@lastshotlabs/bunshot 0.0.25 → 0.0.27

package/dist/lib/appConfig.d.ts

@@ -84,6 +84,10 @@ export interface MfaWebAuthnConfig {
     timeout?: number;
     /** Reject authentication when sign count goes backward (cloned key detection). Default: false (accept + warn). */
     strictSignCount?: boolean;
+    /** Allow passwordless (first-factor) passkey login. When true, mounts POST /auth/passkey/login-options and POST /auth/passkey/login. Default: false. */
+    allowPasswordlessLogin?: boolean;
+    /** When true (default), a verified passkey login satisfies MFA — no subsequent TOTP/OTP prompt even if the user has MFA enabled. Set false to require MFA after passkey login. */
+    passkeyMfaBypass?: boolean;
 }
 export interface MfaConfig {
     /** Issuer name shown in authenticator apps. Defaults to app name. */
@@ -117,6 +121,8 @@ export declare const getMfaEmailOtpConfig: () => MfaEmailOtpConfig | null;
 export declare const getMfaEmailOtpCodeLength: () => number;
 export declare const getMfaWebAuthnConfig: () => MfaWebAuthnConfig | null;
 export declare const getMfaRequired: () => boolean;
+export declare const getMfaWebAuthnAllowPasswordlessLogin: () => boolean;
+export declare const getMfaWebAuthnPasskeyMfaBypass: () => boolean;
 export declare const setCsrfEnabled: (v: boolean) => void;
 export declare const getCsrfEnabled: () => boolean;
 export interface SigningConfig {
@@ -160,3 +166,110 @@ export declare const getSigningConfig: () => SigningConfig | null;
  * Returns null when neither is configured — callers must handle this gracefully.
  */
 export declare const getSigningSecret: () => string | string[] | null;
+export interface JwtConfig {
+    /** JWT issuer claim (`iss`). When set, added to all tokens and validated on verify. */
+    issuer?: string;
+    /** JWT audience claim (`aud`). When set, added to all tokens and validated on verify. */
+    audience?: string | string[];
+    /** JWT signing algorithm. Default: "HS256". Use "RS256" for OIDC. Requires OidcConfig when set to "RS256". */
+    algorithm?: "HS256" | "RS256";
+}
+export declare const setJwtConfig: (config: JwtConfig | null) => void;
+export declare const getJwtConfig: () => JwtConfig | null;
+export declare const getJwtIssuer: () => string | undefined;
+export declare const getJwtAudience: () => string | string[] | undefined;
+export interface BreachedPasswordConfig {
+    /** Block registration/reset when password is breached. Default: true. */
+    block?: boolean;
+    /** Minimum breach count to consider breached. Default: 1. */
+    minBreachCount?: number;
+    /** Request timeout in ms. Default: 3000. */
+    timeout?: number;
+    /** What to do when the HIBP API is unavailable. Default: "allow". */
+    onApiFailure?: "allow" | "block";
+}
+export declare const setBreachedPasswordConfig: (config: BreachedPasswordConfig | null) => void;
+export declare const getBreachedPasswordConfig: () => BreachedPasswordConfig | null;
+export interface StepUpConfig {
+    /** Max age in seconds since last MFA verification. Default: 300 (5 min). */
+    maxAge?: number;
+}
+export declare const setStepUpConfig: (config: StepUpConfig | null) => void;
+export declare const getStepUpConfig: () => StepUpConfig | null;
