@lastshotlabs/bunshot 0.0.25 → 0.0.27

package/dist/lib/emailVerification.js

@@ -2,8 +2,8 @@ import { getRedis } from "./redis";
 import { appConnection, mongoose } from "./mongo";
 import { getAppName, getTokenExpiry } from "./appConfig";
 import { sha256 } from "./crypto";
-import { sqliteCreateVerificationToken, sqliteGetVerificationToken, sqliteDeleteVerificationToken, } from "../adapters/sqliteAuth";
-import { memoryCreateVerificationToken, memoryGetVerificationToken, memoryDeleteVerificationToken, } from "../adapters/memoryAuth";
+import { sqliteCreateVerificationToken, sqliteGetVerificationToken, sqliteDeleteVerificationToken, sqliteConsumeVerificationToken, } from "../adapters/sqliteAuth";
+import { memoryCreateVerificationToken, memoryGetVerificationToken, memoryDeleteVerificationToken, memoryConsumeVerificationToken, } from "../adapters/memoryAuth";
 function getVerificationModel() {
     if (appConnection.models["EmailVerification"])
         return appConnection.models["EmailVerification"];
@@ -16,6 +16,25 @@ function getVerificationModel() {
     }, { collection: "email_verifications" });
     return appConnection.model("EmailVerification", verificationSchema);
 }
+// ---------------------------------------------------------------------------
+// Redis helpers
+// ---------------------------------------------------------------------------
+/** Atomically GET+DEL a key. Uses native GETDEL (Redis >= 6.2) with a Lua fallback. */
+async function redisGetDel(key) {
+    const redis = getRedis();
+    if (typeof redis.getdel === "function") {
+        try {
+            return await redis.getdel(key);
+        }
+        catch (err) {
+            const msg = err?.message ?? "";
+            if (!/unknown command|ERR unknown command/i.test(msg))
+                throw err;
+        }
+    }
+    const result = await redis.eval("local v = redis.call('GET', KEYS[1])\nif v then redis.call('DEL', KEYS[1]) end\nreturn v", 1, key);
+    return result ?? null;
+}
 let _store = "redis";
 export const setEmailVerificationStore = (store) => { _store = store; };
 // ---------------------------------------------------------------------------
@@ -24,7 +43,9 @@ export const setEmailVerificationStore = (store) => { _store = store; };
 /** Create a verification token. Returns the raw token (for the email link).
  *  Only the SHA-256 hash is persisted in the store. */
 export const createVerificationToken = async (userId, email) => {
-    const token = crypto.randomUUID();
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    const token = Buffer.from(bytes).toString("base64url");
     const hash = sha256(token);
     const ttl = getTokenExpiry();
     if (_store === "memory") {
@@ -84,3 +105,25 @@ export const deleteVerificationToken = async (token) => {
     }
     await getRedis().del(`verify:${getAppName()}:${hash}`);
 };
+/** Atomically consume a verification token — returns its payload and deletes it in one operation.
+ *  Returns null if the token is invalid, expired, or already used. */
+export const consumeVerificationToken = async (token) => {
+    const hash = sha256(token);
+    if (_store === "memory")
+        return memoryConsumeVerificationToken(hash);
+    if (_store === "sqlite")
+        return sqliteConsumeVerificationToken(hash);
+    if (_store === "mongo") {
+        const doc = await getVerificationModel()
+            .findOneAndDelete({ token: hash, expiresAt: { $gt: new Date() } })
+            .lean();
+        if (!doc)
+            return null;
+        return { userId: doc.userId, email: doc.email };
+    }
+    // Redis: atomically return and remove the key (GETDEL or Lua fallback)
+    const raw = await redisGetDel(`verify:${getAppName()}:${hash}`);
+    if (!raw)
+        return null;
+    return JSON.parse(raw);
+};

