@revealui/auth 0.2.0 → 0.3.0

package/dist/server/passkey.js

@@ -0,0 +1,257 @@
+/**
+ * WebAuthn Passkey Module
+ *
+ * Implements passkey registration, authentication, and management using
+ * @simplewebauthn/server v13. Passkeys enable passwordless authentication
+ * via biometrics, security keys, or platform authenticators.
+ *
+ * @see https://simplewebauthn.dev/
+ */
+import crypto from 'node:crypto';
+import { getClient } from '@revealui/db/client';
+import { passkeys, users } from '@revealui/db/schema';
+import { generateAuthenticationOptions, generateRegistrationOptions, verifyAuthenticationResponse, verifyRegistrationResponse, } from '@simplewebauthn/server';
+import { and, count, eq } from 'drizzle-orm';
+const DEFAULT_CONFIG = {
+    maxPasskeysPerUser: 10,
+    challengeTtlMs: 5 * 60 * 1000,
+    rpId: 'localhost',
+    rpName: 'RevealUI',
+    origin: 'http://localhost:4000',
+};
+let config = { ...DEFAULT_CONFIG };
+export function configurePasskey(overrides) {
+    config = { ...DEFAULT_CONFIG, ...overrides };
+}
+export function resetPasskeyConfig() {
+    config = { ...DEFAULT_CONFIG };
+}
+// =============================================================================
+// Registration
+// =============================================================================
+/**
+ * Generate WebAuthn registration options for a user.
+ *
+ * The returned object should be passed to the browser's navigator.credentials.create().
+ * The challenge is embedded in the options and should be stored server-side
+ * for verification.
+ *
+ * @param userId - User's database ID
+ * @param userEmail - User's email (used as userName in WebAuthn)
+ * @param existingCredentialIds - Credential IDs to exclude (prevent re-registration)
+ */
+export async function generateRegistrationChallenge(userId, userEmail, existingCredentialIds) {
+    const excludeCredentials = existingCredentialIds?.map((id) => ({
+        id,
+    }));
+    // Encode userId as Uint8Array for WebAuthn userID field
+    const userIdBytes = new TextEncoder().encode(userId);
+    const options = await generateRegistrationOptions({
+        rpName: config.rpName,
+        rpID: config.rpId,
+        userName: userEmail,
+        userID: userIdBytes,
+        userDisplayName: userEmail,
+        excludeCredentials,
+        authenticatorSelection: {
+            residentKey: 'preferred',
+            userVerification: 'preferred',
+        },
+        timeout: config.challengeTtlMs,
+    });
+    return options;
+}
+/**
+ * Verify a WebAuthn registration response from the browser.
+ *
+ * @param response - The RegistrationResponseJSON from the browser
+ * @param expectedChallenge - The challenge from generateRegistrationChallenge
+ * @param expectedOrigin - Override origin (defaults to config.origin)
+ * @returns Verified registration data including credential info
+ * @throws If verification fails
+ */
+export async function verifyRegistration(response, expectedChallenge, expectedOrigin) {
+    const verification = await verifyRegistrationResponse({
+        response,
+        expectedChallenge,
+        expectedOrigin: expectedOrigin ?? config.origin,
+        expectedRPID: config.rpId,
+    });
+    if (!(verification.verified && verification.registrationInfo)) {
+        throw new Error('Passkey registration verification failed');
+    }
+    return verification;
+}
+// =============================================================================
+// Credential Storage
+// =============================================================================
+/**
+ * Store a verified passkey credential in the database.
+ *
+ * Enforces the per-user passkey limit before insertion.
+ *
+ * @param userId - User's database ID
+ * @param credential - Verified credential from verifyRegistration
+ * @param deviceName - Optional user-friendly name (e.g., "MacBook Pro Touch ID")
+ * @returns The stored passkey record
+ */
+export async function storePasskey(userId, credential, deviceName) {
+    const db = getClient();
+    // Enforce per-user passkey limit
+    const [result] = await db
+        .select({ total: count() })
+        .from(passkeys)
+        .where(eq(passkeys.userId, userId));
+    const currentCount = result?.total ?? 0;
+    if (currentCount >= config.maxPasskeysPerUser) {
+        throw new Error(`Maximum of ${config.maxPasskeysPerUser} passkeys per user reached`);
+    }
+    const id = crypto.randomUUID();
+    const now = new Date();
+    await db.insert(passkeys).values({
+        id,
+        userId,
+        credentialId: credential.id,
+        publicKey: Buffer.from(credential.publicKey),
+        counter: credential.counter,
+        transports: credential.transports ?? null,
+        aaguid: credential.aaguid ?? null,
+        deviceName: deviceName ?? null,
