@lastshotlabs/bunshot 0.0.21 → 0.0.27

package/dist/adapters/mongoAuth.js

@@ -1,5 +1,8 @@
 import { AuthUser } from "../models/AuthUser";
 import { TenantRole } from "../models/TenantRole";
+import { Group } from "../models/Group";
+import { GroupMembership } from "../models/GroupMembership";
+import { M2MClient } from "../models/M2MClient";
 import { HttpError } from "../lib/HttpError";
 export const mongoAuthAdapter = {
     async findByEmail(email) {
@@ -62,13 +65,19 @@ export const mongoAuthAdapter = {
         await AuthUser.findByIdAndUpdate(userId, { $pull: { roles: role } });
     },
     async getUser(userId) {
-        const user = await AuthUser.findById(userId, "email providerIds emailVerified").lean();
+        const user = await AuthUser.findById(userId, "email providerIds emailVerified displayName firstName lastName externalId suspended suspendedReason").lean();
         if (!user)
             return null;
         return {
             email: user.email,
             providerIds: user.providerIds,
             emailVerified: user.emailVerified ?? false,
+            displayName: user.displayName ?? undefined,
+            firstName: user.firstName ?? undefined,
+            lastName: user.lastName ?? undefined,
+            externalId: user.externalId ?? undefined,
+            suspended: user.suspended ?? false,
+            suspendedReason: user.suspendedReason ?? undefined,
         };
     },
     async unlinkProvider(userId, provider) {
@@ -184,4 +193,211 @@ export const mongoAuthAdapter = {
     async removeTenantRole(userId, tenantId, role) {
         await TenantRole.findOneAndUpdate({ userId, tenantId }, { $pull: { roles: role } });
     },
+    async setSuspended(userId, suspended, reason) {
+        const update = { suspended };
+        if (suspended) {
+            update.suspendedAt = new Date();
+            update.suspendedReason = reason ?? null;
+        }
+        else {
+            update.suspendedAt = null;
+            update.suspendedReason = null;
+        }
+        await AuthUser.updateOne({ _id: userId }, { $set: update });
+    },
+    async getSuspended(userId) {
+        const user = await AuthUser.findById(userId, { suspended: 1, suspendedReason: 1 }).lean();
+        if (!user)
+            return null;
+        return { suspended: user.suspended ?? false, suspendedReason: user.suspendedReason ?? undefined };
+    },
+    async updateProfile(userId, fields) {
+        await AuthUser.updateOne({ _id: userId }, { $set: fields });
+    },
+    async listUsers(query) {
+        const filter = {};
+        if (query.email !== undefined)
+            filter.email = query.email;
+        if (query.externalId !== undefined)
+            filter.externalId = query.externalId;
+        if (query.suspended !== undefined)
+            filter.suspended = query.suspended;
+        const startIndex = query.startIndex ?? 0;
+        const count = query.count ?? 100;
+        const [users, totalResults] = await Promise.all([
+            AuthUser.find(filter, {
+                _id: 1, email: 1, displayName: 1, firstName: 1, lastName: 1,
+                externalId: 1, suspended: 1, suspendedAt: 1, suspendedReason: 1,
+                emailVerified: 1, providerIds: 1,
+            }).skip(startIndex).limit(count).lean(),
+            AuthUser.countDocuments(filter),
+        ]);
+        return {
+            users: users.map((u) => ({
+                id: String(u._id),
+                email: u.email ?? undefined,
+                displayName: u.displayName ?? undefined,
+                firstName: u.firstName ?? undefined,
+                lastName: u.lastName ?? undefined,
+                externalId: u.externalId ?? undefined,
+                suspended: u.suspended ?? false,
+                suspendedAt: u.suspendedAt ?? undefined,
+                suspendedReason: u.suspendedReason ?? undefined,
+                emailVerified: u.emailVerified ?? undefined,
+                providerIds: u.providerIds ?? undefined,
+            })),
+            totalResults,
+        };
+    },
+    // ---------------------------------------------------------------------------
+    // Groups
+    // ---------------------------------------------------------------------------
+    async createGroup(group) {
+        try {
+            const doc = await Group.create(group);
+            return { id: String(doc._id) };
+        }
+        catch (err) {
+            if (err?.code === 11000)
+                throw new HttpError(409, "A group with this name already exists in this scope");
+            throw err;
+        }
+    },
+    async deleteGroup(groupId) {
+        await Group.findByIdAndDelete(groupId);
+        // Explicit cascade (Mongoose middleware hooks are intentionally avoided for visibility)
+        await GroupMembership.deleteMany({ groupId });
+    },
+    async getGroup(groupId) {
+        const doc = await Group.findById(groupId).lean();
+        if (!doc)
+            return null;
+        return mongoGroupToRecord(doc);
+    },
+    async listGroups(tenantId, opts) {
+        const limit = Math.min(opts?.limit ?? 50, 200);
+        const offset = opts?.offset ?? 0;
