@lastshotlabs/bunshot 0.0.21 → 0.0.27

package/dist/routes/uploads.js

@@ -0,0 +1,227 @@
+import { z } from "zod";
+import { createRouter } from "../lib/context";
+import { createRoute } from "../lib/createRoute";
+import { userAuth } from "../middleware/userAuth";
+import { getStorageAdapter, generateUploadKeyFromFilename } from "../lib/upload";
+import { getSigningConfig, getSigningSecret } from "../lib/appConfig";
+import { createPresignedUrl } from "../lib/signing";
+import { getUploadRecord, deleteUploadRecord, registerUpload } from "../lib/uploadRegistry";
+const tags = ["Uploads"];
+async function checkUploadAccess(action, key, userId, tenantId, config) {
+    const record = await getUploadRecord(key);
+    const authorize = config.authorization?.authorize;
+    const allowExternalKeys = config.allowExternalKeys ?? false;
+    if (record) {
+        // If the registry record has a tenantId, the requester must match — period.
+        if (record.tenantId && record.tenantId !== tenantId) {
+            return { allowed: false, notFound: false };
+        }
+        // Owner match → allow
+        if (record.ownerUserId && record.ownerUserId === userId) {
+            return { allowed: true, notFound: false };
+        }
+        // No owner or owner mismatch → try callback
+        if (authorize) {
+            const ok = await authorize({ action, key, userId: userId ?? undefined, tenantId: tenantId ?? undefined });
+            return { allowed: ok, notFound: false };
+        }
+        return { allowed: false, notFound: false };
+    }
+    // Record not in registry
+    if (allowExternalKeys) {
+        if (authorize) {
+            const ok = await authorize({ action, key, userId: userId ?? undefined, tenantId: tenantId ?? undefined });
+            return { allowed: ok, notFound: false };
+        }
+        return { allowed: false, notFound: false };
+    }
+    return { allowed: false, notFound: true };
+}
+export const createUploadsRouter = (config) => {
+    const router = createRouter();
+    const basePath = (config.path ?? "/uploads").replace(/\/$/, "");
+    router.use(`${basePath}/*`, userAuth);
+    const BLOCKED_MIME_TYPES = new Set([
+        "application/x-executable",
+        "application/x-sh",
+        "application/x-msdownload",
+        "text/html",
+        "application/x-httpd-php",
+        "application/javascript",
+        "text/javascript",
+    ]);
+    const presignRoute = createRoute({
+        method: "post",
+        path: `${basePath}/presign`,
+        tags,
+        summary: "Generate presigned upload URL",
+        request: {
+            body: {
+                content: {
+                    "application/json": {
+                        schema: z.object({
+                            filename: z.string().optional().describe("Original filename (used to derive the storage key extension)"),
+                            mimeType: z.string().optional().describe("MIME type of the file"),
+                            expirySeconds: z.number().int().positive().optional().describe("URL expiry in seconds"),
+                            maxBytes: z.number().int().positive().max(100 * 1024 * 1024).optional()
+                                .describe("Maximum allowed file size in bytes (client-enforced via Content-Length header). Defaults to 10MB. Maximum: 100MB."),
+                        }),
+                    },
+                },
+            },
+        },
+        responses: {
+            200: {
+                description: "Presigned URL generated",
+                content: { "application/json": { schema: z.object({ url: z.string(), key: z.string(), maxBytes: z.number().optional() }) } },
+            },
+            400: {
+                description: "File type not allowed",
+                content: { "application/json": { schema: z.object({ error: z.string() }) } },
+            },
+            501: {
+                description: "Not implemented by adapter",
+                content: { "application/json": { schema: z.object({ error: z.string() }) } },
+            },
+        },
+    });
+    router.openapi(presignRoute, async (c) => {
+        const adapter = getStorageAdapter();
+        if (!adapter?.presignPut) {
+            return c.json({ error: "Presigned URLs not supported by the configured storage adapter" }, 501);
+        }
+        const { filename, mimeType, expirySeconds, maxBytes } = c.req.valid("json");
+        if (mimeType && BLOCKED_MIME_TYPES.has(mimeType)) {
+            return c.json({ error: "File type not allowed." }, 400);
+        }
+        const userId = c.get("authUserId") ?? undefined;
+        const tenantId = c.get("tenantId") ?? undefined;
+        // Server-generates the key — client cannot control the storage path
+        const key = generateUploadKeyFromFilename(filename, { userId, tenantId });
+        const expiry = expirySeconds ?? (typeof config.expirySeconds === "number" ? config.expirySeconds : 3600);
+        const url = await adapter.presignPut(key, { expirySeconds: expiry, mimeType });
+        // Register the upload for ownership tracking
+        await registerUpload({
+            key,
+            ownerUserId: userId,
+            tenantId,
+            mimeType,
+            bucket: c.get("uploadBucket") ?? undefined,
