@oglofus/auth 1.0.0 → 1.1.0

package/README.md

@@ -8,8 +8,8 @@ Type-safe, plugin-first authentication core for TypeScript applications.
 - Strongly typed register/authenticate payloads inferred from enabled plugins.
 - Path-based issue model (`{ message, path }`) for field-level error mapping.
 - Built-in methods: password, email OTP, magic link, OAuth2, passkey.
-- Built-in domain plugins: two-factor auth (TOTP/recovery), organizations/RBAC.
-- Framework-agnostic core (works with Next.js, SvelteKit, Workers, Node servers).
+- Built-in domain plugins: two-factor auth (TOTP/recovery code), organizations/RBAC.
+- Framework-agnostic core for TypeScript apps running in Node-compatible server environments.
 
 ## Install
 
@@ -87,10 +87,20 @@ const loggedIn = await auth.authenticate({
 - `method(pluginMethod)` for plugin-specific APIs
 - `verifySecondFactor(input, request?)`
 - `completeProfile(input, request?)`
-- `setActiveOrganization(sessionId, organizationId, request?)`
 - `validateSession(sessionId, request?)`
 - `signOut(sessionId, request?)`
 
+Organization session switching is exposed by the organizations plugin API:
+
+```ts
+const orgApi = auth.method("organizations");
+await orgApi.setActiveOrganization({
+  sessionId: "session_123",
+  organizationId: "org_123",
+});
+await orgApi.setActiveOrganization({ sessionId: "session_123" }); // clear
+```
+
 ## Result and Error Shape
 
 All operations return structured results.
@@ -154,19 +164,19 @@ createIssue("Generic failure");
 ### OAuth2 (Arctic)
 
 - Method: `"oauth2"`
-- Uses provider clients with `validateAuthorizationCode(...)` (Arctic-compatible).
+- Uses provider exchange callbacks. Arctic clients can be wrapped with `arcticAuthorizationCodeExchange(...)`.
 - Supports profile completion when required fields are missing.
 
 ```ts
 import { Google } from "arctic";
-import { oauth2Plugin } from "@oglofus/auth";
+import { arcticAuthorizationCodeExchange, oauth2Plugin } from "@oglofus/auth";
 
 const google = new Google(process.env.GOOGLE_CLIENT_ID!, process.env.GOOGLE_CLIENT_SECRET!, process.env.GOOGLE_REDIRECT_URI!);
 
 oauth2Plugin<AppUser, "google", "given_name" | "family_name">({
   providers: {
     google: {
-      client: google,
+      exchangeAuthorizationCode: arcticAuthorizationCodeExchange(google),
       resolveProfile: async ({ tokens }) => {
         const res = await fetch("https://openidconnect.googleapis.com/v1/userinfo", {
           headers: { Authorization: `Bearer ${tokens.accessToken()}` },
@@ -201,6 +211,7 @@ const result = await auth.authenticate({
   authorizationCode: "code-from-callback",
   redirectUri: process.env.GOOGLE_REDIRECT_URI!,
   codeVerifier: "pkce-code-verifier",
+  idempotencyKey: "oauth-state",
 });
 ```
 
@@ -208,12 +219,15 @@ const result = await auth.authenticate({
 
 - Method: `"passkey"`
 - Register + authenticate supported.
+- The package consumes already-verified passkey results; it does not perform raw WebAuthn attestation/assertion verification.
+- Verify WebAuthn with `@simplewebauthn/server` or equivalent first, then pass the verified result into `auth.register(...)` / `auth.authenticate(...)`.
 - Config: `requiredProfileFields`, `passkeys` adapter.
 
 ### Two-Factor (Domain Plugin)
 
 - Method: `"two_factor"`
 - Adds post-primary verification (`TWO_FACTOR_REQUIRED`).
+- This release supports `totp` and `recovery_code`.
 - Uses `@oslojs/otp` internally for TOTP verification and enrollment URI generation.
 - Plugin API:
   - `beginTotpEnrollment(userId)`

