@revealui/auth 0.2.0 → 0.2.1

package/dist/server/password-reset.d.ts

@@ -12,6 +12,7 @@ export interface PasswordResetResult {
     success: boolean;
     error?: string;
     token?: string;
+    tokenId?: string;
 }
 /**
  * Generates a password reset token for a user
@@ -23,22 +24,32 @@ export declare function generatePasswordResetToken(email: string): Promise<Passw
 /**
  * Validates a password reset token
  *
- * @param token - Reset token (plain text)
+ * Uses O(1) lookup by token ID, then verifies the token hash with timingSafeEqual
+ * against the single matching row.
+ *
+ * @param tokenId - Token row ID (from the reset URL)
+ * @param token - Reset token (plain text, from the reset URL)
  * @returns User ID if valid, null otherwise
  */
-export declare function validatePasswordResetToken(token: string): Promise<string | null>;
+export declare function validatePasswordResetToken(tokenId: string, token: string): Promise<string | null>;
 /**
  * Resets password using a token
  *
- * @param token - Reset token (plain text)
+ * Uses O(1) lookup by token ID, then verifies the token hash.
+ *
+ * @param tokenId - Token row ID (from the reset URL)
+ * @param token - Reset token (plain text, from the reset URL)
  * @param newPassword - New password
  * @returns Success result
  */
-export declare function resetPasswordWithToken(token: string, newPassword: string): Promise<PasswordResetResult>;
+export declare function resetPasswordWithToken(tokenId: string, token: string, newPassword: string): Promise<PasswordResetResult>;
 /**
  * Invalidates a password reset token
  *
- * @param token - Reset token (plain text)
+ * Uses O(1) lookup by token ID, then verifies the token hash before marking as used.
+ *
+ * @param tokenId - Token row ID (from the reset URL)
+ * @param token - Reset token (plain text, from the reset URL)
  */
-export declare function invalidatePasswordResetToken(token: string): Promise<void>;
+export declare function invalidatePasswordResetToken(tokenId: string, token: string): Promise<void>;
 //# sourceMappingURL=password-reset.d.ts.map

package/dist/server/password-reset.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"password-reset.d.ts","sourceRoot":"","sources":["../../src/server/password-reset.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,IAAI,CAAA;CAChB;AAED,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAA;IAChB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAuBD;;;;;GAKG;AACH,wBAAsB,0BAA0B,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC,CA4D5F;AAED;;;;;GAKG;AACH,wBAAsB,0BAA0B,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAgCtF;AAED;;;;;;GAMG;AACH,wBAAsB,sBAAsB,CAC1C,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,mBAAmB,CAAC,CA6D9B;AAED;;;;GAIG;AACH,wBAAsB,4BAA4B,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA0B/E"}
+{"version":3,"file":"password-reset.d.ts","sourceRoot":"","sources":["../../src/server/password-reset.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,IAAI,CAAA;CAChB;AAED,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAA;IAChB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB;AAuBD;;;;;GAKG;AACH,wBAAsB,0BAA0B,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAqE5F;AAED;;;;;;;;;GASG;AACH,wBAAsB,0BAA0B,CAC9C,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAqCxB;AAED;;;;;;;;;GASG;AACH,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,mBAAmB,CAAC,CA4E9B;AAED;;;;;;;GAOG;AACH,wBAAsB,4BAA4B,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAqChG"}

