@lastshotlabs/bunshot 0.0.27 → 0.1.0

package/dist/lib/jwt.js

@@ -1,111 +0,0 @@
-import { SignJWT, jwtVerify } from "jose";
-import { getJwtIssuer, getJwtAudience } from "./appConfig";
-import { getSigningPrivateKey, getVerifyPublicKeys, isJwksLoaded } from "./jwks";
-let _secret = null;
-let _algorithm = "HS256";
-function getSecret() {
-    if (_secret)
-        return _secret;
-    const isProd = process.env.NODE_ENV === "production";
-    const envKey = isProd ? "JWT_SECRET_PROD" : "JWT_SECRET_DEV";
-    const rawSecret = process.env[envKey];
-    if (!rawSecret || rawSecret.length < 32) {
-        throw new Error(`[security] ${envKey} is missing or too short (${rawSecret?.length ?? 0} chars). ` +
-            `JWT secrets must be at least 32 characters. Generate one with: ` +
-            `node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"`);
-    }
-    _secret = new TextEncoder().encode(rawSecret);
-    return _secret;
-}
-export function validateJwtSecrets() {
-    if (_algorithm !== "RS256") {
-        getSecret();
-    }
-}
-export async function signToken(claimsOrUserId, sessionIdOrExpiry, expirySeconds) {
-    let claims;
-    let expiry;
-    if (typeof claimsOrUserId === "string") {
-        // Legacy positional: signToken(userId, sessionId, expirySeconds?)
-        claims = { sub: claimsOrUserId, sid: sessionIdOrExpiry };
-        expiry = expirySeconds;
-    }
-    else {
-        // New object form: signToken(claims, expirySeconds?)
-        claims = claimsOrUserId;
-        expiry = sessionIdOrExpiry;
-    }
-    if (_algorithm === "RS256") {
-        if (!isJwksLoaded()) {
-            throw new Error("RS256 requires OIDC key configuration — call loadJwksKey() first");
-        }
-        // Use RS256 with JWKS key
-        const privateKey = getSigningPrivateKey();
-        const jwt = new SignJWT(claims)
-            .setProtectedHeader({ alg: "RS256", kid: "key-1" })
-            .setIssuedAt()
-            .setExpirationTime(expiry ? `${expiry}s` : "7d");
-        const issuer = getJwtIssuer();
-        const audience = getJwtAudience();
-        if (issuer)
-            jwt.setIssuer(issuer);
-        if (audience)
-            jwt.setAudience(audience);
-        return jwt.sign(privateKey);
-    }
-    const jwt = new SignJWT(claims)
-        .setProtectedHeader({ alg: _algorithm })
-        .setIssuedAt()
-        .setExpirationTime(expiry ? `${expiry}s` : "7d");
-    const issuer = getJwtIssuer();
-    const audience = getJwtAudience();
-    if (issuer)
-        jwt.setIssuer(issuer);
-    if (audience)
-        jwt.setAudience(audience);
-    return jwt.sign(getSecret());
-}
-export const verifyToken = async (token) => {
-    if (_algorithm === "RS256") {
-        if (!isJwksLoaded()) {
-            throw new Error("RS256 requires OIDC key configuration");
-        }
-        const publicKeys = getVerifyPublicKeys();
-        const opts = { algorithms: ["RS256"] };
-        const issuer = getJwtIssuer();
-        const audience = getJwtAudience();
-        if (issuer)
-            opts.issuer = issuer;
-        if (audience)
-            opts.audience = audience;
-        // Try each key (supports key rotation)
-        for (const key of publicKeys) {
-            try {
-                const { payload } = await jwtVerify(token, key, opts);
-                return payload;
-            }
-            catch {
-                continue;
-            }
-        }
-        throw new Error("JWT verification failed with all available keys");
-    }
-    const issuer = getJwtIssuer();
-    const audience = getJwtAudience();
-    const opts = { algorithms: [_algorithm] };
-    if (issuer)
-        opts.issuer = issuer;
