@lastshotlabs/bunshot 0.0.25 → 0.0.28

package/dist/packages/bunshot-auth/src/lib/oauth.d.ts

@@ -0,0 +1,82 @@
+import { Apple, Bitbucket, GitHub, GitLab, Google, LinkedIn, MicrosoftEntraId, Slack, Twitter, generateCodeVerifier, generateState } from 'arctic';
+import type { RepoFactories } from '../../../bunshot-core/src/index.js';
+import type { RedisLike } from '../types/redis';
+export type OAuthProviderConfig = {
+    google?: {
+        clientId: string;
+        clientSecret: string;
+        redirectUri: string;
+    };
+    apple?: {
+        clientId: string;
+        teamId: string;
+        keyId: string;
+        privateKey: string;
+        redirectUri: string;
+    };
+    microsoft?: {
+        tenantId: string;
+        clientId: string;
+        clientSecret: string;
+        redirectUri: string;
+    };
+    github?: {
+        clientId: string;
+        clientSecret: string;
+        redirectUri: string;
+    };
+    linkedin?: {
+        clientId: string;
+        clientSecret: string;
+        redirectUri: string;
+    };
+    twitter?: {
+        clientId: string;
+        clientSecret: string | null;
+        redirectUri: string;
+    };
+    gitlab?: {
+        baseUrl?: string;
+        clientId: string;
+        clientSecret: string | null;
+        redirectUri: string;
+    };
+    slack?: {
+        clientId: string;
+        clientSecret: string;
+        redirectUri: string | null;
+    };
+    bitbucket?: {
+        clientId: string;
+        clientSecret: string;
+        redirectUri: string;
+    };
+};
+export type OAuthProviders = {
+    google?: Google;
+    apple?: Apple;
+    microsoft?: MicrosoftEntraId;
+    github?: GitHub;
+    linkedin?: LinkedIn;
+    twitter?: Twitter;
+    gitlab?: GitLab;
+    slack?: Slack;
+    bitbucket?: Bitbucket;
+};
+export type ConfiguredOAuthProvider = keyof OAuthProviders;
+export interface OAuthStateRecord {
+    codeVerifier?: string;
+    linkUserId?: string;
+}
+export interface OAuthStateStore {
+    store(state: string, codeVerifier?: string, linkUserId?: string): Promise<void>;
+    consume(state: string): Promise<OAuthStateRecord | null>;
+}
+export declare function createMemoryOAuthStateStore(): OAuthStateStore;
+export declare function createSqliteOAuthStateStore(db: import('bun:sqlite').Database): OAuthStateStore;
+export declare function createRedisOAuthStateStore(getRedis: () => RedisLike, appName: string): OAuthStateStore;
+export declare function createMongoOAuthStateStore(conn: import('mongoose').Connection, mg: typeof import('mongoose')): OAuthStateStore;
+export declare function createOAuthProviders(config: OAuthProviderConfig): OAuthProviders;
+export declare function getConfiguredOAuthProviders(providers: OAuthProviders): ConfiguredOAuthProvider[];
+export declare const oauthStateFactories: RepoFactories<OAuthStateStore>;
+export { generateState, generateCodeVerifier };

