npm - @lastshotlabs/bunshot - Versions diffs - 0.0.21 → 0.0.27 - Mend

@lastshotlabs/bunshot 0.0.21 → 0.0.27

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (185) hide show

package/README.md +3035 -1249
package/dist/adapters/localStorage.d.ts +6 -0
package/dist/adapters/localStorage.js +59 -0
package/dist/adapters/memoryAuth.d.ts +13 -0
package/dist/adapters/memoryAuth.js +261 -2
package/dist/adapters/memoryStorage.d.ts +3 -0
package/dist/adapters/memoryStorage.js +44 -0
package/dist/adapters/mongoAuth.js +217 -1
package/dist/adapters/s3Storage.d.ts +14 -0
package/dist/adapters/s3Storage.js +126 -0
package/dist/adapters/sqliteAuth.d.ts +30 -0
package/dist/adapters/sqliteAuth.js +352 -2
package/dist/app.d.ts +203 -3
package/dist/app.js +352 -48
package/dist/cli.js +118 -38
package/dist/index.d.ts +69 -8
package/dist/index.js +46 -5
package/dist/lib/HttpError.d.ts +7 -1
package/dist/lib/HttpError.js +10 -1
package/dist/lib/appConfig.d.ts +157 -0
package/dist/lib/appConfig.js +54 -0
package/dist/lib/auditLog.d.ts +58 -0
package/dist/lib/auditLog.js +218 -0
package/dist/lib/authAdapter.d.ts +140 -1
package/dist/lib/authRateLimit.js +36 -0
package/dist/lib/breachedPassword.d.ts +13 -0
package/dist/lib/breachedPassword.js +48 -0
package/dist/lib/captcha.d.ts +25 -0
package/dist/lib/captcha.js +37 -0
package/dist/lib/constants.d.ts +4 -0
package/dist/lib/constants.js +4 -0
package/dist/lib/context.d.ts +24 -1
package/dist/lib/context.js +17 -3
package/dist/lib/createRoute.d.ts +28 -2
package/dist/lib/createRoute.js +54 -3
package/dist/lib/credentialStuffing.d.ts +31 -0
package/dist/lib/credentialStuffing.js +77 -0
package/dist/lib/deletionCancelToken.d.ts +12 -0
package/dist/lib/deletionCancelToken.js +88 -0
package/dist/lib/emailVerification.d.ts +6 -0
package/dist/lib/emailVerification.js +46 -3
package/dist/lib/groups.d.ts +113 -0
package/dist/lib/groups.js +133 -0
package/dist/lib/idempotency.d.ts +22 -0
package/dist/lib/idempotency.js +182 -0
package/dist/lib/jwks.d.ts +25 -0
package/dist/lib/jwks.js +51 -0
package/dist/lib/jwt.d.ts +15 -2
package/dist/lib/jwt.js +92 -5
package/dist/lib/logger.d.ts +2 -0
package/dist/lib/logger.js +6 -0
package/dist/lib/m2m.d.ts +29 -0
package/dist/lib/m2m.js +48 -0
package/dist/lib/metrics.d.ts +14 -0
package/dist/lib/metrics.js +158 -0
package/dist/lib/mfaChallenge.d.ts +14 -1
package/dist/lib/mfaChallenge.js +111 -6
package/dist/lib/mongo.js +1 -1
package/dist/lib/oauthCode.js +23 -18
package/dist/lib/pagination.d.ts +119 -0
package/dist/lib/pagination.js +166 -0
package/dist/lib/resetPassword.js +3 -1
package/dist/lib/saml.d.ts +25 -0
package/dist/lib/saml.js +64 -0
package/dist/lib/scim.d.ts +44 -0
package/dist/lib/scim.js +54 -0
package/dist/lib/securityEvents.d.ts +28 -0
package/dist/lib/securityEvents.js +26 -0
package/dist/lib/session.d.ts +14 -0
package/dist/lib/session.js +121 -5
package/dist/lib/signing.d.ts +52 -0
package/dist/lib/signing.js +183 -0
package/dist/lib/storageAdapter.d.ts +30 -0
package/dist/lib/storageAdapter.js +1 -0
package/dist/lib/stripUnreferencedSchemas.d.ts +11 -0
package/dist/lib/stripUnreferencedSchemas.js +79 -0
package/dist/lib/suspension.d.ts +13 -0
package/dist/lib/suspension.js +23 -0
package/dist/lib/tenant.js +2 -2
package/dist/lib/upload.d.ts +39 -0
package/dist/lib/upload.js +112 -0
package/dist/lib/uploadRegistry.d.ts +18 -0
package/dist/lib/uploadRegistry.js +83 -0
package/dist/lib/validate.js +2 -2
package/dist/lib/ws.d.ts +1 -0
package/dist/lib/ws.js +28 -0
package/dist/lib/wsHeartbeat.d.ts +12 -0
package/dist/lib/wsHeartbeat.js +57 -0
package/dist/lib/wsMessages.d.ts +40 -0
package/dist/lib/wsMessages.js +330 -0
package/dist/lib/wsPresence.d.ts +25 -0
package/dist/lib/wsPresence.js +99 -0
package/dist/middleware/auditLog.d.ts +22 -0
package/dist/middleware/auditLog.js +39 -0
package/dist/middleware/bearerAuth.js +1 -1
