@revealui/auth 0.2.0 → 0.3.0

package/dist/server/brute-force.d.ts

@@ -2,13 +2,22 @@
  * Brute Force Protection
  *
  * Tracks failed login attempts and locks accounts after threshold.
- * Uses storage abstraction (Redis, database, or in-memory).
+ * Uses storage abstraction (database or in-memory).
  */
 export interface BruteForceConfig {
     maxAttempts: number;
     lockDurationMs: number;
     windowMs: number;
 }
+/**
+ * Override default brute force configuration globally.
+ * Per-call config parameters still take precedence.
+ */
+export declare function configureBruteForce(overrides: Partial<BruteForceConfig>): void;
+/**
+ * Reset brute force configuration to defaults (for testing).
+ */
+export declare function resetBruteForceConfig(): void;
 /**
  * Records a failed login attempt
  *

package/dist/server/brute-force.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"brute-force.d.ts","sourceRoot":"","sources":["../../src/server/brute-force.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAUH,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,MAAM,CAAA;IACnB,cAAc,EAAE,MAAM,CAAA;IACtB,QAAQ,EAAE,MAAM,CAAA;CACjB;AAqCD;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,KAAK,EAAE,MAAM,EACb,MAAM,GAAE,gBAAiC,GACxC,OAAO,CAAC,IAAI,CAAC,CAiCf;AAED;;;;GAIG;AACH,wBAAsB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAItE;AAED;;;;;;GAMG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EACb,MAAM,GAAE,gBAAiC,GACxC,OAAO,CAAC;IAAE,MAAM,EAAE,OAAO,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,iBAAiB,EAAE,MAAM,CAAA;CAAE,CAAC,CA6C7E;AAED;;;;;GAKG;AACH,wBAAsB,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAQ1E"}
+{"version":3,"file":"brute-force.d.ts","sourceRoot":"","sources":["../../src/server/brute-force.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAUH,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAUD;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,OAAO,CAAC,gBAAgB,CAAC,GAAG,IAAI,CAE9E;AAED;;GAEG;AACH,wBAAgB,qBAAqB,IAAI,IAAI,CAE5C;AA+BD;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,KAAK,EAAE,MAAM,EACb,MAAM,GAAE,gBAA+B,GACtC,OAAO,CAAC,IAAI,CAAC,CA0Cf;AAED;;;;GAIG;AACH,wBAAsB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAItE;AAED;;;;;;GAMG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EACb,MAAM,GAAE,gBAA+B,GACtC,OAAO,CAAC;IAAE,MAAM,EAAE,OAAO,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,iBAAiB,EAAE,MAAM,CAAA;CAAE,CAAC,CA6C7E;AAED;;;;;GAKG;AACH,wBAAsB,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAQ1E"}

