@mostajs/auth 2.5.2 → 3.0.2

package/dist/components/MfaChallenge.d.ts

@@ -0,0 +1,17 @@
+export interface MfaChallengeProps {
+    /** POST endpoint qui valide TOTP ou backup code. */
+    verifyEndpoint: string;
+    /** Callback quand la vérification réussit. */
+    onSuccess: (result: {
+        method: 'totp' | 'backup_code';
+        remainingBackupCodes: number;
+    }) => void;
+    /** Callback quand l'user annule (back to login). */
+    onCancel?: () => void;
+    /** Fetch implementation (test override). */
+    fetchImpl?: typeof fetch;
+    /** Préremplit l'input — utile en flow re-enter (ex: mobile autofill). */
+    initialCode?: string;
+}
+export declare function MfaChallenge(props: MfaChallengeProps): import("react/jsx-runtime").JSX.Element;
+export default MfaChallenge;

package/dist/components/MfaChallenge.js

@@ -0,0 +1,55 @@
+// @mostajs/auth — <MfaChallenge/> — Lot 4 / v2.9.0+
+// Author: Dr Hamid MADANI <drmdh@msn.com>
+//
+// Composant invoqué pendant le login quand le user a un facteur TOTP enabled.
+// Accepte soit un code TOTP 6 chiffres, soit un backup code "XXXX-XXXX" — le
+// serveur fait la discrimination (cf. lib/mfa-totp.ts > verifyMfaCode).
+//
+// Le composant est volontairement headless côté visuel (zéro CSS framework
+// imposé), branche-toi sur les classes `mostajs-mfa-*`.
+'use client';
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { useState } from 'react';
+export function MfaChallenge(props) {
+    const fetchImpl = props.fetchImpl ?? fetch;
+    const [mode, setMode] = useState('totp');
+    const [code, setCode] = useState(props.initialCode ?? '');
+    const [error, setError] = useState(null);
+    const [submitting, setSubmitting] = useState(false);
+    async function handleSubmit(e) {
+        e.preventDefault();
+        setError(null);
+        setSubmitting(true);
+        try {
+            const res = await fetchImpl(props.verifyEndpoint, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: JSON.stringify({ code: code.trim() }),
+            });
+            const result = await res.json();
+            if (!res.ok || result.ok !== true) {
+                setError(result.reason ?? 'wrong_code');
+                return;
+            }
+            props.onSuccess({
+                method: result.method,
+                remainingBackupCodes: result.remainingBackupCodes ?? 0,
+            });
+        }
+        catch (err) {
+            setError(err.message);
+        }
+        finally {
+            setSubmitting(false);
+        }
+    }
+    const isTotp = mode === 'totp';
+    const placeholder = isTotp ? '000000' : 'XXXX-XXXX';
+    const inputMode = isTotp ? 'numeric' : 'text';
+    const pattern = isTotp ? '[0-9]{6}' : undefined;
+    const maxLength = isTotp ? 6 : 9;
+    return (_jsxs("form", { className: "mostajs-mfa-challenge", onSubmit: handleSubmit, role: "dialog", "aria-labelledby": "mfa-challenge-title", children: [_jsx("h2", { id: "mfa-challenge-title", children: "V\u00E9rification \u00E0 deux facteurs" }), _jsx("p", { children: isTotp
+                    ? 'Saisis le code à 6 chiffres affiché par ton application d\'authentification.'
+                    : 'Saisis l\'un de tes 10 codes de secours.' }), _jsx("input", { type: "text", inputMode: inputMode, autoComplete: "one-time-code", autoFocus: true, pattern: pattern, maxLength: maxLength, value: code, onChange: (e) => setCode(e.target.value), placeholder: placeholder, className: "mostajs-mfa-code-input", "aria-label": isTotp ? 'Code TOTP' : 'Code de secours', required: true }), error && (_jsx("p", { className: "mostajs-mfa-error", role: "alert", children: "Code incorrect, r\u00E9essaie." })), _jsxs("div", { className: "mostajs-mfa-actions", children: [_jsx("button", { type: "submit", disabled: submitting || code.length === 0, children: submitting ? 'Vérification…' : 'Valider' }), _jsx("button", { type: "button", className: "mostajs-mfa-link", onClick: () => { setMode(isTotp ? 'backup' : 'totp'); setCode(''); setError(null); }, children: isTotp ? 'Utiliser un code de secours' : 'Utiliser un code TOTP' }), props.onCancel && (_jsx("button", { type: "button", className: "mostajs-mfa-link", onClick: props.onCancel, children: "Annuler" }))] })] }));
+}
+export default MfaChallenge;

