@lastshotlabs/bunshot 0.0.25 → 0.0.28

package/dist/packages/bunshot-auth/src/lib/storeInfra.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Centralized store infrastructure.
+ *
+ * Add a new backing store in ONE place:
+ *   1. Add the type to `StoreType` in types/store.ts
+ *   2. Add its infra deps to `StoreInfra`
+ *   3. Add a factory entry in each repository's `factories` record
+ *
+ * Repos declare their factory maps as `Record<StoreType, (infra: StoreInfra) => T>`.
+ * `resolveRepo()` picks the right factory and calls it.
+ */
+import type { StoreType } from '../types/store';
+import type { RedisLike } from '../types/redis';
+import type { Connection } from 'mongoose';
+import type { Database } from 'bun:sqlite';
+export interface StoreInfra {
+    readonly appName: string;
+    readonly getRedis: () => RedisLike;
+    readonly getMongo: () => {
+        conn: Connection;
+        mg: typeof import('mongoose');
+    };
+    readonly getSqliteDb: () => Database;
+}
+export type RepoFactories<T> = Record<StoreType, (infra: StoreInfra) => T>;
+export declare function resolveRepo<T>(factories: RepoFactories<T>, storeType: StoreType, infra: StoreInfra): T;

package/dist/packages/bunshot-auth/src/lib/storeInfra.js

@@ -0,0 +1,18 @@
+/**
+ * Centralized store infrastructure.
+ *
+ * Add a new backing store in ONE place:
+ *   1. Add the type to `StoreType` in types/store.ts
+ *   2. Add its infra deps to `StoreInfra`
+ *   3. Add a factory entry in each repository's `factories` record
+ *
+ * Repos declare their factory maps as `Record<StoreType, (infra: StoreInfra) => T>`.
+ * `resolveRepo()` picks the right factory and calls it.
+ */
+export function resolveRepo(factories, storeType, infra) {
+    const factory = factories[storeType];
+    if (!factory) {
+        throw new Error(`[bunshot-auth] Unsupported store type: ${storeType}`);
+    }
+    return factory(infra);
+}

package/dist/packages/bunshot-auth/src/lib/suspension.d.ts

@@ -0,0 +1,14 @@
+import type { AuthAdapter } from '../lib/authAdapter';
+/**
+ * Suspend or unsuspend a user.
+ * No-op when the adapter does not implement setSuspended.
+ */
+export declare function setSuspended(adapter: AuthAdapter, userId: string, suspended: boolean, reason?: string): Promise<void>;
+/**
+ * Get the suspension status of a user.
+ * Returns { suspended: false } when the adapter does not implement getSuspended.
+ */
+export declare function getSuspended(adapter: AuthAdapter, userId: string): Promise<{
+    suspended: boolean;
+    suspendedReason?: string;
+}>;

package/dist/packages/bunshot-auth/src/lib/suspension.js

@@ -0,0 +1,20 @@
+/**
+ * Suspend or unsuspend a user.
+ * No-op when the adapter does not implement setSuspended.
+ */
+export async function setSuspended(adapter, userId, suspended, reason) {
+    if (adapter.setSuspended) {
+        await adapter.setSuspended(userId, suspended, reason);
+    }
+}
+/**
+ * Get the suspension status of a user.
+ * Returns { suspended: false } when the adapter does not implement getSuspended.
+ */
+export async function getSuspended(adapter, userId) {
+    if (adapter.getSuspended) {
+        const result = await adapter.getSuspended(userId);
+        return result ?? { suspended: false };
+    }
+    return { suspended: false };
+}

package/dist/packages/bunshot-auth/src/lib/validateAdapter.d.ts

@@ -0,0 +1,16 @@
+import type { AuthAdapter } from './authAdapter';
+export interface AdapterValidationConfig {
+    hasOAuthProviders: boolean;
+    hasMfa: boolean;
+    hasMfaWebAuthn: boolean;
+    hasRoles: boolean;
+    hasDefaultRole: boolean;
+    hasGroups: boolean;
+    hasSuspension: boolean;
+    hasM2m: boolean;
+    hasAdminApi: boolean;
+    hasPasswordReset: boolean;
+    hasPreventReuse: boolean;
+    hasScim: boolean;
+}
+export declare function validateAdapterCapabilities(adapter: AuthAdapter, cfg: AdapterValidationConfig): void;