package/dist/server/password-reset.js

@@ -7,10 +7,10 @@
 import crypto from 'node:crypto';
 import { logger } from '@revealui/core/observability/logger';
 import { getClient } from '@revealui/db/client';
-import { passwordResetTokens, users } from '@revealui/db/schema';
+import { passwordResetTokens, sessions, users } from '@revealui/db/schema';
 import bcrypt from 'bcryptjs';
 import { and, eq, gt, isNull } from 'drizzle-orm';
-const TOKEN_EXPIRY_MS = 60 * 60 * 1000; // 1 hour
+const TOKEN_EXPIRY_MS = 15 * 60 * 1000; // 15 minutes
 /**
  * Hash a token using HMAC-SHA256 with a per-token salt.
  * The salt is stored in the DB alongside the hash; this defeats rainbow
@@ -46,6 +46,13 @@ export async function generatePasswordResetToken(email) {
                 token: crypto.randomBytes(32).toString('hex'),
             };
         }
+        // Invalidate any existing unused reset tokens for this user before creating a new one.
+        // This limits active tokens to one per user, preventing table accumulation that would
+        // slow the time-bounded full-table scan in validatePasswordResetToken.
+        await db
+            .update(passwordResetTokens)
+            .set({ usedAt: new Date() })
+            .where(and(eq(passwordResetTokens.userId, user.id), isNull(passwordResetTokens.usedAt)));
         // Generate secure token with per-token salt
         const token = crypto.randomBytes(32).toString('hex');
         const tokenSalt = generateSalt();
@@ -63,6 +70,7 @@ export async function generatePasswordResetToken(email) {
         return {
             success: true,
             token,
+            tokenId: id,
         };
     }
     catch (error) {
@@ -86,29 +94,31 @@ export async function generatePasswordResetToken(email) {
 /**
  * Validates a password reset token
  *
- * @param token - Reset token (plain text)
+ * Uses O(1) lookup by token ID, then verifies the token hash with timingSafeEqual
+ * against the single matching row.
+ *
+ * @param tokenId - Token row ID (from the reset URL)
+ * @param token - Reset token (plain text, from the reset URL)
  * @returns User ID if valid, null otherwise
  */
-export async function validatePasswordResetToken(token) {
+export async function validatePasswordResetToken(tokenId, token) {
     try {
         const db = getClient();
-        // We cannot look up by hash directly without the salt.
-        // Strategy: find unexpired unused tokens for any user, then verify via HMAC.
-        // To avoid full-table scans we include a time filter. In practice, there are
-        // very few active reset tokens at any given moment.
-        //
-        // A common alternative is to encode the token ID in the reset URL (e.g.,
-        // /reset?id=<uuid>&token=<token>), but this requires a URL format change.
-        // For now we do a time-bounded scan — acceptable at low token volume.
-        const candidates = await db
+        // O(1) lookup by primary key, filtered to unexpired and unused tokens
+        const [entry] = await db
             .select()
             .from(passwordResetTokens)
-            .where(and(gt(passwordResetTokens.expiresAt, new Date()), isNull(passwordResetTokens.usedAt)));
-        for (const entry of candidates) {
-            const expectedHash = hashToken(token, entry.tokenSalt);
-            if (expectedHash === entry.tokenHash) {
-                return entry.userId;
-            }
+            .where(and(eq(passwordResetTokens.id, tokenId), gt(passwordResetTokens.expiresAt, new Date()), isNull(passwordResetTokens.usedAt)))
+            .limit(1);
+        if (!entry) {
+            return null;
+        }
+        // Verify the token hash using timing-safe comparison
+        const expectedHash = hashToken(token, entry.tokenSalt);
+        const expectedBuf = Buffer.from(expectedHash);
+        const actualBuf = Buffer.from(entry.tokenHash);
+        if (expectedBuf.length === actualBuf.length && crypto.timingSafeEqual(expectedBuf, actualBuf)) {
+            return entry.userId;
         }
         return null;
     }
@@ -120,32 +130,38 @@ export async function validatePasswordResetToken(token) {
 /**
  * Resets password using a token
  *
- * @param token - Reset token (plain text)
+ * Uses O(1) lookup by token ID, then verifies the token hash.
+ *
+ * @param tokenId - Token row ID (from the reset URL)
+ * @param token - Reset token (plain text, from the reset URL)
  * @param newPassword - New password
  * @returns Success result
  */
-export async function resetPasswordWithToken(token, newPassword) {
