@revealui/auth 0.2.1 → 0.3.2

package/dist/server/password-reset.js

@@ -37,7 +37,10 @@ function generateSalt() {
 export async function generatePasswordResetToken(email) {
     try {
         const db = getClient();
-        // Find user by email
+        // Find user by email — intentionally does NOT check user.password.
+        // OAuth-only users (password: null) can use this flow to set a password,
+        // giving them a fallback login method independent of their OAuth provider.
+        // This is safe because the reset link is sent to their verified email.
         const [user] = await db.select().from(users).where(eq(users.email, email)).limit(1);
         if (!user) {
             // Don't reveal if user exists (security best practice)
@@ -195,6 +198,46 @@ export async function resetPasswordWithToken(tokenId, token, newPassword) {
         };
     }
 }
+/**
+ * Change password for an authenticated user.
+ *
+ * Verifies the current password before updating. Does not touch sessions —
+ * the caller is responsible for revoking other sessions if desired.
+ *
+ * @param userId - Authenticated user ID
+ * @param currentPassword - Plain-text current password to verify
+ * @param newPassword - Plain-text new password to hash and store
+ */
+export async function changePassword(userId, currentPassword, newPassword) {
+    try {
+        const db = getClient();
+        const [user] = await db
+            .select({ id: users.id, password: users.password })
+            .from(users)
+            .where(eq(users.id, userId))
+            .limit(1);
+        if (!user) {
+            return { success: false, error: 'User not found.' };
+        }
+        if (!user.password) {
+            return {
+                success: false,
+                error: 'No password is set on this account. Use the password reset link to set one.',
+            };
+        }
+        const currentValid = await bcrypt.compare(currentPassword, user.password);
+        if (!currentValid) {
+            return { success: false, error: 'Current password is incorrect.' };
+        }
+        const newHash = await bcrypt.hash(newPassword, 12);
+        await db.update(users).set({ password: newHash }).where(eq(users.id, userId));
+        return { success: true };
+    }
+    catch (error) {
+        logger.error('Error changing password', error instanceof Error ? error : new Error(String(error)));
+        return { success: false, error: 'An unexpected error occurred.' };
+    }
+}
 /**
  * Invalidates a password reset token
  *

package/dist/server/password-validation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"password-validation.d.ts","sourceRoot":"","sources":["../../src/server/password-validation.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,WAAW,wBAAwB;IACvC,KAAK,EAAE,OAAO,CAAA;IACd,MAAM,EAAE,MAAM,EAAE,CAAA;CACjB;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CAAC,QAAQ,EAAE,MAAM,GAAG,wBAAwB,CAgCnF;AAED;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAE1E"}
+{"version":3,"file":"password-validation.d.ts","sourceRoot":"","sources":["../../src/server/password-validation.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,WAAW,wBAAwB;IACvC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CAAC,QAAQ,EAAE,MAAM,GAAG,wBAAwB,CAgCnF;AAED;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAE1E"}

package/dist/server/providers/github.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"github.d.ts","sourceRoot":"","sources":["../../../src/server/providers/github.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAE/C,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAOzF;AAED,wBAAsB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CA4BrF;AAED,wBAAsB,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CA2C1E"}
+{"version":3,"file":"github.d.ts","sourceRoot":"","sources":["../../../src/server/providers/github.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEhD,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAOzF;AAED,wBAAsB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAoCrF;AAED,wBAAsB,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAkD1E"}

package/dist/server/providers/github.js

@@ -20,7 +20,6 @@ export async function exchangeCode(code, redirectUri) {
         method: 'POST',
         headers: {
             'Content-Type': 'application/x-www-form-urlencoded',
-            // biome-ignore lint/style/useNamingConvention: HTTP header names are case-sensitive per RFC 7230
             Accept: 'application/json',
         },
         body: new URLSearchParams({
@@ -31,7 +30,15 @@ export async function exchangeCode(code, redirectUri) {
         }),
     });
     if (!response.ok) {
-        throw new Error(`GitHub token exchange failed: ${response.status}`);
+        let detail = '';
+        try {
+            const err = (await response.json());
+            detail = err.error_description ?? err.error ?? '';
+        }
+        catch {
+            // Response body not JSON — use status only
+        }
+        throw new Error(`GitHub token exchange failed: ${response.status}${detail ? ` — ${detail}` : ''}`);
     }
     const data = (await response.json());
     if (data.error) {
@@ -44,14 +51,20 @@ export async function exchangeCode(code, redirectUri) {
 }
 export async function fetchUser(accessToken) {
     const headers = {
-        // biome-ignore lint/style/useNamingConvention: HTTP header names are case-sensitive per RFC 7230
         Authorization: `Bearer ${accessToken}`,
-        // biome-ignore lint/style/useNamingConvention: HTTP header names are case-sensitive per RFC 7230
         Accept: 'application/vnd.github+json',
     };
     const userResponse = await fetch('https://api.github.com/user', { headers });
     if (!userResponse.ok) {
-        throw new Error(`GitHub user fetch failed: ${userResponse.status}`);
+        let detail = '';
+        try {
+            const err = (await userResponse.json());
+            detail = err.message ?? '';
+        }
+        catch {
+            // Response body not JSON
+        }
+        throw new Error(`GitHub user fetch failed: ${userResponse.status}${detail ? ` — ${detail}` : ''}`);
     }
     const user = (await userResponse.json());
     let email = user.email ?? null;

