@revealui/auth 0.2.1 → 0.3.0

package/dist/server/rate-limit.js

@@ -2,7 +2,7 @@
  * Rate Limiting Utilities
  *
  * Rate limiting for authentication endpoints using storage abstraction.
- * Supports in-memory (dev), Redis (production), or database (fallback).
+ * Supports in-memory (dev) or database (production) backends.
  */
 import { getStorage } from './storage/index.js';
 const DEFAULT_CONFIG = {
@@ -10,6 +10,20 @@ const DEFAULT_CONFIG = {
     windowMs: 15 * 60 * 1000, // 15 minutes
     blockDurationMs: 30 * 60 * 1000, // 30 minutes block after max attempts
 };
+let globalConfig = { ...DEFAULT_CONFIG };
+/**
+ * Override default rate limit configuration globally.
+ * Per-call config parameters still take precedence.
+ */
+export function configureRateLimit(overrides) {
+    globalConfig = { ...DEFAULT_CONFIG, ...overrides };
+}
+/**
+ * Reset rate limit configuration to defaults (for testing).
+ */
+export function resetRateLimitConfig() {
+    globalConfig = { ...DEFAULT_CONFIG };
+}
 /**
  * Serialize rate limit entry to string
  */
@@ -43,54 +57,58 @@ function getStorageKey(key) {
  * @param config - Rate limit configuration
  * @returns Rate limit result
  */
-export async function checkRateLimit(key, config = DEFAULT_CONFIG) {
+export async function checkRateLimit(key, config = globalConfig) {
     const storage = getStorage();
     const storageKey = getStorageKey(key);
     const now = Date.now();
-    // Get existing entry
-    const entryData = await storage.get(storageKey);
-    let entry = deserializeEntry(entryData);
-    // Clean up expired entries
-    if (entry && entry.resetAt < now) {
-        await storage.del(storageKey);
-        entry = null;
-    }
-    // Get or create entry
-    const currentEntry = entry || {
-        count: 0,
-        resetAt: now + config.windowMs,
-    };
-    // Check if blocked
-    if (config.blockDurationMs && currentEntry.count >= config.maxAttempts) {
-        const blockUntil = now + config.blockDurationMs;
-        // Extend the storage TTL so the entry outlives the block period.
-        // Without this, the entry expires at resetAt (end of the rate-limit window)
-        // before the block expires, letting the user back in prematurely.
-        const blockTtlSeconds = Math.ceil(config.blockDurationMs / 1000);
-        await storage.set(storageKey, serializeEntry(currentEntry), blockTtlSeconds);
-        return {
-            allowed: false,
-            remaining: 0,
-            resetAt: blockUntil,
+    // Use atomicUpdate to avoid the read-modify-write race condition.
+    // The result is captured via closure since atomicUpdate returns void.
+    let result;
+    const updater = (entryData) => {
+        let entry = deserializeEntry(entryData);
+        // Clean up expired entries
+        if (entry && entry.resetAt < now) {
+            entry = null;
+        }
+        // Get or create entry
+        const currentEntry = entry || {
+            count: 0,
+            resetAt: now + config.windowMs,
         };
-    }
-    // Check if within window
-    if (currentEntry.count >= config.maxAttempts) {
-        return {
-            allowed: false,
-            remaining: 0,
+        // Check if blocked
+        if (config.blockDurationMs && currentEntry.count >= config.maxAttempts) {
+            const blockUntil = now + config.blockDurationMs;
+            const blockTtlSeconds = Math.ceil(config.blockDurationMs / 1000);
+            result = { allowed: false, remaining: 0, resetAt: blockUntil };
+            return { value: serializeEntry(currentEntry), ttlSeconds: blockTtlSeconds };
+        }
+        // Check if within window
+        if (currentEntry.count >= config.maxAttempts) {
+            const ttlSeconds = Math.ceil((currentEntry.resetAt - now) / 1000);
+            result = { allowed: false, remaining: 0, resetAt: currentEntry.resetAt };
+            return { value: serializeEntry(currentEntry), ttlSeconds };
+        }
+        // Increment and update
+        currentEntry.count++;
+        const ttlSeconds = Math.ceil((currentEntry.resetAt - now) / 1000);
+        result = {
+            allowed: true,
+            remaining: config.maxAttempts - currentEntry.count,
             resetAt: currentEntry.resetAt,
         };
-    }
-    // Increment and update
-    currentEntry.count++;
-    const ttlSeconds = Math.ceil((currentEntry.resetAt - now) / 1000);
-    await storage.set(storageKey, serializeEntry(currentEntry), ttlSeconds);
-    return {
-        allowed: true,
-        remaining: config.maxAttempts - currentEntry.count,
-        resetAt: currentEntry.resetAt,
+        return { value: serializeEntry(currentEntry), ttlSeconds };
     };
+    if (storage.atomicUpdate) {
+        await storage.atomicUpdate(storageKey, updater);
+    }
+    else {
+        // Fallback for storage backends without atomicUpdate
+        const existing = await storage.get(storageKey);
+        const { value, ttlSeconds } = updater(existing);
+        await storage.set(storageKey, value, ttlSeconds);
+    }
+    // biome-ignore lint/style/noNonNullAssertion: result is always assigned by updater before this point
+    return result;
 }
 /**
  * Resets rate limit for a key
@@ -109,7 +127,7 @@ export async function resetRateLimit(key) {
  * @param config - Rate limit configuration
  * @returns Rate limit status
  */
-export async function getRateLimitStatus(key, config = DEFAULT_CONFIG) {
+export async function getRateLimitStatus(key, config = globalConfig) {
     const storage = getStorage();
     const storageKey = getStorageKey(key);
     const now = Date.now();