package/dist/middleware/cacheResponse.js +5 -1
package/dist/middleware/captcha.d.ts +10 -0
package/dist/middleware/captcha.js +36 -0
package/dist/middleware/csrf.js +18 -4
package/dist/middleware/errorHandler.js +4 -1
package/dist/middleware/identify.js +89 -14
package/dist/middleware/metrics.d.ts +9 -0
package/dist/middleware/metrics.js +26 -0
package/dist/middleware/requestId.d.ts +3 -0
package/dist/middleware/requestId.js +7 -0
package/dist/middleware/requestLogger.d.ts +38 -0
package/dist/middleware/requestLogger.js +68 -0
package/dist/middleware/requestSigning.d.ts +20 -0
package/dist/middleware/requestSigning.js +100 -0
package/dist/middleware/requireMfaSetup.d.ts +16 -0
package/dist/middleware/requireMfaSetup.js +37 -0
package/dist/middleware/requireRole.d.ts +9 -3
package/dist/middleware/requireRole.js +23 -36
package/dist/middleware/requireScope.d.ts +10 -0
package/dist/middleware/requireScope.js +25 -0
package/dist/middleware/requireStepUp.d.ts +18 -0
package/dist/middleware/requireStepUp.js +29 -0
package/dist/middleware/scimAuth.d.ts +8 -0
package/dist/middleware/scimAuth.js +29 -0
package/dist/middleware/upload.d.ts +5 -0
package/dist/middleware/upload.js +27 -0
package/dist/middleware/webhookAuth.d.ts +30 -0
package/dist/middleware/webhookAuth.js +58 -0
package/dist/models/AuditLog.d.ts +30 -0
package/dist/models/AuditLog.js +39 -0
package/dist/models/AuthUser.d.ts +7 -0
package/dist/models/AuthUser.js +7 -0
package/dist/models/Group.d.ts +21 -0
package/dist/models/Group.js +28 -0
package/dist/models/GroupMembership.d.ts +21 -0
package/dist/models/GroupMembership.js +25 -0
package/dist/models/M2MClient.d.ts +18 -0
package/dist/models/M2MClient.js +18 -0
package/dist/routes/auth.d.ts +3 -2
package/dist/routes/auth.js +238 -21
package/dist/routes/groups.d.ts +21 -0
package/dist/routes/groups.js +346 -0
package/dist/routes/jobs.js +66 -46
package/dist/routes/m2m.d.ts +2 -0
package/dist/routes/m2m.js +72 -0
package/dist/routes/metrics.d.ts +8 -0
package/dist/routes/metrics.js +55 -0
package/dist/routes/mfa.js +13 -1
package/dist/routes/oauth.js +6 -0
package/dist/routes/oidc.d.ts +2 -0
package/dist/routes/oidc.js +29 -0
package/dist/routes/passkey.d.ts +1 -0
package/dist/routes/passkey.js +157 -0
package/dist/routes/saml.d.ts +2 -0
package/dist/routes/saml.js +86 -0
package/dist/routes/scim.d.ts +2 -0
package/dist/routes/scim.js +255 -0
package/dist/routes/uploads.d.ts +14 -0
package/dist/routes/uploads.js +227 -0
package/dist/server.d.ts +26 -0
package/dist/server.js +46 -3
package/dist/services/auth.d.ts +2 -0
package/dist/services/auth.js +101 -22
package/dist/services/mfa.js +2 -2
package/dist/ws/index.js +5 -1
package/docs/sections/auth-flow/full.md +203 -47
package/docs/sections/auth-flow/overview.md +2 -2
package/docs/sections/auth-security-examples/full.md +388 -0
package/docs/sections/authentication/full.md +130 -0
package/docs/sections/authentication/overview.md +5 -0
package/docs/sections/cli/full.md +13 -1
package/docs/sections/configuration/full.md +17 -0
package/docs/sections/configuration/overview.md +1 -0
package/docs/sections/exports/full.md +34 -3
package/docs/sections/logging/full.md +83 -0
package/docs/sections/metrics/full.md +131 -0
package/docs/sections/oauth/full.md +189 -189
package/docs/sections/oauth/overview.md +1 -1
package/docs/sections/pagination/full.md +93 -0
package/docs/sections/passkey-login/full.md +90 -0
package/docs/sections/passkey-login/overview.md +1 -0
package/docs/sections/roles/full.md +224 -135
package/docs/sections/roles/overview.md +3 -1
package/docs/sections/signing/full.md +203 -0
package/docs/sections/uploads/full.md +208 -0
package/docs/sections/versioning/full.md +85 -0
package/docs/sections/webhook-auth/full.md +100 -0
package/docs/sections/websocket/full.md +95 -0
package/docs/sections/websocket-rooms/full.md +6 -1
package/package.json +18 -5

