@lastshotlabs/bunshot 0.0.27 → 0.0.28

package/dist/packages/bunshot-auth/src/lib/magicLink.js

@@ -0,0 +1,145 @@
+import { DEFAULT_MAX_ENTRIES, evictExpired, evictOldest, sha256 } from '../../../bunshot-core/src/index.js';
+export function createMemoryMagicLinkRepository() {
+    const tokens = new Map();
+    return {
+        async store(hash, userId, ttl) {
+            evictExpired(tokens);
+            evictOldest(tokens, DEFAULT_MAX_ENTRIES);
+            tokens.set(hash, { userId, expiresAt: Date.now() + ttl * 1000 });
+        },
+        async consume(hash) {
+            const entry = tokens.get(hash);
+            if (!entry || entry.expiresAt <= Date.now()) {
+                tokens.delete(hash);
+                return null;
+            }
+            tokens.delete(hash);
+            return entry.userId;
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// SQLite repository factory
+// ---------------------------------------------------------------------------
+export function createSqliteMagicLinkRepository(db) {
+    let initialized = false;
+    function init() {
+        if (initialized)
+            return;
+        db.run(`CREATE TABLE IF NOT EXISTS auth_magic_links (
+      tokenHash TEXT PRIMARY KEY,
+      userId    TEXT NOT NULL,
+      expiresAt INTEGER NOT NULL
+    )`);
+        db.run('CREATE INDEX IF NOT EXISTS idx_auth_magic_links_expiresAt ON auth_magic_links(expiresAt)');
+        initialized = true;
+    }
+    return {
+        async store(hash, userId, ttl) {
+            init();
+            const expiresAt = Date.now() + ttl * 1000;
+            db.run(`INSERT INTO auth_magic_links (tokenHash, userId, expiresAt)
+         VALUES (?, ?, ?)
+         ON CONFLICT(tokenHash) DO UPDATE SET userId = excluded.userId, expiresAt = excluded.expiresAt`, [hash, userId, expiresAt]);
+        },
+        async consume(hash) {
+            init();
+            const now = Date.now();
+            const row = db
+                .query('SELECT userId FROM auth_magic_links WHERE tokenHash = ? AND expiresAt > ?')
+                .get(hash, now);
+            db.run('DELETE FROM auth_magic_links WHERE tokenHash = ?', [hash]);
+            if (!row)
+                return null;
+            return row.userId;
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// Redis repository factory
+// ---------------------------------------------------------------------------
+/** Atomically GET+DEL a key. Uses native GETDEL (Redis >= 6.2) with a Lua fallback. */
+async function redisGetDel(redis, key) {
+    if (typeof redis.getdel === 'function') {
+        try {
+            return await redis.getdel(key);
+        }
+        catch (err) {
+            const msg = err?.message ?? '';
+            if (!/unknown command|ERR unknown command/i.test(msg))
+                throw err;
+        }
+    }
+    const result = await redis.eval("local v = redis.call('GET', KEYS[1])\nif v then redis.call('DEL', KEYS[1]) end\nreturn v", 1, key);
+    return result ?? null;
+}
+export function createRedisMagicLinkRepository(getRedis, appName) {
+    return {
+        async store(hash, userId, ttl) {
+            await getRedis().set(`magiclink:${appName}:${hash}`, userId, 'EX', ttl);
+        },
+        async consume(hash) {
+            const userId = await redisGetDel(getRedis(), `magiclink:${appName}:${hash}`);
+            return userId ?? null;
+        },
+    };
+}
+export function createMongoMagicLinkRepository(conn, mg) {
+    function getModel() {
+        if (conn.models['MagicLink'])
+            return conn.models['MagicLink'];
+        const { Schema } = mg;
+        const magicLinkSchema = new Schema({
+            token: { type: String, required: true, unique: true },
+            userId: { type: String, required: true },
+            expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
+        }, { collection: 'magic_links' });
+        return conn.model('MagicLink', magicLinkSchema);
+    }
+    return {
+        async store(hash, userId, ttl) {
+            await getModel().create({
+                token: hash,
+                userId,
+                expiresAt: new Date(Date.now() + ttl * 1000),
+            });
+        },
+        async consume(hash) {
+            const doc = await getModel()
+                .findOneAndDelete({ token: hash, expiresAt: { $gt: new Date() } })