package/dist/packages/bunshot-auth/src/lib/validateAdapter.js

@@ -0,0 +1,161 @@
+export function validateAdapterCapabilities(adapter, cfg) {
+    const errors = [];
+    // ---------------------------------------------------------------------------
+    // Core — always required
+    // ---------------------------------------------------------------------------
+    if (!adapter.verifyPassword) {
+        errors.push('the configured auth adapter is missing the required "verifyPassword(userId, password)" method. Add verifyPassword to your adapter.');
+    }
+    if (!adapter.getIdentifier) {
+        errors.push('the configured auth adapter is missing the required "getIdentifier(userId)" method. Add getIdentifier to your adapter.');
+    }
+    // ---------------------------------------------------------------------------
+    // passwordReset — requires setPassword
+    // ---------------------------------------------------------------------------
+    if (cfg.hasPasswordReset && !adapter.setPassword) {
+        errors.push('"passwordReset" is configured but the auth adapter does not implement setPassword. Add setPassword to your adapter or remove passwordReset.');
+    }
+    // ---------------------------------------------------------------------------
+    // Tier 2 — OAuth
+    // ---------------------------------------------------------------------------
+    if (cfg.hasOAuthProviders) {
+        const oauthMethods = ['findOrCreateByProvider', 'linkProvider', 'unlinkProvider'];
+        for (const method of oauthMethods) {
+            if (!adapter[method]) {
+                errors.push(`"oauth.providers" is configured but the auth adapter does not implement ${method}. Add ${method} to your adapter.`);
+            }
+        }
+    }
+    // ---------------------------------------------------------------------------
+    // Tier 3 — MFA
+    // ---------------------------------------------------------------------------
+    if (cfg.hasMfa) {
+        const mfaMethods = [
+            'setMfaSecret',
+            'getMfaSecret',
+            'isMfaEnabled',
+            'setMfaEnabled',
+            'setRecoveryCodes',
+            'getRecoveryCodes',
+            'removeRecoveryCode',
+            'consumeRecoveryCode',
+        ];
+        for (const method of mfaMethods) {
+            if (!adapter[method]) {
+                errors.push(`"mfa" is configured but the auth adapter does not implement ${method}. Add ${method} to your adapter.`);
+            }
+        }
+    }
+    // ---------------------------------------------------------------------------
+    // Tier 4 — WebAuthn
+    // ---------------------------------------------------------------------------
+    if (cfg.hasMfaWebAuthn) {
+        const webauthnMethods = [
+            'getWebAuthnCredentials',
+            'addWebAuthnCredential',
+            'removeWebAuthnCredential',
+            'updateWebAuthnCredentialSignCount',
+            'findUserByWebAuthnCredentialId',
+        ];
+        for (const method of webauthnMethods) {
+            if (!adapter[method]) {
+                errors.push(`"mfa.webauthn" is configured but the auth adapter does not implement ${method}. Add ${method} to your adapter.`);
+            }
+        }
+    }
+    // ---------------------------------------------------------------------------
+    // Tier 5 — Roles
+    // ---------------------------------------------------------------------------
+    if (cfg.hasRoles || cfg.hasDefaultRole) {
+        const roleMethods = ['getRoles', 'setRoles', 'addRole', 'removeRole'];
+        for (const method of roleMethods) {
+            if (!adapter[method]) {
+                // Backward-compat: the original error only checked setRoles and mentioned defaultRole
+                if (cfg.hasDefaultRole && method === 'setRoles' && !cfg.hasRoles) {
+                    errors.push(`"defaultRole" is set but the auth adapter does not implement setRoles. Add setRoles to your adapter or remove defaultRole.`);
