@lastshotlabs/bunshot 0.0.8 → 0.0.10

package/dist/models/AuthUser.js

@@ -1,14 +1,31 @@
-import mongoose from "mongoose";
-import { authConnection } from "../lib/mongo";
-const AuthUserSchema = new mongoose.Schema({
-    email: { type: String, unique: true, sparse: true, lowercase: true },
-    password: { type: String },
-    /** Compound provider keys: ["google:123456", "apple:000111"] */
-    providerIds: [{ type: String }],
-    /** App-defined roles assigned to this user: ["admin", "editor", ...] */
-    roles: [{ type: String }],
-    /** Whether the user's email address has been verified. */
-    emailVerified: { type: Boolean, default: false },
-}, { timestamps: true });
-AuthUserSchema.index({ providerIds: 1 });
-export const AuthUser = authConnection.model("AuthUser", AuthUserSchema);
+import { authConnection, mongoose } from "../lib/mongo";
+// Lazily register the model — authConnection and mongoose are proxies that
+// resolve once connectAuthMongo() / connectMongo() has been called.
+let _AuthUser = null;
+function getAuthUser() {
+    if (!_AuthUser) {
+        const { Schema } = mongoose;
+        const schema = new Schema({
+            email: { type: String, unique: true, sparse: true, lowercase: true },
+            password: { type: String },
+            /** Compound provider keys: ["google:123456", "apple:000111"] */
+            providerIds: [{ type: String }],
+            /** App-defined roles assigned to this user: ["admin", "editor", ...] */
+            roles: [{ type: String }],
+            /** Whether the user's email address has been verified. */
+            emailVerified: { type: Boolean, default: false },
+        }, { timestamps: true });
+        schema.index({ providerIds: 1 });
+        _AuthUser = authConnection.model("AuthUser", schema);
+    }
+    return _AuthUser;
+}
+// Export a Proxy so callers can use AuthUser.findOne() etc. at any time after
+// connectAuthMongo() / connectMongo() has been called.
+export const AuthUser = new Proxy({}, {
+    get(_, prop) {
+        const model = getAuthUser();
+        const val = model[prop];
+        return typeof val === "function" ? val.bind(model) : val;
+    },
+});

package/dist/routes/auth.d.ts

@@ -1,8 +1,9 @@
-import type { PrimaryField, EmailVerificationConfig } from "../lib/appConfig";
+import type { PrimaryField, EmailVerificationConfig, PasswordResetConfig } from "../lib/appConfig";
 import type { AuthRateLimitConfig } from "../app";
 export interface AuthRouterOptions {
     primaryField: PrimaryField;
     emailVerification?: EmailVerificationConfig;
+    passwordReset?: PasswordResetConfig;
     rateLimit?: AuthRateLimitConfig;
 }
-export declare const createAuthRouter: ({ primaryField, emailVerification, rateLimit }: AuthRouterOptions) => import("@hono/zod-openapi").OpenAPIHono<import("../lib/context").AppEnv, {}, "/">;
+export declare const createAuthRouter: ({ primaryField, emailVerification, passwordReset, rateLimit }: AuthRouterOptions) => import("@hono/zod-openapi").OpenAPIHono<import("../lib/context").AppEnv, {}, "/">;