+export async function resetPasswordWithToken(tokenId, token, newPassword) {
     try {
         const db = getClient();
-        // Find valid token by HMAC verification (same time-bounded scan as validatePasswordResetToken)
-        const candidates = await db
+        // O(1) lookup by primary key, filtered to unexpired and unused tokens
+        const [entry] = await db
             .select()
             .from(passwordResetTokens)
-            .where(and(gt(passwordResetTokens.expiresAt, new Date()), isNull(passwordResetTokens.usedAt)));
-        let entry;
-        for (const candidate of candidates) {
-            const expectedHash = hashToken(token, candidate.tokenSalt);
-            if (expectedHash === candidate.tokenHash) {
-                entry = candidate;
-                break;
-            }
-        }
+            .where(and(eq(passwordResetTokens.id, tokenId), gt(passwordResetTokens.expiresAt, new Date()), isNull(passwordResetTokens.usedAt)))
+            .limit(1);
         if (!entry) {
             return {
                 success: false,
                 error: 'Invalid or expired reset token',
             };
         }
+        // Verify the token hash using timing-safe comparison
+        const expectedHash = hashToken(token, entry.tokenSalt);
+        const expectedBuf = Buffer.from(expectedHash);
+        const actualBuf = Buffer.from(entry.tokenHash);
+        if (!(expectedBuf.length === actualBuf.length && crypto.timingSafeEqual(expectedBuf, actualBuf))) {
+            return {
+                success: false,
+                error: 'Invalid or expired reset token',
+            };
+        }
         // Validate password strength
         const { validatePasswordStrength } = await import('./password-validation.js');
         const passwordValidation = validatePasswordStrength(newPassword);
@@ -159,6 +175,9 @@ export async function resetPasswordWithToken(token, newPassword) {
         const password = await bcrypt.hash(newPassword, 12);
         // Update user password
         await db.update(users).set({ password }).where(eq(users.id, entry.userId));
+        // Invalidate all existing sessions for this user so any attacker who had
+        // a compromised session can no longer use it after the password change.
+        await db.delete(sessions).where(eq(sessions.userId, entry.userId));
         // Mark token as used (single-use enforcement)
         await db
             .update(passwordResetTokens)
@@ -179,25 +198,32 @@ export async function resetPasswordWithToken(token, newPassword) {
 /**
  * Invalidates a password reset token
  *
- * @param token - Reset token (plain text)
+ * Uses O(1) lookup by token ID, then verifies the token hash before marking as used.
+ *
+ * @param tokenId - Token row ID (from the reset URL)
+ * @param token - Reset token (plain text, from the reset URL)
  */
-export async function invalidatePasswordResetToken(token) {
+export async function invalidatePasswordResetToken(tokenId, token) {
     try {
         const db = getClient();
-        // Find the token entry by HMAC verification (time-bounded scan)
-        const candidates = await db
+        // O(1) lookup by primary key
+        const [entry] = await db
             .select()
             .from(passwordResetTokens)
-            .where(and(gt(passwordResetTokens.expiresAt, new Date()), isNull(passwordResetTokens.usedAt)));
-        for (const candidate of candidates) {
-            const expectedHash = hashToken(token, candidate.tokenSalt);
-            if (expectedHash === candidate.tokenHash) {
-                await db
-                    .update(passwordResetTokens)
-                    .set({ usedAt: new Date() })
-                    .where(eq(passwordResetTokens.id, candidate.id));
-                break;
-            }
+            .where(and(eq(passwordResetTokens.id, tokenId), gt(passwordResetTokens.expiresAt, new Date()), isNull(passwordResetTokens.usedAt)))
+            .limit(1);
+        if (!entry) {
+            return;
+        }
+        // Verify the token hash before invalidating
+        const expectedHash = hashToken(token, entry.tokenSalt);
+        const expectedBuf = Buffer.from(expectedHash);
+        const actualBuf = Buffer.from(entry.tokenHash);
+        if (expectedBuf.length === actualBuf.length && crypto.timingSafeEqual(expectedBuf, actualBuf)) {
+            await db
+                .update(passwordResetTokens)
+                .set({ usedAt: new Date() })
+                .where(eq(passwordResetTokens.id, entry.id));
         }
     }
     catch (error) {

