@niledatabase/server 5.1.0 → 5.2.0-alpha.0

package/dist/index.d.mts

@@ -78,6 +78,7 @@ type Routes = {
     VERIFY_EMAIL: string;
     INVITES: string;
     INVITE: string;
+    MULTI_FACTOR: string;
 };
 
 interface CreateBasicUserRequest {
@@ -124,6 +125,7 @@ interface User {
     created: string;
     updated?: string;
     emailVerified?: string | null;
+    multiFactor?: string | null;
     tenants: string[];
 }
 
@@ -362,6 +364,13 @@ type ActiveSession = {
     };
 };
 
+type MfaPayload = {
+    token?: string;
+    scope?: 'setup' | 'challenge';
+    method?: 'authenticator' | 'email';
+    code?: string;
+    remove?: boolean;
+};
 type SignUpPayload = {
     email: string;
     password: string;
@@ -495,6 +504,7 @@ declare class Auth {
         email: string;
         password: string;
     }, rawResponse?: true): Promise<T>;
+    mfa<T = Response>(params: MfaPayload, rawResponse?: true): Promise<T>;
 }
 /**
  * Extract the CSRF cookie from a set of headers.

package/dist/index.d.ts

@@ -78,6 +78,7 @@ type Routes = {
     VERIFY_EMAIL: string;
     INVITES: string;
     INVITE: string;
+    MULTI_FACTOR: string;
 };
 
 interface CreateBasicUserRequest {
@@ -124,6 +125,7 @@ interface User {
     created: string;
     updated?: string;
     emailVerified?: string | null;
+    multiFactor?: string | null;
     tenants: string[];
 }
 
@@ -362,6 +364,13 @@ type ActiveSession = {
     };
 };
 
+type MfaPayload = {
+    token?: string;
+    scope?: 'setup' | 'challenge';
+    method?: 'authenticator' | 'email';
+    code?: string;
+    remove?: boolean;
+};
 type SignUpPayload = {
     email: string;
     password: string;
@@ -495,6 +504,7 @@ declare class Auth {
         email: string;
         password: string;
     }, rawResponse?: true): Promise<T>;
+    mfa<T = Response>(params: MfaPayload, rawResponse?: true): Promise<T>;
 }
 /**
  * Extract the CSRF cookie from a set of headers.

