npm - @lastshotlabs/bunshot - Versions diffs - 0.0.21 → 0.0.27 - Mend

@lastshotlabs/bunshot 0.0.21 → 0.0.27

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (185) hide show

package/README.md +3035 -1249
package/dist/adapters/localStorage.d.ts +6 -0
package/dist/adapters/localStorage.js +59 -0
package/dist/adapters/memoryAuth.d.ts +13 -0
package/dist/adapters/memoryAuth.js +261 -2
package/dist/adapters/memoryStorage.d.ts +3 -0
package/dist/adapters/memoryStorage.js +44 -0
package/dist/adapters/mongoAuth.js +217 -1
package/dist/adapters/s3Storage.d.ts +14 -0
package/dist/adapters/s3Storage.js +126 -0
package/dist/adapters/sqliteAuth.d.ts +30 -0
package/dist/adapters/sqliteAuth.js +352 -2
package/dist/app.d.ts +203 -3
package/dist/app.js +352 -48
package/dist/cli.js +118 -38
package/dist/index.d.ts +69 -8
package/dist/index.js +46 -5
package/dist/lib/HttpError.d.ts +7 -1
package/dist/lib/HttpError.js +10 -1
package/dist/lib/appConfig.d.ts +157 -0
package/dist/lib/appConfig.js +54 -0
package/dist/lib/auditLog.d.ts +58 -0
package/dist/lib/auditLog.js +218 -0
package/dist/lib/authAdapter.d.ts +140 -1
package/dist/lib/authRateLimit.js +36 -0
package/dist/lib/breachedPassword.d.ts +13 -0
package/dist/lib/breachedPassword.js +48 -0
package/dist/lib/captcha.d.ts +25 -0
package/dist/lib/captcha.js +37 -0
package/dist/lib/constants.d.ts +4 -0
package/dist/lib/constants.js +4 -0
package/dist/lib/context.d.ts +24 -1
package/dist/lib/context.js +17 -3
package/dist/lib/createRoute.d.ts +28 -2
package/dist/lib/createRoute.js +54 -3
package/dist/lib/credentialStuffing.d.ts +31 -0
package/dist/lib/credentialStuffing.js +77 -0
package/dist/lib/deletionCancelToken.d.ts +12 -0
package/dist/lib/deletionCancelToken.js +88 -0
package/dist/lib/emailVerification.d.ts +6 -0
package/dist/lib/emailVerification.js +46 -3
package/dist/lib/groups.d.ts +113 -0
package/dist/lib/groups.js +133 -0
package/dist/lib/idempotency.d.ts +22 -0
package/dist/lib/idempotency.js +182 -0
package/dist/lib/jwks.d.ts +25 -0
package/dist/lib/jwks.js +51 -0
package/dist/lib/jwt.d.ts +15 -2
package/dist/lib/jwt.js +92 -5
package/dist/lib/logger.d.ts +2 -0
package/dist/lib/logger.js +6 -0
package/dist/lib/m2m.d.ts +29 -0
package/dist/lib/m2m.js +48 -0
package/dist/lib/metrics.d.ts +14 -0
package/dist/lib/metrics.js +158 -0
package/dist/lib/mfaChallenge.d.ts +14 -1
package/dist/lib/mfaChallenge.js +111 -6
package/dist/lib/mongo.js +1 -1
package/dist/lib/oauthCode.js +23 -18
package/dist/lib/pagination.d.ts +119 -0
package/dist/lib/pagination.js +166 -0
package/dist/lib/resetPassword.js +3 -1
package/dist/lib/saml.d.ts +25 -0
package/dist/lib/saml.js +64 -0
package/dist/lib/scim.d.ts +44 -0
package/dist/lib/scim.js +54 -0
package/dist/lib/securityEvents.d.ts +28 -0
package/dist/lib/securityEvents.js +26 -0
package/dist/lib/session.d.ts +14 -0
package/dist/lib/session.js +121 -5
package/dist/lib/signing.d.ts +52 -0
package/dist/lib/signing.js +183 -0
package/dist/lib/storageAdapter.d.ts +30 -0
package/dist/lib/storageAdapter.js +1 -0
package/dist/lib/stripUnreferencedSchemas.d.ts +11 -0
package/dist/lib/stripUnreferencedSchemas.js +79 -0
package/dist/lib/suspension.d.ts +13 -0
package/dist/lib/suspension.js +23 -0
package/dist/lib/tenant.js +2 -2
package/dist/lib/upload.d.ts +39 -0
package/dist/lib/upload.js +112 -0
package/dist/lib/uploadRegistry.d.ts +18 -0
package/dist/lib/uploadRegistry.js +83 -0
package/dist/lib/validate.js +2 -2
package/dist/lib/ws.d.ts +1 -0
package/dist/lib/ws.js +28 -0
package/dist/lib/wsHeartbeat.d.ts +12 -0
package/dist/lib/wsHeartbeat.js +57 -0
package/dist/lib/wsMessages.d.ts +40 -0
package/dist/lib/wsMessages.js +330 -0
package/dist/lib/wsPresence.d.ts +25 -0
package/dist/lib/wsPresence.js +99 -0
package/dist/middleware/auditLog.d.ts +22 -0
package/dist/middleware/auditLog.js +39 -0
package/dist/middleware/bearerAuth.js +1 -1
package/dist/middleware/cacheResponse.js +5 -1
package/dist/middleware/captcha.d.ts +10 -0
package/dist/middleware/captcha.js +36 -0
package/dist/middleware/csrf.js +18 -4
package/dist/middleware/errorHandler.js +4 -1
package/dist/middleware/identify.js +89 -14
package/dist/middleware/metrics.d.ts +9 -0
package/dist/middleware/metrics.js +26 -0
package/dist/middleware/requestId.d.ts +3 -0
package/dist/middleware/requestId.js +7 -0
package/dist/middleware/requestLogger.d.ts +38 -0
package/dist/middleware/requestLogger.js +68 -0
package/dist/middleware/requestSigning.d.ts +20 -0
package/dist/middleware/requestSigning.js +100 -0
package/dist/middleware/requireMfaSetup.d.ts +16 -0
package/dist/middleware/requireMfaSetup.js +37 -0
package/dist/middleware/requireRole.d.ts +9 -3
package/dist/middleware/requireRole.js +23 -36
package/dist/middleware/requireScope.d.ts +10 -0
package/dist/middleware/requireScope.js +25 -0
package/dist/middleware/requireStepUp.d.ts +18 -0
