@lastshotlabs/bunshot 0.0.25 → 0.0.28

package/dist/packages/bunshot-auth/src/lib/deletionCancelToken.js

@@ -0,0 +1,148 @@
+import { DEFAULT_MAX_ENTRIES, evictExpired, evictOldest } from '../../../bunshot-core/src/index.js';
+import { sha256 as hashToken } from '../../../bunshot-core/src/index.js';
+export function createMemoryDeletionCancelTokenRepository() {
+    const tokens = new Map();
+    return {
+        async store(hash, userId, jobId, ttl) {
+            evictExpired(tokens);
+            evictOldest(tokens, DEFAULT_MAX_ENTRIES);
+            tokens.set(hash, { userId, jobId, expiresAt: Date.now() + ttl * 1000 });
+        },
+        async consume(hash) {
+            const entry = tokens.get(hash);
+            if (!entry || entry.expiresAt <= Date.now()) {
+                tokens.delete(hash);
+                return null;
+            }
+            tokens.delete(hash);
+            return { userId: entry.userId, jobId: entry.jobId };
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// SQLite repository factory
+// ---------------------------------------------------------------------------
+export function createSqliteDeletionCancelTokenRepository(db) {
+    let initialized = false;
+    function init() {
+        if (initialized)
+            return;
+        db.run(`CREATE TABLE IF NOT EXISTS auth_deletion_cancel_tokens (
+      tokenHash TEXT PRIMARY KEY,
+      userId    TEXT NOT NULL,
+      jobId     TEXT NOT NULL,
+      expiresAt INTEGER NOT NULL
+    )`);
+        db.run('CREATE INDEX IF NOT EXISTS idx_auth_deletion_cancel_tokens_expiresAt ON auth_deletion_cancel_tokens(expiresAt)');
+        initialized = true;
+    }
+    return {
+        async store(hash, userId, jobId, ttl) {
+            init();
+            const expiresAt = Date.now() + ttl * 1000;
+            db.run(`INSERT INTO auth_deletion_cancel_tokens (tokenHash, userId, jobId, expiresAt)
+         VALUES (?, ?, ?, ?)
+         ON CONFLICT(tokenHash) DO UPDATE SET userId = excluded.userId, jobId = excluded.jobId, expiresAt = excluded.expiresAt`, [hash, userId, jobId, expiresAt]);
+        },
+        async consume(hash) {
+            init();
+            const now = Date.now();
+            const row = db
+                .query('SELECT userId, jobId FROM auth_deletion_cancel_tokens WHERE tokenHash = ? AND expiresAt > ?')
+                .get(hash, now);
+            db.run('DELETE FROM auth_deletion_cancel_tokens WHERE tokenHash = ?', [hash]);
+            if (!row)
+                return null;
+            return { userId: row.userId, jobId: row.jobId };
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// Redis repository factory
+// ---------------------------------------------------------------------------
+/** Atomically GET+DEL a key. Uses native GETDEL (Redis >= 6.2) with a Lua fallback. */
+async function redisGetDel(redis, key) {
+    if (typeof redis.getdel === 'function') {
+        try {
+            return await redis.getdel(key);
+        }
+        catch (err) {
+            const msg = err?.message ?? '';
+            if (!/unknown command|ERR unknown command/i.test(msg))
+                throw err;
+        }
+    }
+    const result = await redis.eval("local v = redis.call('GET', KEYS[1])\nif v then redis.call('DEL', KEYS[1]) end\nreturn v", 1, key);
+    return result ?? null;
+}
+export function createRedisDeletionCancelTokenRepository(getRedis, appName) {
+    return {
+        async store(hash, userId, jobId, ttl) {
+            await getRedis().set(`delcancel:${appName}:${hash}`, JSON.stringify({ userId, jobId }), 'EX', ttl);
+        },
+        async consume(hash) {
+            const raw = await redisGetDel(getRedis(), `delcancel:${appName}:${hash}`);
+            if (!raw)
+                return null;
+            return JSON.parse(raw);
+        },
+    };
+}
+export function createMongoDeletionCancelTokenRepository(conn, mg) {
+    function getModel() {
+        if (conn.models['DeletionCancelToken'])
+            return conn.models['DeletionCancelToken'];
+        const { Schema } = mg;
+        const schema = new Schema({
+            token: { type: String, required: true, unique: true },
+            userId: { type: String, required: true },
+            jobId: { type: String, required: true },
+            expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
+        }, { collection: 'deletion_cancel_tokens' });
+        return conn.model('DeletionCancelToken', schema);
+    }
+    return {
+        async store(hash, userId, jobId, ttl) {
+            await getModel().create({
+                token: hash,
+                userId,
+                jobId,
+                expiresAt: new Date(Date.now() + ttl * 1000),
+            });
+        },
+        async consume(hash) {
+            const doc = await getModel()
+                .findOneAndDelete({ token: hash, expiresAt: { $gt: new Date() } })
+                .lean();
+            if (!doc)
+                return null;
+            return { userId: doc.userId, jobId: doc.jobId };
+        },
+    };
+}
+export const deletionCancelTokenFactories = {
+    memory: () => createMemoryDeletionCancelTokenRepository(),
+    sqlite: infra => createSqliteDeletionCancelTokenRepository(infra.getSqliteDb()),
+    redis: infra => createRedisDeletionCancelTokenRepository(infra.getRedis, infra.appName),
+    mongo: infra => {
+        const { conn, mg } = infra.getMongo();
+        return createMongoDeletionCancelTokenRepository(conn, mg);
+    },
+    postgres: () => {
+        throw new Error('[bunshot-auth] postgres store is not yet supported for deletionCancelToken repository');
+    },
+};
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+export const createDeletionCancelToken = async (repo, userId, jobId, gracePeriodSeconds) => {
+    const token = crypto.randomUUID();
+    const hash = hashToken(token);
+    const ttl = gracePeriodSeconds + 300;
+    await repo.store(hash, userId, jobId, ttl);
+    return token;
+};
+export const consumeDeletionCancelToken = async (repo, token) => {
+    const hash = hashToken(token);
+    return repo.consume(hash);
+};