package/dist/index.js

@@ -57,6 +57,7 @@ var appRoutes = (prefix = DEFAULT_PREFIX) => ({
   CSRF: `${prefix}${"/auth/csrf" /* CSRF */}`,
   CALLBACK: `${prefix}${"/auth/callback" /* CALLBACK */}`,
   SIGNOUT: `${prefix}${"/auth/signout" /* SIGNOUT */}`,
+  MULTI_FACTOR: `${prefix}${"/auth/mfa" /* MULTI_FACTOR */}`,
   ERROR: `${prefix}/auth/error`,
   VERIFY_REQUEST: `${prefix}/auth/verify-request`,
   VERIFY_EMAIL: `${prefix}${"/auth/verify-email" /* VERIFY_EMAIL */}`,
@@ -96,7 +97,8 @@ var proxyRoutes = (config) => ({
   ERROR: makeRestUrl(config, "/auth/error"),
   VERIFY_REQUEST: makeRestUrl(config, "/auth/verify-request"),
   PASSWORD_RESET: makeRestUrl(config, "/auth/reset-password" /* PASSWORD_RESET */),
-  VERIFY_EMAIL: makeRestUrl(config, "/auth/verify-email" /* VERIFY_EMAIL */)
+  VERIFY_EMAIL: makeRestUrl(config, "/auth/verify-email" /* VERIFY_EMAIL */),
+  MULTI_FACTOR: makeRestUrl(config, "/auth/mfa" /* MULTI_FACTOR */)
 });
 function filterNullUndefined(obj) {
   if (!obj) {
@@ -121,9 +123,9 @@ function makeRestUrl(apiUrl, path, qp) {
   const strParams = params.toString();
   return `${[url, path.substring(1, path.length)].join("/")}${strParams ? `?${strParams}` : ""}`;
 }
-function urlMatches(requestUrl, route20) {
+function urlMatches(requestUrl, route21) {
   const url = new URL(requestUrl);
-  return url.pathname.startsWith(route20);
+  return url.pathname.startsWith(route21);
 }
 function isUUID(value) {
   if (!value) {
@@ -255,7 +257,10 @@ function bindRunExtensions(instance) {
             continue;
           }
           const previousHeaders = new Headers(previousContext.headers);
-          await ext.onRequest(_init.request, ctx);
+          try {
+            await ext.onRequest(_init.request, ctx);
+          } catch {
+          }
           const updatedContext = ctx.get();
           if (updatedContext?.headers) {
             const cookie = updatedContext.headers.get("cookie");
@@ -298,8 +303,8 @@ function mergeCookies(...cookieStrings) {
   for (const str of cookieStrings) {
     if (!str) continue;
     for (const part of str.split(";")) {
-      const [key17, value] = part.split("=").map((s) => s.trim());
-      if (key17 && value) cookieMap.set(key17, value);
+      const [key18, value] = part.split("=").map((s) => s.trim());
+      if (key18 && value) cookieMap.set(key18, value);
     }
   }
   return [...cookieMap.entries()].map(([k, v]) => `${k}=${v}`).join("; ");
@@ -359,8 +364,8 @@ var ctx = {
     if (partial.headers === null) {
       store.headers = new Headers();
     } else if (partial.headers && store.headers instanceof Headers) {
-      for (const [key17, value] of new Headers(partial.headers).entries()) {
-        if (key17.toLowerCase() === "cookie") {
+      for (const [key18, value] of new Headers(partial.headers).entries()) {
+        if (key18.toLowerCase() === "cookie") {
           const existingCookies = parseCookieHeader(
             store.headers.get("cookie") || ""
           );
@@ -368,7 +373,7 @@ var ctx = {
           const mergedCookies = { ...existingCookies, ...newCookies };
           store.headers.set("cookie", serializeCookies(mergedCookies));
         } else {
-          store.headers.set(key17, value);
+          store.headers.set(key18, value);
         }
       }
     }
@@ -388,16 +393,16 @@ async function withNileContext(config, fn, name = "unknown") {
   let tenantId = existing.tenantId;
   let userId = existing.userId;
   if (initialContext instanceof Request) {
-    initialContext.headers.forEach((value, key17) => {
-      mergedHeaders.set(key17, value);
+    initialContext.headers.forEach((value, key18) => {
+      mergedHeaders.set(key18, value);
     });
   } else {
     if (initialContext.headers === null) {
       mergedHeaders = new Headers();
     } else if (initialContext.headers) {
       const incoming = initialContext.headers instanceof Headers ? initialContext.headers : new Headers(initialContext.headers);
-      incoming.forEach((value, key17) => {
-        mergedHeaders.set(key17, value);
+      incoming.forEach((value, key18) => {
+        mergedHeaders.set(key18, value);
       });
     }
     if ("tenantId" in initialContext) {
@@ -408,11 +413,11 @@ async function withNileContext(config, fn, name = "unknown") {
     }
   }
   if (extensionOverrides?.headers) {
-    for (const key17 of extensionOverrides.headers.removed) {
-      mergedHeaders.delete(key17);
+    for (const key18 of extensionOverrides.headers.removed) {