package/dist/server/providers/github.d.ts

@@ -0,0 +1,14 @@
+/**
+ * GitHub OAuth Provider
+ *
+ * Uses native fetch — no additional npm dependencies.
+ * Scopes: read:user user:email
+ *
+ * Note: GitHub may return null email if user has set it private.
+ * In that case we fetch from /user/emails and pick the primary verified one.
+ */
+import type { ProviderUser } from '../oauth.js';
+export declare function buildAuthUrl(clientId: string, redirectUri: string, state: string): string;
+export declare function exchangeCode(code: string, redirectUri: string): Promise<string>;
+export declare function fetchUser(accessToken: string): Promise<ProviderUser>;
+//# sourceMappingURL=github.d.ts.map

package/dist/server/providers/github.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"github.d.ts","sourceRoot":"","sources":["../../../src/server/providers/github.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAE/C,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAOzF;AAED,wBAAsB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CA4BrF;AAED,wBAAsB,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CA2C1E"}

package/dist/server/providers/github.js

@@ -0,0 +1,73 @@
+/**
+ * GitHub OAuth Provider
+ *
+ * Uses native fetch — no additional npm dependencies.
+ * Scopes: read:user user:email
+ *
+ * Note: GitHub may return null email if user has set it private.
+ * In that case we fetch from /user/emails and pick the primary verified one.
+ */
+export function buildAuthUrl(clientId, redirectUri, state) {
+    const url = new URL('https://github.com/login/oauth/authorize');
+    url.searchParams.set('client_id', clientId);
+    url.searchParams.set('redirect_uri', redirectUri);
+    url.searchParams.set('scope', 'read:user user:email');
+    url.searchParams.set('state', state);
+    return url.toString();
+}
+export async function exchangeCode(code, redirectUri) {
+    const response = await fetch('https://github.com/login/oauth/access_token', {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            // biome-ignore lint/style/useNamingConvention: HTTP header names are case-sensitive per RFC 7230
+            Accept: 'application/json',
+        },
+        body: new URLSearchParams({
+            code,
+            client_id: process.env.GITHUB_CLIENT_ID ?? '',
+            client_secret: process.env.GITHUB_CLIENT_SECRET ?? '',
+            redirect_uri: redirectUri,
+        }),
+    });
+    if (!response.ok) {
+        throw new Error(`GitHub token exchange failed: ${response.status}`);
+    }
+    const data = (await response.json());
+    if (data.error) {
+        throw new Error(`GitHub token exchange error: ${data.error}`);
+    }
+    if (!data.access_token || typeof data.access_token !== 'string') {
+        throw new Error('GitHub token exchange returned no access_token');
+    }
+    return data.access_token;
+}
+export async function fetchUser(accessToken) {
+    const headers = {
+        // biome-ignore lint/style/useNamingConvention: HTTP header names are case-sensitive per RFC 7230
+        Authorization: `Bearer ${accessToken}`,
+        // biome-ignore lint/style/useNamingConvention: HTTP header names are case-sensitive per RFC 7230
+        Accept: 'application/vnd.github+json',
+    };
+    const userResponse = await fetch('https://api.github.com/user', { headers });
+    if (!userResponse.ok) {
+        throw new Error(`GitHub user fetch failed: ${userResponse.status}`);
+    }
+    const user = (await userResponse.json());
+    let email = user.email ?? null;
+    // Fetch emails if not public
+    if (!email) {
+        const emailsResponse = await fetch('https://api.github.com/user/emails', { headers });
+        if (emailsResponse.ok) {
+            const emails = (await emailsResponse.json());
+            const primary = emails.find((e) => e.primary && e.verified);
+            email = primary?.email ?? null;
+        }
+    }
+    return {
+        id: String(user.id),
+        email,
+        name: user.name ?? user.login,
+        avatarUrl: user.avatar_url ?? null,
+    };
+}

package/dist/server/providers/google.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Google OAuth 2.0 Provider
+ *
+ * Uses native fetch — no additional npm dependencies.
+ * Scopes: openid email profile
+ */
+import type { ProviderUser } from '../oauth.js';
+export declare function buildAuthUrl(clientId: string, redirectUri: string, state: string): string;
+export declare function exchangeCode(code: string, redirectUri: string): Promise<string>;
+export declare function fetchUser(accessToken: string): Promise<ProviderUser>;
+//# sourceMappingURL=google.d.ts.map

package/dist/server/providers/google.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"google.d.ts","sourceRoot":"","sources":["../../../src/server/providers/google.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAE/C,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CASzF;AAED,wBAAsB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAsBrF;AAED,wBAAsB,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAuB1E"}