package/dist/routes/mfa.js CHANGED Viewed

@@ -8,10 +8,12 @@ import * as AuthService from "../services/auth";
 import { consumeMfaChallenge, replaceMfaChallengeOtp } from "../lib/mfaChallenge";
 import { COOKIE_TOKEN, COOKIE_REFRESH_TOKEN } from "../lib/constants";
 import { getRefreshTokenConfig, getAccessTokenExpiry, getRefreshTokenExpiry, getMfaEmailOtpConfig, getMfaWebAuthnConfig, getCsrfEnabled } from "../lib/appConfig";
+import { setMfaVerifiedAt } from "../lib/session";
 import { refreshCsrfToken } from "../middleware/csrf";
 import { getAuthAdapter } from "../lib/authAdapter";
 import { trackAttempt } from "../lib/authRateLimit";
 import { getClientIp } from "../lib/clientIp";
+import { emitSecurityEvent } from "../lib/securityEvents";
 const isProd = process.env.NODE_ENV === "production";
 const cookieOptions = (maxAge) => ({
     httpOnly: true,
@@ -56,10 +58,14 @@ export const createMfaRouter = ({ rateLimit } = {}) => {
                 description: "TOTP secret generated. Scan the QR code with an authenticator app.",
             },
             401: { content: { "application/json": { schema: ErrorResponse } }, description: "No valid session." },
+            429: { content: { "application/json": { schema: ErrorResponse } }, description: "Too many MFA setup attempts. Try again later." },
             501: { content: { "application/json": { schema: ErrorResponse } }, description: "Auth adapter does not support MFA." },
         },
     }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
         const userId = c.get("authUserId");
+        if (await trackAttempt(`mfa-setup:${userId}`, { windowMs: 15 * 60 * 1000, max: 5 })) {
+            return c.json({ error: "Too many MFA setup attempts. Try again later." }, 429);
+        }
         const result = await MfaService.setupMfa(userId);
         return c.json(result, 200);
     });
@@ -101,6 +107,7 @@ export const createMfaRouter = ({ rateLimit } = {}) => {
         const userId = c.get("authUserId");
         const { code } = c.req.valid("json");
         const recoveryCodes = await MfaService.verifySetup(userId, code);
+        emitSecurityEvent({ eventType: "auth.mfa.setup", severity: "info", timestamp: new Date().toISOString(), userId: c.get("authUserId") ?? undefined });
         return c.json({ message: "MFA enabled", recoveryCodes }, 200);
     });
     // ─── Verify (complete login after password) ───────────────────────────────
@@ -181,13 +188,17 @@ export const createMfaRouter = ({ rateLimit } = {}) => {
         if (!valid && code) {
             valid = await MfaService.verifyRecoveryCode(userId, code);
         }
-        if (!valid)
+        if (!valid) {
+            emitSecurityEvent({ eventType: "auth.mfa.verify.failure", severity: "warn", timestamp: new Date().toISOString() });
             return c.json({ error: "Invalid MFA code" }, 401);
+        }
         // Create session — reuse the service helper for refresh token support
         const result = await AuthService.createSessionForUser(userId, {
             ipAddress: getClientIp(c),
             userAgent: c.req.header("user-agent") ?? undefined,
         });
+        // Mark MFA as verified on the new session so step-up is satisfied immediately
+        await setMfaVerifiedAt(result.sessionId);
         const rtConfig = getRefreshTokenConfig();
         setCookie(c, COOKIE_TOKEN, result.token, cookieOptions(rtConfig ? getAccessTokenExpiry() : undefined));
         if (result.refreshToken) {
@@ -195,6 +206,7 @@ export const createMfaRouter = ({ rateLimit } = {}) => {
         }
         if (getCsrfEnabled())
             refreshCsrfToken(c);
+        emitSecurityEvent({ eventType: "auth.mfa.verify.success", severity: "info", timestamp: new Date().toISOString() });
         return c.json({ token: result.token, userId, refreshToken: result.refreshToken }, 200);
     });
     // ─── Disable MFA ──────────────────────────────────────────────────────────