+      mergedHeaders.delete(key18);
     }
-    for (const [key17, value] of extensionOverrides.headers.set) {
-      mergedHeaders.set(key17, value);
+    for (const [key18, value] of extensionOverrides.headers.set) {
+      mergedHeaders.set(key18, value);
     }
   }
   if (extensionOverrides?.tenantId) {
@@ -435,8 +440,8 @@ async function withNileContext(config, fn, name = "unknown") {
 function serializeContext(context) {
   const headers = {};
   const rawHeaders = new Headers(context.headers);
-  rawHeaders.forEach((value, key17) => {
-    headers[key17] = value;
+  rawHeaders.forEach((value, key18) => {
+    headers[key18] = value;
   });
   return JSON.stringify({
     headers,
@@ -446,8 +451,8 @@ function serializeContext(context) {
 }
 function parseCookieHeader(header) {
   return header.split(";").map((c) => c.trim()).filter(Boolean).reduce((acc, curr) => {
-    const [key17, ...val] = curr.split("=");
-    if (key17) acc[key17] = val.join("=");
+    const [key18, ...val] = curr.split("=");
+    if (key18) acc[key18] = val.join("=");
     return acc;
   }, {});
 }
@@ -503,14 +508,14 @@ function diffHeaders(before, after) {
   const afterMap = headersToMap(after);
   const set = [];
   const removed = [];
-  for (const [key17, value] of afterMap.entries()) {
-    if (beforeMap.get(key17) !== value) {
-      set.push([key17, value]);
+  for (const [key18, value] of afterMap.entries()) {
+    if (beforeMap.get(key18) !== value) {
+      set.push([key18, value]);
     }
   }
-  for (const key17 of beforeMap.keys()) {
-    if (!afterMap.has(key17)) {
-      removed.push(key17);
+  for (const key18 of beforeMap.keys()) {
+    if (!afterMap.has(key18)) {
+      removed.push(key18);
     }
   }
   if (set.length === 0 && removed.length === 0) {
@@ -520,8 +525,8 @@ function diffHeaders(before, after) {
 }
 function headersToMap(headers) {
   const map = /* @__PURE__ */ new Map();
-  headers.forEach((value, key17) => {
-    map.set(key17.toLowerCase(), value);
+  headers.forEach((value, key18) => {
+    map.set(key18.toLowerCase(), value);
   });
   return map;
 }
@@ -645,7 +650,7 @@ async function request(url, _init, config) {
   }
 }
 function getProtocolFromHeaders(headers) {
-  const get = (key17) => headers instanceof Headers ? headers.get(key17) : headers[key17.toLowerCase()];
+  const get = (key18) => headers instanceof Headers ? headers.get(key18) : headers[key18.toLowerCase()];
   const xfp = get("x-forwarded-proto");
   if (xfp) return xfp.toLowerCase();
   const forwarded = get("forwarded");
@@ -865,11 +870,11 @@ async function route3(request2, config) {
 function matches3(configRoutes, request2) {
   const url = new URL(request2.url);
   const [userId, possibleTenantId, tenantId] = url.pathname.split("/").reverse();
-  let route20 = configRoutes[key3].replace("{tenantId}", tenantId).replace("{userId}", userId);
+  let route21 = configRoutes[key3].replace("{tenantId}", tenantId).replace("{userId}", userId);
   if (userId === "users") {
-    route20 = configRoutes[key3].replace("{tenantId}", possibleTenantId);
+    route21 = configRoutes[key3].replace("{tenantId}", possibleTenantId);
   }
-  return urlMatches(request2.url, route20);
+  return urlMatches(request2.url, route21);
 }
 async function fetchTenantUsers(config, method, payload) {
   const { body, params } = {};
@@ -958,8 +963,8 @@ async function route4(request2, config) {
 function matches4(configRoutes, request2) {
   const url = new URL(request2.url);
   const [, tenantId] = url.pathname.split("/").reverse();
-  const route20 = configRoutes[key4].replace("{tenantId}", tenantId);
-  return urlMatches(request2.url, route20);
+  const route21 = configRoutes[key4].replace("{tenantId}", tenantId);
+  return urlMatches(request2.url, route21);
 }
 async function fetchInvite(config, method, body) {
   const { headers, tenantId } = ctx.get();
@@ -1014,8 +1019,8 @@ async function route5(request2, config) {
 function matches5(configRoutes, request2) {
   const url = new URL(request2.url);
   const [, tenantId] = url.pathname.split("/").reverse();
-  const route20 = configRoutes[key5].replace("{tenantId}", tenantId);
-  return url.pathname.endsWith(route20);
+  const route21 = configRoutes[key5].replace("{tenantId}", tenantId);
+  return url.pathname.endsWith(route21);
 }
 async function fetchInvites(config) {
   const { tenantId, headers } = ctx.get();
@@ -1472,6 +1477,33 @@ async function fetchVerifyEmail(config, method, body) {
   return await config.handlers[method](req);
 }
 