+export declare const setCheckSuspensionOnIdentify: (v: boolean) => void;
+export declare const getCheckSuspensionOnIdentify: () => boolean;
+export declare const setCaptchaConfig: (config: import("./captcha").CaptchaConfig | null) => void;
+export declare const getCaptchaConfig: () => import("./captcha").CaptchaConfig | null;
+export interface M2MConfig {
+    enabled?: boolean;
+    /** Access token expiry in seconds. Default: 3600 (1 hour). */
+    tokenExpiry?: number;
+    /** Allowed scopes for M2M clients. */
+    scopes?: string[];
+}
+export declare const setM2MConfig: (config: M2MConfig | null) => void;
+export declare const getM2MConfig: () => M2MConfig | null;
+export declare const getM2MTokenExpiry: () => number;
+export interface SamlConfig {
+    /** Service Provider entity ID (e.g. "https://yourapp.com/auth/saml"). */
+    entityId: string;
+    /** Assertion Consumer Service URL. */
+    acsUrl: string;
+    /** IdP metadata — XML string or URL. */
+    idpMetadata: string;
+    /** SP signing private key PEM. Optional. */
+    signingKey?: string;
+    /** SP signing certificate PEM. Optional. */
+    signingCert?: string;
+    /** Map IdP attribute names to profile fields. */
+    attributeMapping?: {
+        email?: string;
+        firstName?: string;
+        lastName?: string;
+        groups?: string;
+    };
+    /** Custom user lookup/creation. When provided, takes precedence over findOrCreateByProvider. */
+    onLogin?: (profile: SamlProfile) => Promise<{
+        userId: string;
+    }>;
+    /** Where to redirect after successful SAML login. Default: "/". */
+    postLoginRedirect?: string;
+}
+import type { SamlProfile } from "./saml";
+export declare const setSamlConfig: (config: SamlConfig | null) => void;
+export declare const getSamlConfig: () => SamlConfig | null;
+export interface OidcConfig {
+    enabled?: boolean;
+    /** JWT issuer — included in all tokens and OIDC discovery doc. Required. */
+    issuer: string;
+    /** RSA signing key. If not provided, a key pair is auto-generated on startup. */
+    signingKey?: {
+        privateKey: string;
+        publicKey: string;
+        kid?: string;
+    };
+    /** Previous signing keys for rotation (verification only). */
+    previousKeys?: Array<{
+        publicKey: string;
+        kid?: string;
+    }>;
+    /** Scopes advertised in the discovery document. Default: ["openid"]. */
+    scopes?: string[];
+    /** Token endpoint URL. Defaults to `${issuer}/oauth/token`. */
+    tokenEndpoint?: string;
+}
+export declare const setOidcConfig: (config: OidcConfig | null) => void;
+export declare const getOidcConfig: () => OidcConfig | null;
+export interface ScimConfig {
+    enabled?: boolean;
+    /** Bearer token(s) for SCIM endpoint authentication. Required. */
+    bearerTokens: string | string[];
+    /** Username mapping strategy. Default: "email". */
+    userMapping?: {
+        userName?: "email" | "username";
+    };
+    /** What to do when a user is deleted via SCIM. Default: "suspend". */
+    onDeprovision?: "suspend" | "delete" | ((userId: string) => Promise<void>);
+}
+export declare const setScimConfig: (config: ScimConfig | null) => void;
+export declare const getScimConfig: () => ScimConfig | null;

