@lastshotlabs/bunshot 0.0.27 → 0.0.28
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.oclif.manifest.json +39 -0
- package/README.md +8282 -2147
- package/dist/cli/commands/init.js +690 -0
- package/dist/cli/index.js +6 -0
- package/dist/cli.js +4 -4
- package/dist/packages/bunshot-admin/src/index.d.ts +15 -0
- package/dist/packages/bunshot-admin/src/index.js +11 -0
- package/dist/packages/bunshot-admin/src/lib/resourceTypes.d.ts +8 -0
- package/dist/packages/bunshot-admin/src/lib/resourceTypes.js +33 -0
- package/dist/packages/bunshot-admin/src/lib/typedRoute.d.ts +14 -0
- package/dist/packages/bunshot-admin/src/lib/typedRoute.js +17 -0
- package/dist/packages/bunshot-admin/src/plugin.d.ts +4 -0
- package/dist/packages/bunshot-admin/src/plugin.js +46 -0
- package/dist/packages/bunshot-admin/src/providers/auth0Access.d.ts +6 -0
- package/dist/packages/bunshot-admin/src/providers/auth0Access.js +32 -0
- package/dist/packages/bunshot-admin/src/routes/admin.d.ts +10 -0
- package/dist/packages/bunshot-admin/src/routes/admin.js +923 -0
- package/dist/packages/bunshot-admin/src/routes/mail.d.ts +6 -0
- package/dist/packages/bunshot-admin/src/routes/mail.js +114 -0
- package/dist/packages/bunshot-admin/src/routes/permissions.d.ts +8 -0
- package/dist/packages/bunshot-admin/src/routes/permissions.js +315 -0
- package/dist/packages/bunshot-admin/src/types/config.d.ts +16 -0
- package/dist/packages/bunshot-admin/src/types/config.js +37 -0
- package/dist/packages/bunshot-admin/src/types/env.d.ts +14 -0
- package/dist/packages/bunshot-admin/src/types/provider.d.ts +1 -0
- package/dist/packages/bunshot-admin/src/types/provider.js +4 -0
- package/dist/packages/bunshot-auth/src/adapters/memoryAuth.d.ts +66 -0
- package/dist/packages/bunshot-auth/src/adapters/memoryAuth.js +1063 -0
- package/dist/packages/bunshot-auth/src/adapters/mongoAuth.d.ts +2 -0
- package/dist/packages/bunshot-auth/src/adapters/mongoAuth.js +536 -0
- package/dist/packages/bunshot-auth/src/adapters/sqliteAuth.d.ts +88 -0
- package/dist/packages/bunshot-auth/src/adapters/sqliteAuth.js +1366 -0
- package/dist/packages/bunshot-auth/src/admin/bunshotAccess.d.ts +2 -0
- package/dist/packages/bunshot-auth/src/admin/bunshotAccess.js +23 -0
- package/dist/packages/bunshot-auth/src/admin/bunshotUsers.d.ts +5 -0
- package/dist/packages/bunshot-auth/src/admin/bunshotUsers.js +131 -0
- package/dist/packages/bunshot-auth/src/bootstrap.d.ts +38 -0
- package/dist/packages/bunshot-auth/src/bootstrap.js +384 -0
- package/dist/packages/bunshot-auth/src/config/appConfig.d.ts +3 -0
- package/dist/packages/bunshot-auth/src/config/appConfig.js +4 -0
- package/dist/packages/bunshot-auth/src/config/authConfig.d.ts +478 -0
- package/dist/packages/bunshot-auth/src/config/authConfig.js +46 -0
- package/dist/packages/bunshot-auth/src/config/configLock.d.ts +2 -0
- package/dist/packages/bunshot-auth/src/config/configLock.js +10 -0
- package/dist/packages/bunshot-auth/src/index.d.ts +25 -0
- package/dist/packages/bunshot-auth/src/index.js +23 -0
- package/dist/packages/bunshot-auth/src/infra/mongo.d.ts +15 -0
- package/dist/packages/bunshot-auth/src/infra/mongo.js +44 -0
- package/dist/packages/bunshot-auth/src/infra/queue.d.ts +14 -0
- package/dist/packages/bunshot-auth/src/infra/queue.js +27 -0
- package/dist/packages/bunshot-auth/src/infra/redis.d.ts +5 -0
- package/dist/packages/bunshot-auth/src/infra/redis.js +15 -0
- package/dist/packages/bunshot-auth/src/infra/signing.d.ts +7 -0
- package/dist/packages/bunshot-auth/src/infra/signing.js +8 -0
- package/dist/packages/bunshot-auth/src/lib/accountLockout.d.ts +34 -0
- package/dist/packages/bunshot-auth/src/lib/accountLockout.js +244 -0
- package/dist/packages/bunshot-auth/src/lib/adapterTiers.d.ts +1 -0
- package/dist/packages/bunshot-auth/src/lib/adapterTiers.js +1 -0
- package/dist/packages/bunshot-auth/src/lib/authAdapter.d.ts +1 -0
- package/dist/packages/bunshot-auth/src/lib/authAdapter.js +1 -0
- package/dist/packages/bunshot-auth/src/lib/authContext.d.ts +15 -0
- package/dist/packages/bunshot-auth/src/lib/authContext.js +1 -0
- package/dist/packages/bunshot-auth/src/lib/authEventBus.d.ts +4 -0
- package/dist/packages/bunshot-auth/src/lib/authEventBus.js +15 -0
- package/dist/packages/bunshot-auth/src/lib/authRateLimit.d.ts +28 -0
- package/dist/packages/bunshot-auth/src/lib/authRateLimit.js +205 -0
- package/dist/{lib → packages/bunshot-auth/src/lib}/breachedPassword.d.ts +8 -2
- package/dist/{lib → packages/bunshot-auth/src/lib}/breachedPassword.js +22 -9
- package/dist/packages/bunshot-auth/src/lib/cache.d.ts +12 -0
- package/dist/packages/bunshot-auth/src/lib/cache.js +120 -0
- package/dist/packages/bunshot-auth/src/lib/clientIp.d.ts +4 -0
- package/dist/{lib → packages/bunshot-auth/src/lib}/clientIp.js +14 -7
- package/dist/packages/bunshot-auth/src/lib/cookieOptions.d.ts +27 -0
- package/dist/packages/bunshot-auth/src/lib/cookieOptions.js +33 -0
- package/dist/packages/bunshot-auth/src/lib/credentialStuffing.d.ts +40 -0
- package/dist/packages/bunshot-auth/src/lib/credentialStuffing.js +221 -0
- package/dist/packages/bunshot-auth/src/lib/deletionCancelToken.d.ts +19 -0
- package/dist/packages/bunshot-auth/src/lib/deletionCancelToken.js +148 -0
- package/dist/packages/bunshot-auth/src/lib/emailTemplates.d.ts +23 -0
- package/dist/packages/bunshot-auth/src/lib/emailTemplates.js +265 -0
- package/dist/packages/bunshot-auth/src/lib/emailVerification.d.ts +30 -0
- package/dist/packages/bunshot-auth/src/lib/emailVerification.js +200 -0
- package/dist/packages/bunshot-auth/src/lib/env.d.ts +1 -0
- package/dist/packages/bunshot-auth/src/lib/env.js +3 -0
- package/dist/packages/bunshot-auth/src/lib/fingerprint.js +36 -0
- package/dist/{lib → packages/bunshot-auth/src/lib}/groups.d.ts +15 -16
- package/dist/{lib → packages/bunshot-auth/src/lib}/groups.js +22 -34
- package/dist/packages/bunshot-auth/src/lib/jwks.d.ts +28 -0
- package/dist/packages/bunshot-auth/src/lib/jwks.js +79 -0
- package/dist/packages/bunshot-auth/src/lib/jwt.d.ts +12 -0
- package/dist/packages/bunshot-auth/src/lib/jwt.js +86 -0
- package/dist/{lib → packages/bunshot-auth/src/lib}/logger.js +3 -3
- package/dist/{lib → packages/bunshot-auth/src/lib}/m2m.d.ts +5 -4
- package/dist/{lib → packages/bunshot-auth/src/lib}/m2m.js +6 -10
- package/dist/packages/bunshot-auth/src/lib/magicLink.d.ts +13 -0
- package/dist/packages/bunshot-auth/src/lib/magicLink.js +145 -0
- package/dist/packages/bunshot-auth/src/lib/mfaChallenge.d.ts +60 -0
- package/dist/packages/bunshot-auth/src/lib/mfaChallenge.js +419 -0
- package/dist/packages/bunshot-auth/src/lib/oauth.d.ts +82 -0
- package/dist/packages/bunshot-auth/src/lib/oauth.js +177 -0
- package/dist/packages/bunshot-auth/src/lib/oauthCode.d.ts +19 -0
- package/dist/packages/bunshot-auth/src/lib/oauthCode.js +182 -0
- package/dist/packages/bunshot-auth/src/lib/oauthReauth.d.ts +19 -0
- package/dist/packages/bunshot-auth/src/lib/oauthReauth.js +255 -0
- package/dist/packages/bunshot-auth/src/lib/organization.d.ts +66 -0
- package/dist/packages/bunshot-auth/src/lib/organization.js +225 -0
- package/dist/packages/bunshot-auth/src/lib/passwordHistory.d.ts +12 -0
- package/dist/packages/bunshot-auth/src/lib/passwordHistory.js +31 -0
- package/dist/packages/bunshot-auth/src/lib/resetPassword.d.ts +20 -0
- package/dist/packages/bunshot-auth/src/lib/resetPassword.js +148 -0
- package/dist/packages/bunshot-auth/src/lib/roles.d.ts +9 -0
- package/dist/packages/bunshot-auth/src/lib/roles.js +93 -0
- package/dist/packages/bunshot-auth/src/lib/saml.d.ts +29 -0
- package/dist/packages/bunshot-auth/src/lib/saml.js +73 -0
- package/dist/packages/bunshot-auth/src/lib/samlRequestId.d.ts +13 -0
- package/dist/packages/bunshot-auth/src/lib/samlRequestId.js +129 -0
- package/dist/{lib → packages/bunshot-auth/src/lib}/scim.d.ts +7 -7
- package/dist/{lib → packages/bunshot-auth/src/lib}/scim.js +15 -13
- package/dist/packages/bunshot-auth/src/lib/securityEventWiring.d.ts +22 -0
- package/dist/packages/bunshot-auth/src/lib/securityEventWiring.js +65 -0
- package/dist/packages/bunshot-auth/src/lib/session.d.ts +45 -0
- package/dist/packages/bunshot-auth/src/lib/session.js +1211 -0
- package/dist/packages/bunshot-auth/src/lib/storeInfra.d.ts +26 -0
- package/dist/packages/bunshot-auth/src/lib/storeInfra.js +18 -0
- package/dist/{lib → packages/bunshot-auth/src/lib}/suspension.d.ts +3 -2
- package/dist/{lib → packages/bunshot-auth/src/lib}/suspension.js +2 -5
- package/dist/packages/bunshot-auth/src/lib/validateAdapter.d.ts +16 -0
- package/dist/packages/bunshot-auth/src/lib/validateAdapter.js +161 -0
- package/dist/packages/bunshot-auth/src/middleware/bearerAuth.d.ts +13 -0
- package/dist/packages/bunshot-auth/src/middleware/bearerAuth.js +58 -0
- package/dist/{middleware → packages/bunshot-auth/src/middleware}/csrf.d.ts +5 -4
- package/dist/packages/bunshot-auth/src/middleware/csrf.js +138 -0
- package/dist/packages/bunshot-auth/src/middleware/identify.d.ts +4 -0
- package/dist/packages/bunshot-auth/src/middleware/identify.js +124 -0
- package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireMfaSetup.d.ts +2 -2
- package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireMfaSetup.js +10 -8
- package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireRole.d.ts +2 -2
- package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireRole.js +20 -16
- package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireScope.d.ts +2 -2
- package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireScope.js +6 -6
- package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireStepUp.d.ts +2 -2
- package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireStepUp.js +8 -7
- package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireVerifiedEmail.d.ts +2 -2
- package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireVerifiedEmail.js +7 -6
- package/dist/packages/bunshot-auth/src/middleware/scimAuth.d.ts +8 -0
- package/dist/packages/bunshot-auth/src/middleware/scimAuth.js +29 -0
- package/dist/packages/bunshot-auth/src/middleware/userAuth.d.ts +3 -0
- package/dist/packages/bunshot-auth/src/middleware/userAuth.js +6 -0
- package/dist/{models → packages/bunshot-auth/src/models}/AuthUser.d.ts +12 -8
- package/dist/packages/bunshot-auth/src/models/AuthUser.js +53 -0
- package/dist/packages/bunshot-auth/src/models/Group.d.ts +19 -0
- package/dist/packages/bunshot-auth/src/models/Group.js +22 -0
- package/dist/{models → packages/bunshot-auth/src/models}/GroupMembership.d.ts +6 -8
- package/dist/packages/bunshot-auth/src/models/GroupMembership.js +19 -0
- package/dist/{models → packages/bunshot-auth/src/models}/M2MClient.d.ts +1 -1
- package/dist/{models → packages/bunshot-auth/src/models}/M2MClient.js +5 -5
- package/dist/packages/bunshot-auth/src/models/TenantRole.d.ts +13 -0
- package/dist/packages/bunshot-auth/src/models/TenantRole.js +17 -0
- package/dist/packages/bunshot-auth/src/plugin.d.ts +4 -0
- package/dist/packages/bunshot-auth/src/plugin.js +274 -0
- package/dist/packages/bunshot-auth/src/routes/auth.d.ts +15 -0
- package/dist/packages/bunshot-auth/src/routes/auth.js +1624 -0
- package/dist/packages/bunshot-auth/src/routes/groups.d.ts +4 -0
- package/dist/packages/bunshot-auth/src/routes/groups.js +481 -0
- package/dist/packages/bunshot-auth/src/routes/m2m.d.ts +2 -0
- package/dist/packages/bunshot-auth/src/routes/m2m.js +145 -0
- package/dist/packages/bunshot-auth/src/routes/mfa.d.ts +6 -0