+                .lean();
+            if (!doc)
+                return null;
+            return doc.userId;
+        },
+    };
+}
+export const magicLinkFactories = {
+    memory: () => createMemoryMagicLinkRepository(),
+    sqlite: infra => createSqliteMagicLinkRepository(infra.getSqliteDb()),
+    redis: infra => createRedisMagicLinkRepository(infra.getRedis, infra.appName),
+    mongo: infra => {
+        const { conn, mg } = infra.getMongo();
+        return createMongoMagicLinkRepository(conn, mg);
+    },
+    postgres: () => {
+        throw new Error('[bunshot-auth] postgres store is not yet supported for magicLink repository');
+    },
+};
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+const DEFAULT_MAGIC_LINK_TTL = 60 * 15; // 15 minutes
+export const createMagicLinkToken = async (repo, userId, ttlSeconds) => {
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    const token = Buffer.from(bytes).toString('base64url');
+    const hash = sha256(token);
+    const ttl = ttlSeconds ?? DEFAULT_MAGIC_LINK_TTL;
+    await repo.store(hash, userId, ttl);
+    return token;
+};
+export const consumeMagicLinkToken = async (repo, token) => {
+    const hash = sha256(token);
+    return repo.consume(hash);
+};

package/dist/packages/bunshot-auth/src/lib/mfaChallenge.d.ts

@@ -0,0 +1,60 @@
+import type { RepoFactories } from '../../../bunshot-core/src/index.js';
+import type { AuthResolvedConfig } from '../config/authConfig';
+import type { RedisLike } from '../types/redis';
+export type MfaChallengePurpose = 'login' | 'webauthn-registration' | 'passkey-login' | 'reauth';
+export interface MfaChallengeOptions {
+    emailOtpHash?: string;
+    webauthnChallenge?: string;
+}
+export interface ReauthChallengeOptions {
+    emailOtpHash?: string;
+    webauthnChallenge?: string;
+    ttlSeconds?: number;
+}
+export interface MfaChallengeData {
+    userId: string;
+    purpose: MfaChallengePurpose;
+    emailOtpHash?: string;
+    webauthnChallenge?: string;
+    sessionId?: string;
+}
+interface MfaChallengeRecord {
+    userId: string;
+    purpose: MfaChallengePurpose;
+    emailOtpHash?: string;
+    webauthnChallenge?: string;
+    sessionId?: string;
+    createdAt: number;
+    resendCount: number;
+}
+export interface IMfaChallengeRepository {
+    createChallenge(hash: string, data: MfaChallengeRecord, ttl: number): Promise<void>;
+    consumeChallenge(hash: string): Promise<MfaChallengeRecord | null>;
+    replaceOtp(hash: string, newOtpHash: string, ttl: number, maxResends: number): Promise<{
+        userId: string;
+        resendCount: number;
+    } | null>;
+}
+export declare function createMemoryMfaChallengeRepository(): IMfaChallengeRepository;
+export declare function createSqliteMfaChallengeRepository(db: import('bun:sqlite').Database): IMfaChallengeRepository;
+export declare function createRedisMfaChallengeRepository(getRedis: () => RedisLike, appName: string): IMfaChallengeRepository;
+export declare function createMongoMfaChallengeRepository(conn: import('mongoose').Connection, mg: typeof import('mongoose')): IMfaChallengeRepository;
+export declare const mfaChallengeFactories: RepoFactories<IMfaChallengeRepository>;
+export declare const createMfaChallenge: (repo: IMfaChallengeRepository, userId: string, options?: MfaChallengeOptions, config?: AuthResolvedConfig) => Promise<string>;
+export declare const consumeMfaChallenge: (repo: IMfaChallengeRepository, token: string) => Promise<MfaChallengeData | null>;
+export declare const replaceMfaChallengeOtp: (repo: IMfaChallengeRepository, token: string, newEmailOtpHash: string, config?: AuthResolvedConfig) => Promise<{
+    userId: string;
+    resendCount: number;
+} | null>;
+export declare const createWebAuthnRegistrationChallenge: (repo: IMfaChallengeRepository, userId: string, challenge: string, config?: AuthResolvedConfig) => Promise<string>;
+export declare const consumeWebAuthnRegistrationChallenge: (repo: IMfaChallengeRepository, token: string) => Promise<{
+    userId: string;
+    challenge: string;
+} | null>;
+export declare const createPasskeyLoginChallenge: (repo: IMfaChallengeRepository, challenge: string) => Promise<string>;
+export declare const consumePasskeyLoginChallenge: (repo: IMfaChallengeRepository, token: string) => Promise<{
+    webauthnChallenge: string;
+} | null>;
