@pya-platform/auth 0.1.0

package/src/recovery-codes.ts

@@ -0,0 +1,148 @@
+/**
+ * Recovery-code lifecycle: generate, hash, store, redeem.
+ *
+ * Format on display (one per line): `XXXX-XXXX-XXXX` where X is a base32
+ * letter from the unambiguous alphabet `23456789ABCDEFGHJKMNPQRSTUVWXYZ`
+ * (no 0/O, 1/I/L). 12 chars = 60 bits of entropy. We generate 8 codes per
+ * `generate` call — past industry standard (GitHub, Google, etc).
+ *
+ * Storage: only `(salt_hex, code_hash)` ever lands in D1. Plaintext is shown
+ * to the user exactly once, then dropped from memory.
+ */
+
+const ALPHABET = '23456789ABCDEFGHJKMNPQRSTUVWXYZ'
+const CODE_LEN = 12 // characters, formatted as 4-4-4
+const CODE_COUNT = 8
+
+const randomChars = (n: number): string => {
+  const bytes = new Uint8Array(n)
+  crypto.getRandomValues(bytes)
+  // Modulo-bias against 30 chars is negligible at 8-bit input.
+  let s = ''
+  for (let i = 0; i < n; i++) s += ALPHABET.charAt((bytes[i] ?? 0) % ALPHABET.length)
+  return s
+}
+
+const formatCode = (raw: string): string =>
+  `${raw.slice(0, 4)}-${raw.slice(4, 8)}-${raw.slice(8, 12)}`
+
+const stripFormat = (input: string): string => input.replace(/[\s-]/g, '').toUpperCase()
+
+const toHex = (buf: ArrayBuffer): string =>
+  [...new Uint8Array(buf)].map((b) => b.toString(16).padStart(2, '0')).join('')
+
+const fromHex = (hex: string): Uint8Array => {
+  const out = new Uint8Array(hex.length / 2)
+  for (let i = 0; i < out.length; i++) out[i] = Number.parseInt(hex.slice(i * 2, i * 2 + 2), 16)
+  return out
+}
+
+/** Per-row salt + PBKDF2-SHA256 single round. Plenty of cost for 60-bit
+ *  unguessable inputs; not Argon2 because we're tight on Worker CPU time. */
+const hashCode = async (plaintext: string, saltHex: string): Promise<string> => {
+  const enc = new TextEncoder()
+  const key = await crypto.subtle.importKey(
+    'raw',
+    enc.encode(plaintext),
+    { name: 'PBKDF2' },
+    false,
+    ['deriveBits'],
+  )
+  const bits = await crypto.subtle.deriveBits(
+    {
+      name: 'PBKDF2',
+      hash: 'SHA-256',
+      salt: fromHex(saltHex) as BufferSource,
+      iterations: 1,
+    },
+    key,
+    256,
+  )
+  return toHex(bits)
+}
+
+const randomSaltHex = (): string => {
+  const bytes = new Uint8Array(32)
+  crypto.getRandomValues(bytes)
+  return [...bytes].map((b) => b.toString(16).padStart(2, '0')).join('')
+}
+
+export interface GeneratedSet {
+  /** Plaintext codes — display to user, never persisted. */
+  readonly codes: ReadonlyArray<string>
+  readonly count: number
+}
+
+/** Generate a fresh set, replacing any prior unused codes for the user. */
+export const regenerateRecoveryCodes = async (
+  db: D1Database,
+  userId: string,
+): Promise<GeneratedSet> => {
+  // Wipe prior codes — regeneration is total, no partial overlap with old.