package/dist/core/auth.d.ts

@@ -13,10 +13,6 @@ export declare class OglofusAuth<U extends UserBase, P extends readonly AnyPlugi
     method<M extends PluginMethodsWithApi<P>>(method: M): PluginApiMap<P>[M];
     verifySecondFactor(input: TwoFactorVerifyInput, request?: AuthRequestContext): Promise<AuthResult<U>>;
     completeProfile(input: CompleteProfileInput<U>, request?: AuthRequestContext): Promise<AuthResult<U>>;
-    setActiveOrganization(sessionId: string, organizationId: string, request?: AuthRequestContext): Promise<OperationResult<{
-        sessionId: string;
-        activeOrganizationId: string;
-    }>>;
     validateSession(sessionId: string, _request?: AuthRequestContext): Promise<{
         ok: true;
         userId: string;
@@ -25,10 +21,15 @@ export declare class OglofusAuth<U extends UserBase, P extends readonly AnyPlugi
     }>;
     signOut(sessionId: string, request?: AuthRequestContext): Promise<void>;
     private normalizeAuthInput;
+    private persistCompletedProfile;
     private makeContext;
     private createSession;
     private getAuthMethodPlugin;
     private tryGetTwoFactorApi;
+    private resolveRateLimitPolicy;
+    private consumeRateLimit;
+    private makeRateLimitKey;
+    private getRateLimitIdentity;
     private runValidator;
     private validatePlugins;
     private assertAcyclicRoleInheritance;

