npm - @revealui/auth - Versions diffs - 0.2.0 → 0.3.0 - Mend

@revealui/auth 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (87) hide show

package/README.md +58 -34
package/dist/index.d.ts.map +1 -1
package/dist/react/index.d.ts +4 -0
package/dist/react/index.d.ts.map +1 -1
package/dist/react/index.js +2 -0
package/dist/react/useMFA.d.ts +83 -0
package/dist/react/useMFA.d.ts.map +1 -0
package/dist/react/useMFA.js +182 -0
package/dist/react/usePasskey.d.ts +88 -0
package/dist/react/usePasskey.d.ts.map +1 -0
package/dist/react/usePasskey.js +203 -0
package/dist/react/useSession.d.ts.map +1 -1
package/dist/react/useSession.js +16 -5
package/dist/react/useSignIn.d.ts +9 -3
package/dist/react/useSignIn.d.ts.map +1 -1
package/dist/react/useSignIn.js +32 -10
package/dist/react/useSignOut.d.ts.map +1 -1
package/dist/react/useSignUp.d.ts +1 -0
package/dist/react/useSignUp.d.ts.map +1 -1
package/dist/react/useSignUp.js +25 -9
package/dist/server/auth.d.ts +2 -0
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +93 -5
package/dist/server/brute-force.d.ts +10 -1
package/dist/server/brute-force.d.ts.map +1 -1
package/dist/server/brute-force.js +46 -23
package/dist/server/errors.d.ts +4 -0
package/dist/server/errors.d.ts.map +1 -1
package/dist/server/errors.js +8 -0
package/dist/server/index.d.ts +17 -6
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +12 -5
package/dist/server/magic-link.d.ts +52 -0
package/dist/server/magic-link.d.ts.map +1 -0
package/dist/server/magic-link.js +111 -0
package/dist/server/mfa.d.ts +87 -0
package/dist/server/mfa.d.ts.map +1 -0
package/dist/server/mfa.js +263 -0
package/dist/server/oauth.d.ts +86 -0
package/dist/server/oauth.d.ts.map +1 -0
package/dist/server/oauth.js +355 -0
package/dist/server/passkey.d.ts +132 -0
package/dist/server/passkey.d.ts.map +1 -0
package/dist/server/passkey.js +257 -0
package/dist/server/password-reset.d.ts +32 -6
package/dist/server/password-reset.d.ts.map +1 -1
package/dist/server/password-reset.js +116 -47
package/dist/server/password-validation.d.ts.map +1 -1
package/dist/server/providers/github.d.ts +14 -0
package/dist/server/providers/github.d.ts.map +1 -0
package/dist/server/providers/github.js +89 -0
package/dist/server/providers/google.d.ts +11 -0
package/dist/server/providers/google.d.ts.map +1 -0
package/dist/server/providers/google.js +69 -0
package/dist/server/providers/vercel.d.ts +11 -0
package/dist/server/providers/vercel.d.ts.map +1 -0
package/dist/server/providers/vercel.js +63 -0
package/dist/server/rate-limit.d.ts +10 -1
package/dist/server/rate-limit.d.ts.map +1 -1
package/dist/server/rate-limit.js +61 -43
package/dist/server/session.d.ts +48 -1
package/dist/server/session.d.ts.map +1 -1
package/dist/server/session.js +126 -7
package/dist/server/signed-cookie.d.ts +32 -0
package/dist/server/signed-cookie.d.ts.map +1 -0
package/dist/server/signed-cookie.js +67 -0
package/dist/server/storage/database.d.ts +10 -1
package/dist/server/storage/database.d.ts.map +1 -1
package/dist/server/storage/database.js +43 -5
package/dist/server/storage/in-memory.d.ts +4 -0
package/dist/server/storage/in-memory.d.ts.map +1 -1
package/dist/server/storage/in-memory.js +16 -6
package/dist/server/storage/index.d.ts +11 -3
package/dist/server/storage/index.d.ts.map +1 -1
package/dist/server/storage/index.js +18 -4
package/dist/server/storage/interface.d.ts +11 -1
package/dist/server/storage/interface.d.ts.map +1 -1
package/dist/server/storage/interface.js +1 -1
package/dist/types.d.ts +23 -8
package/dist/types.d.ts.map +1 -1
package/dist/types.js +2 -2
package/dist/utils/database.d.ts.map +1 -1
package/dist/utils/database.js +12 -2
package/dist/utils/token.d.ts +9 -1
package/dist/utils/token.d.ts.map +1 -1
package/dist/utils/token.js +9 -1
package/package.json +26 -8

