@lastshotlabs/bunshot 0.0.25 → 0.0.27

package/dist/middleware/csrf.js

@@ -4,11 +4,15 @@ import { COOKIE_TOKEN, COOKIE_CSRF_TOKEN, HEADER_CSRF_TOKEN } from "../lib/const
 import { createHmac, randomBytes } from "crypto";
 const isProd = process.env.NODE_ENV === "production";
 const STATE_CHANGING_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);
-function getJwtSecret() {
+let _csrfSecret = null;
+function getCsrfSecret() {
+    if (_csrfSecret)
+        return _csrfSecret;
     const secret = isProd ? process.env.JWT_SECRET_PROD : process.env.JWT_SECRET_DEV;
     if (!secret)
         throw new Error("CSRF middleware requires JWT_SECRET_DEV/JWT_SECRET_PROD to be set");
-    return secret;
+    _csrfSecret = secret;
+    return _csrfSecret;
 }
 function generateCsrfToken(secret) {
     const token = randomBytes(32).toString("hex");
@@ -36,7 +40,7 @@ const csrfCookieOptions = {
  * session fixation-adjacent attacks.
  */
 export function refreshCsrfToken(c) {
-    const secret = getJwtSecret();
+    const secret = getCsrfSecret();
     const token = generateCsrfToken(secret);
     setCookie(c, COOKIE_CSRF_TOKEN, token, csrfCookieOptions);
 }
@@ -68,7 +72,7 @@ export const csrfProtection = (options = {}) => {
             "origins to enable origin validation.");
     }
     return async (c, next) => {
-        const secret = getJwtSecret();
+        const secret = getCsrfSecret();
         // Set CSRF cookie on every response if not already present
         const existingCsrf = getCookie(c, COOKIE_CSRF_TOKEN);
         if (!existingCsrf) {

package/dist/middleware/errorHandler.js

@@ -6,7 +6,10 @@ export const errorHandler = async (req, next) => {
     catch (err) {
         console.error(err);
         if (err instanceof HttpError) {
-            return Response.json({ error: err.message }, { status: err.status });
+            const body = { error: err.message };
+            if (err.code !== undefined)
+                body.code = err.code;
+            return Response.json(body, { status: err.status });
         }
         return Response.json({ error: "Internal Server Error" }, { status: 500 });
     }