package/dist/server/providers/google.js

@@ -0,0 +1,53 @@
+/**
+ * Google OAuth 2.0 Provider
+ *
+ * Uses native fetch — no additional npm dependencies.
+ * Scopes: openid email profile
+ */
+export function buildAuthUrl(clientId, redirectUri, state) {
+    const url = new URL('https://accounts.google.com/o/oauth2/v2/auth');
+    url.searchParams.set('client_id', clientId);
+    url.searchParams.set('redirect_uri', redirectUri);
+    url.searchParams.set('response_type', 'code');
+    url.searchParams.set('scope', 'openid email profile');
+    url.searchParams.set('state', state);
+    url.searchParams.set('access_type', 'online');
+    return url.toString();
+}
+export async function exchangeCode(code, redirectUri) {
+    const response = await fetch('https://oauth2.googleapis.com/token', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: new URLSearchParams({
+            code,
+            client_id: process.env.GOOGLE_CLIENT_ID ?? '',
+            client_secret: process.env.GOOGLE_CLIENT_SECRET ?? '',
+            redirect_uri: redirectUri,
+            grant_type: 'authorization_code',
+        }),
+    });
+    if (!response.ok) {
+        throw new Error(`Google token exchange failed: ${response.status}`);
+    }
+    const data = (await response.json());
+    if (!data.access_token || typeof data.access_token !== 'string') {
+        throw new Error('Google token exchange returned no access_token');
+    }
+    return data.access_token;
+}
+export async function fetchUser(accessToken) {
+    const response = await fetch('https://openidconnect.googleapis.com/v1/userinfo', {
+        // biome-ignore lint/style/useNamingConvention: HTTP header names are case-sensitive per RFC 7230
+        headers: { Authorization: `Bearer ${accessToken}` },
+    });
+    if (!response.ok) {
+        throw new Error(`Google userinfo fetch failed: ${response.status}`);
+    }
+    const data = (await response.json());
+    return {
+        id: data.sub,
+        email: data.email ?? null,
+        name: data.name ?? 'Google User',
+        avatarUrl: data.picture ?? null,
+    };
+}

package/dist/server/providers/vercel.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Vercel OAuth Provider
+ *
+ * Uses native fetch — no additional npm dependencies.
+ * No scopes required — Vercel uses full access by default.
+ */
+import type { ProviderUser } from '../oauth.js';
+export declare function buildAuthUrl(clientId: string, redirectUri: string, state: string): string;
+export declare function exchangeCode(code: string, redirectUri: string): Promise<string>;
+export declare function fetchUser(accessToken: string): Promise<ProviderUser>;
+//# sourceMappingURL=vercel.d.ts.map

package/dist/server/providers/vercel.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vercel.d.ts","sourceRoot":"","sources":["../../../src/server/providers/vercel.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAE/C,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAMzF;AAED,wBAAsB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAkBrF;AAED,wBAAsB,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CA2B1E"}

package/dist/server/providers/vercel.js

@@ -0,0 +1,47 @@
+/**
+ * Vercel OAuth Provider
+ *
+ * Uses native fetch — no additional npm dependencies.
+ * No scopes required — Vercel uses full access by default.
+ */
+export function buildAuthUrl(clientId, redirectUri, state) {
+    const url = new URL('https://vercel.com/oauth/authorize');
+    url.searchParams.set('client_id', clientId);
+    url.searchParams.set('redirect_uri', redirectUri);
+    url.searchParams.set('state', state);
+    return url.toString();
+}
+export async function exchangeCode(code, redirectUri) {
+    const response = await fetch('https://api.vercel.com/v2/oauth/access_token', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: new URLSearchParams({
+            code,
+            client_id: process.env.VERCEL_CLIENT_ID ?? '',
+            client_secret: process.env.VERCEL_CLIENT_SECRET ?? '',
+            redirect_uri: redirectUri,
+        }),
+    });
+    if (!response.ok) {
+        throw new Error(`Vercel token exchange failed: ${response.status}`);
+    }
+    const data = (await response.json());
+    return data.access_token;
+}
+export async function fetchUser(accessToken) {
+    const response = await fetch('https://api.vercel.com/v2/user', {
+        // biome-ignore lint/style/useNamingConvention: HTTP header names are case-sensitive per RFC 7230
+        headers: { Authorization: `Bearer ${accessToken}` },
+    });
+    if (!response.ok) {
+        throw new Error(`Vercel user fetch failed: ${response.status}`);
+    }
+    const data = (await response.json());
+    const u = data.user;
+    return {
+        id: u.id,
+        email: u.email,
+        name: u.name ?? u.username ?? 'Vercel User',
+        avatarUrl: u.avatar ? `https://avatar.vercel.sh/${u.avatar}` : null,
+    };
+}

