@lastshotlabs/bunshot 0.0.27 → 0.0.28

package/dist/adapters/memoryAuth.js

@@ -1,749 +0,0 @@
-import { HttpError } from "../lib/HttpError";
-import { getPersistSessionMetadata, getIncludeInactiveSessions } from "../lib/appConfig";
-import { clearMemoryRateLimitStore } from "../lib/authRateLimit";
-import { clearMemoryMfaChallenges } from "../lib/mfaChallenge";
-import { clearAuditLogMemoryStore } from "../lib/auditLog";
-import { clearPresenceStore } from "../lib/wsPresence";
-import { clearWsMessageMemoryStore } from "../lib/wsMessages";
-import { clearHeartbeatState } from "../lib/wsHeartbeat";
-import { clearMemoryUploadStore } from "./memoryStorage";
-import { clearUploadRegistry } from "../lib/uploadRegistry";
-const _users = new Map();
-const _byEmail = new Map();
-const _sessions = new Map(); // sessionId → session
-const _userSessionIds = new Map(); // userId → Set<sessionId>
-const _refreshTokenIndex = new Map(); // refreshToken → sessionId
-const _oauthStates = new Map();
-const _cache = new Map();
-const _verificationTokens = new Map();
-const _resetTokens = new Map();
-const _cancelTokens = new Map();
-const _oauthCodes = new Map();
-const _tenantRoles = new Map(); // "userId:tenantId" → roles
-const _groups = new Map(); // groupId → GroupRecord
-const _groupMemberships = new Map();
-const _m2mClients = new Map();
-/** Reset all in-memory state. Useful for test isolation. */
-export const clearMemoryStore = () => {
-    _users.clear();
-    _byEmail.clear();
-    _sessions.clear();
-    _userSessionIds.clear();
-    _refreshTokenIndex.clear();
-    _tenantRoles.clear();
-    _groups.clear();
-    _groupMemberships.clear();
-    _oauthStates.clear();
-    _oauthCodes.clear();
-    _cache.clear();
-    _verificationTokens.clear();
-    _resetTokens.clear();
-    _cancelTokens.clear();
-    _m2mClients.clear();
-    clearMemoryRateLimitStore();
-    clearMemoryMfaChallenges();
-    clearAuditLogMemoryStore();
-    clearPresenceStore();
-    clearWsMessageMemoryStore();
-    clearHeartbeatState();
-    clearMemoryUploadStore();
-    clearUploadRegistry();
-};
-// ---------------------------------------------------------------------------
-// Auth adapter
-// ---------------------------------------------------------------------------
-export const memoryAuthAdapter = {
-    async findByEmail(email) {
-        const id = _byEmail.get(email.toLowerCase());
-        if (!id)
-            return null;
-        const user = _users.get(id);
-        if (!user || !user.passwordHash)
-            return null;
-        return { id: user.id, passwordHash: user.passwordHash };
-    },
-    async create(email, passwordHash) {
-        const normalised = email.toLowerCase();
-        if (_byEmail.has(normalised))
-            throw new HttpError(409, "Email already registered");
-        const id = crypto.randomUUID();
-        const user = { id, email: normalised, passwordHash, providerIds: [], roles: [], emailVerified: false, mfaSecret: null, mfaEnabled: false, recoveryCodes: [], mfaMethods: [], webauthnCredentials: [], suspended: false };
-        _users.set(id, user);
-        _byEmail.set(normalised, id);
-        return { id };
-    },
-    async setPassword(userId, passwordHash) {
-        const user = _users.get(userId);
-        if (!user)
-            return;
-        user.passwordHash = passwordHash;
-    },
-    async findOrCreateByProvider(provider, providerId, profile) {
-        const key = `${provider}:${providerId}`;
-        // Find by provider key
-        for (const user of _users.values()) {
-            if (user.providerIds.includes(key))
-                return { id: user.id, created: false };
-        }
-        // Reject if email belongs to a credential account
-        if (profile.email) {
-            const existingId = _byEmail.get(profile.email.toLowerCase());
-            if (existingId)
-                throw new HttpError(409, "An account with this email already exists. Sign in with your credentials, then link Google from your account settings.");
-        }
-        const id = crypto.randomUUID();
-        const email = profile.email ? profile.email.toLowerCase() : null;