+// src/api/routes/auth/mfa.ts
+var key14 = "MULTI_FACTOR";
+async function route17(req, config) {
+  return request(
+    proxyRoutes(config.apiUrl)[key14],
+    {
+      method: req.method,
+      request: req
+    },
+    config
+  );
+}
+function matches17(configRoutes, request2) {
+  return urlMatches(request2.url, configRoutes[key14]);
+}
+async function fetchMfa(config, method, body) {
+  const clientUrl = `${config.serverOrigin}${config.routePrefix}${"/auth/mfa" /* MULTI_FACTOR */}`;
+  const { headers } = ctx.get();
+  const init = {
+    headers,
+    method,
+    body
+  };
+  const req = new Request(clientUrl, init);
+  return await config.handlers[method](req);
+}
+
 // src/api/handlers/GET.ts
 function GETTER(configRoutes, config) {
   const { error, info, warn: warn2 } = config.logger("[GET MATCHER]");
@@ -1567,8 +1599,8 @@ async function POST5(config, init) {
 }
 
 // src/api/routes/signup/index.tsx
-var key14 = "SIGNUP";
-async function route17(request2, config) {
+var key15 = "SIGNUP";
+async function route18(request2, config) {
   switch (request2.method) {
     case "POST":
       return await POST5(config, { request: request2 });
@@ -1576,8 +1608,8 @@ async function route17(request2, config) {
       return new Response("method not allowed", { status: 405 });
   }
 }
-function matches17(configRoutes, request2) {
-  return urlMatches(request2.url, configRoutes[key14]);
+function matches18(configRoutes, request2) {
+  return urlMatches(request2.url, configRoutes[key15]);
 }
 async function fetchSignUp(config, payload) {
   const { body, params } = payload ?? {};
@@ -1632,9 +1664,9 @@ function POSTER(configRoutes, config) {
       info("matches tenant invite");
       return route4(req, config);
     }
-    if (matches17(configRoutes, req)) {
+    if (matches18(configRoutes, req)) {
       info("matches signup");
-      return route17(req, config);
+      return route18(req, config);
     }
     if (matches6(configRoutes, req)) {
       info("matches tenants");
@@ -1648,6 +1680,10 @@ function POSTER(configRoutes, config) {
       info("matches signin");
       return route7(req, config);
     }
+    if (matches17(configRoutes, req)) {
+      info("matches mfa");
+      return route17(req, config);
+    }
     if (matches15(configRoutes, req)) {
       info("matches password reset");
       return route15(req, config);
@@ -1696,9 +1732,9 @@ async function PUT5(config, init) {
 }
 
 // src/api/routes/tenants/[tenantId]/users/[userId]/index.ts
-var key15 = "TENANT_USER";
-async function route18(request2, config) {
-  const { info } = config.logger(`[ROUTES][${key15}]`);
+var key16 = "TENANT_USER";
+async function route19(request2, config) {
+  const { info } = config.logger(`[ROUTES][${key16}]`);
   const session = await auth(request2, config);
   if (!session) {
     info("401");
@@ -1719,14 +1755,14 @@ async function route18(request2, config) {
       return new Response("method not allowed", { status: 405 });
   }
 }
-function matches18(configRoutes, request2) {
+function matches19(configRoutes, request2) {
   const url = new URL(request2.url);
   const [, userId, possibleTenantId, tenantId] = url.pathname.split("/").reverse();
-  let route20 = configRoutes[key15].replace("{tenantId}", tenantId).replace("{userId}", userId);
+  let route21 = configRoutes[key16].replace("{tenantId}", tenantId).replace("{userId}", userId);
   if (userId === "users") {
-    route20 = configRoutes[key15].replace("{tenantId}", possibleTenantId);
+    route21 = configRoutes[key16].replace("{tenantId}", possibleTenantId);
   }
-  return urlMatches(request2.url, route20);
+  return urlMatches(request2.url, route21);
 }
 async function fetchTenantUser(config, method) {
   const { headers, tenantId, userId } = ctx.get();
@@ -1765,8 +1801,8 @@ async function DELETE4(config, init) {
 }
 
 // src/api/routes/tenants/[tenantId]/invite/[inviteId]/index.ts
-var key16 = "INVITE";
-async function route19(request2, config) {
+var key17 = "INVITE";
+async function route20(request2, config) {
   switch (request2.method) {
     case "DELETE":
       return await DELETE4(config, { request: request2 });
@@ -1774,11 +1810,11 @@ async function route19(request2, config) {
       return new Response("method not allowed", { status: 405 });
   }
 }
-function matches19(configRoutes, request2) {
+function matches20(configRoutes, request2) {
   const url = new URL(request2.url);
   const [inviteId, , tenantId] = url.pathname.split("/").reverse();
-  const route20 = configRoutes[key16].replace("{tenantId}", tenantId).replace("{inviteId}", inviteId);
-  return urlMatches(request2.url, route20);
+  const route21 = configRoutes[key17].replace("{tenantId}", tenantId).replace("{inviteId}", inviteId);
+  return urlMatches(request2.url, route21);
 }
 