+export declare const createReauthChallenge: (repo: IMfaChallengeRepository, userId: string, sessionId: string, options?: ReauthChallengeOptions, config?: AuthResolvedConfig) => Promise<string>;
+export declare const consumeReauthChallenge: (repo: IMfaChallengeRepository, token: string, sessionId: string) => Promise<MfaChallengeData | null>;
+export {};

package/dist/packages/bunshot-auth/src/lib/mfaChallenge.js

@@ -0,0 +1,419 @@
+import { DEFAULT_MAX_ENTRIES, evictExpired, evictOldest, sha256, timingSafeEqual, } from '../../../bunshot-core/src/index.js';
+const MAX_RESENDS = 3;
+// ---------------------------------------------------------------------------
+// Memory repository factory
+// ---------------------------------------------------------------------------
+export function createMemoryMfaChallengeRepository() {
+    const challenges = new Map();
+    return {
+        async createChallenge(hash, data, ttl) {
+            evictExpired(challenges);
+            evictOldest(challenges, DEFAULT_MAX_ENTRIES);
+            challenges.set(hash, { ...data, expiresAt: Date.now() + ttl * 1000 });
+        },
+        async consumeChallenge(hash) {
+            const entry = challenges.get(hash);
+            if (!entry || entry.expiresAt <= Date.now()) {
+                challenges.delete(hash);
+                return null;
+            }
+            challenges.delete(hash);
+            return {
+                userId: entry.userId,
+                purpose: entry.purpose,
+                emailOtpHash: entry.emailOtpHash,
+                webauthnChallenge: entry.webauthnChallenge,
+                sessionId: entry.sessionId,
+                createdAt: entry.createdAt,
+                resendCount: entry.resendCount,
+            };
+        },
+        async replaceOtp(hash, newOtpHash, ttl, maxResends) {
+            const entry = challenges.get(hash);
+            if (!entry || entry.expiresAt <= Date.now()) {
+                challenges.delete(hash);
+                return null;
+            }
+            if (entry.resendCount >= maxResends)
+                return null;
+            entry.emailOtpHash = newOtpHash;
+            entry.resendCount++;
+            const maxExpiry = entry.createdAt + ttl * 3 * 1000;
+            entry.expiresAt = Math.min(Date.now() + ttl * 1000, maxExpiry);
+            return { userId: entry.userId, resendCount: entry.resendCount };
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// SQLite repository factory
+// ---------------------------------------------------------------------------
+export function createSqliteMfaChallengeRepository(db) {
+    let tableCreated = false;
+    function ensureTable() {
+        if (tableCreated || !db)
+            return;
+        db.run(`CREATE TABLE IF NOT EXISTS mfa_challenges (
+      token             TEXT PRIMARY KEY,
+      userId            TEXT NOT NULL,
+      purpose           TEXT NOT NULL DEFAULT 'login',
+      emailOtpHash      TEXT,
+      webauthnChallenge TEXT,
+      sessionId         TEXT,
+      createdAt         INTEGER NOT NULL,
+      resendCount       INTEGER NOT NULL DEFAULT 0,
+      expiresAt         INTEGER NOT NULL
+    )`);
+        // Migrate pre-existing tables that lack newer columns
+        try {
+            db.run('ALTER TABLE mfa_challenges ADD COLUMN emailOtpHash TEXT');
+        }
+        catch {
+            /* already exists */
+        }
+        try {
+            db.run('ALTER TABLE mfa_challenges ADD COLUMN createdAt INTEGER NOT NULL DEFAULT 0');
+        }
+        catch {
+            /* already exists */
+        }
+        try {
+            db.run('ALTER TABLE mfa_challenges ADD COLUMN resendCount INTEGER NOT NULL DEFAULT 0');
+        }
+        catch {
+            /* already exists */
+        }
+        try {
+            db.run("ALTER TABLE mfa_challenges ADD COLUMN purpose TEXT NOT NULL DEFAULT 'login'");
+        }
+        catch {
+            /* already exists */
+        }
+        try {
+            db.run('ALTER TABLE mfa_challenges ADD COLUMN webauthnChallenge TEXT');
+        }
+        catch {
+            /* already exists */
+        }
+        try {
+            db.run('ALTER TABLE mfa_challenges ADD COLUMN sessionId TEXT');
+        }
+        catch {
+            /* already exists */
+        }
+        tableCreated = true;
+    }
+    return {
+        async createChallenge(hash, data, ttl) {
