@lastshotlabs/bunshot 0.0.25 → 0.0.27

package/dist/routes/passkey.js

@@ -0,0 +1,157 @@
+import { createRoute } from "../lib/createRoute";
+import { z } from "zod";
+import { setCookie } from "hono/cookie";
+import { createRouter } from "../lib/context";
+import * as AuthService from "../services/auth";
+import { getAuthAdapter } from "../lib/authAdapter";
+import { getMfaWebAuthnConfig, getRefreshTokenConfig, getAccessTokenExpiry, getRefreshTokenExpiry, getCsrfEnabled } from "../lib/appConfig";
+import { createPasskeyLoginChallenge } from "../lib/mfaChallenge";
+import { trackAttempt } from "../lib/authRateLimit";
+import { getClientIp } from "../lib/clientIp";
+import { COOKIE_TOKEN, COOKIE_REFRESH_TOKEN } from "../lib/constants";
+import { refreshCsrfToken } from "../middleware/csrf";
+const isProd = process.env.NODE_ENV === "production";
+const cookieOptions = (maxAge) => ({
+    httpOnly: true,
+    secure: isProd,
+    sameSite: "Lax",
+    path: "/",
+    maxAge: maxAge ?? 60 * 60 * 24 * 7,
+});
+const tags = ["Passkey"];
+const ErrorResponse = z.object({ error: z.string() }).openapi("PasskeyErrorResponse");
+export const createPasskeyRouter = () => {
+    const router = createRouter();
+    // ─── POST /auth/passkey/login-options ──────────────────────────────────────
+    router.openapi(createRoute({
+        method: "post",
+        path: "/auth/passkey/login-options",
+        summary: "Get passkey login options",
+        description: "Returns WebAuthn authentication options for passwordless login. Always returns valid-looking options regardless of whether the email exists (enumeration prevention).",
+        tags,
+        request: {
+            body: {
+                content: {
+                    "application/json": {
+                        schema: z.object({
+                            email: z.string().optional().describe("Optional email hint. When provided and found, restricts the credential list for a faster prompt. Never reveals whether the email exists."),
+                        }),
+                    },
+                },
+                required: false,
+            },
+        },
+        responses: {
+            200: {
+                content: {
+                    "application/json": {
+                        schema: z.object({
+                            options: z.unknown().describe("PublicKeyCredentialRequestOptionsJSON — pass to @simplewebauthn/browser startAuthentication()."),
+                            passkeyToken: z.string().describe("Short-lived single-use challenge token (120s). Pass to POST /auth/passkey/login."),
+                        }),
+                    },
+                },
+                description: "WebAuthn authentication options.",
+            },
+            429: { content: { "application/json": { schema: ErrorResponse } }, description: "Rate limit exceeded." },
+        },
+    }), async (c) => {
+        const ip = getClientIp(c);
+        if (await trackAttempt(`passkey-login-options:${ip}`, { windowMs: 60 * 1000, max: 5 })) {
+            return c.json({ error: "Too many requests. Try again later." }, 429);
+        }
+        const webauthnConfig = getMfaWebAuthnConfig();
+        const adapter = getAuthAdapter();
+        // Resolve credential hints for the email (enumeration-safe: ignore all errors/misses)
+        let allowCredentials = [];
+        try {
+            const body = await c.req.json().catch(() => ({}));
+            const email = body?.email;
+            if (email && adapter.getWebAuthnCredentials) {
+                const findFn = adapter.findByIdentifier ?? adapter.findByEmail.bind(adapter);
+                const user = await findFn(email);
+                if (user) {
+                    const creds = await adapter.getWebAuthnCredentials(user.id);
+                    allowCredentials = creds.map((cr) => ({ id: cr.credentialId, transports: cr.transports }));
