@lastshotlabs/bunshot 0.0.25 → 0.0.27

package/dist/routes/auth.js

@@ -1,4 +1,5 @@
 import { createRoute, withSecurity } from "../lib/createRoute";
+import { HttpError } from "../lib/HttpError";
 import { z } from "zod";
 import { setCookie, getCookie, deleteCookie } from "hono/cookie";
 import * as AuthService from "../services/auth";
@@ -6,15 +7,18 @@ import { makeRegisterSchema, makeLoginSchema, resetPasswordSchema } from "../sch
 import { COOKIE_TOKEN, HEADER_USER_TOKEN, COOKIE_REFRESH_TOKEN, HEADER_REFRESH_TOKEN } from "../lib/constants";
 import { userAuth } from "../middleware/userAuth";
 import { isLimited, trackAttempt, bustAuthLimit } from "../lib/authRateLimit";
+import { isStuffingBlocked, trackFailedLogin } from "../lib/credentialStuffing";
 import { getAuthAdapter } from "../lib/authAdapter";
 import { createRouter } from "../lib/context";
-import { getVerificationToken, deleteVerificationToken, createVerificationToken } from "../lib/emailVerification";
+import { consumeVerificationToken, createVerificationToken } from "../lib/emailVerification";
 import { createResetToken, consumeResetToken } from "../lib/resetPassword";
 import { createDeletionCancelToken, consumeDeletionCancelToken } from "../lib/deletionCancelToken";
-import { getRefreshTokenExpiry, getAccessTokenExpiry, getCsrfEnabled, getAppName } from "../lib/appConfig";
+import { getRefreshTokenExpiry, getAccessTokenExpiry, getCsrfEnabled, getAppName, getBreachedPasswordConfig } from "../lib/appConfig";
+import { checkBreachedPassword } from "../lib/breachedPassword";
 import { refreshCsrfToken, clearCsrfToken } from "../middleware/csrf";
-import { getUserSessions, deleteSession, deleteUserSessions } from "../lib/session";
+import { getUserSessions, deleteSession, deleteUserSessions, setMfaVerifiedAt } from "../lib/session";
 import { getClientIp } from "../lib/clientIp";
+import { emitSecurityEvent } from "../lib/securityEvents";
 const isProd = process.env.NODE_ENV === "production";
 const TokenResponse = z.object({
     token: z.string().describe("JWT session token. Also set as an HttpOnly session cookie. Empty string when mfaRequired is true."),
@@ -37,7 +41,7 @@ const cookieOptions = (maxAge) => ({
     path: "/",
     maxAge: maxAge ?? 60 * 60 * 24 * 7, // 7 days
 });
-export const createAuthRouter = ({ primaryField, emailVerification, passwordReset, rateLimit, accountDeletion, refreshTokens }) => {
+export const createAuthRouter = ({ primaryField, emailVerification, passwordReset, rateLimit, accountDeletion, refreshTokens, stepUp }) => {
     const router = createRouter();
     const RegisterSchema = makeRegisterSchema(primaryField);
     const LoginSchema = makeLoginSchema(primaryField);
@@ -66,10 +70,18 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
     }), async (c) => {
         const ip = getClientIp(c);
         if (await trackAttempt(`register:${ip}`, registerOpts)) {
+            emitSecurityEvent({ eventType: "security.rate_limit.exceeded", severity: "warn", timestamp: new Date().toISOString(), meta: { path: c.req.path } });
             return c.json({ error: "Too many registration attempts. Try again later." }, 429);
         }
         const body = c.req.valid("json");
         const identifier = body[primaryField];
+        const breachConfig = getBreachedPasswordConfig();
+        if (breachConfig) {
+            const { breached } = await checkBreachedPassword(body.password, breachConfig);
+            if (breached && breachConfig.block !== false) {
+                throw new HttpError(400, "This password has appeared in a data breach. Please choose a different password.", "BREACHED_PASSWORD");
+            }
+        }
         const metadata = {
             ipAddress: ip !== "unknown" ? ip : undefined,
             userAgent: c.req.header("user-agent") ?? undefined,
@@ -81,7 +93,8 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
         }
         if (getCsrfEnabled())
             refreshCsrfToken(c);
-        return c.json(result, 201);
+        const { refreshToken: _rt, ...safeResult } = result;
+        return c.json(result.refreshToken ? safeResult : result, 201);
     });
     router.openapi(createRoute({
         method: "post",
@@ -100,11 +113,23 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
         const body = c.req.valid("json");
         const identifier = body[primaryField];
         const limitKey = `login:${identifier}`;
