@lastshotlabs/bunshot 0.0.25 → 0.0.28

package/dist/packages/bunshot-auth/src/admin/bunshotAccess.d.ts

@@ -0,0 +1,2 @@
+import type { AdminAccessProvider } from '../../../bunshot-core/src/index.js';
+export declare function createBunshotAuthAccessProvider(): AdminAccessProvider;

package/dist/packages/bunshot-auth/src/admin/bunshotAccess.js

@@ -0,0 +1,23 @@
+import { getAuthRuntimeFromRequest } from '../runtime';
+export function createBunshotAuthAccessProvider() {
+    return {
+        name: 'bunshot-auth',
+        async verifyRequest(c) {
+            const userId = c.get('authUserId');
+            if (!userId)
+                return null;
+            const adapter = getAuthRuntimeFromRequest(c).adapter;
+            const user = await adapter.getUser?.(userId);
+            if (!user)
+                return null;
+            const roles = (await adapter.getRoles?.(userId)) ?? [];
+            return {
+                subject: userId,
+                email: user.email,
+                displayName: user.displayName ?? undefined,
+                roles,
+                provider: 'bunshot-auth',
+            };
+        },
+    };
+}

package/dist/packages/bunshot-auth/src/admin/bunshotUsers.d.ts

@@ -0,0 +1,5 @@
+import type { ManagedUserProvider } from '../../../bunshot-core/src/index.js';
+import type { AuthResolvedConfig } from '../config/authConfig';
+import type { AuthAdapter } from '../lib/authAdapter';
+import type { ISessionRepository } from '../lib/session';
+export declare function createBunshotManagedUserProvider(adapter: AuthAdapter, config: AuthResolvedConfig, sessionRepo: ISessionRepository): ManagedUserProvider;

package/dist/packages/bunshot-auth/src/admin/bunshotUsers.js

@@ -0,0 +1,131 @@
+import { setSuspended } from '../lib/suspension';
+export function createBunshotManagedUserProvider(adapter, config, sessionRepo) {
+    return {
+        name: 'bunshot-auth',
+        async listUsers(input) {
+            const limit = input.limit ?? 50;
+            const startIndex = input.cursor ? decodeAdminCursor(input.cursor) : 0;
+            const result = await adapter.listUsers?.({
+                ...(input.search ? { email: input.search } : {}),
+                startIndex,
+                count: limit + 1,
+            });
+            if (!result)
+                return { items: [] };
+            const hasMore = result.users.length > limit;
+            const page = hasMore ? result.users.slice(0, limit) : result.users;
+            return {
+                items: page.map(toManagedUserRecord),
+                nextCursor: hasMore ? encodeAdminCursor(startIndex + limit) : undefined,
+            };
+        },
+        async getUser(userId) {
+            const user = await adapter.getUser?.(userId);
+            if (!user)
+                return null;
+            return {
+                id: userId,
+                email: user.email,
+                displayName: user.displayName ?? undefined,
+                firstName: user.firstName ?? undefined,
+                lastName: user.lastName ?? undefined,
+                externalId: user.externalId ?? undefined,
+                status: user.suspended ? 'suspended' : 'active',
+                provider: 'bunshot-auth',
+            };
+        },
+        async getCapabilities() {
+            return {
+                canListUsers: true,
+                canSearchUsers: true,
+                canViewUser: true,
+                canEditUser: true,
+                canSuspendUsers: true,
+                canDeleteUsers: true,
+                canViewSessions: true,
+                canRevokeSessions: true,
+                canManageRoles: true,
+            };
+        },
+        async suspendUser(input) {
+            await setSuspended(adapter, input.userId, true, input.reason);
+        },
+        async unsuspendUser(input) {
+            await setSuspended(adapter, input.userId, false);
+        },
+        async updateUser(input) {
+            await adapter.updateProfile?.(input.userId, {
+                displayName: input.displayName,
+                firstName: input.firstName,
+                lastName: input.lastName,
+                externalId: input.externalId,
+            });
+            const user = await adapter.getUser?.(input.userId);
+            if (!user)
+                return null;
+            return {
+                id: input.userId,
+                email: user.email,
+                displayName: user.displayName ?? undefined,
+                firstName: user.firstName ?? undefined,
+                lastName: user.lastName ?? undefined,
+                externalId: user.externalId ?? undefined,
+                status: user.suspended ? 'suspended' : 'active',
+                provider: 'bunshot-auth',
+            };
+        },
+        async deleteUser(userId) {
+            const sessions = await sessionRepo.getUserSessions(userId, config);
+            await Promise.all(sessions.map(s => sessionRepo.deleteSession(s.sessionId, config)));
+            await adapter.deleteUser?.(userId);
+        },
+        async listSessions(userId) {
+            const sessions = await sessionRepo.getUserSessions(userId, config);
+            return sessions.map(s => ({
+                sessionId: s.sessionId,
+                userId,
+                createdAt: s.createdAt,
+                lastActiveAt: s.lastActiveAt,
+                ip: s.ipAddress ?? undefined,
+                userAgent: s.userAgent ?? undefined,
+            }));
+        },
+        async revokeSession(sessionId) {
+            await sessionRepo.deleteSession(sessionId, config);
+        },
+        async revokeAllSessions(userId) {
+            const sessions = await sessionRepo.getUserSessions(userId, config);
+            await Promise.all(sessions.map(s => sessionRepo.deleteSession(s.sessionId, config)));
+        },
+        async getRoles(userId) {
+            return (await adapter.getRoles?.(userId)) ?? [];
+        },
+        async setRoles(userId, roles) {
+            await adapter.setRoles?.(userId, roles);
+        },
+    };
+}
+function encodeAdminCursor(offset) {
+    return btoa(JSON.stringify({ offset }));
+}
+function decodeAdminCursor(cursor) {
+    try {
+        const parsed = JSON.parse(atob(cursor));
+        return typeof parsed.offset === 'number' ? parsed.offset : 0;
+    }
+    catch {
+        return 0;
+    }
+}
+function toManagedUserRecord(user) {
+    return {
+        id: user.id,
+        email: user.email,
+        displayName: user.displayName ?? undefined,
+        firstName: user.firstName ?? undefined,
+        lastName: user.lastName ?? undefined,
+        externalId: user.externalId ?? undefined,
+        status: user.suspended ? 'suspended' : 'active',
+        provider: 'bunshot-auth',
+    };
+}