package/dist/packages/bunshot-auth/src/lib/oauth.js

@@ -0,0 +1,177 @@
+import { Apple, Bitbucket, GitHub, GitLab, Google, LinkedIn, MicrosoftEntraId, Slack, Twitter, generateCodeVerifier, generateState, } from 'arctic';
+import { DEFAULT_MAX_ENTRIES, evictExpired, evictOldest } from '../../../bunshot-core/src/index.js';
+const STATE_TTL = 300;
+export function createMemoryOAuthStateStore() {
+    const states = new Map();
+    return {
+        async store(state, codeVerifier, linkUserId) {
+            evictExpired(states);
+            evictOldest(states, DEFAULT_MAX_ENTRIES);
+            states.set(state, { codeVerifier, linkUserId, expiresAt: Date.now() + STATE_TTL * 1000 });
+        },
+        async consume(state) {
+            const entry = states.get(state);
+            if (!entry || entry.expiresAt <= Date.now()) {
+                states.delete(state);
+                return null;
+            }
+            states.delete(state);
+            return { codeVerifier: entry.codeVerifier, linkUserId: entry.linkUserId };
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// SQLite repository factory
+// ---------------------------------------------------------------------------
+export function createSqliteOAuthStateStore(db) {
+    let initialized = false;
+    function init() {
+        if (initialized)
+            return;
+        db.run(`CREATE TABLE IF NOT EXISTS oauth_states (
+      state      TEXT PRIMARY KEY,
+      codeVerifier TEXT,
+      linkUserId TEXT,
+      expiresAt  INTEGER NOT NULL
+    )`);
+        db.run('CREATE INDEX IF NOT EXISTS idx_oauth_states_expiresAt ON oauth_states(expiresAt)');
+        initialized = true;
+    }
+    return {
+        async store(state, codeVerifier, linkUserId) {
+            init();
+            const expiresAt = Date.now() + STATE_TTL * 1000;
+            db.run(`INSERT INTO oauth_states (state, codeVerifier, linkUserId, expiresAt)
+         VALUES (?, ?, ?, ?)
+         ON CONFLICT(state) DO UPDATE SET codeVerifier = excluded.codeVerifier, linkUserId = excluded.linkUserId, expiresAt = excluded.expiresAt`, [state, codeVerifier ?? null, linkUserId ?? null, expiresAt]);
+        },
+        async consume(state) {
+            init();
+            const now = Date.now();
+            const row = db
+                .query('SELECT codeVerifier, linkUserId FROM oauth_states WHERE state = ? AND expiresAt > ?')
+                .get(state, now);
+            db.run('DELETE FROM oauth_states WHERE state = ?', [state]);
+            return row ?? null;
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// Redis repository factory
+// ---------------------------------------------------------------------------
+async function redisGetDel(redis, key) {
+    if (typeof redis.getdel === 'function') {
+        try {
+            return await redis.getdel(key);
+        }
+        catch (err) {
+            const msg = err?.message ?? '';
+            if (!/unknown command|ERR unknown command/i.test(msg))
+                throw err;
+        }
+    }
+    const result = await redis.eval("local v = redis.call('GET', KEYS[1])\nif v then redis.call('DEL', KEYS[1]) end\nreturn v", 1, key);
+    return result ?? null;
+}
+export function createRedisOAuthStateStore(getRedis, appName) {
+    return {
+        async store(state, codeVerifier, linkUserId) {
+            await getRedis().set(`oauth:${appName}:state:${state}`, JSON.stringify({ codeVerifier, linkUserId }), 'EX', STATE_TTL);
+        },
+        async consume(state) {
+            const key = `oauth:${appName}:state:${state}`;
+            const value = await redisGetDel(getRedis(), key);
+            if (!value)
+                return null;
+            return JSON.parse(value);
+        },
+    };
+}
+function getOAuthStateModel(conn, mg) {
+    if (conn.models['OAuthState']) {
+        return conn.models['OAuthState'];
+    }
+    const { Schema } = mg;
+    const oauthStateSchema = new Schema({
+        state: { type: String, required: true, unique: true },
+        codeVerifier: { type: String },
+        linkUserId: { type: String },
+        expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
+    }, { collection: 'oauth_states' });
+    return conn.model('OAuthState', oauthStateSchema);
+}
+export function createMongoOAuthStateStore(conn, mg) {
+    return {
+        async store(state, codeVerifier, linkUserId) {
+            const expiresAt = new Date(Date.now() + STATE_TTL * 1000);
+            await getOAuthStateModel(conn, mg).create({ state, codeVerifier, linkUserId, expiresAt });
+        },
+        async consume(state) {
+            const doc = await getOAuthStateModel(conn, mg)
+                .findOneAndDelete({ state, expiresAt: { $gt: new Date() } })
+                .lean();
+            return doc ? { codeVerifier: doc.codeVerifier, linkUserId: doc.linkUserId } : null;
+        },
+    };
+}
+export function createOAuthProviders(config) {
+    const providers = {};
+    if (config.google) {
+        const { clientId, clientSecret, redirectUri } = config.google;
+        providers.google = new Google(clientId, clientSecret, redirectUri);
+    }
+    if (config.apple) {
+        const { clientId, teamId, keyId, privateKey, redirectUri } = config.apple;
+        providers.apple = new Apple(clientId, teamId, keyId, new TextEncoder().encode(privateKey), redirectUri);
+    }
+    if (config.microsoft) {
+        const { tenantId, clientId, clientSecret, redirectUri } = config.microsoft;
+        providers.microsoft = new MicrosoftEntraId(tenantId, clientId, clientSecret, redirectUri);
+    }
+    if (config.github) {
+        const { clientId, clientSecret, redirectUri } = config.github;
+        providers.github = new GitHub(clientId, clientSecret, redirectUri);
+    }
+    if (config.linkedin) {
+        const { clientId, clientSecret, redirectUri } = config.linkedin;
+        providers.linkedin = new LinkedIn(clientId, clientSecret, redirectUri);
+    }
+    if (config.twitter) {
+        const { clientId, clientSecret, redirectUri } = config.twitter;
+        providers.twitter = new Twitter(clientId, clientSecret, redirectUri);
+    }
+    if (config.gitlab) {
+        const { baseUrl, clientId, clientSecret, redirectUri } = config.gitlab;
+        providers.gitlab = new GitLab(baseUrl ?? 'https://gitlab.com', clientId, clientSecret, redirectUri);
+    }
+    if (config.slack) {
+        const { clientId, clientSecret, redirectUri } = config.slack;
+        providers.slack = new Slack(clientId, clientSecret, redirectUri);
+    }
+    if (config.bitbucket) {
+        const { clientId, clientSecret, redirectUri } = config.bitbucket;
+        providers.bitbucket = new Bitbucket(clientId, clientSecret, redirectUri);
+    }
+    return providers;
+}
+export function getConfiguredOAuthProviders(providers) {
+    return Object.entries(providers)
+        .filter(([, value]) => value != null)
+        .map(([name]) => name);
+}
+// ---------------------------------------------------------------------------
+// Factory map
+// ---------------------------------------------------------------------------
+export const oauthStateFactories = {
+    memory: () => createMemoryOAuthStateStore(),
+    sqlite: infra => createSqliteOAuthStateStore(infra.getSqliteDb()),
+    redis: infra => createRedisOAuthStateStore(infra.getRedis, infra.appName),
+    mongo: infra => {
+        const { conn, mg } = infra.getMongo();
+        return createMongoOAuthStateStore(conn, mg);
+    },
+    postgres: () => {
+        throw new Error('[bunshot-auth] postgres store is not yet supported for oauthState repository');
+    },
+};
+export { generateState, generateCodeVerifier };

