@rebasepro/server-core 0.6.0 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (168) hide show
  1. package/package.json +14 -14
  2. package/src/api/errors.ts +16 -2
  3. package/src/api/graphql/graphql-schema-generator.ts +45 -10
  4. package/src/api/rest/api-generator.ts +19 -2
  5. package/src/api/server.ts +10 -2
  6. package/src/api/types.ts +6 -0
  7. package/src/auth/adapter-middleware.ts +10 -2
  8. package/src/auth/admin-roles-route.ts +36 -0
  9. package/src/auth/admin-users-route.ts +302 -0
  10. package/src/auth/api-keys/api-key-middleware.ts +4 -3
  11. package/src/auth/api-keys/api-key-routes.ts +12 -2
  12. package/src/auth/api-keys/api-key-store.ts +83 -66
  13. package/src/auth/api-keys/api-key-types.ts +8 -0
  14. package/src/auth/apple-oauth.ts +2 -1
  15. package/src/auth/auth-hooks.ts +21 -0
  16. package/src/auth/bitbucket-oauth.ts +2 -1
  17. package/src/auth/builtin-auth-adapter.ts +28 -4
  18. package/src/auth/custom-auth-adapter.ts +2 -0
  19. package/src/auth/discord-oauth.ts +2 -1
  20. package/src/auth/facebook-oauth.ts +2 -1
  21. package/src/auth/github-oauth.ts +2 -1
  22. package/src/auth/gitlab-oauth.ts +2 -1
  23. package/src/auth/google-oauth.ts +8 -4
  24. package/src/auth/index.ts +2 -0
  25. package/src/auth/interfaces.ts +27 -0
  26. package/src/auth/linkedin-oauth.ts +2 -1
  27. package/src/auth/magic-link-routes.ts +167 -0
  28. package/src/auth/mfa-crypto.ts +91 -0
  29. package/src/auth/mfa-routes.ts +34 -10
  30. package/src/auth/microsoft-oauth.ts +2 -1
  31. package/src/auth/middleware.ts +10 -1
  32. package/src/auth/reset-password-admin.ts +17 -1
  33. package/src/auth/routes.ts +77 -8
  34. package/src/auth/session-routes.ts +15 -3
  35. package/src/auth/slack-oauth.ts +2 -1
  36. package/src/auth/spotify-oauth.ts +2 -1
  37. package/src/auth/twitter-oauth.ts +8 -1
  38. package/src/cron/cron-store.ts +25 -23
  39. package/src/email/index.ts +3 -2
  40. package/src/email/templates.ts +82 -0
  41. package/src/email/types.ts +16 -0
  42. package/src/init.ts +137 -5
  43. package/src/services/routed-realtime-service.ts +113 -0
  44. package/src/storage/routes.ts +4 -0
  45. package/src/utils/dev-port.ts +13 -7
  46. package/test/auth-routes.test.ts +54 -4
  47. package/test/custom-auth-adapter.test.ts +20 -1
  48. package/test/env.test.ts +9 -19
  49. package/test/multi-datasource-routing.test.ts +113 -0
  50. package/test/routed-realtime-service.test.ts +86 -0
  51. package/test/transform-auth-response.test.ts +305 -0
  52. package/vite.config.ts +5 -0
  53. package/build-errors.txt +0 -52
  54. package/dist/api/ast-schema-editor.d.ts +0 -21
  55. package/dist/api/collections_for_test/callbacks_test_collection.d.ts +0 -2
  56. package/dist/api/errors.d.ts +0 -53
  57. package/dist/api/graphql/graphql-schema-generator.d.ts +0 -35
  58. package/dist/api/graphql/index.d.ts +0 -1
  59. package/dist/api/index.d.ts +0 -9
  60. package/dist/api/logs-routes.d.ts +0 -37
  61. package/dist/api/openapi-generator.d.ts +0 -16
  62. package/dist/api/rest/api-generator.d.ts +0 -88
  63. package/dist/api/rest/index.d.ts +0 -1
  64. package/dist/api/rest/query-parser.d.ts +0 -11
  65. package/dist/api/schema-editor-routes.d.ts +0 -3
  66. package/dist/api/server.d.ts +0 -40
  67. package/dist/api/types.d.ts +0 -98
  68. package/dist/auth/adapter-middleware.d.ts +0 -37
  69. package/dist/auth/admin-user-ops.d.ts +0 -79
  70. package/dist/auth/api-keys/api-key-middleware.d.ts +0 -39
  71. package/dist/auth/api-keys/api-key-permission-guard.d.ts +0 -32
  72. package/dist/auth/api-keys/api-key-routes.d.ts +0 -20
  73. package/dist/auth/api-keys/api-key-store.d.ts +0 -35
  74. package/dist/auth/api-keys/api-key-types.d.ts +0 -88
  75. package/dist/auth/api-keys/index.d.ts +0 -17