package/dist/server/session.d.ts

@@ -5,6 +5,30 @@
  * Sessions are stored in PostgreSQL and validated on each request.
  */
 import type { Session, User } from '../types.js';
+export interface SessionBindingConfig {
+    /** Invalidate session when user-agent changes (default: true) */
+    enforceUserAgent: boolean;
+    /** Invalidate session when IP address changes (default: false — users roam) */
+    enforceIp: boolean;
+    /** Log a warning when IP changes but don't invalidate (default: true) */
+    warnOnIpChange: boolean;
+}
+/** Override session binding behaviour (useful for tests or strict deployments). */
+export declare function configureSessionBinding(overrides: Partial<SessionBindingConfig>): void;
+/** Reset to defaults (for tests). */
+export declare function resetSessionBindingConfig(): void;
+export interface RequestContext {
+    userAgent?: string;
+    ipAddress?: string;
+}
+/**
+ * Validate that the current request context matches the session's stored
+ * binding values (IP address, user-agent).
+ *
+ * @returns `null` when the session is valid, or a reason string when it should
+ *          be invalidated.
+ */
+export declare function validateSessionBinding(session: Session, ctx: RequestContext): string | null;
 export interface SessionData {
     session: Session;
     user: User;
@@ -13,9 +37,10 @@ export interface SessionData {
  * Get session from request headers (cookie)
  *
  * @param headers - Request headers containing cookies
+ * @param requestContext - Optional IP / user-agent for session binding validation
  * @returns Session data with user, or null if invalid/expired
  */
-export declare function getSession(headers: Headers): Promise<SessionData | null>;
+export declare function getSession(headers: Headers, requestContext?: RequestContext): Promise<SessionData | null>;
 /**
  * Create a new session for a user
  *
@@ -27,6 +52,28 @@ export declare function createSession(userId: string, options?: {
     persistent?: boolean;
     userAgent?: string;
     ipAddress?: string;
+    expiresAt?: Date;
+    metadata?: Record<string, unknown>;
+}): Promise<{
+    token: string;
+    session: Session;
+}>;
+/**
+ * Rotate a user's session to prevent session fixation attacks.
+ *
+ * Deletes the old session (by token hash) or all sessions for the user,
+ * then creates a fresh session with a new token.
+ *
+ * @param userId - User ID to rotate sessions for
+ * @param options - Rotation options
+ * @returns New session token and session data
+ */
+export declare function rotateSession(userId: string, options?: {
+    /** Raw token of the old session to invalidate. When omitted, all user sessions are deleted. */
+    oldSessionToken?: string;
+    persistent?: boolean;
+    userAgent?: string;
+    ipAddress?: string;
 }): Promise<{
     token: string;
     session: Session;