package/dist/components/MfaEnrollDialog.d.ts

@@ -0,0 +1,18 @@
+export interface MfaEnrollDialogProps {
+    /** Issuer affiché dans l'authenticator (ex: "Octonet"). */
+    issuer: string;
+    /** Email/login de l'user — affiché dans l'authenticator. */
+    accountName: string;
+    /** POST endpoint qui démarre l'enroll (retourne EnrollResult). */
+    enrollEndpoint: string;
+    /** POST endpoint qui confirme l'enrollment avec un code TOTP. */
+    confirmEndpoint: string;
+    /** Callback quand l'user a fini (succès). */
+    onComplete?: () => void;
+    /** Callback quand l'user annule. */
+    onCancel?: () => void;
+    /** Fetch implementation (test override). */
+    fetchImpl?: typeof fetch;
+}
+export declare function MfaEnrollDialog(props: MfaEnrollDialogProps): import("react/jsx-runtime").JSX.Element;
+export default MfaEnrollDialog;

package/dist/components/MfaEnrollDialog.js

@@ -0,0 +1,72 @@
+// @mostajs/auth — <MfaEnrollDialog/> — Lot 4 / v2.9.0+
+// Author: Dr Hamid MADANI <drmdh@msn.com>
+//
+// Dialogue 3-étapes pour enroller un facteur TOTP :
+//   1. Affiche le QR code + secret base32 fallback
+//   2. Affiche les 10 backup codes UNE SEULE FOIS — l'user doit confirmer
+//      qu'il les a sauvegardés avant de continuer
+//   3. Demande un premier code TOTP courant pour confirmer la lecture
+//
+// Composant 'use client' minimal (pas de framework UI imposé). Les classes CSS
+// sont des hooks (`mostajs-mfa-*`) que le consumer style librement.
+'use client';
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import React, { useState } from 'react';
+export function MfaEnrollDialog(props) {
+    const fetchImpl = props.fetchImpl ?? fetch;
+    const [step, setStep] = useState('loading');
+    const [data, setData] = useState(null);
+    const [code, setCode] = useState('');
+    const [error, setError] = useState(null);
+    const [acknowledged, setAcknowledged] = useState(false);
+    React.useEffect(() => {
+        let cancelled = false;
+        (async () => {
+            try {
+                const res = await fetchImpl(props.enrollEndpoint, {
+                    method: 'POST',
+                    headers: { 'content-type': 'application/json' },
+                    body: JSON.stringify({ accountName: props.accountName, issuer: props.issuer }),
+                });
+                if (!res.ok)
+                    throw new Error(`Enroll failed (${res.status})`);
+                const payload = (await res.json());
+                if (cancelled)
+                    return;
+                setData(payload);
+                setStep('show-qr');
+            }
+            catch (e) {
+                if (cancelled)
+                    return;
+                setError(e.message);
+                setStep('error');
+            }
+        })();
+        return () => { cancelled = true; };
+    }, []);
+    async function handleConfirm() {
+        if (!data)
+            return;
+        setError(null);
+        try {
+            const res = await fetchImpl(props.confirmEndpoint, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: JSON.stringify({ factorId: data.factorId, code: code.replace(/\s/g, '') }),
+            });
+            const result = await res.json();
+            if (!res.ok || result.ok !== true) {
+                setError(result.reason ?? 'wrong_code');
+                return;
+            }
+            setStep('done');
+            props.onComplete?.();
+        }
+        catch (e) {
+            setError(e.message);
+        }
+    }
