@lastshotlabs/bunshot 0.0.25 → 0.0.28

package/dist/packages/bunshot-auth/src/lib/oauthReauth.js

@@ -0,0 +1,255 @@
+import { DEFAULT_MAX_ENTRIES, evictExpired, evictOldest, sha256 } from '../../../bunshot-core/src/index.js';
+export function createMemoryOAuthReauthRepository() {
+    const states = new Map();
+    const confirmations = new Map();
+    return {
+        async storeState(hash, data, ttl) {
+            evictExpired(states);
+            evictOldest(states, DEFAULT_MAX_ENTRIES);
+            states.set(hash, { data, expiresAt: Date.now() + ttl * 1000 });
+        },
+        async consumeState(hash) {
+            const entry = states.get(hash);
+            if (!entry || entry.expiresAt <= Date.now()) {
+                states.delete(hash);
+                return null;
+            }
+            states.delete(hash);
+            return entry.data;
+        },
+        async storeConfirmation(hash, data, ttl) {
+            evictExpired(confirmations);
+            evictOldest(confirmations, DEFAULT_MAX_ENTRIES);
+            confirmations.set(hash, { data, expiresAt: Date.now() + ttl * 1000 });
+        },
+        async consumeConfirmation(hash) {
+            const entry = confirmations.get(hash);
+            if (!entry || entry.expiresAt <= Date.now()) {
+                confirmations.delete(hash);
+                return null;
+            }
+            confirmations.delete(hash);
+            return entry.data;
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// SQLite repository factory
+// ---------------------------------------------------------------------------
+export function createSqliteOAuthReauthRepository(db) {
+    let initialized = false;
+    function init() {
+        if (initialized)
+            return;
+        db.run(`CREATE TABLE IF NOT EXISTS auth_oauth_reauth_states (
+      tokenHash TEXT PRIMARY KEY,
+      data      TEXT NOT NULL,
+      expiresAt INTEGER NOT NULL
+    )`);
+        db.run('CREATE INDEX IF NOT EXISTS idx_auth_oauth_reauth_states_expiresAt ON auth_oauth_reauth_states(expiresAt)');
+        db.run(`CREATE TABLE IF NOT EXISTS auth_oauth_reauth_confirmations (
+      codeHash  TEXT PRIMARY KEY,
+      data      TEXT NOT NULL,
+      expiresAt INTEGER NOT NULL
+    )`);
+        db.run('CREATE INDEX IF NOT EXISTS idx_auth_oauth_reauth_confirmations_expiresAt ON auth_oauth_reauth_confirmations(expiresAt)');
+        initialized = true;
+    }
+    return {
+        async storeState(hash, data, ttl) {
+            init();
+            const expiresAt = Date.now() + ttl * 1000;
+            db.run(`INSERT INTO auth_oauth_reauth_states (tokenHash, data, expiresAt)
+         VALUES (?, ?, ?)
+         ON CONFLICT(tokenHash) DO UPDATE SET data = excluded.data, expiresAt = excluded.expiresAt`, [hash, JSON.stringify(data), expiresAt]);
+        },
+        async consumeState(hash) {
+            init();
+            const now = Date.now();
+            const row = db
+                .query('SELECT data FROM auth_oauth_reauth_states WHERE tokenHash = ? AND expiresAt > ?')
+                .get(hash, now);
+            db.run('DELETE FROM auth_oauth_reauth_states WHERE tokenHash = ?', [hash]);
+            if (!row)
+                return null;
+            return JSON.parse(row.data);
+        },
+        async storeConfirmation(hash, data, ttl) {
+            init();
+            const expiresAt = Date.now() + ttl * 1000;
+            db.run(`INSERT INTO auth_oauth_reauth_confirmations (codeHash, data, expiresAt)
+         VALUES (?, ?, ?)
+         ON CONFLICT(codeHash) DO UPDATE SET data = excluded.data, expiresAt = excluded.expiresAt`, [hash, JSON.stringify(data), expiresAt]);
+        },
+        async consumeConfirmation(hash) {
+            init();
+            const now = Date.now();
+            const row = db
+                .query('SELECT data FROM auth_oauth_reauth_confirmations WHERE codeHash = ? AND expiresAt > ?')
+                .get(hash, now);
+            db.run('DELETE FROM auth_oauth_reauth_confirmations WHERE codeHash = ?', [hash]);
+            if (!row)
+                return null;
+            return JSON.parse(row.data);
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// Redis helpers
+// ---------------------------------------------------------------------------
+/** Atomically GET+DEL a key. Uses native GETDEL (Redis >= 6.2) with a Lua fallback. */
+async function redisGetDel(redis, key) {
+    if (typeof redis.getdel === 'function') {
+        try {
+            return await redis.getdel(key);
+        }
+        catch (err) {
+            const msg = err?.message ?? '';
+            if (!/unknown command|ERR unknown command/i.test(msg))
+                throw err;
+        }
+    }
+    const result = await redis.eval("local v = redis.call('GET', KEYS[1])\nif v then redis.call('DEL', KEYS[1]) end\nreturn v", 1, key);
+    return result ?? null;
+}
+// ---------------------------------------------------------------------------
+// Redis repository factory
+// ---------------------------------------------------------------------------
+export function createRedisOAuthReauthRepository(getRedis, appName) {
+    return {
+        async storeState(hash, data, ttl) {
+            await getRedis().set(`oauthreauth:${appName}:${hash}`, JSON.stringify(data), 'EX', ttl);