package/dist/lib/jwks.d.ts

@@ -0,0 +1,25 @@
+import { type JWK } from "jose";
+export interface JwksKeyConfig {
+    privateKey: string;
+    publicKey: string;
+    kid?: string;
+}
+type KeyMaterial = CryptoKey;
+export declare function loadJwksKey(config: JwksKeyConfig): Promise<void>;
+export declare function loadPreviousKey(config: {
+    publicKey: string;
+    kid?: string;
+}): Promise<void>;
+export declare function generateAndLoadKeyPair(): Promise<{
+    privateKey: string;
+    publicKey: string;
+}>;
+export declare function getSigningPrivateKey(): KeyMaterial;
+export declare function getVerifyPublicKeys(): KeyMaterial[];
+export declare function getJwks(): {
+    keys: JWK[];
+};
+export declare function isJwksLoaded(): boolean;
+/** @internal — reset for tests */
+export declare function _resetJwksState(): void;
+export {};

package/dist/lib/jwks.js

@@ -0,0 +1,51 @@
+import { generateKeyPair, exportJWK, importPKCS8, importSPKI } from "jose";
+let _primaryKey = null;
+let _previousKeys = [];
+export async function loadJwksKey(config) {
+    const kid = config.kid ?? "key-1";
+    const privateKey = await importPKCS8(config.privateKey, "RS256");
+    const publicKey = await importSPKI(config.publicKey, "RS256");
+    const jwk = await exportJWK(publicKey);
+    _primaryKey = { privateKey, publicKey, jwk: { ...jwk, kid, alg: "RS256", use: "sig" }, kid };
+}
+export async function loadPreviousKey(config) {
+    const kid = config.kid ?? `key-prev-${_previousKeys.length + 1}`;
+    const publicKey = await importSPKI(config.publicKey, "RS256");
+    const jwk = await exportJWK(publicKey);
+    _previousKeys.push({ privateKey: null, publicKey, jwk: { ...jwk, kid, alg: "RS256", use: "sig" }, kid });
+}
+export async function generateAndLoadKeyPair() {
+    const { privateKey: pk, publicKey: pubk } = await generateKeyPair("RS256", { modulusLength: 2048, extractable: true });
+    const { exportSPKI, exportPKCS8 } = await import("jose");
+    const privatePem = await exportPKCS8(pk);
+    const publicPem = await exportSPKI(pubk);
+    await loadJwksKey({ privateKey: privatePem, publicKey: publicPem, kid: "key-1" });
+    return { privateKey: privatePem, publicKey: publicPem };
+}
+export function getSigningPrivateKey() {
+    if (!_primaryKey)
+        throw new Error("RS256 requires OIDC key configuration — call loadJwksKey() first");
+    return _primaryKey.privateKey;
+}
+export function getVerifyPublicKeys() {
+    const keys = [];
+    if (_primaryKey)
+        keys.push(_primaryKey.publicKey);
+    keys.push(..._previousKeys.map((k) => k.publicKey));
+    return keys;
+}
+export function getJwks() {
+    const keys = [];
+    if (_primaryKey)
+        keys.push(_primaryKey.jwk);
+    keys.push(..._previousKeys.map((k) => k.jwk));
+    return { keys };
+}
+export function isJwksLoaded() {
+    return _primaryKey !== null;
+}
+/** @internal — reset for tests */
+export function _resetJwksState() {
+    _primaryKey = null;
+    _previousKeys = [];
+}

package/dist/lib/jwt.d.ts

@@ -1,2 +1,15 @@
-export declare const signToken: (userId: string, sessionId: string, expirySeconds?: number) => Promise<string>;
-export declare const verifyToken: (token: string) => Promise<import("jose").JWTPayload>;
+import type { JWTPayload } from "jose";
+export declare function validateJwtSecrets(): void;
+export type TokenClaims = {
+    sub: string;
+    sid?: string;
+    scope?: string;
+    [key: string]: unknown;
+};
+export declare function signToken(claims: TokenClaims, expirySeconds?: number): Promise<string>;
+export declare function signToken(userId: string, sessionId: string, expirySeconds?: number): Promise<string>;
+export declare const verifyToken: (token: string) => Promise<JWTPayload>;
+/** @internal — used by Feature 8 (OIDC) to switch to RS256 once key material is loaded */
+export declare function _setAlgorithm(alg: string): void;
+/** @internal — reset for testing */
+export declare function _resetJwtState(): void;