+                }
+                else {
+                    errors.push(`roles are configured but the auth adapter does not implement ${method}. Add ${method} to your adapter.`);
+                }
+            }
+        }
+    }
+    // ---------------------------------------------------------------------------
+    // Tier 6 — Groups
+    // ---------------------------------------------------------------------------
+    if (cfg.hasGroups) {
+        const groupMethods = [
+            'createGroup',
+            'deleteGroup',
+            'getGroup',
+            'listGroups',
+            'updateGroup',
+            'addGroupMember',
+            'updateGroupMembership',
+            'removeGroupMember',
+            'getGroupMembers',
+            'getUserGroups',
+            'getEffectiveRoles',
+        ];
+        for (const method of groupMethods) {
+            if (!adapter[method]) {
+                errors.push(`"groups" is configured but the auth adapter does not implement ${method}. Add ${method} to your adapter.`);
+            }
+        }
+    }
+    // ---------------------------------------------------------------------------
+    // Tier 7 — Suspension
+    // ---------------------------------------------------------------------------
+    if (cfg.hasSuspension) {
+        const suspensionMethods = ['setSuspended', 'getSuspended'];
+        for (const method of suspensionMethods) {
+            if (!adapter[method]) {
+                errors.push(`suspension checking is configured but the auth adapter does not implement ${method}. Add ${method} to your adapter.`);
+            }
+        }
+    }
+    // ---------------------------------------------------------------------------
+    // Tier 8 — Enterprise: M2M
+    // ---------------------------------------------------------------------------
+    if (cfg.hasM2m) {
+        const m2mMethods = [
+            'getM2MClient',
+            'createM2MClient',
+            'deleteM2MClient',
+            'listM2MClients',
+        ];
+        for (const method of m2mMethods) {
+            if (!adapter[method]) {
+                errors.push(`"auth.m2m" is configured but the auth adapter does not implement ${method}. Add ${method} to your adapter.`);
+            }
+        }
+    }
+    // ---------------------------------------------------------------------------
+    // Tier 8 — Enterprise: admin.api requires listUsers
+    // ---------------------------------------------------------------------------
+    if (cfg.hasAdminApi && !adapter.listUsers) {
+        errors.push(`"adminApi" is configured but the auth adapter does not implement listUsers. Add listUsers to your adapter.`);
+    }
+    // ---------------------------------------------------------------------------
+    // Tier 8 — Enterprise: password history (preventReuse)
+    // ---------------------------------------------------------------------------
+    if (cfg.hasPreventReuse) {
+        const historyMethods = ['getPasswordHistory', 'addPasswordToHistory'];
+        for (const method of historyMethods) {
+            if (!adapter[method]) {
+                errors.push(`"auth.passwordPolicy.preventReuse" is configured but the auth adapter does not implement ${method}. Add ${method} to your adapter.`);
+            }
+        }
+    }
+    // ---------------------------------------------------------------------------
+    // SCIM — requires getUser for RFC 7644 §3.6 DELETE 404 compliance
+    // ---------------------------------------------------------------------------
+    if (cfg.hasScim && !adapter.getUser) {
+        errors.push('"scim" is enabled but the auth adapter does not implement getUser. ' +
+            'SCIM DELETE requires getUser to return 404 for non-existent resources (RFC 7644 §3.6). ' +
+            'Add getUser to your adapter or disable SCIM.');
+    }
+    if (errors.length > 0) {
+        throw new Error(`createApp: Adapter capability validation failed:\n${errors.map(e => `  - ${e}`).join('\n')}`);
+    }
+}