+            createdAt: Date.now(),
+        });
+        return c.json({ url, key, ...(maxBytes !== undefined ? { maxBytes } : {}) }, 200);
+    });
+    const presignGetRoute = createRoute({
+        method: "get",
+        path: `${basePath}/presign/:key{.+}`,
+        tags,
+        summary: "Generate presigned download URL",
+        request: {
+            params: z.object({ key: z.string() }),
+            query: z.object({
+                expiry: z.string().optional().describe("URL expiry in seconds (default: 3600)"),
+            }),
+        },
+        responses: {
+            200: {
+                description: "Presigned download URL",
+                content: {
+                    "application/json": {
+                        schema: z.object({
+                            url: z.string(),
+                            expiresAt: z.number().describe("Unix timestamp (seconds) when the URL expires"),
+                        }),
+                    },
+                },
+            },
+            403: {
+                description: "Forbidden — not the owner or unauthorized",
+                content: { "application/json": { schema: z.object({ error: z.string() }) } },
+            },
+            404: {
+                description: "Key not found in upload registry",
+                content: { "application/json": { schema: z.object({ error: z.string() }) } },
+            },
+            501: {
+                description: "Not implemented",
+                content: { "application/json": { schema: z.object({ error: z.string() }) } },
+            },
+        },
+    });
+    router.openapi(presignGetRoute, async (c) => {
+        const { key } = c.req.valid("param");
+        const { expiry: expiryStr } = c.req.valid("query");
+        const userId = c.get("authUserId");
+        const tenantId = c.get("tenantId");
+        const { allowed, notFound } = await checkUploadAccess("read", key, userId, tenantId, config);
+        if (notFound)
+            return c.json({ error: "Not found" }, 404);
+        if (!allowed)
+            return c.json({ error: "Forbidden" }, 403);
+        const expirySeconds = expiryStr ? parseInt(expiryStr, 10) : (typeof config.expirySeconds === "number" ? config.expirySeconds : 3600);
+        const signingCfg = getSigningConfig();
+        if (signingCfg?.presignedUrls) {
+            const secret = getSigningSecret();
+            if (!secret)
+                return c.json({ error: "Signing secret not configured" }, 501);
+            const defaultExpiry = typeof signingCfg.presignedUrls === "object"
+                ? (signingCfg.presignedUrls.defaultExpiry ?? expirySeconds)
+                : expirySeconds;
+            const base = new URL(c.req.url);
+            base.pathname = `${basePath}/download/${key}`;
+            base.search = "";
+            const url = createPresignedUrl(base.toString(), key, { method: "GET", expiry: defaultExpiry }, secret);
+            const expiresAt = Math.floor(Date.now() / 1000) + defaultExpiry;
+            return c.json({ url, expiresAt }, 200);
+        }
+        // Fallback: adapter.presignGet (S3 only)
+        const adapter = getStorageAdapter();
+        if (!adapter?.presignGet) {
+            return c.json({ error: "Presigned download URLs not supported. Enable signing.presignedUrls or use an S3 adapter." }, 501);
+        }
+        const url = await adapter.presignGet(key, { expirySeconds });
+        const expiresAt = Math.floor(Date.now() / 1000) + expirySeconds;
+        return c.json({ url, expiresAt }, 200);
+    });
+    const deleteRoute = createRoute({
+        method: "delete",
+        path: `${basePath}/:key{.+}`,
+        tags,
+        summary: "Delete an uploaded file",
+        request: {
+            params: z.object({ key: z.string() }),
+        },
+        responses: {
+            204: { description: "Deleted" },
+            403: {
+                description: "Forbidden — not the owner or unauthorized",
+                content: { "application/json": { schema: z.object({ error: z.string() }) } },
+            },
+            404: {
+                description: "Key not found in upload registry",
+                content: { "application/json": { schema: z.object({ error: z.string() }) } },
+            },
+            500: {
+                description: "No storage adapter configured",
+                content: { "application/json": { schema: z.object({ error: z.string() }) } },
+            },
+        },
+    });
+    router.openapi(deleteRoute, async (c) => {
+        const adapter = getStorageAdapter();
+        if (!adapter)
+            return c.json({ error: "No storage adapter configured" }, 500);
+        const { key } = c.req.valid("param");
+        const userId = c.get("authUserId");
+        const tenantId = c.get("tenantId");
+        const { allowed, notFound } = await checkUploadAccess("delete", key, userId, tenantId, config);
+        if (notFound)
+            return c.json({ error: "Not found" }, 404);
+        if (!allowed)
+            return c.json({ error: "Forbidden" }, 403);
+        await adapter.delete(key);
+        await deleteUploadRecord(key);
+        return c.body(null, 204);
+    });
+    return router;
+};

