@mesob/auth-hono 0.5.2 → 0.5.4

package/dist/index.js

@@ -327,6 +327,232 @@ var createDatabase = (connectionString) => {
 import { OpenAPIHono as OpenAPIHono17 } from "@hono/zod-openapi";
 import { getCookie as getCookie3 } from "hono/cookie";
 
+// src/lib/cookie.ts
+import { deleteCookie as honoDel, setCookie as honoSet } from "hono/cookie";
+var isProduction = process.env.NODE_ENV === "production";
+var getSessionKeyNamespace = (config) => {
+  const p = config.prefix?.trim();
+  return p && p.length > 0 ? p : "msb";
+};
+var getSessionCookieName = (config) => {
+  const prefix = config.prefix?.trim() || "";
+  const baseName = "session_token";
+  if (prefix) {
+    return `${prefix}_${baseName}`;
+  }
+  return isProduction ? "__Host-session_token" : baseName;
+};
+var setSessionCookie = (c, token, config, options) => {
+  const cookieName = getSessionCookieName(config);
+  const cookieOptions = {
+    httpOnly: true,
+    secure: isProduction,
+    sameSite: "Lax",
+    path: options.path || "/",
+    expires: options.expires,
+    ...isProduction && { domain: void 0 }
+    // __Host- requires no domain
+  };
+  honoSet(c, cookieName, token, cookieOptions);
+};
+var deleteSessionCookie = (c, config) => {
+  const cookieName = getSessionCookieName(config);
+  honoDel(c, cookieName, {
+    httpOnly: true,
+    secure: isProduction,
+    sameSite: "Lax",
+    path: "/",
+    expires: /* @__PURE__ */ new Date(0)
+  });
+};
+
+// src/lib/crypto.ts
+import { scrypt } from "@noble/hashes/scrypt.js";
+import { randomBytes } from "@noble/hashes/utils.js";
+var encoder = new TextEncoder();
+var randomHex = (bytes) => {
+  const arr = randomBytes(bytes);
+  return Array.from(arr, (b) => b.toString(16).padStart(2, "0")).join(
+    ""
+  );
+};
+var toHex = (buffer) => {
+  return Array.from(
+    buffer,
+    (b) => b.toString(16).padStart(2, "0")
+  ).join("");
+};
+var hexToBytes = (hex) => {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = Number.parseInt(hex.slice(i, i + 2), 16);
+  }
+  return bytes;
+};
+var SCRYPT_KEYLEN = 64;
+var SCRYPT_COST = 16384;
+var SCRYPT_BLOCK_SIZE = 8;
+var SCRYPT_PARALLELISM = 1;
+var hashPassword = async (password) => {
+  const salt = randomBytes(16);
+  const saltHex = toHex(salt);
+  const passwordBytes = encoder.encode(password);
+  const derivedKey = await Promise.resolve(
+    scrypt(passwordBytes, salt, {
+      N: SCRYPT_COST,
+      r: SCRYPT_BLOCK_SIZE,
+      p: SCRYPT_PARALLELISM,
+      dkLen: SCRYPT_KEYLEN
+    })
+  );
+  return `${saltHex}:${toHex(derivedKey)}`;
+};
+var verifyPassword = async (password, hashed) => {
+  if (!hashed) {
+    return false;
+  }
+  const [saltHex, keyHex] = hashed.split(":");
+  if (!(saltHex && keyHex)) {
+    return false;
+  }
+  const salt = hexToBytes(saltHex);
+  const passwordBytes = encoder.encode(password);
+  const derivedKey = await Promise.resolve(
+    scrypt(passwordBytes, salt, {
+      N: SCRYPT_COST,
+      r: SCRYPT_BLOCK_SIZE,
+      p: SCRYPT_PARALLELISM,
+      dkLen: SCRYPT_KEYLEN
+    })
+  );
+  const derived = toHex(derivedKey);
+  if (derived.length !== keyHex.length) {
+    return false;
+  }
+  let result = 0;
+  for (let i = 0; i < derived.length; i++) {
+    result |= derived.charCodeAt(i) ^ keyHex.charCodeAt(i);
+  }
+  return result === 0;
+};
+var hashToken = async (token, secret) => {
+  if (!secret || secret.length === 0) {
+    throw new Error(
+      "AUTH_SECRET is required and must be a non-empty string. Please set AUTH_SECRET environment variable."