-        const user = { id, email, passwordHash: null, providerIds: [key], roles: [], emailVerified: false, mfaSecret: null, mfaEnabled: false, recoveryCodes: [], mfaMethods: [], webauthnCredentials: [], suspended: false };
-        _users.set(id, user);
-        if (email)
-            _byEmail.set(email, id);
-        return { id, created: true };
-    },
-    async linkProvider(userId, provider, providerId) {
-        const user = _users.get(userId);
-        if (!user)
-            throw new HttpError(404, "User not found");
-        const key = `${provider}:${providerId}`;
-        if (!user.providerIds.includes(key))
-            user.providerIds.push(key);
-    },
-    async getRoles(userId) {
-        return _users.get(userId)?.roles ?? [];
-    },
-    async setRoles(userId, roles) {
-        const user = _users.get(userId);
-        if (!user)
-            return;
-        user.roles = [...roles];
-    },
-    async addRole(userId, role) {
-        const user = _users.get(userId);
-        if (!user)
-            return;
-        if (!user.roles.includes(role))
-            user.roles.push(role);
-    },
-    async removeRole(userId, role) {
-        const user = _users.get(userId);
-        if (!user)
-            return;
-        user.roles = user.roles.filter((r) => r !== role);
-    },
-    async getUser(userId) {
-        const user = _users.get(userId);
-        if (!user)
-            return null;
-        return {
-            email: user.email ?? undefined,
-            providerIds: [...user.providerIds],
-            emailVerified: user.emailVerified,
-            displayName: user.displayName,
-            firstName: user.firstName,
-            lastName: user.lastName,
-            externalId: user.externalId,
-            suspended: user.suspended,
-            suspendedReason: user.suspendedReason,
-        };
-    },
-    async unlinkProvider(userId, provider) {
-        const user = _users.get(userId);
-        if (!user)
-            throw new HttpError(404, "User not found");
-        user.providerIds = user.providerIds.filter((id) => !id.startsWith(`${provider}:`));
-    },
-    async findByIdentifier(value) {
-        const id = _byEmail.get(value.toLowerCase());
-        if (!id)
-            return null;
-        const user = _users.get(id);
-        if (!user || !user.passwordHash)
-            return null;
-        return { id: user.id, passwordHash: user.passwordHash };
-    },
-    async setEmailVerified(userId, verified) {
-        const user = _users.get(userId);
-        if (user)
-            user.emailVerified = verified;
-    },
-    async getEmailVerified(userId) {
-        return _users.get(userId)?.emailVerified ?? false;
-    },
-    async deleteUser(userId) {
-        const user = _users.get(userId);
-        if (user?.email)
-            _byEmail.delete(user.email);
-        _users.delete(userId);
-    },
-    async hasPassword(userId) {
-        return !!_users.get(userId)?.passwordHash;
-    },
-    async setMfaSecret(userId, secret) {
-        const user = _users.get(userId);
-        if (user)
-            user.mfaSecret = secret;
-    },
-    async getMfaSecret(userId) {
-        return _users.get(userId)?.mfaSecret ?? null;
-    },
-    async isMfaEnabled(userId) {
-        return _users.get(userId)?.mfaEnabled ?? false;
-    },
-    async setMfaEnabled(userId, enabled) {
-        const user = _users.get(userId);
-        if (user)
-            user.mfaEnabled = enabled;
-    },
-    async setRecoveryCodes(userId, codes) {
-        const user = _users.get(userId);
-        if (user)
-            user.recoveryCodes = [...codes];
-    },
-    async getRecoveryCodes(userId) {
-        return _users.get(userId)?.recoveryCodes ?? [];
-    },
-    async removeRecoveryCode(userId, code) {
-        const user = _users.get(userId);
-        if (user)
-            user.recoveryCodes = user.recoveryCodes.filter((c) => c !== code);
-    },
-    async getMfaMethods(userId) {
-        const user = _users.get(userId);
-        if (!user)
-            return [];
-        // Backward compat: if mfaEnabled but no methods recorded, assume TOTP
-        if (user.mfaMethods.length === 0 && user.mfaEnabled)
-            return ["totp"];
-        return [...user.mfaMethods];
-    },
-    async setMfaMethods(userId, methods) {