+        backedUp: credential.backedUp ?? false,
+        createdAt: now,
+    });
+    return {
+        id,
+        userId,
+        credentialId: credential.id,
+        deviceName: deviceName ?? null,
+        createdAt: now,
+    };
+}
+// =============================================================================
+// Authentication
+// =============================================================================
+/**
+ * Generate WebAuthn authentication options.
+ *
+ * The returned object should be passed to the browser's navigator.credentials.get().
+ *
+ * @param allowCredentials - Optional list of credential IDs to allow
+ */
+export async function generateAuthenticationChallenge(allowCredentials) {
+    const options = await generateAuthenticationOptions({
+        rpID: config.rpId,
+        allowCredentials: allowCredentials?.map((cred) => ({
+            id: cred.id,
+            transports: cred.transports,
+        })),
+        timeout: config.challengeTtlMs,
+        userVerification: 'preferred',
+    });
+    return options;
+}
+/**
+ * Verify a WebAuthn authentication response and update the credential counter.
+ *
+ * @param response - The AuthenticationResponseJSON from the browser
+ * @param credential - The stored credential (id, publicKey, counter)
+ * @param expectedChallenge - The challenge from generateAuthenticationChallenge
+ * @param expectedOrigin - Override origin (defaults to config.origin)
+ * @returns Verification result with new counter value
+ */
+export async function verifyAuthentication(response, credential, expectedChallenge, expectedOrigin) {
+    const verification = await verifyAuthenticationResponse({
+        response,
+        expectedChallenge,
+        expectedOrigin: expectedOrigin ?? config.origin,
+        expectedRPID: [config.rpId],
+        credential,
+    });
+    if (verification.verified) {
+        // Update counter and lastUsedAt in the database
+        const db = getClient();
+        await db
+            .update(passkeys)
+            .set({
+            counter: verification.authenticationInfo.newCounter,
+            lastUsedAt: new Date(),
+        })
+            .where(eq(passkeys.credentialId, credential.id));
+    }
+    return {
+        verified: verification.verified,
+        newCounter: verification.authenticationInfo.newCounter,
+    };
+}
+// =============================================================================
+// Management
+// =============================================================================
+/**
+ * List all passkeys for a user (safe for client — excludes publicKey and counter).
+ */
+export async function listPasskeys(userId) {
+    const db = getClient();
+    const rows = await db
+        .select({
+        id: passkeys.id,
+        credentialId: passkeys.credentialId,
+        deviceName: passkeys.deviceName,
+        backedUp: passkeys.backedUp,
+        createdAt: passkeys.createdAt,
+        lastUsedAt: passkeys.lastUsedAt,
+    })
+        .from(passkeys)
+        .where(eq(passkeys.userId, userId));
+    return rows;
+}
+/**
+ * Delete a passkey. Blocks deletion if it's the user's last sign-in method.
+ *
+ * @param userId - User's database ID
+ * @param passkeyId - The passkey record ID to delete
+ * @throws If this is the user's only sign-in method
+ */
+export async function deletePasskey(userId, passkeyId) {
+    const { passkeyCount, hasPassword } = await countUserCredentials(userId);
+    if (passkeyCount <= 1 && !hasPassword) {
+        throw new Error('Cannot delete last sign-in method');
+    }
+    const db = getClient();
+    await db.delete(passkeys).where(and(eq(passkeys.id, passkeyId), eq(passkeys.userId, userId)));
+}
+/**
+ * Rename a passkey's device name.
+ *
+ * @param userId - User's database ID
+ * @param passkeyId - The passkey record ID to rename
+ * @param name - New friendly name
+ */
+export async function renamePasskey(userId, passkeyId, name) {
+    const db = getClient();
+    await db
+        .update(passkeys)
+        .set({ deviceName: name })
+        .where(and(eq(passkeys.id, passkeyId), eq(passkeys.userId, userId)));
+}
+/**
+ * Count a user's sign-in credentials (passkeys + password).
+ *
+ * @param userId - User's database ID
+ * @returns Passkey count and whether user has a password set
+ */
+export async function countUserCredentials(userId) {
+    const db = getClient();
+    const [passkeyResult] = await db
+        .select({ total: count() })
+        .from(passkeys)
+        .where(eq(passkeys.userId, userId));
+    const [userResult] = await db
+        .select({ password: users.password })
+        .from(users)
+        .where(eq(users.id, userId))
+        .limit(1);
+    return {
+        passkeyCount: passkeyResult?.total ?? 0,
+        hasPassword: userResult?.password != null,
+    };
+}