package/dist/server.d.ts

@@ -1,6 +1,8 @@
 import type { Server, ServerWebSocket, WebSocketHandler } from "bun";
 import { type CreateAppConfig } from "./app";
 import { type SocketData } from "./ws/index";
+import { type HeartbeatConfig } from "./lib/wsHeartbeat";
+import { type WsMessageStore, type WsMessageDefaults } from "./lib/wsMessages";
 export interface WsConfig<T extends object = object> {
     /** Override or extend the default WebSocket handler */
     handler?: WebSocketHandler<SocketData<T>>;
@@ -18,6 +20,25 @@ export interface WsConfig<T extends object = object> {
      * Defaults to 65536 (64 KB).
      */
     maxMessageSize?: number;
+    /**
+     * Heartbeat / ping-pong keepalive. Set `true` for defaults (30s interval, 10s timeout)
+     * or provide an object to customize intervals.
+     */
+    heartbeat?: boolean | HeartbeatConfig;
+    /**
+     * Presence tracking. Set `true` for defaults or provide config.
+     * When enabled, `presence_join`/`presence_leave` events are broadcast to rooms.
+     */
+    presence?: boolean | {
+        broadcastEvents?: boolean;
+    };
+    /**
+     * Message persistence. Opt rooms in via `configureRoom()`.
+     */
+    persistence?: {
+        store?: WsMessageStore;
+        defaults?: WsMessageDefaults;
+    };
 }
 export interface CreateServerConfig<T extends object = object> extends CreateAppConfig {
     port?: number;
@@ -27,5 +48,10 @@ export interface CreateServerConfig<T extends object = object> extends CreateApp
     enableWorkers?: boolean;
     /** WebSocket configuration */
     ws?: WsConfig<T>;
+    /**
+     * Maximum request body size in bytes. Defaults to the upload config limit when present
+     * (maxFileSize * maxFiles), otherwise Bun's default (128 MB).
+     */
+    maxRequestBodySize?: number;
 }
 export declare const createServer: <T extends object = object>(config: CreateServerConfig<T>) => Promise<Server<SocketData<T>>>;