+        const clientIp = getClientIp(c) ?? "unknown";
+        if (isStuffingBlocked(clientIp, identifier)) {
+            emitSecurityEvent({
+                eventType: "security.credential_stuffing.detected",
+                severity: "critical",
+                timestamp: new Date().toISOString(),
+                ip: clientIp,
+                meta: { identifier },
+            });
+            throw new HttpError(429, "Too many login attempts from this source", "CREDENTIAL_STUFFING_BLOCKED");
+        }
         if (await isLimited(limitKey, loginOpts)) {
+            emitSecurityEvent({ eventType: "security.rate_limit.exceeded", severity: "warn", timestamp: new Date().toISOString(), meta: { path: c.req.path } });
             return c.json({ error: "Too many failed login attempts. Try again later." }, 429);
         }
         const metadata = {
-            ipAddress: getClientIp(c),
+            ipAddress: clientIp !== "unknown" ? clientIp : undefined,
             userAgent: c.req.header("user-agent") ?? undefined,
         };
         try {
@@ -118,9 +143,13 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
                 if (getCsrfEnabled())
                     refreshCsrfToken(c);
             }
-            return c.json(result, 200);
+            const { refreshToken: _rt, ...safeResult } = result;
+            return c.json(result.refreshToken ? safeResult : result, 200);
         }
         catch (err) {
+            if (err instanceof HttpError && err.status === 401) {
+                trackFailedLogin(clientIp, identifier);
+            }
             await trackAttempt(limitKey, loginOpts); // failure — count it
             throw err;
         }
@@ -255,13 +284,25 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
         method: "post",
         path: "/auth/set-password",
         summary: "Set or update password",
-        description: "Sets or updates the password for the authenticated user. Useful for OAuth-only users who want to add a password. Requires a valid session.",
+        description: "Sets or updates the password for the authenticated user. Useful for OAuth-only users who want to add a password. If the account already has a password set, `currentPassword` is required. Requires a valid session.",
         tags,
-        request: { body: { content: { "application/json": { schema: z.object({ password: z.string().min(8).describe("New password. Minimum 8 characters.") }) } }, description: "New password." } },
+        request: {
+            body: {
+                content: {
+                    "application/json": {
+                        schema: z.object({
+                            password: z.string().min(8).describe("New password."),
+                            currentPassword: z.string().optional().describe("Current password. Required if the account already has a password set."),
+                        }),
+                    },
+                },
+                description: "New password.",
+            },
+        },
         responses: {
             200: { content: { "application/json": { schema: z.object({ message: z.string() }) } }, description: "Password updated successfully." },
-            400: { content: { "application/json": { schema: ErrorResponse } }, description: "Validation error (e.g. password too short)." },
-            401: { content: { "application/json": { schema: ErrorResponse } }, description: "No valid session." },
+            400: { content: { "application/json": { schema: ErrorResponse } }, description: "Validation error, or current password is required when one is already set." },
+            401: { content: { "application/json": { schema: ErrorResponse } }, description: "No valid session, or current password is incorrect." },
             501: { content: { "application/json": { schema: ErrorResponse } }, description: "The configured auth adapter does not support setPassword." },
         },
     }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
@@ -269,10 +310,27 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
         if (!adapter.setPassword) {
             return c.json({ error: "Auth adapter does not support setPassword" }, 501);
         }
-        const { password } = c.req.valid("json");
+        const { password, currentPassword } = c.req.valid("json");
         const authUserId = c.get("authUserId");
+        // If the user already has a password, require currentPassword to change it