+    return (_jsxs("div", { className: "mostajs-mfa-enroll", role: "dialog", "aria-labelledby": "mfa-enroll-title", children: [_jsx("h2", { id: "mfa-enroll-title", children: "Activer l'authentification \u00E0 deux facteurs" }), step === 'loading' && _jsx("p", { children: "Pr\u00E9paration du facteur..." }), step === 'show-qr' && data && (_jsxs("div", { className: "mostajs-mfa-step", children: [_jsx("p", { children: "1. Scanne ce QR code avec ton application d'authentification (Google Authenticator, Authy, 1Password\u2026)." }), _jsx("img", { src: data.qrCodeDataUrl, alt: "QR code TOTP", width: 240, height: 240 }), _jsxs("details", { children: [_jsx("summary", { children: "Ne peux pas scanner ? Saisis ce code manuellement" }), _jsx("code", { className: "mostajs-mfa-secret", children: data.secret })] }), _jsx("button", { type: "button", onClick: () => setStep('show-backup-codes'), children: "Continuer" }), _jsx("button", { type: "button", onClick: () => props.onCancel?.(), children: "Annuler" })] })), step === 'show-backup-codes' && data && (_jsxs("div", { className: "mostajs-mfa-step", children: [_jsxs("p", { children: [_jsx("strong", { children: "2. Sauvegarde tes 10 codes de secours" }), " \u2014 utilise-les si tu perds ton appareil. Ils ne seront ", _jsx("strong", { children: "plus jamais affich\u00E9s" }), "."] }), _jsx("ul", { className: "mostajs-mfa-backup-codes", children: data.backupCodes.map((c) => _jsx("li", { children: _jsx("code", { children: c }) }, c)) }), _jsxs("label", { children: [_jsx("input", { type: "checkbox", checked: acknowledged, onChange: (e) => setAcknowledged(e.target.checked) }), "J'ai sauvegard\u00E9 ces codes dans un endroit s\u00FBr."] }), _jsx("button", { type: "button", onClick: () => setStep('confirm-code'), disabled: !acknowledged, children: "Continuer" })] })), step === 'confirm-code' && (_jsxs("div", { className: "mostajs-mfa-step", children: [_jsx("p", { children: "3. Saisis un code de 6 chiffres affich\u00E9 par ton application pour confirmer." }), _jsx("input", { type: "text", inputMode: "numeric", autoComplete: "one-time-code", pattern: "[0-9]{6}", maxLength: 6, value: code, onChange: (e) => setCode(e.target.value), placeholder: "000000", className: "mostajs-mfa-code-input" }), error && _jsx("p", { className: "mostajs-mfa-error", role: "alert", children: "Code incorrect, r\u00E9essaie." }), _jsx("button", { type: "button", onClick: handleConfirm, disabled: code.length !== 6, children: "Confirmer" })] })), step === 'done' && (_jsx("div", { className: "mostajs-mfa-step", children: _jsx("p", { children: "\u2713 Authentification \u00E0 deux facteurs activ\u00E9e." }) })), step === 'error' && (_jsxs("div", { className: "mostajs-mfa-step", role: "alert", children: [_jsxs("p", { children: ["Erreur : ", error] }), _jsx("button", { type: "button", onClick: () => props.onCancel?.(), children: "Fermer" })] }))] }));
+}
+export default MfaEnrollDialog;

package/dist/components/PasskeyLoginButton.d.ts

@@ -0,0 +1,20 @@
+export interface PasskeyLoginButtonProps {
+    /** POST endpoint qui retourne PublicKeyCredentialRequestOptionsJSON. */
+    startEndpoint: string;
+    /** POST endpoint qui prend AuthenticationResponseJSON + retourne {ok, userId}. */
+    finishEndpoint: string;
+    /** Mode d'usage attendu — 'primary' pour login passwordless, 'factor' pour 2nd touch. */
+    expectedUsage: 'primary' | 'factor';
+    /** Callback succès. */
+    onSuccess?: (info: {
+        userId: string;
+        credentialId: string;
+    }) => void;
+    onError?: (err: Error) => void;
+    label?: string;
+    disabled?: boolean;
+    className?: string;
+    fetchImpl?: typeof fetch;
+}
+export declare function PasskeyLoginButton(props: PasskeyLoginButtonProps): import("react/jsx-runtime").JSX.Element;
+export default PasskeyLoginButton;

