@lastshotlabs/bunshot 0.0.25 → 0.0.28

package/dist/lib/mfaChallenge.js

@@ -1,293 +0,0 @@
-import { getRedis } from "./redis";
-import { appConnection, mongoose } from "./mongo";
-import { getAppName, getMfaChallengeTtl } from "./appConfig";
-import { sha256 } from "./crypto";
-const MAX_RESENDS = 3;
-function getMfaChallengeModel() {
-    if (appConnection.models["MfaChallenge"])
-        return appConnection.models["MfaChallenge"];
-    const { Schema } = mongoose;
-    const schema = new Schema({
-        token: { type: String, required: true, unique: true },
-        userId: { type: String, required: true },
-        purpose: { type: String, required: true, default: "login" },
-        emailOtpHash: { type: String },
-        webauthnChallenge: { type: String },
-        createdAt: { type: Date, required: true },
-        resendCount: { type: Number, required: true, default: 0 },
-        expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
-    }, { collection: "mfa_challenges" });
-    return appConnection.model("MfaChallenge", schema);
-}
-// ---------------------------------------------------------------------------
-// In-memory store
-// ---------------------------------------------------------------------------
-const _memoryChallenges = new Map();
-/** Reset all in-memory MFA challenge state. Called by clearMemoryStore(). */
-export const clearMemoryMfaChallenges = () => { _memoryChallenges.clear(); };
-// ---------------------------------------------------------------------------
-// SQLite store (reuses the existing SQLite DB instance)
-// ---------------------------------------------------------------------------
-let _sqliteDb = null;
-let _sqliteTableCreated = false;
-/** Must be called when store is "sqlite" to inject the db instance. */
-export const setMfaChallengeSqliteDb = (db) => { _sqliteDb = db; };
-function ensureSqliteMfaTable() {
-    if (_sqliteTableCreated || !_sqliteDb)
-        return;
-    _sqliteDb.run(`CREATE TABLE IF NOT EXISTS mfa_challenges (
-    token             TEXT PRIMARY KEY,
-    userId            TEXT NOT NULL,
-    purpose           TEXT NOT NULL DEFAULT 'login',
-    emailOtpHash      TEXT,
-    webauthnChallenge TEXT,
-    createdAt         INTEGER NOT NULL,
-    resendCount       INTEGER NOT NULL DEFAULT 0,
-    expiresAt         INTEGER NOT NULL
-  )`);
-    // Migrate pre-existing tables that lack newer columns
-    try {
-        _sqliteDb.run("ALTER TABLE mfa_challenges ADD COLUMN emailOtpHash TEXT");
-    }
-    catch { /* already exists */ }
-    try {
-        _sqliteDb.run("ALTER TABLE mfa_challenges ADD COLUMN createdAt INTEGER NOT NULL DEFAULT 0");
-    }
-    catch { /* already exists */ }
-    try {
-        _sqliteDb.run("ALTER TABLE mfa_challenges ADD COLUMN resendCount INTEGER NOT NULL DEFAULT 0");
-    }
-    catch { /* already exists */ }
-    try {
-        _sqliteDb.run("ALTER TABLE mfa_challenges ADD COLUMN purpose TEXT NOT NULL DEFAULT 'login'");
-    }
-    catch { /* already exists */ }
-    try {
-        _sqliteDb.run("ALTER TABLE mfa_challenges ADD COLUMN webauthnChallenge TEXT");
-    }
-    catch { /* already exists */ }
-    _sqliteTableCreated = true;
-}
-let _store = "redis";
-export const setMfaChallengeStore = (store) => { _store = store; };
-// ---------------------------------------------------------------------------
-// Public API
-// ---------------------------------------------------------------------------
-export const createMfaChallenge = async (userId, options) => {