package/dist/packages/bunshot-auth/src/bootstrap.d.ts

@@ -0,0 +1,38 @@
+/**
+ * bootstrapAuth — extracted auth setup for use by the auth plugin.
+ *
+ * Called by the plugin's setupMiddleware() phase.
+ * - Framework path: `resolvedStores` provided — skips store resolution and connection calls.
+ * - Standalone path: `resolvedStores` absent — resolves stores from config.db with memory defaults.
+ */
+import type { ConnectionOptions } from 'bullmq';
+import type Redis from 'ioredis';
+import type { Connection } from 'mongoose';
+import type { BunshotEventBus, DataEncryptionKey, SigningConfig, StoreType } from '../../bunshot-core/src/index.js';
+import type { AuthAdapter } from './lib/authAdapter';
+import type { AuthRuntimeContext } from './runtime';
+import type { ResolvedStores } from './types/adapter';
+import type { AuthPluginConfig } from './types/config';
+export type { ResolvedStores };
+export type { StoreType };
+type AuthRedisClient = ConnectionOptions & Redis;
+export interface BootstrapResult {
+    adapter: AuthAdapter;
+    runtime: AuthRuntimeContext;
+    configuredOAuthProviders: string[];
+    bearerAuthBypassPaths: string[];
+    oauthCallbackPaths: string[];
+    stores: ResolvedStores;
+    teardownFns: (() => void | Promise<void>)[];
+}
+export interface AuthRuntimeInfra {
+    signing: SigningConfig | null;
+    dataEncryptionKeys: readonly DataEncryptionKey[];
+    /** Returns the Redis client. Throws if Redis is not configured. */
+    getRedis?: () => AuthRedisClient;
+    /** Returns the Mongo auth connection, or null. */
+    getMongoAuth?: () => Connection | null;
+    /** Returns the Mongo app connection, or null. */
+    getMongoApp?: () => Connection | null;
+}
+export declare function bootstrapAuth(config: AuthPluginConfig, bus: BunshotEventBus, resolvedStores?: ResolvedStores, runtimeInfra?: AuthRuntimeInfra): Promise<BootstrapResult>;

