@revealui/auth 0.2.1 → 0.3.0

package/dist/server/passkey.d.ts

@@ -0,0 +1,132 @@
+/**
+ * WebAuthn Passkey Module
+ *
+ * Implements passkey registration, authentication, and management using
+ * @simplewebauthn/server v13. Passkeys enable passwordless authentication
+ * via biometrics, security keys, or platform authenticators.
+ *
+ * @see https://simplewebauthn.dev/
+ */
+import type { AuthenticationResponseJSON, PublicKeyCredentialCreationOptionsJSON, PublicKeyCredentialRequestOptionsJSON, RegistrationResponseJSON, VerifiedRegistrationResponse, WebAuthnCredential } from '@simplewebauthn/server';
+export interface PasskeyConfig {
+    /** Maximum passkeys per user (default: 10) */
+    maxPasskeysPerUser: number;
+    /** Challenge TTL in ms (default: 5 minutes) */
+    challengeTtlMs: number;
+    /** Relying Party ID — domain name (default: 'localhost') */
+    rpId: string;
+    /** Relying Party name — user-visible (default: 'RevealUI') */
+    rpName: string;
+    /** Expected origin(s) for verification (default: 'http://localhost:4000') */
+    origin: string | string[];
+}
+export declare function configurePasskey(overrides: Partial<PasskeyConfig>): void;
+export declare function resetPasskeyConfig(): void;
+/**
+ * Generate WebAuthn registration options for a user.
+ *
+ * The returned object should be passed to the browser's navigator.credentials.create().
+ * The challenge is embedded in the options and should be stored server-side
+ * for verification.
+ *
+ * @param userId - User's database ID
+ * @param userEmail - User's email (used as userName in WebAuthn)
+ * @param existingCredentialIds - Credential IDs to exclude (prevent re-registration)
+ */
+export declare function generateRegistrationChallenge(userId: string, userEmail: string, existingCredentialIds?: string[]): Promise<PublicKeyCredentialCreationOptionsJSON>;
+/**
+ * Verify a WebAuthn registration response from the browser.
+ *
+ * @param response - The RegistrationResponseJSON from the browser
+ * @param expectedChallenge - The challenge from generateRegistrationChallenge
+ * @param expectedOrigin - Override origin (defaults to config.origin)
+ * @returns Verified registration data including credential info
+ * @throws If verification fails
+ */
+export declare function verifyRegistration(response: RegistrationResponseJSON, expectedChallenge: string, expectedOrigin?: string | string[]): Promise<VerifiedRegistrationResponse>;
+/**
+ * Store a verified passkey credential in the database.
+ *
+ * Enforces the per-user passkey limit before insertion.
+ *
+ * @param userId - User's database ID
+ * @param credential - Verified credential from verifyRegistration
+ * @param deviceName - Optional user-friendly name (e.g., "MacBook Pro Touch ID")
+ * @returns The stored passkey record
+ */
+export declare function storePasskey(userId: string, credential: {
+    id: string;
+    publicKey: Uint8Array;
+    counter: number;
+    transports?: string[];
+    aaguid?: string;
+    backedUp?: boolean;
+}, deviceName?: string): Promise<{
+    id: string;
+    userId: string;
+    credentialId: string;
+    deviceName: string | null;
+    createdAt: Date;
+}>;
+/**
+ * Generate WebAuthn authentication options.
+ *
+ * The returned object should be passed to the browser's navigator.credentials.get().
+ *
+ * @param allowCredentials - Optional list of credential IDs to allow
+ */
+export declare function generateAuthenticationChallenge(allowCredentials?: {
+    id: string;
+    transports?: string[];
+}[]): Promise<PublicKeyCredentialRequestOptionsJSON>;
+/**
+ * Verify a WebAuthn authentication response and update the credential counter.
+ *
+ * @param response - The AuthenticationResponseJSON from the browser
+ * @param credential - The stored credential (id, publicKey, counter)
+ * @param expectedChallenge - The challenge from generateAuthenticationChallenge
+ * @param expectedOrigin - Override origin (defaults to config.origin)
+ * @returns Verification result with new counter value
+ */
+export declare function verifyAuthentication(response: AuthenticationResponseJSON, credential: WebAuthnCredential, expectedChallenge: string, expectedOrigin?: string | string[]): Promise<{
+    verified: boolean;
+    newCounter: number;
+}>;
+/**
+ * List all passkeys for a user (safe for client — excludes publicKey and counter).
+ */
+export declare function listPasskeys(userId: string): Promise<{
+    id: string;
+    credentialId: string;
+    deviceName: string | null;
+    backedUp: boolean;
+    createdAt: Date;
+    lastUsedAt: Date | null;
+}[]>;
+/**
+ * Delete a passkey. Blocks deletion if it's the user's last sign-in method.
+ *
+ * @param userId - User's database ID
+ * @param passkeyId - The passkey record ID to delete
+ * @throws If this is the user's only sign-in method
+ */
+export declare function deletePasskey(userId: string, passkeyId: string): Promise<void>;
+/**
+ * Rename a passkey's device name.
+ *
+ * @param userId - User's database ID
+ * @param passkeyId - The passkey record ID to rename
+ * @param name - New friendly name
+ */
+export declare function renamePasskey(userId: string, passkeyId: string, name: string): Promise<void>;
+/**
+ * Count a user's sign-in credentials (passkeys + password).
+ *
+ * @param userId - User's database ID
+ * @returns Passkey count and whether user has a password set
+ */
+export declare function countUserCredentials(userId: string): Promise<{
+    passkeyCount: number;
+    hasPassword: boolean;
+}>;
+//# sourceMappingURL=passkey.d.ts.map

