password."),
+                            currentPassword: z.string().optional().describe("Current password. Required if the account already has a password set."),
+                        }),
+                    },
+                },
+                description: "New password.",
+            },
+        },
         responses: {
             200: { content: { "application/json": { schema: z.object({ message: z.string() }) } }, description: "Password updated successfully." },
-            400: { content: { "application/json": { schema: ErrorResponse } }, description: "Validation error (e.g. password too short)." },
-            401: { content: { "application/json": { schema: ErrorResponse } }, description: "No valid session." },
+            400: { content: { "application/json": { schema: ErrorResponse } }, description: "Validation error, or current password is required when one is already set." },
+            401: { content: { "application/json": { schema: ErrorResponse } }, description: "No valid session, or current password is incorrect." },
             501: { content: { "application/json": { schema: ErrorResponse } }, description: "The configured auth adapter does not support setPassword." },
         },
     }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
@@ -240,10 +310,27 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
         if (!adapter.setPassword) {
             return c.json({ error: "Auth adapter does not support setPassword" }, 501);
         }
-        const { password } = c.req.valid("json");
+        const { password, currentPassword } = c.req.valid("json");
         const authUserId = c.get("authUserId");
+        // If the user already has a password, require currentPassword to change it
+        const user = adapter.getUser ? await adapter.getUser(authUserId) : null;
+        if (user) {
+            const findFn = adapter.findByIdentifier ?? (user.email ? adapter.findByEmail.bind(adapter) : null);
+            if (findFn && user.email) {
+                const found = await findFn(user.email);
+                if (found?.passwordHash) {
+                    if (!currentPassword) {
+                        return c.json({ error: "Current password is required to change an existing password." }, 400);
+                    }
+                    if (!(await Bun.password.verify(currentPassword, found.passwordHash))) {
+                        return c.json({ error: "Current password is incorrect." }, 401);
+                    }
+                }
+            }
+        }
         const passwordHash = await Bun.password.hash(password);
         await adapter.setPassword(authUserId, passwordHash);
+        emitSecurityEvent({ eventType: "auth.password.change", severity: "info", timestamp: new Date().toISOString() });
         return c.json({ message: "Password updated" }, 200);
     });
     router.openapi(createRoute({
@@ -285,24 +372,25 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
             }
             const { token } = c.req.valid("json");
             const adapter = getAuthAdapter();
-            const entry = await getVerificationToken(token);
+            const entry = await consumeVerificationToken(token);
             if (!entry)
                 return c.json({ error: "Invalid or expired verification token" }, 400);
             if (adapter.setEmailVerified)
                 await adapter.setEmailVerified(entry.userId, true);
-            await deleteVerificationToken(token);
+            if (getCsrfEnabled())
+                refreshCsrfToken(c);
             return c.json({ message: "Email verified" }, 200);
         });
         router.openapi(createRoute({
             method: "post",
             path: "/auth/resend-verification",
             summary: "Resend verification email",
-            description: "Authenticates with credentials and sends a new verification email. Returns 400 if already verified. Rate-limited per identifier. Does not require a session.",
+            description: "Authenticates with credentials and sends a new verification email. Always returns 200 for valid credentials regardless of verification status, to prevent user enumeration. Rate-limited per identifier. Does not require a session.",
             tags,
             request: { body: { content: { "application/json": { schema: LoginSchema } }, description: "Login credentials to identify the account." } },
             responses: {
-                200: { content: { "application/json": { schema: z.object({ message: z.string() }) } }, description: "Verification email sent." },
-                400: { content: { "application/json": { schema: ErrorResponse } }, description: "Email is already verified, or no email address on file." },
+                200: { content: { "application/json": { schema: z.object({ message: z.string() }) } }, description: "Verification email sent, or account is already verified (indistinguishable by design)." },
+                400: { content: { "application/json": { schema: ErrorResponse } }, description: "No email address on file for this account." },
                 401: { content: { "application/json": { schema: ErrorResponse } }, description: "Invalid credentials." },
                 429: { content: { "application/json": { schema: ErrorResponse } }, description: "Too many resend attempts for this identifier. Try again later." },
                 501: { content: { "application/json": { schema: ErrorResponse } }, description: "The configured auth adapter does not support email verification." },
@@ -323,8 +411,10 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
                 return c.json({ error: "Invalid credentials" }, 401);
             }
             const alreadyVerified = await adapter.getEmailVerified(user.id);
+            // Return 200 (not 400) to avoid revealing whether the account is verified —
+            // distinguishing verified vs unverified would let attackers confirm valid credentials.