package/dist/middleware/identify.js

@@ -2,10 +2,12 @@ import { getCookie } from "hono/cookie";
 import { verifyToken } from "../lib/jwt";
 import { getSession, updateSessionLastActive, getSessionFingerprint, setSessionFingerprint } from "../lib/session";
 import { COOKIE_TOKEN, HEADER_USER_TOKEN } from "../lib/constants";
-import { log } from "../lib/logger";
-import { getTrackLastActive, getSigningConfig } from "../lib/appConfig";
+import { log, authTrace } from "../lib/logger";
+import { getTrackLastActive, getSigningConfig, getCheckSuspensionOnIdentify } from "../lib/appConfig";
+import { getSuspended } from "../lib/suspension";
 import { getClientIp } from "../lib/clientIp";
-import { sha256 } from "../lib/crypto";
+import { sha256, timingSafeEqual } from "../lib/crypto";
+import { HttpError } from "../lib/HttpError";
 function computeFingerprint(c, fields) {
     const parts = fields.map((f) => {
         if (f === "ip")
@@ -20,20 +22,31 @@ export const identify = async (c, next) => {
     c.set("authUserId", null);
     c.set("roles", null);
     c.set("sessionId", null);
+    c.set("authClientId", null);
+    c.set("tokenPayload", null);
     // cookie for browsers, x-user-token header for non-browser clients
     const token = getCookie(c, COOKIE_TOKEN) ?? c.req.header(HEADER_USER_TOKEN) ?? null;
     log(`[identify] token=${token ? "present" : "absent"}`);
     if (token) {
         try {
             const payload = await verifyToken(token);
+            c.set("tokenPayload", payload);
             const sessionId = payload.sid;
             if (!sessionId) {
-                log("[identify] token missing sid claim — unauthenticated");
+                // Check for M2M token (scope present, no sid)
+                if (payload.scope && payload.sub) {
+                    c.set("authClientId", payload.sub);
+                    log(`[identify] M2M token for clientId=${payload.sub}`);
+                }
+                else {
+                    log("[identify] token missing sid claim — unauthenticated");
+                }
             }
             else {
                 const stored = await getSession(sessionId);
-                log(`[identify] token for authUserId=${payload.sub} verified, checking session...`);
-                if (stored === token) {
+                log("[identify] token verified, checking session...");
+                authTrace(`[identify] authUserId=${payload.sub}`);
+                if (timingSafeEqual(stored ?? "", token)) {
                     const signingCfg = getSigningConfig();
                     const bindingCfg = signingCfg?.sessionBinding;
                     if (bindingCfg) {
@@ -45,19 +58,20 @@ export const identify = async (c, next) => {
                         if (storedFp === null) {
                             // First authenticated request — store the fingerprint
                             setSessionFingerprint(sessionId, current).catch(() => {
-                                log(`[identify] failed to store fingerprint for sessionId=${sessionId}`);
+                                log("[identify] failed to store session fingerprint");
                             });
                             c.set("authUserId", payload.sub);
                             c.set("sessionId", sessionId);
                         }
-                        else if (storedFp === current) {
+                        else if (timingSafeEqual(storedFp, current)) {
                             c.set("authUserId", payload.sub);
                             c.set("sessionId", sessionId);
                         }
                         else {
-                            log(`[identify] fingerprint mismatch for sessionId=${sessionId} onMismatch=${onMismatch}`);
+                            log(`[identify] fingerprint mismatch, onMismatch=${onMismatch}`);
+                            authTrace(`[identify] sessionId=${sessionId}`);
                             if (onMismatch === "reject") {
-                                return c.json({ error: "Unauthorized", code: "FINGERPRINT_MISMATCH" }, 401);
+                                throw new HttpError(401, "Unauthorized", "FINGERPRINT_MISMATCH");
                             }
                             else if (onMismatch === "log-only") {
                                 c.set("authUserId", payload.sub);
@@ -71,10 +85,21 @@ export const identify = async (c, next) => {
                         c.set("sessionId", sessionId);
                     }
                     if (c.get("authUserId")) {
-                        log(`[identify] authUserId=${payload.sub} sessionId=${sessionId}`);
+                        if (getCheckSuspensionOnIdentify()) {
+                            const suspensionStatus = await getSuspended(payload.sub).catch(() => ({ suspended: false }));
+                            if (suspensionStatus.suspended) {
+                                c.set("authUserId", null);
+                                c.set("sessionId", null);
+                                c.set("roles", null);
+                                log(`[identify] userId=${payload.sub} is suspended — unauthenticated`);
+                            }
+                        }
+                    }
+                    if (c.get("authUserId")) {
+                        authTrace(`[identify] authUserId=${payload.sub} sessionId=${sessionId}`);
                         if (getTrackLastActive()) {
                             updateSessionLastActive(sessionId).catch(() => {
-                                log(`[identify] failed to update lastActiveAt for sessionId=${sessionId}`);
+                                log("[identify] failed to update session lastActiveAt");
                             });
                         }
                     }
@@ -84,7 +109,9 @@ export const identify = async (c, next) => {
                 }
             }
         }
-        catch {
+        catch (err) {
+            if (err instanceof HttpError)
+                throw err;
             log("[identify] invalid token — unauthenticated");
         }
     }