package/dist/server/password-reset.d.ts

@@ -12,6 +12,7 @@ export interface PasswordResetResult {
     success: boolean;
     error?: string;
     token?: string;
+    tokenId?: string;
 }
 /**
  * Generates a password reset token for a user
@@ -23,22 +24,47 @@ export declare function generatePasswordResetToken(email: string): Promise<Passw
 /**
  * Validates a password reset token
  *
- * @param token - Reset token (plain text)
+ * Uses O(1) lookup by token ID, then verifies the token hash with timingSafeEqual
+ * against the single matching row.
+ *
+ * @param tokenId - Token row ID (from the reset URL)
+ * @param token - Reset token (plain text, from the reset URL)
  * @returns User ID if valid, null otherwise
  */
-export declare function validatePasswordResetToken(token: string): Promise<string | null>;
+export declare function validatePasswordResetToken(tokenId: string, token: string): Promise<string | null>;
 /**
  * Resets password using a token
  *
- * @param token - Reset token (plain text)
+ * Uses O(1) lookup by token ID, then verifies the token hash.
+ *
+ * @param tokenId - Token row ID (from the reset URL)
+ * @param token - Reset token (plain text, from the reset URL)
  * @param newPassword - New password
  * @returns Success result
  */
-export declare function resetPasswordWithToken(token: string, newPassword: string): Promise<PasswordResetResult>;
+export declare function resetPasswordWithToken(tokenId: string, token: string, newPassword: string): Promise<PasswordResetResult>;
+export interface ChangePasswordResult {
+    success: boolean;
+    error?: string;
+}
+/**
+ * Change password for an authenticated user.
+ *
+ * Verifies the current password before updating. Does not touch sessions —
+ * the caller is responsible for revoking other sessions if desired.
+ *
+ * @param userId - Authenticated user ID
+ * @param currentPassword - Plain-text current password to verify
+ * @param newPassword - Plain-text new password to hash and store
+ */
+export declare function changePassword(userId: string, currentPassword: string, newPassword: string): Promise<ChangePasswordResult>;
 /**
  * Invalidates a password reset token
  *
- * @param token - Reset token (plain text)
+ * Uses O(1) lookup by token ID, then verifies the token hash before marking as used.
+ *
+ * @param tokenId - Token row ID (from the reset URL)
+ * @param token - Reset token (plain text, from the reset URL)
  */
-export declare function invalidatePasswordResetToken(token: string): Promise<void>;
+export declare function invalidatePasswordResetToken(tokenId: string, token: string): Promise<void>;
 //# sourceMappingURL=password-reset.d.ts.map

package/dist/server/password-reset.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"password-reset.d.ts","sourceRoot":"","sources":["../../src/server/password-reset.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,IAAI,CAAA;CAChB;AAED,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAA;IAChB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAuBD;;;;;GAKG;AACH,wBAAsB,0BAA0B,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC,CA4D5F;AAED;;;;;GAKG;AACH,wBAAsB,0BAA0B,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAgCtF;AAED;;;;;;GAMG;AACH,wBAAsB,sBAAsB,CAC1C,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,mBAAmB,CAAC,CA6D9B;AAED;;;;GAIG;AACH,wBAAsB,4BAA4B,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA0B/E"}
+{"version":3,"file":"password-reset.d.ts","sourceRoot":"","sources":["../../src/server/password-reset.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAuBD;;;;;GAKG;AACH,wBAAsB,0BAA0B,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAwE5F;AAED;;;;;;;;;GASG;AACH,wBAAsB,0BAA0B,CAC9C,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAqCxB;AAED;;;;;;;;;GASG;AACH,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,mBAAmB,CAAC,CA4E9B;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;;;;GASG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,MAAM,EACd,eAAe,EAAE,MAAM,EACvB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,oBAAoB,CAAC,CAqC/B;AAED;;;;;;;GAOG;AACH,wBAAsB,4BAA4B,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAqChG"}

