@revealui/auth 0.2.1 → 0.3.0

package/dist/react/useSignIn.js

@@ -6,18 +6,33 @@
 'use client';
 import { useCallback, useRef, useState } from 'react';
 import { z } from 'zod/v4';
+// Zod validates the required fields; .passthrough() preserves the rest.
+// The API returns JSON-serialized User objects (Dates as ISO strings).
+// z.infer output has an index signature incompatible with the concrete User
+// interface, so we extract the validated user via the helper below.
+const SignInUserSchema = z
+    .object({
+    id: z.string(),
+    email: z.string(),
+    name: z.string().nullable().optional(),
+})
+    .passthrough();
+/**
+ * Narrow Zod-validated API response data to User.
+ *
+ * The cast is safe because: (1) Zod verified the required fields (id, email),
+ * (2) .passthrough() preserves all other properties from the API response,
+ * and (3) the API serializes a full User row (Dates become ISO strings in JSON).
+ */
+function toUser(validated) {
+    return validated;
+}
 // Validation schemas for sign-in response
 const SignInErrorResponseSchema = z.object({
     error: z.string().optional(),
 });
 const SignInSuccessResponseSchema = z.object({
-    user: z
-        .object({
-        id: z.string(),
-        email: z.string(),
-        name: z.string().nullable().optional(),
-    })
-        .passthrough(), // Allow all other User properties
+    user: SignInUserSchema,
 });
 /**
  * Hook to sign in a user
@@ -68,12 +83,19 @@ export function useSignIn() {
                     error: errorData.error || 'Failed to sign in',
                 };
             }
+            // Check for MFA challenge before parsing as full success
+            const jsonObj = json;
+            if (jsonObj.requiresMfa === true && typeof jsonObj.mfaUserId === 'string') {
+                return {
+                    success: false,
+                    requiresMfa: true,
+                    mfaUserId: jsonObj.mfaUserId,
+                };
+            }
             const successData = SignInSuccessResponseSchema.parse(json);
             return {
                 success: true,
-                // Type assertion through unknown is safe because Zod validation ensures the shape is correct
-                // The API returns serialized data, so we cast to expected type
-                user: successData.user,
+                user: toUser(successData.user),
             };
         }
         catch (err) {

package/dist/react/useSignOut.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"useSignOut.d.ts","sourceRoot":"","sources":["../../src/react/useSignOut.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;IAC5B,SAAS,EAAE,OAAO,CAAA;IAClB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAA;CACpB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,UAAU,IAAI,gBAAgB,CAkC7C"}
+{"version":3,"file":"useSignOut.d.ts","sourceRoot":"","sources":["../../src/react/useSignOut.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7B,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;CACrB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,UAAU,IAAI,gBAAgB,CAkC7C"}

package/dist/react/useSignUp.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"useSignUp.d.ts","sourceRoot":"","sources":["../../src/react/useSignUp.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,aAAa,CAAA;AAiBvC,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAA;IACb,QAAQ,EAAE,MAAM,CAAA;IAChB,IAAI,EAAE,MAAM,CAAA;IACZ,WAAW,EAAE,IAAI,CAAA;CAClB;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,IAAI,CAAC,EAAE,IAAI,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IAC1F,SAAS,EAAE,OAAO,CAAA;IAClB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAA;CACpB;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,SAAS,IAAI,eAAe,CAoD3C"}
+{"version":3,"file":"useSignUp.d.ts","sourceRoot":"","sources":["../../src/react/useSignUp.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AAmCxC,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,IAAI,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,IAAI,CAAC,EAAE,IAAI,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC3F,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;CACrB;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,SAAS,IAAI,eAAe,CAoD3C"}

package/dist/react/useSignUp.js

@@ -6,18 +6,34 @@
 'use client';
 import { useState } from 'react';
 import { z } from 'zod/v4';
+// Zod validates the required fields; .passthrough() preserves the rest.
+// The API returns JSON-serialized User objects (Dates as ISO strings).
+// z.infer output has an index signature incompatible with the concrete User
+// interface, so we extract the validated user via the helper below.
+const SignUpUserSchema = z
+    .object({
+    id: z.string(),
+    email: z.string(),
+    name: z.string().nullable().optional(),
+})
+    .passthrough();
+/**
+ * Narrow Zod-validated API response data to User.
+ *
+ * The cast is safe because: (1) Zod verified the required fields (id, email),
+ * (2) .passthrough() preserves all other properties from the API response,
+ * and (3) the API serializes a full User row (Dates become ISO strings in JSON).
+ */
+function toUser(validated) {
+    return validated;
+}
 // Validation schemas for sign-up response
 const SignUpErrorResponseSchema = z.object({
+    message: z.string().optional(),
     error: z.string().optional(),
 });
 const SignUpSuccessResponseSchema = z.object({
-    user: z
-        .object({
-        id: z.string(),
-        email: z.string(),
-        name: z.string().nullable().optional(),
-    })
-        .passthrough(), // Allow all other User properties
+    user: SignUpUserSchema,
 });
 /**
  * Hook to sign up a new user
@@ -59,7 +75,7 @@ export function useSignUp() {
                 const errorData = SignUpErrorResponseSchema.parse(json);
                 return {
                     success: false,
-                    error: errorData.error || 'Failed to sign up',
+                    error: errorData.message || errorData.error || 'Failed to sign up',
                 };
             }
             const successData = SignUpSuccessResponseSchema.parse(json);
@@ -67,7 +83,7 @@ export function useSignUp() {
                 success: true,
                 // Type assertion through unknown is safe because Zod validation ensures the shape is correct
                 // The API returns serialized data, so we cast to expected type
-                user: successData.user,
+                user: toUser(successData.user),
             };
         }
         catch (err) {

