@lastshotlabs/bunshot 0.0.25 → 0.0.27

package/dist/routes/uploads.js

@@ -2,14 +2,54 @@ import { z } from "zod";
 import { createRouter } from "../lib/context";
 import { createRoute } from "../lib/createRoute";
 import { userAuth } from "../middleware/userAuth";
-import { getStorageAdapter, getUploadConfig } from "../lib/upload";
+import { getStorageAdapter, generateUploadKeyFromFilename } from "../lib/upload";
 import { getSigningConfig, getSigningSecret } from "../lib/appConfig";
 import { createPresignedUrl } from "../lib/signing";
+import { getUploadRecord, deleteUploadRecord, registerUpload } from "../lib/uploadRegistry";
 const tags = ["Uploads"];
+async function checkUploadAccess(action, key, userId, tenantId, config) {
+    const record = await getUploadRecord(key);
+    const authorize = config.authorization?.authorize;
+    const allowExternalKeys = config.allowExternalKeys ?? false;
+    if (record) {
+        // If the registry record has a tenantId, the requester must match — period.
+        if (record.tenantId && record.tenantId !== tenantId) {
+            return { allowed: false, notFound: false };
+        }
+        // Owner match → allow
+        if (record.ownerUserId && record.ownerUserId === userId) {
+            return { allowed: true, notFound: false };
+        }
+        // No owner or owner mismatch → try callback
+        if (authorize) {
+            const ok = await authorize({ action, key, userId: userId ?? undefined, tenantId: tenantId ?? undefined });
+            return { allowed: ok, notFound: false };
+        }
+        return { allowed: false, notFound: false };
+    }
+    // Record not in registry
+    if (allowExternalKeys) {
+        if (authorize) {
+            const ok = await authorize({ action, key, userId: userId ?? undefined, tenantId: tenantId ?? undefined });
+            return { allowed: ok, notFound: false };
+        }
+        return { allowed: false, notFound: false };
+    }
+    return { allowed: false, notFound: true };
+}
 export const createUploadsRouter = (config) => {
     const router = createRouter();
     const basePath = (config.path ?? "/uploads").replace(/\/$/, "");
     router.use(`${basePath}/*`, userAuth);
+    const BLOCKED_MIME_TYPES = new Set([
+        "application/x-executable",
+        "application/x-sh",
+        "application/x-msdownload",
+        "text/html",
+        "application/x-httpd-php",
+        "application/javascript",
+        "text/javascript",
+    ]);
     const presignRoute = createRoute({
         method: "post",
         path: `${basePath}/presign`,
@@ -20,9 +60,11 @@ export const createUploadsRouter = (config) => {
                 content: {
                     "application/json": {
                         schema: z.object({
-                            key: z.string().describe("Storage key for the upload"),
+                            filename: z.string().optional().describe("Original filename (used to derive the storage key extension)"),
                             mimeType: z.string().optional().describe("MIME type of the file"),
                             expirySeconds: z.number().int().positive().optional().describe("URL expiry in seconds"),
+                            maxBytes: z.number().int().positive().max(100 * 1024 * 1024).optional()
+                                .describe("Maximum allowed file size in bytes (client-enforced via Content-Length header). Defaults to 10MB. Maximum: 100MB."),
                         }),
                     },
                 },
@@ -31,7 +73,11 @@ export const createUploadsRouter = (config) => {
         responses: {
             200: {
                 description: "Presigned URL generated",
-                content: { "application/json": { schema: z.object({ url: z.string(), key: z.string() }) } },
+                content: { "application/json": { schema: z.object({ url: z.string(), key: z.string(), maxBytes: z.number().optional() }) } },
+            },
+            400: {
+                description: "File type not allowed",
+                content: { "application/json": { schema: z.object({ error: z.string() }) } },
             },
             501: {
                 description: "Not implemented by adapter",
@@ -44,11 +90,26 @@ export const createUploadsRouter = (config) => {
         if (!adapter?.presignPut) {