package/dist/server/providers/google.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"google.d.ts","sourceRoot":"","sources":["../../../src/server/providers/google.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAE/C,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CASzF;AAED,wBAAsB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAsBrF;AAED,wBAAsB,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAuB1E"}
+{"version":3,"file":"google.d.ts","sourceRoot":"","sources":["../../../src/server/providers/google.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEhD,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CASzF;AAED,wBAAsB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CA+BrF;AAED,wBAAsB,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CA+B1E"}

package/dist/server/providers/google.js

@@ -27,7 +27,15 @@ export async function exchangeCode(code, redirectUri) {
         }),
     });
     if (!response.ok) {
-        throw new Error(`Google token exchange failed: ${response.status}`);
+        let detail = '';
+        try {
+            const err = (await response.json());
+            detail = err.error_description ?? err.error ?? '';
+        }
+        catch {
+            // Response body not JSON — use status only
+        }
+        throw new Error(`Google token exchange failed: ${response.status}${detail ? ` — ${detail}` : ''}`);
     }
     const data = (await response.json());
     if (!data.access_token || typeof data.access_token !== 'string') {
@@ -37,11 +45,18 @@ export async function exchangeCode(code, redirectUri) {
 }
 export async function fetchUser(accessToken) {
     const response = await fetch('https://openidconnect.googleapis.com/v1/userinfo', {
-        // biome-ignore lint/style/useNamingConvention: HTTP header names are case-sensitive per RFC 7230
         headers: { Authorization: `Bearer ${accessToken}` },
     });
     if (!response.ok) {
-        throw new Error(`Google userinfo fetch failed: ${response.status}`);
+        let detail = '';
+        try {
+            const err = (await response.json());
+            detail = err.error?.message ?? '';
+        }
+        catch {
+            // Response body not JSON
+        }
+        throw new Error(`Google userinfo fetch failed: ${response.status}${detail ? ` — ${detail}` : ''}`);
     }
     const data = (await response.json());
     return {

package/dist/server/providers/vercel.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"vercel.d.ts","sourceRoot":"","sources":["../../../src/server/providers/vercel.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAE/C,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAMzF;AAED,wBAAsB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAkBrF;AAED,wBAAsB,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CA2B1E"}
+{"version":3,"file":"vercel.d.ts","sourceRoot":"","sources":["../../../src/server/providers/vercel.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEhD,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAMzF;AAED,wBAAsB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CA2BrF;AAED,wBAAsB,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAiC1E"}

package/dist/server/providers/vercel.js

@@ -23,18 +23,33 @@ export async function exchangeCode(code, redirectUri) {
         }),
     });
     if (!response.ok) {
-        throw new Error(`Vercel token exchange failed: ${response.status}`);
+        let detail = '';
+        try {
+            const err = (await response.json());
+            detail = err.error_description ?? err.error ?? '';
+        }
+        catch {
+            // Response body not JSON — use status only
+        }
+        throw new Error(`Vercel token exchange failed: ${response.status}${detail ? ` — ${detail}` : ''}`);
     }
     const data = (await response.json());
     return data.access_token;
 }
 export async function fetchUser(accessToken) {
     const response = await fetch('https://api.vercel.com/v2/user', {
-        // biome-ignore lint/style/useNamingConvention: HTTP header names are case-sensitive per RFC 7230
         headers: { Authorization: `Bearer ${accessToken}` },
     });
     if (!response.ok) {
-        throw new Error(`Vercel user fetch failed: ${response.status}`);
+        let detail = '';
+        try {
+            const err = (await response.json());
+            detail = err.error?.message ?? '';
+        }
+        catch {
+            // Response body not JSON
+        }
+        throw new Error(`Vercel user fetch failed: ${response.status}${detail ? ` — ${detail}` : ''}`);
     }
     const data = (await response.json());
     const u = data.user;