package/dist/packages/bunshot-auth/src/lib/emailTemplates.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Built-in email templates with variable substitution.
+ *
+ * Templates use {{variableName}} placeholders. Unknown variables are left as-is.
+ * All templates use inline CSS only — no external CDN dependencies.
+ */
+export interface EmailTemplate {
+    subject: string;
+    html: string;
+    text: string;
+}
+export interface TemplateVariables {
+    [key: string]: string | number;
+}
+/**
+ * Render a template by replacing {{variableName}} placeholders with the
+ * provided values. Unknown variables are left as-is in the output.
+ *
+ * HTML body values are escaped to prevent XSS. Subject and text fields
+ * are plain text and are not escaped.
+ */
+export declare function renderTemplate(template: EmailTemplate, vars: TemplateVariables): EmailTemplate;
+export declare const templates: Record<string, EmailTemplate>;

package/dist/packages/bunshot-auth/src/lib/emailTemplates.js

@@ -0,0 +1,265 @@
+/**
+ * Built-in email templates with variable substitution.
+ *
+ * Templates use {{variableName}} placeholders. Unknown variables are left as-is.
+ * All templates use inline CSS only — no external CDN dependencies.
+ */
+function escapeHtml(str) {
+    return str
+        .replace(/&/g, '&')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#x27;');
+}
+/**
+ * Render a template by replacing {{variableName}} placeholders with the
+ * provided values. Unknown variables are left as-is in the output.
+ *
+ * HTML body values are escaped to prevent XSS. Subject and text fields
+ * are plain text and are not escaped.
+ */
+export function renderTemplate(template, vars) {
+    const replace = (str, escape) => str.replace(/\{\{(\w+)\}\}/g, (match, key) => {
+        const value = vars[key];
+        if (value === undefined)
+            return match;
+        const strValue = String(value);
+        return escape ? escapeHtml(strValue) : strValue;
+    });
+    return {
+        subject: replace(template.subject, false),
+        html: replace(template.html, true),
+        text: replace(template.text, false),
+    };
+}
+// ---------------------------------------------------------------------------
+// Shared HTML shell
+// ---------------------------------------------------------------------------
+function htmlShell(bodyContent) {
+    return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>Email</title>
+</head>
+<body style="margin:0;padding:0;background-color:#f4f4f5;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,Helvetica,Arial,sans-serif;">
+  <table width="100%" cellpadding="0" cellspacing="0" style="background-color:#f4f4f5;padding:40px 0;">
+    <tr>
+      <td align="center">
+        <table width="560" cellpadding="0" cellspacing="0" style="max-width:560px;width:100%;background-color:#ffffff;border-radius:8px;overflow:hidden;box-shadow:0 1px 3px rgba(0,0,0,0.08);">
+          <tr>
+            <td style="padding:40px 48px;">
+              ${bodyContent}
+            </td>
+          </tr>
+          <tr>
+            <td style="padding:24px 48px;background-color:#f9fafb;border-top:1px solid #e5e7eb;">
+              <p style="margin:0;font-size:12px;color:#9ca3af;text-align:center;">
+                This email was sent by {{appName}}. If you did not request this, you can safely ignore it.
+              </p>
+            </td>
+          </tr>
+        </table>
+      </td>
+    </tr>
+  </table>
+</body>
+</html>`;
+}
+function ctaButton(href, label) {
+    return `<a href="${href}" style="display:inline-block;padding:12px 24px;background-color:#18181b;color:#ffffff;text-decoration:none;border-radius:6px;font-size:14px;font-weight:600;letter-spacing:0.01em;">${label}</a>`;
+}
+function heading(text) {