+            ensureTable();
+            const now = Date.now();
+            db.run('INSERT INTO mfa_challenges (token, userId, purpose, emailOtpHash, webauthnChallenge, sessionId, createdAt, resendCount, expiresAt) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)', [
+                hash,
+                data.userId,
+                data.purpose,
+                data.emailOtpHash ?? null,
+                data.webauthnChallenge ?? null,
+                data.sessionId ?? null,
+                data.createdAt,
+                data.resendCount,
+                now + ttl * 1000,
+            ]);
+        },
+        async consumeChallenge(hash) {
+            ensureTable();
+            const row = db
+                .query('DELETE FROM mfa_challenges WHERE token = ? AND expiresAt > ? RETURNING userId, purpose, emailOtpHash, webauthnChallenge, sessionId, createdAt, resendCount')
+                .get(hash, Date.now());
+            if (!row)
+                return null;
+            return {
+                userId: row.userId,
+                purpose: row.purpose,
+                emailOtpHash: row.emailOtpHash ?? undefined,
+                webauthnChallenge: row.webauthnChallenge ?? undefined,
+                sessionId: row.sessionId ?? undefined,
+                createdAt: row.createdAt,
+                resendCount: row.resendCount,
+            };
+        },
+        async replaceOtp(hash, newOtpHash, ttl, maxResends) {
+            ensureTable();
+            const now = Date.now();
+            const existing = db
+                .query('SELECT createdAt, resendCount FROM mfa_challenges WHERE token = ? AND expiresAt > ?')
+                .get(hash, now);
+            if (!existing || existing.resendCount >= maxResends)
+                return null;
+            const newExpiry = Math.min(now + ttl * 1000, existing.createdAt + ttl * 3 * 1000);
+            const newCount = existing.resendCount + 1;
+            const row = db
+                .query('UPDATE mfa_challenges SET emailOtpHash = ?, resendCount = ?, expiresAt = ? WHERE token = ? RETURNING userId')
+                .get(newOtpHash, newCount, newExpiry, hash);
+            return row ? { userId: row.userId, resendCount: newCount } : null;
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// Redis repository factory
+// ---------------------------------------------------------------------------
+/** Atomically GET+DEL a key. Uses native GETDEL (Redis >= 6.2) with a Lua fallback. */
+async function redisGetDel(redis, key) {
+    if (typeof redis.getdel === 'function') {
+        try {
+            return await redis.getdel(key);
+        }
+        catch (err) {
+            const msg = err?.message ?? '';
+            if (!/unknown command|ERR unknown command/i.test(msg))
+                throw err;
+            // Fall through to Lua on "unknown command"
+        }
+    }
+    const result = await redis.eval("local v = redis.call('GET', KEYS[1])\nif v then redis.call('DEL', KEYS[1]) end\nreturn v", 1, key);
+    return result ?? null;
+}
+export function createRedisMfaChallengeRepository(getRedis, appName) {
+    return {
+        async createChallenge(hash, data, ttl) {
+            const redis = getRedis();
+            await redis.set(`mfachallenge:${appName}:${hash}`, JSON.stringify(data), 'EX', ttl);
+        },
+        async consumeChallenge(hash) {
+            const redis = getRedis();
+            const key = `mfachallenge:${appName}:${hash}`;
+            const raw = await redisGetDel(redis, key);
+            if (!raw)
+                return null;
+            return JSON.parse(raw);
+        },
+        async replaceOtp(hash, newOtpHash, ttl, maxResends) {
+            const redis = getRedis();
+            const key = `mfachallenge:${appName}:${hash}`;
+            const now = Date.now();
+            const luaScript = `
+local raw = redis.call('GET', KEYS[1])
+if not raw then return nil end
+local data = cjson.decode(raw)
+if data.resendCount >= tonumber(ARGV[1]) then return nil end
+data.emailOtpHash = ARGV[2]
+data.resendCount = data.resendCount + 1
+local maxExpiry = data.createdAt + tonumber(ARGV[3]) * 3 * 1000
+local nowTtl = tonumber(ARGV[4]) + tonumber(ARGV[3]) * 1000
+local newExpiry = math.min(nowTtl, maxExpiry)
+local remainingTtl = math.max(1, math.ceil((newExpiry - tonumber(ARGV[4])) / 1000))