package/dist/server/session.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../src/server/session.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,OAAO,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,aAAa,CAAA;AAIhD,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,OAAO,CAAA;IAChB,IAAI,EAAE,IAAI,CAAA;CACX;AAED;;;;;GAKG;AACH,wBAAsB,UAAU,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAsF9E;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;IACR,UAAU,CAAC,EAAE,OAAO,CAAA;IACpB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB,GACA,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,OAAO,CAAA;CAAE,CAAC,CAgE9C;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAmBtE;AAED;;;;GAIG;AACH,wBAAsB,qBAAqB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAyBzE"}
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../src/server/session.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,OAAO,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AAQjD,MAAM,WAAW,oBAAoB;IACnC,iEAAiE;IACjE,gBAAgB,EAAE,OAAO,CAAC;IAC1B,+EAA+E;IAC/E,SAAS,EAAE,OAAO,CAAC;IACnB,yEAAyE;IACzE,cAAc,EAAE,OAAO,CAAC;CACzB;AAUD,mFAAmF;AACnF,wBAAgB,uBAAuB,CAAC,SAAS,EAAE,OAAO,CAAC,oBAAoB,CAAC,GAAG,IAAI,CAEtF;AAED,qCAAqC;AACrC,wBAAgB,yBAAyB,IAAI,IAAI,CAEhD;AAMD,MAAM,WAAW,cAAc;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,cAAc,GAAG,MAAM,GAAG,IAAI,CA0B3F;AAMD,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,IAAI,CAAC;CACZ;AAED;;;;;;GAMG;AACH,wBAAsB,UAAU,CAC9B,OAAO,EAAE,OAAO,EAChB,cAAc,CAAC,EAAE,cAAc,GAC9B,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CA4G7B;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;IACR,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC,GACA,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,OAAO,CAAA;CAAE,CAAC,CAmE9C;AAED;;;;;;;;;GASG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;IACR,+FAA+F;IAC/F,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,GACA,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,OAAO,CAAA;CAAE,CAAC,CAoC9C;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAoBtE;AAED;;;;GAIG;AACH,wBAAsB,qBAAqB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAyBzE"}