package/dist/routes/oauth.js CHANGED Viewed

@@ -25,6 +25,12 @@ const cookieOptions = (maxAge) => ({
 });
 const tags = ["OAuth"];
 const OAuthErrorResponse = z.object({ error: z.string().describe("Human-readable error message.") }).openapi("OAuthErrorResponse");
+// `postLoginRedirect` is always sourced from server-side config (passed into
+// `createOAuthRouter` at startup) and is never derived from user-supplied input
+// or OAuth callback query parameters. No runtime allowlist validation is required
+// because the value is not attacker-controlled. The `auth.oauth.allowedRedirectUrls`
+// config is available for consuming apps that want to enforce an explicit allowlist
+// at the framework level if they ever pass a dynamic value here.
 const finishOAuth = async (c, provider, providerId, profile, postLoginRedirect) => {
     const adapter = getAuthAdapter();
     if (!adapter.findOrCreateByProvider) {

package/dist/routes/oidc.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import { Hono } from "hono";
2	+ export declare function createOidcRouter(): Hono<import("hono/types").BlankEnv, import("hono/types").BlankSchema, "/">;

package/dist/routes/oidc.js ADDED Viewed

@@ -0,0 +1,29 @@
+import { Hono } from "hono";
+import { getJwks } from "../lib/jwks";
+import { getOidcConfig } from "../lib/appConfig";
+export function createOidcRouter() {
+    const router = new Hono();
+    router.get("/.well-known/openid-configuration", (c) => {
+        const config = getOidcConfig();
+        if (!config)
+            return c.json({ error: "OIDC not configured" }, 404);
+        const issuer = config.issuer;
+        const tokenEndpoint = config.tokenEndpoint ?? `${issuer}/oauth/token`;
+        return c.json({
+            issuer,
+            authorization_endpoint: `${issuer}/auth/oauth`,
+            token_endpoint: tokenEndpoint,
+            jwks_uri: `${issuer}/.well-known/jwks.json`,
+            response_types_supported: ["code"],
+            subject_types_supported: ["public"],
+            id_token_signing_alg_values_supported: ["RS256"],
+            scopes_supported: config.scopes ?? ["openid"],
+            token_endpoint_auth_methods_supported: ["client_secret_post"],
+            claims_supported: ["sub", "iss", "aud", "exp", "iat"],
+        });
+    });
+    router.get("/.well-known/jwks.json", (c) => {
+        return c.json(getJwks());
+    });
+    return router;
+}

package/dist/routes/passkey.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export declare const createPasskeyRouter: () => import("@hono/zod-openapi").OpenAPIHono<import("../lib/context").AppEnv, {}, "/">;