package/dist/server/brute-force.js

@@ -2,7 +2,7 @@
  * Brute Force Protection
  *
  * Tracks failed login attempts and locks accounts after threshold.
- * Uses storage abstraction (Redis, database, or in-memory).
+ * Uses storage abstraction (database or in-memory).
  */
 import { getStorage } from './storage/index.js';
 const DEFAULT_CONFIG = {
@@ -10,6 +10,20 @@ const DEFAULT_CONFIG = {
     lockDurationMs: 30 * 60 * 1000, // 30 minutes
     windowMs: 15 * 60 * 1000, // 15 minutes
 };
+let globalConfig = { ...DEFAULT_CONFIG };
+/**
+ * Override default brute force configuration globally.
+ * Per-call config parameters still take precedence.
+ */
+export function configureBruteForce(overrides) {
+    globalConfig = { ...DEFAULT_CONFIG, ...overrides };
+}
+/**
+ * Reset brute force configuration to defaults (for testing).
+ */
+export function resetBruteForceConfig() {
+    globalConfig = { ...DEFAULT_CONFIG };
+}
 /**
  * Serialize failed attempt entry
  */
@@ -42,31 +56,40 @@ function getStorageKey(email) {
  * @param email - User email
  * @param config - Brute force configuration
  */
-export async function recordFailedAttempt(email, config = DEFAULT_CONFIG) {
+export async function recordFailedAttempt(email, config = globalConfig) {
     const storage = getStorage();
     const storageKey = getStorageKey(email);
-    const now = Date.now();
-    const entryData = await storage.get(storageKey);
-    const entry = deserializeEntry(entryData) || { count: 0, windowStart: now };
-    // Reset if lock expired
-    if (entry.lockUntil && entry.lockUntil < now) {
-        entry.count = 0;
-        entry.lockUntil = undefined;
-        entry.windowStart = now;
-    }
-    // Reset if window expired
-    if (now - entry.windowStart > config.windowMs) {
-        entry.count = 0;
-        entry.windowStart = now;
+    const updater = (entryData) => {
+        const now = Date.now();
+        const entry = deserializeEntry(entryData) || { count: 0, windowStart: now };
+        // Reset if lock expired
+        if (entry.lockUntil && entry.lockUntil < now) {
+            entry.count = 0;
+            entry.lockUntil = undefined;
+            entry.windowStart = now;
+        }
+        // Reset if window expired
+        if (now - entry.windowStart > config.windowMs) {
+            entry.count = 0;
+            entry.windowStart = now;
+        }
+        entry.count++;
+        // Lock account if threshold reached
+        if (entry.count >= config.maxAttempts) {
+            entry.lockUntil = now + config.lockDurationMs;
+        }
+        const ttlSeconds = Math.ceil(Math.max(config.windowMs, entry.lockUntil ? entry.lockUntil - now : config.windowMs) / 1000);
+        return { value: serializeEntry(entry), ttlSeconds };
+    };
+    if (storage.atomicUpdate) {
+        await storage.atomicUpdate(storageKey, updater);
     }
-    entry.count++;
-    // Lock account if threshold reached
-    if (entry.count >= config.maxAttempts) {
-        entry.lockUntil = now + config.lockDurationMs;
+    else {
+        // Fallback for storage backends that don't support atomic updates
+        const existing = await storage.get(storageKey);
+        const { value, ttlSeconds } = updater(existing);
+        await storage.set(storageKey, value, ttlSeconds);
     }
-    // Store with TTL (window duration or lock duration, whichever is longer)
-    const ttlSeconds = Math.ceil(Math.max(config.windowMs, entry.lockUntil ? entry.lockUntil - now : config.windowMs) / 1000);
-    await storage.set(storageKey, serializeEntry(entry), ttlSeconds);
 }
 /**
  * Clears failed attempts for an email (on successful login)
@@ -85,7 +108,7 @@ export async function clearFailedAttempts(email) {
  * @param config - Brute force configuration
  * @returns Lock status
  */
-export async function isAccountLocked(email, config = DEFAULT_CONFIG) {
+export async function isAccountLocked(email, config = globalConfig) {
     const storage = getStorage();
     const storageKey = getStorageKey(email);
     const now = Date.now();

package/dist/server/errors.d.ts

@@ -21,4 +21,8 @@ export declare class DatabaseError extends AuthError {
 export declare class TokenError extends AuthError {
     constructor(message?: string, statusCode?: number);
 }
+export declare class OAuthAccountConflictError extends AuthError {
+    email: string;
+    constructor(email: string);
+}
 //# sourceMappingURL=errors.d.ts.map