package/dist/server/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAQH,OAAO,KAAK,EAAE,YAAY,EAAE,YAAY,EAAQ,MAAM,aAAa,CAAA;AAMnE;;;;;;;GAOG;AACH,wBAAsB,MAAM,CAC1B,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;IACR,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB,GACA,OAAO,CAAC,YAAY,CAAC,CAwHvB;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAiBtD;AAED;;;;;;;;GAQG;AACH,wBAAsB,MAAM,CAC1B,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE;IACR,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,aAAa,CAAC,EAAE,IAAI,CAAA;IACpB,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB,GACA,OAAO,CAAC,YAAY,CAAC,CAkJvB"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAQH,OAAO,KAAK,EAAE,YAAY,EAAE,YAAY,EAAQ,MAAM,aAAa,CAAC;AASpE;;;;;;;GAOG;AACH,wBAAsB,MAAM,CAC1B,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;IACR,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,GACA,OAAO,CAAC,YAAY,CAAC,CA2JvB;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAiBtD;AAED;;;;;;;;GAQG;AACH,wBAAsB,MAAM,CAC1B,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE;IACR,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,IAAI,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,GACA,OAAO,CAAC,YAAY,CAAC,CAsLvB"}

package/dist/server/auth.js

@@ -6,13 +6,15 @@
 import { createHash, randomBytes } from 'node:crypto';
 import { logger } from '@revealui/core/observability/logger';
 import { getClient } from '@revealui/db/client';
-import { users } from '@revealui/db/schema';
+import { oauthAccounts, users } from '@revealui/db/schema';
 import bcrypt from 'bcryptjs';
-import { eq } from 'drizzle-orm';
+import { and, eq, isNull } from 'drizzle-orm';
 import { clearFailedAttempts, isAccountLocked, recordFailedAttempt } from './brute-force.js';
 import { validatePasswordStrength } from './password-validation.js';
 import { checkRateLimit } from './rate-limit.js';
 import { createSession } from './session.js';
+/** Grace period after signup during which unverified users can still sign in (24 hours) */
+const EMAIL_VERIFICATION_GRACE_PERIOD_MS = 24 * 60 * 60 * 1000;
 /**
  * Sign in with email and password
  *
@@ -29,6 +31,7 @@ export async function signIn(email, password, options) {
         if (!rateLimit.allowed) {
             return {
                 success: false,
+                reason: 'rate_limited',
                 error: 'Too many login attempts. Please try again later.',
             };
         }
@@ -40,6 +43,7 @@ export async function signIn(email, password, options) {
                 : 30;
             return {
                 success: false,
+                reason: 'account_locked',
                 error: `Account locked due to too many failed attempts. Please try again in ${lockMinutes} minutes.`,
             };
         }
@@ -51,19 +55,25 @@ export async function signIn(email, password, options) {
             logger.error('Error getting database client');
             return {
                 success: false,
+                reason: 'database_error',
                 error: 'Database connection failed',
             };
         }
         // Find user by email
         let user;
         try {
-            const result = await db.select().from(users).where(eq(users.email, email)).limit(1);
+            const result = await db
+                .select()
+                .from(users)
+                .where(and(eq(users.email, email), isNull(users.deletedAt)))
+                .limit(1);
             user = result[0];
         }
         catch {
             logger.error('Error querying user');
             return {
                 success: false,
+                reason: 'database_error',
                 error: 'Database error',
             };
         }
@@ -73,6 +83,7 @@ export async function signIn(email, password, options) {
             await recordFailedAttempt(email);
             return {
                 success: false,
+                reason: 'invalid_credentials',
                 error: invalidCredentialsMessage,
             };
         }
@@ -81,6 +92,7 @@ export async function signIn(email, password, options) {
             await recordFailedAttempt(email);
             return {
                 success: false,
+                reason: 'invalid_credentials',
                 error: invalidCredentialsMessage,
             };
         }
@@ -94,6 +106,7 @@ export async function signIn(email, password, options) {
             await recordFailedAttempt(email);
             return {
                 success: false,
+                reason: 'invalid_credentials',
                 error: invalidCredentialsMessage,
             };
         }
@@ -101,11 +114,31 @@ export async function signIn(email, password, options) {
             await recordFailedAttempt(email);
             return {
                 success: false,
+                reason: 'invalid_credentials',