package/dist/routes/passkey.js ADDED Viewed

@@ -0,0 +1,157 @@
+import { createRoute } from "../lib/createRoute";
+import { z } from "zod";
+import { setCookie } from "hono/cookie";
+import { createRouter } from "../lib/context";
+import * as AuthService from "../services/auth";
+import { getAuthAdapter } from "../lib/authAdapter";
+import { getMfaWebAuthnConfig, getRefreshTokenConfig, getAccessTokenExpiry, getRefreshTokenExpiry, getCsrfEnabled } from "../lib/appConfig";
+import { createPasskeyLoginChallenge } from "../lib/mfaChallenge";
+import { trackAttempt } from "../lib/authRateLimit";
+import { getClientIp } from "../lib/clientIp";
+import { COOKIE_TOKEN, COOKIE_REFRESH_TOKEN } from "../lib/constants";
+import { refreshCsrfToken } from "../middleware/csrf";
+const isProd = process.env.NODE_ENV === "production";
+const cookieOptions = (maxAge) => ({
+    httpOnly: true,
+    secure: isProd,
+    sameSite: "Lax",
+    path: "/",
+    maxAge: maxAge ?? 60 * 60 * 24 * 7,
+});
+const tags = ["Passkey"];
+const ErrorResponse = z.object({ error: z.string() }).openapi("PasskeyErrorResponse");
+export const createPasskeyRouter = () => {
+    const router = createRouter();
+    // ─── POST /auth/passkey/login-options ──────────────────────────────────────
+    router.openapi(createRoute({
+        method: "post",
+        path: "/auth/passkey/login-options",
+        summary: "Get passkey login options",
+        description: "Returns WebAuthn authentication options for passwordless login. Always returns valid-looking options regardless of whether the email exists (enumeration prevention).",
+        tags,
+        request: {
+            body: {
+                content: {
+                    "application/json": {
+                        schema: z.object({
+                            email: z.string().optional().describe("Optional email hint. When provided and found, restricts the credential list for a faster prompt. Never reveals whether the email exists."),
+                        }),
+                    },
+                },
+                required: false,
+            },
+        },
+        responses: {
+            200: {
+                content: {
+                    "application/json": {
+                        schema: z.object({
+                            options: z.unknown().describe("PublicKeyCredentialRequestOptionsJSON — pass to @simplewebauthn/browser startAuthentication()."),
+                            passkeyToken: z.string().describe("Short-lived single-use challenge token (120s). Pass to POST /auth/passkey/login."),
+                        }),
+                    },
+                },
+                description: "WebAuthn authentication options.",
+            },
+            429: { content: { "application/json": { schema: ErrorResponse } }, description: "Rate limit exceeded." },
+        },
+    }), async (c) => {
+        const ip = getClientIp(c);
+        if (await trackAttempt(`passkey-login-options:${ip}`, { windowMs: 60 * 1000, max: 5 })) {
+            return c.json({ error: "Too many requests. Try again later." }, 429);
+        }
+        const webauthnConfig = getMfaWebAuthnConfig();
+        const adapter = getAuthAdapter();
+        // Resolve credential hints for the email (enumeration-safe: ignore all errors/misses)
+        let allowCredentials = [];
+        try {
+            const body = await c.req.json().catch(() => ({}));
+            const email = body?.email;
+            if (email && adapter.getWebAuthnCredentials) {
+                const findFn = adapter.findByIdentifier ?? adapter.findByEmail.bind(adapter);
+                const user = await findFn(email);
+                if (user) {
+                    const creds = await adapter.getWebAuthnCredentials(user.id);
+                    allowCredentials = creds.map((cr) => ({ id: cr.credentialId, transports: cr.transports }));
+                }
+            }
+        }
+        catch {
+            // Enumeration protection: swallow all errors, proceed with empty credential list
+        }
+        const { generateAuthenticationOptions } = await import("@simplewebauthn/server");
+        const options = await generateAuthenticationOptions({
+            rpID: webauthnConfig.rpId,
+            allowCredentials: allowCredentials.length > 0
+                ? allowCredentials.map((ac) => ({ id: ac.id, transports: ac.transports }))
+                : undefined,
+            userVerification: webauthnConfig.userVerification ?? "required",
+            timeout: webauthnConfig.timeout ?? 60000,
+        });
+        const passkeyToken = await createPasskeyLoginChallenge(options.challenge);
+        return c.json({ options: options, passkeyToken }, 200);
+    });
+    // ─── POST /auth/passkey/login ──────────────────────────────────────────────
+    router.openapi(createRoute({
+        method: "post",
+        path: "/auth/passkey/login",
+        summary: "Complete passkey login",
+        description: "Verifies the WebAuthn assertion and returns a session token. Satisfies both factors by default — no MFA prompt unless passkeyMfaBypass is disabled.",
+        tags,
+        request: {
+            body: {
+                content: {
+                    "application/json": {
+                        schema: z.object({
+                            passkeyToken: z.string().describe("Token from POST /auth/passkey/login-options."),
+                            assertionResponse: z.record(z.string(), z.unknown()).describe("AuthenticationResponseJSON from @simplewebauthn/browser startAuthentication()."),
+                        }),
+                    },
+                },
+                required: true,
+            },
+        },
+        responses: {
+            200: {
+                content: {
+                    "application/json": {
+                        schema: z.object({
+                            token: z.string(),
+                            userId: z.string(),
+                            email: z.string().optional(),
+                            refreshToken: z.string().optional(),
+                            mfaRequired: z.boolean().optional(),
+                            mfaToken: z.string().optional(),
+                            mfaMethods: z.array(z.string()).optional(),
+                        }),
+                    },
+                },
+                description: "Session token returned. Also set as HttpOnly cookie.",
+            },
+            401: { content: { "application/json": { schema: ErrorResponse } }, description: "Authentication failed." },
+            429: { content: { "application/json": { schema: ErrorResponse } }, description: "Rate limit exceeded." },
+        },
+    }), async (c) => {
+        const ip = getClientIp(c);
+        if (await trackAttempt(`passkey-login:${ip}`, { windowMs: 15 * 60 * 1000, max: 10 })) {
+            return c.json({ error: "Too many requests. Try again later." }, 429);
+        }
+        const { passkeyToken, assertionResponse } = c.req.valid("json");
+        const metadata = {
+            ipAddress: ip,
+            userAgent: c.req.header("user-agent") ?? undefined,
+        };
+        const result = await AuthService.passkeyLogin(passkeyToken, assertionResponse, metadata);
+        if (!result.mfaRequired) {
+            const rtConfig = getRefreshTokenConfig();
+            setCookie(c, COOKIE_TOKEN, result.token, cookieOptions(rtConfig ? getAccessTokenExpiry() : undefined));
+            if (result.refreshToken) {
+                setCookie(c, COOKIE_REFRESH_TOKEN, result.refreshToken, cookieOptions(getRefreshTokenExpiry()));
+            }
+            if (getCsrfEnabled())
+                refreshCsrfToken(c);
+        }
+        return c.json(result);
+    });
+    return router;
+};

package/dist/routes/saml.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import { Hono } from "hono";
2	+ export declare function createSamlRouter(): Hono<import("hono/types").BlankEnv, import("hono/types").BlankSchema, "/">;