package/dist/packages/bunshot-auth/src/middleware/bearerAuth.d.ts

@@ -0,0 +1,13 @@
+import type { MiddlewareHandler } from 'hono';
+import type { BearerAuthConfig } from '../config/authConfig';
+/**
+ * Build a bearerAuth middleware from the given config.
+ *
+ * Supports three forms:
+ *   - string: single token; no clientId
+ *   - string[]: multiple tokens, any match allows; no clientId
+ *   - BearerAuthClient[]: named clients with per-entry revocation; matched clientId set on context
+ *
+ * Config is required — there is no env var fallback.
+ */
+export declare function createBearerAuth(config: BearerAuthConfig): MiddlewareHandler;

package/dist/packages/bunshot-auth/src/middleware/bearerAuth.js

@@ -0,0 +1,58 @@
+import { timingSafeEqual } from '../../../bunshot-core/src/index.js';
+/**
+ * Build a bearerAuth middleware from the given config.
+ *
+ * Supports three forms:
+ *   - string: single token; no clientId
+ *   - string[]: multiple tokens, any match allows; no clientId
+ *   - BearerAuthClient[]: named clients with per-entry revocation; matched clientId set on context
+ *
+ * Config is required — there is no env var fallback.
+ */
+export function createBearerAuth(config) {
+    return async (c, next) => {
+        const header = c.req.header('Authorization');
+        const token = header?.startsWith('Bearer ') ? header.slice(7) : null;
+        if (!token) {
+            return c.json({ error: 'Unauthorized' }, 401);
+        }
+        if (typeof config === 'string') {
+            // Single string — direct comparison
+            if (!timingSafeEqual(token, config)) {
+                return c.json({ error: 'Unauthorized' }, 401);
+            }
+            await next();
+            return;
+        }
+        if (config.length === 0) {
+            return c.json({ error: 'Unauthorized' }, 401);
+        }
+        // Determine if this is string[] or BearerAuthClient[]
+        if (typeof config[0] === 'string') {
+            // string[] — check all tokens
+            const tokens = config;
+            const matched = tokens.some(t => timingSafeEqual(token, t));
+            if (!matched) {
+                return c.json({ error: 'Unauthorized' }, 401);
+            }
+            await next();
+            return;
+        }
+        // BearerAuthClient[] — check non-revoked clients
+        const clients = config;
+        let matchedClient = null;
+        for (const client of clients) {
+            if (client.revoked)
+                continue;
+            if (timingSafeEqual(token, client.token)) {
+                matchedClient = client;
+                break;
+            }
+        }
+        if (!matchedClient) {
+            return c.json({ error: 'Unauthorized' }, 401);
+        }
+        c.set('bearerClientId', matchedClient.clientId);
+        await next();
+    };
+}

package/dist/{middleware → packages/bunshot-auth/src/middleware}/csrf.d.ts

@@ -1,16 +1,17 @@
-import type { MiddlewareHandler } from "hono";
-import { setCookie, deleteCookie } from "hono/cookie";
-import type { AppEnv } from "../lib/context";
+import type { MiddlewareHandler } from 'hono';
+import { deleteCookie, setCookie } from 'hono/cookie';
+import type { AppEnv, SigningConfig } from '../../../bunshot-core/src/index.js';
 export interface CsrfMiddlewareOptions {
     exemptPaths?: string[];
     checkOrigin?: boolean;
     allowedOrigins?: string | string[];
+    signing?: SigningConfig | null;
 }
 /**
  * Refreshes the CSRF token cookie — call on login/register to prevent
  * session fixation-adjacent attacks.
  */
-export declare function refreshCsrfToken(c: Parameters<typeof setCookie>[0]): void;
+export declare function refreshCsrfToken(c: Parameters<typeof setCookie>[0], signing?: SigningConfig | null): void;
 /**
  * Clears the CSRF token cookie — call on logout.
  */