package/dist/packages/bunshot-auth/src/bootstrap.js

@@ -0,0 +1,384 @@
+import { createMemoryAuthAdapter } from './adapters/memoryAuth';
+import { buildAuthResolvedConfig } from './config/authConfig';
+import { isProd } from './lib/env';
+import { validateJwtSecrets } from './lib/jwt';
+import { createOAuthProviders, getConfiguredOAuthProviders } from './lib/oauth';
+import { wireSecurityEventConfig } from './lib/securityEventWiring';
+const REDIS_STORE_UNAVAILABLE_MESSAGE = '[bunshot-auth] A store is configured as "redis" but no Redis connection is available.\n' +
+    'When using bunshot-auth standalone, use "memory" or "sqlite" stores,\n' +
+    'or establish a Redis connection (connectRedis()) before calling plugin.setupMiddleware().';
+const STANDALONE_MONGO_UNAVAILABLE_MESSAGE = '[bunshot-auth] Standalone mode with mongo requires connecting before setupMiddleware().\n' +
+    'Call connectMongo() / connectAuthMongo() + connectAppMongo() and pass connections via frameworkConfig,\n' +
+    'or use the framework (createServer / createApp) which handles this automatically.';
+const STANDALONE_REDIS_SESSION_UNAVAILABLE_MESSAGE = '[bunshot-auth] Standalone mode with redis stores requires connecting before setupMiddleware().\n' +
+    'Call connectRedis() and pass the client via frameworkConfig.redis,\n' +
+    'or use "memory" / "sqlite" stores for standalone mode.';
+function usesRedisStore(stores) {
+    return [stores.sessions, stores.oauthState, stores.authStore].includes('redis');
+}
+function requiresSqlite(stores) {
+    return (!!stores.sqlite || [stores.sessions, stores.oauthState, stores.authStore].includes('sqlite'));
+}
+function resolveSecurityStore(stores, configuredStore) {
+    if (configuredStore)
+        return configuredStore;
+    return [stores.sessions, stores.oauthState].includes('redis') ? 'redis' : 'memory';
+}
+function assertRedisAvailable(runtimeInfra, message) {
+    if (!runtimeInfra?.getRedis) {
+        throw new Error(message);
+    }
+    try {
+        runtimeInfra.getRedis();
+    }
+    catch {
+        throw new Error(message);
+    }
+}
+function assertMongoAuthAvailable(runtimeInfra, message) {
+    if (!runtimeInfra?.getMongoAuth?.()) {
+        throw new Error(message);
+    }
+}
+export async function bootstrapAuth(config, bus, resolvedStores, runtimeInfra) {
+    const authConfig = config.auth ?? {};
+    const sessionPolicy = authConfig.sessionPolicy ?? {};
+    const teardownFns = [];
+    const signing = runtimeInfra?.signing ?? config.security?.signing ?? null;
+    const dataEncryptionKeys = runtimeInfra?.dataEncryptionKeys ?? [];
+    // Section A: Event bus wiring
+    wireSecurityEventConfig(bus, config.securityEvents);
+    // Section B: Store resolution
+    let stores;
+    if (resolvedStores) {
+        stores = resolvedStores;
+    }
+    else {
+        const db = config.db ?? {};
+        const defaultStore = 'memory';
+        stores = {
+            sessions: db.sessions ?? defaultStore,
+            oauthState: db.oauthState ?? db.sessions ?? defaultStore,
+            cache: db.sessions ?? defaultStore,
+            authStore: db.auth ?? (db.mongo !== false ? 'mongo' : (db.sessions ?? defaultStore)),
+            sqlite: db.sqlite,
+        };
+        if (usesRedisStore(stores))
+            assertRedisAvailable(runtimeInfra, REDIS_STORE_UNAVAILABLE_MESSAGE);
+        if (db.mongo === 'single' || db.mongo === 'separate')
+            assertMongoAuthAvailable(runtimeInfra, STANDALONE_MONGO_UNAVAILABLE_MESSAGE);
+        if (db.redis !== false && stores.sessions === 'redis')
+            assertRedisAvailable(runtimeInfra, STANDALONE_REDIS_SESSION_UNAVAILABLE_MESSAGE);
+    }
+    // Section C: SQLite init
+    let sqliteAdapter = null;
+    if (requiresSqlite(stores)) {
+        const { createSqliteAuthAdapter } = await import('./adapters/sqliteAuth');