+redis.call('SET', KEYS[1], cjson.encode(data), 'EX', remainingTtl)
+return cjson.encode({ userId = data.userId, resendCount = data.resendCount })
+`;
+            const result = (await redis.eval(luaScript, 1, key, maxResends, newOtpHash, ttl, now));
+            if (!result)
+                return null;
+            return JSON.parse(result);
+        },
+    };
+}
+export function createMongoMfaChallengeRepository(conn, mg) {
+    function getModel() {
+        if (conn.models['MfaChallenge'])
+            return conn.models['MfaChallenge'];
+        const { Schema } = mg;
+        const schema = new Schema({
+            token: { type: String, required: true, unique: true },
+            userId: { type: String, required: true },
+            purpose: { type: String, required: true, default: 'login' },
+            emailOtpHash: { type: String },
+            webauthnChallenge: { type: String },
+            sessionId: { type: String },
+            createdAt: { type: Date, required: true },
+            resendCount: { type: Number, required: true, default: 0 },
+            expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
+        }, { collection: 'mfa_challenges' });
+        return conn.model('MfaChallenge', schema);
+    }
+    return {
+        async createChallenge(hash, data, ttl) {
+            await getModel().create({
+                token: hash,
+                userId: data.userId,
+                purpose: data.purpose,
+                emailOtpHash: data.emailOtpHash,
+                webauthnChallenge: data.webauthnChallenge,
+                sessionId: data.sessionId,
+                createdAt: new Date(data.createdAt),
+                resendCount: data.resendCount,
+                expiresAt: new Date(data.createdAt + ttl * 1000),
+            });
+        },
+        async consumeChallenge(hash) {
+            const doc = await getModel().findOneAndDelete({
+                token: hash,
+                expiresAt: { $gt: new Date() },
+            });
+            if (!doc)
+                return null;
+            return {
+                userId: doc.userId,
+                purpose: doc.purpose,
+                emailOtpHash: doc.emailOtpHash,
+                webauthnChallenge: doc.webauthnChallenge,
+                sessionId: doc.sessionId,
+                createdAt: doc.createdAt.getTime(),
+                resendCount: doc.resendCount,
+            };
+        },
+        async replaceOtp(hash, newOtpHash, ttl, maxResends) {
+            const now = new Date();
+            const nowMs = now.getTime();
+            const doc = await getModel().findOneAndUpdate({
+                token: hash,
+                expiresAt: { $gt: now },
+                resendCount: { $lt: maxResends },
+            }, [
+                {
+                    $set: {
+                        emailOtpHash: newOtpHash,
+                        resendCount: { $add: ['$resendCount', 1] },
+                        expiresAt: {
+                            $min: [new Date(nowMs + ttl * 1000), { $add: ['$createdAt', ttl * 3 * 1000] }],
+                        },
+                    },
+                },
+            ], { new: true, updatePipeline: true });
+            if (!doc)
+                return null;
+            return { userId: doc.userId, resendCount: doc.resendCount };
+        },
+    };
+}
+export const mfaChallengeFactories = {
+    memory: () => createMemoryMfaChallengeRepository(),
+    sqlite: infra => createSqliteMfaChallengeRepository(infra.getSqliteDb()),
+    redis: infra => createRedisMfaChallengeRepository(infra.getRedis, infra.appName),
+    mongo: infra => {
+        const { conn, mg } = infra.getMongo();
+        return createMongoMfaChallengeRepository(conn, mg);
+    },
+    postgres: () => {
+        throw new Error('[bunshot-auth] postgres store is not yet supported for mfaChallenge repository');
+    },
+};
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+export const createMfaChallenge = async (repo, userId, options, config) => {
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    const token = Buffer.from(bytes).toString('base64url');
+    const hash = sha256(token);
+    const ttl = config?.mfa?.challengeTtlSeconds ?? 300;
+    const now = Date.now();
+    await repo.createChallenge(hash, {
+        userId,