             return c.json({ error: "Presigned URLs not supported by the configured storage adapter" }, 501);
         }
-        const { key, mimeType, expirySeconds } = c.req.valid("json");
-        const _uploadConfig = getUploadConfig();
+        const { filename, mimeType, expirySeconds, maxBytes } = c.req.valid("json");
+        if (mimeType && BLOCKED_MIME_TYPES.has(mimeType)) {
+            return c.json({ error: "File type not allowed." }, 400);
+        }
+        const userId = c.get("authUserId") ?? undefined;
+        const tenantId = c.get("tenantId") ?? undefined;
+        // Server-generates the key — client cannot control the storage path
+        const key = generateUploadKeyFromFilename(filename, { userId, tenantId });
         const expiry = expirySeconds ?? (typeof config.expirySeconds === "number" ? config.expirySeconds : 3600);
         const url = await adapter.presignPut(key, { expirySeconds: expiry, mimeType });
-        return c.json({ url, key }, 200);
+        // Register the upload for ownership tracking
+        await registerUpload({
+            key,
+            ownerUserId: userId,
+            tenantId,
+            mimeType,
+            bucket: c.get("uploadBucket") ?? undefined,
+            createdAt: Date.now(),
+        });
+        return c.json({ url, key, ...(maxBytes !== undefined ? { maxBytes } : {}) }, 200);
     });
     const presignGetRoute = createRoute({
         method: "get",
@@ -73,6 +134,14 @@ export const createUploadsRouter = (config) => {
                     },
                 },
             },
+            403: {
+                description: "Forbidden — not the owner or unauthorized",
+                content: { "application/json": { schema: z.object({ error: z.string() }) } },
+            },
+            404: {
+                description: "Key not found in upload registry",
+                content: { "application/json": { schema: z.object({ error: z.string() }) } },
+            },
             501: {
                 description: "Not implemented",
                 content: { "application/json": { schema: z.object({ error: z.string() }) } },
@@ -82,6 +151,13 @@ export const createUploadsRouter = (config) => {
     router.openapi(presignGetRoute, async (c) => {
         const { key } = c.req.valid("param");
         const { expiry: expiryStr } = c.req.valid("query");
+        const userId = c.get("authUserId");
+        const tenantId = c.get("tenantId");
+        const { allowed, notFound } = await checkUploadAccess("read", key, userId, tenantId, config);
+        if (notFound)
+            return c.json({ error: "Not found" }, 404);
+        if (!allowed)
+            return c.json({ error: "Forbidden" }, 403);
         const expirySeconds = expiryStr ? parseInt(expiryStr, 10) : (typeof config.expirySeconds === "number" ? config.expirySeconds : 3600);
         const signingCfg = getSigningConfig();
         if (signingCfg?.presignedUrls) {
@@ -117,6 +193,14 @@ export const createUploadsRouter = (config) => {
         },
         responses: {
             204: { description: "Deleted" },
+            403: {
+                description: "Forbidden — not the owner or unauthorized",
+                content: { "application/json": { schema: z.object({ error: z.string() }) } },
+            },
+            404: {
+                description: "Key not found in upload registry",
+                content: { "application/json": { schema: z.object({ error: z.string() }) } },
+            },
             500: {
                 description: "No storage adapter configured",
                 content: { "application/json": { schema: z.object({ error: z.string() }) } },
@@ -128,7 +212,15 @@ export const createUploadsRouter = (config) => {
         if (!adapter)
             return c.json({ error: "No storage adapter configured" }, 500);
         const { key } = c.req.valid("param");
+        const userId = c.get("authUserId");
+        const tenantId = c.get("tenantId");
+        const { allowed, notFound } = await checkUploadAccess("delete", key, userId, tenantId, config);
+        if (notFound)
+            return c.json({ error: "Not found" }, 404);
+        if (!allowed)
+            return c.json({ error: "Forbidden" }, 403);
         await adapter.delete(key);
+        await deleteUploadRecord(key);
         return c.body(null, 204);
     });
     return router;