+        const filter = { tenantId: tenantId ?? null };
+        const [docs, total] = await Promise.all([
+            Group.find(filter).skip(offset).limit(limit).lean(),
+            Group.countDocuments(filter),
+        ]);
+        return { items: docs.map(mongoGroupToRecord), total, limit, offset };
+    },
+    async updateGroup(groupId, updates) {
+        await Group.findByIdAndUpdate(groupId, { $set: updates });
+    },
+    async addGroupMember(groupId, userId, roles = []) {
+        // Look up group to get tenantId for denormalization
+        const group = await Group.findById(groupId, "tenantId").lean();
+        if (!group)
+            throw new HttpError(404, "Group not found");
+        try {
+            await GroupMembership.create({ groupId, userId, roles, tenantId: group.tenantId ?? null });
+        }
+        catch (err) {
+            if (err?.code === 11000)
+                throw new HttpError(409, "User is already a member of this group");
+            throw err;
+        }
+    },
+    async updateGroupMembership(groupId, userId, roles) {
+        await GroupMembership.findOneAndUpdate({ groupId, userId }, { $set: { roles } });
+    },
+    async removeGroupMember(groupId, userId) {
+        await GroupMembership.deleteOne({ groupId, userId });
+    },
+    async getGroupMembers(groupId, opts) {
+        const limit = Math.min(opts?.limit ?? 50, 200);
+        const offset = opts?.offset ?? 0;
+        const [docs, total] = await Promise.all([
+            GroupMembership.find({ groupId }, "userId roles").skip(offset).limit(limit).lean(),
+            GroupMembership.countDocuments({ groupId }),
+        ]);
+        return {
+            items: docs.map((d) => ({ userId: d.userId, roles: d.roles ?? [] })),
+            total, limit, offset,
+        };
+    },
+    async getUserGroups(userId, tenantId) {
+        const memberships = await GroupMembership.find({ userId, tenantId: tenantId ?? null }, "groupId roles").lean();
+        if (memberships.length === 0)
+            return [];
+        const groupIds = memberships.map((m) => m.groupId);
+        const groups = await Group.find({ _id: { $in: groupIds } }).lean();
+        const groupMap = new Map(groups.map((g) => [String(g._id), g]));
+        return memberships.map((m) => ({
+            group: mongoGroupToRecord(groupMap.get(m.groupId)),
+            membershipRoles: m.roles ?? [],
+        })).filter((r) => r.group);
+    },
+    async getEffectiveRoles(userId, tenantId) {
+        // Direct roles
+        let direct = [];
+        if (tenantId) {
+            const doc = await TenantRole.findOne({ userId, tenantId }, "roles").lean();
+            direct = doc?.roles ?? [];
+        }
+        else {
+            const user = await AuthUser.findById(userId, "roles").lean();
+            direct = user?.roles ?? [];
+        }
+        // Group roles via memberships
+        const memberships = await GroupMembership.find({ userId, tenantId: tenantId ?? null }, "groupId roles").lean();
+        if (memberships.length === 0)
+            return [...new Set(direct)];
+        const groupIds = memberships.map((m) => m.groupId);
+        const groups = await Group.find({ _id: { $in: groupIds } }, "roles").lean();
+        const groupMap = new Map(groups.map((g) => [String(g._id), g.roles ?? []]));
+        const groupRoles = memberships.flatMap((m) => [
+            ...(groupMap.get(m.groupId) ?? []),
+            ...(m.roles ?? []),
+        ]);
+        return [...new Set([...direct, ...groupRoles])];
+    },
+    // ---------------------------------------------------------------------------
+    // M2M client credentials
+    // ---------------------------------------------------------------------------
+    async getM2MClient(clientId) {
+        const client = await M2MClient.findOne({ clientId, active: true }).lean();
+        if (!client)
+            return null;
+        return {
+            id: String(client._id),
+            clientId: client.clientId,
+            name: client.name,
+            scopes: client.scopes,
+            active: client.active,
+            clientSecretHash: client.clientSecretHash,
+        };
+    },
+    async createM2MClient(data) {
+        const client = await M2MClient.create(data);
+        return { id: String(client._id) };
+    },
+    async deleteM2MClient(clientId) {
+        await M2MClient.deleteOne({ clientId });
+    },
+    async listM2MClients() {
+        const clients = await M2MClient.find({}).lean();
+        return clients.map((c) => ({
+            id: String(c._id),
+            clientId: c.clientId,
+            name: c.name,
+            scopes: c.scopes,
+            active: c.active,
+        }));
+    },
 };
+function mongoGroupToRecord(doc) {
+    return {
+        id: String(doc._id),
+        name: doc.name,
+        displayName: doc.displayName,
+        description: doc.description,
+        roles: doc.roles ?? [],
+        tenantId: doc.tenantId ?? null,
+        createdAt: doc.createdAt instanceof Date ? doc.createdAt.getTime() : doc.createdAt,
+        updatedAt: doc.updatedAt instanceof Date ? doc.updatedAt.getTime() : doc.updatedAt,
+    };
+}

