@lastshotlabs/bunshot 0.0.25 → 0.0.28

package/dist/lib/emailVerification.js

@@ -1,86 +0,0 @@
-import { getRedis } from "./redis";
-import { appConnection, mongoose } from "./mongo";
-import { getAppName, getTokenExpiry } from "./appConfig";
-import { sha256 } from "./crypto";
-import { sqliteCreateVerificationToken, sqliteGetVerificationToken, sqliteDeleteVerificationToken, } from "../adapters/sqliteAuth";
-import { memoryCreateVerificationToken, memoryGetVerificationToken, memoryDeleteVerificationToken, } from "../adapters/memoryAuth";
-function getVerificationModel() {
-    if (appConnection.models["EmailVerification"])
-        return appConnection.models["EmailVerification"];
-    const { Schema } = mongoose;
-    const verificationSchema = new Schema({
-        token: { type: String, required: true, unique: true },
-        userId: { type: String, required: true },
-        email: { type: String, required: true },
-        expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
-    }, { collection: "email_verifications" });
-    return appConnection.model("EmailVerification", verificationSchema);
-}
-let _store = "redis";
-export const setEmailVerificationStore = (store) => { _store = store; };
-// ---------------------------------------------------------------------------
-// Public API
-// ---------------------------------------------------------------------------
-/** Create a verification token. Returns the raw token (for the email link).
- *  Only the SHA-256 hash is persisted in the store. */
-export const createVerificationToken = async (userId, email) => {
-    const token = crypto.randomUUID();
-    const hash = sha256(token);
-    const ttl = getTokenExpiry();
-    if (_store === "memory") {
-        memoryCreateVerificationToken(hash, userId, email, ttl);
-        return token;
-    }
-    if (_store === "sqlite") {
-        sqliteCreateVerificationToken(hash, userId, email, ttl);
-        return token;
-    }
-    if (_store === "mongo") {
-        await getVerificationModel().create({
-            token: hash,
-            userId,
-            email,
-            expiresAt: new Date(Date.now() + ttl * 1000),
-        });
-        return token;
-    }
-    await getRedis().set(`verify:${getAppName()}:${hash}`, JSON.stringify({ userId, email }), "EX", ttl);
-    return token;
-};
-/** Look up a verification token by its raw value. Hashes before lookup. */
-export const getVerificationToken = async (token) => {
-    const hash = sha256(token);
-    if (_store === "memory")
-        return memoryGetVerificationToken(hash);
-    if (_store === "sqlite")
-        return sqliteGetVerificationToken(hash);
-    if (_store === "mongo") {
-        const doc = await getVerificationModel()
-            .findOne({ token: hash, expiresAt: { $gt: new Date() } })
-            .lean();
-        if (!doc)
-            return null;
-        return { userId: doc.userId, email: doc.email };
-    }
-    const raw = await getRedis().get(`verify:${getAppName()}:${hash}`);
-    if (!raw)
-        return null;
-    return JSON.parse(raw);
-};
-/** Delete a verification token by its raw value. Hashes before lookup. */
-export const deleteVerificationToken = async (token) => {
-    const hash = sha256(token);
-    if (_store === "memory") {
-        memoryDeleteVerificationToken(hash);
-        return;
-    }
-    if (_store === "sqlite") {
-        sqliteDeleteVerificationToken(hash);
-        return;
-    }
-    if (_store === "mongo") {
-        await getVerificationModel().deleteOne({ token: hash });
-        return;
-    }
-    await getRedis().del(`verify:${getAppName()}:${hash}`);
-};