-    if (audience)
-        opts.audience = audience;
-    const { payload } = await jwtVerify(token, getSecret(), opts);
-    return payload;
-};
-/** @internal — used by Feature 8 (OIDC) to switch to RS256 once key material is loaded */
-export function _setAlgorithm(alg) {
-    _algorithm = alg;
-}
-/** @internal — reset for testing */
-export function _resetJwtState() {
-    _secret = null;
-    _algorithm = "HS256";
-}

package/dist/lib/metrics.d.ts

@@ -1,14 +0,0 @@
-type Labels = Record<string, string>;
-export declare function defaultNormalizePath(path: string): string;
-export declare function incrementCounter(name: string, labels: Labels, amount?: number): void;
-export declare function observeHistogram(name: string, labels: Labels, value: number, buckets?: number[]): void;
-type GaugeCallback = () => Promise<{
-    labels: Labels;
-    value: number;
-}[]>;
-export declare function registerGaugeCallback(name: string, cb: GaugeCallback): void;
-export declare function serializeMetrics(): Promise<string>;
-export declare function resetMetrics(): void;
-export declare function setMetricsQueues(map: Map<string, any>): void;
-export declare function closeMetricsQueues(): Promise<void>;
-export {};

package/dist/lib/mfaChallenge.d.ts

@@ -1,55 +0,0 @@
-export type MfaChallengePurpose = "login" | "webauthn-registration" | "passkey-login";
-export interface MfaChallengeOptions {
-    emailOtpHash?: string;
-    webauthnChallenge?: string;
-}
-export interface MfaChallengeData {
-    userId: string;
-    purpose: MfaChallengePurpose;
-    emailOtpHash?: string;
-    webauthnChallenge?: string;
-}
-/** Reset all in-memory MFA challenge state. Called by clearMemoryStore(). */
-export declare const clearMemoryMfaChallenges: () => void;
-/** Must be called when store is "sqlite" to inject the db instance. */
-export declare const setMfaChallengeSqliteDb: (db: any) => void;
-type MfaChallengeStore = "redis" | "mongo" | "sqlite" | "memory";
-export declare const setMfaChallengeStore: (store: MfaChallengeStore) => void;
-export declare const createMfaChallenge: (userId: string, options?: MfaChallengeOptions) => Promise<string>;
-export declare const consumeMfaChallenge: (token: string) => Promise<MfaChallengeData | null>;
-/**
- * Replace the email OTP hash on an existing challenge without consuming it.
- * Used for the resend flow. Increments resendCount and caps the challenge lifetime.
- * Returns { userId, resendCount } on success, null if challenge not found/expired/max resends reached.
- */
-export declare const replaceMfaChallengeOtp: (token: string, newEmailOtpHash: string) => Promise<{
-    userId: string;
-    resendCount: number;
-} | null>;
-/**
- * Create a WebAuthn registration challenge token. Separate from the login flow —
- * uses `purpose: "webauthn-registration"` so it cannot be consumed by `consumeMfaChallenge`.
- */
-export declare const createWebAuthnRegistrationChallenge: (userId: string, challenge: string) => Promise<string>;
-/**
- * Consume a WebAuthn registration challenge token.
- * Only accepts tokens with `purpose: "webauthn-registration"`.
- */
-export declare const consumeWebAuthnRegistrationChallenge: (token: string) => Promise<{
-    userId: string;
-    challenge: string;
-} | null>;
-/**
- * Create a passkey login challenge token. Not tied to a user — userId is resolved
- * from the credential after assertion. Uses a fixed 120s TTL.
- */
-export declare const createPasskeyLoginChallenge: (challenge: string) => Promise<string>;
-/**
- * Consume a passkey login challenge token.
- * Only accepts tokens with `purpose: "passkey-login"`.
- * Returns the stored webauthnChallenge bytes or null if expired/invalid.