package/dist/components/PasskeyLoginButton.js

@@ -0,0 +1,53 @@
+// @mostajs/auth — <PasskeyLoginButton/> — Lot 5 / v2.10.0+
+// Author: Dr Hamid MADANI <drmdh@msn.com>
+//
+// Bouton qui orchestre la cérémonie WebAuthn authentication côté client.
+// Mode primary : l'user clique sans avoir saisi son email — le browser propose
+// les passkeys discoverable. Mode factor : appelé après password OK pour 2nd touch.
+//
+// Pour l'autofill (conditional UI), utiliser à la place un useEffect avec
+// `startAuthentication({ optionsJSON, useBrowserAutofill: true })` sur l'input email
+// — exemple dans la doc.
+'use client';
+import { jsx as _jsx } from "react/jsx-runtime";
+import { useState } from 'react';
+import { startAuthentication } from '@simplewebauthn/browser';
+export function PasskeyLoginButton(props) {
+    const fetchImpl = props.fetchImpl ?? fetch;
+    const [busy, setBusy] = useState(false);
+    async function handleClick() {
+        setBusy(true);
+        try {
+            const optsRes = await fetchImpl(props.startEndpoint, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: JSON.stringify({ expectedUsage: props.expectedUsage }),
+            });
+            if (!optsRes.ok)
+                throw new Error(`start failed (${optsRes.status})`);
+            const opts = await optsRes.json();
+            const response = await startAuthentication(opts);
+            const finRes = await fetchImpl(props.finishEndpoint, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: JSON.stringify({ response, expectedUsage: props.expectedUsage }),
+            });
+            const result = await finRes.json();
+            if (!finRes.ok || result.ok !== true) {
+                throw new Error(result.reason ?? 'auth_failed');
+            }
+            props.onSuccess?.({ userId: result.userId, credentialId: result.credentialId });
+        }
+        catch (e) {
+            props.onError?.(e);
+        }
+        finally {
+            setBusy(false);
+        }
+    }
+    const defaultLabel = props.expectedUsage === 'primary'
+        ? 'Se connecter avec une passkey'
+        : 'Confirmer avec ma passkey';
+    return (_jsx("button", { type: "button", onClick: handleClick, disabled: busy || props.disabled, className: `mostajs-passkey-login ${props.className ?? ''}`, children: busy ? 'Vérification…' : (props.label ?? defaultLabel) }));
+}
+export default PasskeyLoginButton;

package/dist/components/PasskeyRegisterButton.d.ts

@@ -0,0 +1,26 @@
+export interface PasskeyRegisterButtonProps {
+    /** POST endpoint qui retourne PublicKeyCredentialCreationOptionsJSON. */
+    startEndpoint: string;
+    /** POST endpoint qui prend la RegistrationResponseJSON + retourne {ok, record}. */
+    finishEndpoint: string;
+    /** Label utilisateur du device (rempli côté composant ou fourni). */
+    deviceName?: string;
+    /** Mode d'usage prévu (default 'both'). */
+    usage?: 'primary' | 'factor' | 'both';
+    /** Callback succès. */
+    onSuccess?: (info: {
+        credentialId: string;
+    }) => void;
+    /** Callback erreur. */
+    onError?: (err: Error) => void;
+    /** Texte du bouton. */
+    label?: string;
+    /** Disabled state externe. */
+    disabled?: boolean;
+    /** className passthrough. */
+    className?: string;
+    /** Fetch implementation (test override). */
+    fetchImpl?: typeof fetch;
+}
+export declare function PasskeyRegisterButton(props: PasskeyRegisterButtonProps): import("react/jsx-runtime").JSX.Element;
+export default PasskeyRegisterButton;