package/dist/core/auth.js

@@ -1,6 +1,6 @@
 import { AuthError } from "../errors/index.js";
 import { errorOperation, errorResult, successOperation, successResult, } from "../types/results.js";
-import { DEFAULT_SESSION_TTL_SECONDS, addSeconds, createId, normalizeEmailDefault, now, } from "./utils.js";
+import { DEFAULT_SESSION_TTL_SECONDS, addSeconds, createId, deterministicTokenHash, normalizeEmailDefault, now, } from "./utils.js";
 import { createIssue } from "../issues/index.js";
 const hasEmail = (value) => typeof value === "object" && value !== null && "email" in value && typeof value.email === "string";
 const toAuthError = (error) => {
@@ -9,6 +9,14 @@ const toAuthError = (error) => {
     }
     return new AuthError("INTERNAL_ERROR", "Internal error.", 500);
 };
+const DEFAULT_RATE_LIMIT_POLICIES = {
+    discover: { limit: 10, windowSeconds: 60 },
+    register: { limit: 5, windowSeconds: 300 },
+    authenticate: { limit: 10, windowSeconds: 300 },
+    emailOtpRequest: { limit: 3, windowSeconds: 300 },
+    magicLinkRequest: { limit: 3, windowSeconds: 300 },
+    otpVerify: { limit: 10, windowSeconds: 300 },
+};
 export class OglofusAuth {
     config;
     pluginMap = new Map();
@@ -24,12 +32,17 @@ export class OglofusAuth {
                 this.apiMap.set(plugin.method, plugin.createApi({
                     adapters: this.config.adapters,
                     now,
+                    security: this.config.security,
                 }));
             }
         }
     }
     async discover(input, request) {
         const email = this.normalizeEmail(input.email);
+        const rateLimitError = await this.consumeRateLimit("discover", email, request);
+        if (rateLimitError) {
+            return errorOperation(rateLimitError);
+        }
         const mode = this.config.accountDiscovery?.mode ?? "private";
         if (mode === "private") {
             return successOperation({
@@ -83,6 +96,17 @@ export class OglofusAuth {
             return errorResult(new AuthError("METHOD_DISABLED", `Method ${method} is disabled.`, 400));
         }
         const normalized = this.normalizeAuthInput(input);
+        const rateLimitError = await this.consumeRateLimit("authenticate", this.getRateLimitIdentity(normalized), request);
+        if (rateLimitError) {
+            await this.writeAudit({
+                action: "authenticate",
+                method,
+                requestId: request?.requestId,
+                success: false,
+                errorCode: rateLimitError.code,
+            });
+            return errorResult(rateLimitError);
+        }
         const validated = this.runValidator(plugin.validators?.authenticate, normalized);
         if (!validated.ok) {
             return validated.result;
@@ -145,6 +169,17 @@ export class OglofusAuth {
             return errorResult(new AuthError("METHOD_NOT_REGISTERABLE", `Method ${method} does not support register.`, 400));
         }
         const normalized = this.normalizeAuthInput(input);
+        const rateLimitError = await this.consumeRateLimit("register", this.getRateLimitIdentity(normalized), request);
+        if (rateLimitError) {
+            await this.writeAudit({
+                action: "register",
+                method,
+                requestId: request?.requestId,
+                success: false,
+                errorCode: rateLimitError.code,
+            });
+            return errorResult(rateLimitError);
+        }
         const validated = this.runValidator(plugin.validators?.register, normalized);
         if (!validated.ok) {
             return validated.result;
@@ -195,6 +230,16 @@ export class OglofusAuth {
         }
         const record = await pending.findById(input.pendingProfileId);
         if (!record || record.consumedAt || record.expiresAt.getTime() <= now().getTime()) {
+            await this.writeAudit({
+                action: "complete_profile",
+                method: "complete_profile",
+                requestId: request?.requestId,
+                success: false,
+                errorCode: "PROFILE_COMPLETION_EXPIRED",
+                meta: {
+                    pendingProfileId: input.pendingProfileId,
+                },
+            });
             return errorResult(new AuthError("PROFILE_COMPLETION_EXPIRED", "Profile completion has expired.", 400));
         }
         const missingIssues = [];
@@ -205,12 +250,18 @@ export class OglofusAuth {
             }
         }
         if (missingIssues.length > 0) {
+            await this.writeAudit({
+                action: "complete_profile",
+                method: record.sourceMethod,
+                requestId: request?.requestId,
+                success: false,
+                errorCode: "INVALID_INPUT",
+                meta: {
+                    pendingProfileId: input.pendingProfileId,
+                },
+            });
             return errorResult(new AuthError("INVALID_INPUT", "Missing required profile fields.", 400, missingIssues), missingIssues);
         }
-        const consumed = await pending.consume(input.pendingProfileId);
-        if (!consumed) {
-            return errorResult(new AuthError("PROFILE_COMPLETION_EXPIRED", "Profile completion has expired.", 400));
-        }
         const email = record.email ? this.normalizeEmail(record.email) : undefined;
         const merged = {
             ...record.prefill,
@@ -220,44 +271,94 @@ export class OglofusAuth {
         if (merged.emailVerified === undefined) {
             merged.emailVerified = false;
         }
-        let user;
-        if (email) {
-            const existing = await this.config.adapters.users.findByEmail(email);
-            if (existing) {
-                user = await this.config.adapters.users.update(existing.id, merged);
+        const plugin = this.getAuthMethodPlugin(record.sourceMethod);
+        if (record.continuation && (!plugin || !plugin.completePendingProfile)) {
+            const error = new AuthError("PLUGIN_MISCONFIGURED", `Pending profile for '${record.sourceMethod}' cannot be completed by the current plugin set.`, 500);
+            await this.writeAudit({
+                action: "complete_profile",
+                method: record.sourceMethod,
+                requestId: request?.requestId,
+                success: false,
+                errorCode: error.code,
+                meta: {
+                    pendingProfileId: input.pendingProfileId,
+                },
+            });
+            return errorResult(error);
+        }
+        const ctx = this.makeContext(request);
+        let finalizedUserId;
+        const finalize = async () => {
+            const persisted = await this.persistCompletedProfile(email, merged);
+            if (!persisted.ok) {
+                return persisted;
             }
-            else {
-                user = await this.config.adapters.users.create(merged);
+            finalizedUserId = persisted.user.id;
+            if (plugin?.completePendingProfile) {
+                const continuation = await plugin.completePendingProfile(ctx, {
+                    record,
+                    user: persisted.user,
+                });
+                if (!continuation.ok) {
+                    return { ok: false, error: continuation.error };
+                }
             }
+            const consumed = await pending.consume(input.pendingProfileId);
+            if (!consumed) {
+                return {
+                    ok: false,
+                    error: new AuthError("PROFILE_COMPLETION_EXPIRED", "Profile completion has expired.", 400),
+                };
+            }
+            return { ok: true, user: persisted.user };
+        };
+        let finalized;
+        try {
+            finalized = this.config.adapters.withTransaction
+                ? await this.config.adapters.withTransaction(finalize)
+                : await finalize();
         }