+        const user = adapter.getUser ? await adapter.getUser(authUserId) : null;
+        if (user) {
+            const findFn = adapter.findByIdentifier ?? (user.email ? adapter.findByEmail.bind(adapter) : null);
+            if (findFn && user.email) {
+                const found = await findFn(user.email);
+                if (found?.passwordHash) {
+                    if (!currentPassword) {
+                        return c.json({ error: "Current password is required to change an existing password." }, 400);
+                    }
+                    if (!(await Bun.password.verify(currentPassword, found.passwordHash))) {
+                        return c.json({ error: "Current password is incorrect." }, 401);
+                    }
+                }
+            }
+        }
         const passwordHash = await Bun.password.hash(password);
         await adapter.setPassword(authUserId, passwordHash);
+        emitSecurityEvent({ eventType: "auth.password.change", severity: "info", timestamp: new Date().toISOString() });
         return c.json({ message: "Password updated" }, 200);
     });
     router.openapi(createRoute({
@@ -314,12 +372,13 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
             }
             const { token } = c.req.valid("json");
             const adapter = getAuthAdapter();
-            const entry = await getVerificationToken(token);
+            const entry = await consumeVerificationToken(token);
             if (!entry)
                 return c.json({ error: "Invalid or expired verification token" }, 400);
             if (adapter.setEmailVerified)
                 await adapter.setEmailVerified(entry.userId, true);
-            await deleteVerificationToken(token);
+            if (getCsrfEnabled())
+                refreshCsrfToken(c);
             return c.json({ message: "Email verified" }, 200);
         });
         router.openapi(createRoute({
@@ -436,6 +495,13 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
                 return c.json({ error: "Too many attempts. Try again later." }, 429);
             }
             const { token, password } = c.req.valid("json");
+            const breachConfig = getBreachedPasswordConfig();
+            if (breachConfig) {
+                const { breached } = await checkBreachedPassword(password, breachConfig);
+                if (breached && breachConfig.block !== false) {
+                    throw new HttpError(400, "This password has appeared in a data breach. Please choose a different password.", "BREACHED_PASSWORD");
+                }
+            }
             // consumeResetToken atomically gets and deletes — prevents concurrent replay
             const entry = await consumeResetToken(token);
             if (!entry)
@@ -449,6 +515,7 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
             // Revoke all sessions so stolen JWTs can't stay valid after a reset
             const sessions = await getUserSessions(entry.userId);
             await Promise.all(sessions.map((s) => deleteSession(s.sessionId)));
+            emitSecurityEvent({ eventType: "auth.password.reset", severity: "info", timestamp: new Date().toISOString() });
             return c.json({ message: "Password reset successfully" }, 200);
         });
     }
@@ -458,7 +525,6 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
     if (refreshTokens) {
         const RefreshResponse = z.object({
             token: z.string().describe("New short-lived JWT access token."),
-            refreshToken: z.string().describe("New refresh token (rotation). The previous token is valid for a short grace window."),
             userId: z.string().describe("Unique user ID."),
         }).openapi("RefreshResponse");
         router.openapi(createRoute({
@@ -497,7 +563,8 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
             const result = await AuthService.refresh(rt);
             setCookie(c, COOKIE_TOKEN, result.token, cookieOptions(getAccessTokenExpiry()));
             setCookie(c, COOKIE_REFRESH_TOKEN, result.refreshToken, cookieOptions(getRefreshTokenExpiry()));
-            return c.json(result, 200);
+            const { refreshToken: _rt, ...safeResult } = result;
+            return c.json(safeResult, 200);
         });
     }
     // ---------------------------------------------------------------------------
@@ -548,6 +615,78 @@ export const createAuthRouter = ({ primaryField, emailVerification, passwordRese