package/dist/lib/jwt.js

@@ -1,5 +1,8 @@
 import { SignJWT, jwtVerify } from "jose";
+import { getJwtIssuer, getJwtAudience } from "./appConfig";
+import { getSigningPrivateKey, getVerifyPublicKeys, isJwksLoaded } from "./jwks";
 let _secret = null;
+let _algorithm = "HS256";
 function getSecret() {
     if (_secret)
         return _secret;
@@ -14,11 +17,95 @@ function getSecret() {
     _secret = new TextEncoder().encode(rawSecret);
     return _secret;
 }
-export const signToken = async (userId, sessionId, expirySeconds) => new SignJWT({ sub: userId, sid: sessionId })
-    .setProtectedHeader({ alg: "HS256" })
-    .setExpirationTime(expirySeconds ? `${expirySeconds}s` : "7d")
-    .sign(getSecret());
+export function validateJwtSecrets() {
+    if (_algorithm !== "RS256") {
+        getSecret();
+    }
+}
+export async function signToken(claimsOrUserId, sessionIdOrExpiry, expirySeconds) {
+    let claims;
+    let expiry;
+    if (typeof claimsOrUserId === "string") {
+        // Legacy positional: signToken(userId, sessionId, expirySeconds?)
+        claims = { sub: claimsOrUserId, sid: sessionIdOrExpiry };
+        expiry = expirySeconds;
+    }
+    else {
+        // New object form: signToken(claims, expirySeconds?)
+        claims = claimsOrUserId;
+        expiry = sessionIdOrExpiry;
+    }
+    if (_algorithm === "RS256") {
+        if (!isJwksLoaded()) {
+            throw new Error("RS256 requires OIDC key configuration — call loadJwksKey() first");
+        }
+        // Use RS256 with JWKS key
+        const privateKey = getSigningPrivateKey();
+        const jwt = new SignJWT(claims)
+            .setProtectedHeader({ alg: "RS256", kid: "key-1" })
+            .setIssuedAt()
+            .setExpirationTime(expiry ? `${expiry}s` : "7d");
+        const issuer = getJwtIssuer();
+        const audience = getJwtAudience();
+        if (issuer)
+            jwt.setIssuer(issuer);
+        if (audience)
+            jwt.setAudience(audience);
+        return jwt.sign(privateKey);
+    }
+    const jwt = new SignJWT(claims)
+        .setProtectedHeader({ alg: _algorithm })
+        .setIssuedAt()
+        .setExpirationTime(expiry ? `${expiry}s` : "7d");
+    const issuer = getJwtIssuer();
+    const audience = getJwtAudience();
+    if (issuer)
+        jwt.setIssuer(issuer);
+    if (audience)
+        jwt.setAudience(audience);
+    return jwt.sign(getSecret());
+}
 export const verifyToken = async (token) => {
-    const { payload } = await jwtVerify(token, getSecret());
+    if (_algorithm === "RS256") {
+        if (!isJwksLoaded()) {
+            throw new Error("RS256 requires OIDC key configuration");
+        }
+        const publicKeys = getVerifyPublicKeys();
+        const opts = { algorithms: ["RS256"] };
+        const issuer = getJwtIssuer();
+        const audience = getJwtAudience();
+        if (issuer)
+            opts.issuer = issuer;
+        if (audience)
+            opts.audience = audience;
+        // Try each key (supports key rotation)
+        for (const key of publicKeys) {
+            try {
+                const { payload } = await jwtVerify(token, key, opts);
+                return payload;
+            }
+            catch {
+                continue;
+            }
+        }
+        throw new Error("JWT verification failed with all available keys");
+    }
+    const issuer = getJwtIssuer();
+    const audience = getJwtAudience();
+    const opts = { algorithms: [_algorithm] };
+    if (issuer)
+        opts.issuer = issuer;
+    if (audience)
+        opts.audience = audience;
+    const { payload } = await jwtVerify(token, getSecret(), opts);
     return payload;
 };
+/** @internal — used by Feature 8 (OIDC) to switch to RS256 once key material is loaded */
+export function _setAlgorithm(alg) {
+    _algorithm = alg;
+}
+/** @internal — reset for testing */
+export function _resetJwtState() {
+    _secret = null;
+    _algorithm = "HS256";
+}