package/dist/routes/auth.js

@@ -9,6 +9,8 @@ import { isLimited, trackAttempt, bustAuthLimit } from "../lib/authRateLimit";
 import { getAuthAdapter } from "../lib/authAdapter";
 import { createRouter } from "../lib/context";
 import { getVerificationToken, deleteVerificationToken, createVerificationToken } from "../lib/emailVerification";
+import { createResetToken, consumeResetToken } from "../lib/resetPassword";
+import { getUserSessions, deleteSession } from "../lib/session";
 const isProd = process.env.NODE_ENV === "production";
 const TokenResponse = z.object({ token: z.string(), emailVerified: z.boolean().optional() });
 const ErrorResponse = z.object({ error: z.string() });
@@ -20,7 +22,8 @@ const cookieOptions = {
     path: "/",
     maxAge: 60 * 60 * 24 * 7, // 7 days
 };
-export const createAuthRouter = ({ primaryField, emailVerification, rateLimit }) => {
+const clientIp = (xff, xri) => (xff ? xff.split(",")[0]?.trim() : undefined) ?? xri ?? undefined;
+export const createAuthRouter = ({ primaryField, emailVerification, passwordReset, rateLimit }) => {
     const router = createRouter();
     const RegisterSchema = makeRegisterSchema(primaryField);
     const LoginSchema = makeLoginSchema(primaryField);
@@ -31,6 +34,8 @@ export const createAuthRouter = ({ primaryField, emailVerification, rateLimit })
     const registerOpts = { windowMs: rateLimit?.register?.windowMs ?? 60 * 60 * 1000, max: rateLimit?.register?.max ?? 5 };
     const verifyOpts = { windowMs: rateLimit?.verifyEmail?.windowMs ?? 15 * 60 * 1000, max: rateLimit?.verifyEmail?.max ?? 10 };
     const resendOpts = { windowMs: rateLimit?.resendVerification?.windowMs ?? 60 * 60 * 1000, max: rateLimit?.resendVerification?.max ?? 3 };
+    const forgotOpts = { windowMs: rateLimit?.forgotPassword?.windowMs ?? 15 * 60 * 1000, max: rateLimit?.forgotPassword?.max ?? 5 };
+    const resetOpts = { windowMs: rateLimit?.resetPassword?.windowMs ?? 15 * 60 * 1000, max: rateLimit?.resetPassword?.max ?? 10 };
     router.openapi(createRoute({
         method: "post",
         path: "/auth/register",
@@ -43,13 +48,17 @@ export const createAuthRouter = ({ primaryField, emailVerification, rateLimit })
             429: { content: { "application/json": { schema: ErrorResponse } }, description: "Too many attempts" },
         },
     }), async (c) => {
-        const ip = c.req.header("x-forwarded-for") ?? "unknown";
+        const ip = clientIp(c.req.header("x-forwarded-for"), c.req.header("x-real-ip")) ?? "unknown";
         if (await trackAttempt(`register:${ip}`, registerOpts)) {
             return c.json({ error: "Too many registration attempts. Try again later." }, 429);
         }
         const body = c.req.valid("json");
         const identifier = body[primaryField];
-        const token = await AuthService.register(identifier, body.password);
+        const metadata = {
+            ipAddress: ip !== "unknown" ? ip : undefined,
+            userAgent: c.req.header("user-agent") ?? undefined,
+        };
+        const token = await AuthService.register(identifier, body.password, metadata);
         setCookie(c, COOKIE_TOKEN, token, cookieOptions);
         return c.json({ token }, 201);
     });
@@ -71,8 +80,12 @@ export const createAuthRouter = ({ primaryField, emailVerification, rateLimit })
         if (await isLimited(limitKey, loginOpts)) {
             return c.json({ error: "Too many failed login attempts. Try again later." }, 429);
         }
+        const metadata = {
+            ipAddress: clientIp(c.req.header("x-forwarded-for"), c.req.header("x-real-ip")),
+            userAgent: c.req.header("user-agent") ?? undefined,
+        };
         try {
-            const result = await AuthService.login(identifier, body.password);
+            const result = await AuthService.login(identifier, body.password, metadata);
             await bustAuthLimit(limitKey); // success — clear failure count
             setCookie(c, COOKIE_TOKEN, result.token, cookieOptions);
             return c.json(result, 200);
@@ -203,5 +216,127 @@ export const createAuthRouter = ({ primaryField, emailVerification, rateLimit })
             return c.json({ message: "Verification email sent" }, 200);
         });
     }
+    // Password reset routes — only mounted when passwordReset is configured and primaryField is "email"
+    if (passwordReset && primaryField === "email") {
+        router.openapi(createRoute({
+            method: "post",
+            path: "/auth/forgot-password",
+            tags,
+            request: { body: { content: { "application/json": { schema: z.object({ email: z.string().email() }) } } } },
+            responses: {
+                200: { content: { "application/json": { schema: z.object({ message: z.string() }) } }, description: "Reset email sent if address is registered" },
+                400: { content: { "application/json": { schema: ErrorResponse } }, description: "Validation error" },
+                429: { content: { "application/json": { schema: ErrorResponse } }, description: "Too many attempts" },
+            },
+        }), async (c) => {
+            const ip = clientIp(c.req.header("x-forwarded-for"), c.req.header("x-real-ip")) ?? "unknown";
+            const { email } = c.req.valid("json");
+            // Rate-limit by both IP and email to prevent distributed email-bombing
+            const ipLimited = await trackAttempt(`forgot:ip:${ip}`, forgotOpts);
+            const emailLimited = await trackAttempt(`forgot:email:${email}`, forgotOpts);