package/dist/services/auth.d.ts

@@ -15,6 +15,7 @@ export interface AuthResult {
 export declare const createSessionForUser: (userId: string, metadata?: SessionMetadata) => Promise<{
     token: string;
     refreshToken?: string;
+    sessionId: string;
 }>;
 export declare const register: (identifier: string, password: string, metadata?: SessionMetadata) => Promise<AuthResult>;
 export declare const login: (identifier: string, password: string, metadata?: SessionMetadata) => Promise<AuthResult>;
@@ -25,3 +26,4 @@ export declare const refresh: (refreshTokenValue: string) => Promise<{
 }>;
 export declare const deleteAccount: (userId: string, password?: string) => Promise<void>;
 export declare const logout: (token: string | null) => Promise<void>;
+export declare const passkeyLogin: (passkeyToken: string, assertionResponse: any, metadata?: SessionMetadata) => Promise<AuthResult>;

package/dist/services/auth.js

@@ -2,14 +2,16 @@ import { getAuthAdapter } from "../lib/authAdapter";
 import { HttpError } from "../lib/HttpError";
 import { signToken, verifyToken } from "../lib/jwt";
 import { createSession, deleteSession, getActiveSessionCount, evictOldestSession, deleteUserSessions, setRefreshToken, getSessionByRefreshToken, rotateRefreshToken } from "../lib/session";
-import { getDefaultRole, getPrimaryField, getEmailVerificationConfig, getMaxSessions, getRefreshTokenConfig, getAccessTokenExpiry, getMfaConfig, getMfaEmailOtpConfig, getMfaWebAuthnConfig } from "../lib/appConfig";
+import { getDefaultRole, getPrimaryField, getEmailVerificationConfig, getMaxSessions, getRefreshTokenConfig, getAccessTokenExpiry, getMfaConfig, getMfaEmailOtpConfig, getMfaWebAuthnConfig, getMfaWebAuthnPasskeyMfaBypass } from "../lib/appConfig";
+import { getSuspended } from "../lib/suspension";
 import { createVerificationToken } from "../lib/emailVerification";
 import { createMfaChallenge } from "../lib/mfaChallenge";
 import { generateEmailOtpCode, generateWebAuthnAuthenticationOptions } from "./mfa";
+import { emitSecurityEvent } from "../lib/securityEvents";
 async function createSessionWithRefreshToken(userId, sessionId, metadata) {
     const rtConfig = getRefreshTokenConfig();
     const expirySeconds = rtConfig ? getAccessTokenExpiry() : undefined;
-    const token = await signToken(userId, sessionId, expirySeconds);
+    const token = await signToken({ sub: userId, sid: sessionId }, expirySeconds);
     while (await getActiveSessionCount(userId) >= getMaxSessions()) {
         await evictOldestSession(userId);
     }
@@ -27,25 +29,32 @@ export const createSessionForUser = async (userId, metadata) => {
     return createSessionWithRefreshToken(userId, sessionId, metadata);
 };
 export const register = async (identifier, password, metadata) => {
-    const hashed = await Bun.password.hash(password);
-    const adapter = getAuthAdapter();
-    const user = await adapter.create(identifier, hashed);
-    const role = getDefaultRole();
-    if (role)
-        await adapter.setRoles(user.id, [role]);
-    const sessionId = crypto.randomUUID();
-    const { token, refreshToken } = await createSessionWithRefreshToken(user.id, sessionId, metadata);
-    const evConfig = getEmailVerificationConfig();
-    if (evConfig && getPrimaryField() === "email") {
-        try {
-            const verificationToken = await createVerificationToken(user.id, identifier);
-            await evConfig.onSend(identifier, verificationToken);
-        }
-        catch (e) {
-            console.error("[email-verification] Failed to send verification email:", e);
+    try {
+        const hashed = await Bun.password.hash(password);
+        const adapter = getAuthAdapter();
+        const user = await adapter.create(identifier, hashed);
+        const role = getDefaultRole();
+        if (role)
+            await adapter.setRoles(user.id, [role]);
+        const sessionId = crypto.randomUUID();
+        const { token, refreshToken } = await createSessionWithRefreshToken(user.id, sessionId, metadata);
+        const evConfig = getEmailVerificationConfig();
+        if (evConfig && getPrimaryField() === "email") {
+            try {
+                const verificationToken = await createVerificationToken(user.id, identifier);
+                await evConfig.onSend(identifier, verificationToken);
