npm - @mesob/auth-hono - Versions diffs - 0.5.0 → 0.5.3 - Mend

@mesob/auth-hono 0.5.0 → 0.5.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

package/dist/{index-DwIwuvVj.d.ts → index-v_uxUd8A.d.ts} +53 -5
package/dist/index.d.ts +12 -5
package/dist/index.js +704 -249
package/dist/index.js.map +1 -1
package/dist/lib/auth-rate-limit.d.ts +21 -0
package/dist/lib/auth-rate-limit.js +228 -0
package/dist/lib/auth-rate-limit.js.map +1 -0
package/dist/lib/cleanup.d.ts +1 -1
package/dist/lib/cookie.d.ts +5 -3
package/dist/lib/cookie.js +6 -1
package/dist/lib/cookie.js.map +1 -1
package/dist/lib/has-role-permission.d.ts +2 -2
package/dist/lib/iam-seed.d.ts +3 -3
package/dist/lib/load-session-pair.d.ts +16 -0
package/dist/lib/load-session-pair.js +505 -0
package/dist/lib/load-session-pair.js.map +1 -0
package/dist/lib/normalize-auth-response.d.ts +2 -2
package/dist/lib/normalize-rate-limit-ip.d.ts +5 -0
package/dist/lib/normalize-rate-limit-ip.js +159 -0
package/dist/lib/normalize-rate-limit-ip.js.map +1 -0
package/dist/lib/normalize-user.d.ts +2 -2
package/dist/lib/openapi-config.d.ts +2 -2
package/dist/lib/permission-catalog.d.ts +1 -1
package/dist/lib/phone-validation.d.ts +2 -2
package/dist/lib/session-cache.d.ts +22 -0
package/dist/lib/session-cache.js +396 -0
package/dist/lib/session-cache.js.map +1 -0
package/dist/lib/session.d.ts +2 -2
package/dist/lib/tenant.d.ts +2 -2
package/package.json +2 -2
package/dist/{index-D8OE85f8.d.ts → index-Dhe5obDc.d.ts} +1 -1

package/dist/index.js CHANGED Viewed

@@ -327,6 +327,232 @@ var createDatabase = (connectionString) => {
 import { OpenAPIHono as OpenAPIHono17 } from "@hono/zod-openapi";
 import { getCookie as getCookie3 } from "hono/cookie";
+// src/lib/cookie.ts
+import { deleteCookie as honoDel, setCookie as honoSet } from "hono/cookie";
+var isProduction = process.env.NODE_ENV === "production";
+var getSessionKeyNamespace = (config) => {
+  const p = config.prefix?.trim();
+  return p && p.length > 0 ? p : "msb";
+};
+var getSessionCookieName = (config) => {
+  const prefix = config.prefix?.trim() || "";
+  const baseName = "session_token";
+  if (prefix) {
+    return `${prefix}_${baseName}`;
+  }
+  return isProduction ? "__Host-session_token" : baseName;
+};
+var setSessionCookie = (c, token, config, options) => {
+  const cookieName = getSessionCookieName(config);
+  const cookieOptions = {
+    httpOnly: true,
+    secure: isProduction,
+    sameSite: "Lax",
+    path: options.path || "/",
+    expires: options.expires,
+    ...isProduction && { domain: void 0 }
+    // __Host- requires no domain
+  };
+  honoSet(c, cookieName, token, cookieOptions);
+};
+var deleteSessionCookie = (c, config) => {
+  const cookieName = getSessionCookieName(config);
+  honoDel(c, cookieName, {
+    httpOnly: true,
+    secure: isProduction,
+    sameSite: "Lax",
+    path: "/",
+    expires: /* @__PURE__ */ new Date(0)
+  });
+};
+// src/lib/crypto.ts
+import { scrypt } from "@noble/hashes/scrypt.js";
+import { randomBytes } from "@noble/hashes/utils.js";
+var encoder = new TextEncoder();
+var randomHex = (bytes) => {
+  const arr = randomBytes(bytes);
+  return Array.from(arr, (b) => b.toString(16).padStart(2, "0")).join(
+    ""
+  );
+};
+var toHex = (buffer) => {
+  return Array.from(
+    buffer,
+    (b) => b.toString(16).padStart(2, "0")
+  ).join("");
+};
+var hexToBytes = (hex) => {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = Number.parseInt(hex.slice(i, i + 2), 16);
+  }
+  return bytes;
+};
+var SCRYPT_KEYLEN = 64;
+var SCRYPT_COST = 16384;
+var SCRYPT_BLOCK_SIZE = 8;
+var SCRYPT_PARALLELISM = 1;
+var hashPassword = async (password) => {
+  const salt = randomBytes(16);
+  const saltHex = toHex(salt);
+  const passwordBytes = encoder.encode(password);
+  const derivedKey = await Promise.resolve(
+    scrypt(passwordBytes, salt, {
+      N: SCRYPT_COST,
+      r: SCRYPT_BLOCK_SIZE,
+      p: SCRYPT_PARALLELISM,
+      dkLen: SCRYPT_KEYLEN
+    })
+  );
+  return `${saltHex}:${toHex(derivedKey)}`;
+};
+var verifyPassword = async (password, hashed) => {
+  if (!hashed) {
+    return false;
+  }
+  const [saltHex, keyHex] = hashed.split(":");
+  if (!(saltHex && keyHex)) {
+    return false;
+  }
+  const salt = hexToBytes(saltHex);
+  const passwordBytes = encoder.encode(password);
+  const derivedKey = await Promise.resolve(
+    scrypt(passwordBytes, salt, {
+      N: SCRYPT_COST,
+      r: SCRYPT_BLOCK_SIZE,
+      p: SCRYPT_PARALLELISM,
+      dkLen: SCRYPT_KEYLEN
+    })
+  );
+  const derived = toHex(derivedKey);
+  if (derived.length !== keyHex.length) {
+    return false;
+  }
+  let result = 0;
+  for (let i = 0; i < derived.length; i++) {
+    result |= derived.charCodeAt(i) ^ keyHex.charCodeAt(i);
+  }
+  return result === 0;
+};
+var hashToken = async (token, secret) => {
+  if (!secret || secret.length === 0) {
+    throw new Error(
+      "AUTH_SECRET is required and must be a non-empty string. Please set AUTH_SECRET environment variable."