- package/dist/packages/bunshot-auth/src/routes/mfa.js +991 -0
- package/dist/packages/bunshot-auth/src/routes/oauth.d.ts +3 -0
- package/dist/packages/bunshot-auth/src/routes/oauth.js +1727 -0
- package/dist/packages/bunshot-auth/src/routes/oidc.d.ts +2 -0
- package/dist/packages/bunshot-auth/src/routes/oidc.js +84 -0
- package/dist/packages/bunshot-auth/src/routes/organizations.d.ts +3 -0
- package/dist/packages/bunshot-auth/src/routes/organizations.js +741 -0
- package/dist/packages/bunshot-auth/src/routes/passkey.d.ts +2 -0
- package/dist/packages/bunshot-auth/src/routes/passkey.js +199 -0
- package/dist/packages/bunshot-auth/src/routes/saml.d.ts +2 -0
- package/dist/packages/bunshot-auth/src/routes/saml.js +226 -0
- package/dist/packages/bunshot-auth/src/routes/scim.d.ts +3 -0
- package/dist/packages/bunshot-auth/src/routes/scim.js +588 -0
- package/dist/packages/bunshot-auth/src/runtime.d.ts +52 -0
- package/dist/packages/bunshot-auth/src/runtime.js +11 -0
- package/dist/{schemas → packages/bunshot-auth/src/schemas}/auth.d.ts +4 -5
- package/dist/packages/bunshot-auth/src/schemas/auth.js +24 -0
- package/dist/packages/bunshot-auth/src/schemas/error.d.ts +10 -0
- package/dist/packages/bunshot-auth/src/schemas/error.js +10 -0
- package/dist/packages/bunshot-auth/src/schemas/success.d.ts +10 -0
- package/dist/packages/bunshot-auth/src/schemas/success.js +10 -0
- package/dist/packages/bunshot-auth/src/services/auth.d.ts +39 -0
- package/dist/packages/bunshot-auth/src/services/auth.js +378 -0
- package/dist/{services → packages/bunshot-auth/src/services}/mfa.d.ts +41 -17
- package/dist/{services → packages/bunshot-auth/src/services}/mfa.js +259 -183
- package/dist/packages/bunshot-auth/src/testing.d.ts +31 -0
- package/dist/packages/bunshot-auth/src/testing.js +23 -0
- package/dist/packages/bunshot-auth/src/types/adapter.d.ts +1 -0
- package/dist/packages/bunshot-auth/src/types/adapter.js +1 -0
- package/dist/packages/bunshot-auth/src/types/config.d.ts +152 -0
- package/dist/packages/bunshot-auth/src/types/config.js +179 -0
- package/dist/{routes → packages/bunshot-auth/src/types}/groups.d.ts +2 -3
- package/dist/packages/bunshot-auth/src/types/groups.js +1 -0
- package/dist/packages/bunshot-auth/src/types/oauthCode.d.ts +6 -0
- package/dist/packages/bunshot-auth/src/types/oauthCode.js +1 -0
- package/dist/packages/bunshot-auth/src/types/oauthReauth.d.ts +13 -0
- package/dist/packages/bunshot-auth/src/types/oauthReauth.js +1 -0
- package/dist/packages/bunshot-auth/src/types/redis.d.ts +1 -0
- package/dist/packages/bunshot-auth/src/types/redis.js +1 -0
- package/dist/packages/bunshot-auth/src/types/saml.d.ts +10 -0
- package/dist/packages/bunshot-auth/src/types/saml.js +1 -0
- package/dist/packages/bunshot-auth/src/types/session.d.ts +18 -0
- package/dist/packages/bunshot-auth/src/types/session.js +1 -0
- package/dist/packages/bunshot-auth/src/types/store.d.ts +1 -0
- package/dist/packages/bunshot-auth/src/types/store.js +1 -0
- package/dist/packages/bunshot-core/src/adminProvider.d.ts +95 -0
- package/dist/packages/bunshot-core/src/adminProvider.js +1 -0
- package/dist/packages/bunshot-core/src/auditLog.d.ts +34 -0
- package/dist/packages/bunshot-core/src/auditLog.js +1 -0
- package/dist/packages/bunshot-core/src/auth-adapter.d.ts +227 -0
- package/dist/packages/bunshot-core/src/auth-adapter.js +4 -0
- package/dist/packages/bunshot-core/src/authVariables.d.ts +14 -0
- package/dist/packages/bunshot-core/src/authVariables.js +4 -0
- package/dist/packages/bunshot-core/src/cache.d.ts +12 -0
- package/dist/packages/bunshot-core/src/cache.js +21 -0
- package/dist/{lib → packages/bunshot-core/src}/captcha.d.ts +1 -10
- package/dist/packages/bunshot-core/src/captcha.js +1 -0
- package/dist/packages/bunshot-core/src/clearRegistry.d.ts +6 -0
- package/dist/packages/bunshot-core/src/clearRegistry.js +17 -0
- package/dist/packages/bunshot-core/src/clientIp.d.ts +3 -0
- package/dist/packages/bunshot-core/src/clientIp.js +45 -0
- package/dist/packages/bunshot-core/src/configLock.d.ts +4 -0
- package/dist/packages/bunshot-core/src/configLock.js +7 -0
- package/dist/packages/bunshot-core/src/configValidation.d.ts +22 -0
- package/dist/packages/bunshot-core/src/configValidation.js +39 -0
- package/dist/packages/bunshot-core/src/constants.js +10 -0
- package/dist/packages/bunshot-core/src/context/bunshotContext.d.ts +232 -0
- package/dist/packages/bunshot-core/src/context/bunshotContext.js +1 -0
- package/dist/packages/bunshot-core/src/context/contextAccess.d.ts +3 -0
- package/dist/packages/bunshot-core/src/context/contextAccess.js +16 -0
- package/dist/packages/bunshot-core/src/context/contextStore.d.ts +16 -0
- package/dist/packages/bunshot-core/src/context/contextStore.js +31 -0
- package/dist/packages/bunshot-core/src/context/frameworkConfig.d.ts +38 -0
- package/dist/packages/bunshot-core/src/context/frameworkConfig.js +1 -0
- package/dist/packages/bunshot-core/src/context/index.d.ts +4 -0
- package/dist/packages/bunshot-core/src/context/index.js +2 -0
- package/dist/packages/bunshot-core/src/context.d.ts +40 -0
- package/dist/packages/bunshot-core/src/context.js +35 -0
- package/dist/packages/bunshot-core/src/coreContracts.d.ts +47 -0
- package/dist/packages/bunshot-core/src/coreContracts.js +1 -0
- package/dist/packages/bunshot-core/src/coreRegistrar.d.ts +6 -0
- package/dist/packages/bunshot-core/src/coreRegistrar.js +42 -0
- package/dist/{lib → packages/bunshot-core/src}/createRoute.d.ts +4 -30
- package/dist/{lib → packages/bunshot-core/src}/createRoute.js +39 -88
- package/dist/packages/bunshot-core/src/cronRegistry.d.ts +11 -0
- package/dist/packages/bunshot-core/src/cronRegistry.js +1 -0
- package/dist/packages/bunshot-core/src/crypto.d.ts +43 -0
- package/dist/packages/bunshot-core/src/crypto.js +74 -0
- package/dist/packages/bunshot-core/src/csrf.d.ts +8 -0
- package/dist/packages/bunshot-core/src/csrf.js +1 -0
- package/dist/packages/bunshot-core/src/defaults/defaultFingerprint.d.ts +7 -0
- package/dist/packages/bunshot-core/src/defaults/defaultFingerprint.js +19 -0
- package/dist/packages/bunshot-core/src/defaults/memoryCacheAdapter.d.ts +6 -0
- package/dist/packages/bunshot-core/src/defaults/memoryCacheAdapter.js +40 -0
- package/dist/packages/bunshot-core/src/defaults/memoryRateLimit.d.ts +6 -0
- package/dist/packages/bunshot-core/src/defaults/memoryRateLimit.js +24 -0
- package/dist/packages/bunshot-core/src/emailTemplates.d.ts +5 -0
- package/dist/packages/bunshot-core/src/emailTemplates.js +10 -0
- package/dist/{lib/HttpError.d.ts → packages/bunshot-core/src/errors.d.ts} +4 -1
- package/dist/{lib/HttpError.js → packages/bunshot-core/src/errors.js} +7 -1
- package/dist/packages/bunshot-core/src/eventBus.d.ts +270 -0
- package/dist/packages/bunshot-core/src/eventBus.js +143 -0
- package/dist/packages/bunshot-core/src/idempotency.d.ts +18 -0
- package/dist/packages/bunshot-core/src/idempotency.js +1 -0
- package/dist/packages/bunshot-core/src/index.d.ts +60 -0
- package/dist/packages/bunshot-core/src/index.js +34 -0
- package/dist/packages/bunshot-core/src/mail.d.ts +14 -0
- package/dist/packages/bunshot-core/src/mail.js +8 -0
- package/dist/packages/bunshot-core/src/memoryEviction.d.ts +24 -0
- package/dist/packages/bunshot-core/src/memoryEviction.js +52 -0
- package/dist/packages/bunshot-core/src/pagination.d.ts +45 -0
- package/dist/packages/bunshot-core/src/pagination.js +61 -0
- package/dist/packages/bunshot-core/src/permissions.d.ts +64 -0
- package/dist/packages/bunshot-core/src/permissions.js +27 -0
- package/dist/packages/bunshot-core/src/plugin.d.ts +44 -0
- package/dist/packages/bunshot-core/src/plugin.js +1 -0
- package/dist/packages/bunshot-core/src/rateLimit.d.ts +5 -0
- package/dist/packages/bunshot-core/src/rateLimit.js +18 -0
- package/dist/packages/bunshot-core/src/redis.d.ts +21 -0
- package/dist/packages/bunshot-core/src/redis.js +1 -0
- package/dist/packages/bunshot-core/src/routeAuth.d.ts +5 -0
- package/dist/packages/bunshot-core/src/routeAuth.js +11 -0
- package/dist/packages/bunshot-core/src/routeOverrides.d.ts +24 -0
- package/dist/packages/bunshot-core/src/routeOverrides.js +25 -0
- package/dist/packages/bunshot-core/src/routerAdapter.d.ts +6 -0
- package/dist/packages/bunshot-core/src/routerAdapter.js +56 -0
- package/dist/packages/bunshot-core/src/secrets.d.ts +48 -0
- package/dist/packages/bunshot-core/src/secrets.js +8 -0
- package/dist/packages/bunshot-core/src/signing.d.ts +41 -0
- package/dist/packages/bunshot-core/src/signing.js +1 -0
- package/dist/packages/bunshot-core/src/sse.d.ts +36 -0
- package/dist/packages/bunshot-core/src/sse.js +1 -0
- package/dist/packages/bunshot-core/src/storageAdapter.js +1 -0
- package/dist/packages/bunshot-core/src/storeInfra.d.ts +44 -0
- package/dist/packages/bunshot-core/src/storeInfra.js +18 -0
- package/dist/packages/bunshot-core/src/storeType.d.ts +7 -0
- package/dist/packages/bunshot-core/src/storeType.js +1 -0
- package/dist/packages/bunshot-core/src/testing.d.ts +1 -0
- package/dist/packages/bunshot-core/src/testing.js +1 -0
- package/dist/packages/bunshot-core/src/uploadRegistry.d.ts +23 -0
- package/dist/packages/bunshot-core/src/uploadRegistry.js +4 -0
- package/dist/packages/bunshot-core/src/userResolver.d.ts +5 -0
- package/dist/packages/bunshot-core/src/userResolver.js +14 -0
- package/dist/packages/bunshot-core/src/wsMessages.d.ts +42 -0
- package/dist/packages/bunshot-core/src/wsMessages.js +4 -0
- package/dist/packages/bunshot-permissions/src/adapters/memory.d.ts +7 -0
- package/dist/packages/bunshot-permissions/src/adapters/memory.js +73 -0
- package/dist/packages/bunshot-permissions/src/index.d.ts +10 -0
- package/dist/packages/bunshot-permissions/src/index.js +5 -0
- package/dist/packages/bunshot-permissions/src/lib/bootstrap.d.ts +7 -0
- package/dist/packages/bunshot-permissions/src/lib/bootstrap.js +12 -0
- package/dist/packages/bunshot-permissions/src/lib/evaluator.d.ts +10 -0
- package/dist/packages/bunshot-permissions/src/lib/evaluator.js +165 -0
- package/dist/packages/bunshot-permissions/src/lib/registry.d.ts +2 -0
- package/dist/packages/bunshot-permissions/src/lib/registry.js +31 -0
- package/dist/packages/bunshot-permissions/src/lib/validation.d.ts +1 -0
- package/dist/packages/bunshot-permissions/src/lib/validation.js +1 -0
- package/dist/packages/bunshot-permissions/src/types/adapter.d.ts +1 -0
- package/dist/packages/bunshot-permissions/src/types/adapter.js +1 -0
- package/dist/packages/bunshot-permissions/src/types/evaluator.d.ts +1 -0
- package/dist/packages/bunshot-permissions/src/types/evaluator.js +1 -0
- package/dist/packages/bunshot-permissions/src/types/models.d.ts +1 -0
- package/dist/packages/bunshot-permissions/src/types/models.js +1 -0
- package/dist/packages/bunshot-permissions/src/types/registry.d.ts +1 -0
- package/dist/packages/bunshot-permissions/src/types/registry.js +1 -0
- package/dist/packages/bunshot-postgres/src/adapter.d.ts +6 -0
- package/dist/packages/bunshot-postgres/src/adapter.js +794 -0
- package/dist/packages/bunshot-postgres/src/connection.d.ts +15 -0
- package/dist/packages/bunshot-postgres/src/connection.js +16 -0
- package/dist/packages/bunshot-postgres/src/index.d.ts +4 -0
- package/dist/packages/bunshot-postgres/src/index.js +2 -0
- package/dist/packages/bunshot-postgres/src/schema.d.ts +997 -0
- package/dist/packages/bunshot-postgres/src/schema.js +105 -0
- package/dist/src/app.d.ts +230 -0