+        },
+        async consumeState(hash) {
+            const key = `oauthreauth:${appName}:${hash}`;
+            const raw = await redisGetDel(getRedis(), key);
+            if (!raw)
+                return null;
+            return JSON.parse(raw);
+        },
+        async storeConfirmation(hash, data, ttl) {
+            await getRedis().set(`oauthreauthconf:${appName}:${hash}`, JSON.stringify(data), 'EX', ttl);
+        },
+        async consumeConfirmation(hash) {
+            const key = `oauthreauthconf:${appName}:${hash}`;
+            const raw = await redisGetDel(getRedis(), key);
+            if (!raw)
+                return null;
+            return JSON.parse(raw);
+        },
+    };
+}
+export function createMongoOAuthReauthRepository(conn, mg) {
+    function getReauthModel() {
+        if (conn.models['OAuthReauth'])
+            return conn.models['OAuthReauth'];
+        const { Schema } = mg;
+        const schema = new Schema({
+            tokenHash: { type: String, required: true, unique: true },
+            userId: { type: String, required: true },
+            sessionId: { type: String, required: true },
+            provider: { type: String, required: true },
+            purpose: { type: String, required: true },
+            returnUrl: { type: String },
+            expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
+        }, { collection: 'oauth_reauth_states' });
+        return conn.model('OAuthReauth', schema);
+    }
+    function getConfirmationModel() {
+        if (conn.models['OAuthReauthConfirmation'])
+            return conn.models['OAuthReauthConfirmation'];
+        const { Schema } = mg;
+        const schema = new Schema({
+            codeHash: { type: String, required: true, unique: true },
+            userId: { type: String, required: true },
+            purpose: { type: String, required: true },
+            expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
+        }, { collection: 'oauth_reauth_confirmations' });
+        return conn.model('OAuthReauthConfirmation', schema);
+    }
+    return {
+        async storeState(hash, data, ttl) {
+            await getReauthModel().create({
+                tokenHash: hash,
+                userId: data.userId,
+                sessionId: data.sessionId,
+                provider: data.provider,
+                purpose: data.purpose,
+                returnUrl: data.returnUrl,
+                expiresAt: new Date(Date.now() + ttl * 1000),
+            });
+        },
+        async consumeState(hash) {
+            const doc = await getReauthModel()
+                .findOneAndDelete({ tokenHash: hash, expiresAt: { $gt: new Date() } })
+                .lean();
+            if (!doc)
+                return null;
+            return {
+                userId: doc.userId,
+                sessionId: doc.sessionId,
+                provider: doc.provider,
+                purpose: doc.purpose,
+                expiresAt: doc.expiresAt.getTime(),
+                returnUrl: doc.returnUrl,
+            };
+        },
+        async storeConfirmation(hash, data, ttl) {
+            await getConfirmationModel().create({
+                codeHash: hash,
+                userId: data.userId,
+                purpose: data.purpose,
+                expiresAt: new Date(Date.now() + ttl * 1000),
+            });
+        },
+        async consumeConfirmation(hash) {
+            const doc = await getConfirmationModel()
+                .findOneAndDelete({ codeHash: hash, expiresAt: { $gt: new Date() } })
+                .lean();
+            if (!doc)
+                return null;
+            return { userId: doc.userId, purpose: doc.purpose };
+        },
+    };
+}
+export const oauthReauthFactories = {
+    memory: () => createMemoryOAuthReauthRepository(),
+    sqlite: infra => createSqliteOAuthReauthRepository(infra.getSqliteDb()),
+    redis: infra => createRedisOAuthReauthRepository(infra.getRedis, infra.appName),
+    mongo: infra => {
+        const { conn, mg } = infra.getMongo();
+        return createMongoOAuthReauthRepository(conn, mg);
+    },
+    postgres: () => {
+        throw new Error('[bunshot-auth] postgres store is not yet supported for oauthReauth repository');
+    },
+};
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+const REAUTH_TTL = 300; // 5 minutes — matches OAuth state TTL
+const CONFIRMATION_TTL = 300; // 5 minutes
+export const createReauthState = async (repo, data) => {
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    const token = Buffer.from(bytes).toString('base64url');
+    const hash = sha256(token);
+    await repo.storeState(hash, data, REAUTH_TTL);
+    return token;
+};
+export const consumeReauthState = async (repo, token) => {
+    const hash = sha256(token);
+    return repo.consumeState(hash);
+};
+export const storeReauthConfirmation = async (repo, data) => {
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    const code = Buffer.from(bytes).toString('base64url');
+    const hash = sha256(code);
+    await repo.storeConfirmation(hash, data, CONFIRMATION_TTL);
+    return code;
+};
+export const consumeReauthConfirmation = async (repo, code) => {
+    const hash = sha256(code);
+    return repo.consumeConfirmation(hash);
+};