         });
     }
     // ---------------------------------------------------------------------------
+    // Step-up MFA re-authentication — only mounted when stepUp is configured
+    // ---------------------------------------------------------------------------
+    if (stepUp) {
+        const stepUpOpts = { windowMs: rateLimit?.mfaVerify?.windowMs ?? 15 * 60 * 1000, max: rateLimit?.mfaVerify?.max ?? 10 };
+        const stepUpSchema = z.object({
+            mfaCode: z.string().optional().describe("6-digit TOTP code or recovery code."),
+            password: z.string().optional().describe("Account password."),
+        }).refine(data => data.mfaCode || data.password, {
+            message: "Either mfaCode or password is required",
+        });
+        router.use("/auth/step-up", userAuth);
+        router.openapi(withSecurity(createRoute({
+            method: "post",
+            path: "/auth/step-up",
+            summary: "Step-up MFA re-authentication",
+            description: "Re-authenticates the current session via TOTP code or password to satisfy step-up requirements for sensitive operations. On success, sets mfaVerifiedAt in the session.",
+            tags,
+            request: {
+                body: {
+                    content: {
+                        "application/json": {
+                            schema: stepUpSchema,
+                        },
+                    },
+                    description: "TOTP code or password for re-authentication.",
+                },
+            },
+            responses: {
+                200: { content: { "application/json": { schema: z.object({ ok: z.literal(true) }) } }, description: "Step-up authentication successful." },
+                400: { content: { "application/json": { schema: ErrorResponse } }, description: "Neither mfaCode nor password provided." },
+                401: { content: { "application/json": { schema: ErrorResponse } }, description: "Invalid code or password, or no valid session." },
+                429: { content: { "application/json": { schema: ErrorResponse } }, description: "Too many step-up attempts. Try again later." },
+            },
+        }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+            const ip = getClientIp(c);
+            if (await trackAttempt(`step-up:${ip}`, stepUpOpts)) {
+                return c.json({ error: "Too many step-up attempts. Try again later." }, 429);
+            }
+            const userId = c.get("authUserId");
+            const sessionId = c.get("sessionId");
+            const { mfaCode, password } = c.req.valid("json");
+            let valid = false;
+            if (mfaCode) {
+                const { verifyTotp, verifyRecoveryCode } = await import("../services/mfa");
+                valid = await verifyTotp(userId, mfaCode);
+                if (!valid)
+                    valid = await verifyRecoveryCode(userId, mfaCode);
+            }
+            else if (password) {
+                const adapter = getAuthAdapter();
+                const findFn = adapter.findByIdentifier ?? (adapter.findByEmail ? adapter.findByEmail.bind(adapter) : null);
+                if (findFn) {
+                    const user = adapter.getUser ? await adapter.getUser(userId) : null;
+                    const identifier = user?.email ?? "";
+                    if (identifier) {
+                        const found = await findFn(identifier);
+                        if (found?.passwordHash) {
+                            valid = await Bun.password.verify(password, found.passwordHash);
+                        }
+                    }
+                }
+            }
+            if (!valid) {
+                emitSecurityEvent({ eventType: "auth.step_up.failure", severity: "warn", timestamp: new Date().toISOString(), userId });
+                return c.json({ error: "Invalid credentials" }, 401);
+            }
+            await setMfaVerifiedAt(sessionId);
+            emitSecurityEvent({ eventType: "auth.step_up.success", severity: "info", timestamp: new Date().toISOString(), userId });
+            return c.json({ ok: true }, 200);
+        });
+    }
+    // ---------------------------------------------------------------------------
     // Session management
     // ---------------------------------------------------------------------------
     const SessionInfoSchema = z.object({