-    const token = crypto.randomUUID();
-    const hash = sha256(token);
-    const ttl = getMfaChallengeTtl();
-    const now = Date.now();
-    const purpose = "login";
-    const emailOtpHash = options?.emailOtpHash;
-    const webauthnChallenge = options?.webauthnChallenge;
-    if (_store === "memory") {
-        _memoryChallenges.set(hash, { userId, purpose, emailOtpHash, webauthnChallenge, createdAt: now, resendCount: 0, expiresAt: now + ttl * 1000 });
-        return token;
-    }
-    if (_store === "sqlite") {
-        ensureSqliteMfaTable();
-        _sqliteDb.run("INSERT INTO mfa_challenges (token, userId, purpose, emailOtpHash, webauthnChallenge, createdAt, resendCount, expiresAt) VALUES (?, ?, ?, ?, ?, ?, 0, ?)", [hash, userId, purpose, emailOtpHash ?? null, webauthnChallenge ?? null, now, now + ttl * 1000]);
-        return token;
-    }
-    if (_store === "mongo") {
-        await getMfaChallengeModel().create({
-            token: hash,
-            userId,
-            purpose,
-            emailOtpHash,
-            webauthnChallenge,
-            createdAt: new Date(now),
-            resendCount: 0,
-            expiresAt: new Date(now + ttl * 1000),
-        });
-        return token;
-    }
-    // redis
-    await getRedis().set(`mfachallenge:${getAppName()}:${hash}`, JSON.stringify({ userId, purpose, emailOtpHash, webauthnChallenge, createdAt: now, resendCount: 0 }), "EX", ttl);
-    return token;
-};
-export const consumeMfaChallenge = async (token) => {
-    const hash = sha256(token);
-    if (_store === "memory") {
-        const entry = _memoryChallenges.get(hash);
-        if (!entry || entry.expiresAt <= Date.now()) {
-            _memoryChallenges.delete(hash);
-            return null;
-        }
-        _memoryChallenges.delete(hash);
-        if (entry.purpose !== "login")
-            return null;
-        return { userId: entry.userId, purpose: entry.purpose, emailOtpHash: entry.emailOtpHash, webauthnChallenge: entry.webauthnChallenge };
-    }
-    if (_store === "sqlite") {
-        ensureSqliteMfaTable();
-        const row = _sqliteDb.query("DELETE FROM mfa_challenges WHERE token = ? AND expiresAt > ? RETURNING userId, purpose, emailOtpHash, webauthnChallenge").get(hash, Date.now());
-        if (!row || row.purpose !== "login")
-            return null;
-        return { userId: row.userId, purpose: "login", emailOtpHash: row.emailOtpHash ?? undefined, webauthnChallenge: row.webauthnChallenge ?? undefined };
-    }
-    if (_store === "mongo") {
-        const doc = await getMfaChallengeModel().findOneAndDelete({ token: hash, expiresAt: { $gt: new Date() } });
-        if (!doc || doc.purpose !== "login")
-            return null;
-        return { userId: doc.userId, purpose: "login", emailOtpHash: doc.emailOtpHash, webauthnChallenge: doc.webauthnChallenge };
-    }
-    // redis
-    const key = `mfachallenge:${getAppName()}:${hash}`;
-    const raw = await getRedis().get(key);
-    if (!raw)
-        return null;
-    await getRedis().del(key);
-    const data = JSON.parse(raw);
-    if (data.purpose !== "login")
-        return null;
-    return { userId: data.userId, purpose: "login", emailOtpHash: data.emailOtpHash, webauthnChallenge: data.webauthnChallenge };
-};
-/**
- * Replace the email OTP hash on an existing challenge without consuming it.
- * Used for the resend flow. Increments resendCount and caps the challenge lifetime.
- * Returns { userId, resendCount } on success, null if challenge not found/expired/max resends reached.