+                }
+            }
+        }
+        catch {
+            // Enumeration protection: swallow all errors, proceed with empty credential list
+        }
+        const { generateAuthenticationOptions } = await import("@simplewebauthn/server");
+        const options = await generateAuthenticationOptions({
+            rpID: webauthnConfig.rpId,
+            allowCredentials: allowCredentials.length > 0
+                ? allowCredentials.map((ac) => ({ id: ac.id, transports: ac.transports }))
+                : undefined,
+            userVerification: webauthnConfig.userVerification ?? "required",
+            timeout: webauthnConfig.timeout ?? 60000,
+        });
+        const passkeyToken = await createPasskeyLoginChallenge(options.challenge);
+        return c.json({ options: options, passkeyToken }, 200);
+    });
+    // ─── POST /auth/passkey/login ──────────────────────────────────────────────
+    router.openapi(createRoute({
+        method: "post",
+        path: "/auth/passkey/login",
+        summary: "Complete passkey login",
+        description: "Verifies the WebAuthn assertion and returns a session token. Satisfies both factors by default — no MFA prompt unless passkeyMfaBypass is disabled.",
+        tags,
+        request: {
+            body: {
+                content: {
+                    "application/json": {
+                        schema: z.object({
+                            passkeyToken: z.string().describe("Token from POST /auth/passkey/login-options."),
+                            assertionResponse: z.record(z.string(), z.unknown()).describe("AuthenticationResponseJSON from @simplewebauthn/browser startAuthentication()."),
+                        }),
+                    },
+                },
+                required: true,
+            },
+        },
+        responses: {
+            200: {
+                content: {
+                    "application/json": {
+                        schema: z.object({
+                            token: z.string(),
+                            userId: z.string(),
+                            email: z.string().optional(),
+                            refreshToken: z.string().optional(),
+                            mfaRequired: z.boolean().optional(),
+                            mfaToken: z.string().optional(),
+                            mfaMethods: z.array(z.string()).optional(),
+                        }),
+                    },
+                },
+                description: "Session token returned. Also set as HttpOnly cookie.",
+            },
+            401: { content: { "application/json": { schema: ErrorResponse } }, description: "Authentication failed." },
+            429: { content: { "application/json": { schema: ErrorResponse } }, description: "Rate limit exceeded." },
+        },
+    }), async (c) => {
+        const ip = getClientIp(c);
+        if (await trackAttempt(`passkey-login:${ip}`, { windowMs: 15 * 60 * 1000, max: 10 })) {
+            return c.json({ error: "Too many requests. Try again later." }, 429);
+        }
+        const { passkeyToken, assertionResponse } = c.req.valid("json");
+        const metadata = {
+            ipAddress: ip,
+            userAgent: c.req.header("user-agent") ?? undefined,
+        };
+        const result = await AuthService.passkeyLogin(passkeyToken, assertionResponse, metadata);
+        if (!result.mfaRequired) {
+            const rtConfig = getRefreshTokenConfig();
+            setCookie(c, COOKIE_TOKEN, result.token, cookieOptions(rtConfig ? getAccessTokenExpiry() : undefined));
+            if (result.refreshToken) {
+                setCookie(c, COOKIE_REFRESH_TOKEN, result.refreshToken, cookieOptions(getRefreshTokenExpiry()));
+            }
+            if (getCsrfEnabled())
+                refreshCsrfToken(c);
+        }
+        return c.json(result);
+    });
+    return router;
+};