package/dist/lib/appConfig.js

@@ -60,6 +60,8 @@ export const getMfaEmailOtpConfig = () => _mfaConfig?.emailOtp ?? null;
 export const getMfaEmailOtpCodeLength = () => _mfaConfig?.emailOtp?.codeLength ?? 6;
 export const getMfaWebAuthnConfig = () => _mfaConfig?.webauthn ?? null;
 export const getMfaRequired = () => _mfaConfig?.required ?? false;
+export const getMfaWebAuthnAllowPasswordlessLogin = () => _mfaConfig?.webauthn?.allowPasswordlessLogin ?? false;
+export const getMfaWebAuthnPasskeyMfaBypass = () => _mfaConfig?.webauthn?.passkeyMfaBypass ?? true;
 // ---------------------------------------------------------------------------
 // CSRF config
 // ---------------------------------------------------------------------------
@@ -81,3 +83,39 @@ export const getSigningSecret = () => {
     const rawSecret = process.env[envKey];
     return rawSecret ?? null;
 };
+let _jwtConfig = null;
+export const setJwtConfig = (config) => { _jwtConfig = config; };
+export const getJwtConfig = () => _jwtConfig;
+export const getJwtIssuer = () => _jwtConfig?.issuer;
+export const getJwtAudience = () => _jwtConfig?.audience;
+let _breachedPasswordConfig = null;
+export const setBreachedPasswordConfig = (config) => { _breachedPasswordConfig = config; };
+export const getBreachedPasswordConfig = () => _breachedPasswordConfig;
+let _stepUpConfig = null;
+export const setStepUpConfig = (config) => { _stepUpConfig = config; };
+export const getStepUpConfig = () => _stepUpConfig;
+// ---------------------------------------------------------------------------
+// Suspension config
+// ---------------------------------------------------------------------------
+let _checkSuspensionOnIdentify = false;
+export const setCheckSuspensionOnIdentify = (v) => { _checkSuspensionOnIdentify = v; };
+export const getCheckSuspensionOnIdentify = () => _checkSuspensionOnIdentify;
+// ---------------------------------------------------------------------------
+// CAPTCHA config
+// ---------------------------------------------------------------------------
+let _captchaConfig = null;
+export const setCaptchaConfig = (config) => { _captchaConfig = config; };
+export const getCaptchaConfig = () => _captchaConfig;
+let _m2mConfig = null;
+export const setM2MConfig = (config) => { _m2mConfig = config; };
+export const getM2MConfig = () => _m2mConfig;
+export const getM2MTokenExpiry = () => _m2mConfig?.tokenExpiry ?? 3600;
+let _samlConfig = null;
+export const setSamlConfig = (config) => { _samlConfig = config; };
+export const getSamlConfig = () => _samlConfig;
+let _oidcConfig = null;
+export const setOidcConfig = (config) => { _oidcConfig = config; };
+export const getOidcConfig = () => _oidcConfig;
+let _scimConfig = null;
+export const setScimConfig = (config) => { _scimConfig = config; };
+export const getScimConfig = () => _scimConfig;

package/dist/lib/auditLog.d.ts

@@ -42,6 +42,12 @@ export declare function clearAuditLogMemoryStore(): void;
  * storage failures never fail the HTTP request.
  */
 export declare function logAuditEntry(entry: AuditLogEntry, options: AuditLogOptions): Promise<void>;
+/**
+ * Blocking variant of logAuditEntry for critical events (e.g. account deletion,
+ * password changes). Awaits the write and logs errors, but never rethrows —
+ * a logging failure must not break the HTTP response.
+ */
+export declare function logAuditEntryBlocking(entry: AuditLogEntry, options: AuditLogOptions): Promise<void>;
 /**
  * Query audit log entries from the configured store.
  * Returns `{ items, total }` where `total` is the filtered count before pagination.

package/dist/lib/auditLog.js

@@ -88,6 +88,23 @@ export async function logAuditEntry(entry, options) {
     }
 }
 // ---------------------------------------------------------------------------
+// logAuditEntryBlocking
+// ---------------------------------------------------------------------------
+/**
+ * Blocking variant of logAuditEntry for critical events (e.g. account deletion,
+ * password changes). Awaits the write and logs errors, but never rethrows —
+ * a logging failure must not break the HTTP response.
+ */
+export async function logAuditEntryBlocking(entry, options) {
+    try {
+        await logAuditEntry(entry, options);
+    }
+    catch (err) {
+        console.error("[auditLog] CRITICAL: blocking audit write failed:", err);
+        // Don't rethrow — we never want a logging failure to break the response
+    }
+}
+// ---------------------------------------------------------------------------
 // getAuditLogs
 // ---------------------------------------------------------------------------
 /**