package/dist/server/errors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/server/errors.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,qBAAa,SAAU,SAAQ,KAAK;IAGzB,IAAI,EAAE,MAAM;IACZ,UAAU,EAAE,MAAM;gBAFzB,OAAO,EAAE,MAAM,EACR,IAAI,EAAE,MAAM,EACZ,UAAU,GAAE,MAAY;CAKlC;AAED,qBAAa,YAAa,SAAQ,SAAS;gBAC7B,OAAO,GAAE,MAAwB,EAAE,UAAU,GAAE,MAAY;CAIxE;AAED,qBAAa,mBAAoB,SAAQ,SAAS;gBACpC,OAAO,GAAE,MAAgC,EAAE,UAAU,GAAE,MAAY;CAIhF;AAED,qBAAa,aAAc,SAAQ,SAAS;IACnC,aAAa,CAAC,EAAE,KAAK,CAAA;gBAEhB,OAAO,GAAE,MAAyB,EAAE,aAAa,CAAC,EAAE,OAAO;CAOxE;AAED,qBAAa,UAAW,SAAQ,SAAS;gBAC3B,OAAO,GAAE,MAAsB,EAAE,UAAU,GAAE,MAAY;CAItE"}
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/server/errors.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,qBAAa,SAAU,SAAQ,KAAK;IAGzB,IAAI,EAAE,MAAM;IACZ,UAAU,EAAE,MAAM;gBAFzB,OAAO,EAAE,MAAM,EACR,IAAI,EAAE,MAAM,EACZ,UAAU,GAAE,MAAY;CAKlC;AAED,qBAAa,YAAa,SAAQ,SAAS;gBAC7B,OAAO,GAAE,MAAwB,EAAE,UAAU,GAAE,MAAY;CAIxE;AAED,qBAAa,mBAAoB,SAAQ,SAAS;gBACpC,OAAO,GAAE,MAAgC,EAAE,UAAU,GAAE,MAAY;CAIhF;AAED,qBAAa,aAAc,SAAQ,SAAS;IACnC,aAAa,CAAC,EAAE,KAAK,CAAC;gBAEjB,OAAO,GAAE,MAAyB,EAAE,aAAa,CAAC,EAAE,OAAO;CAOxE;AAED,qBAAa,UAAW,SAAQ,SAAS;gBAC3B,OAAO,GAAE,MAAsB,EAAE,UAAU,GAAE,MAAY;CAItE;AAED,qBAAa,yBAA0B,SAAQ,SAAS;IAC/C,KAAK,EAAE,MAAM,CAAC;gBAET,KAAK,EAAE,MAAM;CAS1B"}

package/dist/server/errors.js

@@ -41,3 +41,11 @@ export class TokenError extends AuthError {
         this.name = 'TokenError';
     }
 }
+export class OAuthAccountConflictError extends AuthError {
+    email;
+    constructor(email) {
+        super('An account with this email already exists. Sign in with your password or original provider.', 'OAUTH_ACCOUNT_CONFLICT', 409);
+        this.name = 'OAuthAccountConflictError';
+        this.email = email;
+    }
+}