package/dist/server.js

@@ -1,17 +1,44 @@
 import { createApp } from "./app";
 import { websocket as defaultWebsocket, createWsUpgradeHandler } from "./ws/index";
-import { setWsServer, handleRoomActions, cleanupSocket } from "./lib/ws";
+import { setWsServer, handleRoomActions, cleanupSocket, setPresenceEnabled } from "./lib/ws";
+import { registerSocket, deregisterSocket, handlePong, startHeartbeat, stopHeartbeat } from "./lib/wsHeartbeat";
+import { trackSocket, untrackSocket } from "./lib/wsPresence";
+import { setWsMessageStore, setWsMessageDefaults } from "./lib/wsMessages";
 import { log } from "./lib/logger";
 export const createServer = async (config) => {
     const app = await createApp(config);
     const port = Number(process.env.PORT ?? config.port ?? 3000);
     const { workersDir, enableWorkers = true, ws: wsConfig = {} } = config;
-    const { handler: userWs, upgradeHandler: wsUpgradeHandler, onRoomSubscribe, maxMessageSize = 65_536 } = wsConfig;
+    // Compute maxRequestBodySize: explicit config wins, else derive from upload config
+    let maxRequestBodySize = config.maxRequestBodySize;
+    if (maxRequestBodySize === undefined && config.upload) {
+        const maxFileSize = config.upload.maxFileSize ?? 10 * 1024 * 1024;
+        const maxFiles = config.upload.maxFiles ?? 10;
+        maxRequestBodySize = maxFileSize * maxFiles;
+    }
+    const { handler: userWs, upgradeHandler: wsUpgradeHandler, onRoomSubscribe, maxMessageSize = 65_536, heartbeat: heartbeatConfig, presence: presenceConfig, persistence: persistenceConfig, } = wsConfig;
+    // Configure presence
+    if (presenceConfig)
+        setPresenceEnabled(true);
+    // Configure message persistence
+    if (persistenceConfig) {
+        if (persistenceConfig.store)
+            setWsMessageStore(persistenceConfig.store);
+        if (persistenceConfig.defaults)
+            setWsMessageDefaults(persistenceConfig.defaults);
+    }
     const defaultOpen = defaultWebsocket.open;
     const defaultClose = defaultWebsocket.close;
     const defaultDrain = defaultWebsocket.drain;
+    const heartbeatEnabled = !!heartbeatConfig;
     const ws = {
-        open: userWs?.open ?? defaultOpen,
+        open(socket) {
+            if (heartbeatEnabled)
+                registerSocket(socket, socket.data.id);
+            if (presenceConfig)
+                trackSocket(socket.data.id, socket.data.userId);
+            (userWs?.open ?? defaultOpen)(socket);
+        },
         async message(socket, message) {
             const size = typeof message === "string" ? message.length : message.byteLength;
             if (size > maxMessageSize) {
@@ -26,10 +53,18 @@ export const createServer = async (config) => {
             }
         },
         close(socket, code, reason) {
+            if (heartbeatEnabled)
+                deregisterSocket(socket.data.id);
+            if (presenceConfig)
+                untrackSocket(socket.data.id);
             cleanupSocket(socket.data.id, socket.data.rooms);
             socket.data.rooms.clear();
             (userWs?.close ?? defaultClose)(socket, code, reason);
         },
+        pong(socket) {
+            if (heartbeatEnabled)
+                handlePong(socket.data.id);
+        },
         drain: userWs?.drain ?? defaultDrain,
     };
     let server;
@@ -42,12 +77,20 @@ export const createServer = async (config) => {
         },
         fetch: app.fetch,
         websocket: ws,
+        ...(maxRequestBodySize !== undefined ? { maxRequestBodySize } : {}),
         error(err) {
             console.error(err);
             return Response.json({ error: "Internal Server Error" }, { status: 500 });
         },
     });
     setWsServer(server);
+    // Start heartbeat after server is ready
+    if (heartbeatEnabled)
+        startHeartbeat(heartbeatConfig);
+    // Graceful shutdown — stop heartbeat alongside existing cleanup
+    const gracefulShutdown = () => { stopHeartbeat(); };
+    process.on("SIGTERM", gracefulShutdown);
+    process.on("SIGINT", gracefulShutdown);
     if (enableWorkers && workersDir) {
         const glob = new Bun.Glob("**/*.ts");
         for await (const file of glob.scan({ cwd: workersDir })) {

package/dist/services/auth.d.ts

@@ -15,6 +15,7 @@ export interface AuthResult {
 export declare const createSessionForUser: (userId: string, metadata?: SessionMetadata) => Promise<{
     token: string;
     refreshToken?: string;
+    sessionId: string;
 }>;
 export declare const register: (identifier: string, password: string, metadata?: SessionMetadata) => Promise<AuthResult>;
 export declare const login: (identifier: string, password: string, metadata?: SessionMetadata) => Promise<AuthResult>;
@@ -25,3 +26,4 @@ export declare const refresh: (refreshTokenValue: string) => Promise<{
 }>;
 export declare const deleteAccount: (userId: string, password?: string) => Promise<void>;
 export declare const logout: (token: string | null) => Promise<void>;
+export declare const passkeyLogin: (passkeyToken: string, assertionResponse: any, metadata?: SessionMetadata) => Promise<AuthResult>;