package/dist/routes/jobs.js

@@ -21,6 +21,9 @@ export const createJobsRouter = (config) => {
     const allowedQueues = new Set(config.allowedQueues ?? []);
     const authConfig = config.auth ?? "none";
     const scopeToUser = config.scopeToUser ?? false;
+    if (process.env.NODE_ENV === "production" && authConfig === "none" && !config.unsafePublic) {
+        throw new Error("[security] jobs.auth is required in production. Set jobs.auth or set unsafePublic: true.");
+    }
     // Determine if userAuth is involved (for scopeToUser and OpenAPI security schemes)
     const hasUserAuth = authConfig === "userAuth" || Array.isArray(authConfig);
     // Apply middleware based on config
@@ -141,7 +144,9 @@ export const createJobsRouter = (config) => {
             filteredJobs = jobs.filter((job) => job.data?.userId === userId);
         }
         const result = await Promise.all(filteredJobs.map(jobToResponse));
-        return c.json({ jobs: result, total }, 200);
+        // NOTE: When scopeToUser is active, total is a page-local filtered count, not a
+        // globally accurate total. BullMQ does not support server-side user filtering.
+        return c.json({ jobs: result, total: scopeToUser && hasUserAuth ? filteredJobs.length : total }, 200);
     });
     // ─── Dead letter queue ────────────────────────────────────────────────
     // Must be registered BEFORE getJobRoute so that the literal path segment
@@ -187,8 +192,15 @@ export const createJobsRouter = (config) => {
             dlqQueue.getWaiting(start, end),
             dlqQueue.getWaitingCount(),
         ]);
-        const result = await Promise.all(jobs.map(jobToResponse));
-        return c.json({ jobs: result, total }, 200);
+        let filteredJobs = jobs;
+        if (scopeToUser && hasUserAuth) {
+            const userId = c.get("authUserId");
+            filteredJobs = jobs.filter((job) => job.data?.userId === userId);
+        }
+        const result = await Promise.all(filteredJobs.map(jobToResponse));
+        // NOTE: When scopeToUser is active, total is a page-local filtered count, not a
+        // globally accurate total. BullMQ does not support server-side user filtering.
+        return c.json({ jobs: result, total: scopeToUser && hasUserAuth ? filteredJobs.length : total }, 200);
     });
     // ─── Get job status ─────────────────────────────────────────────────────
     const getJobRoute = createRoute({
@@ -265,6 +277,12 @@ export const createJobsRouter = (config) => {
         const job = await queue.getJob(id);
         if (!job)
             return c.json({ error: "Job not found" }, 404);
+        if (scopeToUser && hasUserAuth) {
+            const userId = c.get("authUserId");
+            if (job.data?.userId !== userId) {
+                return c.json({ error: "Job not found" }, 404);
+            }
+        }
         const { logs, count } = await queue.getJobLogs(id);
         return c.json({ logs, count }, 200);
     });

package/dist/routes/m2m.d.ts

@@ -0,0 +1,2 @@
+import { Hono } from "hono";
+export declare function createM2MRouter(): Hono<import("hono/types").BlankEnv, import("hono/types").BlankSchema, "/">;

package/dist/routes/m2m.js

@@ -0,0 +1,72 @@
+import { Hono } from "hono";
+import { getAuthAdapter } from "../lib/authAdapter";
+import { signToken } from "../lib/jwt";
+import { HttpError } from "../lib/HttpError";
+import { getM2MTokenExpiry } from "../lib/appConfig";
+export function createM2MRouter() {
+    const router = new Hono();
+    /**
+     * POST /oauth/token
+     * OAuth 2.0 client_credentials grant
+     */
+    router.post("/oauth/token", async (c) => {
+        let body;
+        const contentType = c.req.header("content-type") ?? "";
+        if (contentType.includes("application/x-www-form-urlencoded")) {
+            const text = await c.req.text();
+            const params = new URLSearchParams(text);
+            body = {
+                grant_type: params.get("grant_type") ?? undefined,
+                client_id: params.get("client_id") ?? undefined,
+                client_secret: params.get("client_secret") ?? undefined,
+                scope: params.get("scope") ?? undefined,
+            };
+        }
+        else {
+            try {
+                body = await c.req.json();
+            }
+            catch {
+                throw new HttpError(400, "Invalid request body");
+            }
+        }
+        if (body.grant_type !== "client_credentials") {
+            throw new HttpError(400, "Unsupported grant type", "UNSUPPORTED_GRANT_TYPE");
+        }
+        const { client_id: clientId, client_secret: clientSecret } = body;
+        if (!clientId || !clientSecret) {
+            throw new HttpError(400, "client_id and client_secret are required");
+        }
+        const adapter = getAuthAdapter();
+        if (!adapter.getM2MClient) {
+            throw new HttpError(501, "M2M client credentials not supported by auth adapter");
+        }
+        const client = await adapter.getM2MClient(clientId);
+        if (!client) {
+            throw new HttpError(401, "Invalid client credentials");
+        }
+        const secretValid = await Bun.password.verify(clientSecret, client.clientSecretHash);
+        if (!secretValid) {
+            throw new HttpError(401, "Invalid client credentials");
+        }
+        // Validate requested scopes against client's allowed scopes
+        let grantedScopes = client.scopes;
+        if (body.scope) {
+            const requested = body.scope.split(" ");
+            const invalid = requested.filter((s) => !client.scopes.includes(s));
+            if (invalid.length > 0) {
+                throw new HttpError(400, `Scope not allowed: ${invalid.join(", ")}`, "INVALID_SCOPE");
+            }
+            grantedScopes = requested;
+        }
+        const expiry = getM2MTokenExpiry();
+        const token = await signToken({ sub: clientId, scope: grantedScopes.join(" ") }, expiry);
+        return c.json({
+            access_token: token,
+            token_type: "Bearer",
+            expires_in: expiry,
+            scope: grantedScopes.join(" "),
+        });
+    });
+    return router;
+}