                 error: invalidCredentialsMessage,
             };
         }
         // Successful login - clear failed attempts
         await clearFailedAttempts(email);
+        // Check email verification (with grace period for new accounts)
+        if (!user.emailVerified) {
+            const accountAge = Date.now() - user.createdAt.getTime();
+            if (accountAge > EMAIL_VERIFICATION_GRACE_PERIOD_MS) {
+                return {
+                    success: false,
+                    reason: 'email_not_verified',
+                    error: 'Please verify your email address before signing in.',
+                };
+            }
+        }
+        // Check if MFA is enabled — if so, return early and require TOTP verification
+        if (user.mfaEnabled) {
+            return {
+                success: true,
+                requiresMfa: true,
+                mfaUserId: user.id,
+            };
+        }
         // Create session
         let token;
         try {
@@ -119,6 +152,7 @@ export async function signIn(email, password, options) {
             logger.error('Error creating session');
             return {
                 success: false,
+                reason: 'session_error',
                 error: 'Failed to create session',
             };
         }
@@ -132,6 +166,7 @@ export async function signIn(email, password, options) {
         logger.error('Unexpected error in signIn');
         return {
             success: false,
+            reason: 'unexpected_error',
             error: 'Unexpected error',
         };
     }
@@ -208,7 +243,9 @@ export async function signUp(email, password, name, options) {
                 error: 'Database connection failed',
             };
         }
-        // Check if user already exists
+        // Check if user already exists (by email in users table or OAuth accounts).
+        // Both checks prevent account collision: a password signup must not collide
+        // with an existing OAuth identity for the same email address.
         let existing;
         try {
             const result = await db.select().from(users).where(eq(users.email, email)).limit(1);
@@ -227,6 +264,29 @@ export async function signUp(email, password, name, options) {
                 error: 'Unable to create account',
             };
         }
+        // Block signup if an OAuth account already uses this email.
+        // Without this check, an attacker could create a password account
+        // for an email that was registered via OAuth, enabling account takeover.
+        try {
+            const [existingOAuth] = await db
+                .select({ id: oauthAccounts.id })
+                .from(oauthAccounts)
+                .where(eq(oauthAccounts.providerEmail, email))
+                .limit(1);
+            if (existingOAuth) {
+                return {
+                    success: false,
+                    error: 'Unable to create account',
+                };
+            }
+        }
+        catch {
+            logger.error('Error checking OAuth accounts');
+            return {
+                success: false,
+                error: 'Database error',
+            };
+        }
         // Hash password
         let hashedPassword;
         try {
@@ -290,6 +350,17 @@ export async function signUp(email, password, name, options) {
         }
         catch {
             logger.error('Error creating session');
+            // Clean up orphaned user so the email isn't permanently locked out.
+            // Without this, a retry would fail with "Unable to create account"
+            // because the user row already exists but has no valid session.
+            try {
+                await db.delete(users).where(eq(users.id, user.id));
+            }
+            catch {
+                logger.error('Failed to clean up orphaned user after session creation failure', undefined, {
+                    userId: user.id,
+                });
+            }
             return {
                 success: false,
                 error: 'Failed to create session',

package/dist/server/brute-force.d.ts

@@ -2,13 +2,22 @@
  * Brute Force Protection
  *
  * Tracks failed login attempts and locks accounts after threshold.
- * Uses storage abstraction (Redis, database, or in-memory).
+ * Uses storage abstraction (database or in-memory).
  */
 export interface BruteForceConfig {
     maxAttempts: number;
     lockDurationMs: number;
     windowMs: number;
 }
+/**
+ * Override default brute force configuration globally.
+ * Per-call config parameters still take precedence.
+ */
+export declare function configureBruteForce(overrides: Partial<BruteForceConfig>): void;
+/**
+ * Reset brute force configuration to defaults (for testing).
+ */
+export declare function resetBruteForceConfig(): void;
 /**
  * Records a failed login attempt
  *