+  await db.prepare('DELETE FROM recovery_codes WHERE user_id = ?').bind(userId).run()
+  const now = Math.floor(Date.now() / 1000)
+  const plaintextCodes: string[] = []
+  const inserts: Array<{ saltHex: string; hash: string }> = []
+  for (let i = 0; i < CODE_COUNT; i++) {
+    const raw = randomChars(CODE_LEN)
+    const saltHex = randomSaltHex()
+    const hash = await hashCode(raw, saltHex)
+    plaintextCodes.push(formatCode(raw))
+    inserts.push({ saltHex, hash })
+  }
+  const stmt = db.prepare(
+    'INSERT INTO recovery_codes (user_id, salt_hex, code_hash, used_at, created_at) VALUES (?, ?, ?, NULL, ?)',
+  )
+  await db.batch(inserts.map((r) => stmt.bind(userId, r.saltHex, r.hash, now)))
+  return { codes: plaintextCodes, count: plaintextCodes.length }
+}
+
+export interface RedeemResult {
+  readonly ok: boolean
+}
+
+/** Try every unused code-row for the user; constant-time compare not needed
+ *  (the candidate hash already incorporates a per-row salt). */
+export const redeemRecoveryCode = async (
+  db: D1Database,
+  userId: string,
+  candidatePlaintext: string,
+): Promise<RedeemResult> => {
+  const candidate = stripFormat(candidatePlaintext)
+  if (candidate.length !== CODE_LEN) return { ok: false }
+  // biome-ignore lint/style/useNamingConvention: D1 raw columns
+  type Row = { salt_hex: string; code_hash: string }
+  const { results } = await db
+    .prepare('SELECT salt_hex, code_hash FROM recovery_codes WHERE user_id = ? AND used_at IS NULL')
+    .bind(userId)
+    .all<Row>()
+  for (const row of results) {
+    const candidateHash = await hashCode(candidate, row.salt_hex)
+    if (candidateHash === row.code_hash) {
+      const now = Math.floor(Date.now() / 1000)
+      await db
+        .prepare('UPDATE recovery_codes SET used_at = ? WHERE user_id = ? AND code_hash = ?')
+        .bind(now, userId, row.code_hash)
+        .run()
+      return { ok: true }
+    }
+  }
+  return { ok: false }
+}
+
+export const countUnusedCodes = async (db: D1Database, userId: string): Promise<number> => {
+  const row = await db
+    .prepare('SELECT COUNT(*) AS n FROM recovery_codes WHERE user_id = ? AND used_at IS NULL')
+    .bind(userId)
+    .first<{ n: number }>()
+  return row?.n ?? 0
+}
+
+/** Wipe ALL passkeys for a user — fired on successful recovery-code redeem
+ *  because the redeeming party may not be the legitimate user. */
+export const invalidateAllPasskeysForUser = async (
+  db: D1Database,
+  userId: string,
+): Promise<void> => {
+  await db.prepare('DELETE FROM passkeys WHERE user_id = ?').bind(userId).run()
+}

package/src/routes/dev-bypass.ts

@@ -0,0 +1,109 @@
+import { uuidV7 } from '@pya-platform/shared'
+import { ForbiddenError } from '@pya-platform/shared'
+import { Hono } from 'hono'
+import { setCookie } from 'hono/cookie'
+import { newSessionId, writeSession } from '../store/session-store.ts'
+
+// Optional sweep hook the host app can inject (e.g. PyaEats wires up its
+// stale-order cancel sweep). The router accepts undefined and skips
+// /cron-sweep when not provided.
+type DevSweepFn = (env: Env) => Promise<Record<string, unknown>>
+
+const COOKIE_NAME = 'pya_sid'
+const CSRF_COOKIE = 'pya_csrf'
+const SESSION_LIFETIME_SEC = 60 * 60 * 24 * 30
+
+/** Dev-only "magic login" — creates a fake customer session.
+ *  Disabled in production (ENVIRONMENT==='production' returns 403). */
+export const createDevBypassRoutes = (
+  opts: { readonly onCronSweep?: DevSweepFn } = {},
+): Hono<{ Bindings: Env }> => {
+  const app = new Hono<{ Bindings: Env }>()
+
+  app.post('/login', async (c) => {
+    if (c.env.ENVIRONMENT === 'production') {
+      throw new ForbiddenError({ required: 'non-production environment' })
+    }
+
+    const email = c.req.query('email') ?? `dev+${Date.now()}@pya.local`
+    const role = (c.req.query('role') ?? 'customer') as 'customer' | 'store_owner' | 'admin'
+    const now = Math.floor(Date.now() / 1000)
+
+    // Reuse the existing user when the email is already registered — otherwise
+    // we'd write a session keyed on a userId that points to nothing in `users`.
