@revealui/auth 0.2.0 → 0.3.0

package/dist/react/usePasskey.js

@@ -0,0 +1,203 @@
+/**
+ * Passkey Hooks
+ *
+ * React hooks for WebAuthn passkey registration and authentication.
+ * Uses dynamic imports for @simplewebauthn/browser to avoid SSR issues.
+ */
+'use client';
+import { useEffect, useState } from 'react';
+/**
+ * Hook for passkey registration (sign-up and security settings).
+ *
+ * @returns Register function, loading state, error, and browser support flag
+ *
+ * @example
+ * ```tsx
+ * function AddPasskey() {
+ *   const { register, isLoading, error, supported } = usePasskeyRegister();
+ *
+ *   if (!supported) return <p>Passkeys are not supported in this browser.</p>;
+ *
+ *   const handleAdd = async () => {
+ *     const result = await register({ deviceName: 'My Laptop' });
+ *     if (result) {
+ *       // Passkey registered successfully
+ *     }
+ *   };
+ * }
+ * ```
+ */
+export function usePasskeyRegister() {
+    const [isLoading, setIsLoading] = useState(false);
+    const [error, setError] = useState(null);
+    const [supported, setSupported] = useState(false);
+    useEffect(() => {
+        setSupported(!!window.PublicKeyCredential);
+    }, []);
+    const register = async (options) => {
+        if (!supported) {
+            setError('Passkeys are not supported in this browser');
+            return null;
+        }
+        try {
+            setIsLoading(true);
+            setError(null);
+            // Step 1: Get registration options from the server
+            const optionsResponse = await fetch('/api/auth/passkey/register-options', {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                credentials: 'include',
+                body: JSON.stringify({
+                    email: options?.email,
+                    name: options?.name,
+                }),
+            });
+            const optionsJson = await optionsResponse.json();
+            if (!optionsResponse.ok) {
+                const errorData = optionsJson;
+                setError(errorData.error ?? 'Failed to get registration options');
+                return null;
+            }
+            // Step 2: Start browser WebAuthn registration ceremony
+            // Server wraps options: { options: { challenge, ... } }
+            // @simplewebauthn/browser v13+ expects { optionsJSON: ... }
+            const { startRegistration } = await import('@simplewebauthn/browser');
+            const optionsData = optionsJson;
+            const attestationResponse = await startRegistration({ optionsJSON: optionsData.options });
+            // Step 3: Verify with the server
+            const verifyResponse = await fetch('/api/auth/passkey/register-verify', {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                credentials: 'include',
+                body: JSON.stringify({
+                    attestationResponse,
+                    deviceName: options?.deviceName,
+                }),
+            });
+            const verifyJson = await verifyResponse.json();
+            if (!verifyResponse.ok) {
+                const errorData = verifyJson;
+                setError(errorData.error ?? 'Failed to verify passkey registration');
+                return null;
+            }
+            const result = verifyJson;
+            return result;
+        }
+        catch (err) {
+            // Handle user cancellation of the WebAuthn ceremony
+            if (err instanceof DOMException && err.name === 'NotAllowedError') {
+                setError('Passkey registration was cancelled');
+                return null;
+            }
+            const message = err instanceof Error ? err.message : String(err);
+            setError(message);
+            return null;
+        }
+        finally {
+            setIsLoading(false);
+        }
+    };
+    return {
+        register,
+        isLoading,
+        error,
+        supported,
+    };
+}
+/**
+ * Hook for passkey authentication (login page).
+ *
+ * @returns Sign-in function, loading state, error, and browser support flag
+ *
+ * @example
+ * ```tsx
+ * function LoginPage() {
+ *   const { signIn, isLoading, error, supported } = usePasskeySignIn();
+ *
+ *   const handlePasskeyLogin = async () => {
+ *     const success = await signIn();
+ *     if (success) {
+ *       router.push('/admin');
+ *     }
+ *   };
+ *
+ *   return (
+ *     <>
+ *       {supported && (
+ *         <button onClick={handlePasskeyLogin} disabled={isLoading}>
+ *           Sign in with Passkey
+ *         </button>
+ *       )}
+ *       {error && <p>{error}</p>}
+ *     </>
+ *   );
+ * }
+ * ```
+ */
+export function usePasskeySignIn() {
+    const [isLoading, setIsLoading] = useState(false);
+    const [error, setError] = useState(null);
+    const [supported, setSupported] = useState(false);
+    useEffect(() => {
+        setSupported(!!window.PublicKeyCredential);
+    }, []);
+    const signIn = async () => {
+        if (!supported) {
+            setError('Passkeys are not supported in this browser');
+            return false;
+        }
+        try {
+            setIsLoading(true);
+            setError(null);
+            // Step 1: Get authentication options from the server
+            const optionsResponse = await fetch('/api/auth/passkey/authenticate-options', {
+                method: 'POST',
+                credentials: 'include',
+            });
+            const optionsJson = await optionsResponse.json();
+            if (!optionsResponse.ok) {
+                const errorData = optionsJson;
+                setError(errorData.error ?? 'Failed to get authentication options');
+                return false;
+            }
+            // Step 2: Start browser WebAuthn authentication ceremony
+            // @simplewebauthn/browser v13+ expects { optionsJSON: ... }
+            const { startAuthentication } = await import('@simplewebauthn/browser');
+            const authOptionsData = optionsJson;
+            const assertionResponse = await startAuthentication({ optionsJSON: authOptionsData.options });
+            // Step 3: Verify with the server
+            const verifyResponse = await fetch('/api/auth/passkey/authenticate-verify', {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                credentials: 'include',
+                body: JSON.stringify({ authenticationResponse: assertionResponse }),
+            });
+            const verifyJson = await verifyResponse.json();
+            if (!verifyResponse.ok) {
+                const errorData = verifyJson;
+                setError(errorData.error ?? 'Passkey authentication failed');
+                return false;
+            }
+            return true;
+        }
+        catch (err) {
+            // Handle user cancellation of the WebAuthn ceremony
+            if (err instanceof DOMException && err.name === 'NotAllowedError') {
+                setError('Passkey authentication was cancelled');
+                return false;
+            }
+            const message = err instanceof Error ? err.message : String(err);
+            setError(message);
+            return false;
+        }
+        finally {
+            setIsLoading(false);
+        }
+    };
+    return {
+        signIn,
+        isLoading,
+        error,
+        supported,
+    };
+}