-        const user = _users.get(userId);
-        if (user)
-            user.mfaMethods = [...methods];
-    },
-    async getWebAuthnCredentials(userId) {
-        return [...(_users.get(userId)?.webauthnCredentials ?? [])];
-    },
-    async addWebAuthnCredential(userId, credential) {
-        const user = _users.get(userId);
-        if (user)
-            user.webauthnCredentials.push({ ...credential });
-    },
-    async removeWebAuthnCredential(userId, credentialId) {
-        const user = _users.get(userId);
-        if (user)
-            user.webauthnCredentials = user.webauthnCredentials.filter((c) => c.credentialId !== credentialId);
-    },
-    async updateWebAuthnCredentialSignCount(userId, credentialId, signCount) {
-        const user = _users.get(userId);
-        if (!user)
-            return;
-        const cred = user.webauthnCredentials.find((c) => c.credentialId === credentialId);
-        if (cred)
-            cred.signCount = signCount;
-    },
-    async findUserByWebAuthnCredentialId(credentialId) {
-        for (const user of _users.values()) {
-            if (user.webauthnCredentials.some((c) => c.credentialId === credentialId))
-                return user.id;
-        }
-        return null;
-    },
-    async getTenantRoles(userId, tenantId) {
-        return _tenantRoles.get(`${userId}:${tenantId}`) ?? [];
-    },
-    async setTenantRoles(userId, tenantId, roles) {
-        _tenantRoles.set(`${userId}:${tenantId}`, [...roles]);
-    },
-    async addTenantRole(userId, tenantId, role) {
-        const key = `${userId}:${tenantId}`;
-        const current = _tenantRoles.get(key) ?? [];
-        if (!current.includes(role)) {
-            _tenantRoles.set(key, [...current, role]);
-        }
-    },
-    async removeTenantRole(userId, tenantId, role) {
-        const key = `${userId}:${tenantId}`;
-        const current = _tenantRoles.get(key);
-        if (current) {
-            _tenantRoles.set(key, current.filter((r) => r !== role));
-        }
-    },
-    async setSuspended(userId, suspended, reason) {
-        const user = _users.get(userId);
-        if (!user)
-            return;
-        user.suspended = suspended;
-        if (suspended) {
-            user.suspendedAt = new Date();
-            user.suspendedReason = reason;
-        }
-        else {
-            user.suspendedAt = undefined;
-            user.suspendedReason = undefined;
-        }
-    },
-    async getSuspended(userId) {
-        const user = _users.get(userId);
-        if (!user)
-            return null;
-        return { suspended: user.suspended, suspendedReason: user.suspendedReason };
-    },
-    async updateProfile(userId, fields) {
-        const user = _users.get(userId);
-        if (!user)
-            return;
-        if ("displayName" in fields)
-            user.displayName = fields.displayName;
-        if ("firstName" in fields)
-            user.firstName = fields.firstName;
-        if ("lastName" in fields)
-            user.lastName = fields.lastName;
-        if ("externalId" in fields)
-            user.externalId = fields.externalId;
-    },
-    async listUsers(query) {
-        let users = [..._users.values()];
-        if (query.email !== undefined)
-            users = users.filter((u) => u.email === query.email);
-        if (query.externalId !== undefined)
-            users = users.filter((u) => u.externalId === query.externalId);
-        if (query.suspended !== undefined)
-            users = users.filter((u) => u.suspended === query.suspended);
-        const totalResults = users.length;
-        const startIndex = query.startIndex ?? 0;
-        const count = query.count ?? 100;
-        const page = users.slice(startIndex, startIndex + count);
-        return {
-            users: page.map((u) => ({
-                id: u.id,
-                email: u.email ?? undefined,
-                displayName: u.displayName,
-                firstName: u.firstName,
-                lastName: u.lastName,
-                externalId: u.externalId,
-                suspended: u.suspended,
-                suspendedAt: u.suspendedAt,
-                suspendedReason: u.suspendedReason,
-                emailVerified: u.emailVerified,