+    );
+  }
+  const key = await crypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto.subtle.sign(
+    "HMAC",
+    key,
+    encoder.encode(token)
+  );
+  return toHex(new Uint8Array(signature));
+};
+var generateToken = (bytes = 48) => randomHex(bytes);
+
+// src/lib/error-handler.ts
+import { logger } from "@mesob/common";
+import { HTTPException } from "hono/http-exception";
+var isDatabaseError = (error) => {
+  if (typeof error !== "object" || error === null) {
+    return false;
+  }
+  if ("code" in error || "query" in error || "detail" in error) {
+    return true;
+  }
+  if (error instanceof Error) {
+    const message = error.message.toLowerCase();
+    return message.includes("failed query") || message.includes("relation") || message.includes("column") || message.includes("syntax error") || message.includes("duplicate key") || message.includes("foreign key") || message.includes("null value");
+  }
+  return false;
+};
+var sanitizeDatabaseError = (error) => {
+  const code = error.code;
+  if (code === "23505") {
+    return "Resource already exists";
+  }
+  if (code === "23503") {
+    return "Referenced resource not found";
+  }
+  if (code === "23502") {
+    return "Required field is missing";
+  }
+  if (code === "42P01") {
+    return "Resource not found";
+  }
+  if (code === "42703") {
+    return "Invalid request";
+  }
+  if (code === "23514") {
+    return "Validation failed";
+  }
+  return "An error occurred while processing your request";
+};
+var isDatabaseErrorMessage = (message) => {
+  const lowerMessage = message.toLowerCase();
+  return lowerMessage.includes("failed query") || lowerMessage.includes("select") || lowerMessage.includes("insert") || lowerMessage.includes("update") || lowerMessage.includes("delete") || lowerMessage.includes("from") || lowerMessage.includes("where") || lowerMessage.includes("limit") || lowerMessage.includes("params:") || lowerMessage.includes("query") || message.includes('"iam".') || message.includes('"tenants"') || message.includes('"users"') || message.includes('"sessions"') || message.includes('"accounts"') || lowerMessage.includes("relation") || lowerMessage.includes("column") || lowerMessage.includes("syntax error") || lowerMessage.includes("database") || lowerMessage.includes("postgres") || lowerMessage.includes("sql");
+};
+var handleError = (error, c) => {
+  logger.error("API Error:", {
+    error,
+    path: c.req.path,
+    method: c.req.method,
+    url: c.req.url
+  });
+  if (error instanceof HTTPException) {
+    const message = isDatabaseErrorMessage(error.message) ? "An error occurred while processing your request" : error.message;
+    return c.json({ error: message }, error.status);
+  }
+  if (isDatabaseError(error)) {
+    const userMessage = sanitizeDatabaseError(error);
+    logger.error("Database error details:", {
+      code: error.code,
+      message: error.message,
+      detail: error.detail,
+      query: error.query,
+      parameters: error.parameters
+    });
+    return c.json({ error: userMessage }, 500);
+  }
+  if (error instanceof Error) {
+    const message = error.message;
+    const lowerMessage = message.toLowerCase();
+    const isDatabaseError2 = lowerMessage.includes("failed query") || lowerMessage.includes("select") || lowerMessage.includes("insert") || lowerMessage.includes("update") || lowerMessage.includes("delete") || lowerMessage.includes("from") || lowerMessage.includes("where") || lowerMessage.includes("limit") || lowerMessage.includes("params:") || lowerMessage.includes("query") || message.includes('"iam".') || message.includes('"tenants"') || message.includes('"users"') || message.includes('"sessions"') || message.includes('"accounts"') || lowerMessage.includes("relation") || lowerMessage.includes("column") || lowerMessage.includes("syntax error") || lowerMessage.includes("duplicate key") || lowerMessage.includes("foreign key") || lowerMessage.includes("null value") || lowerMessage.includes("database") || lowerMessage.includes("postgres") || lowerMessage.includes("sql");
+    if (isDatabaseError2) {
+      logger.error("SQL/database error detected:", {
+        message: error.message,
+        stack: error.stack,
+        name: error.name
+      });
+      return c.json(
+        { error: "An error occurred while processing your request" },
+        500
+      );
+    }
+    logger.error("Error details:", {
+      message: error.message,
+      stack: error.stack,
+      name: error.name
+    });
+    return c.json(
+      { error: "An error occurred while processing your request" },
+      500
+    );
+  }
+  logger.error("Unknown error:", error);
+  return c.json(
+    { error: "An error occurred while processing your request" },
+    500
+  );
+};
+
 // src/db/orm/session.ts
 import { and, eq, gt } from "drizzle-orm";
 var fetchSessionByToken = async ({
@@ -384,6 +610,19 @@ var deleteSession = async ({
     )
   );
 };
+var listHashedTokensForUser = async ({