+            if (ipLimited || emailLimited) {
+                return c.json({ error: "Too many attempts. Try again later." }, 429);
+            }
+            const adapter = getAuthAdapter();
+            const user = await adapter.findByEmail(email);
+            // Fire-and-forget: the response does not wait for token creation or email sending,
+            // which reduces obvious timing differences between registered and unregistered emails.
+            const msg = { message: "If that email is registered, a password reset link has been sent." };
+            if (user) {
+                void (async () => {
+                    try {
+                        const token = await createResetToken(user.id, email);
+                        await passwordReset.onSend(email, token);
+                    }
+                    catch (err) {
+                        console.error("Failed to send password reset email:", err);
+                    }
+                })();
+            }
+            return c.json(msg, 200);
+        });
+        router.openapi(createRoute({
+            method: "post",
+            path: "/auth/reset-password",
+            tags,
+            request: { body: { content: { "application/json": { schema: z.object({ token: z.string(), password: z.string().min(8) }) } } } },
+            responses: {
+                200: { content: { "application/json": { schema: z.object({ message: z.string() }) } }, description: "Password reset successfully" },
+                400: { content: { "application/json": { schema: ErrorResponse } }, description: "Validation error or invalid/expired token" },
+                429: { content: { "application/json": { schema: ErrorResponse } }, description: "Too many attempts" },
+                501: { content: { "application/json": { schema: ErrorResponse } }, description: "Not supported by adapter" },
+            },
+        }), async (c) => {
+            const ip = clientIp(c.req.header("x-forwarded-for"), c.req.header("x-real-ip")) ?? "unknown";
+            if (await trackAttempt(`reset:${ip}`, resetOpts)) {
+                return c.json({ error: "Too many attempts. Try again later." }, 429);
+            }
+            const { token, password } = c.req.valid("json");
+            // consumeResetToken atomically gets and deletes — prevents concurrent replay
+            const entry = await consumeResetToken(token);
+            if (!entry)
+                return c.json({ error: "Invalid or expired reset token" }, 400);
+            const adapter = getAuthAdapter();
+            if (!adapter.setPassword) {
+                return c.json({ error: "Auth adapter does not support setPassword" }, 501);
+            }
+            const passwordHash = await Bun.password.hash(password);
+            await adapter.setPassword(entry.userId, passwordHash);
+            // Revoke all sessions so stolen JWTs can't stay valid after a reset
+            const sessions = await getUserSessions(entry.userId);
+            await Promise.all(sessions.map((s) => deleteSession(s.sessionId)));
+            return c.json({ message: "Password reset successfully" }, 200);
+        });
+    }
+    // ---------------------------------------------------------------------------
+    // Session management
+    // ---------------------------------------------------------------------------
+    const SessionInfoSchema = z.object({
+        sessionId: z.string(),
+        createdAt: z.number(),
+        lastActiveAt: z.number(),
+        expiresAt: z.number(),
+        ipAddress: z.string().optional(),
+        userAgent: z.string().optional(),
+        isActive: z.boolean(),
+    });
+    router.use("/auth/sessions", userAuth);
+    router.use("/auth/sessions/*", userAuth);
+    router.openapi(createRoute({
+        method: "get",
+        path: "/auth/sessions",
+        tags,
+        responses: {
+            200: {
+                content: { "application/json": { schema: z.object({ sessions: z.array(SessionInfoSchema) }) } },
+                description: "List of sessions for the current user",
+            },
+            401: { content: { "application/json": { schema: ErrorResponse } }, description: "Unauthorized" },
+        },
+    }), async (c) => {
+        const userId = c.get("authUserId");
+        const sessions = await getUserSessions(userId);
+        return c.json({ sessions }, 200);
+    });
+    router.openapi(createRoute({
+        method: "delete",
+        path: "/auth/sessions/{sessionId}",
+        tags,
+        request: { params: z.object({ sessionId: z.string() }) },
+        responses: {
+            200: { content: { "application/json": { schema: z.object({ message: z.string() }) } }, description: "Session revoked" },
+            401: { content: { "application/json": { schema: ErrorResponse } }, description: "Unauthorized" },
+            404: { content: { "application/json": { schema: ErrorResponse } }, description: "Session not found" },
+        },
+    }), async (c) => {
+        const userId = c.get("authUserId");
+        const { sessionId } = c.req.valid("param");
+        const sessions = await getUserSessions(userId);
+        const session = sessions.find((s) => s.sessionId === sessionId);
+        if (!session)
+            return c.json({ error: "Session not found" }, 404);
+        await deleteSession(sessionId);
+        return c.json({ message: "Session revoked" }, 200);
+    });
     return router;
 };