package/dist/lib/fingerprint.js

@@ -1,36 +0,0 @@
-const BROWSER_HEADERS = [
-    "sec-fetch-site",
-    "sec-fetch-mode",
-    "sec-fetch-dest",
-    "sec-ch-ua",
-    "sec-ch-ua-mobile",
-    "sec-ch-ua-platform",
-    "origin",
-    "referer",
-    "x-requested-with",
-];
-const encoder = new TextEncoder();
-/**
- * Builds a 12-hex-char fingerprint from stable HTTP headers.
- * IP-independent: bots that rotate IPs but use the same HTTP client
- * will produce the same fingerprint and share a rate-limit bucket.
- */
-export async function buildFingerprint(req) {
-    const h = (name) => req.headers.get(name) ?? "";
-    // Encode which browser-only headers are present as a bitmask string.
-    // Real browsers send most of these; raw HTTP clients send none.
-    const bitmap = BROWSER_HEADERS.map((name) => req.headers.has(name) ? "1" : "0").join("");
-    const raw = [
-        h("user-agent"),
-        h("accept"),
-        h("accept-language"),
-        h("accept-encoding"),
-        h("connection"),
-        bitmap,
-    ].join("|");
-    const buf = await crypto.subtle.digest("SHA-256", encoder.encode(raw));
-    const bytes = new Uint8Array(buf).slice(0, 6);
-    return Array.from(bytes)
-        .map((b) => b.toString(16).padStart(2, "0"))
-        .join("");
-}