package/dist/middleware/requestSigning.js

@@ -1,6 +1,7 @@
 import { getSigningConfig, getSigningSecret } from "../lib/appConfig";
 import { hmacVerify } from "../lib/signing";
 import { HEADER_SIGNATURE, HEADER_TIMESTAMP } from "../lib/constants";
+import { HttpError } from "../lib/HttpError";
 /**
  * Canonicalize the query string for signing.
  *
@@ -60,22 +61,22 @@ export const requireSignedRequest = (opts) => async (c, next) => {
     const rawTs = c.req.header(tsHeader);
     const tsNum = rawTs !== undefined ? parseInt(rawTs, 10) : NaN;
     if (isNaN(tsNum)) {
-        return c.json({ error: "Unauthorized", code: "EXPIRED_TIMESTAMP" }, 401);
+        throw new HttpError(401, "Unauthorized", "EXPIRED_TIMESTAMP");
     }
     // Auto-detect Unix seconds (< 1e10) vs milliseconds
     const tsMs = tsNum < 1e10 ? tsNum * 1000 : tsNum;
     if (Math.abs(Date.now() - tsMs) > tolerance) {
-        return c.json({ error: "Unauthorized", code: "EXPIRED_TIMESTAMP" }, 401);
+        throw new HttpError(401, "Unauthorized", "EXPIRED_TIMESTAMP");
     }
     // --- Signature header ---
     const sig = c.req.header(sigHeader);
     if (!sig) {
-        return c.json({ error: "Unauthorized", code: "INVALID_SIGNATURE" }, 401);
+        throw new HttpError(401, "Unauthorized", "INVALID_SIGNATURE");
     }
     // --- Secret resolution ---
     const secret = getSigningSecret();
     if (!secret) {
-        return c.json({ error: "Internal Server Error", code: "SIGNING_SECRET_MISSING" }, 500);
+        throw new HttpError(500, "Internal Server Error", "SIGNING_SECRET_MISSING");
     }
     // --- Build canonical string ---
     const method = c.req.method.toUpperCase();
@@ -93,7 +94,7 @@ export const requireSignedRequest = (opts) => async (c, next) => {
         valid = false;
     }
     if (!valid) {
-        return c.json({ error: "Unauthorized", code: "INVALID_SIGNATURE" }, 401);
+        throw new HttpError(401, "Unauthorized", "INVALID_SIGNATURE");
     }
     await next();
 };

package/dist/middleware/requireMfaSetup.js

@@ -1,4 +1,5 @@
 import { getAuthAdapter } from "../lib/authAdapter";
+import { HttpError } from "../lib/HttpError";
 const EXEMPT_PREFIXES = ["/auth/", "/health", "/docs", "/openapi.json"];
 /**
  * Middleware that blocks authenticated users who have not completed MFA setup.
@@ -30,7 +31,7 @@ export const requireMfaSetup = async (c, next) => {
     }
     const enabled = await adapter.isMfaEnabled(userId);
     if (!enabled) {
-        return c.json({ error: "MFA setup required", code: "MFA_SETUP_REQUIRED" }, 403);
+        throw new HttpError(403, "MFA setup required", "MFA_SETUP_REQUIRED");
     }
     return next();
 };

package/dist/middleware/requireScope.d.ts

@@ -0,0 +1,10 @@
+import type { MiddlewareHandler } from "hono";
+import type { AppEnv } from "../lib/context";
+/**
+ * Middleware that requires the JWT to contain all specified scopes.
+ * Reads scope from `tokenPayload.scope` (set by identify middleware).
+ *
+ * @example
+ * router.get("/data", requireScope("read:data"), handler);
+ */
+export declare const requireScope: (...requiredScopes: string[]) => MiddlewareHandler<AppEnv>;