package/dist/server/passkey.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"passkey.d.ts","sourceRoot":"","sources":["../../src/server/passkey.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,OAAO,KAAK,EACV,0BAA0B,EAC1B,sCAAsC,EACtC,qCAAqC,EACrC,wBAAwB,EACxB,4BAA4B,EAC5B,kBAAkB,EACnB,MAAM,wBAAwB,CAAC;AAahC,MAAM,WAAW,aAAa;IAC5B,8CAA8C;IAC9C,kBAAkB,EAAE,MAAM,CAAC;IAC3B,+CAA+C;IAC/C,cAAc,EAAE,MAAM,CAAC;IACvB,4DAA4D;IAC5D,IAAI,EAAE,MAAM,CAAC;IACb,8DAA8D;IAC9D,MAAM,EAAE,MAAM,CAAC;IACf,6EAA6E;IAC7E,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;CAC3B;AAYD,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,OAAO,CAAC,aAAa,CAAC,GAAG,IAAI,CAExE;AAED,wBAAgB,kBAAkB,IAAI,IAAI,CAEzC;AAMD;;;;;;;;;;GAUG;AACH,wBAAsB,6BAA6B,CACjD,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,EACjB,qBAAqB,CAAC,EAAE,MAAM,EAAE,GAC/B,OAAO,CAAC,sCAAsC,CAAC,CAuBjD;AAED;;;;;;;;GAQG;AACH,wBAAsB,kBAAkB,CACtC,QAAQ,EAAE,wBAAwB,EAClC,iBAAiB,EAAE,MAAM,EACzB,cAAc,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,GACjC,OAAO,CAAC,4BAA4B,CAAC,CAavC;AAMD;;;;;;;;;GASG;AACH,wBAAsB,YAAY,CAChC,MAAM,EAAE,MAAM,EACd,UAAU,EAAE;IACV,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,UAAU,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB,EACD,UAAU,CAAC,EAAE,MAAM,GAClB,OAAO,CAAC;IACT,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,SAAS,EAAE,IAAI,CAAC;CACjB,CAAC,CAqCD;AAMD;;;;;;GAMG;AACH,wBAAsB,+BAA+B,CACnD,gBAAgB,CAAC,EAAE;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,EAAE,GACzD,OAAO,CAAC,qCAAqC,CAAC,CAoBhD;AAED;;;;;;;;GAQG;AACH,wBAAsB,oBAAoB,CACxC,QAAQ,EAAE,0BAA0B,EACpC,UAAU,EAAE,kBAAkB,EAC9B,iBAAiB,EAAE,MAAM,EACzB,cAAc,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,GACjC,OAAO,CAAC;IACT,QAAQ,EAAE,OAAO,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC,CAyBD;AAMD;;GAEG;AACH,wBAAsB,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CACzD;IACE,EAAE,EAAE,MAAM,CAAC;IACX,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,QAAQ,EAAE,OAAO,CAAC;IAClB,SAAS,EAAE,IAAI,CAAC;IAChB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;CACzB,EAAE,CACJ,CAgBA;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CASpF;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,IAAI,CAAC,CAMf;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,OAAO,CAAA;CAAE,CAAC,CAkBzD"}