package/dist/services/auth.js

@@ -2,14 +2,16 @@ import { getAuthAdapter } from "../lib/authAdapter";
 import { HttpError } from "../lib/HttpError";
 import { signToken, verifyToken } from "../lib/jwt";
 import { createSession, deleteSession, getActiveSessionCount, evictOldestSession, deleteUserSessions, setRefreshToken, getSessionByRefreshToken, rotateRefreshToken } from "../lib/session";
-import { getDefaultRole, getPrimaryField, getEmailVerificationConfig, getMaxSessions, getRefreshTokenConfig, getAccessTokenExpiry, getMfaConfig, getMfaEmailOtpConfig, getMfaWebAuthnConfig } from "../lib/appConfig";
+import { getDefaultRole, getPrimaryField, getEmailVerificationConfig, getMaxSessions, getRefreshTokenConfig, getAccessTokenExpiry, getMfaConfig, getMfaEmailOtpConfig, getMfaWebAuthnConfig, getMfaWebAuthnPasskeyMfaBypass } from "../lib/appConfig";
+import { getSuspended } from "../lib/suspension";
 import { createVerificationToken } from "../lib/emailVerification";
 import { createMfaChallenge } from "../lib/mfaChallenge";
 import { generateEmailOtpCode, generateWebAuthnAuthenticationOptions } from "./mfa";
+import { emitSecurityEvent } from "../lib/securityEvents";
 async function createSessionWithRefreshToken(userId, sessionId, metadata) {
     const rtConfig = getRefreshTokenConfig();
     const expirySeconds = rtConfig ? getAccessTokenExpiry() : undefined;
-    const token = await signToken(userId, sessionId, expirySeconds);
+    const token = await signToken({ sub: userId, sid: sessionId }, expirySeconds);
     while (await getActiveSessionCount(userId) >= getMaxSessions()) {
         await evictOldestSession(userId);
     }
@@ -27,25 +29,32 @@ export const createSessionForUser = async (userId, metadata) => {
     return createSessionWithRefreshToken(userId, sessionId, metadata);
 };
 export const register = async (identifier, password, metadata) => {
-    const hashed = await Bun.password.hash(password);
-    const adapter = getAuthAdapter();
-    const user = await adapter.create(identifier, hashed);
-    const role = getDefaultRole();
-    if (role)
-        await adapter.setRoles(user.id, [role]);
-    const sessionId = crypto.randomUUID();
-    const { token, refreshToken } = await createSessionWithRefreshToken(user.id, sessionId, metadata);
-    const evConfig = getEmailVerificationConfig();
-    if (evConfig && getPrimaryField() === "email") {
-        try {
-            const verificationToken = await createVerificationToken(user.id, identifier);
-            await evConfig.onSend(identifier, verificationToken);
-        }
-        catch (e) {
-            console.error("[email-verification] Failed to send verification email:", e);
+    try {
+        const hashed = await Bun.password.hash(password);
+        const adapter = getAuthAdapter();
+        const user = await adapter.create(identifier, hashed);
+        const role = getDefaultRole();
+        if (role)
+            await adapter.setRoles(user.id, [role]);
+        const sessionId = crypto.randomUUID();
+        const { token, refreshToken } = await createSessionWithRefreshToken(user.id, sessionId, metadata);
+        const evConfig = getEmailVerificationConfig();
+        if (evConfig && getPrimaryField() === "email") {
+            try {
+                const verificationToken = await createVerificationToken(user.id, identifier);
+                await evConfig.onSend(identifier, verificationToken);
+            }
+            catch (e) {
+                console.error("[email-verification] Failed to send verification email:", e);
+            }
         }
+        emitSecurityEvent({ eventType: "auth.register.success", severity: "info", timestamp: new Date().toISOString(), userId: user.id });
+        return { token, userId: user.id, email: identifier, refreshToken };
+    }
+    catch (err) {
+        emitSecurityEvent({ eventType: "auth.register.failure", severity: "warn", timestamp: new Date().toISOString() });
+        throw err;
     }
-    return { token, userId: user.id, email: identifier, refreshToken };
 };
 // Pre-computed dummy hash so non-existent-user login takes the same time as wrong-password login
 const DUMMY_HASH = await Bun.password.hash("dummy-timing-safe-placeholder");
@@ -57,8 +66,15 @@ export const login = async (identifier, password, metadata) => {
     const hashToVerify = user?.passwordHash ?? DUMMY_HASH;
     const passwordValid = await Bun.password.verify(password, hashToVerify);
     if (!user || !passwordValid) {
+        emitSecurityEvent({ eventType: "auth.login.failure", severity: "warn", timestamp: new Date().toISOString(), meta: { identifier } });
         throw new HttpError(401, "Invalid credentials");
     }
+    // Check suspension
+    const suspensionStatus = await getSuspended(user.id);
+    if (suspensionStatus.suspended) {
+        emitSecurityEvent({ eventType: "auth.login.blocked", severity: "critical", timestamp: new Date().toISOString(), meta: { reason: "suspended" } });
+        throw new HttpError(403, "Account suspended", "ACCOUNT_SUSPENDED");
+    }
     // Check email verification before MFA to avoid leaking MFA status to unverified users
     const fullUser = adapter.getUser ? await adapter.getUser(user.id) : null;
     const googleLinked = fullUser?.providerIds?.some((id) => id.startsWith("google:")) ?? false;
@@ -100,6 +116,7 @@ export const login = async (identifier, password, metadata) => {