  76. package/dist/auth/apple-oauth.d.ts +0 -30
  77. package/dist/auth/auth-hooks.d.ts +0 -225
  78. package/dist/auth/bitbucket-oauth.d.ts +0 -11
  79. package/dist/auth/builtin-auth-adapter.d.ts +0 -49
  80. package/dist/auth/crypto-utils.d.ts +0 -16
  81. package/dist/auth/custom-auth-adapter.d.ts +0 -39
  82. package/dist/auth/discord-oauth.d.ts +0 -14
  83. package/dist/auth/facebook-oauth.d.ts +0 -14
  84. package/dist/auth/github-oauth.d.ts +0 -15
  85. package/dist/auth/gitlab-oauth.d.ts +0 -13
  86. package/dist/auth/google-oauth.d.ts +0 -47
  87. package/dist/auth/index.d.ts +0 -36
  88. package/dist/auth/interfaces.d.ts +0 -401
  89. package/dist/auth/jwt.d.ts +0 -55
  90. package/dist/auth/linkedin-oauth.d.ts +0 -18
  91. package/dist/auth/mfa-routes.d.ts +0 -6
  92. package/dist/auth/mfa.d.ts +0 -49
  93. package/dist/auth/microsoft-oauth.d.ts +0 -16
  94. package/dist/auth/middleware.d.ts +0 -106
  95. package/dist/auth/password.d.ts +0 -22
  96. package/dist/auth/rate-limiter.d.ts +0 -50
  97. package/dist/auth/reset-password-admin.d.ts +0 -29
  98. package/dist/auth/rls-scope.d.ts +0 -31
  99. package/dist/auth/routes.d.ts +0 -33
  100. package/dist/auth/session-routes.d.ts +0 -25
  101. package/dist/auth/slack-oauth.d.ts +0 -12
  102. package/dist/auth/spotify-oauth.d.ts +0 -12
  103. package/dist/auth/twitter-oauth.d.ts +0 -18
  104. package/dist/backend-CIxN4FVm.js +0 -15
  105. package/dist/backend-CIxN4FVm.js.map +0 -1
  106. package/dist/chunk-Dze3rakg.js +0 -42
  107. package/dist/collections/BackendCollectionRegistry.d.ts +0 -13
  108. package/dist/collections/loader.d.ts +0 -5
  109. package/dist/cron/cron-loader.d.ts +0 -17
  110. package/dist/cron/cron-routes.d.ts +0 -14
  111. package/dist/cron/cron-scheduler.d.ts +0 -106
  112. package/dist/cron/cron-store.d.ts +0 -32
  113. package/dist/cron/index.d.ts +0 -6
  114. package/dist/db/interfaces.d.ts +0 -18
  115. package/dist/dist-CZKP-Xz4.js +0 -832
  116. package/dist/dist-CZKP-Xz4.js.map +0 -1
  117. package/dist/email/index.d.ts +0 -6
  118. package/dist/email/smtp-email-service.d.ts +0 -25
  119. package/dist/email/templates.d.ts +0 -42
  120. package/dist/email/types.d.ts +0 -108
  121. package/dist/env.d.ts +0 -102
  122. package/dist/from-VbwD7xRf.js +0 -3849
  123. package/dist/from-VbwD7xRf.js.map +0 -1
  124. package/dist/functions/function-loader.d.ts +0 -17
  125. package/dist/functions/function-routes.d.ts +0 -10
  126. package/dist/functions/index.d.ts +0 -3
  127. package/dist/history/history-routes.d.ts +0 -23
  128. package/dist/history/index.d.ts +0 -1
  129. package/dist/index.d.ts +0 -33
  130. package/dist/index.es.js +0 -61726
  131. package/dist/index.es.js.map +0 -1
  132. package/dist/index.umd.js +0 -73216
  133. package/dist/index.umd.js.map +0 -1
  134. package/dist/init/docs.d.ts +0 -4
  135. package/dist/init/health.d.ts +0 -2
  136. package/dist/init/middlewares.d.ts +0 -10
  137. package/dist/init/shutdown.d.ts +0 -11
  138. package/dist/init/storage.d.ts +0 -5
  139. package/dist/init.d.ts +0 -258
  140. package/dist/jwt-DHcQRGC3.js +0 -4168
  141. package/dist/jwt-DHcQRGC3.js.map +0 -1
  142. package/dist/logger-BYU66ENZ.js +0 -94
  143. package/dist/logger-BYU66ENZ.js.map +0 -1
  144. package/dist/ms-BeBSuOXN.js +0 -125
  145. package/dist/ms-BeBSuOXN.js.map +0 -1
  146. package/dist/multipart-parser-CedBDOeC.js +0 -299
  147. package/dist/multipart-parser-CedBDOeC.js.map +0 -1
  148. package/dist/serve-spa.d.ts +0 -30
  149. package/dist/services/driver-registry.d.ts +0 -78
  150. package/dist/services/webhook-service.d.ts +0 -29
  151. package/dist/singleton.d.ts +0 -35
  152. package/dist/src-COaj0G3P.js +0 -1182
  153. package/dist/src-COaj0G3P.js.map +0 -1