- */
-export const replaceMfaChallengeOtp = async (token, newEmailOtpHash) => {
-    const hash = sha256(token);
-    const ttl = getMfaChallengeTtl();
-    if (_store === "memory") {
-        const entry = _memoryChallenges.get(hash);
-        if (!entry || entry.expiresAt <= Date.now()) {
-            _memoryChallenges.delete(hash);
-            return null;
-        }
-        if (entry.resendCount >= MAX_RESENDS)
-            return null;
-        entry.emailOtpHash = newEmailOtpHash;
-        entry.resendCount++;
-        // Cap lifetime: min(now + ttl, createdAt + ttl * 3)
-        const maxExpiry = entry.createdAt + ttl * 3 * 1000;
-        entry.expiresAt = Math.min(Date.now() + ttl * 1000, maxExpiry);
-        return { userId: entry.userId, resendCount: entry.resendCount };
-    }
-    if (_store === "sqlite") {
-        ensureSqliteMfaTable();
-        const now = Date.now();
-        const existing = _sqliteDb.query("SELECT createdAt, resendCount FROM mfa_challenges WHERE token = ? AND expiresAt > ?").get(hash, now);
-        if (!existing || existing.resendCount >= MAX_RESENDS)
-            return null;
-        const newExpiry = Math.min(now + ttl * 1000, existing.createdAt + ttl * 3 * 1000);
-        const newCount = existing.resendCount + 1;
-        const row = _sqliteDb.query("UPDATE mfa_challenges SET emailOtpHash = ?, resendCount = ?, expiresAt = ? WHERE token = ? RETURNING userId").get(newEmailOtpHash, newCount, newExpiry, hash);
-        return row ? { userId: row.userId, resendCount: newCount } : null;
-    }
-    if (_store === "mongo") {
-        const now = new Date();
-        const existing = await getMfaChallengeModel().findOne({
-            token: hash,
-            expiresAt: { $gt: now },
-            resendCount: { $lt: MAX_RESENDS },
-        });
-        if (!existing)
-            return null;
-        const newCount = existing.resendCount + 1;
-        const newExpiry = new Date(Math.min(Date.now() + ttl * 1000, existing.createdAt.getTime() + ttl * 3 * 1000));
-        existing.emailOtpHash = newEmailOtpHash;
-        existing.resendCount = newCount;
-        existing.expiresAt = newExpiry;
-        await existing.save();
-        return { userId: existing.userId, resendCount: newCount };
-    }
-    // redis
-    const key = `mfachallenge:${getAppName()}:${hash}`;
-    const raw = await getRedis().get(key);
-    if (!raw)
-        return null;
-    const data = JSON.parse(raw);
-    if (data.resendCount >= MAX_RESENDS)
-        return null;
-    data.emailOtpHash = newEmailOtpHash;
-    data.resendCount++;
-    // Cap lifetime
-    const maxExpiry = data.createdAt + ttl * 3 * 1000;
-    const newExpiry = Math.min(Date.now() + ttl * 1000, maxExpiry);
-    const remainingTtl = Math.max(1, Math.ceil((newExpiry - Date.now()) / 1000));
-    await getRedis().set(key, JSON.stringify(data), "EX", remainingTtl);
-    return { userId: data.userId, resendCount: data.resendCount };
-};
-// ---------------------------------------------------------------------------
-// WebAuthn registration challenge helpers
-// ---------------------------------------------------------------------------
-/**
- * Create a WebAuthn registration challenge token. Separate from the login flow —
- * uses `purpose: "webauthn-registration"` so it cannot be consumed by `consumeMfaChallenge`.
- */
-export const createWebAuthnRegistrationChallenge = async (userId, challenge) => {
-    const token = crypto.randomUUID();
-    const hash = sha256(token);
-    const ttl = getMfaChallengeTtl();
-    const now = Date.now();
-    const purpose = "webauthn-registration";
-    if (_store === "memory") {
-        _memoryChallenges.set(hash, { userId, purpose, webauthnChallenge: challenge, createdAt: now, resendCount: 0, expiresAt: now + ttl * 1000 });
-        return token;
-    }
-    if (_store === "sqlite") {
-        ensureSqliteMfaTable();
-        _sqliteDb.run("INSERT INTO mfa_challenges (token, userId, purpose, webauthnChallenge, createdAt, resendCount, expiresAt) VALUES (?, ?, ?, ?, ?, 0, ?)", [hash, userId, purpose, challenge, now, now + ttl * 1000]);
-        return token;
-    }
-    if (_store === "mongo") {
-        await getMfaChallengeModel().create({
-            token: hash,
-            userId,
-            purpose,
-            webauthnChallenge: challenge,
-            createdAt: new Date(now),
-            resendCount: 0,
-            expiresAt: new Date(now + ttl * 1000),
-        });
-        return token;
-    }
-    // redis
-    await getRedis().set(`mfachallenge:${getAppName()}:${hash}`, JSON.stringify({ userId, purpose, webauthnChallenge: challenge, createdAt: now, resendCount: 0 }), "EX", ttl);
-    return token;
-};
-/**
- * Consume a WebAuthn registration challenge token.