+    );
+  }
+  const key = await crypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto.subtle.sign(
+    "HMAC",
+    key,
+    encoder.encode(token)
+  );
+  return toHex(new Uint8Array(signature));
+};
+var generateToken = (bytes = 48) => randomHex(bytes);
+// src/lib/error-handler.ts
+import { logger } from "@mesob/common";
+import { HTTPException } from "hono/http-exception";
+var isDatabaseError = (error) => {
+  if (typeof error !== "object" || error === null) {
+    return false;
+  }
+  if ("code" in error || "query" in error || "detail" in error) {
+    return true;
+  }
+  if (error instanceof Error) {
+    const message = error.message.toLowerCase();
+    return message.includes("failed query") || message.includes("relation") || message.includes("column") || message.includes("syntax error") || message.includes("duplicate key") || message.includes("foreign key") || message.includes("null value");
+  }
+  return false;
+};
+var sanitizeDatabaseError = (error) => {
+  const code = error.code;
+  if (code === "23505") {
+    return "Resource already exists";
+  }
+  if (code === "23503") {
+    return "Referenced resource not found";
+  }
+  if (code === "23502") {
+    return "Required field is missing";
+  }
+  if (code === "42P01") {
+    return "Resource not found";
+  }
+  if (code === "42703") {
+    return "Invalid request";
+  }
+  if (code === "23514") {
+    return "Validation failed";
+  }
+  return "An error occurred while processing your request";
+};
+var isDatabaseErrorMessage = (message) => {
+  const lowerMessage = message.toLowerCase();
+  return lowerMessage.includes("failed query") || lowerMessage.includes("select") || lowerMessage.includes("insert") || lowerMessage.includes("update") || lowerMessage.includes("delete") || lowerMessage.includes("from") || lowerMessage.includes("where") || lowerMessage.includes("limit") || lowerMessage.includes("params:") || lowerMessage.includes("query") || message.includes('"iam".') || message.includes('"tenants"') || message.includes('"users"') || message.includes('"sessions"') || message.includes('"accounts"') || lowerMessage.includes("relation") || lowerMessage.includes("column") || lowerMessage.includes("syntax error") || lowerMessage.includes("database") || lowerMessage.includes("postgres") || lowerMessage.includes("sql");
+};
+var handleError = (error, c) => {
+  logger.error("API Error:", {
+    error,
+    path: c.req.path,
+    method: c.req.method,
+    url: c.req.url
+  });
+  if (error instanceof HTTPException) {
+    const message = isDatabaseErrorMessage(error.message) ? "An error occurred while processing your request" : error.message;
+    return c.json({ error: message }, error.status);
+  }
+  if (isDatabaseError(error)) {
+    const userMessage = sanitizeDatabaseError(error);
+    logger.error("Database error details:", {
+      code: error.code,
+      message: error.message,
+      detail: error.detail,
+      query: error.query,
+      parameters: error.parameters
+    });
+    return c.json({ error: userMessage }, 500);
+  }
+  if (error instanceof Error) {
+    const message = error.message;
+    const lowerMessage = message.toLowerCase();
+    const isDatabaseError2 = lowerMessage.includes("failed query") || lowerMessage.includes("select") || lowerMessage.includes("insert") || lowerMessage.includes("update") || lowerMessage.includes("delete") || lowerMessage.includes("from") || lowerMessage.includes("where") || lowerMessage.includes("limit") || lowerMessage.includes("params:") || lowerMessage.includes("query") || message.includes('"iam".') || message.includes('"tenants"') || message.includes('"users"') || message.includes('"sessions"') || message.includes('"accounts"') || lowerMessage.includes("relation") || lowerMessage.includes("column") || lowerMessage.includes("syntax error") || lowerMessage.includes("duplicate key") || lowerMessage.includes("foreign key") || lowerMessage.includes("null value") || lowerMessage.includes("database") || lowerMessage.includes("postgres") || lowerMessage.includes("sql");
+    if (isDatabaseError2) {
+      logger.error("SQL/database error detected:", {
+        message: error.message,
+        stack: error.stack,
+        name: error.name
+      });
+      return c.json(
+        { error: "An error occurred while processing your request" },
+        500
+      );
+    }
+    logger.error("Error details:", {
+      message: error.message,
+      stack: error.stack,
+      name: error.name
+    });
+    return c.json(
+      { error: "An error occurred while processing your request" },
+      500
+    );
+  }
+  logger.error("Unknown error:", error);
+  return c.json(
+    { error: "An error occurred while processing your request" },
+    500
+  );
+};
 // src/db/orm/session.ts
 import { and, eq, gt } from "drizzle-orm";
 var fetchSessionByToken = async ({
@@ -384,6 +610,19 @@ var deleteSession = async ({
     )
   );
 };
+var listHashedTokensForUser = async ({
+  database,
+  userId,
+  tenantId
+}) => {
+  const rows = await database.select({ token: sessionsInIam.token }).from(sessionsInIam).where(
+    and(
+      eq(sessionsInIam.userId, userId),
+      eq(sessionsInIam.tenantId, tenantId)
+    )
+  );
+  return rows.map((r) => r.token);
+};
 // src/db/orm/tenant.ts
 import { and as and2, eq as eq2, sql as sql2 } from "drizzle-orm";