package/dist/server/rate-limit.js

@@ -62,17 +62,17 @@ export async function checkRateLimit(key, config = DEFAULT_CONFIG) {
     };
     // Check if blocked
     if (config.blockDurationMs && currentEntry.count >= config.maxAttempts) {
-        const blockUntil = currentEntry.resetAt + (config.blockDurationMs - config.windowMs);
-        if (now < blockUntil) {
-            return {
-                allowed: false,
-                remaining: 0,
-                resetAt: blockUntil,
-            };
-        }
-        // Block expired, reset
-        currentEntry.count = 0;
-        currentEntry.resetAt = now + config.windowMs;
+        const blockUntil = now + config.blockDurationMs;
+        // Extend the storage TTL so the entry outlives the block period.
+        // Without this, the entry expires at resetAt (end of the rate-limit window)
+        // before the block expires, letting the user back in prematurely.
+        const blockTtlSeconds = Math.ceil(config.blockDurationMs / 1000);
+        await storage.set(storageKey, serializeEntry(currentEntry), blockTtlSeconds);
+        return {
+            allowed: false,
+            remaining: 0,
+            resetAt: blockUntil,
+        };
     }
     // Check if within window
     if (currentEntry.count >= config.maxAttempts) {

package/dist/server/session.js

@@ -235,7 +235,7 @@ function extractSessionToken(cookieHeader) {
     if (!sessionCookie) {
         return null;
     }
-    return sessionCookie.substring('revealui-session='.length);
+    return decodeURIComponent(sessionCookie.substring('revealui-session='.length));
 }
 /**
  * Generate a secure random session token

package/dist/server/storage/database.d.ts

@@ -13,5 +13,14 @@ export declare class DatabaseStorage implements Storage {
     del(key: string): Promise<void>;
     incr(key: string): Promise<number>;
     exists(key: string): Promise<boolean>;
+    /**
+     * Atomically read and update a value using a database transaction.
+     * Falls back to non-atomic get-then-set if transactions are unavailable
+     * (e.g., Neon HTTP mode in environments that don't support advisory locks).
+     */
+    atomicUpdate(key: string, updater: (existing: string | null) => {
+        value: string;
+        ttlSeconds: number;
+    }): Promise<void>;
 }
 //# sourceMappingURL=database.d.ts.map

package/dist/server/storage/database.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"database.d.ts","sourceRoot":"","sources":["../../../src/server/storage/database.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAOH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAA;AAE7C,qBAAa,eAAgB,YAAW,OAAO;IAC7C,OAAO,CAAC,EAAE,CAAU;gBAER,gBAAgB,CAAC,EAAE,MAAM;IAkB/B,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAcxC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAsBnE,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI/B,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAOlC,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;CAI5C"}
+{"version":3,"file":"database.d.ts","sourceRoot":"","sources":["../../../src/server/storage/database.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAOH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAA;AAE7C,qBAAa,eAAgB,YAAW,OAAO;IAC7C,OAAO,CAAC,EAAE,CAAU;gBAER,gBAAgB,CAAC,EAAE,MAAM;IAkB/B,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAcxC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAsBnE,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI/B,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAOlC,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAK3C;;;;OAIG;IACG,YAAY,CAChB,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,KAAK;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,GAC1E,OAAO,CAAC,IAAI,CAAC;CAwBjB"}

package/dist/server/storage/database.js

@@ -69,4 +69,34 @@ export class DatabaseStorage {
         const result = await this.get(key);
         return result !== null;
     }
+    /**
+     * Atomically read and update a value using a database transaction.
+     * Falls back to non-atomic get-then-set if transactions are unavailable
+     * (e.g., Neon HTTP mode in environments that don't support advisory locks).
+     */
+    async atomicUpdate(key, updater) {
+        try {
+            await this.db.transaction(async (tx) => {
+                const now = new Date();
+                const result = await tx.query.rateLimits.findFirst({
+                    where: and(eq(rateLimits.key, key), gte(rateLimits.resetAt, now)),
+                });
+                const { value, ttlSeconds } = updater(result?.value ?? null);
+                const resetAt = new Date(Date.now() + ttlSeconds * 1000);
+                await tx
+                    .insert(rateLimits)
+                    .values({ key, value, resetAt })
+                    .onConflictDoUpdate({
+                    target: rateLimits.key,
+                    set: { value, resetAt, updatedAt: new Date() },
+                });
+            });
+        }
+        catch {
+            // Transaction not supported (e.g., Neon HTTP serverless) — fall back to non-atomic
+            const existing = await this.get(key);
+            const { value, ttlSeconds } = updater(existing);
+            await this.set(key, value, ttlSeconds);
+        }
+    }
 }

package/dist/server/storage/in-memory.d.ts

@@ -12,6 +12,10 @@ export declare class InMemoryStorage implements Storage {
     del(key: string): Promise<void>;
     incr(key: string): Promise<number>;
     exists(key: string): Promise<boolean>;
+    atomicUpdate(key: string, updater: (existing: string | null) => {
+        value: string;
+        ttlSeconds: number;
+    }): Promise<void>;
     /**
      * Clean up expired entries (should be called periodically)
      */