package/dist/packages/bunshot-auth/src/lib/oauthCode.d.ts

@@ -0,0 +1,19 @@
+import type { RepoFactories } from '../../../bunshot-core/src/index.js';
+import type { OAuthCodePayload } from '../types/oauthCode';
+import type { RedisLike } from '../types/redis';
+export type { OAuthCodePayload } from '../types/oauthCode';
+export interface IOAuthCodeRepository {
+    store(hash: string, payload: OAuthCodePayload, ttl: number): Promise<void>;
+    consume(hash: string): Promise<OAuthCodePayload | null>;
+}
+export declare function createMemoryOAuthCodeRepository(): IOAuthCodeRepository;
+export declare function createSqliteOAuthCodeRepository(db: import('bun:sqlite').Database): IOAuthCodeRepository;
+export declare function createRedisOAuthCodeRepository(getRedis: () => RedisLike, appName: string): IOAuthCodeRepository;
+export declare function createMongoOAuthCodeRepository(conn: import('mongoose').Connection, mg: typeof import('mongoose')): IOAuthCodeRepository;
+export declare const oauthCodeFactories: RepoFactories<IOAuthCodeRepository>;
+/** Store a one-time authorization code. Returns the raw code (for the redirect URL).
+ *  Only the SHA-256 hash is persisted. */
+export declare const storeOAuthCode: (repo: IOAuthCodeRepository, payload: OAuthCodePayload, deks: readonly import("../../../bunshot-core/src/index.js").DataEncryptionKey[]) => Promise<string>;
+/** Atomically consume an authorization code — returns its payload and deletes it.
+ *  Returns null if invalid, expired, or already used. */
+export declare const consumeOAuthCode: (repo: IOAuthCodeRepository, code: string, deks: readonly import("../../../bunshot-core/src/index.js").DataEncryptionKey[]) => Promise<OAuthCodePayload | null>;