package/dist/server/session.js

@@ -7,16 +7,61 @@
 import { logger } from '@revealui/core/observability/logger';
 import { getClient } from '@revealui/db/client';
 import { sessions, users } from '@revealui/db/schema';
-import { and, eq, gt } from 'drizzle-orm';
+import { and, eq, gt, isNull } from 'drizzle-orm';
 import { hashToken } from '../utils/token.js';
 import { DatabaseError, TokenError } from './errors.js';
+const DEFAULT_SESSION_BINDING = {
+    enforceUserAgent: true,
+    enforceIp: false,
+    warnOnIpChange: true,
+};
+let sessionBindingConfig = { ...DEFAULT_SESSION_BINDING };
+/** Override session binding behaviour (useful for tests or strict deployments). */
+export function configureSessionBinding(overrides) {
+    sessionBindingConfig = { ...DEFAULT_SESSION_BINDING, ...overrides };
+}
+/** Reset to defaults (for tests). */
+export function resetSessionBindingConfig() {
+    sessionBindingConfig = { ...DEFAULT_SESSION_BINDING };
+}
+/**
+ * Validate that the current request context matches the session's stored
+ * binding values (IP address, user-agent).
+ *
+ * @returns `null` when the session is valid, or a reason string when it should
+ *          be invalidated.
+ */
+export function validateSessionBinding(session, ctx) {
+    // User-agent enforcement
+    if (sessionBindingConfig.enforceUserAgent &&
+        ctx.userAgent &&
+        session.userAgent &&
+        ctx.userAgent !== session.userAgent) {
+        return 'user-agent mismatch';
+    }
+    // IP enforcement / warning
+    if (ctx.ipAddress && session.ipAddress && ctx.ipAddress !== session.ipAddress) {
+        if (sessionBindingConfig.enforceIp) {
+            return 'ip-address mismatch';
+        }
+        if (sessionBindingConfig.warnOnIpChange) {
+            logger.warn('Session IP changed', {
+                sessionId: session.id,
+                storedIp: session.ipAddress,
+                currentIp: ctx.ipAddress,
+            });
+        }
+    }
+    return null;
+}
 /**
  * Get session from request headers (cookie)
  *
  * @param headers - Request headers containing cookies
+ * @param requestContext - Optional IP / user-agent for session binding validation
  * @returns Session data with user, or null if invalid/expired
  */
-export async function getSession(headers) {
+export async function getSession(headers, requestContext) {
     try {
         const cookieHeader = headers.get('cookie');
         if (!cookieHeader) {
@@ -61,10 +106,32 @@ export async function getSession(headers) {
         if (!session) {
             return null;
         }
+        // Session binding validation (IP / user-agent)
+        if (requestContext) {
+            const bindingError = validateSessionBinding(session, requestContext);
+            if (bindingError) {
+                logger.warn('Session binding violation — invalidating session', {
+                    sessionId: session.id,
+                    reason: bindingError,
+                });
+                // Delete the compromised session
+                try {
+                    await db.delete(sessions).where(eq(sessions.id, session.id));
+                }
+                catch {
+                    logger.error('Failed to delete session after binding violation');
+                }
+                return null;
+            }
+        }
         // Get user data
         let user;
         try {
-            const result = await db.select().from(users).where(eq(users.id, session.userId)).limit(1);
+            const result = await db
+                .select()
+                .from(users)
+                .where(and(eq(users.id, session.userId), isNull(users.deletedAt)))
+                .limit(1);
             user = result[0];
         }
         catch (error) {
@@ -128,9 +195,11 @@ export async function createSession(userId, options) {
             logger.error('Error generating session token');
             throw new TokenError('Failed to generate session token');
         }
-        // Calculate expiration (7 days for persistent, 1 day for regular)
-        const expiresAt = new Date();
-        expiresAt.setDate(expiresAt.getDate() + (options?.persistent ? 7 : 1));
+        // Calculate expiration (custom override, 7 days for persistent, 1 day for regular)
+        const expiresAt = options?.expiresAt ?? new Date();
+        if (!options?.expiresAt) {
+            expiresAt.setDate(expiresAt.getDate() + (options?.persistent ? 7 : 1));
+        }
         // Create session in database
         let session;
         try {
@@ -145,6 +214,7 @@ export async function createSession(userId, options) {
                 userAgent: options?.userAgent,
                 ipAddress: options?.ipAddress,
                 lastActivityAt: new Date(),
+                metadata: options?.metadata ?? null,
             })
                 .returning();
             session = result[0];
@@ -171,6 +241,55 @@ export async function createSession(userId, options) {
         throw new DatabaseError('Unexpected error creating session', err);
     }
 }
+/**
+ * Rotate a user's session to prevent session fixation attacks.
+ *
+ * Deletes the old session (by token hash) or all sessions for the user,
+ * then creates a fresh session with a new token.
+ *
+ * @param userId - User ID to rotate sessions for
+ * @param options - Rotation options
+ * @returns New session token and session data
+ */
+export async function rotateSession(userId, options) {
+    try {
+        let db;
+        try {
+            db = getClient();
+        }
+        catch (error) {
+            logger.error('Error getting database client in rotateSession');
+            throw new DatabaseError('Database connection failed', error);
+        }
+        // Invalidate old session(s)
+        try {
+            if (options?.oldSessionToken) {
+                const oldTokenHash = hashToken(options.oldSessionToken);
+                await db.delete(sessions).where(eq(sessions.tokenHash, oldTokenHash));
+            }
+            else {
+                await db.delete(sessions).where(eq(sessions.userId, userId));
+            }
+        }
+        catch (error) {
+            logger.error('Error deleting old session(s) during rotation');
+            throw new DatabaseError('Failed to delete old session(s)', error);
+        }
+        // Create a fresh session
+        return await createSession(userId, {
+            persistent: options?.persistent,
+            userAgent: options?.userAgent,
+            ipAddress: options?.ipAddress,
+        });
+    }
+    catch (err) {
+        if (err instanceof DatabaseError || err instanceof TokenError) {
+            throw err;
+        }
+        logger.error('Unexpected error in rotateSession');
+        throw new DatabaseError('Unexpected error rotating session', err);
+    }
+}
 /**
  * Delete a session (sign out)
  *