package/dist/packages/bunshot-auth/src/lib/organization.d.ts

@@ -0,0 +1,66 @@
+export interface Organization {
+    id: string;
+    name: string;
+    slug: string;
+    tenantId?: string;
+    createdAt: Date;
+    metadata?: Record<string, unknown>;
+}
+export interface OrgMembership {
+    orgId: string;
+    userId: string;
+    roles: string[];
+    joinedAt: Date;
+    invitedBy?: string;
+}
+export interface OrgInvitation {
+    id: string;
+    orgId: string;
+    email: string;
+    roles: string[];
+    /** SHA-256 hashed token — never returned to client. The raw token is sent to the user. */
+    token: string;
+    expiresAt: Date;
+    invitedBy: string;
+}
+export interface OrganizationConfig {
+    enabled: boolean;
+    /** Role given to members added directly (not via invitation). Default: none. */
+    defaultMemberRole?: string;
+    /** Default invitation TTL in seconds. Default: 604800 (7 days). */
+    invitationTtlSeconds?: number;
+}
+export interface OrgService {
+    createOrg(data: {
+        name: string;
+        slug: string;
+        tenantId?: string;
+        metadata?: Record<string, unknown>;
+    }): Promise<Organization>;
+    getOrg(orgId: string): Promise<Organization | null>;
+    getOrgBySlug(slug: string): Promise<Organization | null>;
+    listOrgs(opts?: {
+        limit?: number;
+        cursor?: string;
+    }): Promise<{
+        orgs: Organization[];
+        nextCursor?: string;
+    }>;
+    updateOrg(orgId: string, data: Partial<Pick<Organization, 'name' | 'metadata'>>): Promise<Organization | null>;
+    deleteOrg(orgId: string): Promise<void>;
+    addOrgMember(orgId: string, userId: string, roles?: string[], invitedBy?: string): Promise<OrgMembership>;
+    removeOrgMember(orgId: string, userId: string): Promise<void>;
+    getOrgMembers(orgId: string): Promise<OrgMembership[]>;
+    getUserOrgs(userId: string): Promise<Organization[]>;
+    updateOrgMemberRoles(orgId: string, userId: string, roles: string[]): Promise<void>;
+    createOrgInvitation(orgId: string, email: string, roles: string[], invitedBy: string, ttlSeconds?: number): Promise<{
+        invitation: OrgInvitation;
+        token: string;
+    }>;
+    consumeOrgInvitation(token: string): Promise<OrgInvitation | null>;
+    listOrgInvitations(orgId: string): Promise<OrgInvitation[]>;
+    revokeOrgInvitation(invitationId: string): Promise<void>;
+    getDefaultInvitationTtl(): number;
+    getOrgConfig(): OrganizationConfig;
+}
+export declare function createOrgService(config: OrganizationConfig): OrgService;