-                providerIds: [...u.providerIds],
-            })),
-            totalResults,
-        };
-    },
-    // ---------------------------------------------------------------------------
-    // Groups
-    // ---------------------------------------------------------------------------
-    async createGroup(group) {
-        // Enforce name uniqueness within scope (null = app-wide, string = tenant-scoped)
-        for (const g of _groups.values()) {
-            if (g.name === group.name && g.tenantId === group.tenantId) {
-                throw new HttpError(409, "A group with this name already exists in this scope");
-            }
-        }
-        const id = crypto.randomUUID();
-        const now = Date.now();
-        _groups.set(id, { ...group, id, createdAt: now, updatedAt: now });
-        return { id };
-    },
-    async deleteGroup(groupId) {
-        _groups.delete(groupId);
-        // Cascade: remove all memberships for this group
-        for (const [userId, memberships] of _groupMemberships) {
-            const filtered = memberships.filter((m) => m.groupId !== groupId);
-            if (filtered.length !== memberships.length) {
-                _groupMemberships.set(userId, filtered);
-            }
-        }
-    },
-    async getGroup(groupId) {
-        return _groups.get(groupId) ?? null;
-    },
-    async listGroups(tenantId, opts) {
-        const limit = Math.min(opts?.limit ?? 50, 200);
-        const offset = opts?.offset ?? 0;
-        const all = [..._groups.values()].filter((g) => g.tenantId === tenantId);
-        return { items: all.slice(offset, offset + limit), total: all.length, limit, offset };
-    },
-    async updateGroup(groupId, updates) {
-        const group = _groups.get(groupId);
-        if (!group)
-            return;
-        const now = Date.now();
-        _groups.set(groupId, { ...group, ...updates, id: group.id, tenantId: group.tenantId, createdAt: group.createdAt, updatedAt: now });
-    },
-    async addGroupMember(groupId, userId, roles = []) {
-        const group = _groups.get(groupId);
-        if (!group)
-            throw new HttpError(404, "Group not found");
-        const existing = _groupMemberships.get(userId) ?? [];
-        if (existing.some((m) => m.groupId === groupId)) {
-            throw new HttpError(409, "User is already a member of this group");
-        }
-        _groupMemberships.set(userId, [...existing, {
-                groupId, roles: [...roles], tenantId: group.tenantId, createdAt: Date.now(),
-            }]);
-    },
-    async updateGroupMembership(groupId, userId, roles) {
-        const memberships = _groupMemberships.get(userId);
-        if (!memberships)
-            return;
-        const idx = memberships.findIndex((m) => m.groupId === groupId);
-        if (idx === -1)
-            return;
-        memberships[idx] = { ...memberships[idx], roles: [...roles] };
-    },
-    async removeGroupMember(groupId, userId) {
-        const memberships = _groupMemberships.get(userId);
-        if (!memberships)
-            return;
-        _groupMemberships.set(userId, memberships.filter((m) => m.groupId !== groupId));
-    },
-    async getGroupMembers(groupId, opts) {
-        const limit = Math.min(opts?.limit ?? 50, 200);
-        const offset = opts?.offset ?? 0;
-        const all = [];
-        for (const [userId, memberships] of _groupMemberships) {
-            const m = memberships.find((m) => m.groupId === groupId);
-            if (m)
-                all.push({ userId, roles: [...m.roles] });
-        }
-        return { items: all.slice(offset, offset + limit), total: all.length, limit, offset };
-    },
-    async getUserGroups(userId, tenantId) {
-        const memberships = (_groupMemberships.get(userId) ?? []).filter((m) => m.tenantId === tenantId);
-        const result = [];
-        for (const m of memberships) {
-            const group = _groups.get(m.groupId);
-            if (group)
-                result.push({ group: { ...group }, membershipRoles: [...m.roles] });
-        }
-        return result;
-    },
-    async getEffectiveRoles(userId, tenantId) {
-        const direct = tenantId
-            ? (_tenantRoles.get(`${userId}:${tenantId}`) ?? [])