- package/dist/src/app.js +182 -0
- package/dist/src/cli/commands/init.d.ts +10 -0
- package/dist/src/cli/commands/init.js +709 -0
- package/dist/src/cli/index.d.ts +1 -0
- package/dist/src/cli/index.js +3 -0
- package/dist/src/entrypoints/mongo.d.ts +6 -0
- package/dist/src/entrypoints/mongo.js +4 -0
- package/dist/src/entrypoints/queue.d.ts +2 -0
- package/dist/src/entrypoints/queue.js +1 -0
- package/dist/src/entrypoints/redis.d.ts +1 -0
- package/dist/src/entrypoints/redis.js +1 -0
- package/dist/{adapters → src/framework/adapters}/localStorage.d.ts +1 -1
- package/dist/{adapters → src/framework/adapters}/localStorage.js +10 -10
- package/dist/src/framework/adapters/memoryStorage.d.ts +2 -0
- package/dist/src/framework/adapters/memoryStorage.js +45 -0
- package/dist/{adapters → src/framework/adapters}/s3Storage.d.ts +1 -1
- package/dist/{adapters → src/framework/adapters}/s3Storage.js +12 -12
- package/dist/src/framework/admin/bunshotAccess.d.ts +2 -0
- package/dist/src/framework/admin/bunshotAccess.js +23 -0
- package/dist/src/framework/admin/bunshotUsers.d.ts +2 -0
- package/dist/src/framework/admin/bunshotUsers.js +103 -0
- package/dist/src/framework/admin/index.d.ts +7 -0
- package/dist/src/framework/admin/index.js +21 -0
- package/dist/src/framework/boundaryAdapters/cacheFactories.d.ts +13 -0
- package/dist/src/framework/boundaryAdapters/cacheFactories.js +86 -0
- package/dist/src/framework/boundaryAdapters/index.d.ts +2 -0
- package/dist/src/framework/boundaryAdapters/index.js +1 -0
- package/dist/src/framework/boundaryAdapters.d.ts +17 -0
- package/dist/src/framework/boundaryAdapters.js +62 -0
- package/dist/src/framework/buildContext.d.ts +33 -0
- package/dist/src/framework/buildContext.js +119 -0
- package/dist/src/framework/config/schema.d.ts +447 -0
- package/dist/src/framework/config/schema.js +528 -0
- package/dist/src/framework/createInfrastructure.d.ts +76 -0
- package/dist/src/framework/createInfrastructure.js +221 -0
- package/dist/src/framework/lib/auditLog.d.ts +23 -0
- package/dist/src/framework/lib/auditLog.js +416 -0
- package/dist/src/framework/lib/captcha.d.ts +11 -0
- package/dist/{lib → src/framework/lib}/captcha.js +13 -10
- package/dist/{lib → src/framework/lib}/createDtoMapper.js +4 -4
- package/dist/src/framework/lib/createRoute.d.ts +1 -0
- package/dist/src/framework/lib/createRoute.js +2 -0
- package/dist/{lib → src/framework/lib}/idempotency.d.ts +2 -6
- package/dist/src/framework/lib/idempotency.js +74 -0
- package/dist/src/framework/lib/logger.d.ts +3 -0
- package/dist/src/framework/lib/logger.js +14 -0
- package/dist/src/framework/lib/metrics.d.ts +34 -0
- package/dist/{lib → src/framework/lib}/metrics.js +49 -57
- package/dist/src/framework/lib/pagination.d.ts +42 -0
- package/dist/src/framework/lib/pagination.js +51 -0
- package/dist/src/framework/lib/redisTransport.d.ts +38 -0
- package/dist/src/framework/lib/redisTransport.js +107 -0
- package/dist/src/framework/lib/resolveUserId.d.ts +2 -0
- package/dist/src/framework/lib/resolveUserId.js +5 -0
- package/dist/src/framework/lib/sseCollision.d.ts +6 -0
- package/dist/src/framework/lib/sseCollision.js +26 -0
- package/dist/src/framework/lib/storageAdapter.d.ts +1 -0
- package/dist/src/framework/lib/storageAdapter.js +1 -0
- package/dist/{lib → src/framework/lib}/stripUnreferencedSchemas.js +4 -4
- package/dist/src/framework/lib/tenant.d.ts +21 -0
- package/dist/src/framework/lib/tenant.js +70 -0
- package/dist/{lib → src/framework/lib}/upload.d.ts +11 -10
- package/dist/src/framework/lib/upload.js +132 -0
- package/dist/src/framework/lib/uploadRegistry.d.ts +23 -0
- package/dist/src/framework/lib/uploadRegistry.js +34 -0
- package/dist/{lib → src/framework/lib}/validate.d.ts +1 -1
- package/dist/{lib → src/framework/lib}/validate.js +2 -2
- package/dist/src/framework/lib/ws.d.ts +19 -0
- package/dist/src/framework/lib/ws.js +130 -0
- package/dist/src/framework/lib/wsHeartbeat.d.ts +12 -0
- package/dist/src/framework/lib/wsHeartbeat.js +53 -0
- package/dist/src/framework/lib/wsMessages.d.ts +25 -0
- package/dist/src/framework/lib/wsMessages.js +45 -0
- package/dist/src/framework/lib/wsNamespace.d.ts +17 -0
- package/dist/src/framework/lib/wsNamespace.js +19 -0
- package/dist/src/framework/lib/wsPresence.d.ts +17 -0
- package/dist/src/framework/lib/wsPresence.js +84 -0
- package/dist/src/framework/lib/wsTransport.d.ts +38 -0
- package/dist/src/framework/lib/wsTransport.js +9 -0
- package/dist/{lib → src/framework/lib}/zodToMongoose.d.ts +1 -1
- package/dist/{lib → src/framework/lib}/zodToMongoose.js +11 -11
- package/dist/{middleware → src/framework/middleware}/auditLog.d.ts +4 -3
- package/dist/src/framework/middleware/auditLog.js +42 -0
- package/dist/{middleware → src/framework/middleware}/botProtection.d.ts +2 -2
- package/dist/{middleware → src/framework/middleware}/botProtection.js +8 -9
- package/dist/src/framework/middleware/cacheResponse.d.ts +35 -0
- package/dist/src/framework/middleware/cacheResponse.js +126 -0
- package/dist/{middleware → src/framework/middleware}/captcha.d.ts +2 -3
- package/dist/src/framework/middleware/captcha.js +37 -0
- package/dist/{middleware → src/framework/middleware}/errorHandler.d.ts +1 -1
- package/dist/{middleware → src/framework/middleware}/errorHandler.js +2 -2
- package/dist/src/framework/middleware/index.js +1 -0
- package/dist/{middleware → src/framework/middleware}/logger.d.ts +1 -1
- package/dist/src/framework/middleware/metrics.d.ts +12 -0
- package/dist/src/framework/middleware/metrics.js +26 -0
- package/dist/{middleware → src/framework/middleware}/rateLimit.d.ts +2 -2
- package/dist/src/framework/middleware/rateLimit.js +22 -0
- package/dist/src/framework/middleware/requestId.d.ts +3 -0
- package/dist/{middleware → src/framework/middleware}/requestId.js +2 -2
- package/dist/{middleware → src/framework/middleware}/requestLogger.d.ts +3 -3
- package/dist/{middleware → src/framework/middleware}/requestLogger.js +17 -12
- package/dist/{middleware → src/framework/middleware}/requestSigning.d.ts +2 -2
- package/dist/{middleware → src/framework/middleware}/requestSigning.js +18 -20
- package/dist/src/framework/middleware/tenant.d.ts +14 -0
- package/dist/{middleware → src/framework/middleware}/tenant.js +31 -27
- package/dist/src/framework/middleware/upload.d.ts +5 -0
- package/dist/{middleware → src/framework/middleware}/upload.js +4 -4
- package/dist/{middleware → src/framework/middleware}/webhookAuth.d.ts +3 -3
- package/dist/{middleware → src/framework/middleware}/webhookAuth.js +11 -12
- package/dist/src/framework/models/AuditLog.d.ts +21 -0
- package/dist/src/framework/models/AuditLog.js +31 -0
- package/dist/src/framework/mountMiddleware.d.ts +91 -0
- package/dist/src/framework/mountMiddleware.js +128 -0
- package/dist/src/framework/mountOptionalEndpoints.d.ts +103 -0
- package/dist/src/framework/mountOptionalEndpoints.js +47 -0
- package/dist/src/framework/mountRoutes.d.ts +21 -0
- package/dist/src/framework/mountRoutes.js +144 -0
- package/dist/src/framework/persistence/cronRegistry.d.ts +28 -0
- package/dist/src/framework/persistence/cronRegistry.js +139 -0
- package/dist/src/framework/persistence/idempotency.d.ts +26 -0
- package/dist/src/framework/persistence/idempotency.js +178 -0
- package/dist/src/framework/persistence/index.d.ts +6 -0
- package/dist/src/framework/persistence/index.js +8 -0
- package/dist/src/framework/persistence/storeInfra.d.ts +9 -0
- package/dist/src/framework/persistence/storeInfra.js +1 -0
- package/dist/src/framework/persistence/uploadRegistry.d.ts +35 -0
- package/dist/src/framework/persistence/uploadRegistry.js +235 -0
- package/dist/src/framework/persistence/wsMessages.d.ts +22 -0
- package/dist/src/framework/persistence/wsMessages.js +296 -0
- package/dist/src/framework/preloadSchemas.d.ts +24 -0
- package/dist/src/framework/preloadSchemas.js +42 -0
- package/dist/src/framework/registerBoundaryAdapters.d.ts +23 -0
- package/dist/src/framework/registerBoundaryAdapters.js +46 -0
- package/dist/src/framework/routes/admin.d.ts +9 -0
- package/dist/src/framework/routes/admin.js +361 -0
- package/dist/src/framework/routes/health.d.ts +1 -0
- package/dist/src/framework/routes/health.js +21 -0
- package/dist/src/framework/routes/home.d.ts +1 -0
- package/dist/src/framework/routes/home.js +18 -0
- package/dist/src/framework/routes/jobs.d.ts +3 -0
- package/dist/{routes → src/framework/routes}/jobs.js +128 -103
- package/dist/src/framework/routes/metrics.d.ts +10 -0
- package/dist/src/framework/routes/metrics.js +57 -0
- package/dist/{routes → src/framework/routes}/uploads.d.ts +3 -3
- package/dist/src/framework/routes/uploads.js +262 -0
- package/dist/src/framework/runPluginLifecycle.d.ts +27 -0
- package/dist/src/framework/runPluginLifecycle.js +121 -0
- package/dist/src/framework/secrets/frameworkSecretSchema.d.ts +58 -0
- package/dist/src/framework/secrets/frameworkSecretSchema.js +20 -0
- package/dist/src/framework/secrets/index.d.ts +9 -0
- package/dist/src/framework/secrets/index.js +7 -0
- package/dist/src/framework/secrets/providers/envProvider.d.ts +15 -0
- package/dist/src/framework/secrets/providers/envProvider.js +18 -0
- package/dist/src/framework/secrets/providers/fileProvider.d.ts +8 -0
- package/dist/src/framework/secrets/providers/fileProvider.js +82 -0
- package/dist/src/framework/secrets/providers/ssmProvider.d.ts +20 -0
- package/dist/src/framework/secrets/providers/ssmProvider.js +127 -0
- package/dist/src/framework/secrets/resolveSecretBundle.d.ts +53 -0
- package/dist/src/framework/secrets/resolveSecretBundle.js +84 -0
- package/dist/src/framework/secrets/resolveSecrets.d.ts +18 -0
- package/dist/src/framework/secrets/resolveSecrets.js +34 -0
- package/dist/src/framework/sse/index.d.ts +21 -0
- package/dist/src/framework/sse/index.js +109 -0
- package/dist/src/framework/ws/index.d.ts +11 -0
- package/dist/src/framework/ws/index.js +8 -0
- package/dist/src/index.d.ts +87 -0
- package/dist/src/index.js +58 -0
- package/dist/src/lib/appConfig.d.ts +7 -0
- package/dist/src/lib/appConfig.js +27 -0
- package/dist/src/lib/appMeta.d.ts +7 -0
- package/dist/src/lib/appMeta.js +3 -0
- package/dist/src/lib/authConfig.d.ts +532 -0
- package/dist/{lib/appConfig.js → src/lib/authConfig.js} +75 -17
- package/dist/{lib → src/lib}/context.d.ts +6 -12
- package/dist/{lib → src/lib}/context.js +5 -5
- package/dist/src/lib/logger.d.ts +1 -0
- package/dist/src/lib/logger.js +1 -0
- package/dist/src/lib/mongo.d.ts +58 -0
- package/dist/src/lib/mongo.js +96 -0
- package/dist/src/lib/queue.d.ts +72 -0
- package/dist/src/lib/queue.js +152 -0
- package/dist/src/lib/redis.d.ts +28 -0
- package/dist/src/lib/redis.js +72 -0
- package/dist/{lib → src/lib}/signing.d.ts +2 -2
- package/dist/src/lib/signing.js +210 -0
- package/dist/src/lib/signingConfig.d.ts +40 -0
- package/dist/src/lib/signingConfig.js +28 -0
- package/dist/src/server.d.ts +146 -0
- package/dist/src/server.js +469 -0
- package/dist/src/shared/lib/HttpError.d.ts +1 -0
- package/dist/src/shared/lib/HttpError.js +2 -0
- package/dist/src/shared/lib/constants.d.ts +10 -0
- package/dist/src/shared/lib/crypto.d.ts +43 -0
- package/dist/src/shared/lib/crypto.js +74 -0
- package/dist/src/shared/lib/signing.d.ts +52 -0
- package/dist/{lib → src/shared/lib}/signing.js +35 -8
- package/dist/src/testing.d.ts +34 -0
- package/dist/src/testing.js +93 -0
- package/package.json +60 -24
- package/dist/adapters/memoryAuth.d.ts +0 -52