package/dist/middleware/requireStepUp.js +29 -0
package/dist/middleware/scimAuth.d.ts +8 -0
package/dist/middleware/scimAuth.js +29 -0
package/dist/middleware/upload.d.ts +5 -0
package/dist/middleware/upload.js +27 -0
package/dist/middleware/webhookAuth.d.ts +30 -0
package/dist/middleware/webhookAuth.js +58 -0
package/dist/models/AuditLog.d.ts +30 -0
package/dist/models/AuditLog.js +39 -0
package/dist/models/AuthUser.d.ts +7 -0
package/dist/models/AuthUser.js +7 -0
package/dist/models/Group.d.ts +21 -0
package/dist/models/Group.js +28 -0
package/dist/models/GroupMembership.d.ts +21 -0
package/dist/models/GroupMembership.js +25 -0
package/dist/models/M2MClient.d.ts +18 -0
package/dist/models/M2MClient.js +18 -0
package/dist/routes/auth.d.ts +3 -2
package/dist/routes/auth.js +238 -21
package/dist/routes/groups.d.ts +21 -0
package/dist/routes/groups.js +346 -0
package/dist/routes/jobs.js +66 -46
package/dist/routes/m2m.d.ts +2 -0
package/dist/routes/m2m.js +72 -0
package/dist/routes/metrics.d.ts +8 -0
package/dist/routes/metrics.js +55 -0
package/dist/routes/mfa.js +13 -1
package/dist/routes/oauth.js +6 -0
package/dist/routes/oidc.d.ts +2 -0
package/dist/routes/oidc.js +29 -0
package/dist/routes/passkey.d.ts +1 -0
package/dist/routes/passkey.js +157 -0
package/dist/routes/saml.d.ts +2 -0
package/dist/routes/saml.js +86 -0
package/dist/routes/scim.d.ts +2 -0
package/dist/routes/scim.js +255 -0
package/dist/routes/uploads.d.ts +14 -0
package/dist/routes/uploads.js +227 -0
package/dist/server.d.ts +26 -0
package/dist/server.js +46 -3
package/dist/services/auth.d.ts +2 -0
package/dist/services/auth.js +101 -22
package/dist/services/mfa.js +2 -2
package/dist/ws/index.js +5 -1
package/docs/sections/auth-flow/full.md +203 -47
package/docs/sections/auth-flow/overview.md +2 -2
package/docs/sections/auth-security-examples/full.md +388 -0
package/docs/sections/authentication/full.md +130 -0
package/docs/sections/authentication/overview.md +5 -0
package/docs/sections/cli/full.md +13 -1
package/docs/sections/configuration/full.md +17 -0
package/docs/sections/configuration/overview.md +1 -0
package/docs/sections/exports/full.md +34 -3
package/docs/sections/logging/full.md +83 -0
package/docs/sections/metrics/full.md +131 -0
package/docs/sections/oauth/full.md +189 -189
package/docs/sections/oauth/overview.md +1 -1
package/docs/sections/pagination/full.md +93 -0
package/docs/sections/passkey-login/full.md +90 -0
package/docs/sections/passkey-login/overview.md +1 -0
package/docs/sections/roles/full.md +224 -135
package/docs/sections/roles/overview.md +3 -1
package/docs/sections/signing/full.md +203 -0
package/docs/sections/uploads/full.md +208 -0
package/docs/sections/versioning/full.md +85 -0
package/docs/sections/webhook-auth/full.md +100 -0
package/docs/sections/websocket/full.md +95 -0
package/docs/sections/websocket-rooms/full.md +6 -1
package/package.json +18 -5

package/dist/routes/groups.js ADDED Viewed

@@ -0,0 +1,346 @@
+import { z } from "zod";
+import { createRoute, withSecurity } from "../lib/createRoute";
+import { createRouter } from "../lib/context";
+import { userAuth } from "../middleware/userAuth";
+import { requireRole } from "../middleware/requireRole";
+import { createGroup, deleteGroup, getGroup, listGroups, updateGroup, addGroupMember, updateGroupMembership, removeGroupMember, getGroupMembers, getUserGroups, } from "../lib/groups";
+import { HttpError } from "../lib/HttpError";
+// ---------------------------------------------------------------------------
+// Zod schemas
+// ---------------------------------------------------------------------------
+const SLUG_REGEX = /^[a-z0-9_-]+$/;
+const GroupBody = z.object({
+    name: z.string().min(1).max(100).regex(SLUG_REGEX, "name must be a slug: lowercase letters, digits, underscores, or hyphens"),
+    displayName: z.string().max(200).optional(),
+    description: z.string().max(1000).optional(),
+    roles: z.array(z.string()).default([]),
+    tenantId: z.string().nullable().optional().default(null),
+});
+const GroupUpdateBody = z.object({
+    name: z.string().min(1).max(100).regex(SLUG_REGEX, "name must be a slug").optional(),
+    displayName: z.string().max(200).nullable().optional(),
+    description: z.string().max(1000).nullable().optional(),
+    roles: z.array(z.string()).optional(),
+});
+const MemberBody = z.object({
+    userId: z.string().min(1),
+    roles: z.array(z.string()).default([]),
+});
+const MemberRolesBody = z.object({
+    roles: z.array(z.string()),
+});
+const GroupResponse = z.object({
+    id: z.string(),
+    name: z.string(),
+    displayName: z.string().optional(),
+    description: z.string().optional(),
+    roles: z.array(z.string()),
+    tenantId: z.string().nullable(),
+    createdAt: z.number(),
+    updatedAt: z.number(),
+}).openapi("Group");
+const MemberResponse = z.object({
+    userId: z.string(),
