@sirketio/auth 0.0.1

package/dist/plugins/phone-number/types.d.mts

@@ -0,0 +1,118 @@
+import { User } from "../../types/models.mjs";
+import { InferOptionSchema } from "../../types/plugins.mjs";
+import "../../types/index.mjs";
+import { schema } from "./schema.mjs";
+import { Awaitable, GenericEndpointContext } from "@better-auth/core";
+
+//#region src/plugins/phone-number/types.d.ts
+interface UserWithPhoneNumber extends User {
+  phoneNumber: string;
+  phoneNumberVerified: boolean;
+}
+interface PhoneNumberOptions {
+  /**
+   * Length of the OTP code
+   * @default 6
+   */
+  otpLength?: number | undefined;
+  /**
+   * Send OTP code to the user
+   *
+   * @param phoneNumber
+   * @param code
+   * @returns
+   */
+  sendOTP: (data: {
+    phoneNumber: string;
+    code: string;
+  }, ctx?: GenericEndpointContext | undefined) => Awaitable<void>;
+  /**
+   * Custom OTP verification function
+   *
+   * If provided, this function will be called instead of the internal verification logic.
+   * This is useful when using SMS providers that handle their own OTP generation and verification.
+   *
+   * @param data - Contains phone number and OTP code
+   * @param request - The request object
+   * @returns true if OTP is valid, false otherwise
+   */
+  verifyOTP?: ((data: {
+    phoneNumber: string;
+    code: string;
+  }, ctx?: GenericEndpointContext) => Awaitable<boolean>) | undefined;
+  /**
+   * a callback to send otp on user requesting to reset their password
+   *
+   * @param data - contains phone number and code
+   * @param request - the request object
+   * @returns
+   */
+  sendPasswordResetOTP?: ((data: {
+    phoneNumber: string;
+    code: string;
+  }, ctx?: GenericEndpointContext) => Awaitable<void>) | undefined;
+  /**
+   * Expiry time of the OTP code in seconds
+   * @default 300
+   */
+  expiresIn?: number | undefined;
+  /**
+   * Function to validate phone number
+   *
+   * by default any string is accepted
+   */
+  phoneNumberValidator?: ((phoneNumber: string) => Awaitable<boolean>) | undefined;
+  /**
+   * Require a phone number verification before signing in
+   *
+   * @default false
+   */
+  requireVerification?: boolean | undefined;
+  /**
+   * Callback when phone number is verified
+   */
+  callbackOnVerification?: ((data: {
+    phoneNumber: string;
+    user: UserWithPhoneNumber;
+  }, ctx?: GenericEndpointContext) => Awaitable<void>) | undefined;
+  /**
+   * Sign up user after phone number verification
+   *
+   * the user will be signed up with the temporary email
+   * and the phone number will be updated after verification
+   */
+  signUpOnVerification?: {
+    /**
+     * When a user signs up, a temporary email will be need to be created
+     * to sign up the user. This function should return a temporary email
+     * for the user given the phone number
+     *
+     * @param phoneNumber
+     * @returns string (temporary email)
+     */
+    getTempEmail: (phoneNumber: string) => string;
+    /**
+     * When a user signs up, a temporary name will be need to be created
+     * to sign up the user. This function should return a temporary name
+     * for the user given the phone number
+     *
+     * @param phoneNumber
+     * @returns string (temporary name)
+     *
+     * @default phoneNumber - the phone number will be used as the name
+     */
+    getTempName?: (phoneNumber: string) => string;
+  } | undefined;
+  /**
+   * Custom schema for the admin plugin
+   */
+  schema?: InferOptionSchema<typeof schema> | undefined;
+  /**
+   * Allowed attempts for the OTP code
+   * @default 3
+   */
+  allowedAttempts?: number | undefined;
+}
+//#endregion
+export { PhoneNumberOptions, UserWithPhoneNumber };
+//# sourceMappingURL=types.d.mts.map

package/dist/plugins/two-factor/backup-codes/index.d.mts

@@ -0,0 +1,279 @@
+import { UserWithTwoFactor } from "../types.mjs";
+import * as better_call0 from "better-call";
+import * as z from "zod";
+
+//#region src/plugins/two-factor/backup-codes/index.d.ts
+interface BackupCodeOptions {
+  /**
+   * The amount of backup codes to generate
+   *
+   * @default 10
+   */
+  amount?: number | undefined;
+  /**
+   * The length of the backup codes
+   *
+   * @default 10
+   */
+  length?: number | undefined;
+  /**
+   * An optional custom function to generate backup codes
+   */
+  customBackupCodesGenerate?: (() => string[]) | undefined;
+  /**
+   * How to store the backup codes in the database, whether encrypted or plain.