- package/dist/adapters/memoryAuth.js +0 -749
- package/dist/adapters/memoryStorage.d.ts +0 -3
- package/dist/adapters/memoryStorage.js +0 -44
- package/dist/adapters/mongoAuth.d.ts +0 -2
- package/dist/adapters/mongoAuth.js +0 -403
- package/dist/adapters/sqliteAuth.d.ts +0 -72
- package/dist/adapters/sqliteAuth.js +0 -858
- package/dist/app.d.ts +0 -559
- package/dist/app.js +0 -651
- package/dist/entrypoints/mongo.d.ts +0 -5
- package/dist/entrypoints/mongo.js +0 -4
- package/dist/entrypoints/queue.d.ts +0 -2
- package/dist/entrypoints/queue.js +0 -1
- package/dist/entrypoints/redis.d.ts +0 -1
- package/dist/entrypoints/redis.js +0 -1
- package/dist/index.d.ts +0 -117
- package/dist/index.js +0 -88
- package/dist/lib/appConfig.d.ts +0 -275
- package/dist/lib/auditLog.d.ts +0 -58
- package/dist/lib/auditLog.js +0 -218
- package/dist/lib/authAdapter.d.ts +0 -246
- package/dist/lib/authAdapter.js +0 -7
- package/dist/lib/authRateLimit.d.ts +0 -13
- package/dist/lib/authRateLimit.js +0 -117
- package/dist/lib/clientIp.d.ts +0 -14
- package/dist/lib/credentialStuffing.d.ts +0 -31
- package/dist/lib/credentialStuffing.js +0 -77
- package/dist/lib/crypto.d.ts +0 -11
- package/dist/lib/crypto.js +0 -22
- package/dist/lib/deletionCancelToken.d.ts +0 -12
- package/dist/lib/deletionCancelToken.js +0 -88
- package/dist/lib/emailVerification.d.ts +0 -19
- package/dist/lib/emailVerification.js +0 -129
- package/dist/lib/fingerprint.js +0 -36
- package/dist/lib/idempotency.js +0 -182
- package/dist/lib/jwks.d.ts +0 -25
- package/dist/lib/jwks.js +0 -51
- package/dist/lib/jwt.d.ts +0 -15
- package/dist/lib/jwt.js +0 -111
- package/dist/lib/metrics.d.ts +0 -14
- package/dist/lib/mfaChallenge.d.ts +0 -55
- package/dist/lib/mfaChallenge.js +0 -398
- package/dist/lib/mongo.d.ts +0 -39
- package/dist/lib/mongo.js +0 -124
- package/dist/lib/oauth.d.ts +0 -40
- package/dist/lib/oauth.js +0 -101
- package/dist/lib/oauthCode.d.ts +0 -15
- package/dist/lib/oauthCode.js +0 -95
- package/dist/lib/pagination.d.ts +0 -119
- package/dist/lib/pagination.js +0 -166
- package/dist/lib/queue.d.ts +0 -37
- package/dist/lib/queue.js +0 -117
- package/dist/lib/redis.d.ts +0 -9
- package/dist/lib/redis.js +0 -61
- package/dist/lib/resetPassword.d.ts +0 -12
- package/dist/lib/resetPassword.js +0 -93
- package/dist/lib/roles.d.ts +0 -7
- package/dist/lib/roles.js +0 -49
- package/dist/lib/saml.d.ts +0 -25
- package/dist/lib/saml.js +0 -64
- package/dist/lib/securityEvents.d.ts +0 -28
- package/dist/lib/securityEvents.js +0 -26
- package/dist/lib/session.d.ts +0 -49
- package/dist/lib/session.js +0 -597
- package/dist/lib/tenant.d.ts +0 -15
- package/dist/lib/tenant.js +0 -65
- package/dist/lib/upload.js +0 -112
- package/dist/lib/uploadRegistry.d.ts +0 -18
- package/dist/lib/uploadRegistry.js +0 -83
- package/dist/lib/ws.d.ts +0 -22
- package/dist/lib/ws.js +0 -96
- package/dist/lib/wsHeartbeat.d.ts +0 -12
- package/dist/lib/wsHeartbeat.js +0 -57
- package/dist/lib/wsMessages.d.ts +0 -40
- package/dist/lib/wsMessages.js +0 -330
- package/dist/lib/wsPresence.d.ts +0 -25
- package/dist/lib/wsPresence.js +0 -99
- package/dist/middleware/auditLog.js +0 -39
- package/dist/middleware/bearerAuth.d.ts +0 -2
- package/dist/middleware/bearerAuth.js +0 -11
- package/dist/middleware/cacheResponse.d.ts +0 -15
- package/dist/middleware/cacheResponse.js +0 -178
- package/dist/middleware/captcha.js +0 -36
- package/dist/middleware/csrf.js +0 -129
- package/dist/middleware/identify.d.ts +0 -3
- package/dist/middleware/identify.js +0 -122
- package/dist/middleware/index.js +0 -1
- package/dist/middleware/metrics.d.ts +0 -9
- package/dist/middleware/metrics.js +0 -26
- package/dist/middleware/rateLimit.js +0 -22
- package/dist/middleware/requestId.d.ts +0 -3
- package/dist/middleware/scimAuth.d.ts +0 -8
- package/dist/middleware/scimAuth.js +0 -29
- package/dist/middleware/tenant.d.ts +0 -5
- package/dist/middleware/upload.d.ts +0 -5
- package/dist/middleware/userAuth.d.ts +0 -3
- package/dist/middleware/userAuth.js +0 -6
- package/dist/models/AuditLog.d.ts +0 -30
- package/dist/models/AuditLog.js +0 -39
- package/dist/models/AuthUser.js +0 -55
- package/dist/models/Group.d.ts +0 -21
- package/dist/models/Group.js +0 -28
- package/dist/models/GroupMembership.js +0 -25
- package/dist/models/TenantRole.d.ts +0 -15
- package/dist/models/TenantRole.js +0 -23
- package/dist/routes/auth.d.ts +0 -12
- package/dist/routes/auth.js +0 -744
- package/dist/routes/groups.js +0 -346
- package/dist/routes/health.d.ts +0 -1
- package/dist/routes/health.js +0 -22
- package/dist/routes/home.d.ts +0 -1
- package/dist/routes/home.js +0 -16
- package/dist/routes/jobs.d.ts +0 -2
- package/dist/routes/m2m.d.ts +0 -2
- package/dist/routes/m2m.js +0 -72
- package/dist/routes/metrics.d.ts +0 -8
- package/dist/routes/metrics.js +0 -55
- package/dist/routes/mfa.d.ts +0 -5
- package/dist/routes/mfa.js +0 -628
- package/dist/routes/oauth.d.ts +0 -2
- package/dist/routes/oauth.js +0 -520
- package/dist/routes/oidc.d.ts +0 -2
- package/dist/routes/oidc.js +0 -29
- package/dist/routes/passkey.d.ts +0 -1
- package/dist/routes/passkey.js +0 -157
- package/dist/routes/saml.d.ts +0 -2
- package/dist/routes/saml.js +0 -86
- package/dist/routes/scim.d.ts +0 -2
- package/dist/routes/scim.js +0 -255
- package/dist/routes/uploads.js +0 -227
- package/dist/schemas/auth.js +0 -30
- package/dist/server.d.ts +0 -57
- package/dist/server.js +0 -112
- package/dist/services/auth.d.ts +0 -29
- package/dist/services/auth.js +0 -238
- package/dist/ws/index.d.ts +0 -10
- package/dist/ws/index.js +0 -39
- package/docs/sections/adding-middleware/full.md +0 -35
- package/docs/sections/adding-models/full.md +0 -125
- package/docs/sections/adding-models/overview.md +0 -13
- package/docs/sections/adding-routes/full.md +0 -182
- package/docs/sections/adding-routes/overview.md +0 -23
- package/docs/sections/auth-flow/full.md +0 -790
- package/docs/sections/auth-flow/overview.md +0 -10
- package/docs/sections/auth-security-examples/full.md +0 -388
- package/docs/sections/authentication/full.md +0 -130
- package/docs/sections/authentication/overview.md +0 -5
- package/docs/sections/cli/full.md +0 -42
- package/docs/sections/configuration/full.md +0 -172
- package/docs/sections/configuration/overview.md +0 -18
- package/docs/sections/configuration-example/full.md +0 -117
- package/docs/sections/configuration-example/overview.md +0 -30
- package/docs/sections/documentation/full.md +0 -171
- package/docs/sections/environment-variables/full.md +0 -55
- package/docs/sections/exports/full.md +0 -123
- package/docs/sections/extending-context/full.md +0 -59
- package/docs/sections/header.md +0 -3
- package/docs/sections/installation/full.md +0 -6
- package/docs/sections/jobs/full.md +0 -140
- package/docs/sections/jobs/overview.md +0 -15
- package/docs/sections/logging/full.md +0 -83
- package/docs/sections/metrics/full.md +0 -131
- package/docs/sections/mongodb-connections/full.md +0 -45
- package/docs/sections/mongodb-connections/overview.md +0 -7
- package/docs/sections/multi-tenancy/full.md +0 -66
- package/docs/sections/multi-tenancy/overview.md +0 -15
- package/docs/sections/oauth/full.md +0 -189
- package/docs/sections/oauth/overview.md +0 -16
- package/docs/sections/package-development/full.md +0 -7
- package/docs/sections/pagination/full.md +0 -93
- package/docs/sections/passkey-login/full.md +0 -90
- package/docs/sections/passkey-login/overview.md +0 -1
- package/docs/sections/peer-dependencies/full.md +0 -47
- package/docs/sections/quick-start/full.md +0 -43
- package/docs/sections/response-caching/full.md +0 -117
- package/docs/sections/response-caching/overview.md +0 -13
- package/docs/sections/roles/full.md +0 -225
- package/docs/sections/roles/overview.md +0 -14
- package/docs/sections/running-without-redis/full.md +0 -16
- package/docs/sections/running-without-redis-or-mongodb/full.md +0 -60
- package/docs/sections/signing/full.md +0 -203
- package/docs/sections/stack/full.md +0 -10
- package/docs/sections/uploads/full.md +0 -208
- package/docs/sections/versioning/full.md +0 -85
- package/docs/sections/webhook-auth/full.md +0 -100
- package/docs/sections/websocket/full.md +0 -196
- package/docs/sections/websocket/overview.md +0 -5
- package/docs/sections/websocket-rooms/full.md +0 -102
- package/docs/sections/websocket-rooms/overview.md +0 -5
- /package/dist/{lib/storageAdapter.js → packages/bunshot-admin/src/types/env.js} +0 -0
- /package/dist/{lib → packages/bunshot-auth/src/lib}/fingerprint.d.ts +0 -0
- /package/dist/{lib → packages/bunshot-auth/src/lib}/logger.d.ts +0 -0
- /package/dist/{lib → packages/bunshot-core/src}/constants.d.ts +0 -0
- /package/dist/{lib → packages/bunshot-core/src}/storageAdapter.d.ts +0 -0
- /package/dist/{lib → src/framework/lib}/createDtoMapper.d.ts +0 -0
- /package/dist/{lib → src/framework/lib}/stripUnreferencedSchemas.d.ts +0 -0
- /package/dist/{middleware → src/framework/middleware}/cors.d.ts +0 -0
- /package/dist/{middleware → src/framework/middleware}/cors.js +0 -0
- /package/dist/{middleware → src/framework/middleware}/index.d.ts +0 -0
- /package/dist/{middleware → src/framework/middleware}/logger.js +0 -0
- /package/dist/{lib → src/shared/lib}/constants.js +0 -0
|
@@ -0,0 +1,1063 @@
|
|
|
1
|
+
import { DEFAULT_MAX_ENTRIES, HttpError, evictExpired, evictOldest, } from '../../../bunshot-core/src/index.js';
|
|
2
|
+
import { hashToken, timingSafeEqual } from '../../../bunshot-core/src/index.js';
|
|
3
|
+
function encodeCursor(createdAt, id) {
|
|
4
|
+
return btoa(JSON.stringify({ createdAt, id }));
|
|
5
|
+
}
|
|
6
|
+
function decodeCursor(cursor) {
|
|
7
|
+
try {
|
|
8
|
+
return JSON.parse(atob(cursor));
|
|
9
|
+
}
|
|
10
|
+
catch {
|
|
11
|
+
return null;
|
|
12
|
+
}
|
|
13
|
+
}
|
|
14
|
+
// ---------------------------------------------------------------------------
|
|
15
|
+
// Factory
|
|
16
|
+
// ---------------------------------------------------------------------------
|
|
17
|
+
const DEFAULT_SESSION_TTL_MS = 60 * 60 * 24 * 7 * 1000; // 7 days
|
|
18
|
+
const OAUTH_STATE_TTL_MS = 5 * 60 * 1000; // 5 minutes
|
|
19
|
+
export function createMemoryAuthAdapter(getConfig) {
|
|
20
|
+
function getSessionTtlMs() {
|
|
21
|
+
const abs = getConfig?.()?.sessionPolicy.absoluteTimeout;
|
|
22
|
+
return abs ? abs * 1000 : DEFAULT_SESSION_TTL_MS;
|
|
23
|
+
}
|
|
24
|
+
// -------------------------------------------------------------------------
|
|
25
|
+
// Instance state — all Maps live inside the closure
|
|
26
|
+
// -------------------------------------------------------------------------
|
|
27
|
+
const _users = new Map();
|
|
28
|
+
const _byEmail = new Map();
|
|
29
|
+
const _sessions = new Map(); // sessionId → session
|
|
30
|
+
const _userSessionIds = new Map(); // userId → Set<sessionId>
|
|
31
|
+
const _refreshTokenIndex = new Map(); // refreshToken → sessionId
|
|
32
|
+
const _oauthStates = new Map();
|
|
33
|
+
const _cache = new Map();
|
|
34
|
+
const _verificationTokens = new Map();
|
|
35
|
+
const _resetTokens = new Map();
|
|
36
|
+
const _cancelTokens = new Map();
|
|
37
|
+
const _oauthCodes = new Map();
|
|
38
|
+
const _oauthReauthStates = new Map();
|
|
39
|
+
const _oauthReauthConfirmations = new Map();
|
|
40
|
+
const _tenantRoles = new Map(); // "userId:tenantId" → roles
|
|
41
|
+
const _groups = new Map(); // groupId → GroupRecord
|
|
42
|
+
const _groupMemberships = new Map();
|
|
43
|
+