+  database,
+  userId,
+  tenantId
+}) => {
+  const rows = await database.select({ token: sessionsInIam.token }).from(sessionsInIam).where(
+    and(
+      eq(sessionsInIam.userId, userId),
+      eq(sessionsInIam.tenantId, tenantId)
+    )
+  );
+  return rows.map((r) => r.token);
+};
 
 // src/db/orm/tenant.ts
 import { and as and2, eq as eq2, sql as sql2 } from "drizzle-orm";
@@ -492,226 +731,335 @@ var fetchUserWithRoles = async ({
   return userResult || null;
 };
 
-// src/lib/cookie.ts
-import { deleteCookie as honoDel, setCookie as honoSet } from "hono/cookie";
-var isProduction = process.env.NODE_ENV === "production";
-var getSessionCookieName = (config) => {
-  const prefix = config.cookie?.prefix || "";
-  const baseName = "session_token";
-  if (prefix) {
-    return `${prefix}_${baseName}`;
+// src/lib/session-cache.ts
+var sessionCacheKey = (config, hashedToken) => `${getSessionKeyNamespace(config)}:sc:v1:${hashedToken}`;
+async function readSessionCache(config, hashedToken) {
+  const sc = config.sessionCache;
+  if (!sc?.enabled) {
+    return null;
   }
-  return isProduction ? "__Host-session_token" : baseName;
-};
-var setSessionCookie = (c, token, config, options) => {
-  const cookieName = getSessionCookieName(config);
-  const cookieOptions = {
-    httpOnly: true,
-    secure: isProduction,
-    sameSite: "Lax",
-    path: options.path || "/",
-    expires: options.expires,
-    ...isProduction && { domain: void 0 }
-    // __Host- requires no domain
-  };
-  honoSet(c, cookieName, token, cookieOptions);
-};
-var deleteSessionCookie = (c, config) => {
-  const cookieName = getSessionCookieName(config);
-  honoDel(c, cookieName, {
-    httpOnly: true,
-    secure: isProduction,
-    sameSite: "Lax",
-    path: "/",
-    expires: /* @__PURE__ */ new Date(0)
+  const raw = await sc.kv.get(sessionCacheKey(config, hashedToken));
+  if (!raw) {
+    return null;
+  }
+  try {
+    const parsed = JSON.parse(raw);
+    if (!parsed?.session?.expiresAt || new Date(parsed.session.expiresAt) <= /* @__PURE__ */ new Date()) {
+      await sc.kv.delete(sessionCacheKey(config, hashedToken));
+      return null;
+    }
+    return parsed;
+  } catch {
+    await sc.kv.delete(sessionCacheKey(config, hashedToken));
+    return null;
+  }
+}
+async function writeSessionCache(config, hashedToken, payload) {
+  const sc = config.sessionCache;
+  if (!sc?.enabled) {
+    return;
+  }
+  const ttl = sc.ttlSeconds ?? Math.max(
+    60,
+    Math.ceil(
+      (new Date(payload.session.expiresAt).getTime() - Date.now()) / 1e3
+    )
+  );
+  await sc.kv.put(
+    sessionCacheKey(config, hashedToken),
+    JSON.stringify(payload),
+    {
+      expirationTtl: Math.min(Math.max(ttl, 60), 2147483647)
+    }
+  );
+}
+async function deleteSessionCacheKeys(config, hashedTokens) {
+  const sc = config.sessionCache;
+  if (!sc?.enabled || hashedTokens.length === 0) {
+    return;
+  }
+  await Promise.all(
+    hashedTokens.map((t) => sc.kv.delete(sessionCacheKey(config, t)))
+  );
+}
+async function invalidateSessionCacheForHashedToken(config, hashedToken) {
+  await deleteSessionCacheKeys(config, [hashedToken]);
+}
+async function invalidateSessionCacheForUser(config, database, userId, tenantId) {
+  const tokens = await listHashedTokensForUser({
+    database,
+    userId,
+    tenantId
   });
-};
+  await deleteSessionCacheKeys(config, tokens);
+}
 
-// src/lib/crypto.ts
-import { scrypt } from "@noble/hashes/scrypt.js";
-import { randomBytes } from "@noble/hashes/utils.js";
-var encoder = new TextEncoder();
-var randomHex = (bytes) => {
-  const arr = randomBytes(bytes);
-  return Array.from(arr, (b) => b.toString(16).padStart(2, "0")).join(
-    ""
-  );
-};
-var toHex = (buffer) => {
-  return Array.from(
-    buffer,
-    (b) => b.toString(16).padStart(2, "0")
-  ).join("");
-};
-var hexToBytes = (hex) => {
-  const bytes = new Uint8Array(hex.length / 2);
-  for (let i = 0; i < hex.length; i += 2) {
-    bytes[i / 2] = Number.parseInt(hex.slice(i, i + 2), 16);
+// src/lib/load-session-pair.ts
+async function loadSessionPair(database, config, hashedToken) {
+  const cached = await readSessionCache(config, hashedToken);
+  if (cached) {
+    return { session: cached.session, user: cached.user };
+  }
+  const session = await fetchSessionByToken({
+    database,
+    hashedToken,
+    tenantId: config.tenant?.tenantId || "tenant"
+  });
+  if (!session) {
+    return null;
+  }
+  const user = await fetchUserWithRoles({
+    database,
+    userId: session.userId,
+    tenantId: session.tenantId
+  });
+  if (!user) {
+    await deleteSession({
+      database,
+      sessionId: session.id,
+      tenantId: session.tenantId
+    });
+    return null;
+  }
+  await writeSessionCache(config, hashedToken, { session, user });
+  return { session, user };
+}
+
+// src/lib/normalize-rate-limit-ip.ts
+function parseIpv4Dotted(s) {
+  const p = s.split(".");
+  if (p.length !== 4) {