+    return `<h1 style="margin:0 0 8px 0;font-size:22px;font-weight:700;color:#111827;line-height:1.3;">${text}</h1>`;
+}
+function subtext(text) {
+    return `<p style="margin:0 0 24px 0;font-size:14px;color:#6b7280;line-height:1.6;">${text}</p>`;
+}
+function appNameHeading() {
+    return `<p style="margin:0 0 24px 0;font-size:13px;font-weight:600;color:#6b7280;text-transform:uppercase;letter-spacing:0.05em;">{{appName}}</p>`;
+}
+function linkFallback(href) {
+    return `<p style="margin:24px 0 0 0;font-size:12px;color:#9ca3af;">If the button doesn't work, copy and paste this link:<br /><a href="${href}" style="color:#6b7280;word-break:break-all;">${href}</a></p>`;
+}
+// ---------------------------------------------------------------------------
+// Built-in templates
+// ---------------------------------------------------------------------------
+export const templates = {
+    /**
+     * Email verification
+     * Variables: {{appName}}, {{verificationLink}}, {{expiryMinutes}}
+     */
+    emailVerification: {
+        subject: 'Verify your email',
+        html: htmlShell(`
+              ${appNameHeading()}
+              ${heading('Verify your email address')}
+              ${subtext('Click the button below to verify your email address. This link expires in {{expiryMinutes}} minutes.')}
+              ${ctaButton('{{verificationLink}}', 'Verify Email')}
+              ${linkFallback('{{verificationLink}}')}
+    `),
+        text: `Verify your email address
+
+Hi,
+
+Please verify your email address for {{appName}} by visiting the link below.
+
+{{verificationLink}}
+
+This link expires in {{expiryMinutes}} minutes.
+
+If you did not create an account, you can safely ignore this email.`,
+    },
+    /**
+     * Password reset
+     * Variables: {{appName}}, {{resetLink}}, {{expiryMinutes}}
+     */
+    passwordReset: {
+        subject: 'Reset your password',
+        html: htmlShell(`
+              ${appNameHeading()}
+              ${heading('Reset your password')}
+              ${subtext('We received a request to reset your password. Click the button below to choose a new one. This link expires in {{expiryMinutes}} minutes.')}
+              ${ctaButton('{{resetLink}}', 'Reset Password')}
+              ${linkFallback('{{resetLink}}')}
+    `),
+        text: `Reset your password
+
+Hi,
+
+We received a request to reset your password for {{appName}}.
+
+Visit the link below to choose a new password:
+
+{{resetLink}}
+
+This link expires in {{expiryMinutes}} minutes.
+
+If you did not request a password reset, you can safely ignore this email.`,
+    },
+    /**
+     * Magic link sign-in
+     * Variables: {{appName}}, {{magicLink}}, {{expiryMinutes}}
+     */
+    magicLink: {
+        subject: 'Your sign-in link',
+        html: htmlShell(`
+              ${appNameHeading()}
+              ${heading('Your sign-in link')}
+              ${subtext('Click the button below to sign in to {{appName}}. This link expires in {{expiryMinutes}} minutes and can only be used once.')}
+              ${ctaButton('{{magicLink}}', 'Sign In')}
+              ${linkFallback('{{magicLink}}')}
+    `),
+        text: `Your sign-in link for {{appName}}
+
+Hi,
+
+Use the link below to sign in to {{appName}}. This link expires in {{expiryMinutes}} minutes and can only be used once.
+
+{{magicLink}}
+
+If you did not request this, you can safely ignore this email.`,
+    },
+    /**
+     * Email OTP (MFA)
+     * Variables: {{appName}}, {{code}}, {{expiryMinutes}}
+     */
+    emailOtp: {
+        subject: 'Your verification code',
+        html: htmlShell(`
+              ${appNameHeading()}
+              ${heading('Your verification code')}
+              ${subtext('Enter the code below to complete your sign-in. It expires in {{expiryMinutes}} minutes.')}