- */
-export declare const consumePasskeyLoginChallenge: (token: string) => Promise<{
-    webauthnChallenge: string;
-} | null>;
-export {};

package/dist/lib/mfaChallenge.js

@@ -1,398 +0,0 @@
-import { getRedis } from "./redis";
-import { appConnection, mongoose } from "./mongo";
-import { getAppName, getMfaChallengeTtl } from "./appConfig";
-import { sha256 } from "./crypto";
-const MAX_RESENDS = 3;
-function getMfaChallengeModel() {
-    if (appConnection.models["MfaChallenge"])
-        return appConnection.models["MfaChallenge"];
-    const { Schema } = mongoose;
-    const schema = new Schema({
-        token: { type: String, required: true, unique: true },
-        userId: { type: String, required: true },
-        purpose: { type: String, required: true, default: "login" },
-        emailOtpHash: { type: String },
-        webauthnChallenge: { type: String },
-        createdAt: { type: Date, required: true },
-        resendCount: { type: Number, required: true, default: 0 },
-        expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
-    }, { collection: "mfa_challenges" });
-    return appConnection.model("MfaChallenge", schema);
-}
-// ---------------------------------------------------------------------------
-// In-memory store
-// ---------------------------------------------------------------------------
-const _memoryChallenges = new Map();
-/** Reset all in-memory MFA challenge state. Called by clearMemoryStore(). */
-export const clearMemoryMfaChallenges = () => { _memoryChallenges.clear(); };
-// ---------------------------------------------------------------------------
-// SQLite store (reuses the existing SQLite DB instance)
-// ---------------------------------------------------------------------------
-let _sqliteDb = null;
-let _sqliteTableCreated = false;
-/** Must be called when store is "sqlite" to inject the db instance. */
-export const setMfaChallengeSqliteDb = (db) => { _sqliteDb = db; };
-function ensureSqliteMfaTable() {
-    if (_sqliteTableCreated || !_sqliteDb)
-        return;
-    _sqliteDb.run(`CREATE TABLE IF NOT EXISTS mfa_challenges (
-    token             TEXT PRIMARY KEY,
-    userId            TEXT NOT NULL,
-    purpose           TEXT NOT NULL DEFAULT 'login',
-    emailOtpHash      TEXT,
-    webauthnChallenge TEXT,
-    createdAt         INTEGER NOT NULL,
-    resendCount       INTEGER NOT NULL DEFAULT 0,
-    expiresAt         INTEGER NOT NULL
-  )`);
-    // Migrate pre-existing tables that lack newer columns
-    try {
-        _sqliteDb.run("ALTER TABLE mfa_challenges ADD COLUMN emailOtpHash TEXT");
-    }
-    catch { /* already exists */ }
-    try {
-        _sqliteDb.run("ALTER TABLE mfa_challenges ADD COLUMN createdAt INTEGER NOT NULL DEFAULT 0");
-    }
-    catch { /* already exists */ }
-    try {
-        _sqliteDb.run("ALTER TABLE mfa_challenges ADD COLUMN resendCount INTEGER NOT NULL DEFAULT 0");
-    }
-    catch { /* already exists */ }
-    try {
-        _sqliteDb.run("ALTER TABLE mfa_challenges ADD COLUMN purpose TEXT NOT NULL DEFAULT 'login'");
-    }
-    catch { /* already exists */ }
-    try {
-        _sqliteDb.run("ALTER TABLE mfa_challenges ADD COLUMN webauthnChallenge TEXT");
-    }
-    catch { /* already exists */ }
-    _sqliteTableCreated = true;
-}
-// ---------------------------------------------------------------------------
-// Redis helpers
-// ---------------------------------------------------------------------------
-/** Atomically GET+DEL a key. Uses native GETDEL (Redis >= 6.2) with a Lua fallback. */
-async function redisGetDel(key) {
-    const redis = getRedis();
-    if (typeof redis.getdel === "function") {
-        try {
-            return await redis.getdel(key);
-        }
-        catch (err) {
-            const msg = err?.message ?? "";
-            if (!/unknown command|ERR unknown command/i.test(msg))
-                throw err;
-            // Fall through to Lua on "unknown command"
-        }
-    }