package/dist/packages/bunshot-auth/src/middleware/csrf.js

@@ -0,0 +1,138 @@
+import { getCsrfCookieOptions } from '../lib/cookieOptions';
+import { isProd } from '../lib/env';
+import { createHmac, randomBytes } from 'crypto';
+import { deleteCookie, getCookie, setCookie } from 'hono/cookie';
+import { COOKIE_CSRF_TOKEN, COOKIE_TOKEN, HEADER_CSRF_TOKEN, timingSafeEqual, } from '../../../bunshot-core/src/index.js';
+import { getSigningSecret } from '../infra/signing';
+import { getAuthRuntimeFromRequest } from '../runtime';
+const STATE_CHANGING_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
+function getCsrfSecret(c, signing) {
+    const ctxSigning = c?.get?.('bunshotCtx');
+    const raw = getSigningSecret(ctxSigning?.signing ?? signing);
+    if (!raw)
+        throw new Error('[bunshot] CSRF middleware: no signing secret configured. Set JWT_SECRET or inject a signing config via createServer({ security: { signing: ... } }).');
+    return Array.isArray(raw) ? raw[0] : raw;
+}
+function generateCsrfToken(secret) {
+    const token = randomBytes(32).toString('hex');
+    const sig = createHmac('sha256', secret).update(token).digest('hex');
+    return `${token}.${sig}`;
+}
+function verifyCsrfSignature(cookieValue, secret) {
+    const dotIdx = cookieValue.indexOf('.');
+    if (dotIdx === -1)
+        return false;
+    const token = cookieValue.substring(0, dotIdx);
+    const sig = cookieValue.substring(dotIdx + 1);
+    const expected = createHmac('sha256', secret).update(token).digest('hex');
+    return timingSafeEqual(sig, expected);
+}
+/**
+ * Refreshes the CSRF token cookie — call on login/register to prevent
+ * session fixation-adjacent attacks.
+ */
+export function refreshCsrfToken(c, signing) {
+    const secret = getCsrfSecret(c, signing);
+    const token = generateCsrfToken(secret);
+    const authRuntime = getAuthRuntimeFromRequest(c);
+    setCookie(c, COOKIE_CSRF_TOKEN, token, getCsrfCookieOptions(isProd(), authRuntime.config));
+}
+/**
+ * Clears the CSRF token cookie — call on logout.
+ */
+export function clearCsrfToken(c) {
+    deleteCookie(c, COOKIE_CSRF_TOKEN, { path: '/' });
+}
+export const csrfProtection = (options = {}) => {
+    const { exemptPaths = [], checkOrigin = true, allowedOrigins, signing } = options;
+    // Normalize allowed origins for origin validation
+    const originSet = new Set();
+    if (allowedOrigins) {
+        const origins = Array.isArray(allowedOrigins) ? allowedOrigins : [allowedOrigins];
+        for (const o of origins) {
+            // "*" is intentionally excluded: validating against a wildcard would accept any origin,
+            // defeating the check. When CORS is open, origin validation is meaningless.
+            if (o !== '*')
+                originSet.add(o.replace(/\/$/, ''));
+        }
+    }
+    if (checkOrigin && originSet.size === 0) {
+        // Warn in all environments — this is a one-time startup message, not per-request noise,
+        // and a misconfigured production deployment should surface it.
+        console.warn('[bunshot] csrfProtection: checkOrigin is enabled but no specific allowed origins are ' +
+            'configured (CORS is "*" or allowedOrigins is unset). Origin validation is disabled — ' +