+    roles: z.array(z.string()),
+}).openapi("GroupMember");
+const PaginatedGroupsResponse = z.object({
+    items: z.array(GroupResponse),
+    total: z.number(),
+    limit: z.number(),
+    offset: z.number(),
+}).openapi("PaginatedGroups");
+const PaginatedMembersResponse = z.object({
+    items: z.array(MemberResponse),
+    total: z.number(),
+    limit: z.number(),
+    offset: z.number(),
+}).openapi("PaginatedGroupMembers");
+const UserGroupEntry = z.object({
+    group: GroupResponse,
+    membershipRoles: z.array(z.string()),
+}).openapi("UserGroupEntry");
+const ErrorResponse = z.object({ error: z.string() });
+const PaginationParams = {
+    limit: z.string().optional().openapi({ description: "Max results (default 50, max 200)" }),
+    offset: z.string().optional().openapi({ description: "Skip this many results (default 0)" }),
+};
+const tags = ["Groups"];
+// ---------------------------------------------------------------------------
+// Router factory
+// ---------------------------------------------------------------------------
+export const createGroupsRouter = (config) => {
+    const router = createRouter();
+    // Normalize: managementRoutes: true is equivalent to managementRoutes: {}
+    const mgmt = config.managementRoutes === true ? {} : (config.managementRoutes ?? {});
+    const guard = mgmt.middleware ?? [userAuth, requireRole.global(mgmt.adminRole ?? "admin")];
+    // Defensive guard warning
+    if (guard.length === 0 && process.env.NODE_ENV !== "production") {
+        console.warn("[bunshot] groups.managementRoutes: resolved auth middleware is empty — management routes are unprotected");
+    }
+    // Apply auth guard to all group management routes
+    router.use("/groups/*", ...guard);
+    router.use("/users/:userId/groups", ...guard);
+    // ---------------------------------------------------------------------------
+    // GET /groups — list groups
+    // ---------------------------------------------------------------------------
+    router.openapi(withSecurity(createRoute({
+        method: "get",
+        path: "/groups",
+        tags,
+        summary: "List groups",
+        description: "List groups. Returns tenant-scoped groups when tenantId is in context, app-wide groups otherwise.",
+        request: { query: z.object(PaginationParams) },
+        responses: {
+            200: { content: { "application/json": { schema: PaginatedGroupsResponse } }, description: "Groups list" },
+            401: { content: { "application/json": { schema: ErrorResponse } }, description: "Unauthorized" },
+            403: { content: { "application/json": { schema: ErrorResponse } }, description: "Forbidden" },
+        },
+    }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+        const tenantId = c.get("tenantId") ?? null;
+        const { limit, offset } = c.req.valid("query");
+        const result = await listGroups(tenantId, {
+            limit: limit ? Math.min(parseInt(limit, 10), 200) : 50,
+            offset: offset ? parseInt(offset, 10) : 0,
+        });
+        return c.json(result, 200);
+    });
+    // ---------------------------------------------------------------------------
+    // POST /groups — create group
+    // ---------------------------------------------------------------------------
+    router.openapi(withSecurity(createRoute({
+        method: "post",
+        path: "/groups",
+        tags,
+        summary: "Create group",
+        request: { body: { content: { "application/json": { schema: GroupBody } }, required: true } },
+        responses: {
+            201: { content: { "application/json": { schema: z.object({ id: z.string() }) } }, description: "Group created" },
+            401: { content: { "application/json": { schema: ErrorResponse } }, description: "Unauthorized" },
+            403: { content: { "application/json": { schema: ErrorResponse } }, description: "Forbidden" },
+            409: { content: { "application/json": { schema: ErrorResponse } }, description: "Name already exists in scope" },
+            422: { content: { "application/json": { schema: ErrorResponse } }, description: "Validation error" },
+        },
+    }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+        const body = c.req.valid("json");
+        const result = await createGroup({
+            name: body.name,
+            displayName: body.displayName,
+            description: body.description,
+            roles: body.roles,
+            tenantId: body.tenantId ?? null,
+        });
+        return c.json(result, 201);
+    });
+    // ---------------------------------------------------------------------------
+    // GET /groups/:groupId — get group
+    // ---------------------------------------------------------------------------
+    router.openapi(withSecurity(createRoute({
+        method: "get",