package/dist/routes/metrics.d.ts

@@ -3,5 +3,6 @@ import type { AppEnv } from "../lib/context";
 export interface MetricsRouteConfig {
     auth?: "userAuth" | "none" | MiddlewareHandler<AppEnv>[];
     queues?: string[];
+    unsafePublic?: boolean;
 }
 export declare const createMetricsRouter: (config: MetricsRouteConfig) => import("@hono/zod-openapi").OpenAPIHono<AppEnv, {}, "/">;

package/dist/routes/metrics.js

@@ -4,6 +4,9 @@ import { userAuth } from "../middleware/userAuth";
 export const createMetricsRouter = (config) => {
     const router = createRouter();
     const authConfig = config.auth ?? "none";
+    if (process.env.NODE_ENV === "production" && authConfig === "none" && !config.unsafePublic) {
+        throw new Error("[security] metrics.auth is required in production. Set metrics.auth or set unsafePublic: true.");
+    }
     // Apply auth middleware
     if (authConfig === "userAuth") {
         router.use("/metrics", userAuth);

package/dist/routes/mfa.js

@@ -8,10 +8,12 @@ import * as AuthService from "../services/auth";
 import { consumeMfaChallenge, replaceMfaChallengeOtp } from "../lib/mfaChallenge";
 import { COOKIE_TOKEN, COOKIE_REFRESH_TOKEN } from "../lib/constants";
 import { getRefreshTokenConfig, getAccessTokenExpiry, getRefreshTokenExpiry, getMfaEmailOtpConfig, getMfaWebAuthnConfig, getCsrfEnabled } from "../lib/appConfig";
+import { setMfaVerifiedAt } from "../lib/session";
 import { refreshCsrfToken } from "../middleware/csrf";
 import { getAuthAdapter } from "../lib/authAdapter";
 import { trackAttempt } from "../lib/authRateLimit";
 import { getClientIp } from "../lib/clientIp";
+import { emitSecurityEvent } from "../lib/securityEvents";
 const isProd = process.env.NODE_ENV === "production";
 const cookieOptions = (maxAge) => ({
     httpOnly: true,
@@ -105,6 +107,7 @@ export const createMfaRouter = ({ rateLimit } = {}) => {
         const userId = c.get("authUserId");
         const { code } = c.req.valid("json");
         const recoveryCodes = await MfaService.verifySetup(userId, code);
+        emitSecurityEvent({ eventType: "auth.mfa.setup", severity: "info", timestamp: new Date().toISOString(), userId: c.get("authUserId") ?? undefined });
         return c.json({ message: "MFA enabled", recoveryCodes }, 200);
     });
     // ─── Verify (complete login after password) ───────────────────────────────
@@ -185,13 +188,17 @@ export const createMfaRouter = ({ rateLimit } = {}) => {
         if (!valid && code) {
             valid = await MfaService.verifyRecoveryCode(userId, code);
         }
-        if (!valid)
+        if (!valid) {
+            emitSecurityEvent({ eventType: "auth.mfa.verify.failure", severity: "warn", timestamp: new Date().toISOString() });
             return c.json({ error: "Invalid MFA code" }, 401);
+        }
         // Create session — reuse the service helper for refresh token support
         const result = await AuthService.createSessionForUser(userId, {
             ipAddress: getClientIp(c),
             userAgent: c.req.header("user-agent") ?? undefined,
         });
+        // Mark MFA as verified on the new session so step-up is satisfied immediately
+        await setMfaVerifiedAt(result.sessionId);
         const rtConfig = getRefreshTokenConfig();
         setCookie(c, COOKIE_TOKEN, result.token, cookieOptions(rtConfig ? getAccessTokenExpiry() : undefined));
         if (result.refreshToken) {
@@ -199,6 +206,7 @@ export const createMfaRouter = ({ rateLimit } = {}) => {
         }
         if (getCsrfEnabled())
             refreshCsrfToken(c);
+        emitSecurityEvent({ eventType: "auth.mfa.verify.success", severity: "info", timestamp: new Date().toISOString() });
         return c.json({ token: result.token, userId, refreshToken: result.refreshToken }, 200);
     });
     // ─── Disable MFA ──────────────────────────────────────────────────────────