- * Only accepts tokens with `purpose: "webauthn-registration"`.
- */
-export const consumeWebAuthnRegistrationChallenge = async (token) => {
-    const hash = sha256(token);
-    if (_store === "memory") {
-        const entry = _memoryChallenges.get(hash);
-        if (!entry || entry.expiresAt <= Date.now()) {
-            _memoryChallenges.delete(hash);
-            return null;
-        }
-        _memoryChallenges.delete(hash);
-        if (entry.purpose !== "webauthn-registration" || !entry.webauthnChallenge)
-            return null;
-        return { userId: entry.userId, challenge: entry.webauthnChallenge };
-    }
-    if (_store === "sqlite") {
-        ensureSqliteMfaTable();
-        const row = _sqliteDb.query("DELETE FROM mfa_challenges WHERE token = ? AND expiresAt > ? RETURNING userId, purpose, webauthnChallenge").get(hash, Date.now());
-        if (!row || row.purpose !== "webauthn-registration" || !row.webauthnChallenge)
-            return null;
-        return { userId: row.userId, challenge: row.webauthnChallenge };
-    }
-    if (_store === "mongo") {
-        const doc = await getMfaChallengeModel().findOneAndDelete({ token: hash, expiresAt: { $gt: new Date() } });
-        if (!doc || doc.purpose !== "webauthn-registration" || !doc.webauthnChallenge)
-            return null;
-        return { userId: doc.userId, challenge: doc.webauthnChallenge };
-    }
-    // redis
-    const key = `mfachallenge:${getAppName()}:${hash}`;
-    const raw = await getRedis().get(key);
-    if (!raw)
-        return null;
-    await getRedis().del(key);
-    const data = JSON.parse(raw);
-    if (data.purpose !== "webauthn-registration" || !data.webauthnChallenge)
-        return null;
-    return { userId: data.userId, challenge: data.webauthnChallenge };
-};

package/dist/lib/mongo.d.ts

@@ -1,39 +0,0 @@
-import type { Connection, Mongoose } from "mongoose";
-type MongooseModule = Mongoose;
-/**
- * Named connection used exclusively for auth data (AuthUser model).
- * Connected via connectAuthMongo() or connectMongo() (backward compat).
- */
-export declare const authConnection: Connection;
-/**
- * Named connection for app/tenant data.
- * Connected via connectAppMongo() or connectMongo() (backward compat).
- * Use this when registering your own models: appConnection.model("Product", schema).
- */
-export declare const appConnection: Connection;
-/**
- * The mongoose instance. Available after connectMongo() / connectAuthMongo() is called.
- */
-export declare const mongoose: MongooseModule;
-/**
- * Connect the auth connection to its dedicated MongoDB server.
- * Uses MONGO_AUTH_USER_*, MONGO_AUTH_PW_*, MONGO_AUTH_HOST_*, MONGO_AUTH_DB_* env vars.
- */
-export declare const connectAuthMongo: () => Promise<void>;
-/**
- * Connect the app connection to its MongoDB server.
- * Uses MONGO_USER_*, MONGO_PW_*, MONGO_HOST_*, MONGO_DB_* env vars.
- */
-export declare const connectAppMongo: () => Promise<void>;
-/**
- * Connect both auth and app connections to the same MongoDB server.
- * Backward-compatible shorthand for single-DB setups.
- * Uses MONGO_USER_*, MONGO_PW_*, MONGO_HOST_*, MONGO_DB_* env vars.
- */
-export declare const connectMongo: () => Promise<void>;
-/**
- * Close both auth and app Mongo connections.
- * Useful for one-off scripts that need a clean exit.