+        path: "/groups/:groupId",
+        tags,
+        summary: "Get group",
+        request: { params: z.object({ groupId: z.string() }) },
+        responses: {
+            200: { content: { "application/json": { schema: GroupResponse } }, description: "Group" },
+            401: { content: { "application/json": { schema: ErrorResponse } }, description: "Unauthorized" },
+            403: { content: { "application/json": { schema: ErrorResponse } }, description: "Forbidden" },
+            404: { content: { "application/json": { schema: ErrorResponse } }, description: "Not found" },
+        },
+    }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+        const { groupId } = c.req.valid("param");
+        const group = await getGroup(groupId);
+        if (!group)
+            return c.json({ error: "Group not found" }, 404);
+        return c.json(group, 200);
+    });
+    // ---------------------------------------------------------------------------
+    // PATCH /groups/:groupId — update group
+    // ---------------------------------------------------------------------------
+    router.openapi(withSecurity(createRoute({
+        method: "patch",
+        path: "/groups/:groupId",
+        tags,
+        summary: "Update group",
+        request: {
+            params: z.object({ groupId: z.string() }),
+            body: { content: { "application/json": { schema: GroupUpdateBody } }, required: true },
+        },
+        responses: {
+            204: { description: "Updated" },
+            401: { content: { "application/json": { schema: ErrorResponse } }, description: "Unauthorized" },
+            403: { content: { "application/json": { schema: ErrorResponse } }, description: "Forbidden" },
+            404: { content: { "application/json": { schema: ErrorResponse } }, description: "Not found" },
+            409: { content: { "application/json": { schema: ErrorResponse } }, description: "Name conflict" },
+            422: { content: { "application/json": { schema: ErrorResponse } }, description: "Validation error" },
+        },
+    }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+        const { groupId } = c.req.valid("param");
+        const body = c.req.valid("json");
+        const group = await getGroup(groupId);
+        if (!group)
+            return c.json({ error: "Group not found" }, 404);
+        const updates = {};
+        if (body.name !== undefined)
+            updates.name = body.name;
+        if ("displayName" in body)
+            updates.displayName = body.displayName ?? undefined;
+        if ("description" in body)
+            updates.description = body.description ?? undefined;
+        if (body.roles !== undefined)
+            updates.roles = body.roles;
+        await updateGroup(groupId, updates);
+        return c.body(null, 204);
+    });
+    // ---------------------------------------------------------------------------
+    // DELETE /groups/:groupId — delete group
+    // ---------------------------------------------------------------------------
+    router.openapi(withSecurity(createRoute({
+        method: "delete",
+        path: "/groups/:groupId",
+        tags,
+        summary: "Delete group",
+        description: "Delete a group. All memberships are cascade-deleted.",
+        request: { params: z.object({ groupId: z.string() }) },
+        responses: {
+            204: { description: "Deleted" },
+            401: { content: { "application/json": { schema: ErrorResponse } }, description: "Unauthorized" },
+            403: { content: { "application/json": { schema: ErrorResponse } }, description: "Forbidden" },
+            404: { content: { "application/json": { schema: ErrorResponse } }, description: "Not found" },
+        },
+    }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+        const { groupId } = c.req.valid("param");
+        const group = await getGroup(groupId);
+        if (!group)
+            return c.json({ error: "Group not found" }, 404);
+        await deleteGroup(groupId);
+        return c.body(null, 204);
+    });
+    // ---------------------------------------------------------------------------
+    // GET /groups/:groupId/members — list members
+    // ---------------------------------------------------------------------------
+    router.openapi(withSecurity(createRoute({
+        method: "get",
+        path: "/groups/:groupId/members",
+        tags,
+        summary: "List group members",
+        request: {
+            params: z.object({ groupId: z.string() }),
+            query: z.object(PaginationParams),
+        },
+        responses: {
+            200: { content: { "application/json": { schema: PaginatedMembersResponse } }, description: "Members list" },
+            401: { content: { "application/json": { schema: ErrorResponse } }, description: "Unauthorized" },