  154. package/dist/storage/LocalStorageController.d.ts +0 -46
  155. package/dist/storage/S3StorageController.d.ts +0 -36
  156. package/dist/storage/image-transform.d.ts +0 -50
  157. package/dist/storage/index.d.ts +0 -28
  158. package/dist/storage/routes.d.ts +0 -38
  159. package/dist/storage/storage-registry.d.ts +0 -78
  160. package/dist/storage/tus-handler.d.ts +0 -51
  161. package/dist/storage/types.d.ts +0 -103
  162. package/dist/types/index.d.ts +0 -11
  163. package/dist/utils/dev-port.d.ts +0 -35
  164. package/dist/utils/logger.d.ts +0 -31
  165. package/dist/utils/logging.d.ts +0 -9
  166. package/dist/utils/request-id.d.ts +0 -4
  167. package/dist/utils/request-logger.d.ts +0 -19
  168. package/dist/utils/sql.d.ts +0 -27
@@ -1,401 +0,0 @@
1
- import { z } from "zod";
2
- /**
3
- * Authentication Abstraction Interfaces
4
- *
5
- * These interfaces define the contracts for authentication-related operations.
6
- * Implementations can use different databases (PostgreSQL, MongoDB, etc.) to
7
- * store user, role, and token data.
8
- */
9
- /**
10
- * User data structure
11
- */
12
- export interface UserData {
13
- id: string;
14
- email: string;
15
- passwordHash?: string | null;
16
- displayName?: string | null;
17
- photoUrl?: string | null;
18
- emailVerified: boolean;
19
- emailVerificationToken?: string | null;
20
- emailVerificationSentAt?: Date | null;
21
- isAnonymous?: boolean;
22
- metadata?: Record<string, unknown>;
23
- createdAt: Date;
24
- updatedAt: Date;
25
- }
26
- /**
27
- * Data for creating a new user
28
- */
29
- export interface CreateUserData {
30
- email: string;
31
- passwordHash?: string;
32
- displayName?: string;
33
- photoUrl?: string;
34
- emailVerified?: boolean;
35
- isAnonymous?: boolean;
36
- metadata?: Record<string, unknown>;
37
- }
38
- /**
39
- * User Identity Data (OAuth accounts linked to user)
40
- */
41
- export interface UserIdentityData {
42
- id: string;
43
- userId: string;
44
- provider: string;
45
- providerId: string;
46
- profileData?: Record<string, unknown> | null;
47
- createdAt: Date;
48
- updatedAt: Date;
49
- }
50
- /**
51
- * Standardized profile data returned by an OAuth provider verification payload
52
- */
53
- export interface OAuthProviderProfile {
54
- providerId: string;
55
- email: string;
56
- displayName?: string | null;
57
- photoUrl?: string | null;
58
- }
59
- /**
60
- * Pluggable OAuth Provider integration strategy
61
- */
62
- export interface OAuthProvider<T = unknown> {
63
- /** The identifier of the provider (e.g. "github", "google") */
64
- id: string;
65
- /** Zod schema validating the expected request payload (e.g. { code: string }) */
66
- schema: z.ZodSchema<T>;
67
- /** Verify external tokens/codes and return a standardized user profile */
68
- verify: (payload: T) => Promise<OAuthProviderProfile | null>;
69
- }
70
- /**
71
- * Role data structure
72
- */
73
- export interface RoleData {
74
- id: string;
75
- name: string;
76
- isAdmin: boolean;
77
- defaultPermissions: {
78
- read?: boolean;
79
- create?: boolean;
80
- edit?: boolean;
81
- delete?: boolean;
82
- } | null;
83
- collectionPermissions: Record<string, {
84
- read?: boolean;
85
- create?: boolean;
86
- edit?: boolean;
87
- delete?: boolean;
88
- }> | null;
89
- }
90
- /**
91
- * Data for creating a new role
92
- */
93
- export interface CreateRoleData {
94
- id: string;
95
- name: string;
96
- isAdmin?: boolean;
97
- defaultPermissions?: RoleData["defaultPermissions"];
98
- collectionPermissions?: RoleData["collectionPermissions"];
99
- }
100
- /**
101
- * Refresh token info
102
- */
103
- export interface RefreshTokenInfo {
104
- id: string;
105
- userId: string;
106
- tokenHash: string;
107
- expiresAt: Date;
108
- createdAt: Date;
109
- userAgent?: string | null;
110