+    const existing = await c.env.DB.prepare(
+      "SELECT id FROM users WHERE email = ? AND status != 'deleted'",
+    )
+      .bind(email)
+      .first<{ id: string }>()
+    const userId = existing?.id ?? uuidV7()
+    if (existing === null) {
+      await c.env.DB.prepare(
+        `INSERT INTO users (id, email, email_verified, display_name, locale, created_at, status)
+       VALUES (?, ?, 1, ?, 'es-PY', ?, 'active')`,
+      )
+        .bind(userId, email, `Dev ${role}`, now)
+        .run()
+    }
+
+    const sid = newSessionId()
+    const ipHash = await sha256(
+      (c.req.header('CF-Connecting-IP') ?? '') + (c.env.SESSION_PEPPER ?? ''),
+    )
+    const uaHash = await sha256(c.req.header('User-Agent') ?? '')
+
+    await writeSession(c.env.SESSIONS, sid, {
+      userId,
+      roles: [role],
+      storeIds: [],
+      iat: now,
+      lastSeen: now,
+      ipHash,
+      uaHash,
+    })
+
+    // Preview/staging serves site and api from different eTLD+1 (pages.dev vs workers.dev),
+    // so cookies must be SameSite=None to ride cross-origin fetches.
+    // Note: production branch was thrown above, so ENVIRONMENT is narrowed to 'preview' | 'staging'.
+    const sameSite = 'None' as const
+    const csrfToken = newSessionId()
+    setCookie(c, COOKIE_NAME, sid, {
+      path: '/',
+      httpOnly: true,
+      secure: true,
+      sameSite,
+      maxAge: SESSION_LIFETIME_SEC,
+    })
+    setCookie(c, CSRF_COOKIE, csrfToken, {
+      path: '/',
+      secure: true,
+      sameSite,
+      maxAge: SESSION_LIFETIME_SEC,
+    })
+
+    // Return sessionToken + csrfToken in body so cross-origin clients (preview deploys
+    // where third-party cookies are blocked) can hold them and authenticate via
+    // Authorization: Bearer + X-CSRF-Token headers on subsequent requests.
+    return c.json({ ok: true, userId, email, role, sessionToken: sid, csrfToken })
+  })
+
+  const sha256 = async (s: string): Promise<string> => {
+    const buf = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(s))
+    return [...new Uint8Array(buf)].map((b) => b.toString(16).padStart(2, '0')).join('')
+  }
+
+  /** Dev-only manual trigger for a host-supplied sweep job. CF cron fires it
+   *  on its own; this lets us verify the logic on demand from tests. */
+  if (opts.onCronSweep !== undefined) {
+    const sweep = opts.onCronSweep
+    app.post('/cron-sweep', async (c) => {
+      if (c.env.ENVIRONMENT === 'production') {
+        throw new ForbiddenError({ required: 'non-production environment' })
+      }
+      const result = await sweep(c.env)
+      return c.json({ ok: true, ...result })
+    })
+  }
+
+  return app
+}

package/src/routes/oauth.ts

@@ -0,0 +1,114 @@
+import { type OAuthProvider, OAuthProviderSchema, type OAuthState } from '@pya-platform/shared'
+import { ValidationError } from '@pya-platform/shared'
+import { Hono } from 'hono'
+import { deleteCookie, getCookie, setCookie } from 'hono/cookie'
+import * as v from 'valibot'
+import { buildRedirectUri, handleOAuthCallback } from '../oauth-callback.ts'
+import { revokeSession } from '../session.ts'
+
+const STATE_TTL_SEC = 600