-        else {
-            user = await this.config.adapters.users.create(merged);
-        }
-        const sessionId = await this.createSession(user.id);
-        return successResult(user, sessionId);
-    }
-    async setActiveOrganization(sessionId, organizationId, request) {
-        const session = await this.config.adapters.sessions.findById(sessionId);
-        if (!session) {
-            return errorOperation(new AuthError("SESSION_NOT_FOUND", "Session not found.", 404));
-        }
-        const organizationsApi = this.apiMap.get("organizations");
-        if (!organizationsApi) {
-            return errorOperation(new AuthError("METHOD_DISABLED", "organizations plugin is not enabled.", 400));
-        }
-        const memberships = await organizationsApi.listMemberships({ userId: session.userId }, request);
-        if (!memberships.ok) {
-            return memberships;
+        catch (error) {
+            const authError = toAuthError(error);
+            await this.writeAudit({
+                action: "complete_profile",
+                method: record.sourceMethod,
+                requestId: request?.requestId,
+                success: false,
+                errorCode: authError.code,
+                userId: finalizedUserId,
+                meta: {
+                    pendingProfileId: input.pendingProfileId,
+                },
+            });
+            return errorResult(authError);
         }
-        const active = memberships.data.memberships.find((membership) => membership.organizationId === organizationId && membership.status === "active");
-        if (!active) {
-            return errorOperation(new AuthError("MEMBERSHIP_FORBIDDEN", "No active membership for organization.", 403));
+        if (!finalized.ok) {
+            await this.writeAudit({
+                action: "complete_profile",
+                method: record.sourceMethod,
+                requestId: request?.requestId,
+                success: false,
+                errorCode: finalized.error.code,
+                userId: finalizedUserId,
+                meta: {
+                    pendingProfileId: input.pendingProfileId,
+                },
+            });
+            return errorResult(finalized.error);
         }
-        await this.config.adapters.sessions.setActiveOrganization(sessionId, organizationId);
-        return successOperation({
-            sessionId,
-            activeOrganizationId: organizationId,
+        const sessionId = await this.createSession(finalized.user.id);
+        await this.writeAudit({
+            action: "complete_profile",
+            method: record.sourceMethod,
+            requestId: request?.requestId,
+            success: true,
+            userId: finalized.user.id,
+            meta: {
+                pendingProfileId: input.pendingProfileId,
+            },
         });
+        return successResult(finalized.user, sessionId);
     }
     async validateSession(sessionId, _request) {
         const session = await this.config.adapters.sessions.findById(sessionId);
@@ -289,10 +390,25 @@ export class OglofusAuth {
             email: this.normalizeEmail(input.email),
         };
     }
+    async persistCompletedProfile(email, merged) {
+        if (email) {
+            const existing = await this.config.adapters.users.findByEmail(email);
+            if (existing) {
+                const updated = await this.config.adapters.users.update(existing.id, merged);
+                if (!updated) {
+                    return { ok: false, error: new AuthError("USER_NOT_FOUND", "User not found.", 404) };
+                }
+                return { ok: true, user: updated };
+            }
+        }
+        const created = await this.config.adapters.users.create(merged);
+        return { ok: true, user: created };
+    }
     makeContext(request) {
         return {
             adapters: this.config.adapters,
             now,
+            security: this.config.security,
             request,
         };
     }
@@ -322,6 +438,68 @@ export class OglofusAuth {
         }
         return api;
     }
+    resolveRateLimitPolicy(scope) {
+        if (!this.config.adapters.rateLimiter) {
+            return null;
+        }
+        return this.config.security?.rateLimits?.[scope] ?? DEFAULT_RATE_LIMIT_POLICIES[scope];
+    }
+    async consumeRateLimit(scope, identity, request) {
+        const policy = this.resolveRateLimitPolicy(scope);
+        if (!policy || !this.config.adapters.rateLimiter) {
+            return null;
+        }
+        const result = await this.config.adapters.rateLimiter.consume(this.makeRateLimitKey(scope, identity, request), policy.limit, policy.windowSeconds);
+        if (result.allowed) {
+            return null;
+        }
+        return new AuthError("RATE_LIMITED", "Too many requests.", 429, [], result.retryAfterSeconds === undefined
+            ? undefined
+            : { retryAfterSeconds: result.retryAfterSeconds });
+    }
+    makeRateLimitKey(scope, identity, request) {
+        if (!request?.ip) {
+            return `${scope}:identity:${identity}`;
+        }
+        return `${scope}:ip:${request.ip}:identity:${identity}`;
+    }
+    getRateLimitIdentity(input) {
+        if (hasEmail(input)) {
+            return this.normalizeEmail(input.email);
+        }
+        if (!input || typeof input !== "object") {
+            return "anonymous";
+        }
+        const record = input;
+        if (typeof record.challengeId === "string" && record.challengeId.length > 0) {
+            return `challenge:${record.challengeId}`;
+        }
+        if (typeof record.pendingAuthId === "string" && record.pendingAuthId.length > 0) {
+            return `pending:${record.pendingAuthId}`;
+        }
+        if (typeof record.token === "string" && record.token.length > 0) {
+            return `token:${deterministicTokenHash(record.token, "rate-limit:magic-link")}`;
+        }
+        if (typeof record.provider === "string" && record.provider.length > 0) {
+            return `provider:${record.provider}`;
+        }
+        const authentication = record.authentication;
+        if (authentication &&
+            typeof authentication === "object" &&
+            typeof authentication.credentialId === "string") {
+            return `credential:${String(authentication.credentialId)}`;
+        }
+        const registration = record.registration;
+        if (registration &&
+            typeof registration === "object" &&
+            typeof registration.credentialId === "string") {
+            return `credential:${String(registration.credentialId)}`;
+        }
+        if (typeof record.method === "string" && record.method.length > 0) {
+            return `method:${record.method}`;
+        }
+        return "anonymous";
+    }
     runValidator(validator, input) {
         if (!validator) {
             return { ok: true, input: input };
@@ -378,8 +556,11 @@ export class OglofusAuth {
         if ((this.config.accountDiscovery?.mode ?? "private") === "explicit" && !this.config.adapters.identity) {
             throw new AuthError("PLUGIN_MISCONFIGURED", "identity adapter is required when accountDiscovery.mode is explicit.", 500);
         }
+        const orgPlugin = this.config.plugins.find((plugin) => plugin.method === "organizations");
+        if (orgPlugin && !orgPlugin.__organizationConfig?.handlers?.organizationSessions) {
+            throw new AuthError("PLUGIN_MISCONFIGURED", "organizations plugin requires handlers.organizationSessions.", 500);
+        }
         if (this.config.validateConfigOnStart) {
-            const orgPlugin = this.config.plugins.find((plugin) => plugin.method === "organizations");
             const roleConfig = orgPlugin?.__organizationConfig?.handlers?.roles;
             const defaultRole = orgPlugin?.__organizationConfig?.handlers?.defaultRole;
             if (roleConfig && defaultRole) {