package/dist/server/signed-cookie.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Signed Cookie Utility
+ *
+ * Signs and verifies JSON payloads for stateless storage in httpOnly cookies.
+ * Used by MFA pre-auth flow and WebAuthn challenge flow.
+ *
+ * Format: base64url(JSON payload) + '.' + base64url(HMAC-SHA256 signature)
+ */
+/**
+ * Sign a payload for storage in an httpOnly cookie.
+ * Format: base64url(JSON payload) + '.' + base64url(HMAC-SHA256 signature)
+ *
+ * @param payload - Must include `expiresAt` (Unix ms timestamp)
+ * @param secret - HMAC signing key (e.g., REVEALUI_SECRET)
+ * @returns Signed string safe for cookie value
+ */
+export declare function signCookiePayload<T extends {
+    expiresAt: number;
+}>(payload: T, secret: string): string;
+/**
+ * Verify and decode a signed cookie payload.
+ * Returns null if: signature invalid, expired, or malformed.
+ * Uses timing-safe comparison to prevent timing attacks.
+ *
+ * @param signed - Signed cookie string from `signCookiePayload`
+ * @param secret - HMAC signing key (must match the one used to sign)
+ * @returns Decoded payload or null if invalid
+ */
+export declare function verifyCookiePayload<T extends {
+    expiresAt: number;
+}>(signed: string, secret: string): T | null;
+//# sourceMappingURL=signed-cookie.d.ts.map

package/dist/server/signed-cookie.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signed-cookie.d.ts","sourceRoot":"","sources":["../../src/server/signed-cookie.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,CAAC,SAAS;IAAE,SAAS,EAAE,MAAM,CAAA;CAAE,EAC/D,OAAO,EAAE,CAAC,EACV,MAAM,EAAE,MAAM,GACb,MAAM,CAQR;AAED;;;;;;;;GAQG;AACH,wBAAgB,mBAAmB,CAAC,CAAC,SAAS;IAAE,SAAS,EAAE,MAAM,CAAA;CAAE,EACjE,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,GACb,CAAC,GAAG,IAAI,CAyCV"}

package/dist/server/signed-cookie.js

@@ -0,0 +1,67 @@
+/**
+ * Signed Cookie Utility
+ *
+ * Signs and verifies JSON payloads for stateless storage in httpOnly cookies.
+ * Used by MFA pre-auth flow and WebAuthn challenge flow.
+ *
+ * Format: base64url(JSON payload) + '.' + base64url(HMAC-SHA256 signature)
+ */
+import crypto from 'node:crypto';
+/**
+ * Sign a payload for storage in an httpOnly cookie.
+ * Format: base64url(JSON payload) + '.' + base64url(HMAC-SHA256 signature)
+ *
+ * @param payload - Must include `expiresAt` (Unix ms timestamp)
+ * @param secret - HMAC signing key (e.g., REVEALUI_SECRET)
+ * @returns Signed string safe for cookie value
+ */
+export function signCookiePayload(payload, secret) {
+    const payloadJson = JSON.stringify(payload);
+    const payloadB64 = Buffer.from(payloadJson).toString('base64url');
+    const signature = crypto.createHmac('sha256', secret).update(payloadB64).digest();
+    const signatureB64 = signature.toString('base64url');
+    return `${payloadB64}.${signatureB64}`;
+}
+/**
+ * Verify and decode a signed cookie payload.
+ * Returns null if: signature invalid, expired, or malformed.
+ * Uses timing-safe comparison to prevent timing attacks.
+ *
+ * @param signed - Signed cookie string from `signCookiePayload`
+ * @param secret - HMAC signing key (must match the one used to sign)
+ * @returns Decoded payload or null if invalid
+ */
+export function verifyCookiePayload(signed, secret) {
+    try {
+        if (!signed) {
+            return null;
+        }
+        const parts = signed.split('.');
+        if (parts.length !== 2) {
+            return null;
+        }
+        const [payloadB64, signatureB64] = parts;
+        // Recompute the expected signature
+        const expectedSignature = crypto.createHmac('sha256', secret).update(payloadB64).digest();
+        const actualSignature = Buffer.from(signatureB64, 'base64url');
+        // Timing-safe comparison — buffers must be same length
+        if (expectedSignature.length !== actualSignature.length) {
+            return null;
+        }
+        if (!crypto.timingSafeEqual(expectedSignature, actualSignature)) {
+            return null;
+        }
+        // Signature valid — decode and parse the payload
+        const payloadJson = Buffer.from(payloadB64, 'base64url').toString('utf8');
+        const payload = JSON.parse(payloadJson);
+        // Check expiry
+        if (typeof payload.expiresAt !== 'number' || payload.expiresAt <= Date.now()) {
+            return null;
+        }
+        return payload;
+    }
+    catch {
+        // Malformed input (bad base64, bad JSON, etc.) → null
+        return null;
+    }
+}