package/dist/packages/bunshot-auth/src/lib/oauthCode.js

@@ -0,0 +1,182 @@
+import { DEFAULT_MAX_ENTRIES, decryptField, encryptField, evictExpired, evictOldest, isEncryptedField, sha256, } from '../../../bunshot-core/src/index.js';
+export function createMemoryOAuthCodeRepository() {
+    const codes = new Map();
+    return {
+        async store(hash, payload, ttl) {
+            evictExpired(codes);
+            evictOldest(codes, DEFAULT_MAX_ENTRIES);
+            codes.set(hash, { payload, expiresAt: Date.now() + ttl * 1000 });
+        },
+        async consume(hash) {
+            const entry = codes.get(hash);
+            if (!entry || entry.expiresAt <= Date.now()) {
+                codes.delete(hash);
+                return null;
+            }
+            codes.delete(hash);
+            return entry.payload;
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// SQLite repository factory
+// ---------------------------------------------------------------------------
+export function createSqliteOAuthCodeRepository(db) {
+    let initialized = false;
+    function init() {
+        if (initialized)
+            return;
+        db.run(`CREATE TABLE IF NOT EXISTS auth_oauth_codes (
+      codeHash     TEXT PRIMARY KEY,
+      payload      TEXT NOT NULL,
+      expiresAt    INTEGER NOT NULL
+    )`);
+        db.run('CREATE INDEX IF NOT EXISTS idx_auth_oauth_codes_expiresAt ON auth_oauth_codes(expiresAt)');
+        initialized = true;
+    }
+    return {
+        async store(hash, payload, ttl) {
+            init();
+            const expiresAt = Date.now() + ttl * 1000;
+            db.run(`INSERT INTO auth_oauth_codes (codeHash, payload, expiresAt)
+         VALUES (?, ?, ?)
+         ON CONFLICT(codeHash) DO UPDATE SET payload = excluded.payload, expiresAt = excluded.expiresAt`, [hash, JSON.stringify(payload), expiresAt]);
+        },
+        async consume(hash) {
+            init();
+            const now = Date.now();
+            const row = db
+                .query('SELECT payload FROM auth_oauth_codes WHERE codeHash = ? AND expiresAt > ?')
+                .get(hash, now);
+            db.run('DELETE FROM auth_oauth_codes WHERE codeHash = ?', [hash]);
+            if (!row)
+                return null;
+            return JSON.parse(row.payload);
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// Redis repository factory
+// ---------------------------------------------------------------------------
+/** Atomically GET+DEL a key. Uses native GETDEL (Redis >= 6.2) with a Lua fallback. */
+async function redisGetDel(redis, key) {
+    if (typeof redis.getdel === 'function') {
+        try {
+            return await redis.getdel(key);
+        }
+        catch (err) {
+            const msg = err?.message ?? '';
+            if (!/unknown command|ERR unknown command/i.test(msg))
+                throw err;
+        }
+    }
+    const result = await redis.eval("local v = redis.call('GET', KEYS[1])\nif v then redis.call('DEL', KEYS[1]) end\nreturn v", 1, key);
+    return result ?? null;
+}
+export function createRedisOAuthCodeRepository(getRedis, appName) {
+    return {
+        async store(hash, payload, ttl) {
+            await getRedis().set(`oauthcode:${appName}:${hash}`, JSON.stringify(payload), 'EX', ttl);
+        },
+        async consume(hash) {
+            const key = `oauthcode:${appName}:${hash}`;
+            const raw = await redisGetDel(getRedis(), key);
+            if (!raw)
+                return null;
+            return JSON.parse(raw);
+        },
+    };
+}
+export function createMongoOAuthCodeRepository(conn, mg) {
+    function getModel() {
+        if (conn.models['OAuthCode'])
+            return conn.models['OAuthCode'];
+        const { Schema } = mg;
+        const schema = new Schema({
+            codeHash: { type: String, required: true, unique: true },
+            token: { type: String, required: true },
+            userId: { type: String, required: true },
+            email: { type: String },
+            refreshToken: { type: String },
+            expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
+        }, { collection: 'oauth_codes' });
+        return conn.model('OAuthCode', schema);
+    }
+    return {
+        async store(hash, payload, ttl) {
+            await getModel().create({
+                codeHash: hash,
+                ...payload,
+                expiresAt: new Date(Date.now() + ttl * 1000),
+            });
+        },
+        async consume(hash) {
+            const doc = await getModel()
+                .findOneAndDelete({ codeHash: hash, expiresAt: { $gt: new Date() } })
+                .lean();
+            if (!doc)
+                return null;
+            return {
+                token: doc.token,
+                userId: doc.userId,
+                email: doc.email,
+                refreshToken: doc.refreshToken,
+            };
+        },
+    };
+}
+export const oauthCodeFactories = {
+    memory: () => createMemoryOAuthCodeRepository(),
+    sqlite: infra => createSqliteOAuthCodeRepository(infra.getSqliteDb()),
+    redis: infra => createRedisOAuthCodeRepository(infra.getRedis, infra.appName),
+    mongo: infra => {
+        const { conn, mg } = infra.getMongo();
+        return createMongoOAuthCodeRepository(conn, mg);
+    },
+    postgres: () => {
+        throw new Error('[bunshot-auth] postgres store is not yet supported for oauthCode repository');
+    },
+};
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+const CODE_TTL = 60; // 60 seconds
+/** Store a one-time authorization code. Returns the raw code (for the redirect URL).
+ *  Only the SHA-256 hash is persisted. */
+export const storeOAuthCode = async (repo, payload, deks) => {
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    const code = Buffer.from(bytes).toString('base64url');
+    const hash = sha256(code);
+    let storedPayload = payload;
+    if (deks.length > 0) {
+        storedPayload = { ...storedPayload, token: await encryptField(storedPayload.token, [...deks]) };
+        if (storedPayload.refreshToken) {
+            storedPayload = {
+                ...storedPayload,
+                refreshToken: await encryptField(storedPayload.refreshToken, [...deks]),
+            };
+        }
+    }
+    await repo.store(hash, storedPayload, CODE_TTL);
+    return code;
+};
+/** Atomically consume an authorization code — returns its payload and deletes it.
+ *  Returns null if invalid, expired, or already used. */
+export const consumeOAuthCode = async (repo, code, deks) => {
+    const hash = sha256(code);
+    let result = await repo.consume(hash);
+    if (result && isEncryptedField(result.token)) {
+        try {
+            result.token = await decryptField(result.token, [...deks]);
+            if (result.refreshToken && isEncryptedField(result.refreshToken)) {
+                result.refreshToken = await decryptField(result.refreshToken, [...deks]);
+            }
+        }
+        catch (err) {
+            console.error('[oauthCode] decryptField failed — key rotation during active code TTL?', err);
+            return null;
+        }
+    }
+    return result;
+};