package/dist/server/passkey.js

@@ -0,0 +1,257 @@
+/**
+ * WebAuthn Passkey Module
+ *
+ * Implements passkey registration, authentication, and management using
+ * @simplewebauthn/server v13. Passkeys enable passwordless authentication
+ * via biometrics, security keys, or platform authenticators.
+ *
+ * @see https://simplewebauthn.dev/
+ */
+import crypto from 'node:crypto';
+import { getClient } from '@revealui/db/client';
+import { passkeys, users } from '@revealui/db/schema';
+import { generateAuthenticationOptions, generateRegistrationOptions, verifyAuthenticationResponse, verifyRegistrationResponse, } from '@simplewebauthn/server';
+import { and, count, eq } from 'drizzle-orm';
+const DEFAULT_CONFIG = {
+    maxPasskeysPerUser: 10,
+    challengeTtlMs: 5 * 60 * 1000,
+    rpId: 'localhost',
+    rpName: 'RevealUI',
+    origin: 'http://localhost:4000',
+};
+let config = { ...DEFAULT_CONFIG };
+export function configurePasskey(overrides) {
+    config = { ...DEFAULT_CONFIG, ...overrides };
+}
+export function resetPasskeyConfig() {
+    config = { ...DEFAULT_CONFIG };
+}
+// =============================================================================
+// Registration
+// =============================================================================
+/**
+ * Generate WebAuthn registration options for a user.
+ *
+ * The returned object should be passed to the browser's navigator.credentials.create().
+ * The challenge is embedded in the options and should be stored server-side
+ * for verification.
+ *
+ * @param userId - User's database ID
+ * @param userEmail - User's email (used as userName in WebAuthn)
+ * @param existingCredentialIds - Credential IDs to exclude (prevent re-registration)
+ */
+export async function generateRegistrationChallenge(userId, userEmail, existingCredentialIds) {
+    const excludeCredentials = existingCredentialIds?.map((id) => ({
+        id,
+    }));
+    // Encode userId as Uint8Array for WebAuthn userID field
+    const userIdBytes = new TextEncoder().encode(userId);
+    const options = await generateRegistrationOptions({
+        rpName: config.rpName,
+        rpID: config.rpId,
+        userName: userEmail,
+        userID: userIdBytes,
+        userDisplayName: userEmail,
+        excludeCredentials,
+        authenticatorSelection: {
+            residentKey: 'preferred',
+            userVerification: 'preferred',
+        },
+        timeout: config.challengeTtlMs,
+    });
+    return options;
+}
+/**
+ * Verify a WebAuthn registration response from the browser.
+ *
+ * @param response - The RegistrationResponseJSON from the browser
+ * @param expectedChallenge - The challenge from generateRegistrationChallenge
+ * @param expectedOrigin - Override origin (defaults to config.origin)
+ * @returns Verified registration data including credential info
+ * @throws If verification fails
+ */
+export async function verifyRegistration(response, expectedChallenge, expectedOrigin) {
+    const verification = await verifyRegistrationResponse({
+        response,
+        expectedChallenge,
+        expectedOrigin: expectedOrigin ?? config.origin,
+        expectedRPID: config.rpId,
+    });
+    if (!(verification.verified && verification.registrationInfo)) {
+        throw new Error('Passkey registration verification failed');
+    }
+    return verification;
+}
+// =============================================================================
+// Credential Storage
+// =============================================================================
+/**
+ * Store a verified passkey credential in the database.
+ *
+ * Enforces the per-user passkey limit before insertion.
+ *
+ * @param userId - User's database ID
+ * @param credential - Verified credential from verifyRegistration
+ * @param deviceName - Optional user-friendly name (e.g., "MacBook Pro Touch ID")
+ * @returns The stored passkey record
+ */
+export async function storePasskey(userId, credential, deviceName) {
+    const db = getClient();
+    // Enforce per-user passkey limit
+    const [result] = await db
+        .select({ total: count() })
+        .from(passkeys)
+        .where(eq(passkeys.userId, userId));
+    const currentCount = result?.total ?? 0;
+    if (currentCount >= config.maxPasskeysPerUser) {
+        throw new Error(`Maximum of ${config.maxPasskeysPerUser} passkeys per user reached`);
+    }
+    const id = crypto.randomUUID();
+    const now = new Date();
+    await db.insert(passkeys).values({
+        id,
+        userId,
+        credentialId: credential.id,
+        publicKey: Buffer.from(credential.publicKey),
+        counter: credential.counter,
+        transports: credential.transports ?? null,
+        aaguid: credential.aaguid ?? null,
+        deviceName: deviceName ?? null,
+        backedUp: credential.backedUp ?? false,