-    const result = await redis.eval("local v = redis.call('GET', KEYS[1])\nif v then redis.call('DEL', KEYS[1]) end\nreturn v", 1, key);
-    return result ?? null;
-}
-let _store = "redis";
-export const setMfaChallengeStore = (store) => { _store = store; };
-// ---------------------------------------------------------------------------
-// Public API
-// ---------------------------------------------------------------------------
-export const createMfaChallenge = async (userId, options) => {
-    const bytes = new Uint8Array(32);
-    crypto.getRandomValues(bytes);
-    const token = Buffer.from(bytes).toString("base64url");
-    const hash = sha256(token);
-    const ttl = getMfaChallengeTtl();
-    const now = Date.now();
-    const purpose = "login";
-    const emailOtpHash = options?.emailOtpHash;
-    const webauthnChallenge = options?.webauthnChallenge;
-    if (_store === "memory") {
-        _memoryChallenges.set(hash, { userId, purpose, emailOtpHash, webauthnChallenge, createdAt: now, resendCount: 0, expiresAt: now + ttl * 1000 });
-        return token;
-    }
-    if (_store === "sqlite") {
-        ensureSqliteMfaTable();
-        _sqliteDb.run("INSERT INTO mfa_challenges (token, userId, purpose, emailOtpHash, webauthnChallenge, createdAt, resendCount, expiresAt) VALUES (?, ?, ?, ?, ?, ?, 0, ?)", [hash, userId, purpose, emailOtpHash ?? null, webauthnChallenge ?? null, now, now + ttl * 1000]);
-        return token;
-    }
-    if (_store === "mongo") {
-        await getMfaChallengeModel().create({
-            token: hash,
-            userId,
-            purpose,
-            emailOtpHash,
-            webauthnChallenge,
-            createdAt: new Date(now),
-            resendCount: 0,
-            expiresAt: new Date(now + ttl * 1000),
-        });
-        return token;
-    }
-    // redis
-    await getRedis().set(`mfachallenge:${getAppName()}:${hash}`, JSON.stringify({ userId, purpose, emailOtpHash, webauthnChallenge, createdAt: now, resendCount: 0 }), "EX", ttl);
-    return token;
-};
-export const consumeMfaChallenge = async (token) => {
-    const hash = sha256(token);
-    if (_store === "memory") {
-        const entry = _memoryChallenges.get(hash);
-        if (!entry || entry.expiresAt <= Date.now()) {
-            _memoryChallenges.delete(hash);
-            return null;
-        }
-        _memoryChallenges.delete(hash);
-        if (entry.purpose !== "login")
-            return null;
-        return { userId: entry.userId, purpose: entry.purpose, emailOtpHash: entry.emailOtpHash, webauthnChallenge: entry.webauthnChallenge };
-    }
-    if (_store === "sqlite") {
-        ensureSqliteMfaTable();
-        const row = _sqliteDb.query("DELETE FROM mfa_challenges WHERE token = ? AND expiresAt > ? RETURNING userId, purpose, emailOtpHash, webauthnChallenge").get(hash, Date.now());
-        if (!row || row.purpose !== "login")
-            return null;
-        return { userId: row.userId, purpose: "login", emailOtpHash: row.emailOtpHash ?? undefined, webauthnChallenge: row.webauthnChallenge ?? undefined };
-    }
-    if (_store === "mongo") {
-        const doc = await getMfaChallengeModel().findOneAndDelete({ token: hash, expiresAt: { $gt: new Date() } });
-        if (!doc || doc.purpose !== "login")
-            return null;
-        return { userId: doc.userId, purpose: "login", emailOtpHash: doc.emailOtpHash, webauthnChallenge: doc.webauthnChallenge };
-    }
-    // redis
-    const key = `mfachallenge:${getAppName()}:${hash}`;
-    const raw = await redisGetDel(key);
-    if (!raw)
-        return null;
-    const data = JSON.parse(raw);
-    if (data.purpose !== "login")
-        return null;
-    return { userId: data.userId, purpose: "login", emailOtpHash: data.emailOtpHash, webauthnChallenge: data.webauthnChallenge };
-};
-/**
- * Replace the email OTP hash on an existing challenge without consuming it.
- * Used for the resend flow. Increments resendCount and caps the challenge lifetime.
- * Returns { userId, resendCount } on success, null if challenge not found/expired/max resends reached.