const _m2mClients = new Map();
|
|
44
|
+
const _magicLinkTokens = new Map();
|
|
45
|
+
let _memoryWarned = false;
|
|
46
|
+
function warnMemoryAdapter() {
|
|
47
|
+
if (!_memoryWarned) {
|
|
48
|
+
_memoryWarned = true;
|
|
49
|
+
console.warn('[bunshot] Memory adapter for auth has no eviction — for development/testing only');
|
|
50
|
+
}
|
|
51
|
+
}
|
|
52
|
+
// -------------------------------------------------------------------------
|
|
53
|
+
// Session store methods (forward-declared so they can reference each other)
|
|
54
|
+
// -------------------------------------------------------------------------
|
|
55
|
+
const memoryDeleteSession = (sessionId) => {
|
|
56
|
+
const entry = _sessions.get(sessionId);
|
|
57
|
+
if (!entry)
|
|
58
|
+
return;
|
|
59
|
+
// Clean up refresh token reverse-lookup keys
|
|
60
|
+
if (entry.refreshToken)
|
|
61
|
+
_refreshTokenIndex.delete(entry.refreshToken);
|
|
62
|
+
if (entry.prevRefreshToken)
|
|
63
|
+
_refreshTokenIndex.delete(entry.prevRefreshToken);
|
|
64
|
+
if (getConfig().persistSessionMetadata) {
|
|
65
|
+
entry.token = null;
|
|
66
|
+
entry.refreshToken = null;
|
|
67
|
+
entry.prevRefreshToken = null;
|
|
68
|
+
entry.prevTokenExpiresAt = null;
|
|
69
|
+
}
|
|
70
|
+
else {
|
|
71
|
+
_sessions.delete(sessionId);
|
|
72
|
+
_userSessionIds.get(entry.userId)?.delete(sessionId);
|
|
73
|
+
}
|
|
74
|
+
};
|
|
75
|
+
const memoryCreateSession = (userId, token, sessionId, metadata) => {
|
|
76
|
+
const now = Date.now();
|
|
77
|
+
const session = {
|
|
78
|
+
sessionId,
|
|
79
|
+
userId,
|
|
80
|
+
token,
|
|
81
|
+
createdAt: now,
|
|
82
|
+
lastActiveAt: now,
|
|
83
|
+
expiresAt: now + getSessionTtlMs(),
|
|
84
|
+
ipAddress: metadata?.ipAddress,
|
|
85
|
+
userAgent: metadata?.userAgent,
|
|
86
|
+
};
|
|
87
|
+
evictOldest(_sessions, DEFAULT_MAX_ENTRIES);
|
|
88
|
+
_sessions.set(sessionId, session);
|
|
89
|
+
if (!_userSessionIds.has(userId))
|
|
90
|
+
_userSessionIds.set(userId, new Set());
|
|
91
|
+
_userSessionIds.get(userId).add(sessionId);
|
|
92
|
+
};
|
|
93
|
+
// -------------------------------------------------------------------------
|
|
94
|
+
// Return the combined AuthAdapter + MemoryAuthStores object
|
|
95
|
+
// -------------------------------------------------------------------------
|
|
96
|
+
return {
|
|
97
|
+
// -----------------------------------------------------------------------
|
|
98
|
+
// AuthAdapter methods
|
|
99
|
+
// -----------------------------------------------------------------------
|
|
100
|
+
async findByEmail(email) {
|
|
101
|
+
warnMemoryAdapter();
|
|
102
|
+
const id = _byEmail.get(email.toLowerCase());
|
|
103
|
+
if (!id)
|
|
104
|
+
return null;
|
|
105
|
+
const user = _users.get(id);
|
|
106
|
+
if (!user || !user.passwordHash)
|
|
107
|
+
return null;
|
|
108
|
+
return { id: user.id, passwordHash: user.passwordHash };
|
|
109
|
+
},
|
|
110
|
+
async create(email, passwordHash) {
|
|
111
|
+
const normalised = email.toLowerCase();
|
|
112
|
+
if (_byEmail.has(normalised))
|
|
113
|
+
throw new HttpError(409, 'Email already registered');
|
|
114
|
+
const id = crypto.randomUUID();
|
|
115
|
+
const user = {
|
|
116
|
+
id,
|
|
117
|
+
email: normalised,
|
|
118
|
+
identifier: normalised,
|
|
119
|
+
passwordHash,
|
|
120
|
+
providerIds: [],
|
|
121
|
+
roles: [],
|
|
122
|
+
emailVerified: false,
|
|
123
|
+
mfaSecret: null,
|
|
124
|
+
mfaEnabled: false,
|
|
125
|
+
recoveryCodes: [],
|
|
126
|
+
mfaMethods: [],
|
|
127
|
+
webauthnCredentials: [],
|
|
128
|
+
suspended: false,
|
|
129
|
+
passwordHistory: [],
|
|
130
|
+
};
|
|
131
|
+
evictOldest(_users, DEFAULT_MAX_ENTRIES);
|
|
132
|
+
_users.set(id, user);
|
|
133
|
+
_byEmail.set(normalised, id);
|
|
134
|
+
return { id };
|
|
135
|
+
},
|
|
136
|
+
async verifyPassword(userId, password) {
|
|
137
|
+
const user = _users.get(userId);
|
|
138
|
+
if (!user?.passwordHash)
|
|
139
|
+
return false;
|
|
140
|
+
return Bun.password.verify(password, user.passwordHash);
|
|
141
|
+
},
|
|
142
|
+
async getIdentifier(userId) {
|
|
143
|
+
const user = _users.get(userId);
|
|
144
|
+
return user?.identifier ?? user?.email ?? '';
|
|
145
|
+
},
|
|
146
|
+
async setPassword(userId, passwordHash) {
|
|
147
|
+
const user = _users.get(userId);
|
|
148
|
+
if (!user)
|
|
149
|
+
return;
|
|
150
|
+
user.passwordHash = passwordHash;
|
|
151
|
+
},
|
|
152
|
+
async findOrCreateByProvider(provider, providerId, profile) {
|
|
153
|
+
const key = `${provider}:${providerId}`;
|
|
154
|
+
// Find by provider key
|
|
155
|
+
for (const user of _users.values()) {
|
|
156
|
+
if (user.providerIds.includes(key))
|
|
157
|
+
return { id: user.id, created: false };
|
|
158
|
+
}
|
|
159
|
+
// Reject if email belongs to a credential account
|
|
160
|
+
if (profile.email) {
|
|
161
|
+
const existingId = _byEmail.get(profile.email.toLowerCase());
|
|
162
|
+
if (existingId)
|
|
163
|
+
throw new HttpError(409, 'An account with this email already exists. Sign in with your credentials, then link Google from your account settings.');
|
|
164
|
+
}
|
|
165
|
+
const id = crypto.randomUUID();
|
|
166
|
+
const email = profile.email ? profile.email.toLowerCase() : null;
|
|
167
|
+
const user = {
|
|
168
|
+
id,
|
|
169
|
+
email,
|
|
170
|
+
identifier: email,
|
|
171
|
+
passwordHash: null,
|
|
172
|
+
providerIds: [key],
|
|
173
|
+
roles: [],
|
|
174
|
+
emailVerified: false,
|
|
175
|
+
mfaSecret: null,
|
|
176
|
+
mfaEnabled: false,
|
|
177
|
+
recoveryCodes: [],
|
|
178
|
+
mfaMethods: [],
|
|
179
|
+
webauthnCredentials: [],
|
|
180
|
+
suspended: false,
|
|
181
|
+
passwordHistory: [],
|
|
182
|
+
};
|
|
183
|
+
evictOldest(_users, DEFAULT_MAX_ENTRIES);
|
|
184
|
+
_users.set(id, user);
|
|
185
|
+
if (email)
|
|
186
|
+
_byEmail.set(email, id);
|
|
187
|
+
return { id, created: true };
|
|
188
|
+
},
|
|
189
|
+
async linkProvider(userId, provider, providerId) {
|
|
190
|
+
const user = _users.get(userId);
|
|
191
|
+
if (!user)
|
|
192
|
+
throw new HttpError(404, 'User not found');
|
|
193
|
+
const key = `${provider}:${providerId}`;
|
|
194
|
+
if (!user.providerIds.includes(key))
|
|
195
|
+
user.providerIds.push(key);
|
|
196
|
+
},
|
|
197
|
+
async getRoles(userId) {
|
|
198
|
+
return _users.get(userId)?.roles ?? [];
|
|
199
|
+
},
|
|
200
|
+
async setRoles(userId, roles) {
|
|
201
|
+
const user = _users.get(userId);
|
|
202
|
+
if (!user)
|
|
203
|
+
return;
|
|
204
|
+
user.roles = [...roles];
|
|
205
|
+
},
|
|
206
|
+
async addRole(userId, role) {
|
|
207
|
+
const user = _users.get(userId);
|
|
208
|
+
if (!user)
|
|
209
|
+
return;
|
|
210
|
+
if (!user.roles.includes(role))
|
|
211
|
+
user.roles.push(role);
|
|
212
|
+
},
|
|
213
|
+
async removeRole(userId, role) {
|
|
214
|
+
const user = _users.get(userId);
|
|
215
|
+
if (!user)
|
|
216
|
+
return;
|
|
217
|
+
user.roles = user.roles.filter(r => r !== role);
|
|
218
|
+
},
|
|
219
|
+
async getUser(userId) {
|
|
220
|
+
const user = _users.get(userId);
|
|
221
|
+
if (!user)
|
|
222
|
+
return null;
|
|
223
|
+
return {
|
|
224
|
+
email: user.email ?? undefined,
|
|
225
|
+
providerIds: [...user.providerIds],
|
|
226
|
+
emailVerified: user.emailVerified,
|
|
227
|
+
displayName: user.displayName,
|
|
228
|
+
firstName: user.firstName,
|
|
229
|
+
lastName: user.lastName,
|
|
230
|
+
externalId: user.externalId,
|
|
231
|
+
suspended: user.suspended,
|
|
232
|
+
suspendedReason: user.suspendedReason,
|
|
233
|
+
userMetadata: user.userMetadata ? { ...user.userMetadata } : undefined,
|
|
234
|
+
appMetadata: user.appMetadata ? { ...user.appMetadata } : undefined,
|
|
235
|
+
};
|
|
236
|
+
},
|
|
237
|
+
async unlinkProvider(userId, provider) {
|
|
238
|
+
const user = _users.get(userId);
|
|
239
|
+
if (!user)
|
|
240
|
+
throw new HttpError(404, 'User not found');
|
|
241
|
+
user.providerIds = user.providerIds.filter(id => !id.startsWith(`${provider}:`));
|
|
242
|
+
},
|
|
243
|
+
async findByIdentifier(value) {
|
|
244
|
+
const normalized = value.toLowerCase();
|
|
245
|
+
// First try _byEmail index (covers email primaryField)
|
|
246
|
+
const idFromEmail = _byEmail.get(normalized);
|
|
247
|
+
if (idFromEmail) {
|
|
248
|
+
const user = _users.get(idFromEmail);
|
|
249
|
+
if (user)
|
|
250
|
+
return { id: user.id, passwordHash: user.passwordHash ?? '' };
|
|
251
|
+
}
|
|
252
|
+
// Fallback: linear scan for identifier field (non-email primaryField)
|
|
253
|
+
for (const user of _users.values()) {
|
|
254
|
+
if (user.identifier === normalized) {
|
|
255
|
+
return { id: user.id, passwordHash: user.passwordHash ?? '' };
|
|
256
|
+
}
|
|
257
|
+
}
|
|
258
|
+
return null;
|
|
259
|
+
},
|
|
260
|
+
async setEmailVerified(userId, verified) {
|
|
261
|
+
const user = _users.get(userId);
|
|
262
|
+
if (user)
|
|
263
|
+
user.emailVerified = verified;
|
|
264
|
+
},
|
|
265
|
+
async getEmailVerified(userId) {
|
|
266
|
+
return _users.get(userId)?.emailVerified ?? false;
|
|
267
|
+
},
|
|
268
|
+
async deleteUser(userId) {
|
|
269
|
+
const user = _users.get(userId);
|
|
270
|
+
if (user?.email)
|
|
271
|
+
_byEmail.delete(user.email);
|
|
272
|
+
_users.delete(userId);
|
|
273
|
+
// Cascade: clean up sessions (mirrors deleteUserSessions logic)
|
|
274
|
+
const sessionIds = _userSessionIds.get(userId);
|
|
275
|
+
if (sessionIds) {
|
|
276
|
+
for (const sessionId of sessionIds) {
|
|
277
|
+
const session = _sessions.get(sessionId);
|
|
278
|
+
if (session) {
|
|
279
|
+
if (session.refreshToken)
|
|
280
|
+
_refreshTokenIndex.delete(session.refreshToken);
|
|
281
|
+
if (session.prevRefreshToken)
|
|
282
|
+
_refreshTokenIndex.delete(session.prevRefreshToken);
|
|
283
|
+
_sessions.delete(sessionId);
|
|
284
|
+
}
|
|
285
|
+
}
|
|
286
|
+
_userSessionIds.delete(userId);
|
|
287
|
+
}
|
|
288
|
+
// Cascade: clean up tenant roles
|
|
289
|
+
for (const key of _tenantRoles.keys()) {
|
|
290
|
+
if (key.startsWith(`${userId}:`))
|
|
291
|
+
_tenantRoles.delete(key);
|
|
292
|
+
}
|
|
293
|
+
// Cascade: clean up group memberships
|
|
294
|
+
_groupMemberships.delete(userId);
|
|
295
|
+
},
|
|
296
|
+
async hasPassword(userId) {
|
|
297
|
+
return !!_users.get(userId)?.passwordHash;
|
|
298
|
+
},
|
|
299
|
+
async setMfaSecret(userId, secret) {
|
|
300
|
+
const user = _users.get(userId);
|
|
301
|
+
if (user)
|
|
302
|
+
user.mfaSecret = secret;
|
|
303
|
+
},
|
|
304
|
+
async getMfaSecret(userId) {
|
|
305
|
+
return _users.get(userId)?.mfaSecret ?? null;
|
|
306
|
+
},
|
|
307
|
+
async isMfaEnabled(userId) {
|
|
308
|
+
return _users.get(userId)?.mfaEnabled ?? false;
|
|
309
|
+
},
|
|
310
|
+
async setMfaEnabled(userId, enabled) {
|
|
311
|
+
const user = _users.get(userId);
|
|
312
|
+
if (user)
|
|
313
|
+
user.mfaEnabled = enabled;
|
|
314
|
+
},
|
|
315
|
+
async setRecoveryCodes(userId, codes) {
|
|
316
|
+
const user = _users.get(userId);
|
|
317
|
+
if (user)
|
|
318
|
+
user.recoveryCodes = [...codes];
|
|
319
|
+
},
|
|
320
|
+
async getRecoveryCodes(userId) {
|
|
321
|
+
return _users.get(userId)?.recoveryCodes ?? [];
|
|
322
|
+
},
|
|
323
|
+
async removeRecoveryCode(userId, code) {
|
|
324
|
+
const user = _users.get(userId);
|
|
325
|
+
if (user)
|
|
326
|
+
user.recoveryCodes = user.recoveryCodes.filter(c => c !== code);
|
|
327
|
+
},
|
|
328
|
+
async consumeRecoveryCode(userId, hashedCode) {
|
|
329
|
+
// Synchronous find-and-splice — safe in single-threaded Bun (no await between read and write).