package/dist/routes/oauth.js

@@ -5,10 +5,10 @@ import { getGoogle, getApple, storeOAuthState, consumeOAuthState, generateState,
 import { getAuthAdapter } from "../lib/authAdapter";
 import { HttpError } from "../lib/HttpError";
 import { signToken } from "../lib/jwt";
-import { createSession } from "../lib/session";
+import { createSession, getActiveSessionCount, evictOldestSession } from "../lib/session";
 import { COOKIE_TOKEN } from "../lib/constants";
 import { userAuth } from "../middleware/userAuth";
-import { getDefaultRole } from "../lib/appConfig";
+import { getDefaultRole, getMaxSessions } from "../lib/appConfig";
 const isProd = process.env.NODE_ENV === "production";
 const cookieOptions = {
     httpOnly: true,
@@ -36,8 +36,17 @@ const finishOAuth = async (c, provider, providerId, profile, postLoginRedirect)
         if (role && adapter.setRoles)
             await adapter.setRoles(user.id, [role]);
     }
-    const token = await signToken(user.id);
-    await createSession(user.id, token);
+    const sessionId = crypto.randomUUID();
+    const token = await signToken(user.id, sessionId);
+    const xff = c.req.header("x-forwarded-for");
+    const metadata = {
+        ipAddress: (xff ? xff.split(",")[0]?.trim() : undefined) ?? c.req.header("x-real-ip") ?? undefined,
+        userAgent: c.req.header("user-agent") ?? undefined,
+    };
+    while (await getActiveSessionCount(user.id) >= getMaxSessions()) {
+        await evictOldestSession(user.id);
+    }
+    await createSession(user.id, token, sessionId, metadata);
     setCookie(c, COOKIE_TOKEN, token, cookieOptions);
     // Append token to redirect so non-browser clients (mobile deep links) can extract it.
     // Browser apps can safely ignore the query param.

package/dist/services/auth.d.ts

@@ -1,5 +1,6 @@
-export declare const register: (identifier: string, password: string) => Promise<string>;
-export declare const login: (identifier: string, password: string) => Promise<{
+import type { SessionMetadata } from "../lib/session";
+export declare const register: (identifier: string, password: string, metadata?: SessionMetadata) => Promise<string>;
+export declare const login: (identifier: string, password: string, metadata?: SessionMetadata) => Promise<{
     token: string;
     emailVerified?: boolean;
 }>;

package/dist/services/auth.js

@@ -1,18 +1,22 @@
 import { getAuthAdapter } from "../lib/authAdapter";
 import { HttpError } from "../lib/HttpError";
 import { signToken, verifyToken } from "../lib/jwt";
-import { createSession, deleteSession } from "../lib/session";
-import { getDefaultRole, getPrimaryField, getEmailVerificationConfig } from "../lib/appConfig";
+import { createSession, deleteSession, getActiveSessionCount, evictOldestSession } from "../lib/session";
+import { getDefaultRole, getPrimaryField, getEmailVerificationConfig, getMaxSessions } from "../lib/appConfig";
 import { createVerificationToken } from "../lib/emailVerification";
-export const register = async (identifier, password) => {
+export const register = async (identifier, password, metadata) => {
     const hashed = await Bun.password.hash(password);
     const adapter = getAuthAdapter();
     const user = await adapter.create(identifier, hashed);
     const role = getDefaultRole();
     if (role)
         await adapter.setRoles(user.id, [role]);
-    const token = await signToken(user.id);
-    await createSession(user.id, token);
+    const sessionId = crypto.randomUUID();
+    const token = await signToken(user.id, sessionId);
+    while (await getActiveSessionCount(user.id) >= getMaxSessions()) {
+        await evictOldestSession(user.id);
+    }
+    await createSession(user.id, token, sessionId, metadata);
     const evConfig = getEmailVerificationConfig();
     if (evConfig && getPrimaryField() === "email") {
         try {
@@ -25,30 +29,35 @@ export const register = async (identifier, password) => {
     }
     return token;
 };
-export const login = async (identifier, password) => {
+export const login = async (identifier, password, metadata) => {
     const adapter = getAuthAdapter();
     const findFn = adapter.findByIdentifier ?? adapter.findByEmail.bind(adapter);
     const user = await findFn(identifier);
     if (!user || !(await Bun.password.verify(password, user.passwordHash))) {
         throw new HttpError(401, "Invalid credentials");
     }
+    const sessionId = crypto.randomUUID();
+    const token = await signToken(user.id, sessionId);
+    while (await getActiveSessionCount(user.id) >= getMaxSessions()) {
+        await evictOldestSession(user.id);
+    }
     const evConfig = getEmailVerificationConfig();
     if (evConfig && getPrimaryField() === "email" && adapter.getEmailVerified) {
         const verified = await adapter.getEmailVerified(user.id);
         if (evConfig.required && !verified) {
             throw new HttpError(403, "Email not verified");
         }
-        const token = await signToken(user.id);
-        await createSession(user.id, token);
+        await createSession(user.id, token, sessionId, metadata);
         return { token, emailVerified: verified };
     }
-    const token = await signToken(user.id);
-    await createSession(user.id, token);
+    await createSession(user.id, token, sessionId, metadata);
     return { token };
 };
 export const logout = async (token) => {
     if (token) {
         const payload = await verifyToken(token);
-        await deleteSession(payload.sub);
+        const sessionId = payload.sid;
+        if (sessionId)
+            await deleteSession(sessionId);
     }
 };