@@ -492,226 +731,335 @@ var fetchUserWithRoles = async ({
   return userResult || null;
 };
-// src/lib/cookie.ts
-import { deleteCookie as honoDel, setCookie as honoSet } from "hono/cookie";
-var isProduction = process.env.NODE_ENV === "production";
-var getSessionCookieName = (config) => {
-  const prefix = config.cookie?.prefix || "";
-  const baseName = "session_token";
-  if (prefix) {
-    return `${prefix}_${baseName}`;
+// src/lib/session-cache.ts
+var sessionCacheKey = (config, hashedToken) => `${getSessionKeyNamespace(config)}:sc:v1:${hashedToken}`;
+async function readSessionCache(config, hashedToken) {
+  const sc = config.sessionCache;
+  if (!sc?.enabled) {
+    return null;
   }
-  return isProduction ? "__Host-session_token" : baseName;
-};
-var setSessionCookie = (c, token, config, options) => {
-  const cookieName = getSessionCookieName(config);
-  const cookieOptions = {
-    httpOnly: true,
-    secure: isProduction,
-    sameSite: "Lax",
-    path: options.path || "/",
-    expires: options.expires,
-    ...isProduction && { domain: void 0 }
-    // __Host- requires no domain
-  };
-  honoSet(c, cookieName, token, cookieOptions);
-};
-var deleteSessionCookie = (c, config) => {
-  const cookieName = getSessionCookieName(config);
-  honoDel(c, cookieName, {
-    httpOnly: true,
-    secure: isProduction,
-    sameSite: "Lax",
-    path: "/",
-    expires: /* @__PURE__ */ new Date(0)
-  });
-};
-// src/lib/crypto.ts
-import { scrypt } from "@noble/hashes/scrypt.js";
-import { randomBytes } from "@noble/hashes/utils.js";
-var encoder = new TextEncoder();
-var randomHex = (bytes) => {
-  const arr = randomBytes(bytes);
-  return Array.from(arr, (b) => b.toString(16).padStart(2, "0")).join(
-    ""
+  const raw = await sc.kv.get(sessionCacheKey(config, hashedToken));
+  if (!raw) {
+    return null;
+  }
+  try {
+    const parsed = JSON.parse(raw);
+    if (!parsed?.session?.expiresAt || new Date(parsed.session.expiresAt) <= /* @__PURE__ */ new Date()) {
+      await sc.kv.delete(sessionCacheKey(config, hashedToken));
+      return null;
+    }
+    return parsed;
+  } catch {
+    await sc.kv.delete(sessionCacheKey(config, hashedToken));
+    return null;
+  }
+}
+async function writeSessionCache(config, hashedToken, payload) {
+  const sc = config.sessionCache;
+  if (!sc?.enabled) {
+    return;
+  }
+  const ttl = sc.ttlSeconds ?? Math.max(
+    60,
+    Math.ceil(
+      (new Date(payload.session.expiresAt).getTime() - Date.now()) / 1e3
+    )
   );
-};
-var toHex = (buffer) => {
-  return Array.from(
-    buffer,
-    (b) => b.toString(16).padStart(2, "0")
-  ).join("");
-};
-var hexToBytes = (hex) => {
-  const bytes = new Uint8Array(hex.length / 2);
-  for (let i = 0; i < hex.length; i += 2) {
-    bytes[i / 2] = Number.parseInt(hex.slice(i, i + 2), 16);
+  await sc.kv.put(
+    sessionCacheKey(config, hashedToken),
+    JSON.stringify(payload),
+    {
+      expirationTtl: Math.min(Math.max(ttl, 60), 2147483647)
+    }
+  );
+}
+async function deleteSessionCacheKeys(config, hashedTokens) {
+  const sc = config.sessionCache;
+  if (!sc?.enabled || hashedTokens.length === 0) {
+    return;
   }
-  return bytes;
-};
-var SCRYPT_KEYLEN = 64;
-var SCRYPT_COST = 16384;
-var SCRYPT_BLOCK_SIZE = 8;
-var SCRYPT_PARALLELISM = 1;
-var hashPassword = async (password) => {
-  const salt = randomBytes(16);
-  const saltHex = toHex(salt);
-  const passwordBytes = encoder.encode(password);
-  const derivedKey = await Promise.resolve(
-    scrypt(passwordBytes, salt, {
-      N: SCRYPT_COST,
-      r: SCRYPT_BLOCK_SIZE,
-      p: SCRYPT_PARALLELISM,
-      dkLen: SCRYPT_KEYLEN
-    })
+  await Promise.all(
+    hashedTokens.map((t) => sc.kv.delete(sessionCacheKey(config, t)))
   );
-  return `${saltHex}:${toHex(derivedKey)}`;
-};
-var verifyPassword = async (password, hashed) => {
-  if (!hashed) {
-    return false;
+}
+async function invalidateSessionCacheForHashedToken(config, hashedToken) {
+  await deleteSessionCacheKeys(config, [hashedToken]);
+}
+async function invalidateSessionCacheForUser(config, database, userId, tenantId) {
+  const tokens = await listHashedTokensForUser({
+    database,
+    userId,
+    tenantId
+  });
+  await deleteSessionCacheKeys(config, tokens);
+}
+// src/lib/load-session-pair.ts
+async function loadSessionPair(database, config, hashedToken) {
+  const cached = await readSessionCache(config, hashedToken);
+  if (cached) {
+    return { session: cached.session, user: cached.user };
+  }
+  const session = await fetchSessionByToken({
+    database,
+    hashedToken,
+    tenantId: config.tenant?.tenantId || "tenant"
+  });
+  if (!session) {
+    return null;
+  }
+  const user = await fetchUserWithRoles({
+    database,
+    userId: session.userId,
+    tenantId: session.tenantId
+  });
+  if (!user) {
+    await deleteSession({
+      database,
+      sessionId: session.id,
+      tenantId: session.tenantId
+    });
+    return null;
+  }
+  await writeSessionCache(config, hashedToken, { session, user });
+  return { session, user };
+}
+// src/lib/normalize-rate-limit-ip.ts
+function parseIpv4Dotted(s) {
+  const p = s.split(".");
+  if (p.length !== 4) {
+    return null;
+  }
+  const b = new Uint8Array(4);
+  for (let i = 0; i < 4; i++) {
+    if (!/^\d{1,3}$/.test(p[i])) {