+            403: { content: { "application/json": { schema: ErrorResponse } }, description: "Forbidden" },
+            404: { content: { "application/json": { schema: ErrorResponse } }, description: "Group not found" },
+        },
+    }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+        const { groupId } = c.req.valid("param");
+        const { limit, offset } = c.req.valid("query");
+        const group = await getGroup(groupId);
+        if (!group)
+            return c.json({ error: "Group not found" }, 404);
+        const result = await getGroupMembers(groupId, {
+            limit: limit ? Math.min(parseInt(limit, 10), 200) : 50,
+            offset: offset ? parseInt(offset, 10) : 0,
+        });
+        return c.json(result, 200);
+    });
+    // ---------------------------------------------------------------------------
+    // POST /groups/:groupId/members — add member
+    // ---------------------------------------------------------------------------
+    router.openapi(withSecurity(createRoute({
+        method: "post",
+        path: "/groups/:groupId/members",
+        tags,
+        summary: "Add group member",
+        request: {
+            params: z.object({ groupId: z.string() }),
+            body: { content: { "application/json": { schema: MemberBody } }, required: true },
+        },
+        responses: {
+            201: { description: "Member added" },
+            401: { content: { "application/json": { schema: ErrorResponse } }, description: "Unauthorized" },
+            403: { content: { "application/json": { schema: ErrorResponse } }, description: "Forbidden" },
+            404: { content: { "application/json": { schema: ErrorResponse } }, description: "Group not found" },
+            409: { content: { "application/json": { schema: ErrorResponse } }, description: "User already a member" },
+        },
+    }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+        const { groupId } = c.req.valid("param");
+        const body = c.req.valid("json");
+        try {
+            await addGroupMember(groupId, body.userId, body.roles);
+        }
+        catch (err) {
+            if (err instanceof HttpError) {
+                return c.json({ error: err.message }, err.status);
+            }
+            throw err;
+        }
+        return c.body(null, 201);
+    });
+    // ---------------------------------------------------------------------------
+    // PATCH /groups/:groupId/members/:userId — update member roles
+    // ---------------------------------------------------------------------------
+    router.openapi(withSecurity(createRoute({
+        method: "patch",
+        path: "/groups/:groupId/members/:userId",
+        tags,
+        summary: "Update member roles",
+        description: "Update the per-membership roles for an existing group member.",
+        request: {
+            params: z.object({ groupId: z.string(), userId: z.string() }),
+            body: { content: { "application/json": { schema: MemberRolesBody } }, required: true },
+        },
+        responses: {
+            204: { description: "Updated" },
+            401: { content: { "application/json": { schema: ErrorResponse } }, description: "Unauthorized" },
+            403: { content: { "application/json": { schema: ErrorResponse } }, description: "Forbidden" },
+        },
+    }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+        const { groupId, userId } = c.req.valid("param");
+        const { roles } = c.req.valid("json");
+        await updateGroupMembership(groupId, userId, roles);
+        return c.body(null, 204);
+    });
+    // ---------------------------------------------------------------------------
+    // DELETE /groups/:groupId/members/:userId — remove member
+    // ---------------------------------------------------------------------------
+    router.openapi(withSecurity(createRoute({
+        method: "delete",
+        path: "/groups/:groupId/members/:userId",
+        tags,
+        summary: "Remove group member",
+        request: { params: z.object({ groupId: z.string(), userId: z.string() }) },
+        responses: {
+            204: { description: "Removed" },
+            401: { content: { "application/json": { schema: ErrorResponse } }, description: "Unauthorized" },
+            403: { content: { "application/json": { schema: ErrorResponse } }, description: "Forbidden" },
+        },
+    }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+        const { groupId, userId } = c.req.valid("param");
+        await removeGroupMember(groupId, userId);
+        return c.body(null, 204);
+    });
+    // ---------------------------------------------------------------------------
+    // GET /users/:userId/groups — list user's groups
+    // ---------------------------------------------------------------------------