+        sqliteAdapter = createSqliteAuthAdapter(stores.sqlite ?? './data.db');
+        teardownFns.push(() => sqliteAdapter.stopCleanup());
+    }
+    // Section E: Adapter resolution
+    let authAdapter;
+    const explicitAdapter = authConfig.adapter;
+    if (explicitAdapter) {
+        authAdapter = explicitAdapter;
+    }
+    else if (stores.authStore === 'sqlite') {
+        if (!sqliteAdapter)
+            throw new Error('[bunshot-auth] SQLite adapter not initialized');
+        authAdapter = sqliteAdapter.adapter;
+    }
+    else if (stores.authStore === 'memory') {
+        authAdapter = createMemoryAuthAdapter(() => resolvedConfig);
+    }
+    else {
+        const { createMongoAuthAdapter } = await import('./adapters/mongoAuth');
+        const { resolveMongoose: resolveMg_ } = await import('./infra/mongo');
+        const authConn = runtimeInfra?.getMongoAuth?.() ?? null;
+        if (!authConn)
+            throw new Error('[bunshot-auth] Mongo auth adapter requires a Mongo auth connection via runtimeInfra.getMongoAuth');
+        authAdapter = createMongoAuthAdapter(authConn, resolveMg_());
+    }
+    // Section F: Config-vs-config validations
+    const emailVerification = authConfig.emailVerification;
+    const passwordReset = authConfig.passwordReset;
+    const primaryField = authConfig.primaryField ?? 'email';
+    const oauthProviders = authConfig.oauth?.providers;
+    if (emailVerification && primaryField !== 'email') {
+        throw new Error(`[bunshot-auth] "emailVerification" is only supported when primaryField is "email". Either set primaryField to "email" or remove emailVerification.`);
+    }
+    if (passwordReset && primaryField !== 'email') {
+        throw new Error(`[bunshot-auth] "passwordReset" is only supported when primaryField is "email". Either set primaryField to "email" or remove passwordReset.`);
+    }
+    if (authConfig.concealRegistration && primaryField !== 'email') {
+        throw new Error(`[bunshot-auth] "concealRegistration" requires primaryField to be "email" — concealment relies on email delivery as the side-channel`);
+    }
+    // Adapter capability validation
+    {
+        const { validateAdapterCapabilities } = await import('./lib/validateAdapter');
+        validateAdapterCapabilities(authAdapter, {
+            hasOAuthProviders: Array.isArray(oauthProviders) && oauthProviders.length > 0,
+            hasMfa: !!authConfig.mfa,
+            hasMfaWebAuthn: !!authConfig.mfa?.webauthn,
+            hasRoles: (authConfig.roles?.length ?? 0) > 0 && !authConfig.defaultRole,
+            hasDefaultRole: !!authConfig.defaultRole,
+            hasGroups: !!config.groups,
+            hasSuspension: !!authConfig.checkSuspensionOnIdentify,
+            hasM2m: !!authConfig.m2m?.enabled,
+            hasAdminApi: false,
+            hasPasswordReset: !!passwordReset,
+            hasPreventReuse: !!authConfig.passwordPolicy?.preventReuse,
+            hasScim: !!authConfig.scim,
+        });
+    }
+    // Validate TOTP encryption key
+    if (authConfig.mfa) {
+        if (dataEncryptionKeys.length === 0) {
+            if (isProd()) {
+                throw new Error('[bunshot-auth] MFA is configured in production but BUNSHOT_DATA_ENCRYPTION_KEY is not set. Set this env var to encrypt TOTP secrets at rest.');
+            }
+            else {
+                console.warn('[bunshot-auth] WARNING: MFA configured without BUNSHOT_DATA_ENCRYPTION_KEY. TOTP secrets stored in plaintext. Set this key in production.');
+            }
+        }
+    }
+    // Section G: Build resolved auth config
+    const maxSessions = (() => {
+        const n = sessionPolicy.maxSessions ?? 6;
+        return Number.isFinite(n) && n >= 1 ? Math.floor(n) : 1;
+    })();
+    let resolvedConfig = {
+        appName: config.appName ?? 'Bun Core API',
+        appRoles: authConfig.roles ?? [],