+            'only the HMAC double-submit cookie check is active. Set security.cors to specific ' +
+            'origins to enable origin validation.');
+    }
+    return async (c, next) => {
+        const secret = getCsrfSecret(c, signing);
+        // Set CSRF cookie on every response if not already present
+        const existingCsrf = getCookie(c, COOKIE_CSRF_TOKEN);
+        if (!existingCsrf) {
+            const token = generateCsrfToken(secret);
+            setCookie(c, COOKIE_CSRF_TOKEN, token, getCsrfCookieOptions(isProd(), getAuthRuntimeFromRequest(c).config));
+        }
+        // Only validate state-changing methods
+        if (!STATE_CHANGING_METHODS.has(c.req.method)) {
+            return next();
+        }
+        // Skip if no auth cookie present — not vulnerable to CSRF
+        const authCookie = getCookie(c, COOKIE_TOKEN);
+        if (!authCookie) {
+            return next();
+        }
+        // Skip exempt paths
+        const path = c.req.path;
+        for (const exempt of exemptPaths) {
+            if (exempt.endsWith('*')) {
+                if (path.startsWith(exempt.slice(0, -1)))
+                    return next();
+            }
+            else {
+                if (path === exempt)
+                    return next();
+            }
+        }
+        // Origin validation (secondary layer)
+        if (checkOrigin && originSet.size > 0) {
+            const origin = c.req.header('origin');
+            if (origin) {
+                const normalized = origin.replace(/\/$/, '');
+                if (!originSet.has(normalized)) {
+                    getAuthRuntimeFromRequest(c).eventBus.emit('security.csrf.failed', {
+                        path: c.req.path,
+                        meta: { method: c.req.method, reason: 'origin_mismatch' },
+                    });
+                    return c.json({ error: 'CSRF origin mismatch' }, 403);
+                }
+            }
+        }
+        // Double submit cookie validation
+        const csrfCookie = getCookie(c, COOKIE_CSRF_TOKEN);
+        const csrfHeader = c.req.header(HEADER_CSRF_TOKEN);
+        if (!csrfCookie || !csrfHeader) {
+            getAuthRuntimeFromRequest(c).eventBus.emit('security.csrf.failed', {
+                path: c.req.path,
+                meta: { method: c.req.method, reason: 'token_missing' },
+            });
+            return c.json({ error: 'CSRF token missing' }, 403);
+        }
+        // Verify the cookie's HMAC signature (prevents cookie injection)
+        if (!verifyCsrfSignature(csrfCookie, secret)) {
+            getAuthRuntimeFromRequest(c).eventBus.emit('security.csrf.failed', {
+                path: c.req.path,
+                meta: { method: c.req.method, reason: 'token_invalid' },
+            });
+            return c.json({ error: 'CSRF token invalid' }, 403);
+        }
+        // Compare header value to cookie value
+        if (!timingSafeEqual(csrfHeader, csrfCookie)) {
+            getAuthRuntimeFromRequest(c).eventBus.emit('security.csrf.failed', {
+                path: c.req.path,
+                meta: { method: c.req.method, reason: 'token_mismatch' },
+            });
+            return c.json({ error: 'CSRF token mismatch' }, 403);
+        }
+        return next();
+    };
+};