|
|
330
|
+
const user = _users.get(userId);
|
|
331
|
+
if (!user)
|
|
332
|
+
return false;
|
|
333
|
+
const codes = user.recoveryCodes;
|
|
334
|
+
const idx = codes.indexOf(hashedCode);
|
|
335
|
+
if (idx === -1)
|
|
336
|
+
return false;
|
|
337
|
+
codes.splice(idx, 1);
|
|
338
|
+
return true;
|
|
339
|
+
},
|
|
340
|
+
async getMfaMethods(userId) {
|
|
341
|
+
const user = _users.get(userId);
|
|
342
|
+
if (!user)
|
|
343
|
+
return [];
|
|
344
|
+
return [...user.mfaMethods];
|
|
345
|
+
},
|
|
346
|
+
async setMfaMethods(userId, methods) {
|
|
347
|
+
const user = _users.get(userId);
|
|
348
|
+
if (user)
|
|
349
|
+
user.mfaMethods = [...methods];
|
|
350
|
+
},
|
|
351
|
+
async getWebAuthnCredentials(userId) {
|
|
352
|
+
return [...(_users.get(userId)?.webauthnCredentials ?? [])];
|
|
353
|
+
},
|
|
354
|
+
async addWebAuthnCredential(userId, credential) {
|
|
355
|
+
const user = _users.get(userId);
|
|
356
|
+
if (user)
|
|
357
|
+
user.webauthnCredentials.push({ ...credential });
|
|
358
|
+
},
|
|
359
|
+
async removeWebAuthnCredential(userId, credentialId) {
|
|
360
|
+
const user = _users.get(userId);
|
|
361
|
+
if (user)
|
|
362
|
+
user.webauthnCredentials = user.webauthnCredentials.filter(c => c.credentialId !== credentialId);
|
|
363
|
+
},
|
|
364
|
+
async updateWebAuthnCredentialSignCount(userId, credentialId, signCount) {
|
|
365
|
+
const user = _users.get(userId);
|
|
366
|
+
if (!user)
|
|
367
|
+
return;
|
|
368
|
+
const cred = user.webauthnCredentials.find(c => c.credentialId === credentialId);
|
|
369
|
+
if (cred)
|
|
370
|
+
cred.signCount = signCount;
|
|
371
|
+
},
|
|
372
|
+
async findUserByWebAuthnCredentialId(credentialId) {
|
|
373
|
+
for (const user of _users.values()) {
|
|
374
|
+
if (user.webauthnCredentials.some(c => c.credentialId === credentialId))
|
|
375
|
+
return user.id;
|
|
376
|
+
}
|
|
377
|
+
return null;
|
|
378
|
+
},
|
|
379
|
+
async getTenantRoles(userId, tenantId) {
|
|
380
|
+
return _tenantRoles.get(`${userId}:${tenantId}`) ?? [];
|
|
381
|
+
},
|
|
382
|
+
async setTenantRoles(userId, tenantId, roles) {
|
|
383
|
+
_tenantRoles.set(`${userId}:${tenantId}`, [...roles]);
|
|
384
|
+
},
|
|
385
|
+
async addTenantRole(userId, tenantId, role) {
|
|
386
|
+
const key = `${userId}:${tenantId}`;
|
|
387
|
+
const current = _tenantRoles.get(key) ?? [];
|
|
388
|
+
if (!current.includes(role)) {
|
|
389
|
+
_tenantRoles.set(key, [...current, role]);
|
|
390
|
+
}
|
|
391
|
+
},
|
|
392
|
+
async removeTenantRole(userId, tenantId, role) {
|
|
393
|
+
const key = `${userId}:${tenantId}`;
|
|
394
|
+
const current = _tenantRoles.get(key);
|
|
395
|
+
if (current) {
|
|
396
|
+
_tenantRoles.set(key, current.filter(r => r !== role));
|
|
397
|
+
}
|
|
398
|
+
},
|
|
399
|
+
async setSuspended(userId, suspended, reason) {
|
|
400
|
+
const user = _users.get(userId);
|
|
401
|
+
if (!user)
|
|
402
|
+
return;
|
|
403
|
+
user.suspended = suspended;
|
|
404
|
+
if (suspended) {
|
|
405
|
+
user.suspendedAt = new Date();
|
|
406
|
+
user.suspendedReason = reason;
|
|
407
|
+
}
|
|
408
|
+
else {
|
|
409
|
+
user.suspendedAt = undefined;
|
|
410
|
+
user.suspendedReason = undefined;
|
|
411
|
+
}
|
|
412
|
+
},
|
|
413
|
+
async getSuspended(userId) {
|
|
414
|
+
const user = _users.get(userId);
|
|
415
|
+
if (!user)
|
|
416
|
+
return null;
|
|
417
|
+
return { suspended: user.suspended, suspendedReason: user.suspendedReason };
|
|
418
|
+
},
|
|
419
|
+
async updateProfile(userId, fields) {
|
|
420
|
+
const user = _users.get(userId);
|
|
421
|
+
if (!user)
|
|
422
|
+
return;
|
|
423
|
+
if ('displayName' in fields)
|
|
424
|
+
user.displayName = fields.displayName;
|
|
425
|
+
if ('firstName' in fields)
|
|
426
|
+
user.firstName = fields.firstName;
|
|
427
|
+
if ('lastName' in fields)
|
|
428
|
+
user.lastName = fields.lastName;
|
|
429
|
+
if ('externalId' in fields)
|
|
430
|
+
user.externalId = fields.externalId;
|
|
431
|
+
if ('userMetadata' in fields)
|
|
432
|
+
user.userMetadata = fields.userMetadata;
|
|
433
|
+
},
|
|
434
|
+
async getUserMetadata(userId) {
|
|
435
|
+
const user = _users.get(userId);
|
|
436
|
+
if (!user)
|
|
437
|
+
return {};
|
|
438
|
+
return {
|
|
439
|
+
userMetadata: user.userMetadata ? { ...user.userMetadata } : undefined,
|
|
440
|
+
appMetadata: user.appMetadata ? { ...user.appMetadata } : undefined,
|
|
441
|
+
};
|
|
442
|
+
},
|
|
443
|
+
async setUserMetadata(userId, data) {
|
|
444
|
+
const user = _users.get(userId);
|
|
445
|
+
if (user)
|
|
446
|
+
user.userMetadata = { ...data };
|
|
447
|
+
},
|
|
448
|
+
async setAppMetadata(userId, data) {
|
|
449
|
+
const user = _users.get(userId);
|
|
450
|
+
if (user)
|
|
451
|
+
user.appMetadata = { ...data };
|
|
452
|
+
},
|
|
453
|
+
async listUsers(query) {
|
|
454
|
+
let users = [..._users.values()];
|
|
455
|
+
if (query.email !== undefined)
|
|
456
|
+
users = users.filter(u => u.email === query.email);
|
|
457
|
+
if (query.externalId !== undefined)
|
|
458
|
+
users = users.filter(u => u.externalId === query.externalId);
|
|
459
|
+
if (query.suspended !== undefined)
|
|
460
|
+
users = users.filter(u => u.suspended === query.suspended);
|
|
461
|
+
const totalResults = users.length;
|
|
462
|
+
const startIndex = query.startIndex ?? 0;
|
|
463
|
+
const count = query.count ?? 100;
|
|
464
|
+
const page = users.slice(startIndex, startIndex + count);
|
|
465
|
+
return {
|
|
466
|
+
users: page.map(u => ({
|
|
467
|
+
id: u.id,
|
|
468
|
+
email: u.email ?? undefined,
|
|
469
|
+
displayName: u.displayName,
|
|
470
|
+
firstName: u.firstName,
|
|
471
|
+
lastName: u.lastName,
|
|
472
|
+
externalId: u.externalId,
|
|
473
|
+
suspended: u.suspended,
|
|
474
|
+
suspendedAt: u.suspendedAt,
|
|
475
|
+
suspendedReason: u.suspendedReason,
|
|
476
|
+
emailVerified: u.emailVerified,
|
|
477
|
+
providerIds: [...u.providerIds],
|
|
478
|
+
})),
|
|
479
|
+
totalResults,
|
|
480
|
+
};
|
|
481
|
+
},
|
|
482
|
+
// -----------------------------------------------------------------------
|
|
483
|
+
// Groups
|
|
484
|
+
// -----------------------------------------------------------------------
|
|
485
|
+
async createGroup(group) {
|
|
486
|
+
// Enforce name uniqueness within scope (null = app-wide, string = tenant-scoped)
|
|
487
|
+
for (const g of _groups.values()) {
|
|
488
|
+
if (g.name === group.name && g.tenantId === group.tenantId) {
|
|
489
|
+
throw new HttpError(409, 'A group with this name already exists in this scope');
|
|
490
|
+
}
|
|
491
|
+
}
|
|
492
|
+
const id = crypto.randomUUID();
|
|
493
|
+
const now = Date.now();
|
|
494
|
+
evictOldest(_groups, DEFAULT_MAX_ENTRIES);
|
|
495
|
+
_groups.set(id, { ...group, id, createdAt: now, updatedAt: now });
|
|
496
|
+
return { id };
|
|
497
|
+
},
|
|
498
|
+
async deleteGroup(groupId) {
|
|
499
|
+
_groups.delete(groupId);
|
|
500
|
+
// Cascade: remove all memberships for this group
|
|
501
|
+
for (const [userId, memberships] of _groupMemberships) {
|
|
502
|
+
const filtered = memberships.filter(m => m.groupId !== groupId);
|
|
503
|
+
if (filtered.length !== memberships.length) {
|
|
504
|
+
_groupMemberships.set(userId, filtered);
|
|
505
|
+
}
|
|
506
|
+
}
|
|
507
|
+
},
|
|
508
|
+
async getGroup(groupId) {
|
|
509
|
+
return _groups.get(groupId) ?? null;
|
|
510
|
+
},
|
|
511
|
+
async listGroups(tenantId, opts) {
|
|
512
|
+
const limit = Math.min(opts?.limit ?? 50, 200);
|
|
513
|
+
const all = [..._groups.values()]
|
|
514
|
+
.filter(g => g.tenantId === tenantId)
|
|
515
|
+
.sort((a, b) => a.createdAt - b.createdAt || a.id.localeCompare(b.id));
|
|
516
|
+
let filtered = all;
|
|
517
|
+
if (opts?.cursor) {
|
|
518
|
+
const c = decodeCursor(opts.cursor);
|
|
519
|
+
if (c) {
|
|
520
|
+
filtered = all.filter(g => g.createdAt > c.createdAt || (g.createdAt === c.createdAt && g.id > c.id));
|
|
521
|
+
}
|
|
522
|
+
}
|
|
523
|
+
const page = filtered.slice(0, limit);
|
|
524
|
+
const nextCursor = filtered.length > limit
|
|
525
|
+
? encodeCursor(page[page.length - 1].createdAt, page[page.length - 1].id)
|
|
526
|
+
: undefined;
|
|
527
|
+
return { items: page, nextCursor };
|
|
528
|
+
},
|
|
529
|
+
async updateGroup(groupId, updates) {
|
|
530
|
+
const group = _groups.get(groupId);
|
|
531
|
+
if (!group)
|
|
532
|
+
return;
|
|
533
|
+
const now = Date.now();
|
|
534
|
+
_groups.set(groupId, {
|
|
535
|
+
...group,
|
|
536
|
+
...updates,
|
|
537
|
+
id: group.id,
|
|
538
|
+
tenantId: group.tenantId,
|
|
539
|
+
createdAt: group.createdAt,
|
|
540
|
+
updatedAt: now,
|
|
541
|
+
});
|
|
542
|
+
},
|
|
543
|
+
async addGroupMember(groupId, userId, roles = []) {
|
|
544
|
+
const group = _groups.get(groupId);
|
|
545
|
+
if (!group)
|
|
546
|
+
throw new HttpError(404, 'Group not found');
|
|
547
|
+
const existing = _groupMemberships.get(userId) ?? [];
|
|
548
|
+
if (existing.some(m => m.groupId === groupId)) {
|
|
549
|
+
throw new HttpError(409, 'User is already a member of this group');
|
|
550
|
+
}
|
|
551
|
+
_groupMemberships.set(userId, [
|
|
552
|
+
...existing,
|
|
553
|
+
{
|
|
554
|
+
groupId,
|
|
555
|
+
roles: [...roles],
|
|
556
|
+
tenantId: group.tenantId,
|
|
557
|
+
createdAt: Date.now(),
|
|
558
|
+
},
|
|
559
|
+
]);
|
|
560
|
+
},
|
|
561
|
+
async updateGroupMembership(groupId, userId, roles) {
|
|
562
|
+
const memberships = _groupMemberships.get(userId);
|
|
563
|
+
if (!memberships)
|
|
564
|
+
return;
|
|
565
|
+
const idx = memberships.findIndex(m => m.groupId === groupId);
|
|
566
|
+
if (idx === -1)
|
|
567
|
+
return;
|
|
568
|
+
memberships[idx] = { ...memberships[idx], roles: [...roles] };
|
|
569
|
+
},
|
|
570
|
+
async removeGroupMember(groupId, userId) {
|
|
571
|
+
const memberships = _groupMemberships.get(userId);
|
|
572
|
+
if (!memberships)
|
|
573
|
+
return;
|
|
574
|
+
_groupMemberships.set(userId, memberships.filter(m => m.groupId !== groupId));
|
|
575
|
+
},
|
|
576
|
+
async getGroupMembers(groupId, opts) {
|
|
577
|
+
const limit = Math.min(opts?.limit ?? 50, 200);
|
|
578
|
+
const all = [];
|
|
579
|
+
for (const [userId, memberships] of _groupMemberships) {
|
|
580
|
+
const m = memberships.find(m => m.groupId === groupId);
|
|
581
|
+
if (m)
|
|
582
|
+
all.push({ userId, roles: [...m.roles], createdAt: m.createdAt });
|
|
583
|
+
}
|
|
584
|
+
all.sort((a, b) => a.createdAt - b.createdAt || a.userId.localeCompare(b.userId));
