@lastshotlabs/bunshot 0.0.9 → 0.0.13

package/dist/lib/resetPassword.d.ts

@@ -0,0 +1,12 @@
+type ResetStore = "redis" | "mongo" | "sqlite" | "memory";
+export declare const setPasswordResetStore: (store: ResetStore) => void;
+/** Create a reset token. Returns the raw token (to embed in the email link).
+ *  Only the SHA-256 hash is persisted in the store. */
+export declare const createResetToken: (userId: string, email: string) => Promise<string>;
+/** Atomically consume a reset token — returns its payload and deletes it in one operation.
+ *  Returns null if the token is invalid, expired, or already used. */
+export declare const consumeResetToken: (token: string) => Promise<{
+    userId: string;
+    email: string;
+} | null>;
+export {};

package/dist/lib/resetPassword.js

@@ -0,0 +1,95 @@
+import { createHash } from "crypto";
+import { getRedis } from "./redis";
+import { appConnection } from "./mongo";
+import { getAppName, getResetTokenExpiry } from "./appConfig";
+import { Schema } from "mongoose";
+import { sqliteCreateResetToken, sqliteConsumeResetToken, } from "../adapters/sqliteAuth";
+import { memoryCreateResetToken, memoryConsumeResetToken, } from "../adapters/memoryAuth";
+// ---------------------------------------------------------------------------
+// Token hashing — store SHA-256(token); raw token is only in the email link.
+// If the store is ever leaked, outstanding tokens cannot be replayed directly.
+// ---------------------------------------------------------------------------
+const hashToken = (token) => createHash("sha256").update(token).digest("hex");
+const resetSchema = new Schema({
+    token: { type: String, required: true, unique: true },
+    userId: { type: String, required: true },
+    email: { type: String, required: true },
+    expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
+}, { collection: "password_resets" });
+function getResetModel() {
+    return appConnection.models["PasswordReset"] ??
+        appConnection.model("PasswordReset", resetSchema);
+}
+// ---------------------------------------------------------------------------
+// Redis helpers
+// ---------------------------------------------------------------------------
+/** Atomically GET+DEL a key. Uses native GETDEL (Redis >= 6.2) with a Lua fallback. */
+async function redisGetDel(key) {
+    const redis = getRedis();
+    if (typeof redis.getdel === "function") {
+        try {
+            return await redis.getdel(key);
+        }
+        catch (err) {
+            const msg = err?.message ?? "";
+            if (!/unknown command|ERR unknown command/i.test(msg))
+                throw err;
+            // Fall through to Lua on "unknown command"
+        }
+    }
+    const result = await redis.eval("local v = redis.call('GET', KEYS[1])\nif v then redis.call('DEL', KEYS[1]) end\nreturn v", 1, key);
+    return result ?? null;
+}
+let _store = "redis";
+export const setPasswordResetStore = (store) => { _store = store; };
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+/** Create a reset token. Returns the raw token (to embed in the email link).
+ *  Only the SHA-256 hash is persisted in the store. */
+export const createResetToken = async (userId, email) => {
+    const token = crypto.randomUUID();
+    const hash = hashToken(token);
+    const ttl = getResetTokenExpiry();
+    if (_store === "memory") {
+        memoryCreateResetToken(hash, userId, email, ttl);
+        return token;
+    }
+    if (_store === "sqlite") {
+        sqliteCreateResetToken(hash, userId, email, ttl);
+        return token;
+    }
+    if (_store === "mongo") {
+        await getResetModel().create({
+            token: hash,
+            userId,
+            email,
+            expiresAt: new Date(Date.now() + ttl * 1000),
+        });
+        return token;
+    }
+    await getRedis().set(`reset:${getAppName()}:${hash}`, JSON.stringify({ userId, email }), "EX", ttl);
+    return token;
+};
+/** Atomically consume a reset token — returns its payload and deletes it in one operation.
+ *  Returns null if the token is invalid, expired, or already used. */
+export const consumeResetToken = async (token) => {
+    const hash = hashToken(token);
+    if (_store === "memory")
+        return memoryConsumeResetToken(hash);
+    if (_store === "sqlite")
+        return sqliteConsumeResetToken(hash);
+    if (_store === "mongo") {
+        const doc = await getResetModel()
+            .findOneAndDelete({ token: hash, expiresAt: { $gt: new Date() } })
+            .lean();
+        if (!doc)
+            return null;
+        return { userId: doc.userId, email: doc.email };
+    }
+    // Redis: atomically return and remove the key (GETDEL or Lua fallback)
+    const raw = await redisGetDel(`reset:${getAppName()}:${hash}`);
+    if (!raw)
+        return null;
+    return JSON.parse(raw);
+};