package/dist/server/storage/database.d.ts

@@ -2,7 +2,7 @@
  * Database Storage
  *
  * Database backend using Drizzle ORM
- * Slower than Redis but uses existing database infrastructure
+ * Uses existing database infrastructure with no external cache dependency
  */
 import type { Storage } from './interface.js';
 export declare class DatabaseStorage implements Storage {

package/dist/server/storage/database.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"database.d.ts","sourceRoot":"","sources":["../../../src/server/storage/database.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAOH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAA;AAE7C,qBAAa,eAAgB,YAAW,OAAO;IAC7C,OAAO,CAAC,EAAE,CAAU;gBAER,gBAAgB,CAAC,EAAE,MAAM;IAkB/B,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAcxC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAsBnE,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI/B,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAOlC,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAK3C;;;;OAIG;IACG,YAAY,CAChB,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,KAAK;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,GAC1E,OAAO,CAAC,IAAI,CAAC;CAwBjB"}
+{"version":3,"file":"database.d.ts","sourceRoot":"","sources":["../../../src/server/storage/database.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAQH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAE9C,qBAAa,eAAgB,YAAW,OAAO;IAC7C,OAAO,CAAC,EAAE,CAAW;gBAET,gBAAgB,CAAC,EAAE,MAAM;IAkB/B,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAcxC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAsBnE,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI/B,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IASlC,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAK3C;;;;OAIG;IACG,YAAY,CAChB,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,KAAK;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,GAC1E,OAAO,CAAC,IAAI,CAAC;CA6BjB"}

package/dist/server/storage/database.js

@@ -2,13 +2,14 @@
  * Database Storage
  *
  * Database backend using Drizzle ORM
- * Slower than Redis but uses existing database infrastructure
+ * Uses existing database infrastructure with no external cache dependency
  */
 // Import config module (ESM)
 // Config uses proxy for lazy loading, so import is safe - validation only happens on property access
 import configModule from '@revealui/config';
 import { createClient } from '@revealui/db/client';
-import { and, eq, gte, rateLimits } from '@revealui/db/schema';
+import { rateLimits } from '@revealui/db/schema';
+import { and, eq, gte } from 'drizzle-orm';
 export class DatabaseStorage {
     db;
     constructor(connectionString) {
@@ -60,9 +61,11 @@ export class DatabaseStorage {
         await this.db.delete(rateLimits).where(eq(rateLimits.key, key));
     }
     async incr(key) {
-        const current = await this.get(key);
-        const newValue = current ? parseInt(current, 10) + 1 : 1;
-        await this.set(key, String(newValue));
+        let newValue = 1;
+        await this.atomicUpdate(key, (existing) => {
+            newValue = existing ? parseInt(existing, 10) + 1 : 1;
+            return { value: String(newValue), ttlSeconds: 24 * 60 * 60 };
+        });
         return newValue;
     }
     async exists(key) {
@@ -92,8 +95,13 @@ export class DatabaseStorage {
                 });
             });
         }
-        catch {
-            // Transaction not supported (e.g., Neon HTTP serverless) — fall back to non-atomic
+        catch (error) {
+            // Only fall back for transaction-not-supported errors (e.g., Neon HTTP serverless).
+            // Re-throw real DB errors (connection failures, constraint violations, deadlocks).
+            const msg = error instanceof Error ? error.message : String(error);
+            if (!(msg.includes('transaction') || msg.includes('Transaction'))) {
+                throw error;
+            }
             const existing = await this.get(key);
             const { value, ttlSeconds } = updater(existing);
             await this.set(key, value, ttlSeconds);