package/dist/server/password-reset.js

@@ -7,10 +7,10 @@
 import crypto from 'node:crypto';
 import { logger } from '@revealui/core/observability/logger';
 import { getClient } from '@revealui/db/client';
-import { passwordResetTokens, users } from '@revealui/db/schema';
+import { passwordResetTokens, sessions, users } from '@revealui/db/schema';
 import bcrypt from 'bcryptjs';
 import { and, eq, gt, isNull } from 'drizzle-orm';
-const TOKEN_EXPIRY_MS = 60 * 60 * 1000; // 1 hour
+const TOKEN_EXPIRY_MS = 15 * 60 * 1000; // 15 minutes
 /**
  * Hash a token using HMAC-SHA256 with a per-token salt.
  * The salt is stored in the DB alongside the hash; this defeats rainbow
@@ -37,7 +37,10 @@ function generateSalt() {
 export async function generatePasswordResetToken(email) {
     try {
         const db = getClient();
-        // Find user by email
+        // Find user by email — intentionally does NOT check user.password.
+        // OAuth-only users (password: null) can use this flow to set a password,
+        // giving them a fallback login method independent of their OAuth provider.
+        // This is safe because the reset link is sent to their verified email.
         const [user] = await db.select().from(users).where(eq(users.email, email)).limit(1);
         if (!user) {
             // Don't reveal if user exists (security best practice)
@@ -46,6 +49,13 @@ export async function generatePasswordResetToken(email) {
                 token: crypto.randomBytes(32).toString('hex'),
             };
         }
+        // Invalidate any existing unused reset tokens for this user before creating a new one.
+        // This limits active tokens to one per user, preventing table accumulation that would
+        // slow the time-bounded full-table scan in validatePasswordResetToken.
+        await db
+            .update(passwordResetTokens)
+            .set({ usedAt: new Date() })
+            .where(and(eq(passwordResetTokens.userId, user.id), isNull(passwordResetTokens.usedAt)));
         // Generate secure token with per-token salt
         const token = crypto.randomBytes(32).toString('hex');
         const tokenSalt = generateSalt();
@@ -63,6 +73,7 @@ export async function generatePasswordResetToken(email) {
         return {
             success: true,
             token,
+            tokenId: id,
         };
     }
     catch (error) {
@@ -86,29 +97,31 @@ export async function generatePasswordResetToken(email) {
 /**
  * Validates a password reset token
  *
- * @param token - Reset token (plain text)
+ * Uses O(1) lookup by token ID, then verifies the token hash with timingSafeEqual
+ * against the single matching row.
+ *
+ * @param tokenId - Token row ID (from the reset URL)
+ * @param token - Reset token (plain text, from the reset URL)
  * @returns User ID if valid, null otherwise
  */
-export async function validatePasswordResetToken(token) {
+export async function validatePasswordResetToken(tokenId, token) {
     try {
         const db = getClient();
-        // We cannot look up by hash directly without the salt.
-        // Strategy: find unexpired unused tokens for any user, then verify via HMAC.
-        // To avoid full-table scans we include a time filter. In practice, there are
-        // very few active reset tokens at any given moment.
-        //
-        // A common alternative is to encode the token ID in the reset URL (e.g.,
-        // /reset?id=<uuid>&token=<token>), but this requires a URL format change.
-        // For now we do a time-bounded scan — acceptable at low token volume.
-        const candidates = await db
+        // O(1) lookup by primary key, filtered to unexpired and unused tokens
+        const [entry] = await db
             .select()
             .from(passwordResetTokens)
-            .where(and(gt(passwordResetTokens.expiresAt, new Date()), isNull(passwordResetTokens.usedAt)));
-        for (const entry of candidates) {
-            const expectedHash = hashToken(token, entry.tokenSalt);
-            if (expectedHash === entry.tokenHash) {
-                return entry.userId;
-            }
+            .where(and(eq(passwordResetTokens.id, tokenId), gt(passwordResetTokens.expiresAt, new Date()), isNull(passwordResetTokens.usedAt)))
+            .limit(1);
+        if (!entry) {
+            return null;
+        }
+        // Verify the token hash using timing-safe comparison
+        const expectedHash = hashToken(token, entry.tokenSalt);
+        const expectedBuf = Buffer.from(expectedHash);
+        const actualBuf = Buffer.from(entry.tokenHash);
+        if (expectedBuf.length === actualBuf.length && crypto.timingSafeEqual(expectedBuf, actualBuf)) {
+            return entry.userId;
         }
         return null;
     }
@@ -120,32 +133,38 @@ export async function validatePasswordResetToken(token) {
 /**
  * Resets password using a token
  *
- * @param token - Reset token (plain text)
+ * Uses O(1) lookup by token ID, then verifies the token hash.
+ *
+ * @param tokenId - Token row ID (from the reset URL)
+ * @param token - Reset token (plain text, from the reset URL)
  * @param newPassword - New password
  * @returns Success result
  */
-export async function resetPasswordWithToken(token, newPassword) {
+export async function resetPasswordWithToken(tokenId, token, newPassword) {
     try {
         const db = getClient();
-        // Find valid token by HMAC verification (same time-bounded scan as validatePasswordResetToken)
-        const candidates = await db
+        // O(1) lookup by primary key, filtered to unexpired and unused tokens
+        const [entry] = await db
             .select()
             .from(passwordResetTokens)
-            .where(and(gt(passwordResetTokens.expiresAt, new Date()), isNull(passwordResetTokens.usedAt)));