package/dist/server/index.d.ts

@@ -6,11 +6,22 @@
  */
 export type { SignInResult, SignUpResult } from '../types.js';
 export { isSignupAllowed, signIn, signUp } from './auth.js';
-export { clearFailedAttempts, getFailedAttemptCount, isAccountLocked, recordFailedAttempt, } from './brute-force.js';
-export { AuthError, AuthenticationError, DatabaseError, SessionError, TokenError, } from './errors.js';
-export type { PasswordResetResult, PasswordResetToken } from './password-reset.js';
-export { generatePasswordResetToken, invalidatePasswordResetToken, resetPasswordWithToken, validatePasswordResetToken, } from './password-reset.js';
+export { clearFailedAttempts, configureBruteForce, getFailedAttemptCount, isAccountLocked, recordFailedAttempt, resetBruteForceConfig, } from './brute-force.js';
+export { AuthError, AuthenticationError, DatabaseError, OAuthAccountConflictError, SessionError, TokenError, } from './errors.js';
+export type { MagicLinkConfig } from './magic-link.js';
+export { configureMagicLink, createMagicLink, resetMagicLinkConfig, verifyMagicLink, } from './magic-link.js';
+export type { MFAConfig, MFADisableProof, MFASetupResult } from './mfa.js';
+export { configureMFA, disableMFA, initiateMFASetup, isMFAEnabled, regenerateBackupCodes, resetMFAConfig, verifyBackupCode, verifyMFACode, verifyMFASetup, } from './mfa.js';
+export { buildAuthUrl, exchangeCode, fetchProviderUser, generateOAuthState, getLinkedProviders, linkOAuthAccount, type ProviderUser, unlinkOAuthAccount, upsertOAuthUser, verifyOAuthState, } from './oauth.js';
+export type { PasskeyConfig } from './passkey.js';
+export { configurePasskey, countUserCredentials, deletePasskey, generateAuthenticationChallenge, generateRegistrationChallenge, listPasskeys, renamePasskey, resetPasskeyConfig, storePasskey, verifyAuthentication, verifyRegistration, } from './passkey.js';
+export type { ChangePasswordResult, PasswordResetResult, PasswordResetToken, } from './password-reset.js';
+export { changePassword, generatePasswordResetToken, invalidatePasswordResetToken, resetPasswordWithToken, validatePasswordResetToken, } from './password-reset.js';
 export { meetsMinimumPasswordRequirements, validatePasswordStrength, } from './password-validation.js';
-export { checkRateLimit, getRateLimitStatus, resetRateLimit, } from './rate-limit.js';
-export { createSession, deleteAllUserSessions, deleteSession, getSession, } from './session.js';
+export { checkRateLimit, configureRateLimit, getRateLimitStatus, resetRateLimit, resetRateLimitConfig, } from './rate-limit.js';
+export type { RequestContext, SessionBindingConfig, SessionData } from './session.js';
+export { configureSessionBinding, createSession, deleteAllUserSessions, deleteSession, getSession, resetSessionBindingConfig, rotateSession, validateSessionBinding, } from './session.js';
+export { signCookiePayload, verifyCookiePayload } from './signed-cookie.js';
+export type { Storage } from './storage/index.js';
+export { createStorage, DatabaseStorage, getStorage, InMemoryStorage, resetStorage, } from './storage/index.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/server/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC7D,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,WAAW,CAAA;AAC3D,OAAO,EACL,mBAAmB,EACnB,qBAAqB,EACrB,eAAe,EACf,mBAAmB,GACpB,MAAM,kBAAkB,CAAA;AACzB,OAAO,EACL,SAAS,EACT,mBAAmB,EACnB,aAAa,EACb,YAAY,EACZ,UAAU,GACX,MAAM,aAAa,CAAA;AACpB,YAAY,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAA;AAClF,OAAO,EACL,0BAA0B,EAC1B,4BAA4B,EAC5B,sBAAsB,EACtB,0BAA0B,GAC3B,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,gCAAgC,EAChC,wBAAwB,GACzB,MAAM,0BAA0B,CAAA;AACjC,OAAO,EACL,cAAc,EACd,kBAAkB,EAClB,cAAc,GACf,MAAM,iBAAiB,CAAA;AACxB,OAAO,EACL,aAAa,EACb,qBAAqB,EACrB,aAAa,EACb,UAAU,GACX,MAAM,cAAc,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC9D,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,WAAW,CAAC;AAC5D,OAAO,EACL,mBAAmB,EACnB,mBAAmB,EACnB,qBAAqB,EACrB,eAAe,EACf,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,SAAS,EACT,mBAAmB,EACnB,aAAa,EACb,yBAAyB,EACzB,YAAY,EACZ,UAAU,GACX,MAAM,aAAa,CAAC;AAErB,YAAY,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,EACL,kBAAkB,EAClB,eAAe,EACf,oBAAoB,EACpB,eAAe,GAChB,MAAM,iBAAiB,CAAC;AACzB,YAAY,EAAE,SAAS,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC3E,OAAO,EACL,YAAY,EACZ,UAAU,EACV,gBAAgB,EAChB,YAAY,EACZ,qBAAqB,EACrB,cAAc,EACd,gBAAgB,EAChB,aAAa,EACb,cAAc,GACf,MAAM,UAAU,CAAC;AAClB,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,iBAAiB,EACjB,kBAAkB,EAClB,kBAAkB,EAClB,gBAAgB,EAChB,KAAK,YAAY,EACjB,kBAAkB,EAClB,eAAe,EACf,gBAAgB,GACjB,MAAM,YAAY,CAAC;AAEpB,YAAY,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAClD,OAAO,EACL,gBAAgB,EAChB,oBAAoB,EACpB,aAAa,EACb,+BAA+B,EAC/B,6BAA6B,EAC7B,YAAY,EACZ,aAAa,EACb,kBAAkB,EAClB,YAAY,EACZ,oBAAoB,EACpB,kBAAkB,GACnB,MAAM,cAAc,CAAC;AACtB,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,cAAc,EACd,0BAA0B,EAC1B,4BAA4B,EAC5B,sBAAsB,EACtB,0BAA0B,GAC3B,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,gCAAgC,EAChC,wBAAwB,GACzB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,cAAc,EACd,kBAAkB,EAClB,kBAAkB,EAClB,cAAc,EACd,oBAAoB,GACrB,MAAM,iBAAiB,CAAC;AACzB,YAAY,EAAE,cAAc,EAAE,oBAAoB,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AACtF,OAAO,EACL,uBAAuB,EACvB,aAAa,EACb,qBAAqB,EACrB,aAAa,EACb,UAAU,EACV,yBAAyB,EACzB,aAAa,EACb,sBAAsB,GACvB,MAAM,cAAc,CAAC;AAEtB,OAAO,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC5E,YAAY,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EACL,aAAa,EACb,eAAe,EACf,UAAU,EACV,eAAe,EACf,YAAY,GACb,MAAM,oBAAoB,CAAC"}