package/dist/adapters/s3Storage.d.ts

@@ -0,0 +1,14 @@
+import type { StorageAdapter } from "../lib/storageAdapter";
+export interface S3StorageConfig {
+    bucket: string;
+    region?: string;
+    endpoint?: string;
+    credentials?: {
+        accessKeyId: string;
+        secretAccessKey: string;
+    };
+    publicUrl?: string;
+    forcePathStyle?: boolean;
+    streaming?: boolean;
+}
+export declare const s3Storage: (config: S3StorageConfig) => StorageAdapter;

package/dist/adapters/s3Storage.js

@@ -0,0 +1,126 @@
+function requireS3Client() {
+    try {
+        // eslint-disable-next-line @typescript-eslint/no-require-imports
+        return require("@aws-sdk/client-s3");
+    }
+    catch {
+        throw new Error("@aws-sdk/client-s3 is not installed. Run: bun add @aws-sdk/client-s3");
+    }
+}
+function requirePresigner() {
+    try {
+        // eslint-disable-next-line @typescript-eslint/no-require-imports
+        return require("@aws-sdk/s3-request-presigner");
+    }
+    catch {
+        throw new Error("@aws-sdk/s3-request-presigner is not installed. Run: bun add @aws-sdk/s3-request-presigner");
+    }
+}
+function requireLibStorage() {
+    try {
+        // eslint-disable-next-line @typescript-eslint/no-require-imports
+        return require("@aws-sdk/lib-storage");
+    }
+    catch {
+        throw new Error("@aws-sdk/lib-storage is not installed. Run: bun add @aws-sdk/lib-storage");
+    }
+}
+export const s3Storage = (config) => {
+    let _client = null;
+    const getClient = () => {
+        if (!_client) {
+            const { S3Client } = requireS3Client();
+            _client = new S3Client({
+                region: config.region ?? "us-east-1",
+                ...(config.endpoint ? { endpoint: config.endpoint } : {}),
+                ...(config.credentials ? { credentials: config.credentials } : {}),
+                ...(config.forcePathStyle !== undefined ? { forcePathStyle: config.forcePathStyle } : {}),
+            });
+        }
+        return _client;
+    };
+    return {
+        async put(key, data, meta) {
+            const bucket = meta.bucket ?? config.bucket;
+            const client = getClient();
+            if (config.streaming && data instanceof ReadableStream) {
+                const { Upload } = requireLibStorage();
+                const upload = new Upload({
+                    client,
+                    params: {
+                        Bucket: bucket,
+                        Key: key,
+                        Body: data,
+                        ContentType: meta.mimeType,
+                    },
+                });
+                await upload.done();
+            }
+            else {
+                const { PutObjectCommand } = requireS3Client();
+                let body;
+                if (data instanceof ReadableStream) {
+                    const response = new Response(data);
+                    body = Buffer.from(await response.arrayBuffer());
+                }
+                else if (data instanceof Blob) {
+                    body = Buffer.from(await data.arrayBuffer());
+                }
+                else {
+                    body = data;
+                }
+                await client.send(new PutObjectCommand({
+                    Bucket: bucket,
+                    Key: key,
+                    Body: body,
+                    ContentType: meta.mimeType,
+                    ContentLength: meta.size,
+                }));
+            }
+            const url = config.publicUrl
+                ? `${config.publicUrl.replace(/\/$/, "")}/${key}`
+                : undefined;
+            return { ...(url !== undefined ? { url } : {}) };
+        },
+        async get(key) {
+            const { GetObjectCommand } = requireS3Client();
+            const client = getClient();
+            const bucket = config.bucket;
+            try {
+                const result = await client.send(new GetObjectCommand({ Bucket: bucket, Key: key }));
+                return {
+                    stream: result.Body,
+                    mimeType: result.ContentType,
+                    size: result.ContentLength,
+                };
+            }
+            catch (err) {
+                if (err?.name === "NoSuchKey" || err?.$metadata?.httpStatusCode === 404)
+                    return null;
+                throw err;
+            }
+        },
+        async delete(key) {
+            const { DeleteObjectCommand } = requireS3Client();
+            const client = getClient();
+            await client.send(new DeleteObjectCommand({ Bucket: config.bucket, Key: key }));
+        },
+        async presignPut(key, opts) {
+            const { PutObjectCommand } = requireS3Client();
+            const { getSignedUrl } = requirePresigner();
+            const client = getClient();
+            const params = {
+                Bucket: config.bucket,
+                Key: key,
+                ...(opts.mimeType ? { ContentType: opts.mimeType } : {}),
+            };
+            return getSignedUrl(client, new PutObjectCommand(params), { expiresIn: opts.expirySeconds });
+        },
+        async presignGet(key, opts) {
+            const { GetObjectCommand } = requireS3Client();
+            const { getSignedUrl } = requirePresigner();
+            const client = getClient();
+            return getSignedUrl(client, new GetObjectCommand({ Bucket: config.bucket, Key: key }), { expiresIn: opts.expirySeconds });
+        },
+    };
+};