package/dist/react/useSession.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"useSession.d.ts","sourceRoot":"","sources":["../../src/react/useSession.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AAmB9C,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,WAAW,GAAG,IAAI,CAAA;IACxB,SAAS,EAAE,OAAO,CAAA;IAClB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAA;IACnB,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;CAC7B;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,UAAU,IAAI,gBAAgB,CA6D7C"}
+{"version":3,"file":"useSession.d.ts","sourceRoot":"","sources":["../../src/react/useSession.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAiC/C,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,WAAW,GAAG,IAAI,CAAC;IACzB,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9B;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,UAAU,IAAI,gBAAgB,CA2D7C"}

package/dist/react/useSession.js

@@ -7,7 +7,10 @@
 'use client';
 import { useCallback, useEffect, useRef, useState } from 'react';
 import { z } from 'zod/v4';
-// Validation schema for session response - uses passthrough to allow all User properties
+// Zod validates the required fields; .passthrough() preserves the rest.
+// The API returns JSON-serialized session/user objects (Dates as ISO strings).
+// z.infer output has an index signature incompatible with the concrete
+// AuthSession interface, so we convert via the helper below.
 const AuthSessionSchema = z.object({
     session: z
         .object({
@@ -21,8 +24,18 @@ const AuthSessionSchema = z.object({
         email: z.string(),
         name: z.string().nullable().optional(),
     })
-        .passthrough(), // Allow all other User properties
+        .passthrough(),
 });
+/**
+ * Narrow Zod-validated API response data to AuthSession.
+ *
+ * The cast is safe because: (1) Zod verified the required fields on both
+ * session and user, (2) .passthrough() preserves all other properties, and
+ * (3) the API serializes full Session + User rows (Dates become ISO strings).
+ */
+function toAuthSession(validated) {
+    return validated;
+}
 /**
  * Hook to get the current session
  *
@@ -66,9 +79,7 @@ export function useSession() {
             }
             const json = await response.json();
             const validated = AuthSessionSchema.parse(json);
-            // Type assertion through unknown is safe because Zod validation ensures the shape is correct
-            // The API returns serialized data (Dates as strings), so we cast to expected type
-            setData(validated);
+            setData(toAuthSession(validated));
         }
         catch (err) {
             if (err instanceof DOMException && err.name === 'AbortError') {