- ipAddress?: string | null;
111
- }
112
- /**
113
- * Password reset token info
114
- */
115
- export interface PasswordResetTokenInfo {
116
- userId: string;
117
- expiresAt: Date;
118
- }
119
- /**
120
- * Options for paginated user listing
121
- */
122
- export interface ListUsersOptions {
123
- /** Max results per page (default 25) */
124
- limit?: number;
125
- /** Number of results to skip (default 0) */
126
- offset?: number;
127
- /** Search term — matches against email and displayName (case-insensitive) */
128
- search?: string;
129
- /** Field to sort by (default "createdAt") */
130
- orderBy?: string;
131
- /** Sort direction (default "desc") */
132
- orderDir?: "asc" | "desc";
133
- /** Filter by role ID */
134
- roleId?: string;
135
- }
136
- /**
137
- * Result of a paginated user listing
138
- */
139
- export interface PaginatedUsersResult {
140
- users: UserData[];
141
- /** Total number of users matching the filters (ignoring limit/offset) */
142
- total: number;
143
- limit: number;
144
- offset: number;
145
- }
146
- /**
147
- * Abstract user repository interface.
148
- * Handles all user-related database operations.
149
- */
150
- export interface UserRepository {
151
- /**
152
- * Create a new user
153
- */
154
- createUser(data: CreateUserData): Promise<UserData>;
155
- /**
156
- * Get a user by ID
157
- */
158
- getUserById(id: string): Promise<UserData | null>;
159
- /**
160
- * Get a user by email
161
- */
162
- getUserByEmail(email: string): Promise<UserData | null>;
163
- /**
164
- * Get a user by an OAuth identity
165
- */
166
- getUserByIdentity(provider: string, providerId: string): Promise<UserData | null>;
167
- /**
168
- * Get all identities linked to a user
169
- */
170
- getUserIdentities(userId: string): Promise<UserIdentityData[]>;
171
- /**
172
- * Link a new OAuth identity to a user
173
- */
174
- linkUserIdentity(userId: string, provider: string, providerId: string, profileData?: Record<string, unknown>): Promise<void>;
175
- /**
176
- * Update a user
177
- */
178
- updateUser(id: string, data: Partial<Omit<CreateUserData, "id">>): Promise<UserData | null>;
179
- /**
180
- * Delete a user
181
- */
182
- deleteUser(id: string): Promise<void>;
183
- /**
184
- * List all users (unbounded — use listUsersPaginated for large datasets)
185
- */
186
- listUsers(): Promise<UserData[]>;
187
- /**
188
- * List users with server-side pagination, search, and sorting.
189
- */
190
- listUsersPaginated(options?: ListUsersOptions): Promise<PaginatedUsersResult>;
191
- /**
192
- * Update user's password hash
193
- */
194
- updatePassword(id: string, passwordHash: string): Promise<void>;
195
- /**
196
- * Set email verification status
197
- */
198
- setEmailVerified(id: string, verified: boolean): Promise<void>;
199
- /**
200
- * Set email verification token
201
- */
202
- setVerificationToken(id: string, token: string | null): Promise<void>;
203
- /**
204
- * Find user by email verification token
205
- */
206
- getUserByVerificationToken(token: string): Promise<UserData | null>;
207
- /**
208
- * Get roles for a user
209
- */
210
- getUserRoles(userId: string): Promise<RoleData[]>;
211
- /**
212
- * Get role IDs for a user
213
- */
214
- getUserRoleIds(userId: string): Promise<string[]>;
215
- /**
216
- * Set roles for a user (replaces existing roles)
217
- */
218
- setUserRoles(userId: string, roleIds: string[]): Promise<void>;
219
- /**
220
- * Assign a specific role to a new user
221
- */
222
- assignDefaultRole(userId: string, roleId: string): Promise<void>;
223
- /**
224
- * Get user with their roles
225
- */
226
- getUserWithRoles(userId: string): Promise<{
227
- user: UserData;
228
- roles: RoleData[];
229
- } | null>;
230
- }
231
- /**
232
- * Abstract role repository interface.