- */
-export declare const disconnectMongo: () => Promise<void>;
-export {};

package/dist/lib/mongo.js

@@ -1,124 +0,0 @@
-import { log } from "./logger";
-const isProd = process.env.NODE_ENV === "production";
-function requireMongoose() {
-    try {
-        // Bun supports require() in ESM; this defers the import to call time
-        // eslint-disable-next-line @typescript-eslint/no-require-imports
-        const mod = require("mongoose");
-        return mod.default ?? mod;
-    }
-    catch {
-        throw new Error("mongoose is not installed. Run: bun add mongoose");
-    }
-}
-function buildUri(user, password, host, db) {
-    const [hostPart, queryPart] = host.split("?");
-    return `mongodb+srv://${user}:${password}@${hostPart.replace(/\/$/, "")}/${db}${queryPart ? `?${queryPart}` : ""}`;
-}
-// Internal mutable references — set inside connect functions
-let _authConn = null;
-let _appConn = null;
-let _mongoose = null;
-function makeConnectionProxy(label, getConn, setConn) {
-    return new Proxy({}, {
-        get(_, prop) {
-            let conn = getConn();
-            if (!conn) {
-                // Lazily create a disconnected connection so appConnection.model() works at module
-                // load time. Mongoose buffers queries until openUri() is called by connectMongo().
-                conn = requireMongoose().createConnection();
-                setConn(conn);
-            }
-            const val = conn[prop];
-            return typeof val === "function" ? val.bind(conn) : val;
-        },
-    });
-}
-/**
- * Named connection used exclusively for auth data (AuthUser model).
- * Connected via connectAuthMongo() or connectMongo() (backward compat).
- */
-export const authConnection = makeConnectionProxy("auth", () => _authConn, (c) => { _authConn = c; });
-/**
- * Named connection for app/tenant data.
- * Connected via connectAppMongo() or connectMongo() (backward compat).
- * Use this when registering your own models: appConnection.model("Product", schema).
- */
-export const appConnection = makeConnectionProxy("app", () => _appConn, (c) => { _appConn = c; });
-/**
- * The mongoose instance. Available after connectMongo() / connectAuthMongo() is called.
- */
-export const mongoose = new Proxy({}, {
-    get(_, prop) {
-        const mg = _mongoose ?? requireMongoose();
-        return mg[prop];
-    },
-});
-/**
- * Connect the auth connection to its dedicated MongoDB server.
- * Uses MONGO_AUTH_USER_*, MONGO_AUTH_PW_*, MONGO_AUTH_HOST_*, MONGO_AUTH_DB_* env vars.
- */
-export const connectAuthMongo = async () => {
-    const mg = requireMongoose();
-    _mongoose = mg;
-    if (!_authConn)
-        _authConn = mg.createConnection();
-    const user = isProd ? process.env.MONGO_AUTH_USER_PROD : process.env.MONGO_AUTH_USER_DEV;
-    const password = isProd ? process.env.MONGO_AUTH_PW_PROD : process.env.MONGO_AUTH_PW_DEV;
-    const host = isProd ? process.env.MONGO_AUTH_HOST_PROD : process.env.MONGO_AUTH_HOST_DEV;
-    const db = isProd ? process.env.MONGO_AUTH_DB_PROD : process.env.MONGO_AUTH_DB_DEV;
-    const uri = buildUri(user, password, host, db);
-    await _authConn.openUri(uri);
-    log(`[mongo] auth connected to ${host} as ${user}`);
-};
-/**
- * Connect the app connection to its MongoDB server.
- * Uses MONGO_USER_*, MONGO_PW_*, MONGO_HOST_*, MONGO_DB_* env vars.
- */
-export const connectAppMongo = async () => {
-    const mg = requireMongoose();
-    _mongoose = mg;
-    if (!_appConn)
-        _appConn = mg.createConnection();
-    const user = isProd ? process.env.MONGO_USER_PROD : process.env.MONGO_USER_DEV;
-    const password = isProd ? process.env.MONGO_PW_PROD : process.env.MONGO_PW_DEV;
-    const host = isProd ? process.env.MONGO_HOST_PROD : process.env.MONGO_HOST_DEV;
-    const db = isProd ? process.env.MONGO_DB_PROD : process.env.MONGO_DB_DEV;
-    const uri = buildUri(user, password, host, db);
-    await _appConn.openUri(uri);
-    log(`[mongo] app connected to ${host} as ${user}`);
-};
-/**
- * Connect both auth and app connections to the same MongoDB server.
- * Backward-compatible shorthand for single-DB setups.
- * Uses MONGO_USER_*, MONGO_PW_*, MONGO_HOST_*, MONGO_DB_* env vars.