+              <div style="margin:0 0 24px 0;padding:20px;background-color:#f9fafb;border-radius:6px;text-align:center;border:1px solid #e5e7eb;">
+                <span style="font-size:36px;font-weight:700;color:#111827;letter-spacing:0.15em;font-family:'Courier New',Courier,monospace;">{{code}}</span>
+              </div>
+              <p style="margin:0;font-size:13px;color:#9ca3af;">Do not share this code with anyone. {{appName}} will never ask for your code.</p>
+    `),
+        text: `Your verification code for {{appName}}
+
+Your verification code is:
+
+{{code}}
+
+This code expires in {{expiryMinutes}} minutes. Do not share it with anyone.
+
+If you did not request this, you can safely ignore this email.`,
+    },
+    /**
+     * Welcome email (sent after registration)
+     * Variables: {{appName}}, {{identifier}}
+     */
+    welcomeEmail: {
+        subject: 'Welcome to {{appName}}',
+        html: htmlShell(`
+              ${appNameHeading()}
+              ${heading('Welcome to {{appName}}')}
+              ${subtext("Your account has been created for <strong>{{identifier}}</strong>. You're all set to get started.")}
+              <p style="margin:0;font-size:14px;color:#6b7280;line-height:1.6;">If you have any questions, don't hesitate to reach out to our support team.</p>
+    `),
+        text: `Welcome to {{appName}}
+
+Hi {{identifier}},
+
+Your account has been created. You're all set to get started.
+
+If you have any questions, don't hesitate to reach out to our support team.
+
+— The {{appName}} Team`,
+    },
+    /**
+     * Account deletion scheduled (with cancel link)
+     * Variables: {{appName}}, {{cancelLink}}, {{gracePeriodHours}}
+     */
+    accountDeletion: {
+        subject: 'Account deletion scheduled',
+        html: htmlShell(`
+              ${appNameHeading()}
+              ${heading('Your account is scheduled for deletion')}
+              ${subtext('Your {{appName}} account has been scheduled for deletion. If this was a mistake, click the button below to cancel within {{gracePeriodHours}} hours.')}
+              ${ctaButton('{{cancelLink}}', 'Cancel Deletion')}
+              ${linkFallback('{{cancelLink}}')}
+              <p style="margin:24px 0 0 0;font-size:13px;color:#ef4444;font-weight:500;">After {{gracePeriodHours}} hours, your account and all associated data will be permanently deleted and cannot be recovered.</p>
+    `),
+        text: `Your account is scheduled for deletion
+
+Hi,
+
+Your {{appName}} account has been scheduled for deletion. If this was a mistake, visit the link below to cancel within {{gracePeriodHours}} hours.
+
+{{cancelLink}}
+
+After {{gracePeriodHours}} hours, your account and all associated data will be permanently deleted and cannot be recovered.
+
+If you intended to delete your account, no action is needed.`,
+    },
+    /**
+     * Organization invitation
+     * Variables: {{appName}}, {{orgName}}, {{invitationLink}}, {{expiryDays}}
+     */
+    orgInvitation: {
+        subject: "You've been invited to join {{orgName}}",
+        html: htmlShell(`
+              ${appNameHeading()}
+              ${heading("You've been invited to join {{orgName}}")}
+              ${subtext("You've been invited to join <strong>{{orgName}}</strong> on {{appName}}. Click the button below to accept your invitation. This invite expires in {{expiryDays}} days.")}
+              ${ctaButton('{{invitationLink}}', 'Accept Invitation')}
+              ${linkFallback('{{invitationLink}}')}
+    `),
+        text: `You've been invited to join {{orgName}}
+
+Hi,
+
+You've been invited to join {{orgName}} on {{appName}}.
+
+Accept your invitation here:
+
+{{invitationLink}}
+
+This invite expires in {{expiryDays}} days.
+
+If you were not expecting this invitation, you can safely ignore this email.`,
+    },
+};