package/dist/ws/index.js

@@ -8,9 +8,12 @@ export const createWsUpgradeHandler = (server) => async (req) => {
             ?.match(new RegExp(`(?:^|;\\s*)${COOKIE_TOKEN}=([^;]+)`))?.[1] ?? null;
         if (token) {
             const payload = await verifyToken(token);
-            const stored = await getSession(payload.sub);
-            if (stored === token)
-                userId = payload.sub;
+            const sessionId = payload.sid;
+            if (sessionId) {
+                const stored = await getSession(sessionId);
+                if (stored === token)
+                    userId = payload.sub;
+            }
         }
     }
     catch { /* unauthenticated — userId stays null */ }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lastshotlabs/bunshot",
-  "version": "0.0.8",
+  "version": "0.0.10",
   "description": "Batteries-included Bun + Hono API framework — auth, sessions, rate limiting, WebSocket, queues, and OpenAPI docs out of the box",
   "repository": {
     "type": "git",
@@ -22,6 +22,18 @@
     ".": {
       "import": "./dist/index.js",
       "types": "./dist/index.d.ts"
+    },
+    "./mongo": {
+      "import": "./dist/entrypoints/mongo.js",
+      "types": "./dist/entrypoints/mongo.d.ts"
+    },
+    "./redis": {
+      "import": "./dist/entrypoints/redis.js",
+      "types": "./dist/entrypoints/redis.d.ts"
+    },
+    "./queue": {
+      "import": "./dist/entrypoints/queue.js",
+      "types": "./dist/entrypoints/queue.d.ts"
     }
   },
   "bin": {
@@ -41,19 +53,37 @@
     "@hono/zod-openapi": "1.2.2",
     "@scalar/hono-api-reference": "0.10.0",
     "arctic": "^3.7.0",
-    "bullmq": "^5.70.4",
-    "hono": "4.12.5",
-    "ioredis": "5.10.0",
-    "jose": "6.2.0",
-    "mongoose": "9.2.4",
-    "zod": "4.3.6"
+    "jose": "6.2.0"
+  },
+  "peerDependencies": {
+    "hono": ">=4.12 <5",
+    "zod": ">=4.0 <5",
+    "mongoose": ">=9.0 <10",
+    "ioredis": ">=5.0 <6",
+    "bullmq": ">=5.0 <6"
+  },
+  "peerDependenciesMeta": {
+    "mongoose": {
+      "optional": true
+    },
+    "ioredis": {
+      "optional": true
+    },
+    "bullmq": {
+      "optional": true
+    }
   },
   "devDependencies": {
     "@types/bun": "1.3.10",
     "tsc-alias": "^1.8.16",
-    "typescript": "^5.9.3"
+    "typescript": "^5.9.3",
+    "hono": ">=4.12",
+    "zod": ">=4.0",
+    "mongoose": "9.2.4",
+    "ioredis": "5.10.0",
+    "bullmq": "^5.70.4"
   },
   "publishConfig": {
     "access": "public"
   }
-}
+}