233
- * Handles all role-related database operations.
234
- */
235
- export interface RoleRepository {
236
- /**
237
- * Get a role by ID
238
- */
239
- getRoleById(id: string): Promise<RoleData | null>;
240
- /**
241
- * List all roles
242
- */
243
- listRoles(): Promise<RoleData[]>;
244
- /**
245
- * Create a new role
246
- */
247
- createRole(data: CreateRoleData): Promise<RoleData>;
248
- /**
249
- * Update a role
250
- */
251
- updateRole(id: string, data: Partial<Omit<RoleData, "id">>): Promise<RoleData | null>;
252
- /**
253
- * Delete a role
254
- */
255
- deleteRole(id: string): Promise<void>;
256
- }
257
- /**
258
- * Abstract token repository interface.
259
- * Handles refresh tokens and password reset tokens.
260
- */
261
- export interface TokenRepository {
262
- /**
263
- * Create a new refresh token
264
- */
265
- createRefreshToken(userId: string, tokenHash: string, expiresAt: Date, userAgent?: string, ipAddress?: string): Promise<void>;
266
- /**
267
- * Find a refresh token by hash
268
- */
269
- findRefreshTokenByHash(tokenHash: string): Promise<RefreshTokenInfo | null>;
270
- /**
271
- * Delete a refresh token by hash
272
- */
273
- deleteRefreshToken(tokenHash: string): Promise<void>;
274
- /**
275
- * Delete all refresh tokens for a user
276
- */
277
- deleteAllRefreshTokensForUser(userId: string): Promise<void>;
278
- /**
279
- * List all refresh tokens for a user
280
- */
281
- listRefreshTokensForUser(userId: string): Promise<RefreshTokenInfo[]>;
282
- /**
283
- * Delete a specific refresh token by its primary key ID
284
- */
285
- deleteRefreshTokenById(id: string, userId: string): Promise<void>;
286
- /**
287
- * Create a password reset token
288
- */
289
- createPasswordResetToken(userId: string, tokenHash: string, expiresAt: Date): Promise<void>;
290
- /**
291
- * Find a valid (not expired, not used) password reset token by hash
292
- */
293
- findValidPasswordResetToken(tokenHash: string): Promise<PasswordResetTokenInfo | null>;
294
- /**
295
- * Mark a password reset token as used
296
- */
297
- markPasswordResetTokenUsed(tokenHash: string): Promise<void>;
298
- /**
299
- * Delete all password reset tokens for a user
300
- */
301
- deleteAllPasswordResetTokensForUser(userId: string): Promise<void>;
302
- /**
303
- * Clean up expired tokens
304
- */
305
- deleteExpiredTokens(): Promise<void>;
306
- }
307
- /**
308
- * MFA factor data structure
309
- */
310
- export interface MfaFactor {
311
- id: string;
312
- userId: string;
313
- factorType: "totp";
314
- friendlyName?: string;
315
- verified: boolean;
316
- createdAt: Date;
317
- updatedAt: Date;
318
- }
319
- /**
320
- * MFA challenge information
321
- */
322
- export interface MfaChallengeInfo {
323
- id: string;
324
- factorId: string;
325
- createdAt: Date;
326
- verifiedAt?: Date;
327
- ipAddress?: string;
328
- }
329
- /**
330
- * Recovery code data structure
331
- */
332
- export interface RecoveryCode {
333
- id: string;
334
- userId: string;
335
- usedAt?: Date;
336
- }
337
- /**
338
- * Abstract MFA repository interface.
339
- * Handles all MFA-related database operations.