package/dist/components/PasskeyRegisterButton.js

@@ -0,0 +1,47 @@
+// @mostajs/auth — <PasskeyRegisterButton/> — Lot 5 / v2.10.0+
+// Author: Dr Hamid MADANI <drmdh@msn.com>
+//
+// Bouton qui orchestre la cérémonie WebAuthn registration côté client :
+//   1. POST endpoint start → reçoit PublicKeyCredentialCreationOptionsJSON
+//   2. startRegistration() de @simplewebauthn/browser ouvre le prompt natif
+//   3. POST endpoint finish avec la réponse → user enrolled
+'use client';
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { useState } from 'react';
+import { startRegistration } from '@simplewebauthn/browser';
+export function PasskeyRegisterButton(props) {
+    const fetchImpl = props.fetchImpl ?? fetch;
+    const [busy, setBusy] = useState(false);
+    const [name, setName] = useState(props.deviceName ?? '');
+    async function handleClick() {
+        setBusy(true);
+        try {
+            // Étape 1 : récupère les options du serveur.
+            const optsRes = await fetchImpl(props.startEndpoint, { method: 'POST' });
+            if (!optsRes.ok)
+                throw new Error(`start failed (${optsRes.status})`);
+            const opts = await optsRes.json();
+            // Étape 2 : prompt natif WebAuthn (TouchID / Face ID / YubiKey / passkey iCloud).
+            const response = await startRegistration(opts);
+            // Étape 3 : poste la réponse au serveur pour vérification + persistance.
+            const finRes = await fetchImpl(props.finishEndpoint, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: JSON.stringify({ response, deviceName: name || undefined, usage: props.usage ?? 'both' }),
+            });
+            const result = await finRes.json();
+            if (!finRes.ok || result.ok !== true) {
+                throw new Error(result.reason ?? 'finish_failed');
+            }
+            props.onSuccess?.({ credentialId: result.record?.credentialId ?? response.id });
+        }
+        catch (e) {
+            props.onError?.(e);
+        }
+        finally {
+            setBusy(false);
+        }
+    }
+    return (_jsxs("div", { className: `mostajs-passkey-register ${props.className ?? ''}`, children: [_jsx("input", { type: "text", placeholder: "Nom du device (ex: iPhone 15, YubiKey)", value: name, onChange: (e) => setName(e.target.value), disabled: busy, className: "mostajs-passkey-name-input" }), _jsx("button", { type: "button", onClick: handleClick, disabled: busy || props.disabled, children: busy ? 'Enregistrement…' : (props.label ?? 'Ajouter une passkey') })] }));
+}
+export default PasskeyRegisterButton;