package/dist/lib/authAdapter.d.ts

@@ -1,10 +1,23 @@
 import type { GroupRecord, GroupMembershipRecord, PaginationOpts, PaginatedResult } from "./groups";
 export type { GroupRecord, GroupMembershipRecord, PaginationOpts, PaginatedResult };
-export interface OAuthProfile {
+export interface M2MClientRecord {
+    id: string;
+    clientId: string;
+    name: string;
+    scopes: string[];
+    active: boolean;
+}
+export interface IdentityProfile {
     email?: string;
     name?: string;
+    firstName?: string;
+    lastName?: string;
+    displayName?: string;
     avatarUrl?: string;
+    externalId?: string;
 }
+/** @deprecated Use IdentityProfile */
+export type OAuthProfile = IdentityProfile;
 export interface WebAuthnCredential {
     /** Base64url-encoded credential ID. */
     credentialId: string;
@@ -49,6 +62,12 @@ export interface AuthAdapter {
         email?: string;
         providerIds?: string[];
         emailVerified?: boolean;
+        displayName?: string;
+        firstName?: string;
+        lastName?: string;
+        externalId?: string;
+        suspended?: boolean;
+        suspendedReason?: string;
     } | null>;
     /** Optional. Unlink a provider identity from a user (used by DELETE /auth/:provider/link). */
     unlinkProvider?(userId: string, provider: string): Promise<void>;
@@ -104,6 +123,20 @@ export interface AuthAdapter {
     updateWebAuthnCredentialSignCount?(userId: string, credentialId: string, signCount: number): Promise<void>;
     /** Optional. Find the user who owns a WebAuthn credential. Returns userId or null. Used for cross-user uniqueness checks. */
     findUserByWebAuthnCredentialId?(credentialId: string): Promise<string | null>;
+    /** Suspend or unsuspend a user. */
+    setSuspended?(userId: string, suspended: boolean, reason?: string): Promise<void>;
+    /** Get suspension status. Returns false if adapter doesn't track it. */
+    getSuspended?(userId: string): Promise<{
+        suspended: boolean;
+        suspendedReason?: string;
+    } | null>;
+    /** Update profile fields. */
+    updateProfile?(userId: string, fields: Partial<Pick<IdentityProfile, "displayName" | "firstName" | "lastName" | "externalId">>): Promise<void>;
+    /** List users matching a normalized query. */
+    listUsers?(query: UserQuery): Promise<{
+        users: UserRecord[];
+        totalResults: number;
+    }>;
     /**
      * Create a new group. Returns the new group's id.
      * The name must be a slug (/^[a-z0-9_-]+$/) and unique within its scope.
@@ -171,6 +204,43 @@ export interface AuthAdapter {
      * Tenant-scoped group roles NEVER satisfy app-wide role checks and vice versa.
      */
     getEffectiveRoles?(userId: string, tenantId: string | null): Promise<string[]>;
+    /** Optional. Look up an active M2M client by clientId (includes clientSecretHash for verification). */
+    getM2MClient?(clientId: string): Promise<(M2MClientRecord & {
+        clientSecretHash: string;
+    }) | null>;
+    /** Optional. Create a new M2M client. Returns the new client's id. */
+    createM2MClient?(client: {
+        clientId: string;
+        clientSecretHash: string;
+        name: string;
+        scopes: string[];
+    }): Promise<{
+        id: string;
+    }>;
+    /** Optional. Delete an M2M client by clientId. */
+    deleteM2MClient?(clientId: string): Promise<void>;
+    /** Optional. List all M2M clients (without secrets). */
+    listM2MClients?(): Promise<M2MClientRecord[]>;
+}
+export interface UserQuery {
+    email?: string;
+    externalId?: string;
+    suspended?: boolean;
+    startIndex?: number;
+    count?: number;
+}
+export interface UserRecord {
+    id: string;
+    email?: string;
+    displayName?: string;
+    firstName?: string;
+    lastName?: string;
+    externalId?: string;
+    suspended: boolean;
+    suspendedAt?: Date;
+    suspendedReason?: string;
+    emailVerified?: boolean;
+    providerIds?: string[];
 }
 export declare const setAuthAdapter: (adapter: AuthAdapter) => void;
 export declare const getAuthAdapter: () => AuthAdapter;