+      return null;
+    }
+    const n = Number(p[i]);
+    if (!Number.isInteger(n) || n < 0 || n > 255) {
+      return null;
+    }
+    b[i] = n;
+  }
+  return b;
+}
+function ipv4Key(bytes) {
+  return `4:${bytes[0]}.${bytes[1]}.${bytes[2]}.${bytes[3]}`;
+}
+function maskIpv6InPlace(bytes, prefixBits) {
+  if (prefixBits >= 128) {
+    return;
   }
-  const [saltHex, keyHex] = hashed.split(":");
-  if (!(saltHex && keyHex)) {
-    return false;
+  const whole = Math.floor(prefixBits / 8);
+  const rem = prefixBits % 8;
+  if (rem === 0) {
+    for (let i = whole; i < 16; i++) {
+      bytes[i] = 0;
+    }
+  } else {
+    for (let i = whole + 1; i < 16; i++) {
+      bytes[i] = 0;
+    }
+    const keep = 255 << 8 - rem & 255;
+    bytes[whole] &= keep;
   }
-  const salt = hexToBytes(saltHex);
-  const passwordBytes = encoder.encode(password);
-  const derivedKey = await Promise.resolve(
-    scrypt(passwordBytes, salt, {
-      N: SCRYPT_COST,
-      r: SCRYPT_BLOCK_SIZE,
-      p: SCRYPT_PARALLELISM,
-      dkLen: SCRYPT_KEYLEN
-    })
-  );
-  const derived = toHex(derivedKey);
-  if (derived.length !== keyHex.length) {
-    return false;
+}
+function isIpv4MappedIpv6(bytes) {
+  for (let i = 0; i < 10; i++) {
+    if (bytes[i] !== 0) {
+      return false;
+    }
   }
-  let result = 0;
-  for (let i = 0; i < derived.length; i++) {
-    result |= derived.charCodeAt(i) ^ keyHex.charCodeAt(i);
+  return bytes[10] === 255 && bytes[11] === 255;
+}
+function parseIpv6HextetsToBytes(s) {
+  const buf = new Uint8Array(16);
+  if (s === "") {
+    return buf;
   }
-  return result === 0;
-};
-var hashToken = async (token, secret) => {
-  if (!secret || secret.length === 0) {
-    throw new Error(
-      "AUTH_SECRET is required and must be a non-empty string. Please set AUTH_SECRET environment variable."
-    );
+  const double = s.includes("::");
+  if (double && s.split("::").length > 2) {
+    return null;
   }
-  const key = await crypto.subtle.importKey(
-    "raw",
-    encoder.encode(secret),
-    { name: "HMAC", hash: "SHA-256" },
-    false,
-    ["sign"]
-  );
-  const signature = await crypto.subtle.sign(
-    "HMAC",
-    key,
-    encoder.encode(token)
-  );
-  return toHex(new Uint8Array(signature));
-};
-var generateToken = (bytes = 48) => randomHex(bytes);
-// src/lib/error-handler.ts
-import { logger } from "@mesob/common";
-import { HTTPException } from "hono/http-exception";
-var isDatabaseError = (error) => {
-  if (typeof error !== "object" || error === null) {
-    return false;
+  const [leftRaw, rightRaw] = double ? s.split("::", 2) : [s, ""];
+  const left = leftRaw ? leftRaw.split(":").filter(Boolean) : [];
+  const right = rightRaw ? rightRaw.split(":").filter(Boolean) : [];
+  const partsLen = left.length + right.length;
+  if (double) {
+    if (partsLen > 8) {
+      return null;
+    }
+  } else if (partsLen !== 8) {
+    return null;
   }
-  if ("code" in error || "query" in error || "detail" in error) {
-    return true;
+  const pad = double ? 8 - partsLen : 0;
+  const all = [...left, ...Array(pad).fill("0"), ...right];
+  if (all.length !== 8) {
+    return null;
   }
-  if (error instanceof Error) {
-    const message = error.message.toLowerCase();
-    return message.includes("failed query") || message.includes("relation") || message.includes("column") || message.includes("syntax error") || message.includes("duplicate key") || message.includes("foreign key") || message.includes("null value");
+  for (let i = 0; i < 8; i++) {
+    const h = all[i];
+    if (!h || h.includes(".")) {
+      return null;
+    }
+    const v = Number.parseInt(h, 16);
+    if (v > 65535 || Number.isNaN(v)) {
+      return null;
+    }
+    buf[i * 2] = v >> 8;
+    buf[i * 2 + 1] = v & 255;
   }
-  return false;
-};
-var sanitizeDatabaseError = (error) => {
-  const code = error.code;
-  if (code === "23505") {
-    return "Resource already exists";
+  return buf;
+}
+function parseIpv6ToBytes(address) {
+  let a = address.trim().toLowerCase();
+  if (a.startsWith("[") && a.endsWith("]")) {
+    a = a.slice(1, -1);
   }
-  if (code === "23503") {
-    return "Referenced resource not found";
+  const zi = a.indexOf("%");
+  if (zi >= 0) {
+    a = a.slice(0, zi);
   }
-  if (code === "23502") {
-    return "Required field is missing";
+  if (a === "") {
+    return null;
   }
-  if (code === "42P01") {
-    return "Resource not found";
+  if (!a.includes(":")) {
+    const v4 = parseIpv4Dotted(a);
+    return v4 ? v4 : null;
+  }
+  const lastColon = a.lastIndexOf(":");
+  if (lastColon > 0) {
+    const maybeV4 = a.slice(lastColon + 1);
+    if (/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(maybeV4)) {
+      const v4b = parseIpv4Dotted(maybeV4);
+      if (!v4b) {
+        return null;
+      }
+      const prefix = a.slice(0, lastColon);
+      const w1 = v4b[0] << 8 | v4b[1];
+      const w2 = v4b[2] << 8 | v4b[3];
+      const tailHex = `${w1.toString(16)}:${w2.toString(16)}`;
+      let merged;
+      if (!prefix) {
+        merged = tailHex;
+      } else if (prefix.endsWith(":")) {
+        merged = `${prefix}${tailHex}`;
+      } else {
+        merged = `${prefix}:${tailHex}`;
+      }
+      return parseIpv6HextetsToBytes(merged);
+    }
   }
-  if (code === "42703") {
-    return "Invalid request";