package/dist/lib/account-lifecycle.d.ts

@@ -0,0 +1,130 @@
+/**
+ * Chaque module sibling implémente cette interface pour participer au purge/export.
+ * Le consumer collecte les hooks et les passe à `lib/account-lifecycle` au boot.
+ */
+export interface DataSubjectHook {
+    /** Identifiant lisible du module pour audit ('rbac', 'auth', 'storage', 'payment', …). */
+    module: string;
+    /**
+     * Renvoie les données de l'user en une structure JSON-serializable.
+     * Format libre — chaque module met ce qu'il a (table users → row, table refresh_tokens → liste, …).
+     * Utilisé par export RGPD.
+     */
+    exportUserData(userId: string): Promise<unknown>;
+    /**
+     * Supprime DÉFINITIVEMENT toutes les données de l'user.
+     * Idempotent. Doit être atomique côté module (transaction si possible).
+     * Retourne le nombre de rows supprimées (audit trail).
+     */
+    purgeUserData(userId: string): Promise<{
+        rowsDeleted: number;
+    }>;
+}
+export interface DeletionTokenConfig {
+    /** Secret HMAC (≥ 32 bytes). À fournir via @mostajs/config. */
+    secret: string;
+    /** TTL en secondes — RFC RGPD : pas de bornes ; choix safe ≤ 24h pour limiter exposition. */
+    ttlSec?: number;
+}
+declare function base64urlJSON(obj: unknown): string;
+declare function hmacSign(payloadB64: string, secret: string): string;
+export declare function generateDeletionToken(config: DeletionTokenConfig, userId: string): {
+    token: string;
+    nonce: string;
+    expiresAt: Date;
+};
+export type VerifyDeletionResult = {
+    ok: true;
+    userId: string;
+    nonce: string;
+} | {
+    ok: false;
+    reason: 'malformed' | 'bad_signature' | 'expired';
+};
+export declare function verifyDeletionToken(config: DeletionTokenConfig, token: string): VerifyDeletionResult;
+declare function constantTimeEqual(a: string, b: string): boolean;
+export interface DeletionNonceRepo {
+    /** Persiste un nonce avec son expiration. Throw si déjà existant (collision freak case). */
+    insert(args: {
+        nonce: string;
+        userId: string;
+        expiresAt: Date;
+    }): Promise<void>;
+    /** Consume atomiquement : retourne true si le nonce existait et n'était pas expiré, et le supprime. */
+    consume(nonce: string): Promise<boolean>;
+    /** Cleanup périodique. */
+    deleteExpired(now: Date): Promise<number>;
+}
+export interface RequestDeletionResult {
+    ok: true;
+    /** Token à embarquer dans l'email de confirmation. */
+    token: string;
+    /** Date d'expiration absolue. */
+    expiresAt: Date;
+}
+export interface RequestDeletionArgs {
+    config: DeletionTokenConfig;
+    nonceRepo: DeletionNonceRepo;
+    userId: string;
+    /** Mailer optionnel — si fourni, envoie l'email immédiatement. */
+    mailer?: (args: {
+        token: string;
+        expiresAt: Date;
+    }) => Promise<void>;
+}
+export declare function requestAccountDeletion(args: RequestDeletionArgs): Promise<RequestDeletionResult>;
+export type ConfirmDeletionResult = {
+    ok: true;
+    purgeReports: {
+        module: string;
+        rowsDeleted: number;
+    }[];
+} | {
+    ok: false;
+    reason: 'malformed' | 'bad_signature' | 'expired' | 'consumed_or_unknown' | 'partial_failure';
+    partialReports?: {
+        module: string;
+        rowsDeleted: number;
+    }[];
+    errors?: {
+        module: string;
+        error: string;
+    }[];
+};
+export interface ConfirmDeletionArgs {
+    config: DeletionTokenConfig;
+    nonceRepo: DeletionNonceRepo;
+    hooks: DataSubjectHook[];
+    token: string;
+}
+export declare function confirmAccountDeletion(args: ConfirmDeletionArgs): Promise<ConfirmDeletionResult>;
+export interface ExportArgs {
+    hooks: DataSubjectHook[];
+    userId: string;
+}
+export interface ExportResult {
+    /** Données structurées par module — clé = module, valeur = ce que le hook retourne. */
+    byModule: Record<string, unknown>;
+    /** Métadonnées de l'export. */
+    metadata: {
+        userId: string;
+        generatedAt: string;
+        moduleCount: number;
+        errors: {
+            module: string;
+            error: string;
+        }[];
+    };
+}
+/**
+ * Collecte les données via les hooks. Le consumer prend le résultat, ZIPe, upload via
+ * @mostajs/storage signed URL, et email à l'user. Ces étapes sont hors module pour
+ * garder la pureté du Lot 6 (pas de dep storage / mailer obligatoire).
+ */
+export declare function collectAccountExport(args: ExportArgs): Promise<ExportResult>;
+export declare const __testing: {
+    hmacSign: typeof hmacSign;
+    base64urlJSON: typeof base64urlJSON;
+    constantTimeEqual: typeof constantTimeEqual;
+};
+export {};