package/dist/packages/bunshot-auth/src/lib/emailVerification.d.ts

@@ -0,0 +1,30 @@
+import type { RepoFactories } from '../../../bunshot-core/src/index.js';
+import type { AuthResolvedConfig } from '../config/authConfig';
+import type { RedisLike } from '../types/redis';
+export interface IVerificationTokenRepository {
+    create(hash: string, userId: string, email: string, ttl: number): Promise<void>;
+    get(hash: string): Promise<{
+        userId: string;
+        email: string;
+    } | null>;
+    delete(hash: string): Promise<void>;
+    consume(hash: string): Promise<{
+        userId: string;
+        email: string;
+    } | null>;
+}
+export declare function createMemoryVerificationTokenRepository(): IVerificationTokenRepository;
+export declare function createSqliteVerificationTokenRepository(db: import('bun:sqlite').Database): IVerificationTokenRepository;
+export declare function createRedisVerificationTokenRepository(getRedis: () => RedisLike, appName: string): IVerificationTokenRepository;
+export declare function createMongoVerificationTokenRepository(conn: import('mongoose').Connection, mg: typeof import('mongoose')): IVerificationTokenRepository;
+export declare const verificationTokenFactories: RepoFactories<IVerificationTokenRepository>;
+export declare const createVerificationToken: (repo: IVerificationTokenRepository, userId: string, email: string, config: AuthResolvedConfig) => Promise<string>;
+export declare const getVerificationToken: (repo: IVerificationTokenRepository, token: string) => Promise<{
+    userId: string;
+    email: string;
+} | null>;
+export declare const deleteVerificationToken: (repo: IVerificationTokenRepository, token: string) => Promise<void>;
+export declare const consumeVerificationToken: (repo: IVerificationTokenRepository, token: string) => Promise<{
+    userId: string;
+    email: string;
+} | null>;