package/dist/lib/logger.d.ts

@@ -1 +1,3 @@
 export declare const log: (...args: unknown[]) => void;
+/** Like log(), but also requires LOGGING_AUTH_TRACE=true. Use for lines that include user/session IDs. */
+export declare const authTrace: (...args: unknown[]) => void;

package/dist/lib/logger.js

@@ -5,3 +5,9 @@ export const log = (...args) => {
     if (verbose)
         console.log(...args);
 };
+const authTraceEnabled = process.env.LOGGING_AUTH_TRACE === "true";
+/** Like log(), but also requires LOGGING_AUTH_TRACE=true. Use for lines that include user/session IDs. */
+export const authTrace = (...args) => {
+    if (authTraceEnabled)
+        log(...args);
+};

package/dist/lib/m2m.d.ts

@@ -0,0 +1,29 @@
+import type { M2MClientRecord } from "./authAdapter";
+/**
+ * Look up an M2M client by clientId (active only).
+ * Returns the client record including clientSecretHash for verification.
+ */
+export declare function getM2MClient(clientId: string): Promise<(M2MClientRecord & {
+    clientSecretHash: string;
+}) | null>;
+/**
+ * Create a new M2M client. Returns the client ID and a plaintext secret (shown once).
+ * The secret is hashed with Bun.password before storage.
+ */
+export declare function createM2MClient(opts: {
+    clientId: string;
+    name: string;
+    scopes?: string[];
+}): Promise<{
+    id: string;
+    clientId: string;
+    clientSecret: string;
+}>;
+/**
+ * Delete an M2M client by clientId.
+ */
+export declare function deleteM2MClient(clientId: string): Promise<void>;
+/**
+ * List all M2M clients (secrets not included).
+ */
+export declare function listM2MClients(): Promise<M2MClientRecord[]>;

package/dist/lib/m2m.js

@@ -0,0 +1,48 @@
+import { getAuthAdapter } from "./authAdapter";
+/**
+ * Look up an M2M client by clientId (active only).
+ * Returns the client record including clientSecretHash for verification.
+ */
+export async function getM2MClient(clientId) {
+    const adapter = getAuthAdapter();
+    if (!adapter.getM2MClient)
+        return null;
+    return adapter.getM2MClient(clientId);
+}
+/**
+ * Create a new M2M client. Returns the client ID and a plaintext secret (shown once).
+ * The secret is hashed with Bun.password before storage.
+ */
+export async function createM2MClient(opts) {
+    const adapter = getAuthAdapter();
+    if (!adapter.createM2MClient) {
+        throw new Error("Auth adapter does not support M2M clients");
+    }
+    const clientSecret = crypto.randomUUID() + "-" + crypto.randomUUID();
+    const clientSecretHash = await Bun.password.hash(clientSecret);
+    const { id } = await adapter.createM2MClient({
+        clientId: opts.clientId,
+        clientSecretHash,
+        name: opts.name,
+        scopes: opts.scopes ?? [],
+    });
+    return { id, clientId: opts.clientId, clientSecret };
+}
+/**
+ * Delete an M2M client by clientId.
+ */
+export async function deleteM2MClient(clientId) {
+    const adapter = getAuthAdapter();
+    if (adapter.deleteM2MClient) {
+        await adapter.deleteM2MClient(clientId);
+    }
+}
+/**
+ * List all M2M clients (secrets not included).
+ */
+export async function listM2MClients() {
+    const adapter = getAuthAdapter();
+    if (!adapter.listM2MClients)
+        return [];
+    return adapter.listM2MClients();
+}