340
- */
341
- export interface MfaRepository {
342
- /**
343
- * Create a new MFA factor for a user
344
- */
345
- createMfaFactor(userId: string, factorType: "totp", secretEncrypted: string, friendlyName?: string): Promise<MfaFactor>;
346
- /**
347
- * Get all MFA factors for a user
348
- */
349
- getMfaFactors(userId: string): Promise<MfaFactor[]>;
350
- /**
351
- * Get a specific MFA factor by ID
352
- */
353
- getMfaFactorById(factorId: string): Promise<(MfaFactor & {
354
- secretEncrypted: string;
355
- }) | null>;
356
- /**
357
- * Mark an MFA factor as verified
358
- */
359
- verifyMfaFactor(factorId: string): Promise<void>;
360
- /**
361
- * Delete an MFA factor
362
- */
363
- deleteMfaFactor(factorId: string, userId: string): Promise<void>;
364
- /**
365
- * Create an MFA challenge
366
- */
367
- createMfaChallenge(factorId: string, ipAddress?: string): Promise<MfaChallengeInfo>;
368
- /**
369
- * Get an MFA challenge by ID
370
- */
371
- getMfaChallengeById(challengeId: string): Promise<MfaChallengeInfo | null>;
372
- /**
373
- * Mark an MFA challenge as verified
374
- */
375
- verifyMfaChallenge(challengeId: string): Promise<void>;
376
- /**
377
- * Create recovery codes for a user
378
- */
379
- createRecoveryCodes(userId: string, codeHashes: string[]): Promise<void>;
380
- /**
381
- * Use a recovery code (mark as used)
382
- */
383
- useRecoveryCode(userId: string, codeHash: string): Promise<boolean>;
384
- /**
385
- * Get unused recovery code count for a user
386
- */
387
- getUnusedRecoveryCodeCount(userId: string): Promise<number>;
388
- /**
389
- * Delete all recovery codes for a user
390
- */
391
- deleteAllRecoveryCodes(userId: string): Promise<void>;
392
- /**
393
- * Check if a user has any verified MFA factors
394
- */
395
- hasVerifiedMfaFactors(userId: string): Promise<boolean>;
396
- }
397
- /**
398
- * Combined auth repository interface for convenience
399
- */
400
- export interface AuthRepository extends UserRepository, RoleRepository, TokenRepository, MfaRepository {
401
- }
@@ -1,55 +0,0 @@
1
- export interface JwtConfig {
2
- secret: string;
3
- accessExpiresIn?: string;
4
- refreshExpiresIn?: string;
5
- }
6
- export interface AccessTokenPayload {
7
- userId: string;
8
- roles: string[];
9
- uid?: string;
10
- /** Authentication Assurance Level: aal1 = password/oauth, aal2 = MFA verified */
11
- aal?: "aal1" | "aal2";
12
- /** Email claim from the JWT, if present */
13
- email?: string;
14
- /** Display name claim from the JWT, if present */
15
- displayName?: string;
16
- /** Photo URL claim from the JWT, if present */
17
- photoURL?: string;
18
- /** Whether MFA has been verified for this session */
19
- mfa_verified?: boolean;
20
- /** Authentication Methods Reference — list of methods used (e.g. 'pwd', 'otp') */
21
- amr?: string[];
22
- }
23
- /**
24
- * Configure JWT settings - call this during initialization.
25
- * Validates the secret strength to prevent deployment with default/weak secrets.
26
- */
27
- export declare function configureJwt(config: JwtConfig): void;
28
- /**
29
- * Generate an access token (short-lived, 1 hour by default)
30
- */
31
- export declare function generateAccessToken(userId: string, roles: string[], aal?: "aal1" | "aal2", customClaims?: Record<string, unknown>): string;
32
- /**
33
- * Get the expiration time of an access token in milliseconds from now
34
- */
35
- export declare function getAccessTokenExpiryMs(): number;
36
- /**
37
- * Get the expiration timestamp for an access token
38
- */
39
- export declare function getAccessTokenExpiry(): number;
40
- /**
41
- * Verify and decode an access token
42
- */
43
- export declare function verifyAccessToken(token: string): AccessTokenPayload | null;
44
- /**
45
- * Generate a random refresh token (long-lived, 30 days by default)
46
- */
47
- export declare function generateRefreshToken(): string;
48
- /**
49
- * Hash a refresh token for database storage (don't store raw tokens)
50
- */
51
- export declare function hashRefreshToken(token: string): string;
52
- /**
53
- * Calculate refresh token expiration date
54
- */
55
- export declare function getRefreshTokenExpiry(): Date;
@@ -1,18 +0,0 @@
1
- import type { OAuthProvider } from "./interfaces";
2
- export interface LinkedinUserInfo {
3
- linkedinId: string;
4
- email: string;
5
- displayName: string | null;
6
- photoUrl: string | null;
7
- emailVerified: boolean;
8
- }
9
- /**
10
- * Creates a LinkedIn OAuth Provider integration
11
- */
12
- export declare function createLinkedinProvider(config: {
13
- clientId: string;
14
- clientSecret: string;
15
- }): OAuthProvider<{
16
- code: string;
17
- redirectUri: string;
18
- }>;
@@ -1,6 +0,0 @@
1
- import { Hono } from "hono";
2
- import { z } from "zod";
3
- import { HonoEnv } from "../api/types";
4
- import type { AuthModuleConfig } from "./routes";
5
- import { resolveAuthHooks } from "./auth-hooks";
6
- export declare function mountMfaRoutes(router: Hono<HonoEnv>, config: AuthModuleConfig, ops: ReturnType<typeof resolveAuthHooks>, parseBody: <T>(schema: z.ZodSchema<T>, body: unknown) => T): void;
@@ -1,49 +0,0 @@
1
- /**
2
- * TOTP (Time-based One-Time Password) implementation.