-            : (_users.get(userId)?.roles ?? []);
-        const memberships = (_groupMemberships.get(userId) ?? []).filter((m) => m.tenantId === tenantId);
-        const groupRoles = memberships.flatMap((m) => [
-            ...(_groups.get(m.groupId)?.roles ?? []),
-            ...m.roles,
-        ]);
-        return [...new Set([...direct, ...groupRoles])];
-    },
-    // ---------------------------------------------------------------------------
-    // M2M client credentials
-    // ---------------------------------------------------------------------------
-    async getM2MClient(clientId) {
-        for (const c of _m2mClients.values()) {
-            if (c.clientId === clientId && c.active)
-                return { ...c };
-        }
-        return null;
-    },
-    async createM2MClient(data) {
-        const id = crypto.randomUUID();
-        _m2mClients.set(id, { id, ...data, active: true });
-        return { id };
-    },
-    async deleteM2MClient(clientId) {
-        for (const [key, c] of _m2mClients.entries()) {
-            if (c.clientId === clientId) {
-                _m2mClients.delete(key);
-                return;
-            }
-        }
-    },
-    async listM2MClients() {
-        return Array.from(_m2mClients.values()).map(({ clientSecretHash: _, ...rest }) => rest);
-    },
-};
-// ---------------------------------------------------------------------------
-// Session helpers (used by src/lib/session.ts)
-// ---------------------------------------------------------------------------
-const SESSION_TTL_MS = 60 * 60 * 24 * 7 * 1000; // 7 days
-export const memoryCreateSession = (userId, token, sessionId, metadata) => {
-    const now = Date.now();
-    const session = {
-        sessionId, userId, token,
-        createdAt: now, lastActiveAt: now, expiresAt: now + SESSION_TTL_MS,
-        ipAddress: metadata?.ipAddress,
-        userAgent: metadata?.userAgent,
-    };
-    _sessions.set(sessionId, session);
-    if (!_userSessionIds.has(userId))
-        _userSessionIds.set(userId, new Set());
-    _userSessionIds.get(userId).add(sessionId);
-};
-export const memoryGetSession = (sessionId) => {
-    const entry = _sessions.get(sessionId);
-    if (!entry || !entry.token || entry.expiresAt <= Date.now())
-        return null;
-    return entry.token;
-};
-export const memoryDeleteSession = (sessionId) => {
-    const entry = _sessions.get(sessionId);
-    if (!entry)
-        return;
-    // Clean up refresh token reverse-lookup keys
-    if (entry.refreshToken)
-        _refreshTokenIndex.delete(entry.refreshToken);
-    if (entry.prevRefreshToken)
-        _refreshTokenIndex.delete(entry.prevRefreshToken);
-    if (getPersistSessionMetadata()) {
-        entry.token = null;
-        entry.refreshToken = null;
-        entry.prevRefreshToken = null;
-        entry.prevTokenExpiresAt = null;
-    }
-    else {
-        _sessions.delete(sessionId);
-        _userSessionIds.get(entry.userId)?.delete(sessionId);
-    }
-};
-export const memoryGetUserSessions = (userId) => {
-    const ids = _userSessionIds.get(userId);
-    if (!ids)
-        return [];
-    const now = Date.now();
-    const includeInactive = getIncludeInactiveSessions();
-    const persist = getPersistSessionMetadata();
-    const results = [];
-    for (const sessionId of ids) {
-        const s = _sessions.get(sessionId);
-        if (!s)
-            continue;
-        const isActive = !!s.token && s.expiresAt > now;
-        if (!isActive && !persist)
-            continue;
-        if (!isActive && !includeInactive)
-            continue;
-        results.push({
-            sessionId: s.sessionId,
-            createdAt: s.createdAt,
-            lastActiveAt: s.lastActiveAt,
-            expiresAt: s.expiresAt,
-            ipAddress: s.ipAddress,
-            userAgent: s.userAgent,
-            isActive,
-        });
-    }
-    return results;
-};
-export const memoryGetActiveSessionCount = (userId) => {
-    const ids = _userSessionIds.get(userId);
-    if (!ids)
-        return 0;
-    const now = Date.now();
-    let count = 0;
-    for (const sessionId of ids) {
-        const s = _sessions.get(sessionId);
-        if (s && s.token && s.expiresAt > now)
-            count++;
-    }