-        let entry;
-        for (const candidate of candidates) {
-            const expectedHash = hashToken(token, candidate.tokenSalt);
-            if (expectedHash === candidate.tokenHash) {
-                entry = candidate;
-                break;
-            }
-        }
+            .where(and(eq(passwordResetTokens.id, tokenId), gt(passwordResetTokens.expiresAt, new Date()), isNull(passwordResetTokens.usedAt)))
+            .limit(1);
         if (!entry) {
             return {
                 success: false,
                 error: 'Invalid or expired reset token',
             };
         }
+        // Verify the token hash using timing-safe comparison
+        const expectedHash = hashToken(token, entry.tokenSalt);
+        const expectedBuf = Buffer.from(expectedHash);
+        const actualBuf = Buffer.from(entry.tokenHash);
+        if (!(expectedBuf.length === actualBuf.length && crypto.timingSafeEqual(expectedBuf, actualBuf))) {
+            return {
+                success: false,
+                error: 'Invalid or expired reset token',
+            };
+        }
         // Validate password strength
         const { validatePasswordStrength } = await import('./password-validation.js');
         const passwordValidation = validatePasswordStrength(newPassword);
@@ -159,6 +178,9 @@ export async function resetPasswordWithToken(token, newPassword) {
         const password = await bcrypt.hash(newPassword, 12);
         // Update user password
         await db.update(users).set({ password }).where(eq(users.id, entry.userId));
+        // Invalidate all existing sessions for this user so any attacker who had
+        // a compromised session can no longer use it after the password change.
+        await db.delete(sessions).where(eq(sessions.userId, entry.userId));
         // Mark token as used (single-use enforcement)
         await db
             .update(passwordResetTokens)
@@ -176,28 +198,75 @@ export async function resetPasswordWithToken(token, newPassword) {
         };
     }
 }
+/**
+ * Change password for an authenticated user.
+ *
+ * Verifies the current password before updating. Does not touch sessions —
+ * the caller is responsible for revoking other sessions if desired.
+ *
+ * @param userId - Authenticated user ID
+ * @param currentPassword - Plain-text current password to verify
+ * @param newPassword - Plain-text new password to hash and store
+ */
+export async function changePassword(userId, currentPassword, newPassword) {
+    try {
+        const db = getClient();
+        const [user] = await db
+            .select({ id: users.id, password: users.password })
+            .from(users)
+            .where(eq(users.id, userId))
+            .limit(1);
+        if (!user) {
+            return { success: false, error: 'User not found.' };
+        }
+        if (!user.password) {
+            return {
+                success: false,
+                error: 'No password is set on this account. Use the password reset link to set one.',
+            };
+        }
+        const currentValid = await bcrypt.compare(currentPassword, user.password);
+        if (!currentValid) {
+            return { success: false, error: 'Current password is incorrect.' };
+        }
+        const newHash = await bcrypt.hash(newPassword, 12);
+        await db.update(users).set({ password: newHash }).where(eq(users.id, userId));
+        return { success: true };
+    }
+    catch (error) {
+        logger.error('Error changing password', error instanceof Error ? error : new Error(String(error)));
+        return { success: false, error: 'An unexpected error occurred.' };
+    }
+}
 /**
  * Invalidates a password reset token
  *
- * @param token - Reset token (plain text)
+ * Uses O(1) lookup by token ID, then verifies the token hash before marking as used.
+ *
+ * @param tokenId - Token row ID (from the reset URL)
+ * @param token - Reset token (plain text, from the reset URL)
  */
-export async function invalidatePasswordResetToken(token) {
+export async function invalidatePasswordResetToken(tokenId, token) {
     try {
         const db = getClient();
-        // Find the token entry by HMAC verification (time-bounded scan)
-        const candidates = await db
+        // O(1) lookup by primary key
+        const [entry] = await db
             .select()
             .from(passwordResetTokens)
-            .where(and(gt(passwordResetTokens.expiresAt, new Date()), isNull(passwordResetTokens.usedAt)));
-        for (const candidate of candidates) {
-            const expectedHash = hashToken(token, candidate.tokenSalt);
-            if (expectedHash === candidate.tokenHash) {
-                await db
-                    .update(passwordResetTokens)
-                    .set({ usedAt: new Date() })
-                    .where(eq(passwordResetTokens.id, candidate.id));
-                break;
-            }
+            .where(and(eq(passwordResetTokens.id, tokenId), gt(passwordResetTokens.expiresAt, new Date()), isNull(passwordResetTokens.usedAt)))
+            .limit(1);
+        if (!entry) {
+            return;
+        }
+        // Verify the token hash before invalidating
+        const expectedHash = hashToken(token, entry.tokenSalt);
+        const expectedBuf = Buffer.from(expectedHash);
+        const actualBuf = Buffer.from(entry.tokenHash);
+        if (expectedBuf.length === actualBuf.length && crypto.timingSafeEqual(expectedBuf, actualBuf)) {
+            await db
+                .update(passwordResetTokens)
+                .set({ usedAt: new Date() })
+                .where(eq(passwordResetTokens.id, entry.id));
         }
     }
     catch (error) {