3
- *
4
- * Pure Node.js crypto implementation — no external dependencies required.
5
- * Implements RFC 6238 (TOTP) and RFC 4226 (HOTP).
6
- */
7
- /**
8
- * Encode a Buffer to Base32 string (RFC 4648)
9
- */
10
- export declare function base32Encode(buffer: Buffer): string;
11
- /**
12
- * Decode a Base32 string to Buffer
13
- */
14
- export declare function base32Decode(encoded: string): Buffer;
15
- /**
16
- * Generate a TOTP value for the current time step
17
- */
18
- export declare function generateTotp(secret: Buffer, timeStep?: number): string;
19
- /**
20
- * Verify a TOTP token with a configurable time window
21
- *
22
- * @param secret - The shared secret as a Buffer
23
- * @param token - The 6-digit TOTP code to verify
24
- * @param window - Number of time steps to check on each side (default: 1)
25
- * @returns true if the token is valid within the window
26
- */
27
- export declare function verifyTotp(secret: Buffer, token: string, window?: number): boolean;
28
- /**
29
- * Generate a new TOTP secret and return the setup information
30
- *
31
- * @param issuer - The issuer name (app name) for the QR code
32
- * @param accountName - The account identifier (usually email)
33
- * @returns Object with base32 secret and otpauth URI
34
- */
35
- export declare function generateTotpSecret(issuer: string, accountName: string): {
36
- secret: string;
37
- uri: string;
38
- };
39
- /**
40
- * Generate a set of one-time recovery codes
41
- *
42
- * @param count - Number of recovery codes to generate (default: 10)
43
- * @returns Array of formatted recovery code strings (e.g. "A1B2C-D3E4F")
44
- */
45
- export declare function generateRecoveryCodes(count?: number): string[];
46
- /**
47
- * Hash a recovery code for storage
48
- */
49
- export declare function hashRecoveryCode(code: string): string;
@@ -1,16 +0,0 @@
1
- import type { OAuthProvider } from "./interfaces";
2
- /**
3
- * Creates a Microsoft / Entra ID (Azure AD) OAuth Provider integration.
4
- *
5
- * Supports both personal Microsoft accounts and work/school (Azure AD) accounts
6
- * via the "common" tenant endpoint. Uses the authorization code flow.
7
- */
8
- export declare function createMicrosoftProvider(config: {
9
- clientId: string;
10
- clientSecret: string;
11
- /** Tenant ID. Defaults to "common" which allows both personal and organizational accounts. */
12
- tenantId?: string;
13
- }): OAuthProvider<{
14
- code: string;
15
- redirectUri: string;
16
- }>;
@@ -1,106 +0,0 @@
1
- import { MiddlewareHandler, Context } from "hono";
2
- import { DataDriver } from "@rebasepro/types";
3
- import { AccessTokenPayload } from "./jwt";
4
- import { HonoEnv } from "../api/types";
5
- import type { ApiKeyStore } from "./api-keys/api-key-store";
6
- /**
7
- * Result from a custom auth validator.
8
- * - `false`/`null`/`undefined` = not authenticated
9
- * - `true` = authenticated as default user
10
- * - object with `userId` or `uid` = authenticated with user info
11
- */
12
- export type AuthResult = boolean | null | undefined | {
13
- userId?: string;
14
- uid?: string;
15
- roles?: string[];
16
- [key: string]: unknown;
17
- };
18
- /**
19
- * Options for creating an auth middleware via createAuthMiddleware()
20
- */
21
- export interface AuthMiddlewareOptions {
22
- /** DataDriver to scope via withAuth() for RLS */
23
- driver: DataDriver;
24
- /**
25
- * If true, return 401 when no valid token is present.
26
- *
27
- * **Defaults to `true` (secure by default).** Set to `false` only for
28
- * intentionally public endpoints where access control is fully delegated
29
- * to Postgres Row-Level Security policies.