 // src/api/handlers/DELETE.ts
@@ -1798,13 +1834,17 @@ function DELETER(configRoutes, config) {
       error("Proxy requests failed, a Request object was not passed.");
       return;
     }
-    if (matches19(configRoutes, req)) {
+    if (matches20(configRoutes, req)) {
       info("matches tenant invite id");
-      return route19(req, config);
+      return route20(req, config);
     }
-    if (matches18(configRoutes, req)) {
+    if (matches17(configRoutes, req)) {
+      info("matches MFA");
+      return route17(req, config);
+    }
+    if (matches19(configRoutes, req)) {
       info("matches tenant user");
-      return route18(req, config);
+      return route19(req, config);
     }
     if (matches6(configRoutes, req)) {
       info("matches tenants");
@@ -1840,9 +1880,9 @@ function PUTER(configRoutes, config) {
       info("matches tenant invite");
       return route4(req, config);
     }
-    if (matches18(configRoutes, req)) {
+    if (matches19(configRoutes, req)) {
       info("matches tenant user");
-      return route18(req, config);
+      return route19(req, config);
     }
     if (matches3(configRoutes, req)) {
       info("matches tenant users");
@@ -1860,6 +1900,10 @@ function PUTER(configRoutes, config) {
       info("matches reset password");
       return route15(req, config);
     }
+    if (matches17(configRoutes, req)) {
+      info("matches mfa");
+      return route17(req, config);
+    }
     warn2("No PUT routes matched");
     return new Response(null, { status: 404 });
   };
@@ -2811,6 +2855,17 @@ var Auth = class {
         callbackUrl: credentials.callbackUrl
       });
       const signInRes = await this.callback(provider, body);
+      const twoFactor = await is2FA(signInRes);
+      if (twoFactor) {
+        if (rawResponse) {
+          return signInRes;
+        }
+        try {
+          return await signInRes.clone().json();
+        } catch {
+          return signInRes;
+        }
+      }
       const authCookie = signInRes?.headers.get("set-cookie");
       if (!authCookie) {
         throw new Error("authentication failed");
@@ -2862,6 +2917,30 @@ var Auth = class {
       }
     });
   }
+  async mfa(params, rawResponse) {
+    return withNileContext(this.#config, async () => {
+      let method = "POST";
+      if (params.scope === "setup") {
+        method = "PUT";
+      }
+      if (params.remove) {
+        method = "DELETE";
+      }
+      const res = await fetchMfa(
+        this.#config,
+        method,
+        JSON.stringify({ ...params, method: params.method ?? "authenticator" })
+      );
+      if (rawResponse) {
+        return res;
+      }
+      try {
+        return await res.clone().json();
+      } catch {
+        return res;
+      }
+    });
+  }
 };
 function parseCSRF(headers) {
   let cookie = headers?.get("set-cookie");
@@ -2951,6 +3030,17 @@ function fQUrl(path, config) {
   }
   return path;
 }
+async function is2FA(signInRes) {
+  try {
+    const cloned = await signInRes.clone();
+    const json = await cloned.json();
+    if ("method" in json && "secret" in json) {
+      return signInRes;
+    }
+  } catch {
+  }
+  return null;
+}
 
 // src/auth/obtainCsrf.ts
 async function obtainCsrf(config, rawResponse = false) {
@@ -3512,8 +3602,8 @@ function updateConfig(response, config) {
     }
     const setCookies = [];
     if (response?.headers) {
-      for (const [key17, value] of response.headers) {
-        if (key17.toLowerCase() === "set-cookie") {
+      for (const [key18, value] of response.headers) {
+        if (key18.toLowerCase() === "set-cookie") {
           setCookies.push(value);
         }
       }
@@ -3702,25 +3792,25 @@ var Server = class {
       }
     }
     if (headers instanceof Headers) {
-      headers.forEach((value, key17) => {
-        updates.push([key17.toLowerCase(), value]);
+      headers.forEach((value, key18) => {
+        updates.push([key18.toLowerCase(), value]);
       });
     } else {
-      for (const [key17, value] of Object.entries(headers ?? {})) {
-        updates.push([key17.toLowerCase(), value]);
+      for (const [key18, value] of Object.entries(headers ?? {})) {
+        updates.push([key18.toLowerCase(), value]);
       }
     }
     const merged = {};
-    this.#config.context.headers?.forEach((value, key17) => {
-      if (key17.toLowerCase() !== "cookie") {
-        merged[key17.toLowerCase()] = value;
+    this.#config.context.headers?.forEach((value, key18) => {
+      if (key18.toLowerCase() !== "cookie") {
+        merged[key18.toLowerCase()] = value;
       }
     });
-    for (const [key17, value] of updates) {
-      merged[key17] = value;
+    for (const [key18, value] of updates) {
+      merged[key18] = value;
     }
-    for (const [key17, value] of Object.entries(merged)) {
-      this.#config.context.headers.set(key17, value);
+    for (const [key18, value] of Object.entries(merged)) {
+      this.#config.context.headers.set(key18, value);
     }
     this.#config.logger("[handleHeaders]").debug(JSON.stringify(merged));
   }