package/dist/lib/authRateLimit.js

@@ -20,10 +20,34 @@ const memoryStore = {
     async delete(key) {
         _memoryStore.delete(key);
     },
+    // No increment — memory store uses the read-modify-write fallback (single-process, acceptable)
 };
 // ---------------------------------------------------------------------------
 // Redis implementation
 // ---------------------------------------------------------------------------
+// Lua script: atomically read + increment + write JSON entry, preserving { count, resetAt } format.
+// Returns the new count as a number.
+const TRACK_SCRIPT = `
+local key = KEYS[1]
+local windowMs = tonumber(ARGV[1])
+local now = tonumber(ARGV[2])
+local raw = redis.call("GET", key)
+local count, resetAt
+
+if raw then
+  local entry = cjson.decode(raw)
+  count = entry.count + 1
+  resetAt = entry.resetAt
+else
+  count = 1
+  resetAt = now + windowMs
+end
+
+local ttl = math.max(1, resetAt - now)
+local payload = cjson.encode({count = count, resetAt = resetAt})
+redis.call("SET", key, payload, "PX", ttl)
+return count
+`;
 const redisStore = {
     async get(key) {
         const { getRedis } = await import("./redis");
@@ -43,6 +67,13 @@ const redisStore = {
         const { getRedis } = await import("./redis");
         await getRedis().del(`rl:${getAppName()}:${key}`);
     },
+    async increment(key, windowMs) {
+        const { getRedis } = await import("./redis");
+        const fullKey = `rl:${getAppName()}:${key}`;
+        const now = Date.now();
+        const count = await getRedis().eval(TRACK_SCRIPT, 1, fullKey, windowMs, now);
+        return count;
+    },
 };
 // ---------------------------------------------------------------------------
 // Active store + setter
@@ -60,6 +91,11 @@ export const isLimited = async (key, opts) => {
 };
 /** Increments the counter and returns true if now over the limit. */
 export const trackAttempt = async (key, opts) => {
+    if (_store.increment) {
+        const count = await _store.increment(key, opts.windowMs);
+        return count >= opts.max;
+    }
+    // Read-modify-write fallback for memory store (single-process — no lost increments)
     const now = Date.now();
     const existing = await _store.get(key);
     if (!existing) {

package/dist/lib/breachedPassword.d.ts

@@ -0,0 +1,13 @@
+import type { BreachedPasswordConfig } from "./appConfig";
+export type { BreachedPasswordConfig };
+/**
+ * Check whether a password has appeared in a data breach using the
+ * HaveIBeenPwned k-Anonymity API.
+ *
+ * Sends only the first 5 hex chars of the SHA-1 hash — the full hash
+ * never leaves the server.
+ */
+export declare function checkBreachedPassword(password: string, config?: BreachedPasswordConfig): Promise<{
+    breached: boolean;
+    count: number;
+}>;

package/dist/lib/breachedPassword.js

@@ -0,0 +1,48 @@
+/**
+ * Check whether a password has appeared in a data breach using the
+ * HaveIBeenPwned k-Anonymity API.
+ *
+ * Sends only the first 5 hex chars of the SHA-1 hash — the full hash
+ * never leaves the server.
+ */
+export async function checkBreachedPassword(password, config) {
+    const timeout = config?.timeout ?? 3000;
+    const minCount = config?.minBreachCount ?? 1;
+    // SHA-1 the password
+    const encoder = new TextEncoder();
+    const data = encoder.encode(password);
+    const hashBuffer = await crypto.subtle.digest("SHA-1", data);
+    const hashArray = Array.from(new Uint8Array(hashBuffer));
+    const hashHex = hashArray.map((b) => b.toString(16).padStart(2, "0")).join("").toUpperCase();
+    const prefix = hashHex.slice(0, 5);
+    const suffix = hashHex.slice(5);
+    let responseText;
+    try {
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), timeout);
+        const res = await fetch(`https://api.pwnedpasswords.com/range/${prefix}`, {
+            signal: controller.signal,
+            headers: { "Add-Padding": "true" },
+        });
+        clearTimeout(timer);
+        if (!res.ok)
+            throw new Error(`HIBP API returned ${res.status}`);
+        responseText = await res.text();
+    }
+    catch {
+        // API failure — apply onApiFailure policy
+        if (config?.onApiFailure === "block") {
+            return { breached: true, count: -1 };
+        }
+        return { breached: false, count: 0 };
+    }
+    // Parse response: each line is "SUFFIX:COUNT"
+    for (const line of responseText.split("\n")) {
+        const [lineSuffix, countStr] = line.trim().split(":");
+        if (lineSuffix === suffix) {
+            const count = parseInt(countStr, 10);
+            return { breached: count >= minCount, count };
+        }
+    }
+    return { breached: false, count: 0 };
+}