+            }
+            catch (e) {
+                console.error("[email-verification] Failed to send verification email:", e);
+            }
         }
+        emitSecurityEvent({ eventType: "auth.register.success", severity: "info", timestamp: new Date().toISOString(), userId: user.id });
+        return { token, userId: user.id, email: identifier, refreshToken };
+    }
+    catch (err) {
+        emitSecurityEvent({ eventType: "auth.register.failure", severity: "warn", timestamp: new Date().toISOString() });
+        throw err;
     }
-    return { token, userId: user.id, email: identifier, refreshToken };
 };
 // Pre-computed dummy hash so non-existent-user login takes the same time as wrong-password login
 const DUMMY_HASH = await Bun.password.hash("dummy-timing-safe-placeholder");
@@ -57,8 +66,15 @@ export const login = async (identifier, password, metadata) => {
     const hashToVerify = user?.passwordHash ?? DUMMY_HASH;
     const passwordValid = await Bun.password.verify(password, hashToVerify);
     if (!user || !passwordValid) {
+        emitSecurityEvent({ eventType: "auth.login.failure", severity: "warn", timestamp: new Date().toISOString(), meta: { identifier } });
         throw new HttpError(401, "Invalid credentials");
     }
+    // Check suspension
+    const suspensionStatus = await getSuspended(user.id);
+    if (suspensionStatus.suspended) {
+        emitSecurityEvent({ eventType: "auth.login.blocked", severity: "critical", timestamp: new Date().toISOString(), meta: { reason: "suspended" } });
+        throw new HttpError(403, "Account suspended", "ACCOUNT_SUSPENDED");
+    }
     // Check email verification before MFA to avoid leaking MFA status to unverified users
     const fullUser = adapter.getUser ? await adapter.getUser(user.id) : null;
     const googleLinked = fullUser?.providerIds?.some((id) => id.startsWith("google:")) ?? false;
@@ -100,6 +116,7 @@ export const login = async (identifier, password, metadata) => {
     }
     const sessionId = crypto.randomUUID();
     const { token, refreshToken } = await createSessionWithRefreshToken(user.id, sessionId, metadata);
+    emitSecurityEvent({ eventType: "auth.login.success", severity: "info", timestamp: new Date().toISOString(), userId: user.id });
     if (evConfig && getPrimaryField() === "email" && adapter.getEmailVerified) {
         const verified = await adapter.getEmailVerified(user.id);
         return { token, userId: user.id, email: fullUser?.email, emailVerified: verified, googleLinked, refreshToken };
@@ -115,12 +132,12 @@ export const refresh = async (refreshTokenValue) => {
     // If the returned newRefreshToken differs from what was sent, we're in a grace window replay.
     // Return the current tokens without rotating again.
     if (newRefreshToken !== refreshTokenValue) {
-        const accessToken = await signToken(userId, sessionId, getAccessTokenExpiry());
+        const accessToken = await signToken({ sub: userId, sid: sessionId }, getAccessTokenExpiry());
         return { token: accessToken, refreshToken: newRefreshToken, userId };
     }
     // Normal rotation: generate new refresh + access tokens
     const newRT = crypto.randomUUID();
-    const newAccessToken = await signToken(userId, sessionId, getAccessTokenExpiry());
+    const newAccessToken = await signToken({ sub: userId, sid: sessionId }, getAccessTokenExpiry());
     await rotateRefreshToken(sessionId, newRT, newAccessToken);
     return { token: newAccessToken, refreshToken: newRT, userId };
 };
@@ -148,12 +165,74 @@ export const deleteAccount = async (userId, password) => {
     await deleteUserSessions(userId);
     // Delete the user
     await adapter.deleteUser(userId);
+    emitSecurityEvent({ eventType: "auth.account.deleted", severity: "warn", timestamp: new Date().toISOString(), userId });
 };
 export const logout = async (token) => {
     if (token) {
         const payload = await verifyToken(token);
         const sessionId = payload.sid;
-        if (sessionId)
+        if (sessionId) {
             await deleteSession(sessionId);
+            emitSecurityEvent({ eventType: "auth.logout", severity: "info", timestamp: new Date().toISOString(), sessionId });
+        }
+    }
+};