package/dist/middleware/requireScope.js

@@ -0,0 +1,25 @@
+import { HttpError } from "../lib/HttpError";
+/**
+ * Middleware that requires the JWT to contain all specified scopes.
+ * Reads scope from `tokenPayload.scope` (set by identify middleware).
+ *
+ * @example
+ * router.get("/data", requireScope("read:data"), handler);
+ */
+export const requireScope = (...requiredScopes) => async (c, next) => {
+    const payload = c.get("tokenPayload");
+    if (!payload) {
+        throw new HttpError(401, "Authentication required");
+    }
+    const scope = payload.scope;
+    if (!scope) {
+        throw new HttpError(403, "Insufficient scope", "INSUFFICIENT_SCOPE");
+    }
+    const grantedScopes = scope.split(" ");
+    for (const required of requiredScopes) {
+        if (!grantedScopes.includes(required)) {
+            throw new HttpError(403, "Insufficient scope", "INSUFFICIENT_SCOPE");
+        }
+    }
+    await next();
+};

package/dist/middleware/requireStepUp.d.ts

@@ -0,0 +1,18 @@
+import type { MiddlewareHandler } from "hono";
+import type { AppEnv } from "../lib/context";
+export interface StepUpOptions {
+    /** Max age in seconds since last MFA verification. Default: 300 (5 min). */
+    maxAge?: number;
+}
+/**
+ * Middleware that requires the user to have recently completed step-up MFA.
+ *
+ * Attach to sensitive routes that require fresh MFA verification:
+ * ```
+ * router.post("/transfer", userAuth, requireStepUp(), transferHandler);
+ * ```
+ *
+ * The user completes step-up via POST /auth/step-up.
+ * After successful step-up, mfaVerifiedAt is stored in their session.
+ */
+export declare const requireStepUp: (opts?: StepUpOptions) => MiddlewareHandler<AppEnv>;

package/dist/middleware/requireStepUp.js

@@ -0,0 +1,29 @@
+import { getMfaVerifiedAt } from "../lib/session";
+import { HttpError } from "../lib/HttpError";
+/**
+ * Middleware that requires the user to have recently completed step-up MFA.
+ *
+ * Attach to sensitive routes that require fresh MFA verification:
+ * ```
+ * router.post("/transfer", userAuth, requireStepUp(), transferHandler);
+ * ```
+ *
+ * The user completes step-up via POST /auth/step-up.
+ * After successful step-up, mfaVerifiedAt is stored in their session.
+ */
+export const requireStepUp = (opts) => async (c, next) => {
+    const sessionId = c.get("sessionId");
+    if (!sessionId) {
+        throw new HttpError(401, "Authentication required");
+    }
+    const maxAge = opts?.maxAge ?? 300;
+    const verifiedAt = await getMfaVerifiedAt(sessionId);
+    if (verifiedAt === null) {
+        throw new HttpError(403, "Step-up authentication required", "STEP_UP_REQUIRED");
+    }
+    const now = Math.floor(Date.now() / 1000);
+    if (now - verifiedAt > maxAge) {
+        throw new HttpError(403, "Step-up authentication expired", "STEP_UP_REQUIRED");
+    }
+    await next();
+};

package/dist/middleware/scimAuth.d.ts

@@ -0,0 +1,8 @@
+import type { MiddlewareHandler } from "hono";
+import type { AppEnv } from "../lib/context";
+export declare function setScimTokens(tokens: string | string[]): void;
+/**
+ * Middleware that validates SCIM bearer tokens.
+ * Tokens are checked with timingSafeEqual to prevent timing attacks.
+ */
+export declare const scimAuth: MiddlewareHandler<AppEnv>;

package/dist/middleware/scimAuth.js

@@ -0,0 +1,29 @@
+import { timingSafeEqual } from "../lib/crypto";
+import { HttpError } from "../lib/HttpError";
+let _scimTokens = [];
+export function setScimTokens(tokens) {
+    _scimTokens = Array.isArray(tokens) ? tokens : [tokens];
+}
+/**
+ * Middleware that validates SCIM bearer tokens.
+ * Tokens are checked with timingSafeEqual to prevent timing attacks.
+ */
+export const scimAuth = async (c, next) => {
+    const authHeader = c.req.header("authorization") ?? "";
+    if (!authHeader.startsWith("Bearer ")) {
+        throw new HttpError(401, "SCIM bearer token required");
+    }
+    const provided = authHeader.slice(7);
+    const valid = _scimTokens.some((token) => {
+        try {
+            return timingSafeEqual(provided, token);
+        }
+        catch {
+            return false;
+        }
+    });
+    if (!valid) {
+        throw new HttpError(401, "Invalid SCIM token");
+    }
+    await next();
+};