     }
     const sessionId = crypto.randomUUID();
     const { token, refreshToken } = await createSessionWithRefreshToken(user.id, sessionId, metadata);
+    emitSecurityEvent({ eventType: "auth.login.success", severity: "info", timestamp: new Date().toISOString(), userId: user.id });
     if (evConfig && getPrimaryField() === "email" && adapter.getEmailVerified) {
         const verified = await adapter.getEmailVerified(user.id);
         return { token, userId: user.id, email: fullUser?.email, emailVerified: verified, googleLinked, refreshToken };
@@ -115,12 +132,12 @@ export const refresh = async (refreshTokenValue) => {
     // If the returned newRefreshToken differs from what was sent, we're in a grace window replay.
     // Return the current tokens without rotating again.
     if (newRefreshToken !== refreshTokenValue) {
-        const accessToken = await signToken(userId, sessionId, getAccessTokenExpiry());
+        const accessToken = await signToken({ sub: userId, sid: sessionId }, getAccessTokenExpiry());
         return { token: accessToken, refreshToken: newRefreshToken, userId };
     }
     // Normal rotation: generate new refresh + access tokens
     const newRT = crypto.randomUUID();
-    const newAccessToken = await signToken(userId, sessionId, getAccessTokenExpiry());
+    const newAccessToken = await signToken({ sub: userId, sid: sessionId }, getAccessTokenExpiry());
     await rotateRefreshToken(sessionId, newRT, newAccessToken);
     return { token: newAccessToken, refreshToken: newRT, userId };
 };
@@ -148,12 +165,74 @@ export const deleteAccount = async (userId, password) => {
     await deleteUserSessions(userId);
     // Delete the user
     await adapter.deleteUser(userId);
+    emitSecurityEvent({ eventType: "auth.account.deleted", severity: "warn", timestamp: new Date().toISOString(), userId });
 };
 export const logout = async (token) => {
     if (token) {
         const payload = await verifyToken(token);
         const sessionId = payload.sid;
-        if (sessionId)
+        if (sessionId) {
             await deleteSession(sessionId);
+            emitSecurityEvent({ eventType: "auth.logout", severity: "info", timestamp: new Date().toISOString(), sessionId });
+        }
+    }
+};
+export const passkeyLogin = async (passkeyToken, assertionResponse, metadata) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.findUserByWebAuthnCredentialId || !adapter.getWebAuthnCredentials) {
+        throw new HttpError(501, "Auth adapter does not support passkey login");
+    }
+    const { consumePasskeyLoginChallenge } = await import("../lib/mfaChallenge");
+    const challengeData = await consumePasskeyLoginChallenge(passkeyToken);
+    if (!challengeData) {
+        throw new HttpError(401, "Invalid or expired passkey token");
+    }
+    const credentialId = assertionResponse?.id;
+    if (!credentialId) {
+        throw new HttpError(401, "Invalid assertion response");
+    }
+    const userId = await adapter.findUserByWebAuthnCredentialId(credentialId);
+    if (!userId) {
+        throw new HttpError(401, "Invalid credentials");
+    }
+    const { verifyWebAuthn } = await import("./mfa");
+    const verified = await verifyWebAuthn(userId, assertionResponse, challengeData.webauthnChallenge);
+    if (!verified) {
+        throw new HttpError(401, "WebAuthn verification failed");
+    }
+    // Check suspension
+    const suspensionStatus = await getSuspended(userId);
+    if (suspensionStatus.suspended) {
+        throw new HttpError(403, "Account suspended", "ACCOUNT_SUSPENDED");
+    }
+    // passkeyMfaBypass=true (default): passkey with userVerification=required satisfies both factors
+    const mfaBypass = getMfaWebAuthnPasskeyMfaBypass();
+    if (!mfaBypass && getMfaConfig() && adapter.isMfaEnabled && await adapter.isMfaEnabled(userId)) {
+        const methods = adapter.getMfaMethods ? await adapter.getMfaMethods(userId) : ["totp"];
+        let emailOtpHash;
+        const emailOtpConfig = getMfaEmailOtpConfig();
+        if (methods.includes("emailOtp") && emailOtpConfig) {
+            const { generateEmailOtpCode } = await import("./mfa");
+            const { code, hash } = generateEmailOtpCode();
+            emailOtpHash = hash;
+            const fullUser = adapter.getUser ? await adapter.getUser(userId) : null;
+            if (fullUser?.email)
+                await emailOtpConfig.onSend(fullUser.email, code);
+        }
+        let webauthnChallenge2;
+        let webauthnOptions;
+        if (methods.includes("webauthn") && getMfaWebAuthnConfig()) {
+            const { generateWebAuthnAuthenticationOptions } = await import("./mfa");
+            const result = await generateWebAuthnAuthenticationOptions(userId);
+            if (result) {
+                webauthnChallenge2 = result.challenge;
+                webauthnOptions = result.options;
+            }
+        }
+        const mfaToken = await createMfaChallenge(userId, { emailOtpHash, webauthnChallenge: webauthnChallenge2 });
+        return { token: "", userId, mfaRequired: true, mfaToken, mfaMethods: methods, webauthnOptions };
     }
+    const { token, refreshToken } = await createSessionForUser(userId, metadata);
+    const fullUser = adapter.getUser ? await adapter.getUser(userId) : null;
+    return { token, userId, email: fullUser?.email, refreshToken };
 };