package/dist/lib/account-lifecycle.js

@@ -0,0 +1,136 @@
+// @mostajs/auth — Account lifecycle & RGPD — Lot 6 / v3.0.0+
+// Author: Dr Hamid MADANI <drmdh@msn.com>
+//
+// Suppression définitive d'un compte + export RGPD ZIP async.
+//
+// Pattern Lots 1-5 : interfaces + DI, le module ne stocke rien lui-même.
+//
+// Suppression :
+//   1. requestAccountDeletion(userId, email) → token signé HMAC + TTL 24h, envoyé
+//      par email à l'user (anti-erreur, anti-takeover si session compromise).
+//   2. confirmAccountDeletion(token) → vérifie sig + TTL + nonce single-use,
+//      orchestre le purge cross-modules :
+//        - appelle chaque DataSubjectHook.purgeUserData(userId) enregistré
+//          (rbac/auth/storage/realtime/audit/payment/...)
+//        - chaque module sibling se nettoie atomiquement
+//        - emit AuthEvent 'account.deleted'
+//
+// Export RGPD :
+//   1. requestAccountExport(userId) → job async, retourne un job_id.
+//   2. La machine async appelle DataSubjectHook.exportUserData(userId) pour chaque
+//      module enregistré → concatène en ZIP → upload via @mostajs/storage signed URL
+//      (TTL 7 jours) → email à l'user avec le lien.
+//   3. emit AuthEvent 'account.exported' à la complétion.
+//
+// Le module ne ship pas le ZIP-er ni le mailer — DI au consumer (typiquement Octonet
+// branche un job runner BullMQ + nodemailer + @mostajs/storage).
+import crypto from 'node:crypto';
+const DELETION_TTL_DEFAULT = 24 * 3600;
+function base64urlJSON(obj) {
+    return Buffer.from(JSON.stringify(obj)).toString('base64url');
+}
+function hmacSign(payloadB64, secret) {
+    return crypto.createHmac('sha256', secret).update(payloadB64).digest('base64url');
+}
+export function generateDeletionToken(config, userId) {
+    const ttl = config.ttlSec ?? DELETION_TTL_DEFAULT;
+    const nonce = crypto.randomBytes(16).toString('base64url');
+    const exp = Math.floor(Date.now() / 1000) + ttl;
+    const payload = { userId, nonce, exp };
+    const payloadB64 = base64urlJSON(payload);
+    const sig = hmacSign(payloadB64, config.secret);
+    return { token: `${payloadB64}.${sig}`, nonce, expiresAt: new Date(exp * 1000) };
+}
+export function verifyDeletionToken(config, token) {
+    const parts = token.split('.');
+    if (parts.length !== 2)
+        return { ok: false, reason: 'malformed' };
+    const [payloadB64, sig] = parts;
+    const expectedSig = hmacSign(payloadB64, config.secret);
+    if (!constantTimeEqual(sig, expectedSig))
+        return { ok: false, reason: 'bad_signature' };
+    let payload;
+    try {
+        payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString());
+    }
+    catch {
+        return { ok: false, reason: 'malformed' };
+    }
+    if (typeof payload?.userId !== 'string' || typeof payload?.exp !== 'number' || typeof payload?.nonce !== 'string') {
+        return { ok: false, reason: 'malformed' };
+    }
+    if (Math.floor(Date.now() / 1000) >= payload.exp)
+        return { ok: false, reason: 'expired' };
+    return { ok: true, userId: payload.userId, nonce: payload.nonce };
+}
+function constantTimeEqual(a, b) {
+    if (a.length !== b.length)
+        return false;
+    try {
+        return crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b));
+    }
+    catch {
+        return false;
+    }
+}
+export async function requestAccountDeletion(args) {
+    const { token, nonce, expiresAt } = generateDeletionToken(args.config, args.userId);
+    await args.nonceRepo.insert({ nonce, userId: args.userId, expiresAt });
+    if (args.mailer) {
+        await args.mailer({ token, expiresAt });
+    }
+    return { ok: true, token, expiresAt };
+}
+export async function confirmAccountDeletion(args) {
+    const v = verifyDeletionToken(args.config, args.token);
+    if (!v.ok)
+        return { ok: false, reason: v.reason };
+    const consumed = await args.nonceRepo.consume(v.nonce);
+    if (!consumed)
+        return { ok: false, reason: 'consumed_or_unknown' };
+    const purgeReports = [];
+    const errors = [];
+    // Purge sequentiel — chaque module nettoie le sien. On collecte les rapports même
+    // en cas d'échec partiel pour permettre re-tentatives ciblées.
+    for (const hook of args.hooks) {
+        try {
+            const report = await hook.purgeUserData(v.userId);
+            purgeReports.push({ module: hook.module, rowsDeleted: report.rowsDeleted });
+        }
+        catch (e) {
+            errors.push({ module: hook.module, error: e.message });
+        }
+    }
+    if (errors.length > 0) {
+        return { ok: false, reason: 'partial_failure', partialReports: purgeReports, errors };
+    }
+    return { ok: true, purgeReports };
+}
+/**
+ * Collecte les données via les hooks. Le consumer prend le résultat, ZIPe, upload via
+ * @mostajs/storage signed URL, et email à l'user. Ces étapes sont hors module pour
+ * garder la pureté du Lot 6 (pas de dep storage / mailer obligatoire).
+ */
+export async function collectAccountExport(args) {
+    const byModule = {};
+    const errors = [];
+    for (const hook of args.hooks) {
+        try {
+            byModule[hook.module] = await hook.exportUserData(args.userId);
+        }
+        catch (e) {
+            errors.push({ module: hook.module, error: e.message });
+        }
+    }
+    return {
+        byModule,
+        metadata: {
+            userId: args.userId,
+            generatedAt: new Date().toISOString(),
+            moduleCount: args.hooks.length,
+            errors,
+        },
+    };
+}
+// Test-only helpers
+export const __testing = { hmacSign, base64urlJSON, constantTimeEqual };