package/dist/server/brute-force.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"brute-force.d.ts","sourceRoot":"","sources":["../../src/server/brute-force.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAUH,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,MAAM,CAAA;IACnB,cAAc,EAAE,MAAM,CAAA;IACtB,QAAQ,EAAE,MAAM,CAAA;CACjB;AAqCD;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,KAAK,EAAE,MAAM,EACb,MAAM,GAAE,gBAAiC,GACxC,OAAO,CAAC,IAAI,CAAC,CA0Cf;AAED;;;;GAIG;AACH,wBAAsB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAItE;AAED;;;;;;GAMG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EACb,MAAM,GAAE,gBAAiC,GACxC,OAAO,CAAC;IAAE,MAAM,EAAE,OAAO,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,iBAAiB,EAAE,MAAM,CAAA;CAAE,CAAC,CA6C7E;AAED;;;;;GAKG;AACH,wBAAsB,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAQ1E"}
+{"version":3,"file":"brute-force.d.ts","sourceRoot":"","sources":["../../src/server/brute-force.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAUH,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAUD;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,OAAO,CAAC,gBAAgB,CAAC,GAAG,IAAI,CAE9E;AAED;;GAEG;AACH,wBAAgB,qBAAqB,IAAI,IAAI,CAE5C;AA+BD;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,KAAK,EAAE,MAAM,EACb,MAAM,GAAE,gBAA+B,GACtC,OAAO,CAAC,IAAI,CAAC,CA0Cf;AAED;;;;GAIG;AACH,wBAAsB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAItE;AAED;;;;;;GAMG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EACb,MAAM,GAAE,gBAA+B,GACtC,OAAO,CAAC;IAAE,MAAM,EAAE,OAAO,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,iBAAiB,EAAE,MAAM,CAAA;CAAE,CAAC,CA6C7E;AAED;;;;;GAKG;AACH,wBAAsB,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAQ1E"}

package/dist/server/brute-force.js

@@ -2,7 +2,7 @@
  * Brute Force Protection
  *
  * Tracks failed login attempts and locks accounts after threshold.
- * Uses storage abstraction (Redis, database, or in-memory).
+ * Uses storage abstraction (database or in-memory).
  */
 import { getStorage } from './storage/index.js';
 const DEFAULT_CONFIG = {
@@ -10,6 +10,20 @@ const DEFAULT_CONFIG = {
     lockDurationMs: 30 * 60 * 1000, // 30 minutes
     windowMs: 15 * 60 * 1000, // 15 minutes
 };
+let globalConfig = { ...DEFAULT_CONFIG };
+/**
+ * Override default brute force configuration globally.
+ * Per-call config parameters still take precedence.
+ */
+export function configureBruteForce(overrides) {
+    globalConfig = { ...DEFAULT_CONFIG, ...overrides };
+}
+/**
+ * Reset brute force configuration to defaults (for testing).
+ */
+export function resetBruteForceConfig() {
+    globalConfig = { ...DEFAULT_CONFIG };
+}
 /**
  * Serialize failed attempt entry
  */
@@ -42,7 +56,7 @@ function getStorageKey(email) {
  * @param email - User email
  * @param config - Brute force configuration
  */
-export async function recordFailedAttempt(email, config = DEFAULT_CONFIG) {
+export async function recordFailedAttempt(email, config = globalConfig) {
     const storage = getStorage();
     const storageKey = getStorageKey(email);
     const updater = (entryData) => {
@@ -94,7 +108,7 @@ export async function clearFailedAttempts(email) {
  * @param config - Brute force configuration
  * @returns Lock status
  */
-export async function isAccountLocked(email, config = DEFAULT_CONFIG) {
+export async function isAccountLocked(email, config = globalConfig) {
     const storage = getStorage();
     const storageKey = getStorageKey(email);
     const now = Date.now();