package/dist/core/utils.d.ts

@@ -6,6 +6,7 @@ export declare const createId: () => string;
 export declare const createToken: (size?: number) => string;
 export declare const createNumericCode: (length?: number) => string;
 export declare const secretHash: (value: string, salt?: string) => string;
+export declare const deterministicTokenHash: (value: string, namespace: string) => string;
 export declare const secretVerify: (value: string, encoded: string) => boolean;
 export declare const cloneWithout: <T extends Record<string, unknown>, K extends readonly (keyof T)[]>(input: T, keys: K) => Omit<T, K[number]>;
 export declare const ensureRecord: (value: unknown) => value is Record<string, unknown>;

package/dist/core/utils.js

@@ -1,4 +1,4 @@
-import { pbkdf2Sync, randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
+import { createHash, pbkdf2Sync, randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
 export const DEFAULT_SESSION_TTL_SECONDS = 60 * 60 * 24 * 30;
 export const normalizeEmailDefault = (value) => value.trim().toLowerCase();
 export const now = () => new Date();
@@ -18,6 +18,7 @@ export const secretHash = (value, salt = randomBytes(16).toString("hex")) => {
     const derived = pbkdf2Sync(value, salt, 120_000, 32, "sha256").toString("hex");
     return `${salt}:${derived}`;
 };
+export const deterministicTokenHash = (value, namespace) => createHash("sha256").update(namespace).update(":").update(value).digest("hex");
 export const secretVerify = (value, encoded) => {
     const [salt, hash] = encoded.split(":");
     if (!salt || !hash) {