package/dist/middleware/webhookAuth.d.ts

@@ -18,7 +18,7 @@ export interface WebhookAuthOptions {
     /** Header that carries the signature. Default: `"x-webhook-signature"`. */
     header?: string;
     /** HMAC algorithm. Default: `"sha256"`. */
-    algorithm?: "sha256" | "sha512" | "sha1";
+    algorithm?: "sha256" | "sha512";
     /**
      * Strip this prefix from the signature header value before comparing.
      * e.g. `"sha256="` for GitHub-style `X-Hub-Signature-256: sha256=<hex>`.

package/dist/middleware/webhookAuth.js

@@ -1,5 +1,6 @@
 import { createHmac } from "crypto";
 import { timingSafeEqual } from "../lib/crypto";
+import { HttpError } from "../lib/HttpError";
 export const webhookAuth = (options) => async (c, next) => {
     const algorithm = options.algorithm ?? "sha256";
     const sigHeader = options.header ?? "x-webhook-signature";
@@ -9,18 +10,18 @@ export const webhookAuth = (options) => async (c, next) => {
         const rawTs = c.req.header(tsHeader);
         const tsNum = rawTs !== undefined ? parseInt(rawTs, 10) : NaN;
         if (isNaN(tsNum)) {
-            return c.json({ error: "Unauthorized", code: "EXPIRED_TIMESTAMP" }, 401);
+            throw new HttpError(401, "Unauthorized", "EXPIRED_TIMESTAMP");
         }
         // Auto-detect Unix seconds (< 1e10) vs milliseconds
         const tsMs = tsNum < 1e10 ? tsNum * 1000 : tsNum;
         if (Math.abs(Date.now() - tsMs) > tolerance) {
-            return c.json({ error: "Unauthorized", code: "EXPIRED_TIMESTAMP" }, 401);
+            throw new HttpError(401, "Unauthorized", "EXPIRED_TIMESTAMP");
         }
     }
     // --- Signature header ---
     const rawSig = c.req.header(sigHeader);
     if (!rawSig) {
-        return c.json({ error: "Unauthorized", code: "INVALID_SIGNATURE" }, 401);
+        throw new HttpError(401, "Unauthorized", "INVALID_SIGNATURE");
     }
     const provided = options.prefix && rawSig.startsWith(options.prefix)
         ? rawSig.slice(options.prefix.length)
@@ -32,7 +33,7 @@ export const webhookAuth = (options) => async (c, next) => {
             secret = await options.secret(c);
         }
         catch {
-            return c.json({ error: "Internal Server Error", code: "WEBHOOK_SECRET_ERROR" }, 500);
+            throw new HttpError(500, "Internal Server Error", "WEBHOOK_SECRET_ERROR");
         }
     }
     else {
@@ -51,7 +52,7 @@ export const webhookAuth = (options) => async (c, next) => {
         valid = false;
     }
     if (!valid) {
-        return c.json({ error: "Unauthorized", code: "INVALID_SIGNATURE" }, 401);
+        throw new HttpError(401, "Unauthorized", "INVALID_SIGNATURE");
     }
     await next();
 };

package/dist/models/AuthUser.d.ts

@@ -25,6 +25,13 @@ interface IAuthUser {
         name?: string;
         createdAt: Date;
     }>;
+    displayName?: string;
+    firstName?: string;
+    lastName?: string;
+    externalId?: string;
+    suspended: boolean;
+    suspendedAt?: Date;
+    suspendedReason?: string;
 }
 type AuthUserDocument = IAuthUser & Document;
 export declare const AuthUser: Model<AuthUserDocument, {}, {}, {}, Document<unknown, {}, AuthUserDocument, {}, import("mongoose").DefaultSchemaOptions> & IAuthUser & Document<import("mongoose").Types.ObjectId, any, any, Record<string, any>, {}> & Required<{