package/dist/server/storage/in-memory.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"in-memory.d.ts","sourceRoot":"","sources":["../../../src/server/storage/in-memory.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAA;AAO7C,qBAAa,eAAgB,YAAW,OAAO;IAC7C,OAAO,CAAC,KAAK,CAAuC;IAG9C,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAiBxC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAUnE,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI/B,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAQlC,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAgB3C;;OAEG;IACH,OAAO,IAAI,IAAI;IASf;;OAEG;IACH,KAAK,IAAI,IAAI;CAGd"}
+{"version":3,"file":"in-memory.d.ts","sourceRoot":"","sources":["../../../src/server/storage/in-memory.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAA;AAO7C,qBAAa,eAAgB,YAAW,OAAO;IAC7C,OAAO,CAAC,KAAK,CAAuC;IAG9C,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAiBxC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAUnE,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI/B,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAQlC,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAiBrC,YAAY,CAChB,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,KAAK;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,GAC1E,OAAO,CAAC,IAAI,CAAC;IAUhB;;OAEG;IACH,OAAO,IAAI,IAAI;IASf;;OAEG;IACH,KAAK,IAAI,IAAI;CAGd"}

package/dist/server/storage/in-memory.js

@@ -50,6 +50,16 @@ export class InMemoryStorage {
         }
         return true;
     }
+    // eslint-disable-next-line @typescript-eslint/require-await
+    async atomicUpdate(key, updater) {
+        // Read synchronously from the Map to avoid yielding to the event loop between
+        // read and write (JavaScript is single-threaded; no I/O = no interleaving).
+        const now = Date.now();
+        const entry = this.store.get(key);
+        const existing = entry && (!entry.expiresAt || entry.expiresAt >= now) ? entry.value : null;
+        const { value, ttlSeconds } = updater(existing);
+        this.store.set(key, { value, expiresAt: now + ttlSeconds * 1000 });
+    }
     /**
      * Clean up expired entries (should be called periodically)
      */

package/dist/server/storage/interface.d.ts

@@ -32,5 +32,15 @@ export interface Storage {
      * Set multiple key-value pairs
      */
     mset?(pairs: Array<[string, string]>, ttlSeconds?: number): Promise<void>;
+    /**
+     * Atomically read and update a value.
+     * The updater receives the current value (or null) and returns the new value + TTL.
+     * Implementations that support DB transactions should do so; others fall back to
+     * a non-atomic get-then-set, which is safe for low-concurrency scenarios.
+     */
+    atomicUpdate?(key: string, updater: (existing: string | null) => {
+        value: string;
+        ttlSeconds: number;
+    }): Promise<void>;
 }
 //# sourceMappingURL=interface.d.ts.map

package/dist/server/storage/interface.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"interface.d.ts","sourceRoot":"","sources":["../../../src/server/storage/interface.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,WAAW,OAAO;IACtB;;OAEG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAA;IAExC;;OAEG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAEnE;;OAEG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAE/B;;OAEG;IACH,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;IAElC;;OAEG;IACH,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;IAErC;;OAEG;IACH,IAAI,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,CAAC,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,CAAA;IAEjD;;OAEG;IACH,IAAI,CAAC,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CAC1E"}
+{"version":3,"file":"interface.d.ts","sourceRoot":"","sources":["../../../src/server/storage/interface.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,WAAW,OAAO;IACtB;;OAEG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAA;IAExC;;OAEG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAEnE;;OAEG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAE/B;;OAEG;IACH,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;IAElC;;OAEG;IACH,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;IAErC;;OAEG;IACH,IAAI,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,CAAC,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,CAAA;IAEjD;;OAEG;IACH,IAAI,CAAC,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAEzE;;;;;OAKG;IACH,YAAY,CAAC,CACX,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,KAAK;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,GAC1E,OAAO,CAAC,IAAI,CAAC,CAAA;CACjB"}

package/dist/types.d.ts

@@ -22,6 +22,9 @@ export interface User {
     agentModel: string | null;
     agentCapabilities: string[] | null;
     agentConfig: unknown;
+    emailVerified: boolean;
+    emailVerificationToken: string | null;
+    emailVerifiedAt: Date | null;
     preferences: unknown;
     createdAt: Date;
     updatedAt: Date;