+    return null;
+  }
+  const b = new Uint8Array(4);
+  for (let i = 0; i < 4; i++) {
+    if (!/^\d{1,3}$/.test(p[i])) {
+      return null;
+    }
+    const n = Number(p[i]);
+    if (!Number.isInteger(n) || n < 0 || n > 255) {
+      return null;
+    }
+    b[i] = n;
+  }
+  return b;
+}
+function ipv4Key(bytes) {
+  return `4:${bytes[0]}.${bytes[1]}.${bytes[2]}.${bytes[3]}`;
+}
+function maskIpv6InPlace(bytes, prefixBits) {
+  if (prefixBits >= 128) {
+    return;
+  }
+  const whole = Math.floor(prefixBits / 8);
+  const rem = prefixBits % 8;
+  if (rem === 0) {
+    for (let i = whole; i < 16; i++) {
+      bytes[i] = 0;
+    }
+  } else {
+    for (let i = whole + 1; i < 16; i++) {
+      bytes[i] = 0;
+    }
+    const keep = 255 << 8 - rem & 255;
+    bytes[whole] &= keep;
   }
-  return bytes;
-};
-var SCRYPT_KEYLEN = 64;
-var SCRYPT_COST = 16384;
-var SCRYPT_BLOCK_SIZE = 8;
-var SCRYPT_PARALLELISM = 1;
-var hashPassword = async (password) => {
-  const salt = randomBytes(16);
-  const saltHex = toHex(salt);
-  const passwordBytes = encoder.encode(password);
-  const derivedKey = await Promise.resolve(
-    scrypt(passwordBytes, salt, {
-      N: SCRYPT_COST,
-      r: SCRYPT_BLOCK_SIZE,
-      p: SCRYPT_PARALLELISM,
-      dkLen: SCRYPT_KEYLEN
-    })
-  );
-  return `${saltHex}:${toHex(derivedKey)}`;
-};
-var verifyPassword = async (password, hashed) => {
-  if (!hashed) {
-    return false;
+}
+function isIpv4MappedIpv6(bytes) {
+  for (let i = 0; i < 10; i++) {
+    if (bytes[i] !== 0) {
+      return false;
+    }
   }
-  const [saltHex, keyHex] = hashed.split(":");
-  if (!(saltHex && keyHex)) {
-    return false;
+  return bytes[10] === 255 && bytes[11] === 255;
+}
+function parseIpv6HextetsToBytes(s) {
+  const buf = new Uint8Array(16);
+  if (s === "") {
+    return buf;
   }
-  const salt = hexToBytes(saltHex);
-  const passwordBytes = encoder.encode(password);
-  const derivedKey = await Promise.resolve(
-    scrypt(passwordBytes, salt, {
-      N: SCRYPT_COST,
-      r: SCRYPT_BLOCK_SIZE,
-      p: SCRYPT_PARALLELISM,
-      dkLen: SCRYPT_KEYLEN
-    })
-  );
-  const derived = toHex(derivedKey);
-  if (derived.length !== keyHex.length) {
-    return false;
+  const double = s.includes("::");
+  if (double && s.split("::").length > 2) {
+    return null;
   }
-  let result = 0;
-  for (let i = 0; i < derived.length; i++) {
-    result |= derived.charCodeAt(i) ^ keyHex.charCodeAt(i);
+  const [leftRaw, rightRaw] = double ? s.split("::", 2) : [s, ""];
+  const left = leftRaw ? leftRaw.split(":").filter(Boolean) : [];
+  const right = rightRaw ? rightRaw.split(":").filter(Boolean) : [];
+  const partsLen = left.length + right.length;
+  if (double) {
+    if (partsLen > 8) {
+      return null;
+    }
+  } else if (partsLen !== 8) {
+    return null;
   }
-  return result === 0;
-};
-var hashToken = async (token, secret) => {
-  if (!secret || secret.length === 0) {
-    throw new Error(
-      "AUTH_SECRET is required and must be a non-empty string. Please set AUTH_SECRET environment variable."
-    );
+  const pad = double ? 8 - partsLen : 0;
+  const all = [...left, ...Array(pad).fill("0"), ...right];
+  if (all.length !== 8) {
+    return null;
   }
-  const key = await crypto.subtle.importKey(
-    "raw",
-    encoder.encode(secret),
-    { name: "HMAC", hash: "SHA-256" },
-    false,
-    ["sign"]
-  );
-  const signature = await crypto.subtle.sign(
-    "HMAC",
-    key,
-    encoder.encode(token)
-  );
-  return toHex(new Uint8Array(signature));
-};
-var generateToken = (bytes = 48) => randomHex(bytes);
-
-// src/lib/error-handler.ts
-import { logger } from "@mesob/common";
-import { HTTPException } from "hono/http-exception";
-var isDatabaseError = (error) => {
-  if (typeof error !== "object" || error === null) {
-    return false;
+  for (let i = 0; i < 8; i++) {
+    const h = all[i];
+    if (!h || h.includes(".")) {
+      return null;
+    }
+    const v = Number.parseInt(h, 16);
+    if (v > 65535 || Number.isNaN(v)) {
+      return null;
+    }
+    buf[i * 2] = v >> 8;
+    buf[i * 2 + 1] = v & 255;
   }
-  if ("code" in error || "query" in error || "detail" in error) {
-    return true;
+  return buf;
+}
+function parseIpv6ToBytes(address) {
+  let a = address.trim().toLowerCase();
+  if (a.startsWith("[") && a.endsWith("]")) {
+    a = a.slice(1, -1);
   }
-  if (error instanceof Error) {
-    const message = error.message.toLowerCase();
-    return message.includes("failed query") || message.includes("relation") || message.includes("column") || message.includes("syntax error") || message.includes("duplicate key") || message.includes("foreign key") || message.includes("null value");
+  const zi = a.indexOf("%");
+  if (zi >= 0) {
+    a = a.slice(0, zi);
   }
-  return false;
-};
-var sanitizeDatabaseError = (error) => {
-  const code = error.code;
-  if (code === "23505") {
-    return "Resource already exists";
+  if (a === "") {