package/dist/models/AuthUser.js

@@ -31,6 +31,13 @@ function getAuthUser() {
                     name: { type: String },
                     createdAt: { type: Date, default: Date.now },
                 }],
+            displayName: { type: String, default: null },
+            firstName: { type: String, default: null },
+            lastName: { type: String, default: null },
+            externalId: { type: String, default: null, index: true, sparse: true },
+            suspended: { type: Boolean, default: false },
+            suspendedAt: { type: Date, default: null },
+            suspendedReason: { type: String, default: null },
         }, { timestamps: true });
         schema.index({ providerIds: 1 });
         _AuthUser = authConnection.model("AuthUser", schema);

package/dist/models/M2MClient.d.ts

@@ -0,0 +1,18 @@
+import mongoose from "mongoose";
+export interface IM2MClient {
+    _id: string;
+    clientId: string;
+    clientSecretHash: string;
+    name: string;
+    scopes: string[];
+    active: boolean;
+    createdAt: Date;
+    updatedAt: Date;
+}
+export declare const M2MClient: mongoose.Model<IM2MClient, {}, {}, {}, mongoose.Document<unknown, {}, IM2MClient, {}, mongoose.DefaultSchemaOptions> & IM2MClient & Required<{
+    _id: string;
+}> & {
+    __v: number;
+} & {
+    id: string;
+}, any, IM2MClient>;

package/dist/models/M2MClient.js

@@ -0,0 +1,18 @@
+import mongoose from "mongoose";
+const m2mClientSchema = new mongoose.Schema({
+    clientId: { type: String, required: true, unique: true },
+    clientSecretHash: { type: String, required: true },
+    name: { type: String, required: true },
+    scopes: { type: [String], default: [] },
+    active: { type: Boolean, default: true },
+}, { timestamps: true });
+// Lazy proxy pattern (same as AuthUser.ts)
+export const M2MClient = new Proxy({}, {
+    get(_, prop) {
+        const { authConnection } = require("../lib/mongo");
+        if (!authConnection)
+            throw new Error("authConnection not initialized — call connectAuthMongo() or connectMongo() first");
+        const model = authConnection.models["M2MClient"] ?? authConnection.model("M2MClient", m2mClientSchema);
+        return model[prop];
+    },
+});

package/dist/routes/auth.d.ts

@@ -1,4 +1,4 @@
-import type { PrimaryField, EmailVerificationConfig, PasswordResetConfig, RefreshTokenConfig } from "../lib/appConfig";
+import type { PrimaryField, EmailVerificationConfig, PasswordResetConfig, RefreshTokenConfig, StepUpConfig } from "../lib/appConfig";
 import type { AuthRateLimitConfig, AccountDeletionConfig } from "../app";
 export interface AuthRouterOptions {
     primaryField: PrimaryField;
@@ -7,5 +7,6 @@ export interface AuthRouterOptions {
     rateLimit?: AuthRateLimitConfig;
     accountDeletion?: AccountDeletionConfig;
     refreshTokens?: RefreshTokenConfig;
+    stepUp?: StepUpConfig;
 }
-export declare const createAuthRouter: ({ primaryField, emailVerification, passwordReset, rateLimit, accountDeletion, refreshTokens }: AuthRouterOptions) => import("@hono/zod-openapi").OpenAPIHono<import("../lib/context").AppEnv, {}, "/">;
+export declare const createAuthRouter: ({ primaryField, emailVerification, passwordReset, rateLimit, accountDeletion, refreshTokens, stepUp }: AuthRouterOptions) => import("@hono/zod-openapi").OpenAPIHono<import("../lib/context").AppEnv, {}, "/">;