             if (alreadyVerified)
-                return c.json({ error: "Email already verified" }, 400);
+                return c.json({ message: "Verification email sent if not already verified" }, 200);
             const fullUser = await adapter.getUser(user.id);
             if (!fullUser?.email)
                 return c.json({ error: "No email address on file" }, 400);
@@ -405,6 +495,13 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
                 return c.json({ error: "Too many attempts. Try again later." }, 429);
             }
             const { token, password } = c.req.valid("json");
+            const breachConfig = getBreachedPasswordConfig();
+            if (breachConfig) {
+                const { breached } = await checkBreachedPassword(password, breachConfig);
+                if (breached && breachConfig.block !== false) {
+                    throw new HttpError(400, "This password has appeared in a data breach. Please choose a different password.", "BREACHED_PASSWORD");
+                }
+            }
             // consumeResetToken atomically gets and deletes — prevents concurrent replay
             const entry = await consumeResetToken(token);
             if (!entry)
@@ -418,6 +515,7 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
             // Revoke all sessions so stolen JWTs can't stay valid after a reset
             const sessions = await getUserSessions(entry.userId);
             await Promise.all(sessions.map((s) => deleteSession(s.sessionId)));
+            emitSecurityEvent({ eventType: "auth.password.reset", severity: "info", timestamp: new Date().toISOString() });
             return c.json({ message: "Password reset successfully" }, 200);
         });
     }
@@ -427,7 +525,6 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
     if (refreshTokens) {
         const RefreshResponse = z.object({
             token: z.string().describe("New short-lived JWT access token."),
-            refreshToken: z.string().describe("New refresh token (rotation). The previous token is valid for a short grace window."),
             userId: z.string().describe("Unique user ID."),
         }).openapi("RefreshResponse");
         router.openapi(createRoute({
@@ -466,7 +563,127 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
             const result = await AuthService.refresh(rt);
             setCookie(c, COOKIE_TOKEN, result.token, cookieOptions(getAccessTokenExpiry()));
             setCookie(c, COOKIE_REFRESH_TOKEN, result.refreshToken, cookieOptions(getRefreshTokenExpiry()));
-            return c.json(result, 200);
+            const { refreshToken: _rt, ...safeResult } = result;
+            return c.json(safeResult, 200);
+        });
+    }
+    // ---------------------------------------------------------------------------
+    // Account deletion cancellation — only mounted when queued: true + gracePeriod > 0
+    // ---------------------------------------------------------------------------
+    if (accountDeletion?.queued && accountDeletion.gracePeriod) {
+        router.openapi(createRoute({
+            method: "post",
+            path: "/auth/cancel-deletion",
+            summary: "Cancel scheduled account deletion",
+            description: "Cancels a pending queued account deletion using the cancel token sent via the onDeletionScheduled callback. Must be called before the grace period expires.",
+            tags,
+            request: {
+                body: {
+                    content: {
+                        "application/json": {
+                            schema: z.object({
+                                token: z.string().describe("Cancel token received in the deletion scheduled notification."),
+                            }),
+                        },
+                    },
+                    description: "Cancel token.",
+                },
+            },
+            responses: {
+                200: { content: { "application/json": { schema: z.object({ message: z.string() }) } }, description: "Account deletion cancelled." },
+                400: { content: { "application/json": { schema: ErrorResponse } }, description: "Invalid or expired cancel token." },
+            },
+        }), async (c) => {
+            const { token } = c.req.valid("json");
+            const entry = await consumeDeletionCancelToken(token);
+            if (!entry)
+                return c.json({ error: "Invalid or expired cancel token" }, 400);
+            // Remove the pending BullMQ job
+            try {
+                const { createQueue } = await import("../lib/queue");
+                const appName = getAppName();
+                const queue = createQueue(`${appName}:account-deletions`);
+                const job = await queue.getJob(entry.jobId);
+                if (job)
+                    await job.remove();
+                await queue.close();
+            }
+            catch {
+                // Job may have already executed — that's an error case but we still consumed the token
+            }
+            return c.json({ message: "Account deletion cancelled" }, 200);
+        });
+    }