package/dist/lib/idempotency.js

@@ -1,182 +0,0 @@
-import { getRedis } from "./redis";
-import { appConnection, mongoose } from "./mongo";
-import { getAppName } from "./appConfig";
-import { getSigningConfig, getSigningSecret } from "./appConfig";
-import { hmacSign } from "./signing";
-import { HEADER_IDEMPOTENCY_KEY } from "./constants";
-let _store = "redis";
-export const setIdempotencyStore = (store) => { _store = store; };
-// ---------------------------------------------------------------------------
-// Memory store (tests only — no TTL eviction)
-// ---------------------------------------------------------------------------
-const _memory = new Map();
-export const clearIdempotencyMemoryStore = () => _memory.clear();
-function getIdempotencyModel() {
-    if (appConnection.models["Idempotency"])
-        return appConnection.models["Idempotency"];
-    const { Schema } = mongoose;
-    const schema = new Schema({
-        key: { type: String, required: true, unique: true },
-        status: { type: Number, required: true },
-        body: { type: String, required: true },
-        createdAt: { type: Date, required: true },
-        expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
-    }, { collection: "idempotency" });
-    return appConnection.model("Idempotency", schema);
-}
-// ---------------------------------------------------------------------------
-// SQLite helpers (lazy — only available when bun:sqlite is in use)
-// ---------------------------------------------------------------------------
-function getSqliteDb() {
-    const { getDb } = require("../adapters/sqliteAuth");
-    return getDb();
-}
-function sqliteEnsureTable() {
-    const db = getSqliteDb();
-    db.run(`CREATE TABLE IF NOT EXISTS idempotency (
-    key       TEXT PRIMARY KEY,
-    status    INTEGER NOT NULL,
-    body      TEXT NOT NULL,
-    createdAt INTEGER NOT NULL,
-    expiresAt INTEGER NOT NULL
-  )`);
-}
-// ---------------------------------------------------------------------------
-// Key derivation
-// ---------------------------------------------------------------------------
-function deriveKey(rawKey, userId) {
-    const prefix = userId ?? "anon";
-    const cfg = getSigningConfig();
-    if (cfg?.idempotencyKeys) {
-        const secret = getSigningSecret();
-        if (secret) {
-            return `${prefix}:${hmacSign(rawKey, secret)}`;
-        }
-    }
-    return `${prefix}:${rawKey}`;
-}
-function redisIdempotencyKey(key) {
-    return `idempotency:${getAppName()}:${key}`;
-}
-// ---------------------------------------------------------------------------
-// Store operations
-// ---------------------------------------------------------------------------
-async function getRecord(key) {
-    if (_store === "memory") {
-        return _memory.get(key) ?? null;
-    }
-    if (_store === "sqlite") {
-        sqliteEnsureTable();
-        const row = getSqliteDb().query("SELECT status, body, createdAt FROM idempotency WHERE key = ? AND expiresAt > ?").get(key, Date.now());
-        return row ? { status: row.status, body: row.body, createdAt: row.createdAt } : null;
-    }
-    if (_store === "redis") {
-        const raw = await getRedis().get(redisIdempotencyKey(key));
-        if (!raw)
-            return null;
-        return JSON.parse(raw);
-    }
-    // mongo
-    const doc = await getIdempotencyModel()
-        .findOne({ key, expiresAt: { $gt: new Date() } }, "status body createdAt")
-        .lean();
-    return doc ? { status: doc.status, body: doc.body, createdAt: doc.createdAt.getTime() } : null;
-}
-/**
- * Attempt to store a record. Returns true if stored, false if a record
- * already exists (write collision — treat as cache hit).
- */
-async function tryStoreRecord(key, record, ttl) {
-    if (_store === "memory") {
-        if (_memory.has(key))
-            return false;
-        _memory.set(key, record);
-        return true;
-    }
-    if (_store === "sqlite") {
-        sqliteEnsureTable();
-        const db = getSqliteDb();
-        const expiresAt = record.createdAt + ttl * 1000;
-        db.run("INSERT OR IGNORE INTO idempotency (key, status, body, createdAt, expiresAt) VALUES (?, ?, ?, ?, ?)", [key, record.status, record.body, record.createdAt, expiresAt]);
-        // SQLite INSERT OR IGNORE doesn't throw on conflict; check changes count
-        const changes = db.query("SELECT changes() as changes").get()?.changes ?? 0;
-        return changes > 0;
-    }
-    if (_store === "redis") {
-        // SET NX: set-if-not-exists — second concurrent writer gets a no-op
-        const value = JSON.stringify(record);
-        const result = await getRedis().set(redisIdempotencyKey(key), value, "EX", ttl, "NX");
-        return result === "OK";
-    }
-    // mongo — unique index on key; second writer catches duplicate key error
-    try {
-        const now = new Date(record.createdAt);
-        await getIdempotencyModel().create({
-            key,
-            status: record.status,
-            body: record.body,
-            createdAt: now,
-            expiresAt: new Date(now.getTime() + ttl * 1000),
-        });
-        return true;
-    }
-    catch (err) {
-        // Duplicate key — another concurrent request already stored the result
-        if (err?.code === 11000 || err?.code === "11000")
-            return false;
-        throw err;
-    }
-}
-// ---------------------------------------------------------------------------
-// Middleware factory
-// ---------------------------------------------------------------------------
-/**
- * Idempotency middleware. Reads the `Idempotency-Key` header and returns a
- * cached response if one exists for this user + key combination. Otherwise
- * calls the next handler, stores the response, and returns it.
- *
- * On write collision (two concurrent identical requests), the second request
- * re-reads and returns the first-stored result.
- *
- * When `signing.idempotencyKeys: true`, keys are HMAC'd before storage to
- * prevent enumeration. When off, raw keys are stored (slight enumeration risk).
- */
-export const idempotent = (opts) => async (c, next) => {
-    const rawKey = c.req.header(HEADER_IDEMPOTENCY_KEY);
-    if (!rawKey) {
-        await next();
-        return;
-    }
-    const userId = c.get("authUserId") ?? null;
-    const key = deriveKey(rawKey, userId);
-    const ttl = opts?.ttl ?? 86400;
-    // Cache hit — return stored response
-    const cached = await getRecord(key);
-    if (cached) {
-        return c.json(JSON.parse(cached.body), cached.status);
-    }
-    // Cache miss — call handler
-    await next();
-    // Capture the response body by reading it
-    const status = c.res.status;
-    let body = "";
-    try {
-        body = await c.res.clone().text();
-    }
-    catch {
-        // Non-text/non-json response — skip caching
-        return;
-    }
-    const record = { status, body, createdAt: Date.now() };
-    const stored = await tryStoreRecord(key, record, ttl);
-    if (!stored) {
-        // Write collision — return the first-stored result
-        const winner = await getRecord(key);
-        if (winner) {
-            c.res = new Response(winner.body, {
-                status: winner.status,
-                headers: { "content-type": "application/json" },
-            });
-        }
-    }
-};

package/dist/lib/jwt.d.ts

@@ -1,2 +0,0 @@
-export declare const signToken: (userId: string, sessionId: string, expirySeconds?: number) => Promise<string>;
-export declare const verifyToken: (token: string) => Promise<import("jose").JWTPayload>;