package/dist/server/errors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/server/errors.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,qBAAa,SAAU,SAAQ,KAAK;IAGzB,IAAI,EAAE,MAAM;IACZ,UAAU,EAAE,MAAM;gBAFzB,OAAO,EAAE,MAAM,EACR,IAAI,EAAE,MAAM,EACZ,UAAU,GAAE,MAAY;CAKlC;AAED,qBAAa,YAAa,SAAQ,SAAS;gBAC7B,OAAO,GAAE,MAAwB,EAAE,UAAU,GAAE,MAAY;CAIxE;AAED,qBAAa,mBAAoB,SAAQ,SAAS;gBACpC,OAAO,GAAE,MAAgC,EAAE,UAAU,GAAE,MAAY;CAIhF;AAED,qBAAa,aAAc,SAAQ,SAAS;IACnC,aAAa,CAAC,EAAE,KAAK,CAAA;gBAEhB,OAAO,GAAE,MAAyB,EAAE,aAAa,CAAC,EAAE,OAAO;CAOxE;AAED,qBAAa,UAAW,SAAQ,SAAS;gBAC3B,OAAO,GAAE,MAAsB,EAAE,UAAU,GAAE,MAAY;CAItE;AAED,qBAAa,yBAA0B,SAAQ,SAAS;IAC/C,KAAK,EAAE,MAAM,CAAA;gBAER,KAAK,EAAE,MAAM;CAS1B"}
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/server/errors.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,qBAAa,SAAU,SAAQ,KAAK;IAGzB,IAAI,EAAE,MAAM;IACZ,UAAU,EAAE,MAAM;gBAFzB,OAAO,EAAE,MAAM,EACR,IAAI,EAAE,MAAM,EACZ,UAAU,GAAE,MAAY;CAKlC;AAED,qBAAa,YAAa,SAAQ,SAAS;gBAC7B,OAAO,GAAE,MAAwB,EAAE,UAAU,GAAE,MAAY;CAIxE;AAED,qBAAa,mBAAoB,SAAQ,SAAS;gBACpC,OAAO,GAAE,MAAgC,EAAE,UAAU,GAAE,MAAY;CAIhF;AAED,qBAAa,aAAc,SAAQ,SAAS;IACnC,aAAa,CAAC,EAAE,KAAK,CAAC;gBAEjB,OAAO,GAAE,MAAyB,EAAE,aAAa,CAAC,EAAE,OAAO;CAOxE;AAED,qBAAa,UAAW,SAAQ,SAAS;gBAC3B,OAAO,GAAE,MAAsB,EAAE,UAAU,GAAE,MAAY;CAItE;AAED,qBAAa,yBAA0B,SAAQ,SAAS;IAC/C,KAAK,EAAE,MAAM,CAAC;gBAET,KAAK,EAAE,MAAM;CAS1B"}