+    return null;
   }
-  if (code === "23503") {
-    return "Referenced resource not found";
+  if (!a.includes(":")) {
+    const v4 = parseIpv4Dotted(a);
+    return v4 ? v4 : null;
+  }
+  const lastColon = a.lastIndexOf(":");
+  if (lastColon > 0) {
+    const maybeV4 = a.slice(lastColon + 1);
+    if (/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(maybeV4)) {
+      const v4b = parseIpv4Dotted(maybeV4);
+      if (!v4b) {
+        return null;
+      }
+      const prefix = a.slice(0, lastColon);
+      const w1 = v4b[0] << 8 | v4b[1];
+      const w2 = v4b[2] << 8 | v4b[3];
+      const tailHex = `${w1.toString(16)}:${w2.toString(16)}`;
+      let merged;
+      if (!prefix) {
+        merged = tailHex;
+      } else if (prefix.endsWith(":")) {
+        merged = `${prefix}${tailHex}`;
+      } else {
+        merged = `${prefix}:${tailHex}`;
+      }
+      return parseIpv6HextetsToBytes(merged);
+    }
   }
-  if (code === "23502") {
-    return "Required field is missing";
+  return parseIpv6HextetsToBytes(a);
+}
+function bytesToHex(bytes) {
+  let o = "";
+  for (let i = 0; i < bytes.length; i++) {
+    o += bytes[i].toString(16).padStart(2, "0");
   }
-  if (code === "42P01") {
-    return "Resource not found";
+  return o;
+}
+function rateLimitClientKey(raw, ipv6SubnetBits) {
+  const s = raw.trim();
+  if (!s || s === "unknown") {
+    return "unknown";
   }
-  if (code === "42703") {
-    return "Invalid request";
+  const prefixBits = Number.isFinite(ipv6SubnetBits) && ipv6SubnetBits >= 1 && ipv6SubnetBits <= 128 ? Math.floor(ipv6SubnetBits) : 64;
+  if (!s.includes(":")) {
+    const v4 = parseIpv4Dotted(s);
+    return v4 ? ipv4Key(v4) : `raw:${s}`;
   }
-  if (code === "23514") {
-    return "Validation failed";
+  const bytes = parseIpv6ToBytes(s);
+  if (!bytes) {
+    return `raw:${s}`;
   }
-  return "An error occurred while processing your request";
-};
-var isDatabaseErrorMessage = (message) => {
-  const lowerMessage = message.toLowerCase();
-  return lowerMessage.includes("failed query") || lowerMessage.includes("select") || lowerMessage.includes("insert") || lowerMessage.includes("update") || lowerMessage.includes("delete") || lowerMessage.includes("from") || lowerMessage.includes("where") || lowerMessage.includes("limit") || lowerMessage.includes("params:") || lowerMessage.includes("query") || message.includes('"iam".') || message.includes('"tenants"') || message.includes('"users"') || message.includes('"sessions"') || message.includes('"accounts"') || lowerMessage.includes("relation") || lowerMessage.includes("column") || lowerMessage.includes("syntax error") || lowerMessage.includes("database") || lowerMessage.includes("postgres") || lowerMessage.includes("sql");
-};
-var handleError = (error, c) => {
-  logger.error("API Error:", {
-    error,
-    path: c.req.path,
-    method: c.req.method,
-    url: c.req.url
-  });
-  if (error instanceof HTTPException) {
-    const message = isDatabaseErrorMessage(error.message) ? "An error occurred while processing your request" : error.message;
-    return c.json({ error: message }, error.status);
+  if (isIpv4MappedIpv6(bytes)) {
+    return ipv4Key(bytes.subarray(12, 16));
   }
-  if (isDatabaseError(error)) {
-    const userMessage = sanitizeDatabaseError(error);
-    logger.error("Database error details:", {
-      code: error.code,
-      message: error.message,
-      detail: error.detail,
-      query: error.query,
-      parameters: error.parameters
-    });
-    return c.json({ error: userMessage }, 500);
+  maskIpv6InPlace(bytes, prefixBits);
+  return `6:${bytesToHex(bytes)}`;
+}
+
+// src/lib/auth-rate-limit.ts
+var AUTH_RATE_LIMIT_POST_PATHS = /* @__PURE__ */ new Set([
+  "/check-account",
+  "/sign-in",
+  "/sign-up",
+  "/password/forgot",
+  "/password/reset",
+  "/password/set",
+  "/email/verification/request",
+  "/email/verification/confirm",
+  "/phone/verification/request",
+  "/phone/verification/confirm"
+]);
+var DEFAULT_MESSAGE = "Too many requests. Please wait before trying again.";
+var RL_PREFIX = "msb:rl:v1:";
+function getClientIp(c, headerName) {
+  const primary = c.req.header(headerName)?.trim();
+  if (primary) {
+    return primary;
+  }
+  const forwarded = c.req.header("x-forwarded-for")?.split(",")[0]?.trim();
+  if (forwarded) {
+    return forwarded;
+  }
+  return c.req.header("x-real-ip")?.trim() || "unknown";
+}
+function rateLimitKey(path, windowStart, ip) {
+  const bucket = path.replaceAll(/[^a-z0-9/-]/gi, "_");
+  return `${RL_PREFIX}${bucket}:${ip}:${windowStart}`;
+}
+async function checkAuthRateLimit(c, config) {
+  const rl = config.rateLimit;
+  if (!rl?.enabled) {
+    return { limited: false };
+  }
+  if (c.req.method !== "POST") {
+    return { limited: false };
+  }
+  const path = c.req.path;
+  if (!AUTH_RATE_LIMIT_POST_PATHS.has(path)) {
+    return { limited: false };
+  }
+  const rawIp = getClientIp(c, rl.ipHeader ?? "cf-connecting-ip");