+        purpose: 'login',
+        emailOtpHash: options?.emailOtpHash,
+        webauthnChallenge: options?.webauthnChallenge,
+        createdAt: now,
+        resendCount: 0,
+    }, ttl);
+    return token;
+};
+export const consumeMfaChallenge = async (repo, token) => {
+    const hash = sha256(token);
+    const record = await repo.consumeChallenge(hash);
+    if (!record || record.purpose !== 'login')
+        return null;
+    return {
+        userId: record.userId,
+        purpose: record.purpose,
+        emailOtpHash: record.emailOtpHash,
+        webauthnChallenge: record.webauthnChallenge,
+    };
+};
+export const replaceMfaChallengeOtp = async (repo, token, newEmailOtpHash, config) => {
+    const hash = sha256(token);
+    const ttl = config?.mfa?.challengeTtlSeconds ?? 300;
+    return repo.replaceOtp(hash, newEmailOtpHash, ttl, MAX_RESENDS);
+};
+// ---------------------------------------------------------------------------
+// WebAuthn registration challenge helpers
+// ---------------------------------------------------------------------------
+export const createWebAuthnRegistrationChallenge = async (repo, userId, challenge, config) => {
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    const token = Buffer.from(bytes).toString('base64url');
+    const hash = sha256(token);
+    const ttl = config?.mfa?.challengeTtlSeconds ?? 300;
+    await repo.createChallenge(hash, {
+        userId,
+        purpose: 'webauthn-registration',
+        webauthnChallenge: challenge,
+        createdAt: Date.now(),
+        resendCount: 0,
+    }, ttl);
+    return token;
+};
+export const consumeWebAuthnRegistrationChallenge = async (repo, token) => {
+    const hash = sha256(token);
+    const record = await repo.consumeChallenge(hash);
+    if (!record || record.purpose !== 'webauthn-registration' || !record.webauthnChallenge)
+        return null;
+    return { userId: record.userId, challenge: record.webauthnChallenge };
+};
+// ---------------------------------------------------------------------------
+// Passkey login challenge helpers
+// ---------------------------------------------------------------------------
+const PASSKEY_LOGIN_CHALLENGE_TTL = 120;
+export const createPasskeyLoginChallenge = async (repo, challenge) => {
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    const token = Buffer.from(bytes).toString('base64url');
+    const hash = sha256(token);
+    await repo.createChallenge(hash, {
+        userId: '',
+        purpose: 'passkey-login',
+        webauthnChallenge: challenge,
+        createdAt: Date.now(),
+        resendCount: 0,
+    }, PASSKEY_LOGIN_CHALLENGE_TTL);
+    return token;
+};
+export const consumePasskeyLoginChallenge = async (repo, token) => {
+    const hash = sha256(token);
+    const record = await repo.consumeChallenge(hash);
+    if (!record || record.purpose !== 'passkey-login' || !record.webauthnChallenge)
+        return null;
+    return { webauthnChallenge: record.webauthnChallenge };
+};
+// ---------------------------------------------------------------------------
+// Reauth challenge helpers
+// ---------------------------------------------------------------------------
+export const createReauthChallenge = async (repo, userId, sessionId, options, config) => {
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    const token = Buffer.from(bytes).toString('base64url');
+    const hash = sha256(token);
+    const ttl = options?.ttlSeconds ?? config?.mfa?.challengeTtlSeconds ?? 300;
+    await repo.createChallenge(hash, {
+        userId,
+        purpose: 'reauth',
+        emailOtpHash: options?.emailOtpHash,
+        webauthnChallenge: options?.webauthnChallenge,
+        sessionId,
+        createdAt: Date.now(),
+        resendCount: 0,
+    }, ttl);
+    return token;
+};
+export const consumeReauthChallenge = async (repo, token, sessionId) => {
+    const hash = sha256(token);
+    const record = await repo.consumeChallenge(hash);
+    if (!record || record.purpose !== 'reauth')
+        return null;
+    if (!record.sessionId || !timingSafeEqual(record.sessionId, sessionId))
+        return null;
+    return {
+        userId: record.userId,
+        purpose: record.purpose,
+        emailOtpHash: record.emailOtpHash,
+        webauthnChallenge: record.webauthnChallenge,
+        sessionId: record.sessionId,
+    };
+};