package/dist/lib/mfaChallenge.d.ts

@@ -1,4 +1,4 @@
-export type MfaChallengePurpose = "login" | "webauthn-registration";
+export type MfaChallengePurpose = "login" | "webauthn-registration" | "passkey-login";
 export interface MfaChallengeOptions {
     emailOtpHash?: string;
     webauthnChallenge?: string;
@@ -39,4 +39,17 @@ export declare const consumeWebAuthnRegistrationChallenge: (token: string) => Pr
     userId: string;
     challenge: string;
 } | null>;
+/**
+ * Create a passkey login challenge token. Not tied to a user — userId is resolved
+ * from the credential after assertion. Uses a fixed 120s TTL.
+ */
+export declare const createPasskeyLoginChallenge: (challenge: string) => Promise<string>;
+/**
+ * Consume a passkey login challenge token.
+ * Only accepts tokens with `purpose: "passkey-login"`.
+ * Returns the stored webauthnChallenge bytes or null if expired/invalid.
+ */
+export declare const consumePasskeyLoginChallenge: (token: string) => Promise<{
+    webauthnChallenge: string;
+} | null>;
 export {};

package/dist/lib/mfaChallenge.js

@@ -68,13 +68,35 @@ function ensureSqliteMfaTable() {
     catch { /* already exists */ }
     _sqliteTableCreated = true;
 }
+// ---------------------------------------------------------------------------
+// Redis helpers
+// ---------------------------------------------------------------------------
+/** Atomically GET+DEL a key. Uses native GETDEL (Redis >= 6.2) with a Lua fallback. */
+async function redisGetDel(key) {
+    const redis = getRedis();
+    if (typeof redis.getdel === "function") {
+        try {
+            return await redis.getdel(key);
+        }
+        catch (err) {
+            const msg = err?.message ?? "";
+            if (!/unknown command|ERR unknown command/i.test(msg))
+                throw err;
+            // Fall through to Lua on "unknown command"
+        }
+    }
+    const result = await redis.eval("local v = redis.call('GET', KEYS[1])\nif v then redis.call('DEL', KEYS[1]) end\nreturn v", 1, key);
+    return result ?? null;
+}
 let _store = "redis";
 export const setMfaChallengeStore = (store) => { _store = store; };
 // ---------------------------------------------------------------------------
 // Public API
 // ---------------------------------------------------------------------------
 export const createMfaChallenge = async (userId, options) => {
-    const token = crypto.randomUUID();
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    const token = Buffer.from(bytes).toString("base64url");
     const hash = sha256(token);
     const ttl = getMfaChallengeTtl();
     const now = Date.now();
@@ -135,10 +157,9 @@ export const consumeMfaChallenge = async (token) => {
     }
     // redis
     const key = `mfachallenge:${getAppName()}:${hash}`;
-    const raw = await getRedis().get(key);
+    const raw = await redisGetDel(key);
     if (!raw)
         return null;
-    await getRedis().del(key);
     const data = JSON.parse(raw);
     if (data.purpose !== "login")
         return null;
@@ -220,7 +241,9 @@ export const replaceMfaChallengeOtp = async (token, newEmailOtpHash) => {
  * uses `purpose: "webauthn-registration"` so it cannot be consumed by `consumeMfaChallenge`.
  */
 export const createWebAuthnRegistrationChallenge = async (userId, challenge) => {
-    const token = crypto.randomUUID();
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    const token = Buffer.from(bytes).toString("base64url");
     const hash = sha256(token);
     const ttl = getMfaChallengeTtl();
     const now = Date.now();
@@ -282,12 +305,94 @@ export const consumeWebAuthnRegistrationChallenge = async (token) => {
     }
     // redis
     const key = `mfachallenge:${getAppName()}:${hash}`;
-    const raw = await getRedis().get(key);
+    const raw = await redisGetDel(key);
     if (!raw)
         return null;
-    await getRedis().del(key);
     const data = JSON.parse(raw);
     if (data.purpose !== "webauthn-registration" || !data.webauthnChallenge)
         return null;
     return { userId: data.userId, challenge: data.webauthnChallenge };
 };
+// ---------------------------------------------------------------------------