+        defaultRole: authConfig.defaultRole ?? null,
+        primaryField,
+        concealRegistration: authConfig.concealRegistration ?? null,
+        emailVerification: emailVerification ?? null,
+        passwordReset: passwordReset ?? null,
+        magicLink: authConfig.magicLink ?? null,
+        passwordPolicy: authConfig.passwordPolicy ?? {},
+        authCookie: authConfig.cookieConfig ?? {},
+        csrfCookie: authConfig.csrfCookieConfig ?? {},
+        maxSessions,
+        persistSessionMetadata: sessionPolicy.persistSessionMetadata ?? true,
+        includeInactiveSessions: sessionPolicy.includeInactiveSessions ?? false,
+        trackLastActive: sessionPolicy.trackLastActive ?? false,
+        sessionPolicy,
+        refreshToken: authConfig.refreshTokens ?? null,
+        mfa: authConfig.mfa ?? null,
+        csrfEnabled: !!config.security?.csrf?.enabled,
+        jwt: authConfig.jwt ?? null,
+        breachedPassword: authConfig.breachedPasswordCheck ?? null,
+        oauthReauth: authConfig.oauth?.reauth ?? null,
+        stepUp: authConfig.stepUp ?? null,
+        checkSuspensionOnIdentify: !!authConfig.checkSuspensionOnIdentify,
+        captcha: config.security?.captcha ?? null,
+        m2m: authConfig.m2m?.enabled !== false && authConfig.m2m ? authConfig.m2m : null,
+        saml: authConfig.saml ?? null,
+        oidc: authConfig.oidc ?? null,
+        scim: authConfig.scim ?? null,
+        emailTemplates: config.emailTemplates ?? null,
+        hooks: authConfig.hooks ?? {},
+    };
+    // Section G2: Security services
+    const securityStore = resolveSecurityStore(stores, authConfig.rateLimit?.store);
+    let credentialStuffingService = null;
+    let lockoutService = null;
+    if (sessionPolicy.idleTimeout) {
+        console.log('[bunshot-auth] sessionPolicy.idleTimeout is set — trackLastActive auto-enabled for idle timeout enforcement.');
+    }
+    // Section H: OIDC setup
+    if (authConfig.oidc) {
+        resolvedConfig = {
+            ...resolvedConfig,
+            jwt: { ...(authConfig.jwt ?? {}), issuer: authConfig.oidc.issuer, algorithm: 'RS256' },
+        };
+        const { loadJwksKey, generateAndLoadKeyPair, loadPreviousKey } = await import('./lib/jwks');
+        let oidcConfig = resolvedConfig.oidc ?? authConfig.oidc;
+        if (oidcConfig.signingKey) {
+            oidcConfig = loadJwksKey(oidcConfig, oidcConfig.signingKey);
+        }
+        else {
+            oidcConfig = (await generateAndLoadKeyPair(oidcConfig)).oidc;
+        }
+        for (const prev of authConfig.oidc.previousKeys ?? []) {
+            oidcConfig = loadPreviousKey(oidcConfig, prev);
+        }
+        resolvedConfig = {
+            ...resolvedConfig,
+            oidc: oidcConfig,
+        };
+    }
+    // Freeze the final config
+    resolvedConfig = buildAuthResolvedConfig(resolvedConfig);
+    validateJwtSecrets(resolvedConfig, signing);
+    if (sqliteAdapter) {
+        // SQLite has no native TTL mechanism, so auth owns cleanup startup.
+        sqliteAdapter.startCleanup(() => resolvedConfig);
+    }
+    // Section I: OAuth init
+    const resolvedOAuthProviders = oauthProviders ? createOAuthProviders(oauthProviders) : {};
+    const configuredOAuth = getConfiguredOAuthProviders(resolvedOAuthProviders);
+    // Section J: Queue factory + account deletion worker
+    const enableAuthRoutes = authConfig.enabled !== false;
+    let queueFactory = null;
+    if (runtimeInfra?.getRedis) {
+        try {
+            const { createQueueFactory } = await import('./infra/queue');
+            queueFactory = createQueueFactory(runtimeInfra.getRedis);
+        }
+        catch (err) {
+            // BullMQ not installed — only error if queued deletion is configured
+            if (!err?.message?.includes('bullmq is not installed'))
+                throw err;
+            if (authConfig.accountDeletion?.queued) {