package/dist/packages/bunshot-auth/src/lib/emailVerification.js

@@ -0,0 +1,200 @@
+import { DEFAULT_MAX_ENTRIES, evictExpired, evictOldest, sha256 } from '../../../bunshot-core/src/index.js';
+export function createMemoryVerificationTokenRepository() {
+    const tokens = new Map();
+    return {
+        async create(hash, userId, email, ttl) {
+            evictExpired(tokens);
+            evictOldest(tokens, DEFAULT_MAX_ENTRIES);
+            tokens.set(hash, { userId, email, expiresAt: Date.now() + ttl * 1000 });
+        },
+        async get(hash) {
+            const entry = tokens.get(hash);
+            if (!entry || entry.expiresAt <= Date.now()) {
+                tokens.delete(hash);
+                return null;
+            }
+            return { userId: entry.userId, email: entry.email };
+        },
+        async delete(hash) {
+            tokens.delete(hash);
+        },
+        async consume(hash) {
+            const entry = tokens.get(hash);
+            if (!entry || entry.expiresAt <= Date.now()) {
+                tokens.delete(hash);
+                return null;
+            }
+            tokens.delete(hash);
+            return { userId: entry.userId, email: entry.email };
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// SQLite repository factory
+// ---------------------------------------------------------------------------
+export function createSqliteVerificationTokenRepository(db) {
+    let initialized = false;
+    function init() {
+        if (initialized)
+            return;
+        db.run(`CREATE TABLE IF NOT EXISTS auth_verification_tokens (
+      tokenHash TEXT PRIMARY KEY,
+      userId    TEXT NOT NULL,
+      email     TEXT NOT NULL,
+      expiresAt INTEGER NOT NULL
+    )`);
+        db.run('CREATE INDEX IF NOT EXISTS idx_auth_verification_tokens_expiresAt ON auth_verification_tokens(expiresAt)');
+        initialized = true;
+    }
+    return {
+        async create(hash, userId, email, ttl) {
+            init();
+            const expiresAt = Date.now() + ttl * 1000;
+            db.run(`INSERT INTO auth_verification_tokens (tokenHash, userId, email, expiresAt)
+         VALUES (?, ?, ?, ?)
+         ON CONFLICT(tokenHash) DO UPDATE SET userId = excluded.userId, email = excluded.email, expiresAt = excluded.expiresAt`, [hash, userId, email, expiresAt]);
+        },
+        async get(hash) {
+            init();
+            const now = Date.now();
+            const row = db
+                .query('SELECT userId, email FROM auth_verification_tokens WHERE tokenHash = ? AND expiresAt > ?')
+                .get(hash, now);
+            return row ? { userId: row.userId, email: row.email } : null;
+        },
+        async delete(hash) {
+            init();
+            db.run('DELETE FROM auth_verification_tokens WHERE tokenHash = ?', [hash]);
+        },
+        async consume(hash) {
+            init();
+            const now = Date.now();
+            const row = db
+                .query('SELECT userId, email FROM auth_verification_tokens WHERE tokenHash = ? AND expiresAt > ?')
+                .get(hash, now);
+            db.run('DELETE FROM auth_verification_tokens WHERE tokenHash = ?', [hash]);
+            if (!row)
+                return null;
+            return { userId: row.userId, email: row.email };
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// Redis repository factory
+// ---------------------------------------------------------------------------
+/** Atomically GET+DEL a key. Uses native GETDEL (Redis >= 6.2) with a Lua fallback. */
+async function redisGetDel(redis, key) {
+    if (typeof redis.getdel === 'function') {
+        try {
+            return await redis.getdel(key);
+        }
+        catch (err) {
+            const msg = err?.message ?? '';
+            if (!/unknown command|ERR unknown command/i.test(msg))
+                throw err;
+        }
+    }
+    const result = await redis.eval("local v = redis.call('GET', KEYS[1])\nif v then redis.call('DEL', KEYS[1]) end\nreturn v", 1, key);
+    return result ?? null;