+  return parseIpv6HextetsToBytes(a);
+}
+function bytesToHex(bytes) {
+  let o = "";
+  for (let i = 0; i < bytes.length; i++) {
+    o += bytes[i].toString(16).padStart(2, "0");
   }
-  if (code === "23514") {
-    return "Validation failed";
+  return o;
+}
+function rateLimitClientKey(raw, ipv6SubnetBits) {
+  const s = raw.trim();
+  if (!s || s === "unknown") {
+    return "unknown";
   }
-  return "An error occurred while processing your request";
-};
-var isDatabaseErrorMessage = (message) => {
-  const lowerMessage = message.toLowerCase();
-  return lowerMessage.includes("failed query") || lowerMessage.includes("select") || lowerMessage.includes("insert") || lowerMessage.includes("update") || lowerMessage.includes("delete") || lowerMessage.includes("from") || lowerMessage.includes("where") || lowerMessage.includes("limit") || lowerMessage.includes("params:") || lowerMessage.includes("query") || message.includes('"iam".') || message.includes('"tenants"') || message.includes('"users"') || message.includes('"sessions"') || message.includes('"accounts"') || lowerMessage.includes("relation") || lowerMessage.includes("column") || lowerMessage.includes("syntax error") || lowerMessage.includes("database") || lowerMessage.includes("postgres") || lowerMessage.includes("sql");
-};
-var handleError = (error, c) => {
-  logger.error("API Error:", {
-    error,
-    path: c.req.path,
-    method: c.req.method,
-    url: c.req.url
-  });
-  if (error instanceof HTTPException) {
-    const message = isDatabaseErrorMessage(error.message) ? "An error occurred while processing your request" : error.message;
-    return c.json({ error: message }, error.status);
+  const prefixBits = Number.isFinite(ipv6SubnetBits) && ipv6SubnetBits >= 1 && ipv6SubnetBits <= 128 ? Math.floor(ipv6SubnetBits) : 64;
+  if (!s.includes(":")) {
+    const v4 = parseIpv4Dotted(s);
+    return v4 ? ipv4Key(v4) : `raw:${s}`;
   }
-  if (isDatabaseError(error)) {
-    const userMessage = sanitizeDatabaseError(error);
-    logger.error("Database error details:", {
-      code: error.code,
-      message: error.message,
-      detail: error.detail,
-      query: error.query,
-      parameters: error.parameters
-    });
-    return c.json({ error: userMessage }, 500);
+  const bytes = parseIpv6ToBytes(s);
+  if (!bytes) {
+    return `raw:${s}`;
   }
-  if (error instanceof Error) {
-    const message = error.message;
-    const lowerMessage = message.toLowerCase();
-    const isDatabaseError2 = lowerMessage.includes("failed query") || lowerMessage.includes("select") || lowerMessage.includes("insert") || lowerMessage.includes("update") || lowerMessage.includes("delete") || lowerMessage.includes("from") || lowerMessage.includes("where") || lowerMessage.includes("limit") || lowerMessage.includes("params:") || lowerMessage.includes("query") || message.includes('"iam".') || message.includes('"tenants"') || message.includes('"users"') || message.includes('"sessions"') || message.includes('"accounts"') || lowerMessage.includes("relation") || lowerMessage.includes("column") || lowerMessage.includes("syntax error") || lowerMessage.includes("duplicate key") || lowerMessage.includes("foreign key") || lowerMessage.includes("null value") || lowerMessage.includes("database") || lowerMessage.includes("postgres") || lowerMessage.includes("sql");
-    if (isDatabaseError2) {
-      logger.error("SQL/database error detected:", {
-        message: error.message,
-        stack: error.stack,
-        name: error.name
-      });
+  if (isIpv4MappedIpv6(bytes)) {
+    return ipv4Key(bytes.subarray(12, 16));
+  }
+  maskIpv6InPlace(bytes, prefixBits);
+  return `6:${bytesToHex(bytes)}`;
+}
+// src/lib/auth-rate-limit.ts
+var AUTH_RATE_LIMIT_POST_PATHS = /* @__PURE__ */ new Set([
+  "/check-account",
+  "/sign-in",
+  "/sign-up",
+  "/password/forgot",
+  "/password/reset",
+  "/password/set",
+  "/email/verification/request",
+  "/email/verification/confirm",
+  "/phone/verification/request",
+  "/phone/verification/confirm"
+]);
+var DEFAULT_MESSAGE = "Too many requests. Please wait before trying again.";
+var RL_PREFIX = "msb:rl:v1:";
+function getClientIp(c, headerName) {
+  const primary = c.req.header(headerName)?.trim();
+  if (primary) {
+    return primary;
+  }
+  const forwarded = c.req.header("x-forwarded-for")?.split(",")[0]?.trim();
+  if (forwarded) {
+    return forwarded;
+  }
+  return c.req.header("x-real-ip")?.trim() || "unknown";
+}
+function rateLimitKey(path, windowStart, ip) {
+  const bucket = path.replaceAll(/[^a-z0-9/-]/gi, "_");
+  return `${RL_PREFIX}${bucket}:${ip}:${windowStart}`;
+}
+async function checkAuthRateLimit(c, config) {
+  const rl = config.rateLimit;
+  if (!rl?.enabled) {
+    return { limited: false };
+  }
+  if (c.req.method !== "POST") {
+    return { limited: false };
+  }
+  const path = c.req.path;
+  if (!AUTH_RATE_LIMIT_POST_PATHS.has(path)) {
+    return { limited: false };
+  }
+  const rawIp = getClientIp(c, rl.ipHeader ?? "cf-connecting-ip");
+  const ipKey = rateLimitClientKey(rawIp, rl.ipv6Subnet ?? 64);
+  const now = Math.floor(Date.now() / 1e3);
+  const windowStart = Math.floor(now / rl.window) * rl.window;
+  const key = rateLimitKey(path, windowStart, ipKey);
+  const msg = rl.message ?? DEFAULT_MESSAGE;
+  const raw = await rl.kv.get(key);
+  let count = 0;