package/dist/server/rate-limit.d.ts

@@ -2,7 +2,7 @@
  * Rate Limiting Utilities
  *
  * Rate limiting for authentication endpoints using storage abstraction.
- * Supports in-memory (dev), Redis (production), or database (fallback).
+ * Supports in-memory (dev) or database (production) backends.
  */
 /**
  * Rate limit configuration
@@ -12,6 +12,15 @@ export interface RateLimitConfig {
     windowMs: number;
     blockDurationMs?: number;
 }
+/**
+ * Override default rate limit configuration globally.
+ * Per-call config parameters still take precedence.
+ */
+export declare function configureRateLimit(overrides: Partial<RateLimitConfig>): void;
+/**
+ * Reset rate limit configuration to defaults (for testing).
+ */
+export declare function resetRateLimitConfig(): void;
 /**
  * Checks if an action should be rate limited
  *

package/dist/server/rate-limit.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/server/rate-limit.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,WAAW,EAAE,MAAM,CAAA;IACnB,QAAQ,EAAE,MAAM,CAAA;IAChB,eAAe,CAAC,EAAE,MAAM,CAAA;CACzB;AAqCD;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,GAAG,EAAE,MAAM,EACX,MAAM,GAAE,eAAgC,GACvC,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAuDnE;AAED;;;;GAIG;AACH,wBAAsB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAI/D;AAED;;;;;;GAMG;AACH,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,MAAM,EACX,MAAM,GAAE,eAAgC,GACvC,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAqBhE"}
+{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/server/rate-limit.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAUD;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,OAAO,CAAC,eAAe,CAAC,GAAG,IAAI,CAE5E;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,IAAI,CAE3C;AA+BD;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,GAAG,EAAE,MAAM,EACX,MAAM,GAAE,eAA8B,GACrC,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CA4DnE;AAED;;;;GAIG;AACH,wBAAsB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAI/D;AAED;;;;;;GAMG;AACH,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,MAAM,EACX,MAAM,GAAE,eAA8B,GACrC,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAqBhE"}