package/dist/packages/bunshot-auth/src/lib/organization.js

@@ -0,0 +1,225 @@
+import { randomUUID } from 'crypto';
+import { DEFAULT_MAX_ENTRIES, evictOldest, sha256 } from '../../../bunshot-core/src/index.js';
+// ---------------------------------------------------------------------------
+// Factory
+// ---------------------------------------------------------------------------
+const DEFAULT_INVITATION_TTL = 7 * 24 * 60 * 60; // 7 days in seconds
+export function createOrgService(config) {
+    const _orgs = new Map(); // orgId -> Org
+    const _orgBySlug = new Map(); // slug -> orgId
+    const _memberships = new Map(); // "orgId:userId" -> membership
+    const _invitations = new Map(); // invitationId -> invitation
+    const _tokenIndex = new Map(); // hashedToken -> invitationId
+    function memberKey(orgId, userId) {
+        return `${orgId}:${userId}`;
+    }
+    // Purge expired invitations from both _invitations and _tokenIndex together
+    // so the two maps stay in sync. Called before each new invitation is stored.
+    function sweepExpiredInvitations() {
+        const now = new Date();
+        for (const [id, inv] of _invitations) {
+            if (inv.expiresAt < now) {
+                _tokenIndex.delete(inv.token);
+                _invitations.delete(id);
+            }
+        }
+    }
+    // Evict the oldest invitation from both _invitations and _tokenIndex together.
+    function evictOldestInvitation() {
+        const id = _invitations.keys().next().value;
+        if (id === undefined)
+            return;
+        const inv = _invitations.get(id);
+        _tokenIndex.delete(inv.token);
+        _invitations.delete(id);
+    }
+    return {
+        async createOrg(data) {
+            if (_orgBySlug.has(data.slug)) {
+                throw new Error(`Organization with slug "${data.slug}" already exists`);
+            }
+            const org = {
+                id: randomUUID(),
+                name: data.name,
+                slug: data.slug,
+                tenantId: data.tenantId,
+                createdAt: new Date(),
+                metadata: data.metadata,
+            };
+            evictOldest(_orgs, DEFAULT_MAX_ENTRIES);
+            _orgs.set(org.id, org);
+            _orgBySlug.set(org.slug, org.id);
+            return org;
+        },
+        async getOrg(orgId) {
+            return _orgs.get(orgId) ?? null;
+        },
+        async getOrgBySlug(slug) {
+            const orgId = _orgBySlug.get(slug);
+            if (!orgId)
+                return null;
+            return _orgs.get(orgId) ?? null;
+        },
+        async listOrgs(opts) {
+            const all = Array.from(_orgs.values()).sort((a, b) => a.createdAt.getTime() - b.createdAt.getTime() || a.id.localeCompare(b.id));
+            const limit = opts?.limit ?? 50;
+            let filtered = all;
+            if (opts?.cursor) {
+                try {
+                    const c = JSON.parse(atob(opts.cursor));
+                    filtered = all.filter(o => o.createdAt.getTime() > c.createdAt ||
+                        (o.createdAt.getTime() === c.createdAt && o.id > c.id));
+                }
+                catch {
+                    /* invalid cursor — start from beginning */
+                }
+            }
+            const page = filtered.slice(0, limit);
+            const nextCursor = filtered.length > limit
+                ? btoa(JSON.stringify({
+                    createdAt: page[page.length - 1].createdAt.getTime(),
+                    id: page[page.length - 1].id,
+                }))
+                : undefined;
+            return { orgs: page, nextCursor };
+        },
+        async updateOrg(orgId, data) {
+            const org = _orgs.get(orgId);
+            if (!org)
+                return null;
+            if (data.name !== undefined)
+                org.name = data.name;
+            if (data.metadata !== undefined)
+                org.metadata = data.metadata;
+            return org;
+        },
+        async deleteOrg(orgId) {
+            const org = _orgs.get(orgId);
+            if (!org)
+                return;
+            // Cascade: remove all memberships for this org
+            for (const [key, m] of _memberships) {
+                if (m.orgId === orgId)
+                    _memberships.delete(key);
+            }
+            // Cascade: remove all pending invitations for this org (and their token indices)