+  if (raw) {
+    try {
+      const parsed = JSON.parse(raw);
+      count = typeof parsed.n === "number" ? parsed.n : 0;
+    } catch {
+      count = 0;
+    }
+  }
+  if (count >= rl.max) {
+    return { limited: true, message: msg };
+  }
+  await rl.kv.put(key, JSON.stringify({ n: count + 1 }), {
+    expirationTtl: Math.min(rl.window * 2, 2147483647)
+  });
+  return { limited: false };
+}
+// src/middlewares/auth-rate-limit-middleware.ts
+var createAuthRateLimitMiddleware = (config) => {
+  return async (c, next) => {
+    const result = await checkAuthRateLimit(c, config);
+    if (result.limited) {
       return c.json(
-        { error: "An error occurred while processing your request" },
-        500
+        { error: result.message, code: "RATE_LIMITED" },
+        429
       );
     }
-    logger.error("Error details:", {
-      message: error.message,
-      stack: error.stack,
-      name: error.name
-    });
-    return c.json(
-      { error: "An error occurred while processing your request" },
-      500
-    );
-  }
-  logger.error("Unknown error:", error);
-  return c.json(
-    { error: "An error occurred while processing your request" },
-    500
-  );
+    await next();
+  };
 };
 // src/routes/index.ts
@@ -1283,6 +1631,19 @@ var checkAccountHandler = async (c) => {
   const resolvedTenantId = ensureTenantId(config, tenantId);
   const { username } = body;
   const isEmail = username.includes("@");
+  const disabledChannelResponse = {
+    exists: false,
+    verified: false,
+    hasPassword: false,
+    requiresPasswordSetup: false,
+    account: null
+  };
+  if (isEmail && !config.email.enabled) {
+    return c.json(disabledChannelResponse, 200);
+  }
+  if (!(isEmail || config.phone.enabled)) {
+    return c.json(disabledChannelResponse, 200);
+  }
   const userTypeFilter = sql4`${usersInIam.userType} @> ARRAY[${config.userType}]::text[]`;
   const whereClause = isEmail ? and6(
     eq6(usersInIam.tenantId, resolvedTenantId),
@@ -1818,6 +2179,7 @@ var signOutHandler = async (c) => {
       )
     );
   }
+  await invalidateSessionCacheForHashedToken(config, hashedToken);
   deleteSessionCookie(c, config);
   return c.json({ message: "Signed out" }, 200);
 };
@@ -1846,6 +2208,20 @@ var SignUpError = class extends Error {
     this.status = status;
   }
 };
+var normalizeSignupDomain = (value) => {
+  return value.trim().toLowerCase().replace(/^@/, "");
+};
+var isAllowedSignupEmail = (email, allowedDomains) => {
+  const domain = email.split("@")[1]?.toLowerCase();
+  if (!domain) {
+    return false;
+  }
+  const normalizedDomains = allowedDomains.map(normalizeSignupDomain).filter(Boolean);
+  if (normalizedDomains.length === 0) {
+    return true;
+  }
+  return normalizedDomains.includes(domain);
+};
 var signUpHandler = async (c) => {
   const body = c.req.valid("json");
   const config = c.get("config");
@@ -1857,7 +2233,19 @@ var signUpHandler = async (c) => {
   if (!identifier) {
     return c.json({ error: "Either email or phone is required" }, 409);
   }
+  if (config.signUp && !config.signUp.enabled) {
+    return c.json({ error: "Sign up is disabled" }, 403);
+  }
   const isEmail = identifier.includes("@");
+  if (isEmail && config.signUp && !config.signUp.emailEnabled) {
+    return c.json({ error: "Email sign up is disabled" }, 403);
+  }
+  if (!isEmail && config.signUp && !config.signUp.phoneEnabled) {
+    return c.json({ error: "Phone sign up is disabled" }, 403);
+  }
+  if (isEmail && config.signUp?.allowedEmailDomains && !isAllowedSignupEmail(identifier, config.signUp.allowedEmailDomains)) {
+    return c.json({ error: "Email domain is not allowed for sign up" }, 403);
+  }
   if (phone) {
     const phoneValidator = createPhoneField(config);
     if (!phoneValidator.validate(phone)) {
@@ -2578,6 +2966,12 @@ var emailVerificationConfirmHandler = async (c) => {
   if (result.status === "error") {
     return c.json({ error: result.error }, 400);
   }
+  await invalidateSessionCacheForUser(
+    config,
+    database,
+    result.user.id,
+    resolvedTenantId
+  );
   setSessionCookie(c, result.sessionToken, config, {
     expires: new Date(result.expiresAt)
   });
@@ -2833,6 +3227,12 @@ var changePasswordHandler = async (c) => {
       eq18(accountsInIam.provider, "credentials")
     )
   );
+  await invalidateSessionCacheForUser(
+    config,
+    database,
+    userId,
+    resolvedTenantId
+  );
   const currentSessionToken = getCookie2(c, getSessionCookieName(config));
   if (currentSessionToken) {
     const hashedToken = await hashToken(currentSessionToken, config.secret);
@@ -3113,6 +3513,12 @@ var resetPasswordHandler = async (c) => {
       eq20(accountsInIam.provider, "credentials")
     )
   );
+  await invalidateSessionCacheForUser(
+    config,
+    database,
+    verification.userId,
+    resolvedTenantId
+  );
   await database.delete(sessionsInIam).where(
     and20(
       eq20(sessionsInIam.tenantId, resolvedTenantId),
@@ -3952,6 +4358,12 @@ var phoneVerificationConfirmHandler = async (c) => {
   if (result.status === "error") {
     return c.json({ error: result.error }, 400);
   }
+  await invalidateSessionCacheForUser(
+    config,
+    database,
+    result.user.id,
+    resolvedTenantId
+  );
   if (!result.session) {
     return c.json(
       {