+// Passkey login challenge helpers (passwordless first-factor)
+// ---------------------------------------------------------------------------
+const PASSKEY_LOGIN_CHALLENGE_TTL = 120; // seconds — single-use, so longer TTL is safe
+/**
+ * Create a passkey login challenge token. Not tied to a user — userId is resolved
+ * from the credential after assertion. Uses a fixed 120s TTL.
+ */
+export const createPasskeyLoginChallenge = async (challenge) => {
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    const token = Buffer.from(bytes).toString("base64url");
+    const hash = sha256(token);
+    const ttl = PASSKEY_LOGIN_CHALLENGE_TTL;
+    const now = Date.now();
+    const purpose = "passkey-login";
+    const userId = ""; // anonymous — resolved from credential ID at login time
+    if (_store === "memory") {
+        _memoryChallenges.set(hash, { userId, purpose, webauthnChallenge: challenge, createdAt: now, resendCount: 0, expiresAt: now + ttl * 1000 });
+        return token;
+    }
+    if (_store === "sqlite") {
+        ensureSqliteMfaTable();
+        _sqliteDb.run("INSERT INTO mfa_challenges (token, userId, purpose, webauthnChallenge, createdAt, resendCount, expiresAt) VALUES (?, ?, ?, ?, ?, 0, ?)", [hash, userId, purpose, challenge, now, now + ttl * 1000]);
+        return token;
+    }
+    if (_store === "mongo") {
+        await getMfaChallengeModel().create({
+            token: hash,
+            userId,
+            purpose,
+            webauthnChallenge: challenge,
+            createdAt: new Date(now),
+            resendCount: 0,
+            expiresAt: new Date(now + ttl * 1000),
+        });
+        return token;
+    }
+    // redis
+    await getRedis().set(`mfachallenge:${getAppName()}:${hash}`, JSON.stringify({ userId, purpose, webauthnChallenge: challenge, createdAt: now, resendCount: 0 }), "EX", ttl);
+    return token;
+};
+/**
+ * Consume a passkey login challenge token.
+ * Only accepts tokens with `purpose: "passkey-login"`.
+ * Returns the stored webauthnChallenge bytes or null if expired/invalid.
+ */
+export const consumePasskeyLoginChallenge = async (token) => {
+    const hash = sha256(token);
+    if (_store === "memory") {
+        const entry = _memoryChallenges.get(hash);
+        if (!entry || entry.expiresAt <= Date.now()) {
+            _memoryChallenges.delete(hash);
+            return null;
+        }
+        _memoryChallenges.delete(hash);
+        if (entry.purpose !== "passkey-login" || !entry.webauthnChallenge)
+            return null;
+        return { webauthnChallenge: entry.webauthnChallenge };
+    }
+    if (_store === "sqlite") {
+        ensureSqliteMfaTable();
+        const row = _sqliteDb.query("DELETE FROM mfa_challenges WHERE token = ? AND expiresAt > ? RETURNING purpose, webauthnChallenge").get(hash, Date.now());
+        if (!row || row.purpose !== "passkey-login" || !row.webauthnChallenge)
+            return null;
+        return { webauthnChallenge: row.webauthnChallenge };
+    }
+    if (_store === "mongo") {
+        const doc = await getMfaChallengeModel().findOneAndDelete({ token: hash, expiresAt: { $gt: new Date() } });
+        if (!doc || doc.purpose !== "passkey-login" || !doc.webauthnChallenge)
+            return null;
+        return { webauthnChallenge: doc.webauthnChallenge };
+    }
+    // redis
+    const key = `mfachallenge:${getAppName()}:${hash}`;
+    const raw = await redisGetDel(key);
+    if (!raw)
+        return null;
+    const data = JSON.parse(raw);
+    if (data.purpose !== "passkey-login" || !data.webauthnChallenge)
+        return null;
+    return { webauthnChallenge: data.webauthnChallenge };
+};

package/dist/lib/mongo.js

@@ -13,7 +13,7 @@ function requireMongoose() {
 }
 function buildUri(user, password, host, db) {
     const [hostPart, queryPart] = host.split("?");
-    return `mongodb+srv://${user}:${password}@${hostPart.replace(/\/$/, "")}/${db}${queryPart ? `?${queryPart}` : ""}`;
+    return `mongodb+srv://${encodeURIComponent(user)}:${encodeURIComponent(password)}@${hostPart.replace(/\/$/, "")}/${db}${queryPart ? `?${queryPart}` : ""}`;
 }
 // Internal mutable references — set inside connect functions
 let _authConn = null;