-    return count;
-};
-export const memoryEvictOldestSession = (userId) => {
-    const ids = _userSessionIds.get(userId);
-    if (!ids)
-        return;
-    const now = Date.now();
-    let oldest = null;
-    for (const sessionId of ids) {
-        const s = _sessions.get(sessionId);
-        if (!s || !s.token || s.expiresAt <= now)
-            continue;
-        if (!oldest || s.createdAt < oldest.createdAt)
-            oldest = s;
-    }
-    if (oldest)
-        memoryDeleteSession(oldest.sessionId);
-};
-export const memoryUpdateSessionLastActive = (sessionId) => {
-    const entry = _sessions.get(sessionId);
-    if (entry)
-        entry.lastActiveAt = Date.now();
-};
-export const memoryGetSessionFingerprint = (sessionId) => {
-    return _sessions.get(sessionId)?.fingerprint ?? null;
-};
-export const memorySetSessionFingerprint = (sessionId, fingerprint) => {
-    const entry = _sessions.get(sessionId);
-    if (entry)
-        entry.fingerprint = fingerprint;
-};
-export const memoryGetMfaVerifiedAt = (sessionId) => {
-    return _sessions.get(sessionId)?.mfaVerifiedAt ?? null;
-};
-export const memorySetMfaVerifiedAt = (sessionId, ts) => {
-    const entry = _sessions.get(sessionId);
-    if (entry)
-        entry.mfaVerifiedAt = ts;
-};
-export const memorySetRefreshToken = (sessionId, refreshToken) => {
-    const entry = _sessions.get(sessionId);
-    if (!entry)
-        return;
-    entry.refreshToken = refreshToken;
-    _refreshTokenIndex.set(refreshToken, sessionId);
-};
-import { getRotationGraceSeconds } from "../lib/appConfig";
-export const memoryGetSessionByRefreshToken = (refreshToken) => {
-    const sessionId = _refreshTokenIndex.get(refreshToken);
-    if (!sessionId)
-        return null;
-    const entry = _sessions.get(sessionId);
-    if (!entry)
-        return null;
-    // Current refresh token matches
-    if (entry.refreshToken === refreshToken) {
-        return { sessionId: entry.sessionId, userId: entry.userId, newRefreshToken: refreshToken };
-    }
-    // Check grace window
-    if (entry.prevRefreshToken === refreshToken && entry.prevTokenExpiresAt && entry.prevTokenExpiresAt > Date.now()) {
-        return { sessionId: entry.sessionId, userId: entry.userId, newRefreshToken: entry.refreshToken };
-    }
-    // Grace window expired — theft detected, invalidate session
-    if (entry.prevRefreshToken === refreshToken) {
-        memoryDeleteSession(sessionId);
-        return null;
-    }
-    return null;
-};
-export const memoryRotateRefreshToken = (sessionId, newRefreshToken, newAccessToken) => {
-    const entry = _sessions.get(sessionId);
-    if (!entry)
-        return;
-    const graceSeconds = getRotationGraceSeconds();
-    // Move current to prev
-    const oldRefreshToken = entry.refreshToken;
-    entry.prevRefreshToken = oldRefreshToken;
-    entry.prevTokenExpiresAt = Date.now() + graceSeconds * 1000;
-    entry.refreshToken = newRefreshToken;
-    entry.token = newAccessToken;
-    // Update reverse-lookup index
-    _refreshTokenIndex.set(newRefreshToken, sessionId);
-    // Old token stays in index during grace window — cleaned up on next lookup or session delete
-};
-// ---------------------------------------------------------------------------
-// OAuth state helpers (used by src/lib/oauth.ts)
-// ---------------------------------------------------------------------------
-const OAUTH_STATE_TTL_MS = 5 * 60 * 1000; // 5 minutes
-export const memoryStoreOAuthState = (state, codeVerifier, linkUserId) => {
-    _oauthStates.set(state, { codeVerifier, linkUserId, expiresAt: Date.now() + OAUTH_STATE_TTL_MS });
-};
-export const memoryConsumeOAuthState = (state) => {
-    const entry = _oauthStates.get(state);
-    if (!entry || entry.expiresAt <= Date.now()) {
-        _oauthStates.delete(state);
-        return null;
-    }
-    _oauthStates.delete(state);
-    return { codeVerifier: entry.codeVerifier, linkUserId: entry.linkUserId };
-};
-// ---------------------------------------------------------------------------
-// Cache helpers (used by src/middleware/cacheResponse.ts)
-// ---------------------------------------------------------------------------
-export const memoryGetCache = (key) => {
-    const entry = _cache.get(key);