package/dist/lib/session.js

@@ -1,22 +1,22 @@
 import { getRedis } from "./redis";
-import { appConnection } from "./mongo";
+import { appConnection, mongoose } from "./mongo";
 import { getAppName, getPersistSessionMetadata, getIncludeInactiveSessions } from "./appConfig";
-import { Schema } from "mongoose";
 import { sqliteCreateSession, sqliteGetSession, sqliteDeleteSession, sqliteGetUserSessions, sqliteGetActiveSessionCount, sqliteEvictOldestSession, sqliteUpdateSessionLastActive, } from "../adapters/sqliteAuth";
 import { memoryCreateSession, memoryGetSession, memoryDeleteSession, memoryGetUserSessions, memoryGetActiveSessionCount, memoryEvictOldestSession, memoryUpdateSessionLastActive, } from "../adapters/memoryAuth";
-const sessionSchema = new Schema({
-    sessionId: { type: String, required: true, unique: true },
-    userId: { type: String, required: true, index: true },
-    token: { type: String, default: null },
-    createdAt: { type: Date, required: true },
-    lastActiveAt: { type: Date, required: true },
-    expiresAt: { type: Date, required: true },
-    ipAddress: { type: String },
-    userAgent: { type: String },
-}, { collection: "sessions", timestamps: false });
 function getSessionModel() {
     if (appConnection.models["Session"])
         return appConnection.models["Session"];
+    const { Schema } = mongoose;
+    const sessionSchema = new Schema({
+        sessionId: { type: String, required: true, unique: true },
+        userId: { type: String, required: true, index: true },
+        token: { type: String, default: null },
+        createdAt: { type: Date, required: true },
+        lastActiveAt: { type: Date, required: true },
+        expiresAt: { type: Date, required: true },
+        ipAddress: { type: String },
+        userAgent: { type: String },
+    }, { collection: "sessions", timestamps: false });
     // Add TTL index only when metadata is not persisted — docs auto-delete at expiresAt.
     // When persisting, token is nulled (soft-delete) but the row is kept indefinitely.
     if (!getPersistSessionMetadata()) {

package/dist/middleware/cacheResponse.js

@@ -1,17 +1,18 @@
 import { getRedis } from "../lib/redis";
 import { getAppName } from "../lib/appConfig";
-import { appConnection } from "../lib/mongo";
-import { Schema } from "mongoose";
+import { appConnection, mongoose } from "../lib/mongo";
 import { isSqliteReady, sqliteGetCache, sqliteSetCache, sqliteDelCache, sqliteDelCachePattern } from "../adapters/sqliteAuth";
 import { memoryGetCache, memorySetCache, memoryDelCache, memoryDelCachePattern } from "../adapters/memoryAuth";
-const cacheSchema = new Schema({
-    key: { type: String, required: true, unique: true },
-    value: { type: String, required: true },
-    expiresAt: { type: Date, index: { expireAfterSeconds: 0 } },
-}, { collection: "cache_entries" });
 function getCacheModel() {
-    return appConnection.models["CacheEntry"] ??
-        appConnection.model("CacheEntry", cacheSchema);
+    if (appConnection.models["CacheEntry"])
+        return appConnection.models["CacheEntry"];
+    const { Schema } = mongoose;
+    const cacheSchema = new Schema({
+        key: { type: String, required: true, unique: true },
+        value: { type: String, required: true },
+        expiresAt: { type: Date, index: { expireAfterSeconds: 0 } },
+    }, { collection: "cache_entries" });
+    return appConnection.model("CacheEntry", cacheSchema);
 }
 function isMongoReady() {
     return appConnection.readyState === 1;