package/dist/lib/jwt.js

@@ -1,24 +0,0 @@
-import { SignJWT, jwtVerify } from "jose";
-let _secret = null;
-function getSecret() {
-    if (_secret)
-        return _secret;
-    const isProd = process.env.NODE_ENV === "production";
-    const envKey = isProd ? "JWT_SECRET_PROD" : "JWT_SECRET_DEV";
-    const rawSecret = process.env[envKey];
-    if (!rawSecret || rawSecret.length < 32) {
-        throw new Error(`[security] ${envKey} is missing or too short (${rawSecret?.length ?? 0} chars). ` +
-            `JWT secrets must be at least 32 characters. Generate one with: ` +
-            `node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"`);
-    }
-    _secret = new TextEncoder().encode(rawSecret);
-    return _secret;
-}
-export const signToken = async (userId, sessionId, expirySeconds) => new SignJWT({ sub: userId, sid: sessionId })
-    .setProtectedHeader({ alg: "HS256" })
-    .setExpirationTime(expirySeconds ? `${expirySeconds}s` : "7d")
-    .sign(getSecret());
-export const verifyToken = async (token) => {
-    const { payload } = await jwtVerify(token, getSecret());
-    return payload;
-};

package/dist/lib/logger.d.ts

@@ -1 +0,0 @@
-export declare const log: (...args: unknown[]) => void;

package/dist/lib/logger.js

@@ -1,7 +0,0 @@
-const isDev = process.env.NODE_ENV !== "production";
-const verboseEnv = process.env.LOGGING_VERBOSE;
-const verbose = verboseEnv !== undefined ? verboseEnv === "true" : isDev;
-export const log = (...args) => {
-    if (verbose)
-        console.log(...args);
-};

package/dist/lib/metrics.d.ts

@@ -1,14 +0,0 @@
-type Labels = Record<string, string>;
-export declare function defaultNormalizePath(path: string): string;
-export declare function incrementCounter(name: string, labels: Labels, amount?: number): void;
-export declare function observeHistogram(name: string, labels: Labels, value: number, buckets?: number[]): void;
-type GaugeCallback = () => Promise<{
-    labels: Labels;
-    value: number;
-}[]>;
-export declare function registerGaugeCallback(name: string, cb: GaugeCallback): void;
-export declare function serializeMetrics(): Promise<string>;
-export declare function resetMetrics(): void;
-export declare function setMetricsQueues(map: Map<string, any>): void;
-export declare function closeMetricsQueues(): Promise<void>;
-export {};

package/dist/lib/mfaChallenge.d.ts

@@ -1,42 +0,0 @@
-export type MfaChallengePurpose = "login" | "webauthn-registration";
-export interface MfaChallengeOptions {
-    emailOtpHash?: string;
-    webauthnChallenge?: string;
-}
-export interface MfaChallengeData {
-    userId: string;
-    purpose: MfaChallengePurpose;
-    emailOtpHash?: string;
-    webauthnChallenge?: string;
-}
-/** Reset all in-memory MFA challenge state. Called by clearMemoryStore(). */
-export declare const clearMemoryMfaChallenges: () => void;
-/** Must be called when store is "sqlite" to inject the db instance. */
-export declare const setMfaChallengeSqliteDb: (db: any) => void;
-type MfaChallengeStore = "redis" | "mongo" | "sqlite" | "memory";
-export declare const setMfaChallengeStore: (store: MfaChallengeStore) => void;
-export declare const createMfaChallenge: (userId: string, options?: MfaChallengeOptions) => Promise<string>;
-export declare const consumeMfaChallenge: (token: string) => Promise<MfaChallengeData | null>;
-/**
- * Replace the email OTP hash on an existing challenge without consuming it.
- * Used for the resend flow. Increments resendCount and caps the challenge lifetime.
- * Returns { userId, resendCount } on success, null if challenge not found/expired/max resends reached.
- */
-export declare const replaceMfaChallengeOtp: (token: string, newEmailOtpHash: string) => Promise<{
-    userId: string;
-    resendCount: number;
-} | null>;
-/**
- * Create a WebAuthn registration challenge token. Separate from the login flow —
- * uses `purpose: "webauthn-registration"` so it cannot be consumed by `consumeMfaChallenge`.
- */
-export declare const createWebAuthnRegistrationChallenge: (userId: string, challenge: string) => Promise<string>;
-/**
- * Consume a WebAuthn registration challenge token.
- * Only accepts tokens with `purpose: "webauthn-registration"`.
- */
-export declare const consumeWebAuthnRegistrationChallenge: (token: string) => Promise<{
-    userId: string;
-    challenge: string;
-} | null>;
-export {};