package/dist/routes/saml.js ADDED Viewed

@@ -0,0 +1,86 @@
+import { Hono } from "hono";
+import { HttpError } from "../lib/HttpError";
+import { getSamlConfig } from "../lib/appConfig";
+import { getAuthAdapter } from "../lib/authAdapter";
+import { storeOAuthState, consumeOAuthState } from "../lib/oauth";
+import { createSessionForUser } from "../services/auth";
+import { setCookie } from "hono/cookie";
+import { COOKIE_TOKEN } from "../lib/constants";
+export function createSamlRouter() {
+    const router = new Hono();
+    // GET /auth/saml/login — initiate SAML login, redirect to IdP
+    router.get("/auth/saml/login", async (c) => {
+        const config = getSamlConfig();
+        if (!config)
+            throw new HttpError(404, "SAML not configured");
+        const { initSaml, createAuthnRequest } = await import("../lib/saml");
+        await initSaml(config);
+        // Store relay state — use codeVerifier slot to carry redirectUrl
+        const relayState = crypto.randomUUID();
+        const redirectAfter = c.req.query("redirect") ?? config.postLoginRedirect ?? "/";
+        await storeOAuthState(relayState, redirectAfter);
+        const { redirectUrl } = createAuthnRequest();
+        return c.redirect(`${redirectUrl}&RelayState=${encodeURIComponent(relayState)}`);
+    });
+    // POST /auth/saml/acs — handle SAML assertion from IdP
+    router.post("/auth/saml/acs", async (c) => {
+        const config = getSamlConfig();
+        if (!config)
+            throw new HttpError(404, "SAML not configured");
+        let formData;
+        try {
+            formData = await c.req.formData();
+        }
+        catch {
+            throw new HttpError(400, "Invalid SAML response");
+        }
+        const samlResponse = formData.get("SAMLResponse");
+        const relayState = formData.get("RelayState");
+        if (!samlResponse)
+            throw new HttpError(400, "Missing SAMLResponse");
+        const { initSaml, validateSamlResponse, samlProfileToIdentityProfile } = await import("../lib/saml");
+        await initSaml(config);
+        let samlProfile;
+        try {
+            samlProfile = await validateSamlResponse(samlResponse, config);
+        }
+        catch (err) {
+            throw new HttpError(401, "Invalid SAML assertion");
+        }
+        let userId;
+        if (config.onLogin) {
+            const result = await config.onLogin(samlProfile);
+            userId = result.userId;
+        }
+        else {
+            const adapter = getAuthAdapter();
+            if (!adapter.findOrCreateByProvider)
+                throw new HttpError(500, "Auth adapter missing findOrCreateByProvider");
+            const profile = samlProfileToIdentityProfile(samlProfile);
+            const result = await adapter.findOrCreateByProvider("saml", samlProfile.nameId, profile);
+            userId = result.id;
+            // Update profile fields from SAML attributes
+            if (adapter.updateProfile && (profile.firstName || profile.lastName || profile.displayName)) {
+                await adapter.updateProfile(userId, profile).catch(() => { });
+            }
+        }
+        const { token } = await createSessionForUser(userId);
+        // consumeOAuthState returns { codeVerifier?, linkUserId? } — redirectUrl was stored in codeVerifier
+        const redirectUrl = relayState
+            ? (await consumeOAuthState(relayState))?.codeVerifier ?? config.postLoginRedirect ?? "/"
+            : config.postLoginRedirect ?? "/";
+        setCookie(c, COOKIE_TOKEN, token, { httpOnly: true, path: "/", sameSite: "Lax" });
+        return c.redirect(redirectUrl);
+    });
+    // GET /auth/saml/metadata — serve SP metadata XML
+    router.get("/auth/saml/metadata", async (c) => {
+        const config = getSamlConfig();
+        if (!config)
+            throw new HttpError(404, "SAML not configured");
+        const { initSaml, getSamlSpMetadata } = await import("../lib/saml");
+        await initSaml(config);
+        const metadata = getSamlSpMetadata();
+        return c.body(metadata, 200, { "Content-Type": "application/xml" });
+    });
+    return router;
+}

package/dist/routes/scim.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import { Hono } from "hono";
2	+ export declare function createScimRouter(): Hono<import("hono/types").BlankEnv, import("hono/types").BlankSchema, "/">;