package/dist/server/mfa.js ADDED Viewed

@@ -0,0 +1,263 @@
+/**
+ * MFA/2FA — TOTP-based Multi-Factor Authentication
+ *
+ * Uses the timing-safe TOTP implementation from @revealui/core/security/auth.
+ * Backup codes are bcrypt-hashed for storage (one-time use, consumed on verify).
+ */
+import { randomBytes } from 'node:crypto';
+import { TwoFactorAuth } from '@revealui/core/security';
+import { getClient } from '@revealui/db/client';
+import { users } from '@revealui/db/schema';
+import bcrypt from 'bcryptjs';
+import { eq } from 'drizzle-orm';
+const DEFAULT_MFA_CONFIG = {
+    backupCodeCount: 8,
+    backupCodeLength: 5,
+    issuer: 'RevealUI',
+};
+let config = { ...DEFAULT_MFA_CONFIG };
+export function configureMFA(overrides) {
+    config = { ...DEFAULT_MFA_CONFIG, ...overrides };
+}
+export function resetMFAConfig() {
+    config = { ...DEFAULT_MFA_CONFIG };
+}
+// =============================================================================
+// Backup Code Generation
+// =============================================================================
+/**
+ * Generate a set of plaintext backup codes.
+ * Returns both the plaintext codes (to show the user once) and bcrypt hashes (to store).
+ */
+async function generateBackupCodes() {
+    const plaintext = [];
+    const hashed = [];
+    for (let i = 0; i < config.backupCodeCount; i++) {
+        const code = randomBytes(config.backupCodeLength).toString('hex');
+        plaintext.push(code);
+        hashed.push(await bcrypt.hash(code, 10));
+    }
+    return { plaintext, hashed };
+}
+// =============================================================================
+// TOTP Provisioning URI
+// =============================================================================
+/**
+ * Build an otpauth:// URI for QR code generation in authenticator apps.
+ */
+function buildProvisioningUri(secret, email) {
+    const issuer = encodeURIComponent(config.issuer);
+    const account = encodeURIComponent(email);
+    return `otpauth://totp/${issuer}:${account}?secret=${secret}&issuer=${issuer}&algorithm=SHA1&digits=6&period=30`;
+}
+/**
+ * Initiate MFA setup for a user.
+ * Generates a TOTP secret and backup codes. The user must verify with a TOTP
+ * code before MFA is activated (see `verifyMFASetup`).
+ */
+export async function initiateMFASetup(userId, email) {
+    const db = getClient();
+    // Check if MFA is already enabled
+    const [user] = await db
+        .select({ mfaEnabled: users.mfaEnabled })
+        .from(users)
+        .where(eq(users.id, userId))
+        .limit(1);
+    if (!user) {
+        return { success: false, error: 'User not found' };
+    }
+    if (user.mfaEnabled) {
+        return { success: false, error: 'MFA is already enabled' };
+    }
+    // Generate TOTP secret and backup codes
+    const secret = TwoFactorAuth.generateSecret();
+    const { plaintext, hashed } = await generateBackupCodes();
+    const uri = buildProvisioningUri(secret, email);
+    // Store secret and backup codes (MFA stays disabled until verified)
+    await db
+        .update(users)
+        .set({
+        mfaSecret: secret,
+        mfaBackupCodes: hashed,
+        updatedAt: new Date(),
+    })
+        .where(eq(users.id, userId));
+    return {
+        success: true,
+        secret,
+        uri,
+        backupCodes: plaintext,
+    };
+}
+/**
+ * Verify MFA setup by confirming the user's authenticator app works.
+ * This activates MFA on the account.
+ */
+export async function verifyMFASetup(userId, code) {
+    const db = getClient();
+    const [user] = await db
+        .select({ mfaSecret: users.mfaSecret, mfaEnabled: users.mfaEnabled })
+        .from(users)
+        .where(eq(users.id, userId))
+        .limit(1);
+    if (!user) {
+        return { success: false, error: 'User not found' };
+    }
+    if (user.mfaEnabled) {
+        return { success: false, error: 'MFA is already enabled' };
+    }
+    if (!user.mfaSecret) {
+        return { success: false, error: 'MFA setup not initiated' };
+    }
+    // Verify the TOTP code against the stored secret
+    const valid = TwoFactorAuth.verifyCode(user.mfaSecret, code);
+    if (!valid) {
+        return { success: false, error: 'Invalid verification code' };
+    }
+    // Activate MFA
+    await db
+        .update(users)
+        .set({
+        mfaEnabled: true,
+        mfaVerifiedAt: new Date(),
+        updatedAt: new Date(),
+    })
+        .where(eq(users.id, userId));
+    return { success: true };
