@mesob/auth-hono 0.5.2 → 0.5.4

package/dist/{index-CDgzxZzO.d.ts → index-v_uxUd8A.d.ts}

@@ -137,17 +137,54 @@ type SeedRole = {
     isEditable?: boolean;
     isDeletable?: boolean;
 };
-type CookieConfig = {
-    prefix?: string;
+/** KV subset for session cache + rate limits (e.g. Cloudflare KVNamespace). */
+type AuthKvStorage = {
+    get(key: string): Promise<string | null | undefined>;
+    put(key: string, value: string, options?: {
+        expirationTtl?: number;
+    }): Promise<void>;
+    delete(key: string): Promise<void>;
+};
+type SessionCacheConfig = {
+    enabled: false;
+} | {
+    enabled: true;
+    kv: AuthKvStorage;
+    /** Cache entry TTL in seconds */
+    ttlSeconds?: number;
+};
+type AuthRateLimitConfig = {
+    enabled: false;
+} | {
+    enabled: true;
+    kv: AuthKvStorage;
+    /** Window length in seconds */
+    window: number;
+    /** Max requests per window per IP (and per route bucket in impl) */
+    max: number;
+    /** Shown on 429 for auth-react */
+    message?: string;
+    /** Default cf-connecting-ip; impl may fall back to x-forwarded-for */
+    ipHeader?: string;
+    /**
+     * IPv6 rate-limit bucket: mask to this prefix length (1–128).
+     * 128 = full address; 64 = typical LAN; 48 / 32 = larger nets. Default 64.
+     * IPv4 always uses the full address. IPv4-mapped IPv6 → IPv4 key.
+     */
+    ipv6Subnet?: number;
 };
 type AuthConfig = {
     connectionString: string;
     userType: string;
     secret: string;
     basePath?: string;
+    /**
+     * Session cookie name + KV session cache key namespace (`{prefix}_session_token`, `{prefix}:sc:v1:…`).
+     * Default `msb`. Align with auth-react `prefix`.
+     */
+    prefix?: string;
     tenant?: TenantConfig;
     docs?: DocsConfig;
-    cookie?: CookieConfig;
     permissions?: PermissionTree;
     roles?: SeedRole[];
     session: SessionConfig;
@@ -155,6 +192,10 @@ type AuthConfig = {
     phone: PhoneConfig;
     signUp?: SignUpConfig;
     security?: SecurityConfig;
+    /** Session+user cache in KV; DB remains source of truth when disabled */
+    sessionCache?: SessionCacheConfig;
+    /** Abuse guard on unauthenticated auth routes; separate KV from sessionCache */
+    rateLimit?: AuthRateLimitConfig;
 };
 
 type CreateAuthRoutesOptions = {
@@ -172,4 +213,4 @@ type MesobAuth = {
     sessionMiddleware: hono.MiddlewareHandler;
 };
 
-export type { AuthConfig as A, MesobAuth as M, SessionStatus as S, Tenant as T, User as U, SendInvitationParams as a, SendVerificationOTPParams as b, Session as c, SeedRole as d, SessionConfig as e };
+export type { AuthConfig as A, MesobAuth as M, SessionStatus as S, Tenant as T, User as U, AuthEnv as a, AuthKvStorage as b, AuthRateLimitConfig as c, SendInvitationParams as d, SendVerificationOTPParams as e, Session as f, SessionCacheConfig as g, SeedRole as h, SessionConfig as i };

package/dist/index.d.ts

@@ -1,10 +1,15 @@
-import { A as AuthConfig, M as MesobAuth } from './index-CDgzxZzO.js';
-export { a as SendInvitationParams, b as SendVerificationOTPParams, c as Session, S as SessionStatus, T as Tenant, U as User } from './index-CDgzxZzO.js';
+import { A as AuthConfig, a as AuthEnv, M as MesobAuth } from './index-v_uxUd8A.js';
+export { b as AuthKvStorage, c as AuthRateLimitConfig, d as SendInvitationParams, e as SendVerificationOTPParams, f as Session, g as SessionCacheConfig, S as SessionStatus, T as Tenant, U as User } from './index-v_uxUd8A.js';
 import { D as Database } from './index-Dhe5obDc.js';
 export { c as createDatabase } from './index-Dhe5obDc.js';
+export { AUTH_RATE_LIMIT_POST_PATHS } from './lib/auth-rate-limit.js';
 export { cleanupExpiredData, cleanupExpiredSessions, cleanupExpiredVerifications } from './lib/cleanup.js';
+export { getSessionCookieName, getSessionKeyNamespace } from './lib/cookie.js';
 export { hasPermission, hasPermissionThrow } from './lib/has-role-permission.js';
+export { rateLimitClientKey } from './lib/normalize-rate-limit-ip.js';
+export { deleteSessionCacheKeys, invalidateSessionCacheForHashedToken, invalidateSessionCacheForUser, sessionCacheKey } from './lib/session-cache.js';
 import * as hono from 'hono';
+import { MiddlewareHandler } from 'hono';
 import '@hono/zod-openapi';
 import '@mesob/common';
 import 'drizzle-orm/node-postgres';
@@ -12,10 +17,12 @@ import 'drizzle-orm';
 import 'drizzle-orm/pg-core';
 import 'pg';
 
+declare const createAuthRateLimitMiddleware: (config: AuthConfig) => MiddlewareHandler<AuthEnv>;
+
 declare const createSessionMiddleware: () => hono.MiddlewareHandler<any, string, {}, Response>;
 
 declare const createTenantMiddleware: (database: Database, config: AuthConfig) => hono.MiddlewareHandler<any, string, {}, Response>;
 
 declare const createMesobAuth: (authConfig: AuthConfig) => MesobAuth;
 
-export { AuthConfig, Database, MesobAuth, createMesobAuth, createSessionMiddleware, createTenantMiddleware };
+export { AuthConfig, Database, MesobAuth, createAuthRateLimitMiddleware, createMesobAuth, createSessionMiddleware, createTenantMiddleware };