package/dist/react/useSignIn.d.ts

@@ -10,9 +10,15 @@ export interface SignInInput {
 }
 export interface UseSignInResult {
     signIn: (input: SignInInput) => Promise<{
-        success: boolean;
-        user?: User;
-        error?: string;
+        success: true;
+        user: User;
+    } | {
+        success: false;
+        error: string;
+    } | {
+        success: false;
+        requiresMfa: true;
+        mfaUserId: string;
     }>;
     isLoading: boolean;
     error: Error | null;

package/dist/react/useSignIn.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"useSignIn.d.ts","sourceRoot":"","sources":["../../src/react/useSignIn.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,aAAa,CAAA;AAiBvC,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAA;IACb,QAAQ,EAAE,MAAM,CAAA;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,IAAI,CAAC,EAAE,IAAI,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IAC1F,SAAS,EAAE,OAAO,CAAA;IAClB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAA;CACpB;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,SAAS,IAAI,eAAe,CA8D3C"}
+{"version":3,"file":"useSignIn.d.ts","sourceRoot":"","sources":["../../src/react/useSignIn.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AAkCxC,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,CACN,KAAK,EAAE,WAAW,KACf,OAAO,CACR;QAAE,OAAO,EAAE,IAAI,CAAC;QAAC,IAAI,EAAE,IAAI,CAAA;KAAE,GAC7B;QAAE,OAAO,EAAE,KAAK,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GACjC;QAAE,OAAO,EAAE,KAAK,CAAC;QAAC,WAAW,EAAE,IAAI,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAC3D,CAAC;IACF,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;CACrB;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,SAAS,IAAI,eAAe,CAsE3C"}

package/dist/react/useSignIn.js

@@ -6,18 +6,33 @@
 'use client';
 import { useCallback, useRef, useState } from 'react';
 import { z } from 'zod/v4';
+// Zod validates the required fields; .passthrough() preserves the rest.
+// The API returns JSON-serialized User objects (Dates as ISO strings).
+// z.infer output has an index signature incompatible with the concrete User
+// interface, so we extract the validated user via the helper below.
+const SignInUserSchema = z
+    .object({
+    id: z.string(),
+    email: z.string(),
+    name: z.string().nullable().optional(),
+})
+    .passthrough();
+/**
+ * Narrow Zod-validated API response data to User.
+ *
+ * The cast is safe because: (1) Zod verified the required fields (id, email),
+ * (2) .passthrough() preserves all other properties from the API response,
+ * and (3) the API serializes a full User row (Dates become ISO strings in JSON).
+ */
+function toUser(validated) {
+    return validated;
+}
 // Validation schemas for sign-in response
 const SignInErrorResponseSchema = z.object({
     error: z.string().optional(),
 });
 const SignInSuccessResponseSchema = z.object({
-    user: z
-        .object({
-        id: z.string(),
-        email: z.string(),
-        name: z.string().nullable().optional(),
-    })
-        .passthrough(), // Allow all other User properties
+    user: SignInUserSchema,
 });
 /**
  * Hook to sign in a user
@@ -68,12 +83,19 @@ export function useSignIn() {
                     error: errorData.error || 'Failed to sign in',
                 };
             }
+            // Check for MFA challenge before parsing as full success
+            const jsonObj = json;
+            if (jsonObj.requiresMfa === true && typeof jsonObj.mfaUserId === 'string') {
+                return {
+                    success: false,
+                    requiresMfa: true,
+                    mfaUserId: jsonObj.mfaUserId,
+                };
+            }
             const successData = SignInSuccessResponseSchema.parse(json);
             return {
                 success: true,
-                // Type assertion through unknown is safe because Zod validation ensures the shape is correct
-                // The API returns serialized data, so we cast to expected type
-                user: successData.user,
+                user: toUser(successData.user),
             };
         }
         catch (err) {