package/dist/server/rate-limit.js

@@ -2,7 +2,7 @@
  * Rate Limiting Utilities
  *
  * Rate limiting for authentication endpoints using storage abstraction.
- * Supports in-memory (dev), Redis (production), or database (fallback).
+ * Supports in-memory (dev) or database (production) backends.
  */
 import { getStorage } from './storage/index.js';
 const DEFAULT_CONFIG = {
@@ -10,6 +10,20 @@ const DEFAULT_CONFIG = {
     windowMs: 15 * 60 * 1000, // 15 minutes
     blockDurationMs: 30 * 60 * 1000, // 30 minutes block after max attempts
 };
+let globalConfig = { ...DEFAULT_CONFIG };
+/**
+ * Override default rate limit configuration globally.
+ * Per-call config parameters still take precedence.
+ */
+export function configureRateLimit(overrides) {
+    globalConfig = { ...DEFAULT_CONFIG, ...overrides };
+}
+/**
+ * Reset rate limit configuration to defaults (for testing).
+ */
+export function resetRateLimitConfig() {
+    globalConfig = { ...DEFAULT_CONFIG };
+}
 /**
  * Serialize rate limit entry to string
  */
@@ -43,54 +57,58 @@ function getStorageKey(key) {
  * @param config - Rate limit configuration
  * @returns Rate limit result
  */
-export async function checkRateLimit(key, config = DEFAULT_CONFIG) {
+export async function checkRateLimit(key, config = globalConfig) {
     const storage = getStorage();
     const storageKey = getStorageKey(key);
     const now = Date.now();
-    // Get existing entry
-    const entryData = await storage.get(storageKey);
-    let entry = deserializeEntry(entryData);
-    // Clean up expired entries
-    if (entry && entry.resetAt < now) {
-        await storage.del(storageKey);
-        entry = null;
-    }
-    // Get or create entry
-    const currentEntry = entry || {
-        count: 0,
-        resetAt: now + config.windowMs,
-    };
-    // Check if blocked
-    if (config.blockDurationMs && currentEntry.count >= config.maxAttempts) {
-        const blockUntil = now + config.blockDurationMs;
-        // Extend the storage TTL so the entry outlives the block period.
-        // Without this, the entry expires at resetAt (end of the rate-limit window)
-        // before the block expires, letting the user back in prematurely.
-        const blockTtlSeconds = Math.ceil(config.blockDurationMs / 1000);
-        await storage.set(storageKey, serializeEntry(currentEntry), blockTtlSeconds);
-        return {
-            allowed: false,
-            remaining: 0,
-            resetAt: blockUntil,
+    // Use atomicUpdate to avoid the read-modify-write race condition.
+    // The result is captured via closure since atomicUpdate returns void.
+    let result;
+    const updater = (entryData) => {
+        let entry = deserializeEntry(entryData);
+        // Clean up expired entries
+        if (entry && entry.resetAt < now) {
+            entry = null;
+        }
+        // Get or create entry
+        const currentEntry = entry || {
+            count: 0,
+            resetAt: now + config.windowMs,
         };
-    }
-    // Check if within window
-    if (currentEntry.count >= config.maxAttempts) {
-        return {
-            allowed: false,
-            remaining: 0,
+        // Check if blocked
+        if (config.blockDurationMs && currentEntry.count >= config.maxAttempts) {
+            const blockUntil = now + config.blockDurationMs;
+            const blockTtlSeconds = Math.ceil(config.blockDurationMs / 1000);
+            result = { allowed: false, remaining: 0, resetAt: blockUntil };
+            return { value: serializeEntry(currentEntry), ttlSeconds: blockTtlSeconds };
+        }
+        // Check if within window
+        if (currentEntry.count >= config.maxAttempts) {
+            const ttlSeconds = Math.ceil((currentEntry.resetAt - now) / 1000);
+            result = { allowed: false, remaining: 0, resetAt: currentEntry.resetAt };
+            return { value: serializeEntry(currentEntry), ttlSeconds };
+        }
+        // Increment and update
+        currentEntry.count++;
+        const ttlSeconds = Math.ceil((currentEntry.resetAt - now) / 1000);
+        result = {
+            allowed: true,
+            remaining: config.maxAttempts - currentEntry.count,
             resetAt: currentEntry.resetAt,
         };
-    }
-    // Increment and update
-    currentEntry.count++;
-    const ttlSeconds = Math.ceil((currentEntry.resetAt - now) / 1000);
-    await storage.set(storageKey, serializeEntry(currentEntry), ttlSeconds);
-    return {
-        allowed: true,
-        remaining: config.maxAttempts - currentEntry.count,
-        resetAt: currentEntry.resetAt,
+        return { value: serializeEntry(currentEntry), ttlSeconds };
     };
+    if (storage.atomicUpdate) {
+        await storage.atomicUpdate(storageKey, updater);
+    }
+    else {
+        // Fallback for storage backends without atomicUpdate
+        const existing = await storage.get(storageKey);
+        const { value, ttlSeconds } = updater(existing);
+        await storage.set(storageKey, value, ttlSeconds);
+    }
+    // biome-ignore lint/style/noNonNullAssertion: result is always assigned by updater before this point
+    return result;
 }
 /**
  * Resets rate limit for a key
@@ -109,7 +127,7 @@ export async function resetRateLimit(key) {
  * @param config - Rate limit configuration
  * @returns Rate limit status
  */
-export async function getRateLimitStatus(key, config = DEFAULT_CONFIG) {
+export async function getRateLimitStatus(key, config = globalConfig) {
     const storage = getStorage();
     const storageKey = getStorageKey(key);
     const now = Date.now();