package/dist/server/index.js

@@ -5,9 +5,16 @@
  * Inspired by Better Auth and Neon Auth patterns.
  */
 export { isSignupAllowed, signIn, signUp } from './auth.js';
-export { clearFailedAttempts, getFailedAttemptCount, isAccountLocked, recordFailedAttempt, } from './brute-force.js';
-export { AuthError, AuthenticationError, DatabaseError, SessionError, TokenError, } from './errors.js';
-export { generatePasswordResetToken, invalidatePasswordResetToken, resetPasswordWithToken, validatePasswordResetToken, } from './password-reset.js';
+export { clearFailedAttempts, configureBruteForce, getFailedAttemptCount, isAccountLocked, recordFailedAttempt, resetBruteForceConfig, } from './brute-force.js';
+export { AuthError, AuthenticationError, DatabaseError, OAuthAccountConflictError, SessionError, TokenError, } from './errors.js';
+export { configureMagicLink, createMagicLink, resetMagicLinkConfig, verifyMagicLink, } from './magic-link.js';
+export { configureMFA, disableMFA, initiateMFASetup, isMFAEnabled, regenerateBackupCodes, resetMFAConfig, verifyBackupCode, verifyMFACode, verifyMFASetup, } from './mfa.js';
+export { buildAuthUrl, exchangeCode, fetchProviderUser, generateOAuthState, getLinkedProviders, linkOAuthAccount, unlinkOAuthAccount, upsertOAuthUser, verifyOAuthState, } from './oauth.js';
+export { configurePasskey, countUserCredentials, deletePasskey, generateAuthenticationChallenge, generateRegistrationChallenge, listPasskeys, renamePasskey, resetPasskeyConfig, storePasskey, verifyAuthentication, verifyRegistration, } from './passkey.js';
+export { changePassword, generatePasswordResetToken, invalidatePasswordResetToken, resetPasswordWithToken, validatePasswordResetToken, } from './password-reset.js';
 export { meetsMinimumPasswordRequirements, validatePasswordStrength, } from './password-validation.js';
-export { checkRateLimit, getRateLimitStatus, resetRateLimit, } from './rate-limit.js';
-export { createSession, deleteAllUserSessions, deleteSession, getSession, } from './session.js';
+export { checkRateLimit, configureRateLimit, getRateLimitStatus, resetRateLimit, resetRateLimitConfig, } from './rate-limit.js';
+export { configureSessionBinding, createSession, deleteAllUserSessions, deleteSession, getSession, resetSessionBindingConfig, rotateSession, validateSessionBinding, } from './session.js';
+// Signed Cookie
+export { signCookiePayload, verifyCookiePayload } from './signed-cookie.js';
+export { createStorage, DatabaseStorage, getStorage, InMemoryStorage, resetStorage, } from './storage/index.js';