+            for (const [id, inv] of _invitations) {
+                if (inv.orgId === orgId) {
+                    _tokenIndex.delete(inv.token);
+                    _invitations.delete(id);
+                }
+            }
+            _orgBySlug.delete(org.slug);
+            _orgs.delete(orgId);
+        },
+        async addOrgMember(orgId, userId, roles = [], invitedBy) {
+            const key = memberKey(orgId, userId);
+            if (_memberships.has(key)) {
+                throw new Error(`User "${userId}" is already a member of org "${orgId}"`);
+            }
+            const membership = {
+                orgId,
+                userId,
+                roles,
+                joinedAt: new Date(),
+                invitedBy,
+            };
+            evictOldest(_memberships, DEFAULT_MAX_ENTRIES);
+            _memberships.set(key, membership);
+            return membership;
+        },
+        async removeOrgMember(orgId, userId) {
+            _memberships.delete(memberKey(orgId, userId));
+        },
+        async getOrgMembers(orgId) {
+            const result = [];
+            for (const m of _memberships.values()) {
+                if (m.orgId === orgId)
+                    result.push(m);
+            }
+            return result;
+        },
+        async getUserOrgs(userId) {
+            const orgs = [];
+            for (const m of _memberships.values()) {
+                if (m.userId === userId) {
+                    const org = _orgs.get(m.orgId);
+                    if (org)
+                        orgs.push(org);
+                }
+            }
+            return orgs;
+        },
+        async updateOrgMemberRoles(orgId, userId, roles) {
+            const key = memberKey(orgId, userId);
+            const m = _memberships.get(key);
+            if (m) {
+                m.roles = roles;
+            }
+        },
+        async createOrgInvitation(orgId, email, roles, invitedBy, ttlSeconds) {
+            const rawToken = randomUUID();
+            const hashedToken = sha256(rawToken);
+            const ttl = ttlSeconds ?? config.invitationTtlSeconds ?? DEFAULT_INVITATION_TTL;
+            const invitation = {
+                id: randomUUID(),
+                orgId,
+                email,
+                roles,
+                token: hashedToken,
+                expiresAt: new Date(Date.now() + ttl * 1000),
+                invitedBy,
+            };
+            sweepExpiredInvitations();
+            while (_invitations.size >= DEFAULT_MAX_ENTRIES) {
+                evictOldestInvitation();
+            }
+            _invitations.set(invitation.id, invitation);
+            _tokenIndex.set(hashedToken, invitation.id);
+            return { invitation, token: rawToken };
+        },
+        async consumeOrgInvitation(token) {
+            const hashedToken = sha256(token);
+            const invitationId = _tokenIndex.get(hashedToken);
+            if (!invitationId)
+                return null;
+            const invitation = _invitations.get(invitationId);
+            if (!invitation)
+                return null;
+            // Check expiry
+            if (invitation.expiresAt < new Date()) {
+                // Clean up expired invitation
+                _tokenIndex.delete(hashedToken);
+                _invitations.delete(invitationId);
+                return null;
+            }
+            // Single-use: remove from store
+            _tokenIndex.delete(hashedToken);
+            _invitations.delete(invitationId);
+            return invitation;
+        },
+        async listOrgInvitations(orgId) {
+            const result = [];
+            const now = new Date();
+            for (const inv of _invitations.values()) {
+                if (inv.orgId === orgId && inv.expiresAt > now) {
+                    result.push(inv);
+                }
+            }
+            return result;
+        },
+        async revokeOrgInvitation(invitationId) {
+            const inv = _invitations.get(invitationId);
+            if (!inv)
+                return;
+            _tokenIndex.delete(inv.token);
+            _invitations.delete(invitationId);
+        },
+        getDefaultInvitationTtl() {
+            return config.invitationTtlSeconds ?? DEFAULT_INVITATION_TTL;
+        },
+        getOrgConfig() {
+            return config;
+        },
+    };
+}