- */
-export const connectMongo = async () => {
-    const mg = requireMongoose();
-    _mongoose = mg;
-    if (!_authConn)
-        _authConn = mg.createConnection();
-    if (!_appConn)
-        _appConn = mg.createConnection();
-    const user = isProd ? process.env.MONGO_USER_PROD : process.env.MONGO_USER_DEV;
-    const password = isProd ? process.env.MONGO_PW_PROD : process.env.MONGO_PW_DEV;
-    const host = isProd ? process.env.MONGO_HOST_PROD : process.env.MONGO_HOST_DEV;
-    const db = isProd ? process.env.MONGO_DB_PROD : process.env.MONGO_DB_DEV;
-    const uri = buildUri(user, password, host, db);
-    await Promise.all([
-        _authConn.openUri(uri),
-        _appConn.openUri(uri),
-    ]);
-    log(`[mongo] connected to ${host} as ${user}`);
-};
-/**
- * Close both auth and app Mongo connections.
- * Useful for one-off scripts that need a clean exit.
- */
-export const disconnectMongo = async () => {
-    await Promise.all([
-        _authConn && _authConn.readyState !== 0 ? _authConn.close() : Promise.resolve(),
-        _appConn && _appConn.readyState !== 0 ? _appConn.close() : Promise.resolve(),
-    ]);
-    log("[mongo] disconnected");
-};

package/dist/lib/oauth.d.ts

@@ -1,40 +0,0 @@
-import { Google, Apple, MicrosoftEntraId, GitHub, generateState, generateCodeVerifier } from "arctic";
-export type OAuthProviderConfig = {
-    google?: {
-        clientId: string;
-        clientSecret: string;
-        redirectUri: string;
-    };
-    apple?: {
-        clientId: string;
-        teamId: string;
-        keyId: string;
-        privateKey: string;
-        redirectUri: string;
-    };
-    microsoft?: {
-        tenantId: string;
-        clientId: string;
-        clientSecret: string;
-        redirectUri: string;
-    };
-    github?: {
-        clientId: string;
-        clientSecret: string;
-        redirectUri: string;
-    };
-};
-export declare const initOAuthProviders: (config: OAuthProviderConfig) => void;
-export declare const getGoogle: () => Google;
-export declare const getApple: () => Apple;
-export declare const getMicrosoft: () => MicrosoftEntraId;
-export declare const getGitHub: () => GitHub;
-export declare const getConfiguredOAuthProviders: () => string[];
-type OAuthStateStore = "redis" | "mongo" | "sqlite" | "memory";
-export declare const setOAuthStateStore: (store: OAuthStateStore) => void;
-export declare const storeOAuthState: (state: string, codeVerifier?: string, linkUserId?: string) => Promise<void>;
-export declare const consumeOAuthState: (state: string) => Promise<{
-    codeVerifier?: string;
-    linkUserId?: string;
-} | null>;
-export { generateState, generateCodeVerifier };

package/dist/lib/oauth.js

@@ -1,101 +0,0 @@
-import { Google, Apple, MicrosoftEntraId, GitHub, generateState, generateCodeVerifier } from "arctic";
-import { getRedis } from "./redis";
-import { appConnection, mongoose } from "./mongo";
-import { getAppName } from "./appConfig";
-import { sqliteStoreOAuthState, sqliteConsumeOAuthState } from "../adapters/sqliteAuth";
-import { memoryStoreOAuthState, memoryConsumeOAuthState } from "../adapters/memoryAuth";
-let _providers = {};
-export const initOAuthProviders = (config) => {
-    if (config.google) {
-        const { clientId, clientSecret, redirectUri } = config.google;
-        _providers.google = new Google(clientId, clientSecret, redirectUri);
-    }
-    if (config.apple) {
-        const { clientId, teamId, keyId, privateKey, redirectUri } = config.apple;
-        _providers.apple = new Apple(clientId, teamId, keyId, new TextEncoder().encode(privateKey), redirectUri);
-    }
-    if (config.microsoft) {
-        const { tenantId, clientId, clientSecret, redirectUri } = config.microsoft;
-        _providers.microsoft = new MicrosoftEntraId(tenantId, clientId, clientSecret, redirectUri);
-    }
-    if (config.github) {
-        const { clientId, clientSecret, redirectUri } = config.github;