+}
+/**
+ * Verify a TOTP code during login (step 2 of MFA login flow).
+ */
+export async function verifyMFACode(userId, code) {
+    const db = getClient();
+    const [user] = await db
+        .select({ mfaSecret: users.mfaSecret, mfaEnabled: users.mfaEnabled })
+        .from(users)
+        .where(eq(users.id, userId))
+        .limit(1);
+    if (!(user?.mfaEnabled && user.mfaSecret)) {
+        return { success: false, error: 'MFA not enabled' };
+    }
+    const valid = TwoFactorAuth.verifyCode(user.mfaSecret, code);
+    if (!valid) {
+        return { success: false, error: 'Invalid code' };
+    }
+    return { success: true };
+}
+/**
+ * Verify a backup code (one-time use). Consumes the code on success.
+ */
+export async function verifyBackupCode(userId, code) {
+    const db = getClient();
+    const [user] = await db
+        .select({ mfaBackupCodes: users.mfaBackupCodes, mfaEnabled: users.mfaEnabled })
+        .from(users)
+        .where(eq(users.id, userId))
+        .limit(1);
+    if (!user?.mfaEnabled) {
+        return { success: false, error: 'MFA not enabled' };
+    }
+    const storedCodes = (user.mfaBackupCodes ?? []);
+    if (storedCodes.length === 0) {
+        return { success: false, error: 'No backup codes available' };
+    }
+    // Find and consume the matching backup code
+    for (let i = 0; i < storedCodes.length; i++) {
+        const storedCode = storedCodes[i];
+        if (!storedCode)
+            continue;
+        const matches = await bcrypt.compare(code, storedCode);
+        if (matches) {
+            // Remove the consumed code
+            const remaining = [...storedCodes.slice(0, i), ...storedCodes.slice(i + 1)];
+            await db
+                .update(users)
+                .set({
+                mfaBackupCodes: remaining,
+                updatedAt: new Date(),
+            })
+                .where(eq(users.id, userId));
+            return { success: true, remainingCodes: remaining.length };
+        }
+    }
+    return { success: false, error: 'Invalid backup code' };
+}
+/**
+ * Regenerate backup codes (requires active MFA).
+ */
+export async function regenerateBackupCodes(userId) {
+    const db = getClient();
+    const [user] = await db
+        .select({ mfaEnabled: users.mfaEnabled })
+        .from(users)
+        .where(eq(users.id, userId))
+        .limit(1);
+    if (!user?.mfaEnabled) {
+        return { success: false, error: 'MFA not enabled' };
+    }
+    const { plaintext, hashed } = await generateBackupCodes();
+    await db
+        .update(users)
+        .set({
+        mfaBackupCodes: hashed,
+        updatedAt: new Date(),
+    })
+        .where(eq(users.id, userId));
+    return { success: true, backupCodes: plaintext };
+}
+/**
+ * Disable MFA on a user account. Requires re-authentication proof.
+ */
+export async function disableMFA(userId, proof) {
+    const db = getClient();
+    const [user] = await db
+        .select({
+        mfaEnabled: users.mfaEnabled,
+        password: users.password,
+    })
+        .from(users)
+        .where(eq(users.id, userId))
+        .limit(1);
+    if (!user) {
+        return { success: false, error: 'User not found' };
+    }
+    if (!user.mfaEnabled) {
+        return { success: false, error: 'MFA is not enabled' };
+    }
+    // Verify re-authentication proof
+    if (proof.method === 'password') {
+        if (!user.password) {
+            return { success: false, error: 'Password verification required' };
+        }
+        const passwordValid = await bcrypt.compare(proof.password, user.password);
+        if (!passwordValid) {
+            return { success: false, error: 'Invalid password' };
+        }
+    }
+    // For passkey proof, the API route has already performed the WebAuthn assertion —
+    // the `verified: true` flag is trusted as a server-side signal.
+    // Clear all MFA data
+    await db
+        .update(users)
+        .set({
+        mfaEnabled: false,
+        mfaSecret: null,
+        mfaBackupCodes: null,
+        mfaVerifiedAt: null,
+        updatedAt: new Date(),
+    })
+        .where(eq(users.id, userId));
+    return { success: true };
+}
+/**
+ * Check if a user has MFA enabled.
+ */
+export async function isMFAEnabled(userId) {
+    const db = getClient();
+    const [user] = await db
+        .select({ mfaEnabled: users.mfaEnabled })
+        .from(users)
+        .where(eq(users.id, userId))
+        .limit(1);
+    return user?.mfaEnabled ?? false;
+}