+        createdAt: now,
+    });
+    return {
+        id,
+        userId,
+        credentialId: credential.id,
+        deviceName: deviceName ?? null,
+        createdAt: now,
+    };
+}
+// =============================================================================
+// Authentication
+// =============================================================================
+/**
+ * Generate WebAuthn authentication options.
+ *
+ * The returned object should be passed to the browser's navigator.credentials.get().
+ *
+ * @param allowCredentials - Optional list of credential IDs to allow
+ */
+export async function generateAuthenticationChallenge(allowCredentials) {
+    const options = await generateAuthenticationOptions({
+        rpID: config.rpId,
+        allowCredentials: allowCredentials?.map((cred) => ({
+            id: cred.id,
+            transports: cred.transports,
+        })),
+        timeout: config.challengeTtlMs,
+        userVerification: 'preferred',
+    });
+    return options;
+}
+/**
+ * Verify a WebAuthn authentication response and update the credential counter.
+ *
+ * @param response - The AuthenticationResponseJSON from the browser
+ * @param credential - The stored credential (id, publicKey, counter)
+ * @param expectedChallenge - The challenge from generateAuthenticationChallenge
+ * @param expectedOrigin - Override origin (defaults to config.origin)
+ * @returns Verification result with new counter value
+ */
+export async function verifyAuthentication(response, credential, expectedChallenge, expectedOrigin) {
+    const verification = await verifyAuthenticationResponse({
+        response,
+        expectedChallenge,
+        expectedOrigin: expectedOrigin ?? config.origin,
+        expectedRPID: [config.rpId],
+        credential,
+    });
+    if (verification.verified) {
+        // Update counter and lastUsedAt in the database
+        const db = getClient();
+        await db
+            .update(passkeys)
+            .set({
+            counter: verification.authenticationInfo.newCounter,
+            lastUsedAt: new Date(),
+        })
+            .where(eq(passkeys.credentialId, credential.id));
+    }
+    return {
+        verified: verification.verified,
+        newCounter: verification.authenticationInfo.newCounter,
+    };
+}
+// =============================================================================
+// Management
+// =============================================================================
+/**
+ * List all passkeys for a user (safe for client — excludes publicKey and counter).
+ */
+export async function listPasskeys(userId) {
+    const db = getClient();
+    const rows = await db
+        .select({
+        id: passkeys.id,
+        credentialId: passkeys.credentialId,
+        deviceName: passkeys.deviceName,
+        backedUp: passkeys.backedUp,
+        createdAt: passkeys.createdAt,
+        lastUsedAt: passkeys.lastUsedAt,
+    })
+        .from(passkeys)
+        .where(eq(passkeys.userId, userId));
+    return rows;
+}
+/**
+ * Delete a passkey. Blocks deletion if it's the user's last sign-in method.
+ *
+ * @param userId - User's database ID
+ * @param passkeyId - The passkey record ID to delete
+ * @throws If this is the user's only sign-in method
+ */
+export async function deletePasskey(userId, passkeyId) {
+    const { passkeyCount, hasPassword } = await countUserCredentials(userId);
+    if (passkeyCount <= 1 && !hasPassword) {
+        throw new Error('Cannot delete last sign-in method');
+    }
+    const db = getClient();
+    await db.delete(passkeys).where(and(eq(passkeys.id, passkeyId), eq(passkeys.userId, userId)));
+}
+/**
+ * Rename a passkey's device name.
+ *
+ * @param userId - User's database ID
+ * @param passkeyId - The passkey record ID to rename
+ * @param name - New friendly name
+ */
+export async function renamePasskey(userId, passkeyId, name) {
+    const db = getClient();
+    await db
+        .update(passkeys)
+        .set({ deviceName: name })
+        .where(and(eq(passkeys.id, passkeyId), eq(passkeys.userId, userId)));
+}
+/**
+ * Count a user's sign-in credentials (passkeys + password).
+ *
+ * @param userId - User's database ID
+ * @returns Passkey count and whether user has a password set
+ */
+export async function countUserCredentials(userId) {
+    const db = getClient();
+    const [passkeyResult] = await db
+        .select({ total: count() })
+        .from(passkeys)
+        .where(eq(passkeys.userId, userId));
+    const [userResult] = await db
+        .select({ password: users.password })
+        .from(users)
+        .where(eq(users.id, userId))
+        .limit(1);
+    return {
+        passkeyCount: passkeyResult?.total ?? 0,
+        hasPassword: userResult?.password != null,
+    };
+}