package/dist/server/index.d.ts

@@ -6,12 +6,22 @@
  */
 export type { SignInResult, SignUpResult } from '../types.js';
 export { isSignupAllowed, signIn, signUp } from './auth.js';
-export { clearFailedAttempts, getFailedAttemptCount, isAccountLocked, recordFailedAttempt, } from './brute-force.js';
+export { clearFailedAttempts, configureBruteForce, getFailedAttemptCount, isAccountLocked, recordFailedAttempt, resetBruteForceConfig, } from './brute-force.js';
 export { AuthError, AuthenticationError, DatabaseError, OAuthAccountConflictError, SessionError, TokenError, } from './errors.js';
-export { buildAuthUrl, exchangeCode, fetchProviderUser, generateOAuthState, type ProviderUser, upsertOAuthUser, verifyOAuthState, } from './oauth.js';
-export type { PasswordResetResult, PasswordResetToken } from './password-reset.js';
-export { generatePasswordResetToken, invalidatePasswordResetToken, resetPasswordWithToken, validatePasswordResetToken, } from './password-reset.js';
+export type { MagicLinkConfig } from './magic-link.js';
+export { configureMagicLink, createMagicLink, resetMagicLinkConfig, verifyMagicLink, } from './magic-link.js';
+export type { MFAConfig, MFADisableProof, MFASetupResult } from './mfa.js';
+export { configureMFA, disableMFA, initiateMFASetup, isMFAEnabled, regenerateBackupCodes, resetMFAConfig, verifyBackupCode, verifyMFACode, verifyMFASetup, } from './mfa.js';
+export { buildAuthUrl, exchangeCode, fetchProviderUser, generateOAuthState, getLinkedProviders, linkOAuthAccount, type ProviderUser, unlinkOAuthAccount, upsertOAuthUser, verifyOAuthState, } from './oauth.js';
+export type { PasskeyConfig } from './passkey.js';
+export { configurePasskey, countUserCredentials, deletePasskey, generateAuthenticationChallenge, generateRegistrationChallenge, listPasskeys, renamePasskey, resetPasskeyConfig, storePasskey, verifyAuthentication, verifyRegistration, } from './passkey.js';
+export type { ChangePasswordResult, PasswordResetResult, PasswordResetToken, } from './password-reset.js';
+export { changePassword, generatePasswordResetToken, invalidatePasswordResetToken, resetPasswordWithToken, validatePasswordResetToken, } from './password-reset.js';
 export { meetsMinimumPasswordRequirements, validatePasswordStrength, } from './password-validation.js';
-export { checkRateLimit, getRateLimitStatus, resetRateLimit, } from './rate-limit.js';
-export { createSession, deleteAllUserSessions, deleteSession, getSession, } from './session.js';
+export { checkRateLimit, configureRateLimit, getRateLimitStatus, resetRateLimit, resetRateLimitConfig, } from './rate-limit.js';
+export type { RequestContext, SessionBindingConfig, SessionData } from './session.js';
+export { configureSessionBinding, createSession, deleteAllUserSessions, deleteSession, getSession, resetSessionBindingConfig, rotateSession, validateSessionBinding, } from './session.js';
+export { signCookiePayload, verifyCookiePayload } from './signed-cookie.js';
+export type { Storage } from './storage/index.js';
+export { createStorage, DatabaseStorage, getStorage, InMemoryStorage, resetStorage, } from './storage/index.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/server/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC7D,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,WAAW,CAAA;AAC3D,OAAO,EACL,mBAAmB,EACnB,qBAAqB,EACrB,eAAe,EACf,mBAAmB,GACpB,MAAM,kBAAkB,CAAA;AACzB,OAAO,EACL,SAAS,EACT,mBAAmB,EACnB,aAAa,EACb,yBAAyB,EACzB,YAAY,EACZ,UAAU,GACX,MAAM,aAAa,CAAA;AACpB,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,iBAAiB,EACjB,kBAAkB,EAClB,KAAK,YAAY,EACjB,eAAe,EACf,gBAAgB,GACjB,MAAM,YAAY,CAAA;AACnB,YAAY,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAA;AAClF,OAAO,EACL,0BAA0B,EAC1B,4BAA4B,EAC5B,sBAAsB,EACtB,0BAA0B,GAC3B,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,gCAAgC,EAChC,wBAAwB,GACzB,MAAM,0BAA0B,CAAA;AACjC,OAAO,EACL,cAAc,EACd,kBAAkB,EAClB,cAAc,GACf,MAAM,iBAAiB,CAAA;AACxB,OAAO,EACL,aAAa,EACb,qBAAqB,EACrB,aAAa,EACb,UAAU,GACX,MAAM,cAAc,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC9D,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,WAAW,CAAC;AAC5D,OAAO,EACL,mBAAmB,EACnB,mBAAmB,EACnB,qBAAqB,EACrB,eAAe,EACf,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,SAAS,EACT,mBAAmB,EACnB,aAAa,EACb,yBAAyB,EACzB,YAAY,EACZ,UAAU,GACX,MAAM,aAAa,CAAC;AAErB,YAAY,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,EACL,kBAAkB,EAClB,eAAe,EACf,oBAAoB,EACpB,eAAe,GAChB,MAAM,iBAAiB,CAAC;AACzB,YAAY,EAAE,SAAS,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC3E,OAAO,EACL,YAAY,EACZ,UAAU,EACV,gBAAgB,EAChB,YAAY,EACZ,qBAAqB,EACrB,cAAc,EACd,gBAAgB,EAChB,aAAa,EACb,cAAc,GACf,MAAM,UAAU,CAAC;AAClB,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,iBAAiB,EACjB,kBAAkB,EAClB,kBAAkB,EAClB,gBAAgB,EAChB,KAAK,YAAY,EACjB,kBAAkB,EAClB,eAAe,EACf,gBAAgB,GACjB,MAAM,YAAY,CAAC;AAEpB,YAAY,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAClD,OAAO,EACL,gBAAgB,EAChB,oBAAoB,EACpB,aAAa,EACb,+BAA+B,EAC/B,6BAA6B,EAC7B,YAAY,EACZ,aAAa,EACb,kBAAkB,EAClB,YAAY,EACZ,oBAAoB,EACpB,kBAAkB,GACnB,MAAM,cAAc,CAAC;AACtB,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,cAAc,EACd,0BAA0B,EAC1B,4BAA4B,EAC5B,sBAAsB,EACtB,0BAA0B,GAC3B,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,gCAAgC,EAChC,wBAAwB,GACzB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,cAAc,EACd,kBAAkB,EAClB,kBAAkB,EAClB,cAAc,EACd,oBAAoB,GACrB,MAAM,iBAAiB,CAAC;AACzB,YAAY,EAAE,cAAc,EAAE,oBAAoB,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AACtF,OAAO,EACL,uBAAuB,EACvB,aAAa,EACb,qBAAqB,EACrB,aAAa,EACb,UAAU,EACV,yBAAyB,EACzB,aAAa,EACb,sBAAsB,GACvB,MAAM,cAAc,CAAC;AAEtB,OAAO,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC5E,YAAY,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EACL,aAAa,EACb,eAAe,EACf,UAAU,EACV,eAAe,EACf,YAAY,GACb,MAAM,oBAAoB,CAAC"}