package/dist/lib/captcha.d.ts

@@ -0,0 +1,25 @@
+export type CaptchaProvider = "recaptcha" | "hcaptcha" | "turnstile";
+export interface CaptchaConfig {
+    provider: CaptchaProvider;
+    secretKey: string;
+    /** Minimum score for reCAPTCHA v3. Default: 0.5. Ignored for v2/hcaptcha/turnstile. */
+    minScore?: number;
+    /** Body field name containing the CAPTCHA token. Default: "captcha-token". */
+    tokenField?: string;
+    /** When true, only require CAPTCHA after rate limit threshold is hit. Default: false. */
+    adaptive?: boolean;
+    /** Rate limit window for adaptive mode. */
+    adaptiveThreshold?: {
+        windowMs: number;
+        max: number;
+    };
+}
+/**
+ * Verify a CAPTCHA token with the provider's API.
+ * Returns { success: true } on pass, { success: false, error } on fail.
+ */
+export declare function verifyCaptcha(token: string, config: CaptchaConfig, ip?: string): Promise<{
+    success: boolean;
+    score?: number;
+    error?: string;
+}>;

package/dist/lib/captcha.js

@@ -0,0 +1,37 @@
+const VERIFY_URLS = {
+    recaptcha: "https://www.google.com/recaptcha/api/siteverify",
+    hcaptcha: "https://hcaptcha.com/siteverify",
+    turnstile: "https://challenges.cloudflare.com/turnstile/v0/siteverify",
+};
+/**
+ * Verify a CAPTCHA token with the provider's API.
+ * Returns { success: true } on pass, { success: false, error } on fail.
+ */
+export async function verifyCaptcha(token, config, ip) {
+    const url = VERIFY_URLS[config.provider];
+    const body = new URLSearchParams({ secret: config.secretKey, response: token });
+    if (ip)
+        body.set("remoteip", ip);
+    let data;
+    try {
+        const res = await fetch(url, { method: "POST", body });
+        if (!res.ok)
+            return { success: false, error: `Provider returned ${res.status}` };
+        data = await res.json();
+    }
+    catch (err) {
+        return { success: false, error: "CAPTCHA provider unreachable" };
+    }
+    if (!data.success) {
+        return { success: false, error: String(data["error-codes"]?.[0] ?? "invalid-token") };
+    }
+    // reCAPTCHA v3: check score
+    if (config.provider === "recaptcha" && typeof data.score === "number") {
+        const minScore = config.minScore ?? 0.5;
+        if (data.score < minScore) {
+            return { success: false, score: data.score, error: "score-too-low" };
+        }
+        return { success: true, score: data.score };
+    }
+    return { success: true };
+}

package/dist/lib/context.d.ts

@@ -1,5 +1,6 @@
 import { OpenAPIHono, type Hook } from "@hono/zod-openapi";
 import type { ZodIssue } from "zod";
+import type { JWTPayload } from "jose";
 import type { UploadResult } from "./storageAdapter";
 export interface ValidationErrorDetail {
     path: string;
@@ -22,6 +23,10 @@ export type AppVariables = {
     validationErrorFormatter: ValidationErrorFormatter;
     uploadResults: UploadResult[] | null;
     uploadBucket: string | undefined;
+    /** Set by identify when a scope-bearing M2M token (no sid) is verified. */
+    authClientId: string | null;
+    /** Raw verified JWT payload stashed by identify for downstream middleware. Null when unauthenticated. */
+    tokenPayload: JWTPayload | null;
 };
 export type AppEnv = {
     Variables: AppVariables;