+  const ipKey = rateLimitClientKey(rawIp, rl.ipv6Subnet ?? 64);
+  const now = Math.floor(Date.now() / 1e3);
+  const windowStart = Math.floor(now / rl.window) * rl.window;
+  const key = rateLimitKey(path, windowStart, ipKey);
+  const msg = rl.message ?? DEFAULT_MESSAGE;
+  const raw = await rl.kv.get(key);
+  let count = 0;
+  if (raw) {
+    try {
+      const parsed = JSON.parse(raw);
+      count = typeof parsed.n === "number" ? parsed.n : 0;
+    } catch {
+      count = 0;
+    }
   }
-  if (error instanceof Error) {
-    const message = error.message;
-    const lowerMessage = message.toLowerCase();
-    const isDatabaseError2 = lowerMessage.includes("failed query") || lowerMessage.includes("select") || lowerMessage.includes("insert") || lowerMessage.includes("update") || lowerMessage.includes("delete") || lowerMessage.includes("from") || lowerMessage.includes("where") || lowerMessage.includes("limit") || lowerMessage.includes("params:") || lowerMessage.includes("query") || message.includes('"iam".') || message.includes('"tenants"') || message.includes('"users"') || message.includes('"sessions"') || message.includes('"accounts"') || lowerMessage.includes("relation") || lowerMessage.includes("column") || lowerMessage.includes("syntax error") || lowerMessage.includes("duplicate key") || lowerMessage.includes("foreign key") || lowerMessage.includes("null value") || lowerMessage.includes("database") || lowerMessage.includes("postgres") || lowerMessage.includes("sql");
-    if (isDatabaseError2) {
-      logger.error("SQL/database error detected:", {
-        message: error.message,
-        stack: error.stack,
-        name: error.name
-      });
+  if (count >= rl.max) {
+    return { limited: true, message: msg };
+  }
+  await rl.kv.put(key, JSON.stringify({ n: count + 1 }), {
+    expirationTtl: Math.min(rl.window * 2, 2147483647)
+  });
+  return { limited: false };
+}
+
+// src/middlewares/auth-rate-limit-middleware.ts
+var createAuthRateLimitMiddleware = (config) => {
+  return async (c, next) => {
+    const result = await checkAuthRateLimit(c, config);
+    if (result.limited) {
       return c.json(
-        { error: "An error occurred while processing your request" },
-        500
+        { error: result.message, code: "RATE_LIMITED" },
+        429
       );
     }
-    logger.error("Error details:", {
-      message: error.message,
-      stack: error.stack,
-      name: error.name
-    });
-    return c.json(
-      { error: "An error occurred while processing your request" },
-      500
-    );
-  }
-  logger.error("Unknown error:", error);
-  return c.json(
-    { error: "An error occurred while processing your request" },
-    500
-  );
+    await next();
+  };
 };
 
 // src/routes/index.ts
@@ -932,7 +1280,10 @@ var normalizeAuthUser = (user) => ({
   phone: user.phone,
   image: user.image,
   emailVerified: user.emailVerified,
-  phoneVerified: user.phoneVerified
+  phoneVerified: user.phoneVerified,
+  roles: user.roles ?? null,
+  roleCodes: user.roleCodes ?? null,
+  permissions: user.permissions ?? null
 });
 var normalizeAuthSession = (session) => session ? {
   id: session.id,
@@ -1831,6 +2182,7 @@ var signOutHandler = async (c) => {
       )
     );
   }
+  await invalidateSessionCacheForHashedToken(config, hashedToken);
   deleteSessionCookie(c, config);
   return c.json({ message: "Signed out" }, 200);
 };
@@ -2617,6 +2969,12 @@ var emailVerificationConfirmHandler = async (c) => {
   if (result.status === "error") {
     return c.json({ error: result.error }, 400);
   }
+  await invalidateSessionCacheForUser(
+    config,
+    database,
+    result.user.id,
+    resolvedTenantId
+  );
   setSessionCookie(c, result.sessionToken, config, {
     expires: new Date(result.expiresAt)
   });
@@ -2872,6 +3230,12 @@ var changePasswordHandler = async (c) => {
       eq18(accountsInIam.provider, "credentials")
     )
   );
+  await invalidateSessionCacheForUser(
+    config,
+    database,
+    userId,
+    resolvedTenantId
+  );
   const currentSessionToken = getCookie2(c, getSessionCookieName(config));
   if (currentSessionToken) {
     const hashedToken = await hashToken(currentSessionToken, config.secret);
@@ -3152,6 +3516,12 @@ var resetPasswordHandler = async (c) => {
       eq20(accountsInIam.provider, "credentials")
     )
   );
+  await invalidateSessionCacheForUser(
+    config,
+    database,
+    verification.userId,
+    resolvedTenantId
+  );
   await database.delete(sessionsInIam).where(
     and20(
       eq20(sessionsInIam.tenantId, resolvedTenantId),
@@ -3991,6 +4361,12 @@ var phoneVerificationConfirmHandler = async (c) => {
   if (result.status === "error") {
     return c.json({ error: result.error }, 400);
   }
+  await invalidateSessionCacheForUser(
+    config,
+    database,
+    result.user.id,
+    resolvedTenantId
+  );
   if (!result.session) {
     return c.json(
       {
@@ -4397,6 +4773,12 @@ var updateProfileHandler = async (c) => {