+   */
+  storeBackupCodes?: ("plain" | "encrypted" | {
+    encrypt: (token: string) => Promise<string>;
+    decrypt: (token: string) => Promise<string>;
+  }) | undefined;
+}
+declare function generateBackupCodes(secret: string, options?: BackupCodeOptions | undefined): Promise<{
+  backupCodes: string[];
+  encryptedBackupCodes: string;
+}>;
+declare function verifyBackupCode(data: {
+  backupCodes: string;
+  code: string;
+}, key: string, options?: BackupCodeOptions | undefined): Promise<{
+  status: boolean;
+  updated: null;
+} | {
+  status: boolean;
+  updated: string[];
+}>;
+declare function getBackupCodes(backupCodes: string, key: string, options?: BackupCodeOptions | undefined): Promise<string[] | null>;
+declare const backupCode2fa: (opts: BackupCodeOptions) => {
+  id: "backup_code";
+  endpoints: {
+    /**
+     * ### Endpoint
+     *
+     * POST `/two-factor/verify-backup-code`
+     *
+     * ### API Methods
+     *
+     * **server:**
+     * `auth.api.verifyBackupCode`
+     *
+     * **client:**
+     * `authClient.twoFactor.verifyBackupCode`
+     *
+     * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#api-method-two-factor-verify-backup-code)
+     */
+    verifyBackupCode: better_call0.StrictEndpoint<"/two-factor/verify-backup-code", {
+      method: "POST";
+      body: z.ZodObject<{
+        code: z.ZodString;
+        disableSession: z.ZodOptional<z.ZodBoolean>;
+        trustDevice: z.ZodOptional<z.ZodBoolean>;
+      }, z.core.$strip>;
+      metadata: {
+        openapi: {
+          description: string;
+          responses: {
+            "200": {
+              description: string;
+              content: {
+                "application/json": {
+                  schema: {
+                    type: "object";
+                    properties: {
+                      user: {
+                        type: string;
+                        properties: {
+                          id: {
+                            type: string;
+                            description: string;
+                          };
+                          email: {
+                            type: string;
+                            format: string;
+                            nullable: boolean;
+                            description: string;
+                          };
+                          emailVerified: {
+                            type: string;
+                            nullable: boolean;
+                            description: string;
+                          };
+                          name: {
+                            type: string;
+                            nullable: boolean;
+                            description: string;
+                          };
+                          image: {
+                            type: string;
+                            format: string;
+                            nullable: boolean;
+                            description: string;
+                          };
+                          twoFactorEnabled: {
+                            type: string;
+                            description: string;
+                          };
+                          createdAt: {
+                            type: string;
+                            format: string;
+                            description: string;
+                          };
+                          updatedAt: {
+                            type: string;
+                            format: string;
+                            description: string;
+                          };
+                        };
+                        required: string[];
+                        description: string;
+                      };
+                      session: {
+                        type: string;
+                        properties: {
+                          token: {
+                            type: string;
+                            description: string;
+                          };
+                          userId: {
+                            type: string;
+                            description: string;
+                          };
+                          createdAt: {
+                            type: string;
+                            format: string;
+                            description: string;
+                          };
+                          expiresAt: {
+                            type: string;
+                            format: string;
+                            description: string;
+                          };
+                        };
+                        required: string[];
+                        description: string;
+                      };
+                    };
+                    required: string[];
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    }, {