30
- */
31
- requireAuth?: boolean;
32
- /** Optional custom validator (for non-JWT auth, e.g. Firebase Auth) */
33
- validator?: (c: Context<HonoEnv>) => Promise<AuthResult>;
34
- /**
35
- * A static secret key for server-to-server / script authentication.
36
- *
37
- * When a request sends `Authorization: Bearer <key>` and the key matches
38
- * this value, the request is granted admin-level access (uid: `service`,
39
- * roles: `["admin"]`) **without** JWT verification. The driver is scoped
40
- * via `withAuth()` with the service identity.
41
- *
42
- * This is the Rebase equivalent of a Firebase Service Account key.
43
- * Set via `REBASE_SERVICE_KEY` in `.env` and pass through the backend config.
44
- *
45
- * **Security:** The comparison uses constant-time equality to prevent
46
- * timing attacks. The key must be at least 32 characters.
47
- */
48
- serviceKey?: string;
49
- /**
50
- * API key store for authenticating `rk_` prefixed tokens.
51
- * When set, tokens starting with `rk_` are validated against the
52
- * database instead of being treated as JWTs.
53
- */
54
- apiKeyStore?: ApiKeyStore;
55
- }
56
- /**
57
- * Hono middleware that requires a valid JWT token
58
- * Returns 401 if token is missing or invalid
59
- */
60
- export declare const requireAuth: MiddlewareHandler<HonoEnv>;
61
- /**
62
- * Factory that creates a requireAuth middleware with optional service key support.
63
- *
64
- * When `serviceKey` is provided, the middleware will check if the Bearer token
65
- * matches the service key using constant-time comparison. If it matches, the
66
- * request is authenticated as a service user with admin privileges.
67
- *
68
- * This allows admin routes (which use standalone requireAuth + requireAdmin)
69
- * to be accessed via service keys for scripts and server-to-server calls.
70
- */
71
- export declare function createRequireAuth(options?: {
72
- serviceKey?: string;
73
- }): MiddlewareHandler<HonoEnv>;
74
- /**
75
- * Middleware that requires the user to have an admin or schema-admin role.
76
- * Must be used AFTER requireAuth or on a route where user is guaranteed.
77
- */
78
- export declare const requireAdmin: MiddlewareHandler<HonoEnv>;
79
- /**
80
- * Middleware that optionally extracts user from JWT
81
- * Does not return 401 if token is missing - allows anonymous access
82
- */
83
- export declare const optionalAuth: MiddlewareHandler<HonoEnv>;
84
- /**
85
- * Extract user from token - for WebSocket authentication
86
- */
87
- export declare function extractUserFromToken(token: string): AccessTokenPayload | null;
88
- /**
89
- * Create a configurable auth middleware that handles:
90
- * 1. Token extraction (via custom validator or JWT Bearer token)
91
- * 2. RLS-scoped DataDriver via withAuth()
92
- * 3. Enforcement (401 when requireAuth is true and no user)
93
- *
94
- * **Secure by default:** `requireAuth` defaults to `true`. Anonymous
95
- * access is only allowed when the developer explicitly opts out by
96
- * setting `requireAuth: false`, indicating that Postgres RLS policies
97
- * fully control access.
98
- *
99
- * **Fail-closed:** The raw unscoped driver is never placed in the
100
- * request context. Every code path either scopes via `withAuth()` or
101
- * rejects the request. This prevents silent RLS bypass.
102
- *
103
- * This is the single source of truth for HTTP auth in Rebase.
104
- * Use this instead of manually parsing tokens in route handlers.
105
- */
106
- export declare function createAuthMiddleware(options: AuthMiddlewareOptions): MiddlewareHandler<HonoEnv>;
@@ -1,22 +0,0 @@
1
- export interface PasswordValidationResult {
2
- valid: boolean;
3
- errors: string[];
4
- }
5
- /**
6
- * Password requirements:
7
- * - Minimum 8 characters
8
- * - At least 1 uppercase letter
9
- * - At least 1 lowercase letter
10
- * - At least 1 number
11
- */
12
- export declare function validatePasswordStrength(password: string): PasswordValidationResult;
13
- /**
14
- * Hash a password using Node's built-in scrypt
15
- * Returns format: salt:hash (both hex encoded)
16
- */
17
- export declare function hashPassword(password: string): Promise<string>;
18
- /**
19
- * Verify a password against a scrypt hash
20
- * Expects format: salt:hash (both hex encoded)
21
- */
22
- export declare function verifyPassword(password: string, storedHash: string): Promise<boolean>;