@@ -3987,6 +4399,14 @@ var phoneVerificationRequestHandler = async (c) => {
     return c.json({ error: "Phone authentication is disabled" }, 400);
   }
   const { phone, context } = body;
+  if (context === "sign-up" && config.signUp) {
+    if (!config.signUp.enabled) {
+      return c.json({ error: "Sign up is disabled" }, 400);
+    }
+    if (!config.signUp.phoneEnabled) {
+      return c.json({ error: "Phone sign up is disabled" }, 400);
+    }
+  }
   if (!phone) {
     return c.json({ error: "Phone required" }, 400);
   }
@@ -4350,6 +4770,12 @@ var updateProfileHandler = async (c) => {
   if (!updatedUser) {
     return c.json({ error: "User not found" }, 404);
   }
+  await invalidateSessionCacheForUser(
+    config,
+    database,
+    userId,
+    resolvedTenantId
+  );
   return c.json({ user: normalizeUser(updatedUser) }, 200);
 };
@@ -4370,6 +4796,12 @@ var updateEmailHandler = async (c) => {
     return c.json({ error: AUTH_ERRORS.UNAUTHORIZED }, 401);
   }
   const resolvedTenantId = ensureTenantId(config, tenantId);
+  await invalidateSessionCacheForUser(
+    config,
+    database,
+    userId,
+    resolvedTenantId
+  );
   if (user.email && session?.id) {
     await database.delete(sessionsInIam).where(
       and28(
@@ -4435,6 +4867,12 @@ var updatePhoneHandler = async (c) => {
     return c.json({ error: AUTH_ERRORS.UNAUTHORIZED }, 401);
   }
   const resolvedTenantId = ensureTenantId(config, tenantId);
+  await invalidateSessionCacheForUser(
+    config,
+    database,
+    userId,
+    resolvedTenantId
+  );
   const phoneValidator = createPhoneField(config);
   if (!phoneValidator.validate(body.phone)) {
     return c.json({ error: "Invalid phone number format" }, 400);
@@ -6100,12 +6538,14 @@ var listSessionsHandler = async (c) => {
 import { and as and45, eq as eq46 } from "drizzle-orm";
 var revokeAllSessionsHandler = async (c) => {
   const { userId } = c.req.valid("param");
+  const config = c.get("config");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
   const [user] = await database.select().from(usersInIam).where(and45(eq46(usersInIam.id, userId), eq46(usersInIam.tenantId, tenantId))).limit(1);
   if (!user) {
     return c.json({ error: "User not found" }, 404);
   }
+  await invalidateSessionCacheForUser(config, database, userId, tenantId);
   await database.delete(sessionsInIam).where(
     and45(
       eq46(sessionsInIam.tenantId, tenantId),
@@ -6125,6 +6565,8 @@ var revokeSessionHandler = async (c) => {
   if (!existing) {
     return c.json({ error: "Session not found" }, 404);
   }
+  const config = c.get("config");
+  await deleteSessionCacheKeys(config, [existing.token]);
   await database.delete(sessionsInIam).where(and46(eq47(sessionsInIam.id, id), eq47(sessionsInIam.tenantId, tenantId)));
   return c.json({ message: "Session revoked" }, 200);
 };
@@ -6728,6 +7170,12 @@ var assignUserRoleHandler = async (c) => {
       userId: body.userId,
       roleId: body.roleId
     }).returning();
+    await invalidateSessionCacheForUser(
+      config,
+      database,
+      body.userId,
+      resolvedTenantId
+    );
     return c.json({ userRole }, 201);
   } catch (error) {
     if (error && typeof error === "object" && "code" in error && error.code === "23505") {
@@ -6758,6 +7206,7 @@ var listUserRolesHandler = async (c) => {
 import { and as and49, eq as eq54 } from "drizzle-orm";
 var revokeUserRoleHandler = async (c) => {
   const { id } = c.req.valid("param");
+  const config = c.get("config");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
   const [existing] = await database.select().from(userRolesInIam).where(
@@ -6769,6 +7218,12 @@ var revokeUserRoleHandler = async (c) => {
   await database.delete(userRolesInIam).where(
     and49(eq54(userRolesInIam.id, id), eq54(userRolesInIam.tenantId, tenantId))
   );
+  await invalidateSessionCacheForUser(
+    config,
+    database,
+    existing.userId,
+    tenantId
+  );
   return c.json({ message: "Role revoked from user" }, 200);
 };
@@ -6900,6 +7355,7 @@ import { and as and50, eq as eq55, sql as sql25 } from "drizzle-orm";
 var banUserHandler = async (c) => {
   const { id } = c.req.valid("param");
   const body = c.req.valid("json");
+  const config = c.get("config");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
   const [existing] = await database.select().from(usersInIam).where(and50(eq55(usersInIam.id, id), eq55(usersInIam.tenantId, tenantId))).limit(1);
@@ -6918,6 +7374,7 @@ var banUserHandler = async (c) => {
   if (!userWithRoles) {
     return c.json({ error: "User not found" }, 404);
   }
+  await invalidateSessionCacheForUser(config, database, id, tenantId);
   return c.json({ user: normalizeUser(userWithRoles) }, 200);
 };
@@ -7501,6 +7958,7 @@ import { and as and56, eq as eq61, inArray as inArray7, sql as sql28 } from "dri
 var updateUserHandler = async (c) => {
   const { id } = c.req.valid("param");
   const body = c.req.valid("json");
+  const config = c.get("config");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
   const [existing] = await database.select().from(usersInIam).where(and56(eq61(usersInIam.id, id), eq61(usersInIam.tenantId, tenantId))).limit(1);
@@ -7600,6 +8058,7 @@ var updateUserHandler = async (c) => {
     userId: id,
     tenantId
   });
+  await invalidateSessionCacheForUser(config, database, id, tenantId);