+export const passkeyLogin = async (passkeyToken, assertionResponse, metadata) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.findUserByWebAuthnCredentialId || !adapter.getWebAuthnCredentials) {
+        throw new HttpError(501, "Auth adapter does not support passkey login");
+    }
+    const { consumePasskeyLoginChallenge } = await import("../lib/mfaChallenge");
+    const challengeData = await consumePasskeyLoginChallenge(passkeyToken);
+    if (!challengeData) {
+        throw new HttpError(401, "Invalid or expired passkey token");
+    }
+    const credentialId = assertionResponse?.id;
+    if (!credentialId) {
+        throw new HttpError(401, "Invalid assertion response");
+    }
+    const userId = await adapter.findUserByWebAuthnCredentialId(credentialId);
+    if (!userId) {
+        throw new HttpError(401, "Invalid credentials");
+    }
+    const { verifyWebAuthn } = await import("./mfa");
+    const verified = await verifyWebAuthn(userId, assertionResponse, challengeData.webauthnChallenge);
+    if (!verified) {
+        throw new HttpError(401, "WebAuthn verification failed");
+    }
+    // Check suspension
+    const suspensionStatus = await getSuspended(userId);
+    if (suspensionStatus.suspended) {
+        throw new HttpError(403, "Account suspended", "ACCOUNT_SUSPENDED");
+    }
+    // passkeyMfaBypass=true (default): passkey with userVerification=required satisfies both factors
+    const mfaBypass = getMfaWebAuthnPasskeyMfaBypass();
+    if (!mfaBypass && getMfaConfig() && adapter.isMfaEnabled && await adapter.isMfaEnabled(userId)) {
+        const methods = adapter.getMfaMethods ? await adapter.getMfaMethods(userId) : ["totp"];
+        let emailOtpHash;
+        const emailOtpConfig = getMfaEmailOtpConfig();
+        if (methods.includes("emailOtp") && emailOtpConfig) {
+            const { generateEmailOtpCode } = await import("./mfa");
+            const { code, hash } = generateEmailOtpCode();
+            emailOtpHash = hash;
+            const fullUser = adapter.getUser ? await adapter.getUser(userId) : null;
+            if (fullUser?.email)
+                await emailOtpConfig.onSend(fullUser.email, code);
+        }
+        let webauthnChallenge2;
+        let webauthnOptions;
+        if (methods.includes("webauthn") && getMfaWebAuthnConfig()) {
+            const { generateWebAuthnAuthenticationOptions } = await import("./mfa");
+            const result = await generateWebAuthnAuthenticationOptions(userId);
+            if (result) {
+                webauthnChallenge2 = result.challenge;
+                webauthnOptions = result.options;
+            }
+        }
+        const mfaToken = await createMfaChallenge(userId, { emailOtpHash, webauthnChallenge: webauthnChallenge2 });
+        return { token: "", userId, mfaRequired: true, mfaToken, mfaMethods: methods, webauthnOptions };
     }
+    const { token, refreshToken } = await createSessionForUser(userId, metadata);
+    const fullUser = adapter.getUser ? await adapter.getUser(userId) : null;
+    return { token, userId, email: fullUser?.email, refreshToken };
 };

package/dist/services/mfa.js

@@ -343,8 +343,8 @@ export const initiateWebAuthnRegistration = async (userId) => {
         })),
         authenticatorSelection: {
             authenticatorAttachment: config.authenticatorAttachment,
-            userVerification: config.userVerification ?? "preferred",
-            residentKey: "preferred",
+            userVerification: config.userVerification ?? "required",
+            residentKey: "required",
         },
         timeout: config.timeout ?? 60000,
     });

package/dist/ws/index.js

@@ -2,6 +2,7 @@ import { verifyToken } from "../lib/jwt";
 import { getSession } from "../lib/session";
 import { COOKIE_TOKEN } from "../lib/constants";
 import { trackSocket, untrackSocket } from "../lib/wsPresence";
+import { timingSafeEqual } from "../lib/crypto";
 export const createWsUpgradeHandler = (server) => async (req) => {
     let userId = null;
     try {
@@ -12,7 +13,7 @@ export const createWsUpgradeHandler = (server) => async (req) => {
             const sessionId = payload.sid;
             if (sessionId) {
                 const stored = await getSession(sessionId);
-                if (stored === token)
+                if (timingSafeEqual(stored ?? "", token))
                     userId = payload.sub;
             }
         }