package/dist/models/AuthUser.d.ts

@@ -1,112 +1,20 @@
-import mongoose from "mongoose";
-export declare const AuthUser: mongoose.Model<{
+import type { Document, Model } from "mongoose";
+interface IAuthUser {
+    email?: string | null;
+    password?: string | null;
+    /** Compound provider keys: ["google:123456", "apple:000111"] */
     providerIds: string[];
-    emailVerified: boolean;
+    /** App-defined roles assigned to this user: ["admin", "editor", ...] */
     roles: string[];
-    email?: string | null | undefined;
-    password?: string | null | undefined;
-} & mongoose.DefaultTimestampProps, {}, {}, {
-    id: string;
-}, mongoose.Document<unknown, {}, {
-    providerIds: string[];
+    /** Whether the user's email address has been verified. */
     emailVerified: boolean;
-    roles: string[];
-    email?: string | null | undefined;
-    password?: string | null | undefined;
-} & mongoose.DefaultTimestampProps, {
-    id: string;
-}, {
-    timestamps: true;
-}> & Omit<{
-    providerIds: string[];
-    emailVerified: boolean;
-    roles: string[];
-    email?: string | null | undefined;
-    password?: string | null | undefined;
-} & mongoose.DefaultTimestampProps & {
-    _id: mongoose.Types.ObjectId;
-} & {
+}
+type AuthUserDocument = IAuthUser & Document;
+export declare const AuthUser: Model<AuthUserDocument, {}, {}, {}, Document<unknown, {}, AuthUserDocument, {}, import("mongoose").DefaultSchemaOptions> & IAuthUser & Document<import("mongoose").Types.ObjectId, any, any, Record<string, any>, {}> & Required<{
+    _id: import("mongoose").Types.ObjectId;
+}> & {
     __v: number;
-}, "id"> & {
-    id: string;
-}, mongoose.Schema<any, mongoose.Model<any, any, any, any, any, any, any>, {}, {}, {}, {}, {
-    timestamps: true;
-}, {
-    providerIds: string[];
-    emailVerified: boolean;
-    roles: string[];
-    email?: string | null | undefined;
-    password?: string | null | undefined;
-} & mongoose.DefaultTimestampProps, mongoose.Document<unknown, {}, {
-    providerIds: string[];
-    emailVerified: boolean;
-    roles: string[];
-    email?: string | null | undefined;
-    password?: string | null | undefined;
-} & mongoose.DefaultTimestampProps, {
-    id: string;
-}, mongoose.MergeType<mongoose.DefaultSchemaOptions, {
-    timestamps: true;
-}>> & Omit<{
-    providerIds: string[];
-    emailVerified: boolean;
-    roles: string[];
-    email?: string | null | undefined;
-    password?: string | null | undefined;
-} & mongoose.DefaultTimestampProps & {
-    _id: mongoose.Types.ObjectId;
 } & {
-    __v: number;
-}, "id"> & {
     id: string;
-}, {
-    [path: string]: mongoose.SchemaDefinitionProperty<undefined, any, any>;
-} | {
-    [x: string]: mongoose.SchemaDefinitionProperty<any, any, mongoose.Document<unknown, {}, {
-        providerIds: string[];
-        emailVerified: boolean;
-        roles: string[];
-        email?: string | null | undefined;
-        password?: string | null | undefined;
-    } & mongoose.DefaultTimestampProps, {
-        id: string;
-    }, mongoose.MergeType<mongoose.DefaultSchemaOptions, {
-        timestamps: true;
-    }>> & Omit<{
-        providerIds: string[];
-        emailVerified: boolean;
-        roles: string[];
-        email?: string | null | undefined;
-        password?: string | null | undefined;
-    } & mongoose.DefaultTimestampProps & {
-        _id: mongoose.Types.ObjectId;
-    } & {
-        __v: number;
-    }, "id"> & {
-        id: string;
-    }> | undefined;
-}, {
-    providerIds: string[];
-    emailVerified: boolean;
-    roles: string[];
-    email?: string | null | undefined;
-    password?: string | null | undefined;
-    createdAt: NativeDate;
-    updatedAt: NativeDate;
-} & {
-    _id: mongoose.Types.ObjectId;
-} & {
-    __v: number;
-}>, {
-    providerIds: string[];
-    emailVerified: boolean;
-    roles: string[];
-    email?: string | null | undefined;
-    password?: string | null | undefined;
-    createdAt: NativeDate;
-    updatedAt: NativeDate;
-} & {
-    _id: mongoose.Types.ObjectId;
-} & {
-    __v: number;
-}>;
+}, any, AuthUserDocument>;
+export {};