   if (!updatedUser) {
     return c.json({ error: "User not found" }, 404);
   }
+  await invalidateSessionCacheForUser(
+    config,
+    database,
+    userId,
+    resolvedTenantId
+  );
   return c.json({ user: normalizeUser(updatedUser) }, 200);
 };
 
@@ -4417,6 +4799,12 @@ var updateEmailHandler = async (c) => {
     return c.json({ error: AUTH_ERRORS.UNAUTHORIZED }, 401);
   }
   const resolvedTenantId = ensureTenantId(config, tenantId);
+  await invalidateSessionCacheForUser(
+    config,
+    database,
+    userId,
+    resolvedTenantId
+  );
   if (user.email && session?.id) {
     await database.delete(sessionsInIam).where(
       and28(
@@ -4482,6 +4870,12 @@ var updatePhoneHandler = async (c) => {
     return c.json({ error: AUTH_ERRORS.UNAUTHORIZED }, 401);
   }
   const resolvedTenantId = ensureTenantId(config, tenantId);
+  await invalidateSessionCacheForUser(
+    config,
+    database,
+    userId,
+    resolvedTenantId
+  );
   const phoneValidator = createPhoneField(config);
   if (!phoneValidator.validate(body.phone)) {
     return c.json({ error: "Invalid phone number format" }, 400);
@@ -6147,12 +6541,14 @@ var listSessionsHandler = async (c) => {
 import { and as and45, eq as eq46 } from "drizzle-orm";
 var revokeAllSessionsHandler = async (c) => {
   const { userId } = c.req.valid("param");
+  const config = c.get("config");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
   const [user] = await database.select().from(usersInIam).where(and45(eq46(usersInIam.id, userId), eq46(usersInIam.tenantId, tenantId))).limit(1);
   if (!user) {
     return c.json({ error: "User not found" }, 404);
   }
+  await invalidateSessionCacheForUser(config, database, userId, tenantId);
   await database.delete(sessionsInIam).where(
     and45(
       eq46(sessionsInIam.tenantId, tenantId),
@@ -6172,6 +6568,8 @@ var revokeSessionHandler = async (c) => {
   if (!existing) {
     return c.json({ error: "Session not found" }, 404);
   }
+  const config = c.get("config");
+  await deleteSessionCacheKeys(config, [existing.token]);
   await database.delete(sessionsInIam).where(and46(eq47(sessionsInIam.id, id), eq47(sessionsInIam.tenantId, tenantId)));
   return c.json({ message: "Session revoked" }, 200);
 };
@@ -6775,6 +7173,12 @@ var assignUserRoleHandler = async (c) => {
       userId: body.userId,
       roleId: body.roleId
     }).returning();
+    await invalidateSessionCacheForUser(
+      config,
+      database,
+      body.userId,
+      resolvedTenantId
+    );
     return c.json({ userRole }, 201);
   } catch (error) {
     if (error && typeof error === "object" && "code" in error && error.code === "23505") {
@@ -6805,6 +7209,7 @@ var listUserRolesHandler = async (c) => {
 import { and as and49, eq as eq54 } from "drizzle-orm";
 var revokeUserRoleHandler = async (c) => {
   const { id } = c.req.valid("param");
+  const config = c.get("config");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
   const [existing] = await database.select().from(userRolesInIam).where(
@@ -6816,6 +7221,12 @@ var revokeUserRoleHandler = async (c) => {
   await database.delete(userRolesInIam).where(
     and49(eq54(userRolesInIam.id, id), eq54(userRolesInIam.tenantId, tenantId))
   );
+  await invalidateSessionCacheForUser(
+    config,
+    database,
+    existing.userId,
+    tenantId
+  );
   return c.json({ message: "Role revoked from user" }, 200);
 };
 
@@ -6947,6 +7358,7 @@ import { and as and50, eq as eq55, sql as sql25 } from "drizzle-orm";
 var banUserHandler = async (c) => {
   const { id } = c.req.valid("param");
   const body = c.req.valid("json");
+  const config = c.get("config");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
   const [existing] = await database.select().from(usersInIam).where(and50(eq55(usersInIam.id, id), eq55(usersInIam.tenantId, tenantId))).limit(1);
@@ -6965,6 +7377,7 @@ var banUserHandler = async (c) => {
   if (!userWithRoles) {
     return c.json({ error: "User not found" }, 404);
   }
+  await invalidateSessionCacheForUser(config, database, id, tenantId);
   return c.json({ user: normalizeUser(userWithRoles) }, 200);
 };
 
@@ -7548,6 +7961,7 @@ import { and as and56, eq as eq61, inArray as inArray7, sql as sql28 } from "dri
 var updateUserHandler = async (c) => {
   const { id } = c.req.valid("param");
   const body = c.req.valid("json");
+  const config = c.get("config");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
   const [existing] = await database.select().from(usersInIam).where(and56(eq61(usersInIam.id, id), eq61(usersInIam.tenantId, tenantId))).limit(1);
@@ -7647,6 +8061,7 @@ var updateUserHandler = async (c) => {
     userId: id,
     tenantId
   });
+  await invalidateSessionCacheForUser(config, database, id, tenantId);
   return c.json(
     {
       user: normalizeUser(userWithRoles ?? updated)
@@ -8225,26 +8640,14 @@ var loadSession = async ({
 }) => {
   try {
     const hashedToken = await hashToken(sessionToken, config.secret);