package/dist/server/index.js

@@ -5,10 +5,16 @@
  * Inspired by Better Auth and Neon Auth patterns.
  */
 export { isSignupAllowed, signIn, signUp } from './auth.js';
-export { clearFailedAttempts, getFailedAttemptCount, isAccountLocked, recordFailedAttempt, } from './brute-force.js';
+export { clearFailedAttempts, configureBruteForce, getFailedAttemptCount, isAccountLocked, recordFailedAttempt, resetBruteForceConfig, } from './brute-force.js';
 export { AuthError, AuthenticationError, DatabaseError, OAuthAccountConflictError, SessionError, TokenError, } from './errors.js';
-export { buildAuthUrl, exchangeCode, fetchProviderUser, generateOAuthState, upsertOAuthUser, verifyOAuthState, } from './oauth.js';
-export { generatePasswordResetToken, invalidatePasswordResetToken, resetPasswordWithToken, validatePasswordResetToken, } from './password-reset.js';
+export { configureMagicLink, createMagicLink, resetMagicLinkConfig, verifyMagicLink, } from './magic-link.js';
+export { configureMFA, disableMFA, initiateMFASetup, isMFAEnabled, regenerateBackupCodes, resetMFAConfig, verifyBackupCode, verifyMFACode, verifyMFASetup, } from './mfa.js';
+export { buildAuthUrl, exchangeCode, fetchProviderUser, generateOAuthState, getLinkedProviders, linkOAuthAccount, unlinkOAuthAccount, upsertOAuthUser, verifyOAuthState, } from './oauth.js';
+export { configurePasskey, countUserCredentials, deletePasskey, generateAuthenticationChallenge, generateRegistrationChallenge, listPasskeys, renamePasskey, resetPasskeyConfig, storePasskey, verifyAuthentication, verifyRegistration, } from './passkey.js';
+export { changePassword, generatePasswordResetToken, invalidatePasswordResetToken, resetPasswordWithToken, validatePasswordResetToken, } from './password-reset.js';
 export { meetsMinimumPasswordRequirements, validatePasswordStrength, } from './password-validation.js';
-export { checkRateLimit, getRateLimitStatus, resetRateLimit, } from './rate-limit.js';
-export { createSession, deleteAllUserSessions, deleteSession, getSession, } from './session.js';
+export { checkRateLimit, configureRateLimit, getRateLimitStatus, resetRateLimit, resetRateLimitConfig, } from './rate-limit.js';
+export { configureSessionBinding, createSession, deleteAllUserSessions, deleteSession, getSession, resetSessionBindingConfig, rotateSession, validateSessionBinding, } from './session.js';
+// Signed Cookie
+export { signCookiePayload, verifyCookiePayload } from './signed-cookie.js';
+export { createStorage, DatabaseStorage, getStorage, InMemoryStorage, resetStorage, } from './storage/index.js';

package/dist/server/magic-link.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Magic Link Token Module
+ *
+ * Generates and verifies single-use, time-limited tokens for passwordless
+ * email authentication and account recovery flows.
+ *
+ * Tokens are stored in the database as HMAC-SHA256 hashes with per-token salts,
+ * following the same security pattern as password-reset.ts.
+ */
+export interface MagicLinkConfig {
+    /** Token expiry in ms (default: 15 minutes) */
+    tokenExpiryMs: number;
+    /** Temp session duration in ms (default: 30 minutes) */
+    tempSessionDurationMs: number;
+    /** Max requests per hour per email (default: 3) */
+    maxRequestsPerHour: number;
+}
+export declare function configureMagicLink(overrides: Partial<MagicLinkConfig>): void;
+export declare function resetMagicLinkConfig(): void;
+/**
+ * Creates a magic link token for a user.
+ *
+ * - Generates a 32-byte random token
+ * - Hashes it with HMAC-SHA256 + per-token salt
+ * - Cleans up expired magic links for the same user (opportunistic)
+ * - Inserts the hashed token into the database
+ *
+ * @param userId - User ID to create the magic link for
+ * @returns The plaintext token (to embed in the email link) and its expiry
+ */
+export declare function createMagicLink(userId: string): Promise<{
+    token: string;
+    expiresAt: Date;
+}>;
+/**
+ * Verifies a magic link token.
+ *
+ * Selects all unexpired, unused magic links and checks each one against the
+ * provided token using HMAC-SHA256 + timingSafeEqual. This is a table scan
+ * by design (same approach as password-reset.ts validation). The table stays
+ * small due to opportunistic cleanup in createMagicLink.
+ *
+ * On match: marks the token as used and returns the userId.
+ * On no match: returns null.
+ *
+ * @param token - Plaintext token from the magic link URL
+ * @returns Object with userId if valid, null otherwise
+ */
+export declare function verifyMagicLink(token: string): Promise<{
+    userId: string;
+} | null>;
+//# sourceMappingURL=magic-link.d.ts.map

package/dist/server/magic-link.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"magic-link.d.ts","sourceRoot":"","sources":["../../src/server/magic-link.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAWH,MAAM,WAAW,eAAe;IAC9B,+CAA+C;IAC/C,aAAa,EAAE,MAAM,CAAC;IACtB,wDAAwD;IACxD,qBAAqB,EAAE,MAAM,CAAC;IAC9B,mDAAmD;IACnD,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAUD,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,OAAO,CAAC,eAAe,CAAC,GAAG,IAAI,CAE5E;AAED,wBAAgB,oBAAoB,IAAI,IAAI,CAE3C;AA0BD;;;;;;;;;;GAUG;AACH,wBAAsB,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,IAAI,CAAA;CAAE,CAAC,CAyBjG;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,MAAM,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CAuBvF"}