|
|
585
|
+
let filtered = all;
|
|
586
|
+
if (opts?.cursor) {
|
|
587
|
+
const c = decodeCursor(opts.cursor);
|
|
588
|
+
if (c) {
|
|
589
|
+
filtered = all.filter(m => m.createdAt > c.createdAt || (m.createdAt === c.createdAt && m.userId > c.id));
|
|
590
|
+
}
|
|
591
|
+
}
|
|
592
|
+
const page = filtered.slice(0, limit);
|
|
593
|
+
const nextCursor = filtered.length > limit
|
|
594
|
+
? encodeCursor(page[page.length - 1].createdAt, page[page.length - 1].userId)
|
|
595
|
+
: undefined;
|
|
596
|
+
return {
|
|
597
|
+
items: page.map(({ userId, roles }) => ({ userId, roles })),
|
|
598
|
+
nextCursor,
|
|
599
|
+
};
|
|
600
|
+
},
|
|
601
|
+
async getUserGroups(userId, tenantId) {
|
|
602
|
+
const memberships = (_groupMemberships.get(userId) ?? []).filter(m => m.tenantId === tenantId);
|
|
603
|
+
const result = [];
|
|
604
|
+
for (const m of memberships) {
|
|
605
|
+
const group = _groups.get(m.groupId);
|
|
606
|
+
if (group)
|
|
607
|
+
result.push({ group: { ...group }, membershipRoles: [...m.roles] });
|
|
608
|
+
}
|
|
609
|
+
return result;
|
|
610
|
+
},
|
|
611
|
+
async getEffectiveRoles(userId, tenantId) {
|
|
612
|
+
const direct = tenantId
|
|
613
|
+
? (_tenantRoles.get(`${userId}:${tenantId}`) ?? [])
|
|
614
|
+
: (_users.get(userId)?.roles ?? []);
|
|
615
|
+
const memberships = (_groupMemberships.get(userId) ?? []).filter(m => m.tenantId === tenantId);
|
|
616
|
+
const groupRoles = memberships.flatMap(m => [
|
|
617
|
+
...(_groups.get(m.groupId)?.roles ?? []),
|
|
618
|
+
...m.roles,
|
|
619
|
+
]);
|
|
620
|
+
return [...new Set([...direct, ...groupRoles])];
|
|
621
|
+
},
|
|
622
|
+
async getPasswordHistory(userId) {
|
|
623
|
+
return [...(_users.get(userId)?.passwordHistory ?? [])];
|
|
624
|
+
},
|
|
625
|
+
async addPasswordToHistory(userId, hash, maxCount) {
|
|
626
|
+
const user = _users.get(userId);
|
|
627
|
+
if (!user)
|
|
628
|
+
return;
|
|
629
|
+
user.passwordHistory.push(hash);
|
|
630
|
+
if (user.passwordHistory.length > maxCount) {
|
|
631
|
+
user.passwordHistory = user.passwordHistory.slice(-maxCount);
|
|
632
|
+
}
|
|
633
|
+
},
|
|
634
|
+
// -----------------------------------------------------------------------
|
|
635
|
+
// M2M client credentials
|
|
636
|
+
// -----------------------------------------------------------------------
|
|
637
|
+
async getM2MClient(clientId) {
|
|
638
|
+
for (const c of _m2mClients.values()) {
|
|
639
|
+
if (c.clientId === clientId && c.active)
|
|
640
|
+
return { ...c };
|
|
641
|
+
}
|
|
642
|
+
return null;
|
|
643
|
+
},
|
|
644
|
+
async createM2MClient(data) {
|
|
645
|
+
const id = crypto.randomUUID();
|
|
646
|
+
evictOldest(_m2mClients, DEFAULT_MAX_ENTRIES);
|
|
647
|
+
_m2mClients.set(id, { id, ...data, active: true });
|
|
648
|
+
return { id };
|
|
649
|
+
},
|
|
650
|
+
async deleteM2MClient(clientId) {
|
|
651
|
+
for (const [key, c] of _m2mClients.entries()) {
|
|
652
|
+
if (c.clientId === clientId) {
|
|
653
|
+
_m2mClients.delete(key);
|
|
654
|
+
return;
|
|
655
|
+
}
|
|
656
|
+
}
|
|
657
|
+
},
|
|
658
|
+
async listM2MClients() {
|
|
659
|
+
return Array.from(_m2mClients.values()).map(({ clientSecretHash: _, ...rest }) => rest);
|
|
660
|
+
},
|
|
661
|
+
// -----------------------------------------------------------------------
|
|
662
|
+
// Session store methods
|
|
663
|
+
// -----------------------------------------------------------------------
|
|
664
|
+
memoryAtomicCreateSession(userId, token, sessionId, maxSessions, metadata) {
|
|
665
|
+
const now = Date.now();
|
|
666
|
+
const ids = _userSessionIds.get(userId);
|
|
667
|
+
if (ids) {
|
|
668
|
+
// Count active sessions and find oldest in a single pass
|
|
669
|
+
let activeCount = 0;
|
|
670
|
+
let oldest = null;
|
|
671
|
+
for (const sid of ids) {
|
|
672
|
+
const s = _sessions.get(sid);
|
|
673
|
+
if (s && s.token && s.expiresAt > now) {
|
|
674
|
+
activeCount++;
|
|
675
|
+
if (!oldest || s.createdAt < oldest.createdAt)
|
|
676
|
+
oldest = s;
|
|
677
|
+
}
|
|
678
|
+
}
|
|
679
|
+
// Evict oldest sessions until we have room for the new one
|
|
680
|
+
while (activeCount >= maxSessions && oldest) {
|
|
681
|
+
memoryDeleteSession(oldest.sessionId);
|
|
682
|
+
activeCount--;
|
|
683
|
+
// Find next oldest
|
|
684
|
+
oldest = null;
|
|
685
|
+
for (const sid of ids) {
|
|
686
|
+
const s = _sessions.get(sid);
|
|
687
|
+
if (s && s.token && s.expiresAt > now) {
|
|
688
|
+
if (!oldest || s.createdAt < oldest.createdAt)
|
|
689
|
+
oldest = s;
|
|
690
|
+
}
|
|
691
|
+
}
|
|
692
|
+
}
|
|
693
|
+
}
|
|
694
|
+
// Create the new session
|
|
695
|
+
memoryCreateSession(userId, token, sessionId, metadata);
|
|
696
|
+
},
|
|
697
|
+
memoryCreateSession,
|
|
698
|
+
memoryGetSession(sessionId) {
|
|
699
|
+
const entry = _sessions.get(sessionId);
|
|
700
|
+
if (!entry || !entry.token || entry.expiresAt <= Date.now())
|
|
701
|
+
return null;
|
|
702
|
+
return entry.token;
|
|
703
|
+
},
|
|
704
|
+
memoryGetSessionRecord(sessionId) {
|
|
705
|
+
const entry = _sessions.get(sessionId);
|
|
706
|
+
if (!entry || !entry.token || entry.expiresAt <= Date.now())
|
|
707
|
+
return null;
|
|
708
|
+
return { token: entry.token, lastActiveAt: entry.lastActiveAt };
|
|
709
|
+
},
|
|
710
|
+
memoryDeleteSession,
|
|
711
|
+
memoryGetUserSessions(userId) {
|
|
712
|
+
const ids = _userSessionIds.get(userId);
|
|
713
|
+
if (!ids)
|
|
714
|
+
return [];
|
|
715
|
+
const now = Date.now();
|
|
716
|
+
const config = getConfig();
|
|
717
|
+
const includeInactive = config.includeInactiveSessions;
|
|
718
|
+
const persist = config.persistSessionMetadata;
|
|
719
|
+
const results = [];
|
|
720
|
+
for (const sessionId of ids) {
|
|
721
|
+
const s = _sessions.get(sessionId);
|
|
722
|
+
if (!s)
|
|
723
|
+
continue;
|
|
724
|
+
const isActive = !!s.token && s.expiresAt > now;
|
|
725
|
+
if (!isActive && !persist)
|
|
726
|
+
continue;
|
|
727
|
+
if (!isActive && !includeInactive)
|
|
728
|
+
continue;
|
|
729
|
+
results.push({
|
|
730
|
+
sessionId: s.sessionId,
|
|
731
|
+
createdAt: s.createdAt,
|
|
732
|
+
lastActiveAt: s.lastActiveAt,
|
|
733
|
+
expiresAt: s.expiresAt,
|
|
734
|
+
ipAddress: s.ipAddress,
|
|
735
|
+
userAgent: s.userAgent,
|
|
736
|
+
isActive,
|
|
737
|
+
});
|
|
738
|
+
}
|
|
739
|
+
return results;
|
|
740
|
+
},
|
|
741
|
+
memoryGetActiveSessionCount(userId) {
|
|
742
|
+
const ids = _userSessionIds.get(userId);
|
|
743
|
+
if (!ids)
|
|
744
|
+
return 0;
|
|
745
|
+
const now = Date.now();
|
|
746
|
+
let count = 0;
|
|
747
|
+
for (const sessionId of ids) {
|
|
748
|
+
const s = _sessions.get(sessionId);
|
|
749
|
+
if (s && s.token && s.expiresAt > now)
|
|
750
|
+
count++;
|
|
751
|
+
}
|
|
752
|
+
return count;
|
|
753
|
+
},
|
|
754
|
+
memoryEvictOldestSession(userId) {
|
|
755
|
+
const ids = _userSessionIds.get(userId);
|
|
756
|
+
if (!ids)
|
|
757
|
+
return;
|
|
758
|
+
const now = Date.now();
|
|
759
|
+
let oldest = null;
|
|
760
|
+
for (const sessionId of ids) {
|
|
761
|
+
const s = _sessions.get(sessionId);
|
|
762
|
+
if (!s || !s.token || s.expiresAt <= now)
|
|
763
|
+
continue;
|
|
764
|
+
if (!oldest || s.createdAt < oldest.createdAt)
|
|
765
|
+
oldest = s;
|
|
766
|
+
}
|
|
767
|
+
if (oldest)
|
|
768
|
+
memoryDeleteSession(oldest.sessionId);
|
|
769
|
+
},
|
|
770
|
+
memoryUpdateSessionLastActive(sessionId) {
|
|
771
|
+
const entry = _sessions.get(sessionId);
|
|
772
|
+
if (entry)
|
|
773
|
+
entry.lastActiveAt = Date.now();
|
|
774
|
+
},
|
|
775
|
+
/** Test-only helper: set lastActiveAt to a specific timestamp for idle timeout testing. */
|
|
776
|
+
memorySetSessionLastActive(sessionId, ts) {
|
|
777
|
+
const entry = _sessions.get(sessionId);
|
|
778
|
+
if (entry)
|
|
779
|
+
entry.lastActiveAt = ts;
|
|
780
|
+
},
|
|
781
|
+
memoryGetSessionFingerprint(sessionId) {
|
|
782
|
+
return _sessions.get(sessionId)?.fingerprint ?? null;
|
|
783
|
+
},
|
|
784
|
+
memorySetSessionFingerprint(sessionId, fingerprint) {
|
|
785
|
+
const entry = _sessions.get(sessionId);
|
|
786
|
+
if (entry)
|
|
787
|
+
entry.fingerprint = fingerprint;
|
|
788
|
+
},
|
|
789
|
+
memoryGetMfaVerifiedAt(sessionId) {
|
|
790
|
+
return _sessions.get(sessionId)?.mfaVerifiedAt ?? null;
|
|
791
|
+
},
|
|
792
|
+
memorySetMfaVerifiedAt(sessionId, ts) {
|
|
793
|
+
const entry = _sessions.get(sessionId);
|
|
794
|
+
if (entry)
|
|
795
|
+
entry.mfaVerifiedAt = ts;
|
|
796
|
+
},
|
|
797
|
+
memorySetRefreshToken(sessionId, refreshToken) {
|
|
798
|
+
const entry = _sessions.get(sessionId);
|
|
799
|
+
if (!entry)
|
|
800
|
+
return;
|
|
801
|
+
const tokenHash = hashToken(refreshToken);
|
|
802
|
+
entry.refreshToken = tokenHash;
|
|
803
|
+
_refreshTokenIndex.set(tokenHash, sessionId);
|
|
804
|
+
},
|
|
805
|
+
memoryGetSessionByRefreshToken(refreshToken) {
|
|
806
|
+
const tokenHash = hashToken(refreshToken);
|
|
807
|
+
const sessionId = _refreshTokenIndex.get(tokenHash);
|
|
808
|
+
if (!sessionId)
|
|
809
|
+
return null;
|
|
810
|
+
const entry = _sessions.get(sessionId);
|
|
811
|
+
if (!entry)
|
|
812
|
+
return null;
|
|
813
|
+
// Current refresh token matches (compare hashes — timing-safe)
|
|
814
|
+
if (entry.refreshToken && timingSafeEqual(entry.refreshToken, tokenHash)) {
|
|
815
|
+
return { sessionId: entry.sessionId, userId: entry.userId, newRefreshToken: refreshToken };
|
|
816
|
+
}
|
|
817
|
+
// Check grace window (prevRefreshToken is stored as hash too — timing-safe)
|
|
818
|
+
if (entry.prevRefreshToken &&
|
|
819
|
+
timingSafeEqual(entry.prevRefreshToken, tokenHash) &&
|
|
820
|
+
entry.prevTokenExpiresAt &&
|
|
821
|
+
entry.prevTokenExpiresAt > Date.now()) {
|
|
822
|
+
// Return current plain refresh token so caller can re-issue it directly
|
|
823
|
+
return {
|
|
824
|
+
sessionId: entry.sessionId,
|
|
825
|
+
userId: entry.userId,
|
|
826
|
+
newRefreshToken: entry.refreshTokenPlain ?? entry.refreshToken,
|
|
827
|
+
};
|
|
828
|
+
}
|
|
829
|
+
// Grace window expired — theft detected, invalidate session
|
|
830
|
+
if (entry.prevRefreshToken && timingSafeEqual(entry.prevRefreshToken, tokenHash)) {
|
|
831
|
+
memoryDeleteSession(sessionId);
|
|
832
|
+
return null;
|
|
833
|
+
}
|
|
834
|
+
return null;
|
|
835
|
+
},
|
|
836
|
+
memoryRotateRefreshToken(sessionId, newRefreshToken, newAccessToken) {
|
|
837
|
+
const entry = _sessions.get(sessionId);
|
|
838
|
+
if (!entry)