package/dist/server/password-reset.d.ts

@@ -43,6 +43,21 @@ export declare function validatePasswordResetToken(tokenId: string, token: strin
  * @returns Success result
  */
 export declare function resetPasswordWithToken(tokenId: string, token: string, newPassword: string): Promise<PasswordResetResult>;
+export interface ChangePasswordResult {
+    success: boolean;
+    error?: string;
+}
+/**
+ * Change password for an authenticated user.
+ *
+ * Verifies the current password before updating. Does not touch sessions —
+ * the caller is responsible for revoking other sessions if desired.
+ *
+ * @param userId - Authenticated user ID
+ * @param currentPassword - Plain-text current password to verify
+ * @param newPassword - Plain-text new password to hash and store
+ */
+export declare function changePassword(userId: string, currentPassword: string, newPassword: string): Promise<ChangePasswordResult>;
 /**
  * Invalidates a password reset token
  *

package/dist/server/password-reset.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"password-reset.d.ts","sourceRoot":"","sources":["../../src/server/password-reset.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,IAAI,CAAA;CAChB;AAED,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAA;IAChB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB;AAuBD;;;;;GAKG;AACH,wBAAsB,0BAA0B,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAqE5F;AAED;;;;;;;;;GASG;AACH,wBAAsB,0BAA0B,CAC9C,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAqCxB;AAED;;;;;;;;;GASG;AACH,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,mBAAmB,CAAC,CA4E9B;AAED;;;;;;;GAOG;AACH,wBAAsB,4BAA4B,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAqChG"}
+{"version":3,"file":"password-reset.d.ts","sourceRoot":"","sources":["../../src/server/password-reset.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAuBD;;;;;GAKG;AACH,wBAAsB,0BAA0B,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAwE5F;AAED;;;;;;;;;GASG;AACH,wBAAsB,0BAA0B,CAC9C,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAqCxB;AAED;;;;;;;;;GASG;AACH,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,mBAAmB,CAAC,CA4E9B;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;;;;GASG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,MAAM,EACd,eAAe,EAAE,MAAM,EACvB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,oBAAoB,CAAC,CAqC/B;AAED;;;;;;;GAOG;AACH,wBAAsB,4BAA4B,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAqChG"}

package/dist/server/password-reset.js

@@ -37,7 +37,10 @@ function generateSalt() {
 export async function generatePasswordResetToken(email) {
     try {
         const db = getClient();
-        // Find user by email
+        // Find user by email — intentionally does NOT check user.password.
+        // OAuth-only users (password: null) can use this flow to set a password,
+        // giving them a fallback login method independent of their OAuth provider.
+        // This is safe because the reset link is sent to their verified email.
         const [user] = await db.select().from(users).where(eq(users.email, email)).limit(1);
         if (!user) {
             // Don't reveal if user exists (security best practice)
@@ -195,6 +198,46 @@ export async function resetPasswordWithToken(tokenId, token, newPassword) {
         };
     }
 }
+/**
+ * Change password for an authenticated user.
+ *
+ * Verifies the current password before updating. Does not touch sessions —
+ * the caller is responsible for revoking other sessions if desired.
+ *
+ * @param userId - Authenticated user ID
+ * @param currentPassword - Plain-text current password to verify
+ * @param newPassword - Plain-text new password to hash and store
+ */
+export async function changePassword(userId, currentPassword, newPassword) {
+    try {
+        const db = getClient();
+        const [user] = await db
+            .select({ id: users.id, password: users.password })
+            .from(users)
+            .where(eq(users.id, userId))
+            .limit(1);
+        if (!user) {
+            return { success: false, error: 'User not found.' };
+        }
+        if (!user.password) {
+            return {
+                success: false,
+                error: 'No password is set on this account. Use the password reset link to set one.',
+            };
+        }
+        const currentValid = await bcrypt.compare(currentPassword, user.password);
+        if (!currentValid) {
+            return { success: false, error: 'Current password is incorrect.' };
+        }
+        const newHash = await bcrypt.hash(newPassword, 12);
+        await db.update(users).set({ password: newHash }).where(eq(users.id, userId));
+        return { success: true };
+    }
+    catch (error) {
+        logger.error('Error changing password', error instanceof Error ? error : new Error(String(error)));
+        return { success: false, error: 'An unexpected error occurred.' };
+    }
+}
 /**
  * Invalidates a password reset token
  *