+                throw new Error('[bunshot-auth] accountDeletion.queued requires BullMQ. Run: bun add bullmq');
+            }
+        }
+    }
+    if (authConfig.accountDeletion?.queued && enableAuthRoutes) {
+        if (!queueFactory) {
+            throw new Error('[bunshot-auth] accountDeletion.queued requires Redis and BullMQ.');
+        }
+        const appName_ = config.appName ?? 'Bun Core API';
+        const accountDeletion_ = authConfig.accountDeletion;
+        queueFactory.createWorker(`${appName_}:account-deletions`, async (job) => {
+            const { userId } = job.data;
+            const adapter_ = authAdapter;
+            if (accountDeletion_.onBeforeDelete)
+                await accountDeletion_.onBeforeDelete(userId);
+            if (adapter_.deleteUser)
+                await adapter_.deleteUser(userId);
+            if (accountDeletion_.onAfterDelete)
+                await accountDeletion_.onAfterDelete(userId);
+        }, { concurrency: 1 });
+    }
+    // Section K: Bearer auth bypass paths
+    const oauthBypass = configuredOAuth.flatMap(p => [
+        `/auth/${p}`,
+        `/auth/${p}/callback`,
+        `/auth/${p}/link`,
+    ]);
+    const DEFAULT_BYPASS = [
+        '/docs',
+        '/openapi.json',
+        '/sw.js',
+        '/health',
+        '/',
+        '/metrics',
+        '/oauth/token',
+        '/.well-known/openid-configuration',
+        '/.well-known/jwks.json',
+        '/auth/saml/*',
+        '/scim/v2/*',
+    ];
+    const extraBypass = typeof config.security?.bearerAuth === 'object' && config.security.bearerAuth !== null
+        ? (config.security.bearerAuth.bypass ?? [])
+        : [];
+    const bearerAuthBypassPaths = [...DEFAULT_BYPASS, ...oauthBypass, ...extraBypass];
+    const oauthCallbackPaths = oauthBypass.filter(p => p.includes('/callback'));
+    // Section L: Organization service
+    let orgService = null;
+    if (config.organizations?.enabled) {
+        const { createOrgService } = await import('./lib/organization');
+        orgService = createOrgService(config.organizations);
+    }
+    // Section M: Repository creation — one infra, all repos resolved from factory maps
+    const { resolveMongoose } = await import('./infra/mongo');
+    const { resolveRepo } = await import('../../bunshot-core/src/index.js');
+    const { oauthStateFactories } = await import('./lib/oauth');
+    const { oauthCodeFactories } = await import('./lib/oauthCode');
+    const { oauthReauthFactories } = await import('./lib/oauthReauth');
+    const { magicLinkFactories } = await import('./lib/magicLink');
+    const { deletionCancelTokenFactories } = await import('./lib/deletionCancelToken');
+    const { mfaChallengeFactories } = await import('./lib/mfaChallenge');
+    const { verificationTokenFactories } = await import('./lib/emailVerification');
+    const { resetTokenFactories } = await import('./lib/resetPassword');
+    const { sessionFactories } = await import('./lib/session');
+    const { createCredentialStuffingService, credentialStuffingFactories } = await import('./lib/credentialStuffing');
+    const { createLockoutService, lockoutRepositoryFactories } = await import('./lib/accountLockout');
+    const { createAuthRateLimitService, authRateLimitFactories } = await import('./lib/authRateLimit');
+    const getRedis = runtimeInfra?.getRedis ??
+        (() => {
+            throw new Error('[bunshot-auth] Redis not configured');
+        });
+    const getMongoApp = runtimeInfra?.getMongoApp ?? (() => null);
+    const storeInfra = {
+        appName: resolvedConfig.appName,
+        getRedis,
+        getMongo: () => {
+            const conn = getMongoApp();
+            if (!conn)
+                throw new Error('[bunshot-auth] Mongo app connection not configured');
+            return { conn, mg: resolveMongoose() };
+        },
+        getSqliteDb: () => {