package/dist/models/AuthUser.js

@@ -1,14 +1,31 @@
-import mongoose from "mongoose";
-import { authConnection } from "../lib/mongo";
-const AuthUserSchema = new mongoose.Schema({
-    email: { type: String, unique: true, sparse: true, lowercase: true },
-    password: { type: String },
-    /** Compound provider keys: ["google:123456", "apple:000111"] */
-    providerIds: [{ type: String }],
-    /** App-defined roles assigned to this user: ["admin", "editor", ...] */
-    roles: [{ type: String }],
-    /** Whether the user's email address has been verified. */
-    emailVerified: { type: Boolean, default: false },
-}, { timestamps: true });
-AuthUserSchema.index({ providerIds: 1 });
-export const AuthUser = authConnection.model("AuthUser", AuthUserSchema);
+import { authConnection, mongoose } from "../lib/mongo";
+// Lazily register the model — authConnection and mongoose are proxies that
+// resolve once connectAuthMongo() / connectMongo() has been called.
+let _AuthUser = null;
+function getAuthUser() {
+    if (!_AuthUser) {
+        const { Schema } = mongoose;
+        const schema = new Schema({
+            email: { type: String, unique: true, sparse: true, lowercase: true },
+            password: { type: String },
+            /** Compound provider keys: ["google:123456", "apple:000111"] */
+            providerIds: [{ type: String }],
+            /** App-defined roles assigned to this user: ["admin", "editor", ...] */
+            roles: [{ type: String }],
+            /** Whether the user's email address has been verified. */
+            emailVerified: { type: Boolean, default: false },
+        }, { timestamps: true });
+        schema.index({ providerIds: 1 });
+        _AuthUser = authConnection.model("AuthUser", schema);
+    }
+    return _AuthUser;
+}
+// Export a Proxy so callers can use AuthUser.findOne() etc. at any time after
+// connectAuthMongo() / connectMongo() has been called.
+export const AuthUser = new Proxy({}, {
+    get(_, prop) {
+        const model = getAuthUser();
+        const val = model[prop];
+        return typeof val === "function" ? val.bind(model) : val;
+    },
+});

package/dist/routes/auth.d.ts

@@ -1,8 +1,9 @@
-import type { PrimaryField, EmailVerificationConfig } from "../lib/appConfig";
+import type { PrimaryField, EmailVerificationConfig, PasswordResetConfig } from "../lib/appConfig";
 import type { AuthRateLimitConfig } from "../app";
 export interface AuthRouterOptions {
     primaryField: PrimaryField;
     emailVerification?: EmailVerificationConfig;
+    passwordReset?: PasswordResetConfig;
     rateLimit?: AuthRateLimitConfig;
 }
-export declare const createAuthRouter: ({ primaryField, emailVerification, rateLimit }: AuthRouterOptions) => import("@hono/zod-openapi").OpenAPIHono<import("../lib/context").AppEnv, {}, "/">;
+export declare const createAuthRouter: ({ primaryField, emailVerification, passwordReset, rateLimit }: AuthRouterOptions) => import("@hono/zod-openapi").OpenAPIHono<import("../lib/context").AppEnv, {}, "/">;