package/dist/server/session.d.ts

@@ -5,17 +5,54 @@
  * Sessions are stored in PostgreSQL and validated on each request.
  */
 import type { Session, User } from '../types.js';
+export interface SessionBindingConfig {
+    /** Invalidate session when user-agent changes (default: true) */
+    enforceUserAgent: boolean;
+    /** Invalidate session when IP address changes (default: false — users roam) */
+    enforceIp: boolean;
+    /** Log a warning when IP changes but don't invalidate (default: true) */
+    warnOnIpChange: boolean;
+}
+/** Override session binding behaviour (useful for tests or strict deployments). */
+export declare function configureSessionBinding(overrides: Partial<SessionBindingConfig>): void;
+/** Reset to defaults (for tests). */
+export declare function resetSessionBindingConfig(): void;
+export interface RequestContext {
+    userAgent?: string;
+    ipAddress?: string;
+}
+/**
+ * Validate that the current request context matches the session's stored
+ * binding values (IP address, user-agent).
+ *
+ * @returns `null` when the session is valid, or a reason string when it should
+ *          be invalidated.
+ */
+export declare function validateSessionBinding(session: Session, ctx: RequestContext): string | null;
 export interface SessionData {
     session: Session;
     user: User;
 }
+/**
+ * Check if a session is a recovery session (created via magic link recovery).
+ *
+ * Recovery sessions are restricted — they should only be used for:
+ * - Changing the password (`/api/auth/change-password`)
+ * - Signing out (`/api/auth/sign-out`)
+ * - Viewing current session (`/api/auth/me`, `/api/auth/session`)
+ *
+ * All other operations (MFA management, passkey management, OAuth linking,
+ * admin actions) should reject recovery sessions.
+ */
+export declare function isRecoverySession(sessionData: SessionData | null): boolean;
 /**
  * Get session from request headers (cookie)
  *
  * @param headers - Request headers containing cookies
+ * @param requestContext - Optional IP / user-agent for session binding validation
  * @returns Session data with user, or null if invalid/expired
  */
-export declare function getSession(headers: Headers): Promise<SessionData | null>;
+export declare function getSession(headers: Headers, requestContext?: RequestContext): Promise<SessionData | null>;
 /**
  * Create a new session for a user
  *
@@ -27,6 +64,28 @@ export declare function createSession(userId: string, options?: {
     persistent?: boolean;
     userAgent?: string;
     ipAddress?: string;
+    expiresAt?: Date;
+    metadata?: Record<string, unknown>;
+}): Promise<{
+    token: string;
+    session: Session;
+}>;
+/**
+ * Rotate a user's session to prevent session fixation attacks.
+ *
+ * Deletes the old session (by token hash) or all sessions for the user,
+ * then creates a fresh session with a new token.
+ *
+ * @param userId - User ID to rotate sessions for
+ * @param options - Rotation options
+ * @returns New session token and session data
+ */
+export declare function rotateSession(userId: string, options?: {
+    /** Raw token of the old session to invalidate. When omitted, all user sessions are deleted. */
+    oldSessionToken?: string;
+    persistent?: boolean;
+    userAgent?: string;
+    ipAddress?: string;
 }): Promise<{
     token: string;
     session: Session;
@@ -43,5 +102,10 @@ export declare function deleteSession(headers: Headers): Promise<boolean>;
  *
  * @param userId - User ID
  */
+/**
+ * Delete all sessions for a user EXCEPT the specified session.
+ * Used for "sign out all other devices" functionality.
+ */
+export declare function deleteOtherUserSessions(userId: string, exceptSessionId: string): Promise<void>;
 export declare function deleteAllUserSessions(userId: string): Promise<void>;
 //# sourceMappingURL=session.d.ts.map

package/dist/server/session.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../src/server/session.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,OAAO,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,aAAa,CAAA;AAIhD,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,OAAO,CAAA;IAChB,IAAI,EAAE,IAAI,CAAA;CACX;AAED;;;;;GAKG;AACH,wBAAsB,UAAU,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAsF9E;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;IACR,UAAU,CAAC,EAAE,OAAO,CAAA;IACpB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB,GACA,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,OAAO,CAAA;CAAE,CAAC,CAgE9C;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAmBtE;AAED;;;;GAIG;AACH,wBAAsB,qBAAqB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAyBzE"}
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../src/server/session.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,OAAO,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AAQjD,MAAM,WAAW,oBAAoB;IACnC,iEAAiE;IACjE,gBAAgB,EAAE,OAAO,CAAC;IAC1B,+EAA+E;IAC/E,SAAS,EAAE,OAAO,CAAC;IACnB,yEAAyE;IACzE,cAAc,EAAE,OAAO,CAAC;CACzB;AAUD,mFAAmF;AACnF,wBAAgB,uBAAuB,CAAC,SAAS,EAAE,OAAO,CAAC,oBAAoB,CAAC,GAAG,IAAI,CAEtF;AAED,qCAAqC;AACrC,wBAAgB,yBAAyB,IAAI,IAAI,CAEhD;AAMD,MAAM,WAAW,cAAc;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,cAAc,GAAG,MAAM,GAAG,IAAI,CA0B3F;AAMD,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,IAAI,CAAC;CACZ;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,iBAAiB,CAAC,WAAW,EAAE,WAAW,GAAG,IAAI,GAAG,OAAO,CAI1E;AAED;;;;;;GAMG;AACH,wBAAsB,UAAU,CAC9B,OAAO,EAAE,OAAO,EAChB,cAAc,CAAC,EAAE,cAAc,GAC9B,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAkH7B;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;IACR,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC,GACA,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,OAAO,CAAA;CAAE,CAAC,CAmE9C;AAED;;;;;;;;;GASG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;IACR,+FAA+F;IAC/F,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,GACA,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,OAAO,CAAA;CAAE,CAAC,CAoC9C;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAoBtE;AAED;;;;GAIG;AACH;;;GAGG;AACH,wBAAsB,uBAAuB,CAC3C,MAAM,EAAE,MAAM,EACd,eAAe,EAAE,MAAM,GACtB,OAAO,CAAC,IAAI,CAAC,CAyBf;AAED,wBAAsB,qBAAqB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAyBzE"}