package/dist/server/magic-link.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Magic Link Token Module
+ *
+ * Generates and verifies single-use, time-limited tokens for passwordless
+ * email authentication and account recovery flows.
+ *
+ * Tokens are stored in the database as HMAC-SHA256 hashes with per-token salts,
+ * following the same security pattern as password-reset.ts.
+ */
+export interface MagicLinkConfig {
+    /** Token expiry in ms (default: 15 minutes) */
+    tokenExpiryMs: number;
+    /** Temp session duration in ms (default: 30 minutes) */
+    tempSessionDurationMs: number;
+    /** Max requests per hour per email (default: 3) */
+    maxRequestsPerHour: number;
+}
+export declare function configureMagicLink(overrides: Partial<MagicLinkConfig>): void;
+export declare function resetMagicLinkConfig(): void;
+/**
+ * Creates a magic link token for a user.
+ *
+ * - Generates a 32-byte random token
+ * - Hashes it with HMAC-SHA256 + per-token salt
+ * - Cleans up expired magic links for the same user (opportunistic)
+ * - Inserts the hashed token into the database
+ *
+ * @param userId - User ID to create the magic link for
+ * @returns The plaintext token (to embed in the email link) and its expiry
+ */
+export declare function createMagicLink(userId: string): Promise<{
+    token: string;
+    expiresAt: Date;
+}>;
+/**
+ * Verifies a magic link token.
+ *
+ * Selects all unexpired, unused magic links and checks each one against the
+ * provided token using HMAC-SHA256 + timingSafeEqual. This is a table scan
+ * by design (same approach as password-reset.ts validation). The table stays
+ * small due to opportunistic cleanup in createMagicLink.
+ *
+ * On match: marks the token as used and returns the userId.
+ * On no match: returns null.
+ *
+ * @param token - Plaintext token from the magic link URL
+ * @returns Object with userId if valid, null otherwise
+ */
+export declare function verifyMagicLink(token: string): Promise<{
+    userId: string;
+} | null>;
+//# sourceMappingURL=magic-link.d.ts.map

package/dist/server/magic-link.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"magic-link.d.ts","sourceRoot":"","sources":["../../src/server/magic-link.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAWH,MAAM,WAAW,eAAe;IAC9B,+CAA+C;IAC/C,aAAa,EAAE,MAAM,CAAC;IACtB,wDAAwD;IACxD,qBAAqB,EAAE,MAAM,CAAC;IAC9B,mDAAmD;IACnD,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAUD,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,OAAO,CAAC,eAAe,CAAC,GAAG,IAAI,CAE5E;AAED,wBAAgB,oBAAoB,IAAI,IAAI,CAE3C;AA0BD;;;;;;;;;;GAUG;AACH,wBAAsB,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,IAAI,CAAA;CAAE,CAAC,CAyBjG;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,MAAM,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CAuBvF"}