   return c.json(
     {
       user: normalizeUser(userWithRoles ?? updated)
@@ -8178,26 +8637,14 @@ var loadSession = async ({
 }) => {
   try {
     const hashedToken = await hashToken(sessionToken, config.secret);
-    const session = await fetchSessionByToken({
-      database,
-      hashedToken,
-      tenantId: config.tenant?.tenantId || "tenant"
-    });
-    if (!session) {
-      return;
-    }
-    const user = await fetchUserWithRoles({
-      database,
-      userId: session.userId,
-      tenantId: session.tenantId
-    });
-    if (user) {
+    const pair = await loadSessionPair(database, config, hashedToken);
+    if (pair) {
       setAuthContext({
         c,
         config,
         database,
-        user,
-        session
+        user: pair.user,
+        session: pair.session
       });
     }
   } catch {
@@ -8235,6 +8682,9 @@ var createAuthRoutes = ({
   app.onError((error, c) => {
     return handleError(error, c);
   });
+  if (config.rateLimit?.enabled) {
+    app.use("*", createAuthRateLimitMiddleware(config));
+  }
   app.use(
     "*",
     createAuthMiddleware({
@@ -8457,12 +8907,9 @@ var createGetSession = (database, config) => {
     }
     try {
       const hashedToken = await hashToken(sessionToken, config.secret);
-      const session = await fetchSessionByToken({
-        database,
-        hashedToken,
-        tenantId: config.tenant?.tenantId || "tenant"
-      });
-      if (!session) {
+      const pair = await loadSessionPair(database, config, hashedToken);
+      if (!pair) {
+        await invalidateSessionCacheForHashedToken(config, hashedToken);
         deleteSessionCookie(c, config);
         return {
           session: null,
@@ -8471,25 +8918,7 @@ var createGetSession = (database, config) => {
           status: "invalid_session"
         };
       }
-      const user = await fetchUserWithRoles({
-        database,
-        userId: session.userId,
-        tenantId: session.tenantId
-      });
-      if (!user) {
-        await deleteSession({
-          database,
-          sessionId: session.id,
-          tenantId: session.tenantId
-        });
-        deleteSessionCookie(c, config);
-        return {
-          session: null,
-          user: null,
-          sessionToken: null,
-          status: "user_not_found"
-        };
-      }
+      let { session, user } = pair;
       const rememberMe = session.meta?.rememberMe !== false;
       const updateAge = getSessionUpdateAge({
         sessionConfig: config.session,
@@ -8509,12 +8938,8 @@ var createGetSession = (database, config) => {
         setSessionCookie(c, sessionToken, config, {
           expires: new Date(newExpiresAt)
         });
-        return {
-          session: { ...session, expiresAt: newExpiresAt },
-          user,
-          sessionToken,
-          status: "valid"
-        };
+        session = { ...session, expiresAt: newExpiresAt };
+        await writeSessionCache(config, hashedToken, { session, user });
       }
       return { session, user, sessionToken, status: "valid" };
     } catch {
@@ -8550,9 +8975,7 @@ var defaultAuthConfig = {
   docs: {
     enabled: true
   },
-  cookie: {
-    prefix: "msb"
-  },
+  prefix: "msb",
   session: {
     expiresIn: "7d",
     rememberMeExpiresIn: "30d",
@@ -8566,10 +8989,18 @@ var defaultAuthConfig = {
     ...defaultConfig,
     phoneRegex: defaultPhoneRegex
   },
+  signUp: {
+    enabled: true,
+    emailEnabled: true,
+    phoneEnabled: true,
+    allowedEmailDomains: []
+  },
   security: {
     maxLoginAttempts: 5,
     lockoutDuration: "15m"
-  }
+  },
+  sessionCache: { enabled: false },
+  rateLimit: { enabled: false }
 };
 // src/lib/cleanup.ts
@@ -8602,6 +9033,21 @@ var createMesobAuth = (authConfig) => {
       "AUTH_SECRET is required and must be a non-empty string. Please set AUTH_SECRET environment variable."
     );
   }
+  if (config.sessionCache?.enabled && !config.sessionCache.kv) {
+    throw new Error("sessionCache.kv is required when sessionCache.enabled");
+  }
+  if (config.rateLimit?.enabled) {
+    if (!config.rateLimit.kv) {
+      throw new Error("rateLimit.kv is required when rateLimit.enabled");
+    }
+    if (config.rateLimit.window < 1 || config.rateLimit.max < 1) {
+      throw new Error("rateLimit.window and rateLimit.max must be >= 1");
+    }
+    const ipv6s = config.rateLimit.ipv6Subnet;
+    if (ipv6s !== void 0 && (!Number.isFinite(ipv6s) || ipv6s < 1 || ipv6s > 128)) {
+      throw new Error("rateLimit.ipv6Subnet must be between 1 and 128");
+    }
+  }
   const database = createDatabase(config.connectionString);
   const routesApp = createAuthRoutes({ config, database });
   const basePath = config.basePath || "";
@@ -8630,14 +9076,23 @@ var createMesobAuth = (authConfig) => {
   };
 };
 export {
+  AUTH_RATE_LIMIT_POST_PATHS,
   cleanupExpiredData,
   cleanupExpiredSessions,
   cleanupExpiredVerifications,
+  createAuthRateLimitMiddleware,
   createDatabase,
   createMesobAuth,
   createSessionMiddleware,
   createTenantMiddleware,
+  deleteSessionCacheKeys,
+  getSessionCookieName,
+  getSessionKeyNamespace,
   hasPermission,
-  hasPermissionThrow
+  hasPermissionThrow,
+  invalidateSessionCacheForHashedToken,
+  invalidateSessionCacheForUser,
+  rateLimitClientKey,
+  sessionCacheKey
 };
 //# sourceMappingURL=index.js.map