- */
-export const replaceMfaChallengeOtp = async (token, newEmailOtpHash) => {
-    const hash = sha256(token);
-    const ttl = getMfaChallengeTtl();
-    if (_store === "memory") {
-        const entry = _memoryChallenges.get(hash);
-        if (!entry || entry.expiresAt <= Date.now()) {
-            _memoryChallenges.delete(hash);
-            return null;
-        }
-        if (entry.resendCount >= MAX_RESENDS)
-            return null;
-        entry.emailOtpHash = newEmailOtpHash;
-        entry.resendCount++;
-        // Cap lifetime: min(now + ttl, createdAt + ttl * 3)
-        const maxExpiry = entry.createdAt + ttl * 3 * 1000;
-        entry.expiresAt = Math.min(Date.now() + ttl * 1000, maxExpiry);
-        return { userId: entry.userId, resendCount: entry.resendCount };
-    }
-    if (_store === "sqlite") {
-        ensureSqliteMfaTable();
-        const now = Date.now();
-        const existing = _sqliteDb.query("SELECT createdAt, resendCount FROM mfa_challenges WHERE token = ? AND expiresAt > ?").get(hash, now);
-        if (!existing || existing.resendCount >= MAX_RESENDS)
-            return null;
-        const newExpiry = Math.min(now + ttl * 1000, existing.createdAt + ttl * 3 * 1000);
-        const newCount = existing.resendCount + 1;
-        const row = _sqliteDb.query("UPDATE mfa_challenges SET emailOtpHash = ?, resendCount = ?, expiresAt = ? WHERE token = ? RETURNING userId").get(newEmailOtpHash, newCount, newExpiry, hash);
-        return row ? { userId: row.userId, resendCount: newCount } : null;
-    }
-    if (_store === "mongo") {
-        const now = new Date();
-        const existing = await getMfaChallengeModel().findOne({
-            token: hash,
-            expiresAt: { $gt: now },
-            resendCount: { $lt: MAX_RESENDS },
-        });
-        if (!existing)
-            return null;
-        const newCount = existing.resendCount + 1;
-        const newExpiry = new Date(Math.min(Date.now() + ttl * 1000, existing.createdAt.getTime() + ttl * 3 * 1000));
-        existing.emailOtpHash = newEmailOtpHash;
-        existing.resendCount = newCount;
-        existing.expiresAt = newExpiry;
-        await existing.save();
-        return { userId: existing.userId, resendCount: newCount };
-    }
-    // redis
-    const key = `mfachallenge:${getAppName()}:${hash}`;
-    const raw = await getRedis().get(key);
-    if (!raw)
-        return null;
-    const data = JSON.parse(raw);
-    if (data.resendCount >= MAX_RESENDS)
-        return null;
-    data.emailOtpHash = newEmailOtpHash;
-    data.resendCount++;
-    // Cap lifetime
-    const maxExpiry = data.createdAt + ttl * 3 * 1000;
-    const newExpiry = Math.min(Date.now() + ttl * 1000, maxExpiry);
-    const remainingTtl = Math.max(1, Math.ceil((newExpiry - Date.now()) / 1000));
-    await getRedis().set(key, JSON.stringify(data), "EX", remainingTtl);
-    return { userId: data.userId, resendCount: data.resendCount };
-};
-// ---------------------------------------------------------------------------
-// WebAuthn registration challenge helpers
-// ---------------------------------------------------------------------------
-/**
- * Create a WebAuthn registration challenge token. Separate from the login flow —
- * uses `purpose: "webauthn-registration"` so it cannot be consumed by `consumeMfaChallenge`.
- */
-export const createWebAuthnRegistrationChallenge = async (userId, challenge) => {
-    const bytes = new Uint8Array(32);
-    crypto.getRandomValues(bytes);
-    const token = Buffer.from(bytes).toString("base64url");
-    const hash = sha256(token);
-    const ttl = getMfaChallengeTtl();
-    const now = Date.now();
-    const purpose = "webauthn-registration";
-    if (_store === "memory") {
-        _memoryChallenges.set(hash, { userId, purpose, webauthnChallenge: challenge, createdAt: now, resendCount: 0, expiresAt: now + ttl * 1000 });
-        return token;
-    }
-    if (_store === "sqlite") {
-        ensureSqliteMfaTable();
-        _sqliteDb.run("INSERT INTO mfa_challenges (token, userId, purpose, webauthnChallenge, createdAt, resendCount, expiresAt) VALUES (?, ?, ?, ?, ?, 0, ?)", [hash, userId, purpose, challenge, now, now + ttl * 1000]);
-        return token;
-    }
-    if (_store === "mongo") {
-        await getMfaChallengeModel().create({
-            token: hash,
-            userId,
-            purpose,
-            webauthnChallenge: challenge,
-            createdAt: new Date(now),
-            resendCount: 0,
-            expiresAt: new Date(now + ttl * 1000),
-        });
-        return token;
-    }
-    // redis
-    await getRedis().set(`mfachallenge:${getAppName()}:${hash}`, JSON.stringify({ userId, purpose, webauthnChallenge: challenge, createdAt: now, resendCount: 0 }), "EX", ttl);
-    return token;
-};
-/**
- * Consume a WebAuthn registration challenge token.