package/dist/plugins/email-otp.js

@@ -5,13 +5,28 @@ import { addSeconds, createId, createNumericCode, secretHash, secretVerify, } fr
 import { cloneWithout } from "../core/utils.js";
 import { ensureFields } from "../core/validators.js";
 const PENDING_PREFIX = "pending:";
+const EMAIL_OTP_REQUEST_POLICY = { limit: 3, windowSeconds: 300 };
+const OTP_VERIFY_POLICY = { limit: 10, windowSeconds: 300 };
 const isPendingUserId = (value) => value.startsWith(PENDING_PREFIX);
+const createRateLimitedError = (retryAfterSeconds) => new AuthError("RATE_LIMITED", "Too many requests.", 429, [], retryAfterSeconds === undefined ? undefined : { retryAfterSeconds });
 export const emailOtpPlugin = (config) => {
     const ttl = config.challengeTtlSeconds ?? 10 * 60;
     const maxAttempts = config.maxAttempts ?? 5;
     const codeLength = config.codeLength ?? 6;
-    const verifyChallenge = async (challengeId, code, now) => {
+    const verifyChallenge = async (challengeId, code, now, request, security, rateLimiter) => {
         const challenge = await config.otp.findChallengeById(challengeId);
+        if (rateLimiter) {
+            const policy = security?.rateLimits?.otpVerify ?? OTP_VERIFY_POLICY;
+            const result = await rateLimiter.consume(request?.ip
+                ? `otpVerify:ip:${request.ip}:identity:${challenge?.email ?? `challenge:${challengeId}`}`
+                : `otpVerify:identity:${challenge?.email ?? `challenge:${challengeId}`}`, policy.limit, policy.windowSeconds);
+            if (!result.allowed) {
+                return {
+                    ok: false,
+                    error: createRateLimitedError(result.retryAfterSeconds),
+                };
+            }
+        }
         if (!challenge) {
             return {
                 ok: false,
@@ -68,7 +83,7 @@ export const emailOtpPlugin = (config) => {
     return {
         kind: "auth_method",
         method: "email_otp",
-        version: "1.0.0",
+        version: "2.0.0",
         supports: {
             register: true,
         },
@@ -79,6 +94,15 @@ export const emailOtpPlugin = (config) => {
         createApi: (ctx) => ({
             request: async (input, request) => {
                 const email = input.email.trim().toLowerCase();
+                if (ctx.adapters.rateLimiter) {
+                    const policy = ctx.security?.rateLimits?.emailOtpRequest ?? EMAIL_OTP_REQUEST_POLICY;
+                    const limited = await ctx.adapters.rateLimiter.consume(request?.ip
+                        ? `emailOtpRequest:ip:${request.ip}:identity:${email}`
+                        : `emailOtpRequest:identity:${email}`, policy.limit, policy.windowSeconds);
+                    if (!limited.allowed) {
+                        return errorOperation(createRateLimitedError(limited.retryAfterSeconds));
+                    }
+                }
                 const user = await ctx.adapters.users.findByEmail(email);
                 const code = createNumericCode(codeLength);
                 const challenge = await config.otp.createChallenge({
@@ -116,7 +140,7 @@ export const emailOtpPlugin = (config) => {
             },
         }),
         register: async (ctx, input) => {
-            const verified = await verifyChallenge(input.challengeId, input.code, ctx.now());
+            const verified = await verifyChallenge(input.challengeId, input.code, ctx.now(), ctx.request, ctx.security, ctx.adapters.rateLimiter);
             if (!verified.ok) {
                 return errorOperation(verified.error);
             }
@@ -141,7 +165,7 @@ export const emailOtpPlugin = (config) => {
             return successOperation({ user });
         },
         authenticate: async (ctx, input) => {
-            const verified = await verifyChallenge(input.challengeId, input.code, ctx.now());
+            const verified = await verifyChallenge(input.challengeId, input.code, ctx.now(), ctx.request, ctx.security, ctx.adapters.rateLimiter);
             if (!verified.ok) {
                 return errorOperation(verified.error);
             }