package/dist/routes/saml.d.ts

@@ -0,0 +1,2 @@
+import { Hono } from "hono";
+export declare function createSamlRouter(): Hono<import("hono/types").BlankEnv, import("hono/types").BlankSchema, "/">;

package/dist/routes/saml.js

@@ -0,0 +1,86 @@
+import { Hono } from "hono";
+import { HttpError } from "../lib/HttpError";
+import { getSamlConfig } from "../lib/appConfig";
+import { getAuthAdapter } from "../lib/authAdapter";
+import { storeOAuthState, consumeOAuthState } from "../lib/oauth";
+import { createSessionForUser } from "../services/auth";
+import { setCookie } from "hono/cookie";
+import { COOKIE_TOKEN } from "../lib/constants";
+export function createSamlRouter() {
+    const router = new Hono();
+    // GET /auth/saml/login — initiate SAML login, redirect to IdP
+    router.get("/auth/saml/login", async (c) => {
+        const config = getSamlConfig();
+        if (!config)
+            throw new HttpError(404, "SAML not configured");
+        const { initSaml, createAuthnRequest } = await import("../lib/saml");
+        await initSaml(config);
+        // Store relay state — use codeVerifier slot to carry redirectUrl
+        const relayState = crypto.randomUUID();
+        const redirectAfter = c.req.query("redirect") ?? config.postLoginRedirect ?? "/";
+        await storeOAuthState(relayState, redirectAfter);
+        const { redirectUrl } = createAuthnRequest();
+        return c.redirect(`${redirectUrl}&RelayState=${encodeURIComponent(relayState)}`);
+    });
+    // POST /auth/saml/acs — handle SAML assertion from IdP
+    router.post("/auth/saml/acs", async (c) => {
+        const config = getSamlConfig();
+        if (!config)
+            throw new HttpError(404, "SAML not configured");
+        let formData;
+        try {
+            formData = await c.req.formData();
+        }
+        catch {
+            throw new HttpError(400, "Invalid SAML response");
+        }
+        const samlResponse = formData.get("SAMLResponse");
+        const relayState = formData.get("RelayState");
+        if (!samlResponse)
+            throw new HttpError(400, "Missing SAMLResponse");
+        const { initSaml, validateSamlResponse, samlProfileToIdentityProfile } = await import("../lib/saml");
+        await initSaml(config);
+        let samlProfile;
+        try {
+            samlProfile = await validateSamlResponse(samlResponse, config);
+        }
+        catch (err) {
+            throw new HttpError(401, "Invalid SAML assertion");
+        }
+        let userId;
+        if (config.onLogin) {
+            const result = await config.onLogin(samlProfile);
+            userId = result.userId;
+        }
+        else {
+            const adapter = getAuthAdapter();
+            if (!adapter.findOrCreateByProvider)
+                throw new HttpError(500, "Auth adapter missing findOrCreateByProvider");
+            const profile = samlProfileToIdentityProfile(samlProfile);
+            const result = await adapter.findOrCreateByProvider("saml", samlProfile.nameId, profile);
+            userId = result.id;
+            // Update profile fields from SAML attributes
+            if (adapter.updateProfile && (profile.firstName || profile.lastName || profile.displayName)) {
+                await adapter.updateProfile(userId, profile).catch(() => { });
+            }
+        }
+        const { token } = await createSessionForUser(userId);
+        // consumeOAuthState returns { codeVerifier?, linkUserId? } — redirectUrl was stored in codeVerifier
+        const redirectUrl = relayState
+            ? (await consumeOAuthState(relayState))?.codeVerifier ?? config.postLoginRedirect ?? "/"
+            : config.postLoginRedirect ?? "/";
+        setCookie(c, COOKIE_TOKEN, token, { httpOnly: true, path: "/", sameSite: "Lax" });
+        return c.redirect(redirectUrl);
+    });
+    // GET /auth/saml/metadata — serve SP metadata XML
+    router.get("/auth/saml/metadata", async (c) => {
+        const config = getSamlConfig();
+        if (!config)
+            throw new HttpError(404, "SAML not configured");
+        const { initSaml, getSamlSpMetadata } = await import("../lib/saml");
+        await initSaml(config);
+        const metadata = getSamlSpMetadata();
+        return c.body(metadata, 200, { "Content-Type": "application/xml" });
+    });
+    return router;
+}

package/dist/routes/scim.d.ts

@@ -0,0 +1,2 @@
+import { Hono } from "hono";
+export declare function createScimRouter(): Hono<import("hono/types").BlankEnv, import("hono/types").BlankSchema, "/">;