package/dist/server/magic-link.js

@@ -0,0 +1,111 @@
+/**
+ * Magic Link Token Module
+ *
+ * Generates and verifies single-use, time-limited tokens for passwordless
+ * email authentication and account recovery flows.
+ *
+ * Tokens are stored in the database as HMAC-SHA256 hashes with per-token salts,
+ * following the same security pattern as password-reset.ts.
+ */
+import crypto from 'node:crypto';
+import { getClient } from '@revealui/db/client';
+import { magicLinks } from '@revealui/db/schema';
+import { and, eq, gt, isNull, lt } from 'drizzle-orm';
+const DEFAULT_CONFIG = {
+    tokenExpiryMs: 15 * 60 * 1000,
+    tempSessionDurationMs: 30 * 60 * 1000,
+    maxRequestsPerHour: 3,
+};
+let config = { ...DEFAULT_CONFIG };
+export function configureMagicLink(overrides) {
+    config = { ...DEFAULT_CONFIG, ...overrides };
+}
+export function resetMagicLinkConfig() {
+    config = { ...DEFAULT_CONFIG };
+}
+// =============================================================================
+// Crypto helpers (same pattern as password-reset.ts)
+// =============================================================================
+/**
+ * Hash a token using HMAC-SHA256 with a per-token salt.
+ * The salt is stored in the DB alongside the hash; this defeats rainbow
+ * table attacks even if the database is fully compromised.
+ */
+function hashToken(token, salt) {
+    return crypto.createHmac('sha256', salt).update(token).digest('hex');
+}
+/**
+ * Generate a 16-byte random salt (hex string).
+ */
+function generateSalt() {
+    return crypto.randomBytes(16).toString('hex');
+}
+// =============================================================================
+// Public API
+// =============================================================================
+/**
+ * Creates a magic link token for a user.
+ *
+ * - Generates a 32-byte random token
+ * - Hashes it with HMAC-SHA256 + per-token salt
+ * - Cleans up expired magic links for the same user (opportunistic)
+ * - Inserts the hashed token into the database
+ *
+ * @param userId - User ID to create the magic link for
+ * @returns The plaintext token (to embed in the email link) and its expiry
+ */
+export async function createMagicLink(userId) {
+    const db = getClient();
+    // Generate secure token with per-token salt
+    const token = crypto.randomBytes(32).toString('hex');
+    const tokenSalt = generateSalt();
+    const tokenHash = hashToken(token, tokenSalt);
+    const expiresAt = new Date(Date.now() + config.tokenExpiryMs);
+    const id = crypto.randomUUID();
+    // Opportunistic cleanup: delete expired magic links for this user
+    await db
+        .delete(magicLinks)
+        .where(and(eq(magicLinks.userId, userId), lt(magicLinks.expiresAt, new Date())));
+    // Store hashed token + salt in database
+    await db.insert(magicLinks).values({
+        id,
+        userId,
+        tokenHash,
+        tokenSalt,
+        expiresAt,
+    });
+    return { token, expiresAt };
+}
+/**
+ * Verifies a magic link token.
+ *
+ * Selects all unexpired, unused magic links and checks each one against the
+ * provided token using HMAC-SHA256 + timingSafeEqual. This is a table scan
+ * by design (same approach as password-reset.ts validation). The table stays
+ * small due to opportunistic cleanup in createMagicLink.
+ *
+ * On match: marks the token as used and returns the userId.
+ * On no match: returns null.
+ *
+ * @param token - Plaintext token from the magic link URL
+ * @returns Object with userId if valid, null otherwise
+ */
+export async function verifyMagicLink(token) {
+    const db = getClient();
+    // Select unexpired, unused magic links only — expired tokens can never match
+    const rows = await db
+        .select()
+        .from(magicLinks)
+        .where(and(isNull(magicLinks.usedAt), gt(magicLinks.expiresAt, new Date())));
+    for (const row of rows) {
+        const expectedHash = hashToken(token, row.tokenSalt);
+        const expectedBuf = Buffer.from(expectedHash);
+        const actualBuf = Buffer.from(row.tokenHash);
+        if (expectedBuf.length === actualBuf.length && crypto.timingSafeEqual(expectedBuf, actualBuf)) {
+            // Mark token as used (single-use enforcement)
+            await db.update(magicLinks).set({ usedAt: new Date() }).where(eq(magicLinks.id, row.id));
+            return { userId: row.userId };
+        }
+    }
+    return null;
+}