package/dist/services/mfa.js

@@ -343,8 +343,8 @@ export const initiateWebAuthnRegistration = async (userId) => {
         })),
         authenticatorSelection: {
             authenticatorAttachment: config.authenticatorAttachment,
-            userVerification: config.userVerification ?? "preferred",
-            residentKey: "preferred",
+            userVerification: config.userVerification ?? "required",
+            residentKey: "required",
         },
         timeout: config.timeout ?? 60000,
     });

package/dist/ws/index.js

@@ -1,6 +1,8 @@
 import { verifyToken } from "../lib/jwt";
 import { getSession } from "../lib/session";
 import { COOKIE_TOKEN } from "../lib/constants";
+import { trackSocket, untrackSocket } from "../lib/wsPresence";
+import { timingSafeEqual } from "../lib/crypto";
 export const createWsUpgradeHandler = (server) => async (req) => {
     let userId = null;
     try {
@@ -11,7 +13,7 @@ export const createWsUpgradeHandler = (server) => async (req) => {
             const sessionId = payload.sid;
             if (sessionId) {
                 const stored = await getSession(sessionId);
-                if (stored === token)
+                if (timingSafeEqual(stored ?? "", token))
                     userId = payload.sub;
             }
         }
@@ -22,6 +24,7 @@ export const createWsUpgradeHandler = (server) => async (req) => {
 };
 export const websocket = {
     open(ws) {
+        trackSocket(ws.data.id, ws.data.userId);
         console.log(`[ws] connected: ${ws.data.id}`);
         ws.send(JSON.stringify({ event: "connected", id: ws.data.id }));
     },
@@ -30,6 +33,7 @@ export const websocket = {
         // Override ws.handler.message in WsConfig for custom message handling.
     },
     close(ws) {
+        untrackSocket(ws.data.id);
         console.log(`[ws] disconnected: ${ws.data.id}`);
     },
 };