package/dist/routes/scim.js ADDED Viewed

@@ -0,0 +1,255 @@
+import { Hono } from "hono";
+import { getAuthAdapter } from "../lib/authAdapter";
+import { scimAuth } from "../middleware/scimAuth";
+import { userRecordToScim, parseScimFilter, scimError } from "../lib/scim";
+import { getScimConfig } from "../lib/appConfig";
+export function createScimRouter() {
+    const router = new Hono();
+    // All SCIM routes require SCIM bearer auth
+    router.use("/scim/v2/*", scimAuth);
+    // GET /scim/v2/Users — list/search users
+    router.get("/scim/v2/Users", async (c) => {
+        const config = getScimConfig();
+        if (!config)
+            return scimError(404, "SCIM not configured");
+        const adapter = getAuthAdapter();
+        if (!adapter.listUsers)
+            return scimError(501, "Auth adapter does not support listUsers");
+        const filter = c.req.query("filter");
+        const startIndex = parseInt(c.req.query("startIndex") ?? "1", 10);
+        const count = parseInt(c.req.query("count") ?? "100", 10);
+        const query = parseScimFilter(filter);
+        query.startIndex = Math.max(0, startIndex - 1); // SCIM is 1-based
+        query.count = Math.min(count, 200);
+        const { users, totalResults } = await adapter.listUsers(query);
+        const response = {
+            schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
+            totalResults,
+            startIndex,
+            itemsPerPage: users.length,
+            Resources: users.map((u) => userRecordToScim(u, config.userMapping)),
+        };
+        return c.json(response, 200);
+    });
+    // GET /scim/v2/Users/:id — get a user
+    router.get("/scim/v2/Users/:id", async (c) => {
+        const config = getScimConfig();
+        if (!config)
+            return scimError(404, "SCIM not configured");
+        const adapter = getAuthAdapter();
+        if (!adapter.getUser)
+            return scimError(501, "Auth adapter does not support getUser");
+        const user = await adapter.getUser(c.req.param("id"));
+        if (!user)
+            return scimError(404, "User not found");
+        const scimUser = userRecordToScim({
+            id: c.req.param("id"),
+            email: user.email,
+            displayName: user.displayName,
+            firstName: user.firstName,
+            lastName: user.lastName,
+            externalId: user.externalId,
+            suspended: user.suspended ?? false,
+            suspendedReason: user.suspendedReason,
+        }, config.userMapping);
+        return c.json(scimUser, 200);
+    });
+    // POST /scim/v2/Users — create a user (provision)
+    router.post("/scim/v2/Users", async (c) => {
+        const config = getScimConfig();
+        if (!config)
+            return scimError(404, "SCIM not configured");
+        const adapter = getAuthAdapter();
+        if (!adapter.create)
+            return scimError(501, "Auth adapter does not support create");
+        let body;
+        try {
+            body = await c.req.json();
+        }
+        catch {
+            return scimError(400, "Invalid JSON");
+        }
+        const email = body.userName ?? body.emails?.[0]?.value;
+        if (!email)
+            return scimError(400, "userName is required");
+        const existingByEmail = await (adapter.findByEmail?.(email));
+        if (existingByEmail)
+            return scimError(409, "User already exists");
+        // Create user with a random placeholder password (SCIM users authenticate via SSO)
+        const { sha256 } = await import("../lib/crypto");
+        const placeholderHash = sha256(crypto.randomUUID());
+        const { id } = await adapter.create(email, placeholderHash);
+        // Set profile fields
+        if (adapter.updateProfile) {
+            const fields = {};
+            if (body.name?.givenName)
+                fields.firstName = body.name.givenName;
+            if (body.name?.familyName)
+                fields.lastName = body.name.familyName;
+            if (body.displayName)
+                fields.displayName = body.displayName;
+            if (body.externalId)
+                fields.externalId = body.externalId;
+            if (Object.keys(fields).length > 0)
+                await adapter.updateProfile(id, fields);
+        }
+        const scimUser = userRecordToScim({
+            id,
+            email,
+            displayName: body.displayName,
+            firstName: body.name?.givenName,
+            lastName: body.name?.familyName,
+            externalId: body.externalId,
+            suspended: body.active === false,
+        }, config.userMapping);
+        return c.json(scimUser, 201);
+    });
+    // PUT /scim/v2/Users/:id — replace a user
+    router.put("/scim/v2/Users/:id", async (c) => {
+        const config = getScimConfig();
+        if (!config)
+            return scimError(404, "SCIM not configured");
+        const adapter = getAuthAdapter();
+        const userId = c.req.param("id");
+        let body;
+        try {
+            body = await c.req.json();
+        }
+        catch {
+            return scimError(400, "Invalid JSON");
+        }
+        if (adapter.updateProfile) {
+            const fields = {};
+            if (body.name?.givenName !== undefined)
+                fields.firstName = body.name.givenName;
+            if (body.name?.familyName !== undefined)
+                fields.lastName = body.name.familyName;
+            if (body.displayName !== undefined)
+                fields.displayName = body.displayName;
+            if (body.externalId !== undefined)
+                fields.externalId = body.externalId;
+            if (Object.keys(fields).length > 0)
+                await adapter.updateProfile(userId, fields);