package/dist/react/useSignOut.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"useSignOut.d.ts","sourceRoot":"","sources":["../../src/react/useSignOut.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;IAC5B,SAAS,EAAE,OAAO,CAAA;IAClB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAA;CACpB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,UAAU,IAAI,gBAAgB,CAkC7C"}
+{"version":3,"file":"useSignOut.d.ts","sourceRoot":"","sources":["../../src/react/useSignOut.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7B,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;CACrB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,UAAU,IAAI,gBAAgB,CAkC7C"}

package/dist/react/useSignUp.d.ts

@@ -8,6 +8,7 @@ export interface SignUpInput {
     email: string;
     password: string;
     name: string;
+    tosAccepted: true;
 }
 export interface UseSignUpResult {
     signUp: (input: SignUpInput) => Promise<{

package/dist/react/useSignUp.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"useSignUp.d.ts","sourceRoot":"","sources":["../../src/react/useSignUp.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,aAAa,CAAA;AAiBvC,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAA;IACb,QAAQ,EAAE,MAAM,CAAA;IAChB,IAAI,EAAE,MAAM,CAAA;CACb;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,IAAI,CAAC,EAAE,IAAI,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IAC1F,SAAS,EAAE,OAAO,CAAA;IAClB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAA;CACpB;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,SAAS,IAAI,eAAe,CAoD3C"}
+{"version":3,"file":"useSignUp.d.ts","sourceRoot":"","sources":["../../src/react/useSignUp.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AAmCxC,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,IAAI,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,IAAI,CAAC,EAAE,IAAI,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC3F,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;CACrB;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,SAAS,IAAI,eAAe,CAoD3C"}

package/dist/react/useSignUp.js

@@ -6,18 +6,34 @@
 'use client';
 import { useState } from 'react';
 import { z } from 'zod/v4';
+// Zod validates the required fields; .passthrough() preserves the rest.
+// The API returns JSON-serialized User objects (Dates as ISO strings).
+// z.infer output has an index signature incompatible with the concrete User
+// interface, so we extract the validated user via the helper below.
+const SignUpUserSchema = z
+    .object({
+    id: z.string(),
+    email: z.string(),
+    name: z.string().nullable().optional(),
+})
+    .passthrough();
+/**
+ * Narrow Zod-validated API response data to User.
+ *
+ * The cast is safe because: (1) Zod verified the required fields (id, email),
+ * (2) .passthrough() preserves all other properties from the API response,
+ * and (3) the API serializes a full User row (Dates become ISO strings in JSON).
+ */
+function toUser(validated) {
+    return validated;
+}
 // Validation schemas for sign-up response
 const SignUpErrorResponseSchema = z.object({
+    message: z.string().optional(),
     error: z.string().optional(),
 });
 const SignUpSuccessResponseSchema = z.object({
-    user: z
-        .object({
-        id: z.string(),
-        email: z.string(),
-        name: z.string().nullable().optional(),
-    })
-        .passthrough(), // Allow all other User properties
+    user: SignUpUserSchema,
 });
 /**
  * Hook to sign up a new user
@@ -59,7 +75,7 @@ export function useSignUp() {
                 const errorData = SignUpErrorResponseSchema.parse(json);
                 return {
                     success: false,
-                    error: errorData.error || 'Failed to sign up',
+                    error: errorData.message || errorData.error || 'Failed to sign up',
                 };
             }
             const successData = SignUpSuccessResponseSchema.parse(json);
@@ -67,7 +83,7 @@ export function useSignUp() {
                 success: true,
                 // Type assertion through unknown is safe because Zod validation ensures the shape is correct
                 // The API returns serialized data, so we cast to expected type
-                user: successData.user,
+                user: toUser(successData.user),
             };
         }
         catch (err) {

package/dist/server/auth.d.ts

@@ -40,5 +40,7 @@ export declare function isSignupAllowed(email: string): boolean;
 export declare function signUp(email: string, password: string, name: string, options?: {
     userAgent?: string;
     ipAddress?: string;
+    tosAcceptedAt?: Date;
+    tosVersion?: string;
 }): Promise<SignUpResult>;
 //# sourceMappingURL=auth.d.ts.map