- * Only accepts tokens with `purpose: "webauthn-registration"`.
- */
-export const consumeWebAuthnRegistrationChallenge = async (token) => {
-    const hash = sha256(token);
-    if (_store === "memory") {
-        const entry = _memoryChallenges.get(hash);
-        if (!entry || entry.expiresAt <= Date.now()) {
-            _memoryChallenges.delete(hash);
-            return null;
-        }
-        _memoryChallenges.delete(hash);
-        if (entry.purpose !== "webauthn-registration" || !entry.webauthnChallenge)
-            return null;
-        return { userId: entry.userId, challenge: entry.webauthnChallenge };
-    }
-    if (_store === "sqlite") {
-        ensureSqliteMfaTable();
-        const row = _sqliteDb.query("DELETE FROM mfa_challenges WHERE token = ? AND expiresAt > ? RETURNING userId, purpose, webauthnChallenge").get(hash, Date.now());
-        if (!row || row.purpose !== "webauthn-registration" || !row.webauthnChallenge)
-            return null;
-        return { userId: row.userId, challenge: row.webauthnChallenge };
-    }
-    if (_store === "mongo") {
-        const doc = await getMfaChallengeModel().findOneAndDelete({ token: hash, expiresAt: { $gt: new Date() } });
-        if (!doc || doc.purpose !== "webauthn-registration" || !doc.webauthnChallenge)
-            return null;
-        return { userId: doc.userId, challenge: doc.webauthnChallenge };
-    }
-    // redis
-    const key = `mfachallenge:${getAppName()}:${hash}`;
-    const raw = await redisGetDel(key);
-    if (!raw)
-        return null;
-    const data = JSON.parse(raw);
-    if (data.purpose !== "webauthn-registration" || !data.webauthnChallenge)
-        return null;
-    return { userId: data.userId, challenge: data.webauthnChallenge };
-};
-// ---------------------------------------------------------------------------
-// Passkey login challenge helpers (passwordless first-factor)
-// ---------------------------------------------------------------------------
-const PASSKEY_LOGIN_CHALLENGE_TTL = 120; // seconds — single-use, so longer TTL is safe
-/**
- * Create a passkey login challenge token. Not tied to a user — userId is resolved
- * from the credential after assertion. Uses a fixed 120s TTL.
- */
-export const createPasskeyLoginChallenge = async (challenge) => {
-    const bytes = new Uint8Array(32);
-    crypto.getRandomValues(bytes);
-    const token = Buffer.from(bytes).toString("base64url");
-    const hash = sha256(token);
-    const ttl = PASSKEY_LOGIN_CHALLENGE_TTL;
-    const now = Date.now();
-    const purpose = "passkey-login";
-    const userId = ""; // anonymous — resolved from credential ID at login time
-    if (_store === "memory") {
-        _memoryChallenges.set(hash, { userId, purpose, webauthnChallenge: challenge, createdAt: now, resendCount: 0, expiresAt: now + ttl * 1000 });
-        return token;
-    }
-    if (_store === "sqlite") {
-        ensureSqliteMfaTable();
-        _sqliteDb.run("INSERT INTO mfa_challenges (token, userId, purpose, webauthnChallenge, createdAt, resendCount, expiresAt) VALUES (?, ?, ?, ?, ?, 0, ?)", [hash, userId, purpose, challenge, now, now + ttl * 1000]);
-        return token;
-    }
-    if (_store === "mongo") {
-        await getMfaChallengeModel().create({
-            token: hash,
-            userId,
-            purpose,
-            webauthnChallenge: challenge,
-            createdAt: new Date(now),
-            resendCount: 0,
-            expiresAt: new Date(now + ttl * 1000),
-        });
-        return token;
-    }
-    // redis
-    await getRedis().set(`mfachallenge:${getAppName()}:${hash}`, JSON.stringify({ userId, purpose, webauthnChallenge: challenge, createdAt: now, resendCount: 0 }), "EX", ttl);
-    return token;
-};
-/**
- * Consume a passkey login challenge token.