package/dist/server/mfa.d.ts

@@ -0,0 +1,87 @@
+/**
+ * MFA/2FA — TOTP-based Multi-Factor Authentication
+ *
+ * Uses the timing-safe TOTP implementation from @revealui/core/security/auth.
+ * Backup codes are bcrypt-hashed for storage (one-time use, consumed on verify).
+ */
+export interface MFAConfig {
+    /** Number of backup codes to generate (default: 8) */
+    backupCodeCount: number;
+    /** Length of each backup code in bytes (default: 5, produces 10 hex chars) */
+    backupCodeLength: number;
+    /** Issuer name shown in authenticator apps */
+    issuer: string;
+}
+export declare function configureMFA(overrides: Partial<MFAConfig>): void;
+export declare function resetMFAConfig(): void;
+export interface MFASetupResult {
+    success: boolean;
+    /** Base32-encoded TOTP secret (show once) */
+    secret?: string;
+    /** otpauth:// URI for QR code */
+    uri?: string;
+    /** Plaintext backup codes (show once) */
+    backupCodes?: string[];
+    error?: string;
+}
+/**
+ * Initiate MFA setup for a user.
+ * Generates a TOTP secret and backup codes. The user must verify with a TOTP
+ * code before MFA is activated (see `verifyMFASetup`).
+ */
+export declare function initiateMFASetup(userId: string, email: string): Promise<MFASetupResult>;
+/**
+ * Verify MFA setup by confirming the user's authenticator app works.
+ * This activates MFA on the account.
+ */
+export declare function verifyMFASetup(userId: string, code: string): Promise<{
+    success: boolean;
+    error?: string;
+}>;
+/**
+ * Verify a TOTP code during login (step 2 of MFA login flow).
+ */
+export declare function verifyMFACode(userId: string, code: string): Promise<{
+    success: boolean;
+    error?: string;
+}>;
+/**
+ * Verify a backup code (one-time use). Consumes the code on success.
+ */
+export declare function verifyBackupCode(userId: string, code: string): Promise<{
+    success: boolean;
+    remainingCodes?: number;
+    error?: string;
+}>;
+/**
+ * Regenerate backup codes (requires active MFA).
+ */
+export declare function regenerateBackupCodes(userId: string): Promise<{
+    success: boolean;
+    backupCodes?: string[];
+    error?: string;
+}>;
+/**
+ * Discriminated union for MFA disable re-authentication proof.
+ * - `password`: traditional password confirmation
+ * - `passkey`: WebAuthn assertion already verified by the API route
+ */
+export type MFADisableProof = {
+    method: 'password';
+    password: string;
+} | {
+    method: 'passkey';
+    verified: true;
+};
+/**
+ * Disable MFA on a user account. Requires re-authentication proof.
+ */
+export declare function disableMFA(userId: string, proof: MFADisableProof): Promise<{
+    success: boolean;
+    error?: string;
+}>;
+/**
+ * Check if a user has MFA enabled.
+ */
+export declare function isMFAEnabled(userId: string): Promise<boolean>;
+//# sourceMappingURL=mfa.d.ts.map

package/dist/server/mfa.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mfa.d.ts","sourceRoot":"","sources":["../../src/server/mfa.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAaH,MAAM,WAAW,SAAS;IACxB,sDAAsD;IACtD,eAAe,EAAE,MAAM,CAAC;IACxB,8EAA8E;IAC9E,gBAAgB,EAAE,MAAM,CAAC;IACzB,8CAA8C;IAC9C,MAAM,EAAE,MAAM,CAAC;CAChB;AAUD,wBAAgB,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,SAAS,CAAC,GAAG,IAAI,CAEhE;AAED,wBAAgB,cAAc,IAAI,IAAI,CAErC;AA2CD,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,6CAA6C;IAC7C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,iCAAiC;IACjC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,yCAAyC;IACzC,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;GAIG;AACH,wBAAsB,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC,CAuC7F;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,GACX,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAsC/C;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,GACX,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAmB/C;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,GACX,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAuCxE;AAED;;GAEG;AACH,wBAAsB,qBAAqB,CACzC,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAwBvE;AAED;;;;GAIG;AACH,MAAM,MAAM,eAAe,GACvB;IAAE,MAAM,EAAE,UAAU,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GACxC;IAAE,MAAM,EAAE,SAAS,CAAC;IAAC,QAAQ,EAAE,IAAI,CAAA;CAAE,CAAC;AAE1C;;GAEG;AACH,wBAAsB,UAAU,CAC9B,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,eAAe,GACrB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA+C/C;AAED;;GAEG;AACH,wBAAsB,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAUnE"}