package/dist/adapters/sqliteAuth.d.ts

@@ -15,6 +15,10 @@ import type { RefreshResult } from "../lib/session";
 export declare const sqliteSetRefreshToken: (sessionId: string, refreshToken: string) => void;
 export declare const sqliteGetSessionByRefreshToken: (refreshToken: string) => RefreshResult | null;
 export declare const sqliteRotateRefreshToken: (sessionId: string, newRefreshToken: string, newAccessToken: string) => void;
+export declare const sqliteGetSessionFingerprint: (sessionId: string) => string | null;
+export declare const sqliteSetSessionFingerprint: (sessionId: string, fingerprint: string) => void;
+export declare const sqliteGetMfaVerifiedAt: (sessionId: string) => number | null;
+export declare const sqliteSetMfaVerifiedAt: (sessionId: string, ts: number) => void;
 export declare const sqliteStoreOAuthState: (state: string, codeVerifier?: string, linkUserId?: string) => void;
 export declare const sqliteConsumeOAuthState: (state: string) => {
     codeVerifier?: string;
@@ -31,12 +35,38 @@ export declare const sqliteGetVerificationToken: (token: string) => {
     email: string;
 } | null;
 export declare const sqliteDeleteVerificationToken: (token: string) => void;
+export declare const sqliteConsumeVerificationToken: (token: string) => {
+    userId: string;
+    email: string;
+} | null;
 export declare const sqliteCreateResetToken: (token: string, userId: string, email: string, ttlSeconds: number) => void;
 export declare const sqliteConsumeResetToken: (hash: string) => {
     userId: string;
     email: string;
 } | null;
+export declare const sqliteCreateDeletionCancelToken: (token: string, userId: string, jobId: string, ttlSeconds: number) => void;
+export declare const sqliteConsumeDeletionCancelToken: (hash: string) => {
+    userId: string;
+    jobId: string;
+} | null;
 import type { OAuthCodePayload } from "../lib/oauthCode";
 export declare const sqliteStoreOAuthCode: (hash: string, payload: OAuthCodePayload, ttlSeconds: number) => void;
 export declare const sqliteConsumeOAuthCode: (hash: string) => OAuthCodePayload | null;
 export declare const startSqliteCleanup: (intervalMs?: number) => ReturnType<typeof setInterval>;
+export declare const sqliteRegisterUpload: (record: {
+    key: string;
+    ownerUserId?: string;
+    tenantId?: string;
+    mimeType?: string;
+    bucket?: string;
+    createdAt: number;
+}) => void;
+export declare const sqliteGetUploadRecord: (key: string) => {
+    key: string;
+    ownerUserId?: string;
+    tenantId?: string;
+    mimeType?: string;
+    bucket?: string;
+    createdAt: number;
+} | null;
+export declare const sqliteDeleteUploadRecord: (key: string) => boolean;