|
|
839
|
+
return;
|
|
840
|
+
const graceSeconds = getConfig().refreshToken?.rotationGraceSeconds ?? 30;
|
|
841
|
+
const newHash = hashToken(newRefreshToken);
|
|
842
|
+
// Move current hash to prev; store new hash and plain token as current
|
|
843
|
+
const oldHash = entry.refreshToken;
|
|
844
|
+
entry.prevRefreshToken = oldHash;
|
|
845
|
+
entry.prevTokenExpiresAt = Date.now() + graceSeconds * 1000;
|
|
846
|
+
entry.refreshToken = newHash;
|
|
847
|
+
entry.refreshTokenPlain = newRefreshToken;
|
|
848
|
+
entry.token = newAccessToken;
|
|
849
|
+
// Update reverse-lookup index
|
|
850
|
+
_refreshTokenIndex.set(newHash, sessionId);
|
|
851
|
+
// Old hash stays in index during grace window — cleaned up on next lookup or session delete
|
|
852
|
+
},
|
|
853
|
+
memoryDeleteUserSessions(userId) {
|
|
854
|
+
const sessionIds = _userSessionIds.get(userId);
|
|
855
|
+
if (!sessionIds)
|
|
856
|
+
return;
|
|
857
|
+
for (const sessionId of sessionIds) {
|
|
858
|
+
const session = _sessions.get(sessionId);
|
|
859
|
+
if (session) {
|
|
860
|
+
if (session.refreshToken)
|
|
861
|
+
_refreshTokenIndex.delete(session.refreshToken);
|
|
862
|
+
if (session.prevRefreshToken)
|
|
863
|
+
_refreshTokenIndex.delete(session.prevRefreshToken);
|
|
864
|
+
_sessions.delete(sessionId);
|
|
865
|
+
}
|
|
866
|
+
}
|
|
867
|
+
_userSessionIds.delete(userId);
|
|
868
|
+
},
|
|
869
|
+
// -----------------------------------------------------------------------
|
|
870
|
+
// OAuth state helpers
|
|
871
|
+
// -----------------------------------------------------------------------
|
|
872
|
+
memoryStoreOAuthState(state, codeVerifier, linkUserId) {
|
|
873
|
+
evictExpired(_oauthStates);
|
|
874
|
+
evictOldest(_oauthStates, DEFAULT_MAX_ENTRIES);
|
|
875
|
+
_oauthStates.set(state, {
|
|
876
|
+
codeVerifier,
|
|
877
|
+
linkUserId,
|
|
878
|
+
expiresAt: Date.now() + OAUTH_STATE_TTL_MS,
|
|
879
|
+
});
|
|
880
|
+
},
|
|
881
|
+
memoryConsumeOAuthState(state) {
|
|
882
|
+
const entry = _oauthStates.get(state);
|
|
883
|
+
if (!entry || entry.expiresAt <= Date.now()) {
|
|
884
|
+
_oauthStates.delete(state);
|
|
885
|
+
return null;
|
|
886
|
+
}
|
|
887
|
+
_oauthStates.delete(state);
|
|
888
|
+
return { codeVerifier: entry.codeVerifier, linkUserId: entry.linkUserId };
|
|
889
|
+
},
|
|
890
|
+
// -----------------------------------------------------------------------
|
|
891
|
+
// Cache helpers
|
|
892
|
+
// -----------------------------------------------------------------------
|
|
893
|
+
memoryGetCache(key) {
|
|
894
|
+
const entry = _cache.get(key);
|
|
895
|
+
if (!entry)
|
|
896
|
+
return null;
|
|
897
|
+
if (entry.expiresAt !== undefined && entry.expiresAt <= Date.now()) {
|
|
898
|
+
_cache.delete(key);
|
|
899
|
+
return null;
|
|
900
|
+
}
|
|
901
|
+
return entry.value;
|
|
902
|
+
},
|
|
903
|
+
memorySetCache(key, value, ttlSeconds) {
|
|
904
|
+
const expiresAt = ttlSeconds ? Date.now() + ttlSeconds * 1000 : undefined;
|
|
905
|
+
evictExpired(_cache);
|
|
906
|
+
evictOldest(_cache, DEFAULT_MAX_ENTRIES);
|
|
907
|
+
_cache.set(key, { value, expiresAt });
|
|
908
|
+
},
|
|
909
|
+
memoryDelCache(key) {
|
|
910
|
+
_cache.delete(key);
|
|
911
|
+
},
|
|
912
|
+
memoryDelCachePattern(pattern) {
|
|
913
|
+
// Convert glob * to a regex
|
|
914
|
+
const regex = new RegExp('^' + pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*') + '$');
|
|
915
|
+
for (const key of _cache.keys()) {
|
|
916
|
+
if (regex.test(key))
|
|
917
|
+
_cache.delete(key);
|
|
918
|
+
}
|
|
919
|
+
},
|
|
920
|
+
// -----------------------------------------------------------------------
|
|
921
|
+
// Email verification token helpers
|
|
922
|
+
// -----------------------------------------------------------------------
|
|
923
|
+
memoryCreateVerificationToken(token, userId, email, ttlSeconds) {
|
|
924
|
+
evictExpired(_verificationTokens);
|
|
925
|
+
evictOldest(_verificationTokens, DEFAULT_MAX_ENTRIES);
|
|
926
|
+
_verificationTokens.set(token, { userId, email, expiresAt: Date.now() + ttlSeconds * 1000 });
|
|
927
|
+
},
|
|
928
|
+
memoryGetVerificationToken(token) {
|
|
929
|
+
const entry = _verificationTokens.get(token);
|
|
930
|
+
if (!entry || entry.expiresAt <= Date.now()) {
|
|
931
|
+
_verificationTokens.delete(token);
|
|
932
|
+
return null;
|
|
933
|
+
}
|
|
934
|
+
return { userId: entry.userId, email: entry.email };
|
|
935
|
+
},
|
|
936
|
+
memoryDeleteVerificationToken(token) {
|
|
937
|
+
_verificationTokens.delete(token);
|
|
938
|
+
},
|
|
939
|
+
memoryConsumeVerificationToken(token) {
|
|
940
|
+
const entry = _verificationTokens.get(token);
|
|
941
|
+
if (!entry || entry.expiresAt <= Date.now()) {
|
|
942
|
+
_verificationTokens.delete(token);
|
|
943
|
+
return null;
|
|
944
|
+
}
|
|
945
|
+
_verificationTokens.delete(token);
|
|
946
|
+
return { userId: entry.userId, email: entry.email };
|
|
947
|
+
},
|
|
948
|
+
// -----------------------------------------------------------------------
|
|
949
|
+
// Password reset token helpers
|
|
950
|
+
// -----------------------------------------------------------------------
|
|
951
|
+
memoryCreateResetToken(token, userId, email, ttlSeconds) {
|
|
952
|
+
const now = Date.now();
|
|
953
|
+
evictExpired(_resetTokens);
|
|
954
|
+
evictOldest(_resetTokens, DEFAULT_MAX_ENTRIES);
|
|
955
|
+
_resetTokens.set(token, { userId, email, expiresAt: now + ttlSeconds * 1000 });
|
|
956
|
+
},
|
|
957
|
+
memoryConsumeResetToken(hash) {
|
|
958
|
+
const entry = _resetTokens.get(hash);
|
|
959
|
+
if (!entry || entry.expiresAt <= Date.now()) {
|
|
960
|
+
_resetTokens.delete(hash);
|
|
961
|
+
return null;
|
|
962
|
+
}
|
|
963
|
+
_resetTokens.delete(hash);
|
|
964
|
+
return { userId: entry.userId, email: entry.email };
|
|
965
|
+
},
|
|
966
|
+
// -----------------------------------------------------------------------
|
|
967
|
+
// OAuth code helpers
|
|
968
|
+
// -----------------------------------------------------------------------
|
|
969
|
+
memoryStoreOAuthCode(hash, payload, ttlSeconds) {
|
|
970
|
+
evictExpired(_oauthCodes);
|
|
971
|
+
evictOldest(_oauthCodes, DEFAULT_MAX_ENTRIES);
|
|
972
|
+
_oauthCodes.set(hash, { ...payload, expiresAt: Date.now() + ttlSeconds * 1000 });
|
|
973
|
+
},
|
|
974
|
+
memoryConsumeOAuthCode(hash) {
|
|
975
|
+
const entry = _oauthCodes.get(hash);
|
|
976
|
+
if (!entry || entry.expiresAt <= Date.now()) {
|
|
977
|
+
_oauthCodes.delete(hash);
|
|
978
|
+
return null;
|
|
979
|
+
}
|
|
980
|
+
_oauthCodes.delete(hash);
|
|
981
|
+
return {
|
|
982
|
+
token: entry.token,
|
|
983
|
+
userId: entry.userId,
|
|
984
|
+
email: entry.email,
|
|
985
|
+
refreshToken: entry.refreshToken,
|
|
986
|
+
};
|
|
987
|
+
},
|
|
988
|
+
// -----------------------------------------------------------------------
|
|
989
|
+
// Account deletion cancel token helpers
|
|
990
|
+
// -----------------------------------------------------------------------
|
|
991
|
+
memoryCreateDeletionCancelToken(token, userId, jobId, ttlSeconds) {
|
|
992
|
+
const now = Date.now();
|
|
993
|
+
evictExpired(_cancelTokens);
|
|
994
|
+
evictOldest(_cancelTokens, DEFAULT_MAX_ENTRIES);
|
|
995
|
+
_cancelTokens.set(token, { userId, jobId, expiresAt: now + ttlSeconds * 1000 });
|
|
996
|
+
},
|
|
997
|
+
memoryConsumeDeletionCancelToken(hash) {
|
|
998
|
+
const entry = _cancelTokens.get(hash);
|
|
999
|
+
if (!entry || entry.expiresAt <= Date.now()) {
|
|
1000
|
+
_cancelTokens.delete(hash);
|
|
1001
|
+
return null;
|
|
1002
|
+
}
|
|
1003
|
+
_cancelTokens.delete(hash);
|
|
1004
|
+
return { userId: entry.userId, jobId: entry.jobId };
|
|
1005
|
+
},
|
|
1006
|
+
// -----------------------------------------------------------------------
|
|
1007
|
+
// Magic link token helpers
|
|
1008
|
+
// -----------------------------------------------------------------------
|
|
1009
|
+
memoryCreateMagicLinkToken(token, userId, ttlSeconds) {
|
|
1010
|
+
const now = Date.now();
|
|
1011
|
+
evictExpired(_magicLinkTokens);
|
|
1012
|
+
evictOldest(_magicLinkTokens, DEFAULT_MAX_ENTRIES);
|
|
1013
|
+
_magicLinkTokens.set(token, { userId, expiresAt: now + ttlSeconds * 1000 });
|
|
1014
|
+
},
|
|
1015
|
+
memoryConsumeMagicLinkToken(hash) {
|
|
1016
|
+
const entry = _magicLinkTokens.get(hash);
|
|
1017
|
+
if (!entry || entry.expiresAt <= Date.now()) {
|
|
1018
|
+
_magicLinkTokens.delete(hash);
|
|
1019
|
+
return null;
|
|
1020
|
+
}
|
|
1021
|
+
_magicLinkTokens.delete(hash);
|
|
1022
|
+
return entry.userId;
|
|
1023
|
+
},
|
|
1024
|
+
// -----------------------------------------------------------------------
|
|
1025
|
+
// OAuth re-auth state helpers
|
|
1026
|
+
// -----------------------------------------------------------------------
|
|
1027
|
+
memoryStoreOAuthReauth(hash, data, ttlSeconds) {
|
|
1028
|
+
evictExpired(_oauthReauthStates);
|
|
1029
|
+
evictOldest(_oauthReauthStates, DEFAULT_MAX_ENTRIES);
|
|
1030
|
+
_oauthReauthStates.set(hash, { ...data, expiresAt: Date.now() + ttlSeconds * 1000 });
|
|
1031
|
+
},
|
|
1032
|
+
memoryConsumeOAuthReauth(hash) {
|
|
1033
|
+
const entry = _oauthReauthStates.get(hash);
|
|
1034
|
+
if (!entry || entry.expiresAt <= Date.now()) {
|
|
1035
|
+
_oauthReauthStates.delete(hash);
|
|
1036
|
+
return null;
|
|
1037
|
+
}
|
|
1038
|
+
_oauthReauthStates.delete(hash);
|
|
1039
|
+
return {
|
|
1040
|
+
userId: entry.userId,
|
|
1041
|
+
sessionId: entry.sessionId,
|
|
1042
|
+
provider: entry.provider,
|
|
1043
|
+
purpose: entry.purpose,
|
|
1044
|
+
expiresAt: entry.expiresAt,
|
|
1045
|
+
returnUrl: entry.returnUrl,
|
|
1046
|
+
};
|
|
1047
|
+
},
|
|
1048
|
+
memoryStoreOAuthReauthConfirmation(hash, data, ttlSeconds) {
|
|
1049
|
+
evictExpired(_oauthReauthConfirmations);
|
|
1050
|
+
evictOldest(_oauthReauthConfirmations, DEFAULT_MAX_ENTRIES);
|
|
1051
|
+
_oauthReauthConfirmations.set(hash, { ...data, expiresAt: Date.now() + ttlSeconds * 1000 });
|
|
1052
|
+
},
|
|
1053
|
+
memoryConsumeOAuthReauthConfirmation(hash) {
|
|
1054
|
+
const entry = _oauthReauthConfirmations.get(hash);
|
|
1055
|
+
if (!entry || entry.expiresAt <= Date.now()) {
|
|
1056
|
+
_oauthReauthConfirmations.delete(hash);
|
|
1057
|
+
return null;
|
|
1058
|
+
}
|
|
1059
|
+
_oauthReauthConfirmations.delete(hash);
|
|
1060
|
+
return { userId: entry.userId, purpose: entry.purpose };
|
|
1061
|
+
},
|
|
1062
|
+
};
|
|
1063
|
+
}
|