+const REDIRECT_ALLOWLIST: ReadonlyArray<RegExp> = [
+  /^\/$/,
+  /^\/stores\/[a-z0-9-]+$/,
+  /^\/cart$/,
+  /^\/checkout$/,
+  /^\/orders\/[a-z0-9-]+$/,
+  /^\/profile$/,
+]
+
+const app = new Hono<{ Bindings: Env }>()
+
+app.get('/start', async (c) => {
+  const providerRaw = c.req.query('provider')
+  const parsed = v.safeParse(OAuthProviderSchema, providerRaw)
+  if (!parsed.success) {
+    throw new ValidationError({ issues: [{ path: 'provider', message: 'Unknown provider' }] })
+  }
+  const provider = parsed.output
+
+  const redirectAfter = c.req.query('redirect') ?? '/'
+  const safeRedirect = REDIRECT_ALLOWLIST.some((re) => re.test(redirectAfter)) ? redirectAfter : '/'
+
+  const state = randomToken(32)
+  const verifier = randomToken(64)
+  const challenge = await s256Challenge(verifier)
+  const nonce = randomToken(16)
+
+  const stateRecord: OAuthState = {
+    verifier,
+    provider,
+    redirectAfter: safeRedirect,
+    nonce,
+    intent: 'login',
+  }
+  await c.env.OAUTH_STATE.put(`oauth:state:${state}`, JSON.stringify(stateRecord), {
+    expirationTtl: STATE_TTL_SEC,
+  })
+  setCookie(c, 'pya_oauth_state', state, {
+    path: '/api/auth',
+    httpOnly: true,
+    secure: true,
+    sameSite: 'Lax',
+    maxAge: STATE_TTL_SEC,
+  })
+
+  const authUrl = buildProviderAuthUrl(provider, c.env, state, challenge, nonce)
+  return c.redirect(authUrl, 302)
+})
+
+app.get('/callback/:provider', handleOAuthCallback)
+
+app.post('/logout', async (c) => {
+  const sid = getCookie(c, 'pya_sid')
+  if (sid !== undefined) await revokeSession(c, deleteCookie, sid, false)
+  return c.json({ ok: true })
+})
+
+const randomToken = (bytes: number): string => {
+  const buf = new Uint8Array(bytes)
+  crypto.getRandomValues(buf)
+  return btoa(String.fromCharCode(...buf))
+    .replaceAll('+', '-')
+    .replaceAll('/', '_')
+    .replaceAll('=', '')
+}
+
+const s256Challenge = async (verifier: string): Promise<string> => {
+  const digest = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(verifier))
+  return btoa(String.fromCharCode(...new Uint8Array(digest)))
+    .replaceAll('+', '-')
+    .replaceAll('/', '_')
+    .replaceAll('=', '')
+}
+
+const buildProviderAuthUrl = (
+  provider: OAuthProvider,
+  env: Env,
+  state: string,
+  challenge: string,
+  nonce: string,
+): string => {
+  const redirectUri = buildRedirectUri(env, provider)
+  const common = {
+    response_type: 'code',
+    state,
+    code_challenge: challenge,
+    code_challenge_method: 'S256',
+    redirect_uri: redirectUri,
+    scope: 'openid email profile',
+    nonce,
+  }
+  const params = new URLSearchParams(common)
+  switch (provider) {
+    case 'google':
+      params.set('client_id', env.GOOGLE_OAUTH_CLIENT_ID ?? '')
+      return `${env.GOOGLE_AUTH_URL ?? 'https://accounts.google.com/o/oauth2/v2/auth'}?${params}`
+    case 'facebook':
+      params.set('client_id', env.FACEBOOK_APP_ID ?? '')
+      return `https://www.facebook.com/v18.0/dialog/oauth?${params}`
+    case 'apple':
+      return `${env.SITE_ORIGIN}/login?error=apple_not_implemented`
+  }
+}
+
+export { app as oauthRoutes }