package/dist/lib/oauthCode.js

@@ -18,6 +18,25 @@ function getOAuthCodeModel() {
     }, { collection: "oauth_codes" });
     return appConnection.model("OAuthCode", schema);
 }
+// ---------------------------------------------------------------------------
+// Redis helpers
+// ---------------------------------------------------------------------------
+/** Atomically GET+DEL a key. Uses native GETDEL (Redis >= 6.2) with a Lua fallback. */
+async function redisGetDel(key) {
+    const redis = getRedis();
+    if (typeof redis.getdel === "function") {
+        try {
+            return await redis.getdel(key);
+        }
+        catch (err) {
+            const msg = err?.message ?? "";
+            if (!/unknown command|ERR unknown command/i.test(msg))
+                throw err;
+        }
+    }
+    const result = await redis.eval("local v = redis.call('GET', KEYS[1])\nif v then redis.call('DEL', KEYS[1]) end\nreturn v", 1, key);
+    return result ?? null;
+}
 let _store = "redis";
 export const setOAuthCodeStore = (store) => { _store = store; };
 const CODE_TTL = 60; // 60 seconds
@@ -27,7 +46,9 @@ const CODE_TTL = 60; // 60 seconds
 /** Store a one-time authorization code. Returns the raw code (for the redirect URL).
  *  Only the SHA-256 hash is persisted. */
 export const storeOAuthCode = async (payload) => {
-    const code = crypto.randomUUID();
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    const code = Buffer.from(bytes).toString("base64url");
     const hash = sha256(code);
     if (_store === "memory") {
         memoryStoreOAuthCode(hash, payload, CODE_TTL);
@@ -67,23 +88,7 @@ export const consumeOAuthCode = async (code) => {
     }
     // Redis
     const key = `oauthcode:${getAppName()}:${hash}`;
-    const redis = getRedis();
-    let raw = null;
-    if (typeof redis.getdel === "function") {
-        try {
-            raw = await redis.getdel(key);
-        }
-        catch {
-            raw = await redis.get(key);
-            if (raw)
-                await redis.del(key);
-        }
-    }
-    else {
-        raw = await redis.get(key);
-        if (raw)
-            await redis.del(key);
-    }
+    const raw = await redisGetDel(key);
     if (!raw)
         return null;
     return JSON.parse(raw);

package/dist/lib/resetPassword.js

@@ -44,7 +44,9 @@ export const setPasswordResetStore = (store) => { _store = store; };
 /** Create a reset token. Returns the raw token (to embed in the email link).
  *  Only the SHA-256 hash is persisted in the store. */
 export const createResetToken = async (userId, email) => {
-    const token = crypto.randomUUID();
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    const token = Buffer.from(bytes).toString("base64url");
     const hash = hashToken(token);
     const ttl = getResetTokenExpiry();
     if (_store === "memory") {

package/dist/lib/saml.d.ts

@@ -0,0 +1,25 @@
+import type { IdentityProfile } from "./authAdapter";
+export interface SamlProfile {
+    nameId: string;
+    nameIdFormat?: string;
+    email?: string;
+    firstName?: string;
+    lastName?: string;
+    displayName?: string;
+    groups?: string[];
+    attributes: Record<string, string | string[]>;
+}
+export interface SamlAttributeMapping {
+    email?: string;
+    firstName?: string;
+    lastName?: string;
+    groups?: string;
+}
+export declare function initSaml(config: import("./appConfig").SamlConfig): Promise<void>;
+export declare function createAuthnRequest(): {
+    redirectUrl: string;
+    id: string;
+};
+export declare function validateSamlResponse(body: string, config: import("./appConfig").SamlConfig): Promise<SamlProfile>;
+export declare function samlProfileToIdentityProfile(profile: SamlProfile): IdentityProfile;
+export declare function getSamlSpMetadata(): string;