package/dist/server/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAOH,OAAO,KAAK,EAAE,YAAY,EAAE,YAAY,EAAQ,MAAM,aAAa,CAAA;AAMnE;;;;;;;GAOG;AACH,wBAAsB,MAAM,CAC1B,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;IACR,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB,GACA,OAAO,CAAC,YAAY,CAAC,CAwHvB;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAiBtD;AAED;;;;;;;;GAQG;AACH,wBAAsB,MAAM,CAC1B,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE;IACR,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB,GACA,OAAO,CAAC,YAAY,CAAC,CAgIvB"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAQH,OAAO,KAAK,EAAE,YAAY,EAAE,YAAY,EAAQ,MAAM,aAAa,CAAC;AASpE;;;;;;;GAOG;AACH,wBAAsB,MAAM,CAC1B,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;IACR,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,GACA,OAAO,CAAC,YAAY,CAAC,CA2JvB;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAiBtD;AAED;;;;;;;;GAQG;AACH,wBAAsB,MAAM,CAC1B,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE;IACR,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,IAAI,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,GACA,OAAO,CAAC,YAAY,CAAC,CAsLvB"}

package/dist/server/auth.js

@@ -3,15 +3,18 @@
  *
  * Sign in and sign up functionality with password hashing.
  */
+import { createHash, randomBytes } from 'node:crypto';
 import { logger } from '@revealui/core/observability/logger';
 import { getClient } from '@revealui/db/client';
-import { users } from '@revealui/db/schema';
+import { oauthAccounts, users } from '@revealui/db/schema';
 import bcrypt from 'bcryptjs';
-import { eq } from 'drizzle-orm';
+import { and, eq, isNull } from 'drizzle-orm';
 import { clearFailedAttempts, isAccountLocked, recordFailedAttempt } from './brute-force.js';
 import { validatePasswordStrength } from './password-validation.js';
 import { checkRateLimit } from './rate-limit.js';
 import { createSession } from './session.js';
+/** Grace period after signup during which unverified users can still sign in (24 hours) */
+const EMAIL_VERIFICATION_GRACE_PERIOD_MS = 24 * 60 * 60 * 1000;
 /**
  * Sign in with email and password
  *
@@ -28,6 +31,7 @@ export async function signIn(email, password, options) {
         if (!rateLimit.allowed) {
             return {
                 success: false,
+                reason: 'rate_limited',
                 error: 'Too many login attempts. Please try again later.',
             };
         }
@@ -39,6 +43,7 @@ export async function signIn(email, password, options) {
                 : 30;
             return {
                 success: false,
+                reason: 'account_locked',
                 error: `Account locked due to too many failed attempts. Please try again in ${lockMinutes} minutes.`,
             };
         }
@@ -50,19 +55,25 @@ export async function signIn(email, password, options) {
             logger.error('Error getting database client');
             return {
                 success: false,
+                reason: 'database_error',
                 error: 'Database connection failed',
             };
         }
         // Find user by email
         let user;
         try {
-            const result = await db.select().from(users).where(eq(users.email, email)).limit(1);
+            const result = await db
+                .select()
+                .from(users)
+                .where(and(eq(users.email, email), isNull(users.deletedAt)))
+                .limit(1);
             user = result[0];
         }
         catch {
             logger.error('Error querying user');
             return {
                 success: false,
+                reason: 'database_error',
                 error: 'Database error',
             };
         }
@@ -72,6 +83,7 @@ export async function signIn(email, password, options) {
             await recordFailedAttempt(email);
             return {
                 success: false,
+                reason: 'invalid_credentials',
                 error: invalidCredentialsMessage,
             };
         }
@@ -80,6 +92,7 @@ export async function signIn(email, password, options) {
             await recordFailedAttempt(email);
             return {
                 success: false,
+                reason: 'invalid_credentials',
                 error: invalidCredentialsMessage,
             };
         }
@@ -93,6 +106,7 @@ export async function signIn(email, password, options) {
             await recordFailedAttempt(email);
             return {
                 success: false,
+                reason: 'invalid_credentials',
                 error: invalidCredentialsMessage,
             };
         }
@@ -100,11 +114,31 @@ export async function signIn(email, password, options) {
             await recordFailedAttempt(email);
             return {
                 success: false,
+                reason: 'invalid_credentials',
                 error: invalidCredentialsMessage,
             };
         }
         // Successful login - clear failed attempts
         await clearFailedAttempts(email);
+        // Check email verification (with grace period for new accounts)
+        if (!user.emailVerified) {
+            const accountAge = Date.now() - user.createdAt.getTime();
+            if (accountAge > EMAIL_VERIFICATION_GRACE_PERIOD_MS) {
+                return {