+    router.openapi(withSecurity(createRoute({
+        method: "get",
+        path: "/users/:userId/groups",
+        tags,
+        summary: "List user's groups",
+        description: "List groups a user belongs to. Scoped to tenant context when present, app-wide otherwise.",
+        request: { params: z.object({ userId: z.string() }) },
+        responses: {
+            200: { content: { "application/json": { schema: z.array(UserGroupEntry) } }, description: "User's groups" },
+            401: { content: { "application/json": { schema: ErrorResponse } }, description: "Unauthorized" },
+            403: { content: { "application/json": { schema: ErrorResponse } }, description: "Forbidden" },
+        },
+    }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+        const { userId } = c.req.valid("param");
+        const tenantId = c.get("tenantId") ?? null;
+        const groups = await getUserGroups(userId, tenantId);
+        return c.json(groups, 200);
+    });
+    return router;
+};

package/dist/routes/jobs.js CHANGED Viewed

@@ -21,6 +21,9 @@ export const createJobsRouter = (config) => {
     const allowedQueues = new Set(config.allowedQueues ?? []);
     const authConfig = config.auth ?? "none";
     const scopeToUser = config.scopeToUser ?? false;
+    if (process.env.NODE_ENV === "production" && authConfig === "none" && !config.unsafePublic) {
+        throw new Error("[security] jobs.auth is required in production. Set jobs.auth or set unsafePublic: true.");
+    }
     // Determine if userAuth is involved (for scopeToUser and OpenAPI security schemes)
     const hasUserAuth = authConfig === "userAuth" || Array.isArray(authConfig);
     // Apply middleware based on config
@@ -141,7 +144,63 @@ export const createJobsRouter = (config) => {
             filteredJobs = jobs.filter((job) => job.data?.userId === userId);
         }
         const result = await Promise.all(filteredJobs.map(jobToResponse));
-        return c.json({ jobs: result, total }, 200);
+        // NOTE: When scopeToUser is active, total is a page-local filtered count, not a
+        // globally accurate total. BullMQ does not support server-side user filtering.
+        return c.json({ jobs: result, total: scopeToUser && hasUserAuth ? filteredJobs.length : total }, 200);
+    });
+    // ─── Dead letter queue ────────────────────────────────────────────────
+    // Must be registered BEFORE getJobRoute so that the literal path segment
+    // "dead-letters" is matched before the parameterised {id} segment.
+    const getDlqRoute = createRoute({
+        method: "get",
+        path: "/jobs/{queue}/dead-letters",
+        summary: "List dead letter queue jobs",
+        description: "Returns paginated list of jobs in the dead letter queue for a given source queue.",
+        tags,
+        request: {
+            params: z.object({ queue: z.string().describe("Source queue name (DLQ name is {queue}-dlq).") }),
+            query: z.object({
+                start: z.string().optional().describe("Start index. Default: 0."),
+                end: z.string().optional().describe("End index. Default: 19."),
+            }),
+        },
+        responses: {
+            200: {
+                content: {
+                    "application/json": {
+                        schema: z.object({
+                            jobs: z.array(JobStatusResponse),
+                            total: z.number().describe("Total jobs in DLQ."),
+                        }),
+                    },
+                },
+                description: "DLQ jobs.",
+            },
+            403: { content: { "application/json": { schema: ErrorResponse } }, description: "Queue not allowed." },
+        },
+    });
+    router.openapi(applyRouteSecurity(getDlqRoute), async (c) => {
+        const { queue: queueName } = c.req.valid("param");
+        if (!isQueueAllowed(queueName)) {
+            return c.json({ error: "Queue not allowed" }, 403);
+        }
+        const { start: startStr, end: endStr } = c.req.valid("query");
+        const start = startStr ? parseInt(startStr) : 0;
+        const end = endStr ? parseInt(endStr) : 19;
+        const dlqQueue = createQueue(`${queueName}-dlq`);
+        const [jobs, total] = await Promise.all([
+            dlqQueue.getWaiting(start, end),
+            dlqQueue.getWaitingCount(),
+        ]);
+        let filteredJobs = jobs;
+        if (scopeToUser && hasUserAuth) {
+            const userId = c.get("authUserId");
+            filteredJobs = jobs.filter((job) => job.data?.userId === userId);
+        }
+        const result = await Promise.all(filteredJobs.map(jobToResponse));
+        // NOTE: When scopeToUser is active, total is a page-local filtered count, not a
+        // globally accurate total. BullMQ does not support server-side user filtering.