-    if (!entry)
-        return null;
-    if (entry.expiresAt !== undefined && entry.expiresAt <= Date.now()) {
-        _cache.delete(key);
-        return null;
-    }
-    return entry.value;
-};
-export const memorySetCache = (key, value, ttlSeconds) => {
-    const expiresAt = ttlSeconds ? Date.now() + ttlSeconds * 1000 : undefined;
-    _cache.set(key, { value, expiresAt });
-};
-export const memoryDelCache = (key) => {
-    _cache.delete(key);
-};
-export const memoryDelCachePattern = (pattern) => {
-    // Convert glob * to a regex
-    const regex = new RegExp("^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*") + "$");
-    for (const key of _cache.keys()) {
-        if (regex.test(key))
-            _cache.delete(key);
-    }
-};
-// ---------------------------------------------------------------------------
-// Email verification token helpers (used by src/lib/emailVerification.ts)
-// ---------------------------------------------------------------------------
-export const memoryCreateVerificationToken = (token, userId, email, ttlSeconds) => {
-    _verificationTokens.set(token, { userId, email, expiresAt: Date.now() + ttlSeconds * 1000 });
-};
-export const memoryGetVerificationToken = (token) => {
-    const entry = _verificationTokens.get(token);
-    if (!entry || entry.expiresAt <= Date.now()) {
-        _verificationTokens.delete(token);
-        return null;
-    }
-    return { userId: entry.userId, email: entry.email };
-};
-export const memoryDeleteVerificationToken = (token) => {
-    _verificationTokens.delete(token);
-};
-export const memoryConsumeVerificationToken = (token) => {
-    const entry = _verificationTokens.get(token);
-    if (!entry || entry.expiresAt <= Date.now()) {
-        _verificationTokens.delete(token);
-        return null;
-    }
-    _verificationTokens.delete(token);
-    return { userId: entry.userId, email: entry.email };
-};
-// ---------------------------------------------------------------------------
-// Password reset token helpers (used by src/lib/resetPassword.ts)
-// ---------------------------------------------------------------------------
-export const memoryCreateResetToken = (token, userId, email, ttlSeconds) => {
-    const now = Date.now();
-    // Opportunistically purge expired entries to prevent unbounded memory growth
-    for (const [k, v] of _resetTokens) {
-        if (v.expiresAt <= now)
-            _resetTokens.delete(k);
-    }
-    _resetTokens.set(token, { userId, email, expiresAt: now + ttlSeconds * 1000 });
-};
-export const memoryConsumeResetToken = (hash) => {
-    const entry = _resetTokens.get(hash);
-    if (!entry || entry.expiresAt <= Date.now()) {
-        _resetTokens.delete(hash);
-        return null;
-    }
-    _resetTokens.delete(hash);
-    return { userId: entry.userId, email: entry.email };
-};
-export const memoryStoreOAuthCode = (hash, payload, ttlSeconds) => {
-    _oauthCodes.set(hash, { ...payload, expiresAt: Date.now() + ttlSeconds * 1000 });
-};
-export const memoryConsumeOAuthCode = (hash) => {
-    const entry = _oauthCodes.get(hash);
-    if (!entry || entry.expiresAt <= Date.now()) {
-        _oauthCodes.delete(hash);
-        return null;
-    }
-    _oauthCodes.delete(hash);
-    return { token: entry.token, userId: entry.userId, email: entry.email, refreshToken: entry.refreshToken };
-};
-// ---------------------------------------------------------------------------
-// Account deletion cancel token helpers (used by src/lib/deletionCancelToken.ts)
-// ---------------------------------------------------------------------------
-export const memoryCreateDeletionCancelToken = (token, userId, jobId, ttlSeconds) => {
-    const now = Date.now();
-    for (const [k, v] of _cancelTokens) {
-        if (v.expiresAt <= now)
-            _cancelTokens.delete(k);
-    }
-    _cancelTokens.set(token, { userId, jobId, expiresAt: now + ttlSeconds * 1000 });
-};
-export const memoryConsumeDeletionCancelToken = (hash) => {
-    const entry = _cancelTokens.get(hash);
-    if (!entry || entry.expiresAt <= Date.now()) {
-        _cancelTokens.delete(hash);
-        return null;
-    }
-    _cancelTokens.delete(hash);
-    return { userId: entry.userId, jobId: entry.jobId };
-};