package/dist/packages/bunshot-auth/src/lib/oauthReauth.d.ts

@@ -0,0 +1,19 @@
+import type { RepoFactories } from '../../../bunshot-core/src/index.js';
+import type { OAuthReauthConfirmation, OAuthReauthState } from '../types/oauthReauth';
+import type { RedisLike } from '../types/redis';
+export type { OAuthReauthState, OAuthReauthConfirmation } from '../types/oauthReauth';
+export interface IOAuthReauthRepository {
+    storeState(hash: string, data: OAuthReauthState, ttl: number): Promise<void>;
+    consumeState(hash: string): Promise<OAuthReauthState | null>;
+    storeConfirmation(hash: string, data: OAuthReauthConfirmation, ttl: number): Promise<void>;
+    consumeConfirmation(hash: string): Promise<OAuthReauthConfirmation | null>;
+}
+export declare function createMemoryOAuthReauthRepository(): IOAuthReauthRepository;
+export declare function createSqliteOAuthReauthRepository(db: import('bun:sqlite').Database): IOAuthReauthRepository;
+export declare function createRedisOAuthReauthRepository(getRedis: () => RedisLike, appName: string): IOAuthReauthRepository;
+export declare function createMongoOAuthReauthRepository(conn: import('mongoose').Connection, mg: typeof import('mongoose')): IOAuthReauthRepository;
+export declare const oauthReauthFactories: RepoFactories<IOAuthReauthRepository>;
+export declare const createReauthState: (repo: IOAuthReauthRepository, data: OAuthReauthState) => Promise<string>;
+export declare const consumeReauthState: (repo: IOAuthReauthRepository, token: string) => Promise<OAuthReauthState | null>;
+export declare const storeReauthConfirmation: (repo: IOAuthReauthRepository, data: OAuthReauthConfirmation) => Promise<string>;
+export declare const consumeReauthConfirmation: (repo: IOAuthReauthRepository, code: string) => Promise<OAuthReauthConfirmation | null>;