+        return c.json({ jobs: result, total: scopeToUser && hasUserAuth ? filteredJobs.length : total }, 200);
     });
     // ─── Get job status ─────────────────────────────────────────────────────
     const getJobRoute = createRoute({
@@ -218,53 +277,14 @@ export const createJobsRouter = (config) => {
         const job = await queue.getJob(id);
         if (!job)
             return c.json({ error: "Job not found" }, 404);
+        if (scopeToUser && hasUserAuth) {
+            const userId = c.get("authUserId");
+            if (job.data?.userId !== userId) {
+                return c.json({ error: "Job not found" }, 404);
+            }
+        }
         const { logs, count } = await queue.getJobLogs(id);
         return c.json({ logs, count }, 200);
     });
-    // ─── Dead letter queue ────────────────────────────────────────────────
-    const getDlqRoute = createRoute({
-        method: "get",
-        path: "/jobs/{queue}/dead-letters",
-        summary: "List dead letter queue jobs",
-        description: "Returns paginated list of jobs in the dead letter queue for a given source queue.",
-        tags,
-        request: {
-            params: z.object({ queue: z.string().describe("Source queue name (DLQ name is {queue}-dlq).") }),
-            query: z.object({
-                start: z.string().optional().describe("Start index. Default: 0."),
-                end: z.string().optional().describe("End index. Default: 19."),
-            }),
-        },
-        responses: {
-            200: {
-                content: {
-                    "application/json": {
-                        schema: z.object({
-                            jobs: z.array(JobStatusResponse),
-                            total: z.number().describe("Total jobs in DLQ."),
-                        }),
-                    },
-                },
-                description: "DLQ jobs.",
-            },
-            403: { content: { "application/json": { schema: ErrorResponse } }, description: "Queue not allowed." },
-        },
-    });
-    router.openapi(applyRouteSecurity(getDlqRoute), async (c) => {
-        const { queue: queueName } = c.req.valid("param");
-        if (!isQueueAllowed(queueName)) {
-            return c.json({ error: "Queue not allowed" }, 403);
-        }
-        const { start: startStr, end: endStr } = c.req.valid("query");
-        const start = startStr ? parseInt(startStr) : 0;
-        const end = endStr ? parseInt(endStr) : 19;
-        const dlqQueue = createQueue(`${queueName}-dlq`);
-        const [jobs, total] = await Promise.all([
-            dlqQueue.getWaiting(start, end),
-            dlqQueue.getWaitingCount(),
-        ]);
-        const result = await Promise.all(jobs.map(jobToResponse));
-        return c.json({ jobs: result, total }, 200);
-    });
     return router;
 };

package/dist/routes/m2m.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import { Hono } from "hono";
2	+ export declare function createM2MRouter(): Hono<import("hono/types").BlankEnv, import("hono/types").BlankSchema, "/">;

package/dist/routes/m2m.js ADDED Viewed

@@ -0,0 +1,72 @@
+import { Hono } from "hono";
+import { getAuthAdapter } from "../lib/authAdapter";
+import { signToken } from "../lib/jwt";
+import { HttpError } from "../lib/HttpError";
+import { getM2MTokenExpiry } from "../lib/appConfig";
+export function createM2MRouter() {
+    const router = new Hono();
+    /**
+     * POST /oauth/token
+     * OAuth 2.0 client_credentials grant
+     */
+    router.post("/oauth/token", async (c) => {
+        let body;
+        const contentType = c.req.header("content-type") ?? "";
+        if (contentType.includes("application/x-www-form-urlencoded")) {
+            const text = await c.req.text();
+            const params = new URLSearchParams(text);
+            body = {
+                grant_type: params.get("grant_type") ?? undefined,
+                client_id: params.get("client_id") ?? undefined,
+                client_secret: params.get("client_secret") ?? undefined,
+                scope: params.get("scope") ?? undefined,
+            };
+        }
+        else {
+            try {
+                body = await c.req.json();
+            }
+            catch {
+                throw new HttpError(400, "Invalid request body");
+            }
+        }
+        if (body.grant_type !== "client_credentials") {
+            throw new HttpError(400, "Unsupported grant type", "UNSUPPORTED_GRANT_TYPE");