package/dist/plugins/magic-link.js

@@ -1,18 +1,15 @@
 import { AuthError } from "../errors/index.js";
 import { createIssue } from "../issues/index.js";
 import { errorOperation, successOperation } from "../types/results.js";
-import { addSeconds, createId, createToken, secretHash, secretVerify } from "../core/utils.js";
+import { addSeconds, createId, createToken, deterministicTokenHash } from "../core/utils.js";
 import { cloneWithout } from "../core/utils.js";
 import { ensureFields } from "../core/validators.js";
+const MAGIC_LINK_REQUEST_POLICY = { limit: 3, windowSeconds: 300 };
+const createRateLimitedError = (retryAfterSeconds) => new AuthError("RATE_LIMITED", "Too many requests.", 429, [], retryAfterSeconds === undefined ? undefined : { retryAfterSeconds });
 export const magicLinkPlugin = (config) => {
     const ttl = config.tokenTtlSeconds ?? 15 * 60;
     const verifyToken = async (token, now) => {
-        const hashed = secretHash(token, "magic-link");
-        // `secretHash` is salted; this branch should use deterministic hash.
-        // We keep compatibility by also trying deterministic fallback below.
-        const deterministicHash = secretHash(token, "deterministic_magic_link");
-        const candidate = (await config.links.findActiveTokenByHash(deterministicHash)) ??
-            (await config.links.findActiveTokenByHash(hashed));
+        const candidate = await config.links.findActiveTokenByHash(deterministicTokenHash(token, "magic_link"));
         if (!candidate) {
             return {
                 ok: false,
@@ -21,15 +18,6 @@ export const magicLinkPlugin = (config) => {
                 ]),
             };
         }
-        // Defensive verify for deterministic hash implementations.
-        if (!secretVerify(token, candidate.tokenHash) && candidate.tokenHash !== deterministicHash) {
-            return {
-                ok: false,
-                error: new AuthError("MAGIC_LINK_INVALID", "Invalid magic link.", 400, [
-                    createIssue("Invalid token", ["token"]),
-                ]),
-            };
-        }
         if (candidate.expiresAt.getTime() <= now.getTime()) {
             return {
                 ok: false,
@@ -55,7 +43,7 @@ export const magicLinkPlugin = (config) => {
     return {
         kind: "auth_method",
         method: "magic_link",
-        version: "1.0.0",
+        version: "2.0.0",
         supports: {
             register: true,
         },
@@ -66,9 +54,18 @@ export const magicLinkPlugin = (config) => {
         createApi: (ctx) => ({
             request: async (input, request) => {
                 const email = input.email.trim().toLowerCase();
+                if (ctx.adapters.rateLimiter) {
+                    const policy = ctx.security?.rateLimits?.magicLinkRequest ?? MAGIC_LINK_REQUEST_POLICY;
+                    const limited = await ctx.adapters.rateLimiter.consume(request?.ip
+                        ? `magicLinkRequest:ip:${request.ip}:identity:${email}`
+                        : `magicLinkRequest:identity:${email}`, policy.limit, policy.windowSeconds);
+                    if (!limited.allowed) {
+                        return errorOperation(createRateLimitedError(limited.retryAfterSeconds));
+                    }
+                }
                 const user = await ctx.adapters.users.findByEmail(email);
                 const rawToken = createToken();
-                const tokenHash = secretHash(rawToken, "deterministic_magic_link");
+                const tokenHash = deterministicTokenHash(rawToken, "magic_link");
                 const expiresAt = addSeconds(ctx.now(), ttl);
                 const token = await config.links.createToken({
                     userId: user?.id,

package/dist/plugins/oauth2.d.ts

@@ -14,6 +14,12 @@ export type ArcticAuthorizationCodeClient = {
 } | {
     validateAuthorizationCode(code: string, codeVerifier: string | null): Promise<OAuth2Tokens>;
 };
+export type OAuth2AuthorizationCodeExchangeInput = {
+    authorizationCode: string;
+    codeVerifier?: string;
+    redirectUri: string;
+};
+export type OAuth2AuthorizationCodeExchange = (input: OAuth2AuthorizationCodeExchangeInput) => Promise<OAuth2Tokens>;
 export type OAuth2ResolvedProfile<U extends UserBase, P extends string> = {
     provider?: P;
     providerUserId: string;
@@ -22,7 +28,7 @@ export type OAuth2ResolvedProfile<U extends UserBase, P extends string> = {
     profile?: Partial<U>;
 };
 export type OAuth2ProviderConfig<U extends UserBase, P extends string> = {
-    client: ArcticAuthorizationCodeClient;
+    exchangeAuthorizationCode: OAuth2AuthorizationCodeExchange;
     resolveProfile: (input: {
         provider: P;
         tokens: OAuth2Tokens;
@@ -38,4 +44,5 @@ export type OAuth2PluginConfig<U extends UserBase, P extends string, K extends k
     requiredProfileFields?: readonly K[];
     pendingProfileTtlSeconds?: number;
 };
+export declare const arcticAuthorizationCodeExchange: (client: ArcticAuthorizationCodeClient) => OAuth2AuthorizationCodeExchange;
 export declare const oauth2Plugin: <U extends UserBase, P extends string, K extends keyof U = never>(config: OAuth2PluginConfig<U, P, K>) => AuthMethodPlugin<"oauth2", OAuth2AuthenticateInput<P>, OAuth2AuthenticateInput<P>, U>;