package/dist/server/password-validation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"password-validation.d.ts","sourceRoot":"","sources":["../../src/server/password-validation.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,WAAW,wBAAwB;IACvC,KAAK,EAAE,OAAO,CAAA;IACd,MAAM,EAAE,MAAM,EAAE,CAAA;CACjB;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CAAC,QAAQ,EAAE,MAAM,GAAG,wBAAwB,CAgCnF;AAED;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAE1E"}
+{"version":3,"file":"password-validation.d.ts","sourceRoot":"","sources":["../../src/server/password-validation.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,WAAW,wBAAwB;IACvC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CAAC,QAAQ,EAAE,MAAM,GAAG,wBAAwB,CAgCnF;AAED;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAE1E"}

package/dist/server/providers/github.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"github.d.ts","sourceRoot":"","sources":["../../../src/server/providers/github.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAE/C,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAOzF;AAED,wBAAsB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CA4BrF;AAED,wBAAsB,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CA2C1E"}
+{"version":3,"file":"github.d.ts","sourceRoot":"","sources":["../../../src/server/providers/github.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEhD,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAOzF;AAED,wBAAsB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAqCrF;AAED,wBAAsB,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAoD1E"}

package/dist/server/providers/github.js

@@ -31,7 +31,15 @@ export async function exchangeCode(code, redirectUri) {
         }),
     });
     if (!response.ok) {
-        throw new Error(`GitHub token exchange failed: ${response.status}`);
+        let detail = '';
+        try {
+            const err = (await response.json());
+            detail = err.error_description ?? err.error ?? '';
+        }
+        catch {
+            // Response body not JSON — use status only
+        }
+        throw new Error(`GitHub token exchange failed: ${response.status}${detail ? ` — ${detail}` : ''}`);
     }
     const data = (await response.json());
     if (data.error) {
@@ -51,7 +59,15 @@ export async function fetchUser(accessToken) {
     };
     const userResponse = await fetch('https://api.github.com/user', { headers });
     if (!userResponse.ok) {
-        throw new Error(`GitHub user fetch failed: ${userResponse.status}`);
+        let detail = '';
+        try {
+            const err = (await userResponse.json());
+            detail = err.message ?? '';
+        }
+        catch {
+            // Response body not JSON
+        }
+        throw new Error(`GitHub user fetch failed: ${userResponse.status}${detail ? ` — ${detail}` : ''}`);
     }
     const user = (await userResponse.json());
     let email = user.email ?? null;

package/dist/server/providers/google.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"google.d.ts","sourceRoot":"","sources":["../../../src/server/providers/google.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAE/C,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CASzF;AAED,wBAAsB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAsBrF;AAED,wBAAsB,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAuB1E"}
+{"version":3,"file":"google.d.ts","sourceRoot":"","sources":["../../../src/server/providers/google.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEhD,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CASzF;AAED,wBAAsB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CA+BrF;AAED,wBAAsB,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAgC1E"}

package/dist/server/providers/google.js

@@ -27,7 +27,15 @@ export async function exchangeCode(code, redirectUri) {
         }),
     });
     if (!response.ok) {
-        throw new Error(`Google token exchange failed: ${response.status}`);
+        let detail = '';
+        try {
+            const err = (await response.json());
+            detail = err.error_description ?? err.error ?? '';
+        }
+        catch {
+            // Response body not JSON — use status only
+        }
+        throw new Error(`Google token exchange failed: ${response.status}${detail ? ` — ${detail}` : ''}`);
     }
     const data = (await response.json());
     if (!data.access_token || typeof data.access_token !== 'string') {
@@ -41,7 +49,15 @@ export async function fetchUser(accessToken) {
         headers: { Authorization: `Bearer ${accessToken}` },
     });
     if (!response.ok) {
-        throw new Error(`Google userinfo fetch failed: ${response.status}`);
+        let detail = '';
+        try {
+            const err = (await response.json());
+            detail = err.error?.message ?? '';
+        }
+        catch {
+            // Response body not JSON
+        }
+        throw new Error(`Google userinfo fetch failed: ${response.status}${detail ? ` — ${detail}` : ''}`);
     }
     const data = (await response.json());
     return {