package/dist/server/oauth.d.ts ADDED Viewed

@@ -0,0 +1,86 @@
+/**
+ * OAuth Core — State Management + User Upsert
+ *
+ * CSRF state: signed cookie using HMAC-SHA256 over a base64url payload.
+ * Provider dispatch: routes to Google / GitHub / Vercel provider modules.
+ * User upsert: links OAuth identities to local users via oauth_accounts table.
+ */
+import type { User } from '../types.js';
+export interface ProviderUser {
+    id: string;
+    email: string | null;
+    name: string;
+    avatarUrl: string | null;
+}
+/**
+ * Generate a signed OAuth state token.
+ *
+ * State encodes provider + redirectTo + nonce as base64url JSON.
+ * Cookie value is `<state>.<hmac>` — the HMAC is over the state string
+ * using REVEALUI_SECRET, providing CSRF protection without a DB table.
+ */
+export declare function generateOAuthState(provider: string, redirectTo: string): {
+    state: string;
+    cookieValue: string;
+};
+/**
+ * Verify a signed OAuth state token from the callback.
+ *
+ * Returns the decoded provider + redirectTo if valid, null otherwise.
+ */
+export declare function verifyOAuthState(state: string | null | undefined, cookieValue: string | null | undefined): {
+    provider: string;
+    redirectTo: string;
+} | null;
+export declare function buildAuthUrl(provider: string, redirectUri: string, state: string): string;
+export declare function exchangeCode(provider: string, code: string, redirectUri: string): Promise<string>;
+export declare function fetchProviderUser(provider: string, accessToken: string): Promise<ProviderUser>;
+/**
+ * Find or create a local user for the given OAuth identity.
+ *
+ * Flow:
+ * 1. Look up oauth_accounts by (provider, providerUserId) → get userId
+ * 2. If found: refresh metadata + return user
+ * 3. If not found: check users by email → link if match
+ * 4. If no match: create new user (role: 'admin', no password)
+ * 5. Insert oauth_accounts row
+ */
+export declare function upsertOAuthUser(provider: string, providerUser: ProviderUser): Promise<User>;
+/**
+ * Link an OAuth provider to an existing authenticated user.
+ *
+ * Unlike upsertOAuthUser(), this function requires the caller to be
+ * authenticated and explicitly requests the link. This is safe because
+ * the user has already proven ownership of the local account via their
+ * session.
+ *
+ * @param userId - The authenticated user's ID (from session)
+ * @param provider - OAuth provider name
+ * @param providerUser - Profile returned by the OAuth provider
+ * @returns The linked user
+ * @throws Error if the provider account is already linked to a different user
+ */
+export declare function linkOAuthAccount(userId: string, provider: string, providerUser: ProviderUser): Promise<User>;
+/**
+ * Unlink an OAuth provider from a user's account.
+ *
+ * Safety: refuses to unlink the last auth method (if user has no password
+ * and this is their only OAuth link, unlinking would lock them out).
+ *
+ * @param userId - The authenticated user's ID
+ * @param provider - The provider to unlink
+ * @throws Error if unlinking would leave the user with no authentication method
+ */
+export declare function unlinkOAuthAccount(userId: string, provider: string): Promise<void>;
+/**
+ * Get all linked OAuth providers for a user.
+ *
+ * @param userId - The user's ID
+ * @returns Array of linked provider info (provider name, email, avatar)
+ */
+export declare function getLinkedProviders(userId: string): Promise<Array<{
+    provider: string;
+    providerEmail: string | null;
+    providerName: string | null;
+}>>;
+//# sourceMappingURL=oauth.d.ts.map

package/dist/server/oauth.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../../src/server/oauth.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAOH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AAMxC,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAMD;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,GACjB;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,CAaxC;AAED;;;;GAIG;AACH,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAChC,WAAW,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GACrC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAgDjD;AAwBD,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CASzF;AAED,wBAAsB,YAAY,CAChC,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,MAAM,CAAC,CAQjB;AAED,wBAAsB,iBAAiB,CACrC,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,YAAY,CAAC,CAQvB;AAMD;;;;;;;;;GASG;AACH,wBAAsB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA6FjG;AAMD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,gBAAgB,CACpC,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,YAAY,GACzB,OAAO,CAAC,IAAI,CAAC,CAiEf;AAED;;;;;;;;;GASG;AACH,wBAAsB,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAsCxF;AAED;;;;;GAKG;AACH,wBAAsB,kBAAkB,CACtC,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,KAAK,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,CAAC,CAAC,CAajG"}