+                    success: false,
+                    reason: 'email_not_verified',
+                    error: 'Please verify your email address before signing in.',
+                };
+            }
+        }
+        // Check if MFA is enabled — if so, return early and require TOTP verification
+        if (user.mfaEnabled) {
+            return {
+                success: true,
+                requiresMfa: true,
+                mfaUserId: user.id,
+            };
+        }
         // Create session
         let token;
         try {
@@ -118,6 +152,7 @@ export async function signIn(email, password, options) {
             logger.error('Error creating session');
             return {
                 success: false,
+                reason: 'session_error',
                 error: 'Failed to create session',
             };
         }
@@ -131,6 +166,7 @@ export async function signIn(email, password, options) {
         logger.error('Unexpected error in signIn');
         return {
             success: false,
+            reason: 'unexpected_error',
             error: 'Unexpected error',
         };
     }
@@ -207,7 +243,9 @@ export async function signUp(email, password, name, options) {
                 error: 'Database connection failed',
             };
         }
-        // Check if user already exists
+        // Check if user already exists (by email in users table or OAuth accounts).
+        // Both checks prevent account collision: a password signup must not collide
+        // with an existing OAuth identity for the same email address.
         let existing;
         try {
             const result = await db.select().from(users).where(eq(users.email, email)).limit(1);
@@ -226,6 +264,29 @@ export async function signUp(email, password, name, options) {
                 error: 'Unable to create account',
             };
         }
+        // Block signup if an OAuth account already uses this email.
+        // Without this check, an attacker could create a password account
+        // for an email that was registered via OAuth, enabling account takeover.
+        try {
+            const [existingOAuth] = await db
+                .select({ id: oauthAccounts.id })
+                .from(oauthAccounts)
+                .where(eq(oauthAccounts.providerEmail, email))
+                .limit(1);
+            if (existingOAuth) {
+                return {
+                    success: false,
+                    error: 'Unable to create account',
+                };
+            }
+        }
+        catch {
+            logger.error('Error checking OAuth accounts');
+            return {
+                success: false,
+                error: 'Database error',
+            };
+        }
         // Hash password
         let hashedPassword;
         try {
@@ -238,6 +299,14 @@ export async function signUp(email, password, name, options) {
                 error: 'Failed to process password',
             };
         }
+        // Generate email verification token.
+        // Store the SHA-256 hash in the DB; send the raw token in the email link.
+        // A DB breach cannot be used to verify arbitrary emails without the raw token.
+        const rawEmailVerificationToken = randomBytes(32).toString('hex');
+        const emailVerificationToken = createHash('sha256')
+            .update(rawEmailVerificationToken)
+            .digest('hex');
+        const emailVerificationTokenExpiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000); // 24h
         // Create user
         let user;
         try {
@@ -248,6 +317,11 @@ export async function signUp(email, password, name, options) {
                 email,
                 name,
                 password: hashedPassword,
+                emailVerified: false,
+                emailVerificationToken,
+                emailVerificationTokenExpiresAt,
+                tosAcceptedAt: options?.tosAcceptedAt ?? null,
+                tosVersion: options?.tosVersion ?? null,
             })
                 .returning();
             user = result[0];
@@ -276,14 +350,28 @@ export async function signUp(email, password, name, options) {
         }
         catch {
             logger.error('Error creating session');
+            // Clean up orphaned user so the email isn't permanently locked out.
+            // Without this, a retry would fail with "Unable to create account"
+            // because the user row already exists but has no valid session.
+            try {
+                await db.delete(users).where(eq(users.id, user.id));
+            }
+            catch {
+                logger.error('Failed to clean up orphaned user after session creation failure', undefined, {
+                    userId: user.id,
+                });
+            }
             return {
                 success: false,
                 error: 'Failed to create session',
             };
         }
+        // Return the raw (unhashed) token so the caller can include it in the
+        // verification email link. The DB holds only the hash.
+        const userWithRawToken = { ...user, emailVerificationToken: rawEmailVerificationToken };
         return {
             success: true,
-            user,
+            user: userWithRawToken,
             sessionToken: token,
         };
     }