package/dist/packages/bunshot-auth/src/lib/passwordHistory.d.ts

@@ -0,0 +1,12 @@
+import type { AuthAdapter } from '../lib/authAdapter';
+/**
+ * Check whether a plaintext password matches any of the stored history hashes.
+ * Returns true if the password is NOT reused (safe to use), false if it was found in history.
+ * Skips the check if the adapter does not implement getPasswordHistory.
+ */
+export declare function checkPasswordNotReused(adapter: AuthAdapter, userId: string, newPasswordPlaintext: string, maxCount: number): Promise<boolean>;
+/**
+ * Record a newly-set password hash into the user's password history.
+ * No-op if the adapter does not implement addPasswordToHistory.
+ */
+export declare function recordPasswordChange(adapter: AuthAdapter, userId: string, newHash: string, maxCount: number): Promise<void>;

package/dist/packages/bunshot-auth/src/lib/passwordHistory.js

@@ -0,0 +1,31 @@
+/**
+ * Check whether a plaintext password matches any of the stored history hashes.
+ * Returns true if the password is NOT reused (safe to use), false if it was found in history.
+ * Skips the check if the adapter does not implement getPasswordHistory.
+ */
+export async function checkPasswordNotReused(adapter, userId, newPasswordPlaintext, maxCount) {
+    if (maxCount <= 0)
+        return true;
+    if (!adapter.getPasswordHistory)
+        return true;
+    const history = await adapter.getPasswordHistory(userId);
+    if (history.length === 0)
+        return true;
+    for (const hash of history) {
+        if (await Bun.password.verify(newPasswordPlaintext, hash)) {
+            return false; // reused
+        }
+    }
+    return true; // not reused
+}
+/**
+ * Record a newly-set password hash into the user's password history.
+ * No-op if the adapter does not implement addPasswordToHistory.
+ */
+export async function recordPasswordChange(adapter, userId, newHash, maxCount) {
+    if (maxCount <= 0)
+        return;
+    if (!adapter.addPasswordToHistory)
+        return;
+    await adapter.addPasswordToHistory(userId, newHash, maxCount);
+}

package/dist/packages/bunshot-auth/src/lib/resetPassword.d.ts

@@ -0,0 +1,20 @@
+import type { RepoFactories } from '../../../bunshot-core/src/index.js';
+import type { AuthResolvedConfig } from '../config/authConfig';
+import type { RedisLike } from '../types/redis';
+export interface IResetTokenRepository {
+    create(hash: string, userId: string, email: string, ttl: number): Promise<void>;
+    consume(hash: string): Promise<{
+        userId: string;
+        email: string;
+    } | null>;
+}
+export declare function createMemoryResetTokenRepository(): IResetTokenRepository;
+export declare function createSqliteResetTokenRepository(db: import('bun:sqlite').Database): IResetTokenRepository;
+export declare function createRedisResetTokenRepository(getRedis: () => RedisLike, appName: string): IResetTokenRepository;
+export declare function createMongoResetTokenRepository(conn: import('mongoose').Connection, mg: typeof import('mongoose')): IResetTokenRepository;
+export declare const resetTokenFactories: RepoFactories<IResetTokenRepository>;
+export declare const createResetToken: (repo: IResetTokenRepository, userId: string, email: string, config: AuthResolvedConfig) => Promise<string>;
+export declare const consumeResetToken: (repo: IResetTokenRepository, token: string) => Promise<{
+    userId: string;
+    email: string;
+} | null>;