package/dist/server/storage/in-memory.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"in-memory.d.ts","sourceRoot":"","sources":["../../../src/server/storage/in-memory.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAA;AAO7C,qBAAa,eAAgB,YAAW,OAAO;IAC7C,OAAO,CAAC,KAAK,CAAuC;IAG9C,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAiBxC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAUnE,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI/B,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAQlC,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAiBrC,YAAY,CAChB,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,KAAK;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,GAC1E,OAAO,CAAC,IAAI,CAAC;IAUhB;;OAEG;IACH,OAAO,IAAI,IAAI;IASf;;OAEG;IACH,KAAK,IAAI,IAAI;CAGd"}
+{"version":3,"file":"in-memory.d.ts","sourceRoot":"","sources":["../../../src/server/storage/in-memory.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAO9C,qBAAa,eAAgB,YAAW,OAAO;IAC7C,OAAO,CAAC,KAAK,CAAwC;IAE/C,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAgBxC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IASnE,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI/B,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAYlC,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAgBrC,YAAY,CAChB,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,KAAK;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,GAC1E,OAAO,CAAC,IAAI,CAAC;IAUhB;;OAEG;IACH,OAAO,IAAI,IAAI;IASf;;OAEG;IACH,KAAK,IAAI,IAAI;CAGd"}

package/dist/server/storage/in-memory.js

@@ -6,7 +6,6 @@
  */
 export class InMemoryStorage {
     store = new Map();
-    // eslint-disable-next-line @typescript-eslint/require-await
     async get(key) {
         const entry = this.store.get(key);
         if (!entry) {
@@ -19,7 +18,6 @@ export class InMemoryStorage {
         }
         return entry.value;
     }
-    // eslint-disable-next-line @typescript-eslint/require-await
     async set(key, value, ttlSeconds) {
         const entry = {
             value,
@@ -27,17 +25,20 @@ export class InMemoryStorage {
         };
         this.store.set(key, entry);
     }
-    // eslint-disable-next-line @typescript-eslint/require-await
     async del(key) {
         this.store.delete(key);
     }
     async incr(key) {
-        const current = await this.get(key);
+        // Read and write synchronously on the Map to avoid yielding to the event loop
+        // between read and write (same approach as atomicUpdate).
+        const now = Date.now();
+        const entry = this.store.get(key);
+        const current = entry && (!entry.expiresAt || entry.expiresAt >= now) ? entry.value : null;
         const newValue = current ? parseInt(current, 10) + 1 : 1;
-        await this.set(key, String(newValue));
+        // Preserve the original TTL if the entry exists
+        this.store.set(key, { value: String(newValue), expiresAt: entry?.expiresAt });
         return newValue;
     }
-    // eslint-disable-next-line @typescript-eslint/require-await
     async exists(key) {
         const entry = this.store.get(key);
         if (!entry) {
@@ -50,7 +51,6 @@ export class InMemoryStorage {
         }
         return true;
     }
-    // eslint-disable-next-line @typescript-eslint/require-await
     async atomicUpdate(key, updater) {
         // Read synchronously from the Map to avoid yielding to the event loop between
         // read and write (JavaScript is single-threaded; no I/O = no interleaving).

package/dist/server/storage/index.d.ts

@@ -1,11 +1,19 @@
 /**
  * Storage Factory
  *
- * Selects storage backend based on configuration
+ * Selects storage backend based on configuration.
  * Priority: Database > In-Memory
  *
- * Note: Uses database storage for distributed rate limiting (works with ElectricSQL sync).
- * ElectricSQL handles client-side sync, database handles server-side storage.
+ * Architecture Decision (2026-03-11):
+ * Production deployments use DatabaseStorage backed by NeonDB (PostgreSQL).
+ * Neon's serverless driver uses HTTP (not persistent connections), so each
+ * rate limit check is a single HTTP round-trip (~30-50ms). State persists
+ * across Vercel cold starts because it lives in PostgreSQL, not process memory.
+ * This is acceptable for current scale. If sub-10ms latency becomes critical,
+ * add an ElectricSQL/PGlite adapter implementing the Storage interface.
+ *
+ * In-memory storage is ONLY used in development (throws in production if
+ * DATABASE_URL is missing).
  */
 import type { Storage } from './interface.js';
 /**

package/dist/server/storage/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/storage/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAMH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAA;AAI7C;;GAEG;AACH,wBAAgB,UAAU,IAAI,OAAO,CAkCpC;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,OAAO,CAevC;AAED;;GAEG;AACH,wBAAgB,YAAY,IAAI,IAAI,CAEnC;AAED,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAA;AAE/C,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AAChD,YAAY,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/storage/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAMH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAI9C;;GAEG;AACH,wBAAgB,UAAU,IAAI,OAAO,CA6CpC;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,OAAO,CAevC;AAED;;GAEG;AACH,wBAAgB,YAAY,IAAI,IAAI,CAEnC;AAED,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAEhD,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,YAAY,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC"}