- * Only accepts tokens with `purpose: "passkey-login"`.
- * Returns the stored webauthnChallenge bytes or null if expired/invalid.
- */
-export const consumePasskeyLoginChallenge = async (token) => {
-    const hash = sha256(token);
-    if (_store === "memory") {
-        const entry = _memoryChallenges.get(hash);
-        if (!entry || entry.expiresAt <= Date.now()) {
-            _memoryChallenges.delete(hash);
-            return null;
-        }
-        _memoryChallenges.delete(hash);
-        if (entry.purpose !== "passkey-login" || !entry.webauthnChallenge)
-            return null;
-        return { webauthnChallenge: entry.webauthnChallenge };
-    }
-    if (_store === "sqlite") {
-        ensureSqliteMfaTable();
-        const row = _sqliteDb.query("DELETE FROM mfa_challenges WHERE token = ? AND expiresAt > ? RETURNING purpose, webauthnChallenge").get(hash, Date.now());
-        if (!row || row.purpose !== "passkey-login" || !row.webauthnChallenge)
-            return null;
-        return { webauthnChallenge: row.webauthnChallenge };
-    }
-    if (_store === "mongo") {
-        const doc = await getMfaChallengeModel().findOneAndDelete({ token: hash, expiresAt: { $gt: new Date() } });
-        if (!doc || doc.purpose !== "passkey-login" || !doc.webauthnChallenge)
-            return null;
-        return { webauthnChallenge: doc.webauthnChallenge };
-    }
-    // redis
-    const key = `mfachallenge:${getAppName()}:${hash}`;
-    const raw = await redisGetDel(key);
-    if (!raw)
-        return null;
-    const data = JSON.parse(raw);
-    if (data.purpose !== "passkey-login" || !data.webauthnChallenge)
-        return null;
-    return { webauthnChallenge: data.webauthnChallenge };
-};

package/dist/lib/mongo.d.ts

@@ -1,39 +0,0 @@
-import type { Connection, Mongoose } from "mongoose";
-type MongooseModule = Mongoose;
-/**
- * Named connection used exclusively for auth data (AuthUser model).
- * Connected via connectAuthMongo() or connectMongo() (backward compat).
- */
-export declare const authConnection: Connection;
-/**
- * Named connection for app/tenant data.
- * Connected via connectAppMongo() or connectMongo() (backward compat).
- * Use this when registering your own models: appConnection.model("Product", schema).
- */
-export declare const appConnection: Connection;
-/**
- * The mongoose instance. Available after connectMongo() / connectAuthMongo() is called.
- */
-export declare const mongoose: MongooseModule;
-/**
- * Connect the auth connection to its dedicated MongoDB server.
- * Uses MONGO_AUTH_USER_*, MONGO_AUTH_PW_*, MONGO_AUTH_HOST_*, MONGO_AUTH_DB_* env vars.
- */
-export declare const connectAuthMongo: () => Promise<void>;
-/**
- * Connect the app connection to its MongoDB server.
- * Uses MONGO_USER_*, MONGO_PW_*, MONGO_HOST_*, MONGO_DB_* env vars.
- */
-export declare const connectAppMongo: () => Promise<void>;
-/**
- * Connect both auth and app connections to the same MongoDB server.
- * Backward-compatible shorthand for single-DB setups.
- * Uses MONGO_USER_*, MONGO_PW_*, MONGO_HOST_*, MONGO_DB_* env vars.
- */
-export declare const connectMongo: () => Promise<void>;
-/**
- * Close both auth and app Mongo connections.
- * Useful for one-off scripts that need a clean exit.
- */
-export declare const disconnectMongo: () => Promise<void>;
-export {};