+    // ---------------------------------------------------------------------------
+    // Step-up MFA re-authentication — only mounted when stepUp is configured
+    // ---------------------------------------------------------------------------
+    if (stepUp) {
+        const stepUpOpts = { windowMs: rateLimit?.mfaVerify?.windowMs ?? 15 * 60 * 1000, max: rateLimit?.mfaVerify?.max ?? 10 };
+        const stepUpSchema = z.object({
+            mfaCode: z.string().optional().describe("6-digit TOTP code or recovery code."),
+            password: z.string().optional().describe("Account password."),
+        }).refine(data => data.mfaCode || data.password, {
+            message: "Either mfaCode or password is required",
+        });
+        router.use("/auth/step-up", userAuth);
+        router.openapi(withSecurity(createRoute({
+            method: "post",
+            path: "/auth/step-up",
+            summary: "Step-up MFA re-authentication",
+            description: "Re-authenticates the current session via TOTP code or password to satisfy step-up requirements for sensitive operations. On success, sets mfaVerifiedAt in the session.",
+            tags,
+            request: {
+                body: {
+                    content: {
+                        "application/json": {
+                            schema: stepUpSchema,
+                        },
+                    },
+                    description: "TOTP code or password for re-authentication.",
+                },
+            },
+            responses: {
+                200: { content: { "application/json": { schema: z.object({ ok: z.literal(true) }) } }, description: "Step-up authentication successful." },
+                400: { content: { "application/json": { schema: ErrorResponse } }, description: "Neither mfaCode nor password provided." },
+                401: { content: { "application/json": { schema: ErrorResponse } }, description: "Invalid code or password, or no valid session." },
+                429: { content: { "application/json": { schema: ErrorResponse } }, description: "Too many step-up attempts. Try again later." },
+            },
+        }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+            const ip = getClientIp(c);
+            if (await trackAttempt(`step-up:${ip}`, stepUpOpts)) {
+                return c.json({ error: "Too many step-up attempts. Try again later." }, 429);
+            }
+            const userId = c.get("authUserId");
+            const sessionId = c.get("sessionId");
+            const { mfaCode, password } = c.req.valid("json");
+            let valid = false;
+            if (mfaCode) {
+                const { verifyTotp, verifyRecoveryCode } = await import("../services/mfa");
+                valid = await verifyTotp(userId, mfaCode);
+                if (!valid)
+                    valid = await verifyRecoveryCode(userId, mfaCode);
+            }
+            else if (password) {
+                const adapter = getAuthAdapter();
+                const findFn = adapter.findByIdentifier ?? (adapter.findByEmail ? adapter.findByEmail.bind(adapter) : null);
+                if (findFn) {
+                    const user = adapter.getUser ? await adapter.getUser(userId) : null;
+                    const identifier = user?.email ?? "";
+                    if (identifier) {
+                        const found = await findFn(identifier);
+                        if (found?.passwordHash) {
+                            valid = await Bun.password.verify(password, found.passwordHash);
+                        }
+                    }
+                }
+            }
+            if (!valid) {
+                emitSecurityEvent({ eventType: "auth.step_up.failure", severity: "warn", timestamp: new Date().toISOString(), userId });
+                return c.json({ error: "Invalid credentials" }, 401);
+            }
+            await setMfaVerifiedAt(sessionId);
+            emitSecurityEvent({ eventType: "auth.step_up.success", severity: "info", timestamp: new Date().toISOString(), userId });
+            return c.json({ ok: true }, 200);
         });
     }
     // ---------------------------------------------------------------------------

package/dist/routes/groups.d.ts

@@ -0,0 +1,21 @@
+import type { MiddlewareHandler } from "hono";
+import type { AppEnv } from "../lib/context";
+export interface GroupsManagementConfig {
+    /**
+     * Role required to access all management routes.
+     * Applied via requireRole.global(adminRole). Default: "admin".
+     * Ignored if `middleware` is provided.
+     */
+    adminRole?: string;
+    /**
+     * Fully replaces the default auth middleware stack [userAuth, requireRole.global(adminRole)].
+     * Use only when a single role check is insufficient.
+     * When provided, `adminRole` is ignored.
+     */
+    middleware?: MiddlewareHandler<AppEnv>[];
+}
+export interface GroupsConfig {
+    /** Mount group management routes. Pass `true` to use all defaults. */
+    managementRoutes?: GroupsManagementConfig | true;
+}
+export declare const createGroupsRouter: (config: GroupsConfig) => import("@hono/zod-openapi").OpenAPIHono<AppEnv, {}, "/">;