package/dist/routes/oauth.js

@@ -25,6 +25,12 @@ const cookieOptions = (maxAge) => ({
 });
 const tags = ["OAuth"];
 const OAuthErrorResponse = z.object({ error: z.string().describe("Human-readable error message.") }).openapi("OAuthErrorResponse");
+// `postLoginRedirect` is always sourced from server-side config (passed into
+// `createOAuthRouter` at startup) and is never derived from user-supplied input
+// or OAuth callback query parameters. No runtime allowlist validation is required
+// because the value is not attacker-controlled. The `auth.oauth.allowedRedirectUrls`
+// config is available for consuming apps that want to enforce an explicit allowlist
+// at the framework level if they ever pass a dynamic value here.
 const finishOAuth = async (c, provider, providerId, profile, postLoginRedirect) => {
     const adapter = getAuthAdapter();
     if (!adapter.findOrCreateByProvider) {

package/dist/routes/oidc.d.ts

@@ -0,0 +1,2 @@
+import { Hono } from "hono";
+export declare function createOidcRouter(): Hono<import("hono/types").BlankEnv, import("hono/types").BlankSchema, "/">;

package/dist/routes/oidc.js

@@ -0,0 +1,29 @@
+import { Hono } from "hono";
+import { getJwks } from "../lib/jwks";
+import { getOidcConfig } from "../lib/appConfig";
+export function createOidcRouter() {
+    const router = new Hono();
+    router.get("/.well-known/openid-configuration", (c) => {
+        const config = getOidcConfig();
+        if (!config)
+            return c.json({ error: "OIDC not configured" }, 404);
+        const issuer = config.issuer;
+        const tokenEndpoint = config.tokenEndpoint ?? `${issuer}/oauth/token`;
+        return c.json({
+            issuer,
+            authorization_endpoint: `${issuer}/auth/oauth`,
+            token_endpoint: tokenEndpoint,
+            jwks_uri: `${issuer}/.well-known/jwks.json`,
+            response_types_supported: ["code"],
+            subject_types_supported: ["public"],
+            id_token_signing_alg_values_supported: ["RS256"],
+            scopes_supported: config.scopes ?? ["openid"],
+            token_endpoint_auth_methods_supported: ["client_secret_post"],
+            claims_supported: ["sub", "iss", "aud", "exp", "iat"],
+        });
+    });
+    router.get("/.well-known/jwks.json", (c) => {
+        return c.json(getJwks());
+    });
+    return router;
+}

package/dist/routes/passkey.d.ts

@@ -0,0 +1 @@
+export declare const createPasskeyRouter: () => import("@hono/zod-openapi").OpenAPIHono<import("../lib/context").AppEnv, {}, "/">;