+        }
+        if (adapter.setSuspended && body.active !== undefined) {
+            await adapter.setSuspended(userId, !body.active);
+        }
+        const user = await adapter.getUser?.(userId);
+        if (!user)
+            return scimError(404, "User not found");
+        return c.json(userRecordToScim({
+            id: userId,
+            email: user.email,
+            displayName: user.displayName,
+            firstName: user.firstName,
+            lastName: user.lastName,
+            externalId: user.externalId,
+            suspended: user.suspended ?? false,
+        }, config.userMapping), 200);
+    });
+    // PATCH /scim/v2/Users/:id — partial update
+    router.patch("/scim/v2/Users/:id", async (c) => {
+        const config = getScimConfig();
+        if (!config)
+            return scimError(404, "SCIM not configured");
+        const adapter = getAuthAdapter();
+        const userId = c.req.param("id");
+        let body;
+        try {
+            body = await c.req.json();
+        }
+        catch {
+            return scimError(400, "Invalid JSON");
+        }
+        const operations = body.Operations ?? [];
+        for (const op of operations) {
+            const opType = op.op?.toLowerCase();
+            if (opType === "replace" || opType === "add") {
+                const value = op.value;
+                if (op.path === "active" && adapter.setSuspended) {
+                    await adapter.setSuspended(userId, !value);
+                }
+                else if (!op.path && typeof value === "object" && adapter.updateProfile) {
+                    // Bulk replace — map SCIM fields to profile fields
+                    const fields = {};
+                    if (value.displayName !== undefined)
+                        fields.displayName = value.displayName;
+                    if (value["name.givenName"] !== undefined)
+                        fields.firstName = value["name.givenName"];
+                    if (value["name.familyName"] !== undefined)
+                        fields.lastName = value["name.familyName"];
+                    if (value.externalId !== undefined)
+                        fields.externalId = value.externalId;
+                    if (value.active !== undefined && adapter.setSuspended) {
+                        await adapter.setSuspended(userId, !value.active);
+                    }
+                    if (Object.keys(fields).length > 0)
+                        await adapter.updateProfile(userId, fields);
+                }
+            }
+            else if (opType === "remove" && op.path === "active" && adapter.setSuspended) {
+                await adapter.setSuspended(userId, true);
+            }
+        }
+        const user = await adapter.getUser?.(userId);
+        if (!user)
+            return scimError(404, "User not found");
+        return c.json(userRecordToScim({
+            id: userId,
+            email: user.email,
+            displayName: user.displayName,
+            firstName: user.firstName,
+            lastName: user.lastName,
+            externalId: user.externalId,
+            suspended: user.suspended ?? false,
+        }, config.userMapping), 200);
+    });
+    // DELETE /scim/v2/Users/:id — deprovision
+    router.delete("/scim/v2/Users/:id", async (c) => {
+        const config = getScimConfig();
+        if (!config)
+            return scimError(404, "SCIM not configured");
+        const adapter = getAuthAdapter();
+        const userId = c.req.param("id");
+        const onDeprovision = config.onDeprovision ?? "suspend";
+        if (typeof onDeprovision === "function") {
+            await onDeprovision(userId);
+        }
+        else if (onDeprovision === "delete") {
+            if (adapter.deleteUser)
+                await adapter.deleteUser(userId);
+        }
+        else {
+            // Default: suspend
+            if (adapter.setSuspended)
+                await adapter.setSuspended(userId, true, "SCIM deprovisioned");
+        }
+        return c.body(null, 204);
+    });
+    // Discovery endpoints
+    router.get("/scim/v2/ServiceProviderConfig", (c) => {
+        return c.json({
+            schemas: ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
+            patch: { supported: true },
+            bulk: { supported: false, maxOperations: 0, maxPayloadSize: 0 },
+            filter: { supported: true, maxResults: 200 },
+            changePassword: { supported: false },
+            sort: { supported: false },
+            etag: { supported: false },
+        });
+    });
+    router.get("/scim/v2/ResourceTypes", (c) => {
+        return c.json({
+            schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
+            totalResults: 1,
+            Resources: [{
+                    schemas: ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
+                    id: "User",
+                    name: "User",
+                    endpoint: "/scim/v2/Users",
+                    schema: "urn:ietf:params:scim:schemas:core:2.0:User",
+                }],
+        });
+    });
+    return router;
+}

package/dist/routes/uploads.d.ts ADDED Viewed

@@ -0,0 +1,14 @@
+import type { PresignedUrlConfig } from "../app";
+interface UploadsRouterConfig extends PresignedUrlConfig {
+    authorization?: {
+        authorize?: (input: {
+            action: "read" | "delete";
+            key: string;
+            userId?: string;
+            tenantId?: string;
+        }) => boolean | Promise<boolean>;
+    };
+    allowExternalKeys?: boolean;
+}
+export declare const createUploadsRouter: (config: UploadsRouterConfig) => import("@hono/zod-openapi").OpenAPIHono<import("../lib/context").AppEnv, {}, "/">;
+export {};