package/dist/packages/bunshot-auth/src/middleware/identify.d.ts

@@ -0,0 +1,4 @@
+import type { MiddlewareHandler } from 'hono';
+import type { AppEnv } from '../../../bunshot-core/src/index.js';
+import type { AuthRuntimeContext } from '../runtime';
+export declare const createIdentifyMiddleware: (authRuntime: AuthRuntimeContext) => MiddlewareHandler<AppEnv>;

package/dist/packages/bunshot-auth/src/middleware/identify.js

@@ -0,0 +1,124 @@
+import { verifyToken } from '../lib/jwt';
+import { authTrace, log } from '../lib/logger';
+import { getSuspended } from '../lib/suspension';
+import { getCookie } from 'hono/cookie';
+import { COOKIE_TOKEN, HEADER_USER_TOKEN, HttpError, sha256, timingSafeEqual, } from '../../../bunshot-core/src/index.js';
+import { getClientIp } from '../../../bunshot-core/src/index.js';
+function computeFingerprint(c, fields) {
+    const parts = fields.map(f => {
+        if (f === 'ip')
+            return getClientIp(c) ?? '';
+        if (f === 'ua')
+            return c.req.header('user-agent') ?? '';
+        return c.req.header('accept-language') ?? '';
+    });
+    return sha256(parts.join(':'));
+}
+export const createIdentifyMiddleware = (authRuntime) => async (c, next) => {
+    const authConfig = authRuntime.config;
+    const sessionRepo = authRuntime.repos.session;
+    c.set('authUserId', null);
+    c.set('roles', null);
+    c.set('sessionId', null);
+    c.set('authClientId', null);
+    c.set('tokenPayload', null);
+    // cookie for browsers, x-user-token header for non-browser clients
+    const token = getCookie(c, COOKIE_TOKEN) ?? c.req.header(HEADER_USER_TOKEN) ?? null;
+    log(`[identify] token=${token ? 'present' : 'absent'}`);
+    if (token) {
+        try {
+            const payload = await verifyToken(token, authConfig, authRuntime?.signing ?? c.get('bunshotCtx')?.signing ?? null);
+            c.set('tokenPayload', payload);
+            const sessionId = payload.sid;
+            if (!sessionId) {
+                // Check for M2M token (scope present, no sid)
+                if (payload.scope && payload.sub) {
+                    c.set('authClientId', payload.sub);
+                    log(`[identify] M2M token for clientId=${payload.sub}`);
+                }
+                else {
+                    log('[identify] token missing sid claim — unauthenticated');
+                }
+            }
+            else {
+                const stored = await sessionRepo.getSession(sessionId, authConfig);
+                log('[identify] token verified, checking session...');
+                authTrace(`[identify] authUserId=${payload.sub}`);
+                if (timingSafeEqual(stored ?? '', token)) {
+                    const signingCfg = authRuntime.signing ?? c.get('bunshotCtx')?.signing ?? null;
+                    const bindingCfg = signingCfg?.sessionBinding;
+                    if (bindingCfg) {
+                        const bindingOpts = typeof bindingCfg === 'object' ? bindingCfg : {};
+                        const fields = bindingOpts.fields ?? [
+                            'ip',
+                            'ua',
+                        ];
+                        const onMismatch = bindingOpts.onMismatch ?? 'unauthenticate';
+                        const current = computeFingerprint(c, fields);
+                        const storedFp = await sessionRepo.getSessionFingerprint(sessionId);
+                        if (storedFp === null) {
+                            // First authenticated request — store the fingerprint
+                            sessionRepo.setSessionFingerprint(sessionId, current).catch(() => {
+                                log('[identify] failed to store session fingerprint');
+                            });
+                            c.set('authUserId', payload.sub);
+                            c.set('sessionId', sessionId);
+                        }
+                        else if (timingSafeEqual(storedFp, current)) {
+                            c.set('authUserId', payload.sub);
+                            c.set('sessionId', sessionId);
+                        }
+                        else {
+                            log(`[identify] fingerprint mismatch, onMismatch=${onMismatch}`);
+                            authTrace(`[identify] sessionId=${sessionId}`);
+                            if (onMismatch === 'reject') {
+                                throw new HttpError(401, 'Unauthorized', 'FINGERPRINT_MISMATCH');
+                            }
+                            else if (onMismatch === 'log-only') {
+                                c.set('authUserId', payload.sub);
+                                c.set('sessionId', sessionId);
+                            }
+                            // onMismatch === "unauthenticate" — leave authUserId null (already null)
+                        }
+                    }
+                    else {
+                        c.set('authUserId', payload.sub);
+                        c.set('sessionId', sessionId);
+                    }
+                    if (c.get('authUserId')) {
+                        if (authConfig.checkSuspensionOnIdentify) {
+                            const suspensionStatus = await getSuspended(authRuntime.adapter, payload.sub).catch(() => ({ suspended: false }));
+                            if (suspensionStatus.suspended) {
+                                c.set('authUserId', null);
+                                c.set('sessionId', null);
+                                c.set('roles', null);
+                                log(`[identify] userId=${payload.sub} is suspended — unauthenticated`);
+                            }
+                        }
+                    }
+                    if (c.get('authUserId')) {
+                        authTrace(`[identify] authUserId=${payload.sub} sessionId=${sessionId}`);
+                        // Auto-enable lastActiveAt tracking when idleTimeout is configured
+                        if (authConfig.trackLastActive || authConfig.sessionPolicy.idleTimeout) {
+                            sessionRepo.updateSessionLastActive(sessionId, authConfig).catch(() => {
+                                log('[identify] failed to update session lastActiveAt');
+                            });
+                        }
+                    }
+                }
+                else {
+                    log('[identify] token/session mismatch — unauthenticated');
+                }
+            }
+        }
+        catch (err) {
+            if (err instanceof HttpError)
+                throw err;
+            log('[identify] invalid token — unauthenticated');
+        }
+    }
+    else {
+        log('[identify] no token — unauthenticated');
+    }
+    await next();
+};

package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireMfaSetup.d.ts

@@ -1,5 +1,5 @@
-import type { MiddlewareHandler } from "hono";
-import type { AppEnv } from "../lib/context";
+import type { MiddlewareHandler } from 'hono';
+import type { AppEnv } from '../../../bunshot-core/src/index.js';
 /**
  * Middleware that blocks authenticated users who have not completed MFA setup.
  *