+      token: string | undefined;
+      user: (Record<string, any> & {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        email: string;
+        emailVerified: boolean;
+        name: string;
+        image?: string | null | undefined;
+      }) | UserWithTwoFactor;
+    }>;
+    /**
+     * ### Endpoint
+     *
+     * POST `/two-factor/generate-backup-codes`
+     *
+     * ### API Methods
+     *
+     * **server:**
+     * `auth.api.generateBackupCodes`
+     *
+     * **client:**
+     * `authClient.twoFactor.generateBackupCodes`
+     *
+     * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#api-method-two-factor-generate-backup-codes)
+     */
+    generateBackupCodes: better_call0.StrictEndpoint<"/two-factor/generate-backup-codes", {
+      method: "POST";
+      body: z.ZodObject<{
+        password: z.ZodString;
+      }, z.core.$strip>;
+      use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
+        session: {
+          session: Record<string, any> & {
+            id: string;
+            createdAt: Date;
+            updatedAt: Date;
+            userId: string;
+            expiresAt: Date;
+            token: string;
+            ipAddress?: string | null | undefined;
+            userAgent?: string | null | undefined;
+          };
+          user: Record<string, any> & {
+            id: string;
+            createdAt: Date;
+            updatedAt: Date;
+            email: string;
+            emailVerified: boolean;
+            name: string;
+            image?: string | null | undefined;
+          };
+        };
+      }>)[];
+      metadata: {
+        openapi: {
+          description: string;
+          responses: {
+            "200": {
+              description: string;
+              content: {
+                "application/json": {
+                  schema: {
+                    type: "object";
+                    properties: {
+                      status: {
+                        type: string;
+                        description: string;
+                        enum: boolean[];
+                      };
+                      backupCodes: {
+                        type: string;
+                        items: {
+                          type: string;
+                        };
+                        description: string;
+                      };
+                    };
+                    required: string[];
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    }, {
+      status: boolean;
+      backupCodes: string[];
+    }>;
+    /**
+     * ### Endpoint
+     *
+     * POST `/two-factor/view-backup-codes`
+     *
+     * ### API Methods
+     *
+     * **server:**
+     * `auth.api.viewBackupCodes`
+     *
+     * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#api-method-two-factor-view-backup-codes)
+     */
+    viewBackupCodes: better_call0.StrictEndpoint<string, {
+      method: "POST";
+      body: z.ZodObject<{
+        userId: z.ZodCoercedString<unknown>;
+      }, z.core.$strip>;
+    }, {
+      status: boolean;
+      backupCodes: string[];
+    }>;
+  };
+};
+//#endregion
+export { BackupCodeOptions, backupCode2fa, generateBackupCodes, getBackupCodes, verifyBackupCode };
+//# sourceMappingURL=index.d.mts.map

package/dist/plugins/two-factor/backup-codes/index.mjs

@@ -0,0 +1,277 @@
+import { parseUserOutput } from "../../../db/schema.mjs";
+import { generateRandomString } from "../../../crypto/random.mjs";
+import { symmetricDecrypt, symmetricEncrypt } from "../../../crypto/index.mjs";
+import { sessionMiddleware } from "../../../api/routes/session.mjs";
+import "../../../api/index.mjs";
+import { TWO_FACTOR_ERROR_CODES } from "../error-code.mjs";
+import { verifyTwoFactor } from "../verify-two-factor.mjs";
+import { APIError } from "@better-auth/core/error";
+import { safeJSONParse } from "@better-auth/core/utils/json";
+import { createAuthEndpoint } from "@better-auth/core/api";
+import * as z from "zod";
+
+//#region src/plugins/two-factor/backup-codes/index.ts
+function generateBackupCodesFn(options) {
+	return Array.from({ length: options?.amount ?? 10 }).fill(null).map(() => generateRandomString(options?.length ?? 10, "a-z", "0-9", "A-Z")).map((code) => `${code.slice(0, 5)}-${code.slice(5)}`);
+}
+async function generateBackupCodes(secret, options) {
+	const backupCodes = options?.customBackupCodesGenerate ? options.customBackupCodesGenerate() : generateBackupCodesFn(options);
+	if (options?.storeBackupCodes === "encrypted") return {
+		backupCodes,
+		encryptedBackupCodes: await symmetricEncrypt({
+			data: JSON.stringify(backupCodes),
+			key: secret
+		})
+	};
+	if (typeof options?.storeBackupCodes === "object" && "encrypt" in options?.storeBackupCodes) return {
+		backupCodes,
+		encryptedBackupCodes: await options?.storeBackupCodes.encrypt(JSON.stringify(backupCodes))