package/dist/routes/scim.js

@@ -0,0 +1,255 @@
+import { Hono } from "hono";
+import { getAuthAdapter } from "../lib/authAdapter";
+import { scimAuth } from "../middleware/scimAuth";
+import { userRecordToScim, parseScimFilter, scimError } from "../lib/scim";
+import { getScimConfig } from "../lib/appConfig";
+export function createScimRouter() {
+    const router = new Hono();
+    // All SCIM routes require SCIM bearer auth
+    router.use("/scim/v2/*", scimAuth);
+    // GET /scim/v2/Users — list/search users
+    router.get("/scim/v2/Users", async (c) => {
+        const config = getScimConfig();
+        if (!config)
+            return scimError(404, "SCIM not configured");
+        const adapter = getAuthAdapter();
+        if (!adapter.listUsers)
+            return scimError(501, "Auth adapter does not support listUsers");
+        const filter = c.req.query("filter");
+        const startIndex = parseInt(c.req.query("startIndex") ?? "1", 10);
+        const count = parseInt(c.req.query("count") ?? "100", 10);
+        const query = parseScimFilter(filter);
+        query.startIndex = Math.max(0, startIndex - 1); // SCIM is 1-based
+        query.count = Math.min(count, 200);
+        const { users, totalResults } = await adapter.listUsers(query);
+        const response = {
+            schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
+            totalResults,
+            startIndex,
+            itemsPerPage: users.length,
+            Resources: users.map((u) => userRecordToScim(u, config.userMapping)),
+        };
+        return c.json(response, 200);
+    });
+    // GET /scim/v2/Users/:id — get a user
+    router.get("/scim/v2/Users/:id", async (c) => {
+        const config = getScimConfig();
+        if (!config)
+            return scimError(404, "SCIM not configured");
+        const adapter = getAuthAdapter();
+        if (!adapter.getUser)
+            return scimError(501, "Auth adapter does not support getUser");
+        const user = await adapter.getUser(c.req.param("id"));
+        if (!user)
+            return scimError(404, "User not found");
+        const scimUser = userRecordToScim({
+            id: c.req.param("id"),
+            email: user.email,
+            displayName: user.displayName,
+            firstName: user.firstName,
+            lastName: user.lastName,
+            externalId: user.externalId,
+            suspended: user.suspended ?? false,
+            suspendedReason: user.suspendedReason,
+        }, config.userMapping);
+        return c.json(scimUser, 200);
+    });
+    // POST /scim/v2/Users — create a user (provision)
+    router.post("/scim/v2/Users", async (c) => {
+        const config = getScimConfig();
+        if (!config)
+            return scimError(404, "SCIM not configured");
+        const adapter = getAuthAdapter();
+        if (!adapter.create)
+            return scimError(501, "Auth adapter does not support create");
+        let body;
+        try {
+            body = await c.req.json();
+        }
+        catch {
+            return scimError(400, "Invalid JSON");
+        }
+        const email = body.userName ?? body.emails?.[0]?.value;
+        if (!email)
+            return scimError(400, "userName is required");
+        const existingByEmail = await (adapter.findByEmail?.(email));
+        if (existingByEmail)
+            return scimError(409, "User already exists");
+        // Create user with a random placeholder password (SCIM users authenticate via SSO)
+        const { sha256 } = await import("../lib/crypto");
+        const placeholderHash = sha256(crypto.randomUUID());
+        const { id } = await adapter.create(email, placeholderHash);
+        // Set profile fields
+        if (adapter.updateProfile) {
+            const fields = {};
+            if (body.name?.givenName)
+                fields.firstName = body.name.givenName;
+            if (body.name?.familyName)
+                fields.lastName = body.name.familyName;
+            if (body.displayName)
+                fields.displayName = body.displayName;
+            if (body.externalId)
+                fields.externalId = body.externalId;
+            if (Object.keys(fields).length > 0)
+                await adapter.updateProfile(id, fields);
+        }
+        const scimUser = userRecordToScim({
+            id,
+            email,
+            displayName: body.displayName,
+            firstName: body.name?.givenName,
+            lastName: body.name?.familyName,
+            externalId: body.externalId,
+            suspended: body.active === false,
+        }, config.userMapping);
+        return c.json(scimUser, 201);
+    });
+    // PUT /scim/v2/Users/:id — replace a user
+    router.put("/scim/v2/Users/:id", async (c) => {
+        const config = getScimConfig();
+        if (!config)
+            return scimError(404, "SCIM not configured");
+        const adapter = getAuthAdapter();
+        const userId = c.req.param("id");
+        let body;
+        try {
+            body = await c.req.json();
+        }
+        catch {
+            return scimError(400, "Invalid JSON");
+        }
+        if (adapter.updateProfile) {
+            const fields = {};
+            if (body.name?.givenName !== undefined)
+                fields.firstName = body.name.givenName;
+            if (body.name?.familyName !== undefined)
+                fields.lastName = body.name.familyName;
+            if (body.displayName !== undefined)
+                fields.displayName = body.displayName;
+            if (body.externalId !== undefined)
+                fields.externalId = body.externalId;
+            if (Object.keys(fields).length > 0)
+                await adapter.updateProfile(userId, fields);
+        }
+        if (adapter.setSuspended && body.active !== undefined) {