-        _providers.github = new GitHub(clientId, clientSecret, redirectUri);
-    }
-};
-export const getGoogle = () => {
-    if (!_providers.google)
-        throw new Error("Google OAuth not configured");
-    return _providers.google;
-};
-export const getApple = () => {
-    if (!_providers.apple)
-        throw new Error("Apple OAuth not configured");
-    return _providers.apple;
-};
-export const getMicrosoft = () => {
-    if (!_providers.microsoft)
-        throw new Error("Microsoft Entra ID OAuth not configured");
-    return _providers.microsoft;
-};
-export const getGitHub = () => {
-    if (!_providers.github)
-        throw new Error("GitHub OAuth not configured");
-    return _providers.github;
-};
-export const getConfiguredOAuthProviders = () => Object.entries(_providers)
-    .filter(([, v]) => v != null)
-    .map(([k]) => k);
-function getOAuthStateModel() {
-    if (appConnection.models["OAuthState"])
-        return appConnection.models["OAuthState"];
-    const { Schema } = mongoose;
-    const oauthStateSchema = new Schema({
-        state: { type: String, required: true, unique: true },
-        codeVerifier: { type: String },
-        linkUserId: { type: String },
-        expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
-    }, { collection: "oauth_states" });
-    return appConnection.model("OAuthState", oauthStateSchema);
-}
-let _oauthStore = "redis";
-export const setOAuthStateStore = (store) => { _oauthStore = store; };
-// ---------------------------------------------------------------------------
-// State helpers
-// ---------------------------------------------------------------------------
-const STATE_TTL = 300; // 5 minutes
-export const storeOAuthState = async (state, codeVerifier, linkUserId) => {
-    if (_oauthStore === "memory") {
-        memoryStoreOAuthState(state, codeVerifier, linkUserId);
-        return;
-    }
-    if (_oauthStore === "sqlite") {
-        sqliteStoreOAuthState(state, codeVerifier, linkUserId);
-        return;
-    }
-    if (_oauthStore === "mongo") {
-        const expiresAt = new Date(Date.now() + STATE_TTL * 1000);
-        await getOAuthStateModel().create({ state, codeVerifier, linkUserId, expiresAt });
-        return;
-    }
-    await getRedis().set(`oauth:${getAppName()}:state:${state}`, JSON.stringify({ codeVerifier, linkUserId }), "EX", STATE_TTL);
-};
-export const consumeOAuthState = async (state) => {
-    if (_oauthStore === "memory")
-        return memoryConsumeOAuthState(state);
-    if (_oauthStore === "sqlite")
-        return sqliteConsumeOAuthState(state);
-    if (_oauthStore === "mongo") {
-        const doc = await getOAuthStateModel()
-            .findOneAndDelete({ state, expiresAt: { $gt: new Date() } })
-            .lean();
-        return doc ? { codeVerifier: doc.codeVerifier, linkUserId: doc.linkUserId } : null;
-    }
-    const key = `oauth:${getAppName()}:state:${state}`;
-    const value = await getRedis().get(key);
-    if (!value)
-        return null;
-    await getRedis().del(key);
-    return JSON.parse(value);
-};
-export { generateState, generateCodeVerifier };

package/dist/lib/oauthCode.d.ts

@@ -1,15 +0,0 @@
-type OAuthCodeStore = "redis" | "mongo" | "sqlite" | "memory";
-export declare const setOAuthCodeStore: (store: OAuthCodeStore) => void;
-export interface OAuthCodePayload {
-    token: string;
-    userId: string;
-    email?: string;
-    refreshToken?: string;
-}
-/** Store a one-time authorization code. Returns the raw code (for the redirect URL).
- *  Only the SHA-256 hash is persisted. */
-export declare const storeOAuthCode: (payload: OAuthCodePayload) => Promise<string>;
-/** Atomically consume an authorization code — returns its payload and deletes it.
- *  Returns null if invalid, expired, or already used. */
-export declare const consumeOAuthCode: (code: string) => Promise<OAuthCodePayload | null>;
-export {};