+        }
+        const { client_id: clientId, client_secret: clientSecret } = body;
+        if (!clientId || !clientSecret) {
+            throw new HttpError(400, "client_id and client_secret are required");
+        }
+        const adapter = getAuthAdapter();
+        if (!adapter.getM2MClient) {
+            throw new HttpError(501, "M2M client credentials not supported by auth adapter");
+        }
+        const client = await adapter.getM2MClient(clientId);
+        if (!client) {
+            throw new HttpError(401, "Invalid client credentials");
+        }
+        const secretValid = await Bun.password.verify(clientSecret, client.clientSecretHash);
+        if (!secretValid) {
+            throw new HttpError(401, "Invalid client credentials");
+        }
+        // Validate requested scopes against client's allowed scopes
+        let grantedScopes = client.scopes;
+        if (body.scope) {
+            const requested = body.scope.split(" ");
+            const invalid = requested.filter((s) => !client.scopes.includes(s));
+            if (invalid.length > 0) {
+                throw new HttpError(400, `Scope not allowed: ${invalid.join(", ")}`, "INVALID_SCOPE");
+            }
+            grantedScopes = requested;
+        }
+        const expiry = getM2MTokenExpiry();
+        const token = await signToken({ sub: clientId, scope: grantedScopes.join(" ") }, expiry);
+        return c.json({
+            access_token: token,
+            token_type: "Bearer",
+            expires_in: expiry,
+            scope: grantedScopes.join(" "),
+        });
+    });
+    return router;
+}

package/dist/routes/metrics.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+import type { MiddlewareHandler } from "hono";
+import type { AppEnv } from "../lib/context";
+export interface MetricsRouteConfig {
+    auth?: "userAuth" | "none" | MiddlewareHandler<AppEnv>[];
+    queues?: string[];
+    unsafePublic?: boolean;
+}
+export declare const createMetricsRouter: (config: MetricsRouteConfig) => import("@hono/zod-openapi").OpenAPIHono<AppEnv, {}, "/">;

package/dist/routes/metrics.js ADDED Viewed

@@ -0,0 +1,55 @@
+import { createRouter } from "../lib/context";
+import { serializeMetrics, registerGaugeCallback, setMetricsQueues } from "../lib/metrics";
+import { userAuth } from "../middleware/userAuth";
+export const createMetricsRouter = (config) => {
+    const router = createRouter();
+    const authConfig = config.auth ?? "none";
+    if (process.env.NODE_ENV === "production" && authConfig === "none" && !config.unsafePublic) {
+        throw new Error("[security] metrics.auth is required in production. Set metrics.auth or set unsafePublic: true.");
+    }
+    // Apply auth middleware
+    if (authConfig === "userAuth") {
+        router.use("/metrics", userAuth);
+    }
+    else if (Array.isArray(authConfig)) {
+        for (const mw of authConfig) {
+            router.use("/metrics", mw);
+        }
+    }
+    // Register BullMQ queue depth gauges if configured
+    if (config.queues?.length) {
+        const queueNames = config.queues;
+        const cachedQueues = new Map();
+        setMetricsQueues(cachedQueues);
+        registerGaugeCallback("bullmq_queue_depth", async () => {
+            const { createQueue } = await import("../lib/queue");
+            const results = [];
+            for (const name of queueNames) {
+                let queue = cachedQueues.get(name);
+                try {
+                    if (!queue) {
+                        queue = createQueue(name);
+                        cachedQueues.set(name, queue);
+                    }
+                    const counts = await queue.getJobCounts("waiting", "active", "delayed", "failed");
+                    for (const [state, count] of Object.entries(counts)) {
+                        results.push({ labels: { queue: name, state }, value: count });
+                    }
+                }
+                catch {
+                    // Discard cached instance on error so it's recreated next scrape
+                    cachedQueues.delete(name);
+                }
+            }
+            return results;
+        });
+    }
+    // Plain GET /metrics (not OpenAPI — infrastructure endpoint)
+    router.get("/metrics", async (c) => {
+        const body = await serializeMetrics();
+        return c.body(body, 200, {
+            "Content-Type": "text/plain; version=0.0.4; charset=utf-8",
+        });
+    });
+    return router;
+};