package/dist/lib/auth-events.d.ts

@@ -0,0 +1,40 @@
+export type AuthEventKind = 'login.success' | 'login.failure' | 'logout' | 'register' | 'password.changed' | 'password.reset.requested' | 'password.reset.completed' | 'password.rehash' | 'email.verification.sent' | 'email.verification.confirmed' | 'magic_link.requested' | 'magic_link.consumed' | 'mfa.enrolled' | 'mfa.verified' | 'mfa.failure' | 'mfa.disabled' | 'webauthn.registered' | 'webauthn.authenticated' | 'oauth.linked' | 'oauth.unlinked' | 'refresh.issued' | 'refresh.rotated' | 'refresh.revoked' | 'refresh.replay_detected' | 'rate_limit.hit' | 'account.deleted' | 'account.exported' | 'device_flow.requested' | 'device_flow.approved' | 'device_flow.denied' | 'device_flow.expired' | 'device_flow.consumed' | 'device_flow.brute_force' | 'pkce.requested' | 'pkce.consumed' | 'pkce.denied' | 'pkce.bad_verifier';
+export interface AuthEvent {
+    kind: AuthEventKind;
+    /** Sujet (user account) — null pour les événements pré-auth (rate-limit, etc.). */
+    userId?: string | null;
+    /** Email cible si relevant (login KO sans userId connu, magic-link request). */
+    email?: string | null;
+    /** IP de l'appel HTTP (extraite par le consumer depuis les headers). */
+    ip?: string | null;
+    userAgent?: string | null;
+    /** Timestamp UTC ; le consumer peut écraser pour back-fill / replay. */
+    ts?: Date;
+    /** Payload libre — par convention :
+     *   - login.failure:           `{ reason: 'wrong_password' | 'unknown_user' | 'inactive' | 'mfa_required' }`
+     *   - mfa.failure:             `{ reason: 'wrong_code' | 'expired' }`
+     *   - rate_limit.hit:          `{ endpoint, retryAfter }`
+     *   - device_flow.requested:   `{ clientId, scopes, deviceCode }`
+     *   - device_flow.approved:    `{ clientId, deviceCode, accountId }`
+     *   - device_flow.denied:      `{ clientId, deviceCode, accountId? }`
+     *   - device_flow.expired:     `{ clientId, deviceCode, expiresInSec }`
+     *   - device_flow.consumed:    `{ clientId, deviceCode, accountId, scopes }`
+     *   - device_flow.brute_force: `{ ip, attempts, windowSec }`
+     *   - pkce.requested:          `{ clientId, scopes, redirectUri, state }`
+     *   - pkce.consumed:           `{ clientId, accountId, scopes }`
+     *   - pkce.denied:             `{ clientId, redirectUri, accountId? }`
+     *   - pkce.bad_verifier:       `{ clientId, redirectUri, ip }` ← attaque potentielle
+     */
+    metadata?: Record<string, unknown>;
+}
+export interface AuthEventEmitter {
+    emit(event: AuthEvent): void | Promise<void>;
+}
+/** No-op : utilisé par défaut si le consumer ne branche pas d'audit. */
+export declare const noopAuthEventEmitter: AuthEventEmitter;
+/**
+ * Wrapper safe : encapsule l'`emit` du consumer dans un try/catch + non-blocking.
+ * Une faille de l'audit ne doit JAMAIS faire échouer le flow auth utilisateur
+ * (un emit qui crash → on log, on continue).
+ */
+export declare function wrapEmitter(emitter: AuthEventEmitter): AuthEventEmitter;