+            if (!sqliteAdapter)
+                throw new Error('[bunshot-auth] SQLite adapter not initialized');
+            return sqliteAdapter.db;
+        },
+        getPostgres: () => {
+            throw new Error('[bunshot-auth] postgres store is not supported in bunshot-auth');
+        },
+    };
+    const oauthStateStore = resolveRepo(oauthStateFactories, stores.oauthState, storeInfra);
+    const oauthCodeRepo = resolveRepo(oauthCodeFactories, stores.oauthState, storeInfra);
+    const oauthReauthRepo = resolveRepo(oauthReauthFactories, stores.oauthState, storeInfra);
+    const magicLinkRepo = resolveRepo(magicLinkFactories, stores.sessions, storeInfra);
+    const deletionCancelTokenRepo = resolveRepo(deletionCancelTokenFactories, stores.sessions, storeInfra);
+    const mfaChallengeRepo = resolveRepo(mfaChallengeFactories, stores.sessions, storeInfra);
+    const verificationTokenRepo = resolveRepo(verificationTokenFactories, stores.sessions, storeInfra);
+    const resetTokenRepo = resolveRepo(resetTokenFactories, stores.sessions, storeInfra);
+    const sessionRepo = resolveRepo(sessionFactories, stores.sessions, storeInfra);
+    const rateLimitRepo = resolveRepo(authRateLimitFactories, securityStore, storeInfra);
+    const rateLimitService = createAuthRateLimitService(rateLimitRepo);
+    if (authConfig.rateLimit?.credentialStuffing) {
+        const credentialStuffingRepo = resolveRepo(credentialStuffingFactories, securityStore, storeInfra);
+        credentialStuffingService = createCredentialStuffingService(authConfig.rateLimit.credentialStuffing, credentialStuffingRepo);
+    }
+    if (authConfig.lockout) {
+        const lockoutRepo = resolveRepo(lockoutRepositoryFactories, securityStore, storeInfra);
+        lockoutService = createLockoutService(authConfig.lockout, lockoutRepo);
+    }
+    let samlRequestIdRepo = null;
+    if (authConfig.saml) {
+        const { samlRequestIdFactories } = await import('./lib/samlRequestId');
+        samlRequestIdRepo = resolveRepo(samlRequestIdFactories, stores.oauthState, storeInfra);
+    }
+    return {
+        adapter: authAdapter,
+        runtime: {
+            adapter: authAdapter,
+            eventBus: bus,
+            config: resolvedConfig,
+            stores,
+            signing,
+            dataEncryptionKeys,
+            oauth: {
+                providers: resolvedOAuthProviders,
+                stateStore: oauthStateStore,
+            },
+            lockout: lockoutService,
+            rateLimit: rateLimitService,
+            credentialStuffing: credentialStuffingService,
+            orgService,
+            queueFactory,
+            repos: {
+                oauthCode: oauthCodeRepo,
+                oauthReauth: oauthReauthRepo,
+                magicLink: magicLinkRepo,
+                deletionCancelToken: deletionCancelTokenRepo,
+                mfaChallenge: mfaChallengeRepo,
+                samlRequestId: samlRequestIdRepo,
+                verificationToken: verificationTokenRepo,
+                resetToken: resetTokenRepo,
+                session: sessionRepo,
+            },
+        },
+        configuredOAuthProviders: configuredOAuth,
+        bearerAuthBypassPaths,
+        oauthCallbackPaths,
+        stores,
+        teardownFns,
+    };
+}

package/dist/packages/bunshot-auth/src/config/appConfig.d.ts

@@ -0,0 +1,3 @@
+export declare const getAppName: () => string;
+export declare const getAppRoles: () => readonly string[];
+export declare const getDefaultRole: () => string | null;

package/dist/packages/bunshot-auth/src/config/appConfig.js

@@ -0,0 +1,4 @@
+import { getAuthResolvedConfig } from "./authConfig";
+export const getAppName = () => getAuthResolvedConfig().appName;
+export const getAppRoles = () => getAuthResolvedConfig().appRoles;
+export const getDefaultRole = () => getAuthResolvedConfig().defaultRole;