+}
+export function createRedisVerificationTokenRepository(getRedis, appName) {
+    return {
+        async create(hash, userId, email, ttl) {
+            await getRedis().set(`verify:${appName}:${hash}`, JSON.stringify({ userId, email }), 'EX', ttl);
+        },
+        async get(hash) {
+            const raw = await getRedis().get(`verify:${appName}:${hash}`);
+            if (!raw)
+                return null;
+            return JSON.parse(raw);
+        },
+        async delete(hash) {
+            await getRedis().del(`verify:${appName}:${hash}`);
+        },
+        async consume(hash) {
+            const raw = await redisGetDel(getRedis(), `verify:${appName}:${hash}`);
+            if (!raw)
+                return null;
+            return JSON.parse(raw);
+        },
+    };
+}
+export function createMongoVerificationTokenRepository(conn, mg) {
+    function getModel() {
+        if (conn.models['EmailVerification'])
+            return conn.models['EmailVerification'];
+        const { Schema } = mg;
+        const schema = new Schema({
+            token: { type: String, required: true, unique: true },
+            userId: { type: String, required: true },
+            email: { type: String, required: true },
+            expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
+        }, { collection: 'email_verifications' });
+        return conn.model('EmailVerification', schema);
+    }
+    return {
+        async create(hash, userId, email, ttl) {
+            await getModel().create({
+                token: hash,
+                userId,
+                email,
+                expiresAt: new Date(Date.now() + ttl * 1000),
+            });
+        },
+        async get(hash) {
+            const doc = await getModel()
+                .findOne({ token: hash, expiresAt: { $gt: new Date() } })
+                .lean();
+            if (!doc)
+                return null;
+            return { userId: doc.userId, email: doc.email };
+        },
+        async delete(hash) {
+            await getModel().deleteOne({ token: hash });
+        },
+        async consume(hash) {
+            const doc = await getModel()
+                .findOneAndDelete({ token: hash, expiresAt: { $gt: new Date() } })
+                .lean();
+            if (!doc)
+                return null;
+            return { userId: doc.userId, email: doc.email };
+        },
+    };
+}
+export const verificationTokenFactories = {
+    memory: () => createMemoryVerificationTokenRepository(),
+    sqlite: infra => createSqliteVerificationTokenRepository(infra.getSqliteDb()),
+    redis: infra => createRedisVerificationTokenRepository(infra.getRedis, infra.appName),
+    mongo: infra => {
+        const { conn, mg } = infra.getMongo();
+        return createMongoVerificationTokenRepository(conn, mg);
+    },
+    postgres: () => {
+        throw new Error('[bunshot-auth] postgres store is not yet supported for verificationToken repository');
+    },
+};
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+export const createVerificationToken = async (repo, userId, email, config) => {
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    const token = Buffer.from(bytes).toString('base64url');
+    const hash = sha256(token);
+    const ttl = config.emailVerification?.tokenExpiry ?? 86400;
+    await repo.create(hash, userId, email, ttl);
+    return token;
+};
+export const getVerificationToken = async (repo, token) => {
+    const hash = sha256(token);
+    return repo.get(hash);
+};
+export const deleteVerificationToken = async (repo, token) => {
+    const hash = sha256(token);
+    await repo.delete(hash);
+};
+export const consumeVerificationToken = async (repo, token) => {
+    const hash = sha256(token);
+    return repo.consume(hash);
+};

package/dist/packages/bunshot-auth/src/lib/env.d.ts

@@ -0,0 +1 @@
+export declare function isProd(): boolean;

package/dist/packages/bunshot-auth/src/lib/env.js

@@ -0,0 +1,3 @@
+export function isProd() {
+    return process.env.NODE_ENV === 'production';
+}