+            await adapter.setSuspended(userId, !body.active);
+        }
+        const user = await adapter.getUser?.(userId);
+        if (!user)
+            return scimError(404, "User not found");
+        return c.json(userRecordToScim({
+            id: userId,
+            email: user.email,
+            displayName: user.displayName,
+            firstName: user.firstName,
+            lastName: user.lastName,
+            externalId: user.externalId,
+            suspended: user.suspended ?? false,
+        }, config.userMapping), 200);
+    });
+    // PATCH /scim/v2/Users/:id — partial update
+    router.patch("/scim/v2/Users/:id", async (c) => {
+        const config = getScimConfig();
+        if (!config)
+            return scimError(404, "SCIM not configured");
+        const adapter = getAuthAdapter();
+        const userId = c.req.param("id");
+        let body;
+        try {
+            body = await c.req.json();
+        }
+        catch {
+            return scimError(400, "Invalid JSON");
+        }
+        const operations = body.Operations ?? [];
+        for (const op of operations) {
+            const opType = op.op?.toLowerCase();
+            if (opType === "replace" || opType === "add") {
+                const value = op.value;
+                if (op.path === "active" && adapter.setSuspended) {
+                    await adapter.setSuspended(userId, !value);
+                }
+                else if (!op.path && typeof value === "object" && adapter.updateProfile) {
+                    // Bulk replace — map SCIM fields to profile fields
+                    const fields = {};
+                    if (value.displayName !== undefined)
+                        fields.displayName = value.displayName;
+                    if (value["name.givenName"] !== undefined)
+                        fields.firstName = value["name.givenName"];
+                    if (value["name.familyName"] !== undefined)
+                        fields.lastName = value["name.familyName"];
+                    if (value.externalId !== undefined)
+                        fields.externalId = value.externalId;
+                    if (value.active !== undefined && adapter.setSuspended) {
+                        await adapter.setSuspended(userId, !value.active);
+                    }
+                    if (Object.keys(fields).length > 0)
+                        await adapter.updateProfile(userId, fields);
+                }
+            }
+            else if (opType === "remove" && op.path === "active" && adapter.setSuspended) {
+                await adapter.setSuspended(userId, true);
+            }
+        }
+        const user = await adapter.getUser?.(userId);
+        if (!user)
+            return scimError(404, "User not found");
+        return c.json(userRecordToScim({
+            id: userId,
+            email: user.email,
+            displayName: user.displayName,
+            firstName: user.firstName,
+            lastName: user.lastName,
+            externalId: user.externalId,
+            suspended: user.suspended ?? false,
+        }, config.userMapping), 200);
+    });
+    // DELETE /scim/v2/Users/:id — deprovision
+    router.delete("/scim/v2/Users/:id", async (c) => {
+        const config = getScimConfig();
+        if (!config)
+            return scimError(404, "SCIM not configured");
+        const adapter = getAuthAdapter();
+        const userId = c.req.param("id");
+        const onDeprovision = config.onDeprovision ?? "suspend";
+        if (typeof onDeprovision === "function") {
+            await onDeprovision(userId);
+        }
+        else if (onDeprovision === "delete") {
+            if (adapter.deleteUser)
+                await adapter.deleteUser(userId);
+        }
+        else {
+            // Default: suspend
+            if (adapter.setSuspended)
+                await adapter.setSuspended(userId, true, "SCIM deprovisioned");
+        }
+        return c.body(null, 204);
+    });
+    // Discovery endpoints
+    router.get("/scim/v2/ServiceProviderConfig", (c) => {
+        return c.json({
+            schemas: ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
+            patch: { supported: true },
+            bulk: { supported: false, maxOperations: 0, maxPayloadSize: 0 },
+            filter: { supported: true, maxResults: 200 },
+            changePassword: { supported: false },
+            sort: { supported: false },
+            etag: { supported: false },
+        });
+    });
+    router.get("/scim/v2/ResourceTypes", (c) => {
+        return c.json({
+            schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
+            totalResults: 1,
+            Resources: [{
+                    schemas: ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
+                    id: "User",
+                    name: "User",
+                    endpoint: "/scim/v2/Users",
+                    schema: "urn:ietf:params:scim:schemas:core:2.0:User",
+                }],
+        });
+    });
+    return router;
+}

package/dist/routes/uploads.d.ts

@@ -1,2 +1,14 @@
 import type { PresignedUrlConfig } from "../app";
-export declare const createUploadsRouter: (config: PresignedUrlConfig) => import("@hono/zod-openapi").OpenAPIHono<import("../lib/context").AppEnv, {}, "/">;
+interface UploadsRouterConfig extends PresignedUrlConfig {
+    authorization?: {
+        authorize?: (input: {
+            action: "read" | "delete";
+            key: string;
+            userId?: string;
+            tenantId?: string;
+        }) => boolean | Promise<boolean>;
+    };
+    allowExternalKeys?: boolean;
+}
+export declare const createUploadsRouter: (config: UploadsRouterConfig) => import("@hono/zod-openapi").OpenAPIHono<import("../lib/context").AppEnv, {}, "/">;
+export {};