package/dist/server/password-validation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"password-validation.d.ts","sourceRoot":"","sources":["../../src/server/password-validation.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,WAAW,wBAAwB;IACvC,KAAK,EAAE,OAAO,CAAA;IACd,MAAM,EAAE,MAAM,EAAE,CAAA;CACjB;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CAAC,QAAQ,EAAE,MAAM,GAAG,wBAAwB,CAgCnF;AAED;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAE1E"}
+{"version":3,"file":"password-validation.d.ts","sourceRoot":"","sources":["../../src/server/password-validation.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,WAAW,wBAAwB;IACvC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CAAC,QAAQ,EAAE,MAAM,GAAG,wBAAwB,CAgCnF;AAED;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAE1E"}

package/dist/server/providers/github.d.ts

@@ -0,0 +1,14 @@
+/**
+ * GitHub OAuth Provider
+ *
+ * Uses native fetch — no additional npm dependencies.
+ * Scopes: read:user user:email
+ *
+ * Note: GitHub may return null email if user has set it private.
+ * In that case we fetch from /user/emails and pick the primary verified one.
+ */
+import type { ProviderUser } from '../oauth.js';
+export declare function buildAuthUrl(clientId: string, redirectUri: string, state: string): string;
+export declare function exchangeCode(code: string, redirectUri: string): Promise<string>;
+export declare function fetchUser(accessToken: string): Promise<ProviderUser>;
+//# sourceMappingURL=github.d.ts.map

package/dist/server/providers/github.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"github.d.ts","sourceRoot":"","sources":["../../../src/server/providers/github.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEhD,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAOzF;AAED,wBAAsB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAqCrF;AAED,wBAAsB,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAoD1E"}