-    const session = await fetchSessionByToken({
-      database,
-      hashedToken,
-      tenantId: config.tenant?.tenantId || "tenant"
-    });
-    if (!session) {
-      return;
-    }
-    const user = await fetchUserWithRoles({
-      database,
-      userId: session.userId,
-      tenantId: session.tenantId
-    });
-    if (user) {
+    const pair = await loadSessionPair(database, config, hashedToken);
+    if (pair) {
       setAuthContext({
         c,
         config,
         database,
-        user,
-        session
+        user: pair.user,
+        session: pair.session
       });
     }
   } catch {
@@ -8282,6 +8685,9 @@ var createAuthRoutes = ({
   app.onError((error, c) => {
     return handleError(error, c);
   });
+  if (config.rateLimit?.enabled) {
+    app.use("*", createAuthRateLimitMiddleware(config));
+  }
   app.use(
     "*",
     createAuthMiddleware({
@@ -8504,12 +8910,9 @@ var createGetSession = (database, config) => {
     }
     try {
       const hashedToken = await hashToken(sessionToken, config.secret);
-      const session = await fetchSessionByToken({
-        database,
-        hashedToken,
-        tenantId: config.tenant?.tenantId || "tenant"
-      });
-      if (!session) {
+      const pair = await loadSessionPair(database, config, hashedToken);
+      if (!pair) {
+        await invalidateSessionCacheForHashedToken(config, hashedToken);
         deleteSessionCookie(c, config);
         return {
           session: null,
@@ -8518,25 +8921,7 @@ var createGetSession = (database, config) => {
           status: "invalid_session"
         };
       }
-      const user = await fetchUserWithRoles({
-        database,
-        userId: session.userId,
-        tenantId: session.tenantId
-      });
-      if (!user) {
-        await deleteSession({
-          database,
-          sessionId: session.id,
-          tenantId: session.tenantId
-        });
-        deleteSessionCookie(c, config);
-        return {
-          session: null,
-          user: null,
-          sessionToken: null,
-          status: "user_not_found"
-        };
-      }
+      let { session, user } = pair;
       const rememberMe = session.meta?.rememberMe !== false;
       const updateAge = getSessionUpdateAge({
         sessionConfig: config.session,
@@ -8556,12 +8941,8 @@ var createGetSession = (database, config) => {
         setSessionCookie(c, sessionToken, config, {
           expires: new Date(newExpiresAt)
         });
-        return {
-          session: { ...session, expiresAt: newExpiresAt },
-          user,
-          sessionToken,
-          status: "valid"
-        };
+        session = { ...session, expiresAt: newExpiresAt };
+        await writeSessionCache(config, hashedToken, { session, user });
       }
       return { session, user, sessionToken, status: "valid" };
     } catch {
@@ -8597,9 +8978,7 @@ var defaultAuthConfig = {
   docs: {
     enabled: true
   },
-  cookie: {
-    prefix: "msb"
-  },
+  prefix: "msb",
   session: {
     expiresIn: "7d",
     rememberMeExpiresIn: "30d",
@@ -8622,7 +9001,9 @@ var defaultAuthConfig = {
   security: {
     maxLoginAttempts: 5,
     lockoutDuration: "15m"
-  }
+  },
+  sessionCache: { enabled: false },
+  rateLimit: { enabled: false }
 };
 
 // src/lib/cleanup.ts
@@ -8655,6 +9036,21 @@ var createMesobAuth = (authConfig) => {
       "AUTH_SECRET is required and must be a non-empty string. Please set AUTH_SECRET environment variable."
     );
   }
+  if (config.sessionCache?.enabled && !config.sessionCache.kv) {
+    throw new Error("sessionCache.kv is required when sessionCache.enabled");
+  }
+  if (config.rateLimit?.enabled) {
+    if (!config.rateLimit.kv) {
+      throw new Error("rateLimit.kv is required when rateLimit.enabled");
+    }
+    if (config.rateLimit.window < 1 || config.rateLimit.max < 1) {
+      throw new Error("rateLimit.window and rateLimit.max must be >= 1");
+    }
+    const ipv6s = config.rateLimit.ipv6Subnet;
+    if (ipv6s !== void 0 && (!Number.isFinite(ipv6s) || ipv6s < 1 || ipv6s > 128)) {
+      throw new Error("rateLimit.ipv6Subnet must be between 1 and 128");
+    }
+  }
   const database = createDatabase(config.connectionString);
   const routesApp = createAuthRoutes({ config, database });
   const basePath = config.basePath || "";
@@ -8683,14 +9079,23 @@ var createMesobAuth = (authConfig) => {
   };
 };
 export {
+  AUTH_RATE_LIMIT_POST_PATHS,
   cleanupExpiredData,
   cleanupExpiredSessions,
   cleanupExpiredVerifications,
+  createAuthRateLimitMiddleware,
   createDatabase,
   createMesobAuth,
   createSessionMiddleware,
   createTenantMiddleware,
+  deleteSessionCacheKeys,
+  getSessionCookieName,
+  getSessionKeyNamespace,
   hasPermission,
-  hasPermissionThrow
+  hasPermissionThrow,
+  invalidateSessionCacheForHashedToken,
+  invalidateSessionCacheForUser,
+  rateLimitClientKey,
+  sessionCacheKey
 };
 //# sourceMappingURL=index.js.map