package/dist/lib/credentialStuffing.d.ts

@@ -0,0 +1,31 @@
+export interface CredentialStuffingConfig {
+    /** Block when an IP attempts login against this many distinct accounts. Default: 5 per 15 min. */
+    maxAccountsPerIp?: {
+        count: number;
+        windowMs: number;
+    };
+    /** Block when an account is attempted from this many distinct IPs. Default: 10 per 15 min. */
+    maxIpsPerAccount?: {
+        count: number;
+        windowMs: number;
+    };
+    /** Called when stuffing is detected. Non-blocking, errors swallowed. */
+    onDetected?: (signal: {
+        type: "ip" | "account";
+        key: string;
+        count: number;
+    }) => void;
+}
+export declare function setCredentialStuffingConfig(config: CredentialStuffingConfig | null): void;
+export declare function getCredentialStuffingConfig(): CredentialStuffingConfig | null;
+/**
+ * Track a failed login attempt. Call this AFTER confirming the login failed.
+ */
+export declare function trackFailedLogin(ip: string, identifier: string): void;
+/**
+ * Check whether this login attempt should be blocked.
+ * Call this BEFORE verifying credentials.
+ */
+export declare function isStuffingBlocked(ip: string, identifier: string): boolean;
+/** Clear the in-memory store (for testing). */
+export declare function clearCredentialStuffingStore(): void;

package/dist/lib/credentialStuffing.js

@@ -0,0 +1,77 @@
+// In-memory store: key → BoundedSet
+const _store = new Map();
+function cleanExpired() {
+    const now = Date.now();
+    for (const [key, entry] of _store.entries()) {
+        if (entry.expiresAt < now)
+            _store.delete(key);
+    }
+}
+function addToSet(key, member, windowMs) {
+    cleanExpired();
+    const now = Date.now();
+    let entry = _store.get(key);
+    if (!entry || entry.expiresAt < now) {
+        entry = { members: new Set(), expiresAt: now + windowMs };
+        _store.set(key, entry);
+    }
+    entry.members.add(member);
+    return entry.members.size;
+}
+function getSetSize(key) {
+    cleanExpired();
+    const now = Date.now();
+    const entry = _store.get(key);
+    if (!entry || entry.expiresAt < now)
+        return 0;
+    return entry.members.size;
+}
+let _config = null;
+export function setCredentialStuffingConfig(config) {
+    _config = config;
+}
+export function getCredentialStuffingConfig() {
+    return _config;
+}
+/**
+ * Track a failed login attempt. Call this AFTER confirming the login failed.
+ */
+export function trackFailedLogin(ip, identifier) {
+    if (!_config)
+        return;
+    const ipWindowMs = _config.maxAccountsPerIp?.windowMs ?? 15 * 60 * 1000;
+    const accountWindowMs = _config.maxIpsPerAccount?.windowMs ?? 15 * 60 * 1000;
+    addToSet(`ip:${ip}`, identifier, ipWindowMs);
+    addToSet(`account:${identifier}`, ip, accountWindowMs);
+}
+/**
+ * Check whether this login attempt should be blocked.
+ * Call this BEFORE verifying credentials.
+ */
+export function isStuffingBlocked(ip, identifier) {
+    if (!_config)
+        return false;
+    const ipMax = _config.maxAccountsPerIp?.count ?? 5;
+    const accountMax = _config.maxIpsPerAccount?.count ?? 10;
+    const ipCount = getSetSize(`ip:${ip}`);
+    if (ipCount >= ipMax) {
+        try {
+            _config.onDetected?.({ type: "ip", key: ip, count: ipCount });
+        }
+        catch { /* swallow */ }
+        return true;
+    }
+    const accountCount = getSetSize(`account:${identifier}`);
+    if (accountCount >= accountMax) {
+        try {
+            _config.onDetected?.({ type: "account", key: identifier, count: accountCount });
+        }
+        catch { /* swallow */ }
+        return true;
+    }
+    return false;
+}
+/** Clear the in-memory store (for testing). */
+export function clearCredentialStuffingStore() {
+    _store.clear();
+}

package/dist/lib/emailVerification.d.ts

@@ -10,4 +10,10 @@ export declare const getVerificationToken: (token: string) => Promise<{
 } | null>;
 /** Delete a verification token by its raw value. Hashes before lookup. */
 export declare const deleteVerificationToken: (token: string) => Promise<void>;
+/** Atomically consume a verification token — returns its payload and deletes it in one operation.
+ *  Returns null if the token is invalid, expired, or already used. */
+export declare const consumeVerificationToken: (token: string) => Promise<{
+    userId: string;
+    email: string;
+} | null>;
 export {};