package/dist/server/providers/vercel.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"vercel.d.ts","sourceRoot":"","sources":["../../../src/server/providers/vercel.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAE/C,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAMzF;AAED,wBAAsB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAkBrF;AAED,wBAAsB,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CA2B1E"}
+{"version":3,"file":"vercel.d.ts","sourceRoot":"","sources":["../../../src/server/providers/vercel.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEhD,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAMzF;AAED,wBAAsB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CA2BrF;AAED,wBAAsB,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAkC1E"}

package/dist/server/providers/vercel.js

@@ -23,7 +23,15 @@ export async function exchangeCode(code, redirectUri) {
         }),
     });
     if (!response.ok) {
-        throw new Error(`Vercel token exchange failed: ${response.status}`);
+        let detail = '';
+        try {
+            const err = (await response.json());
+            detail = err.error_description ?? err.error ?? '';
+        }
+        catch {
+            // Response body not JSON — use status only
+        }
+        throw new Error(`Vercel token exchange failed: ${response.status}${detail ? ` — ${detail}` : ''}`);
     }
     const data = (await response.json());
     return data.access_token;
@@ -34,7 +42,15 @@ export async function fetchUser(accessToken) {
         headers: { Authorization: `Bearer ${accessToken}` },
     });
     if (!response.ok) {
-        throw new Error(`Vercel user fetch failed: ${response.status}`);
+        let detail = '';
+        try {
+            const err = (await response.json());
+            detail = err.error?.message ?? '';
+        }
+        catch {
+            // Response body not JSON
+        }
+        throw new Error(`Vercel user fetch failed: ${response.status}${detail ? ` — ${detail}` : ''}`);
     }
     const data = (await response.json());
     const u = data.user;

package/dist/server/rate-limit.d.ts

@@ -2,7 +2,7 @@
  * Rate Limiting Utilities
  *
  * Rate limiting for authentication endpoints using storage abstraction.
- * Supports in-memory (dev), Redis (production), or database (fallback).
+ * Supports in-memory (dev) or database (production) backends.
  */
 /**
  * Rate limit configuration
@@ -12,6 +12,15 @@ export interface RateLimitConfig {
     windowMs: number;
     blockDurationMs?: number;
 }
+/**
+ * Override default rate limit configuration globally.
+ * Per-call config parameters still take precedence.
+ */
+export declare function configureRateLimit(overrides: Partial<RateLimitConfig>): void;
+/**
+ * Reset rate limit configuration to defaults (for testing).
+ */
+export declare function resetRateLimitConfig(): void;
 /**
  * Checks if an action should be rate limited
  *

package/dist/server/rate-limit.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/server/rate-limit.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,WAAW,EAAE,MAAM,CAAA;IACnB,QAAQ,EAAE,MAAM,CAAA;IAChB,eAAe,CAAC,EAAE,MAAM,CAAA;CACzB;AAqCD;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,GAAG,EAAE,MAAM,EACX,MAAM,GAAE,eAAgC,GACvC,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAuDnE;AAED;;;;GAIG;AACH,wBAAsB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAI/D;AAED;;;;;;GAMG;AACH,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,MAAM,EACX,MAAM,GAAE,eAAgC,GACvC,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAqBhE"}
+{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/server/rate-limit.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAUD;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,OAAO,CAAC,eAAe,CAAC,GAAG,IAAI,CAE5E;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,IAAI,CAE3C;AA+BD;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,GAAG,EAAE,MAAM,EACX,MAAM,GAAE,eAA8B,GACrC,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CA4DnE;AAED;;;;GAIG;AACH,wBAAsB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAI/D;AAED;;;;;;GAMG;AACH,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,MAAM,EACX,MAAM,GAAE,eAA8B,GACrC,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAqBhE"}