package/dist/server/magic-link.js

@@ -0,0 +1,111 @@
+/**
+ * Magic Link Token Module
+ *
+ * Generates and verifies single-use, time-limited tokens for passwordless
+ * email authentication and account recovery flows.
+ *
+ * Tokens are stored in the database as HMAC-SHA256 hashes with per-token salts,
+ * following the same security pattern as password-reset.ts.
+ */
+import crypto from 'node:crypto';
+import { getClient } from '@revealui/db/client';
+import { magicLinks } from '@revealui/db/schema';
+import { and, eq, gt, isNull, lt } from 'drizzle-orm';
+const DEFAULT_CONFIG = {
+    tokenExpiryMs: 15 * 60 * 1000,
+    tempSessionDurationMs: 30 * 60 * 1000,
+    maxRequestsPerHour: 3,
+};
+let config = { ...DEFAULT_CONFIG };
+export function configureMagicLink(overrides) {
+    config = { ...DEFAULT_CONFIG, ...overrides };
+}
+export function resetMagicLinkConfig() {
+    config = { ...DEFAULT_CONFIG };
+}
+// =============================================================================
+// Crypto helpers (same pattern as password-reset.ts)
+// =============================================================================
+/**
+ * Hash a token using HMAC-SHA256 with a per-token salt.
+ * The salt is stored in the DB alongside the hash; this defeats rainbow
+ * table attacks even if the database is fully compromised.
+ */
+function hashToken(token, salt) {
+    return crypto.createHmac('sha256', salt).update(token).digest('hex');
+}
+/**
+ * Generate a 16-byte random salt (hex string).
+ */
+function generateSalt() {
+    return crypto.randomBytes(16).toString('hex');
+}
+// =============================================================================
+// Public API
+// =============================================================================
+/**
+ * Creates a magic link token for a user.
+ *
+ * - Generates a 32-byte random token
+ * - Hashes it with HMAC-SHA256 + per-token salt
+ * - Cleans up expired magic links for the same user (opportunistic)
+ * - Inserts the hashed token into the database
+ *
+ * @param userId - User ID to create the magic link for
+ * @returns The plaintext token (to embed in the email link) and its expiry
+ */
+export async function createMagicLink(userId) {
+    const db = getClient();
+    // Generate secure token with per-token salt
+    const token = crypto.randomBytes(32).toString('hex');
+    const tokenSalt = generateSalt();
+    const tokenHash = hashToken(token, tokenSalt);
+    const expiresAt = new Date(Date.now() + config.tokenExpiryMs);
+    const id = crypto.randomUUID();
+    // Opportunistic cleanup: delete expired magic links for this user
+    await db
+        .delete(magicLinks)
+        .where(and(eq(magicLinks.userId, userId), lt(magicLinks.expiresAt, new Date())));
+    // Store hashed token + salt in database
+    await db.insert(magicLinks).values({
+        id,
+        userId,
+        tokenHash,
+        tokenSalt,
+        expiresAt,
+    });
+    return { token, expiresAt };
+}
+/**
+ * Verifies a magic link token.
+ *
+ * Selects all unexpired, unused magic links and checks each one against the
+ * provided token using HMAC-SHA256 + timingSafeEqual. This is a table scan
+ * by design (same approach as password-reset.ts validation). The table stays
+ * small due to opportunistic cleanup in createMagicLink.
+ *
+ * On match: marks the token as used and returns the userId.
+ * On no match: returns null.
+ *
+ * @param token - Plaintext token from the magic link URL
+ * @returns Object with userId if valid, null otherwise
+ */
+export async function verifyMagicLink(token) {
+    const db = getClient();
+    // Select unexpired, unused magic links only — expired tokens can never match
+    const rows = await db
+        .select()
+        .from(magicLinks)
+        .where(and(isNull(magicLinks.usedAt), gt(magicLinks.expiresAt, new Date())));
+    for (const row of rows) {
+        const expectedHash = hashToken(token, row.tokenSalt);
+        const expectedBuf = Buffer.from(expectedHash);
+        const actualBuf = Buffer.from(row.tokenHash);
+        if (expectedBuf.length === actualBuf.length && crypto.timingSafeEqual(expectedBuf, actualBuf)) {
+            // Mark token as used (single-use enforcement)
+            await db.update(magicLinks).set({ usedAt: new Date() }).where(eq(magicLinks.id, row.id));
+            return { userId: row.userId };
+        }
+    }
+    return null;
+}