+	};
+	return {
+		backupCodes,
+		encryptedBackupCodes: JSON.stringify(backupCodes)
+	};
+}
+async function verifyBackupCode(data, key, options) {
+	const codes = await getBackupCodes(data.backupCodes, key, options);
+	if (!codes) return {
+		status: false,
+		updated: null
+	};
+	return {
+		status: codes.includes(data.code),
+		updated: codes.filter((code) => code !== data.code)
+	};
+}
+async function getBackupCodes(backupCodes, key, options) {
+	if (options?.storeBackupCodes === "encrypted") return safeJSONParse(await symmetricDecrypt({
+		key,
+		data: backupCodes
+	}));
+	if (typeof options?.storeBackupCodes === "object" && "decrypt" in options?.storeBackupCodes) return safeJSONParse(await options?.storeBackupCodes.decrypt(backupCodes));
+	return safeJSONParse(backupCodes);
+}
+const verifyBackupCodeBodySchema = z.object({
+	code: z.string().meta({ description: `A backup code to verify. Eg: "123456"` }),
+	disableSession: z.boolean().meta({ description: "If true, the session cookie will not be set." }).optional(),
+	trustDevice: z.boolean().meta({ description: "If true, the device will be trusted for 30 days. It'll be refreshed on every sign in request within this time. Eg: true" }).optional()
+});
+const viewBackupCodesBodySchema = z.object({ userId: z.coerce.string().meta({ description: `The user ID to view all backup codes. Eg: "user-id"` }) });
+const generateBackupCodesBodySchema = z.object({ password: z.string().meta({ description: "The users password." }) });
+const backupCode2fa = (opts) => {
+	const twoFactorTable = "twoFactor";
+	return {
+		id: "backup_code",
+		endpoints: {
+			verifyBackupCode: createAuthEndpoint("/two-factor/verify-backup-code", {
+				method: "POST",
+				body: verifyBackupCodeBodySchema,
+				metadata: { openapi: {
+					description: "Verify a backup code for two-factor authentication",
+					responses: { "200": {
+						description: "Backup code verified successfully",
+						content: { "application/json": { schema: {
+							type: "object",
+							properties: {
+								user: {
+									type: "object",
+									properties: {
+										id: {
+											type: "string",
+											description: "Unique identifier of the user"
+										},
+										email: {
+											type: "string",
+											format: "email",
+											nullable: true,
+											description: "User's email address"
+										},
+										emailVerified: {
+											type: "boolean",
+											nullable: true,
+											description: "Whether the email is verified"
+										},
+										name: {
+											type: "string",
+											nullable: true,
+											description: "User's name"
+										},
+										image: {
+											type: "string",
+											format: "uri",
+											nullable: true,
+											description: "User's profile image URL"
+										},
+										twoFactorEnabled: {
+											type: "boolean",
+											description: "Whether two-factor authentication is enabled for the user"
+										},
+										createdAt: {
+											type: "string",
+											format: "date-time",
+											description: "Timestamp when the user was created"
+										},
+										updatedAt: {
+											type: "string",
+											format: "date-time",
+											description: "Timestamp when the user was last updated"
+										}
+									},
+									required: [
+										"id",
+										"twoFactorEnabled",
+										"createdAt",
+										"updatedAt"
+									],
+									description: "The authenticated user object with two-factor details"
+								},
+								session: {
+									type: "object",
+									properties: {
+										token: {
+											type: "string",
+											description: "Session token"
+										},
+										userId: {
+											type: "string",
+											description: "ID of the user associated with the session"
+										},
+										createdAt: {
+											type: "string",
+											format: "date-time",
+											description: "Timestamp when the session was created"
+										},
+										expiresAt: {
+											type: "string",
+											format: "date-time",
+											description: "Timestamp when the session expires"
+										}
+									},
+									required: [
+										"token",
+										"userId",
+										"createdAt",
+										"expiresAt"
+									],
+									description: "The current session object, included unless disableSession is true"
+								}
+							},
+							required: ["user", "session"]
+						} } }
+					} }
+				} }
+			}, async (ctx) => {
+				const { session, valid } = await verifyTwoFactor(ctx);
+				const user = session.user;
+				const twoFactor = await ctx.context.adapter.findOne({
+					model: twoFactorTable,
+					where: [{
+						field: "userId",
+						value: user.id
+					}]
+				});
+				if (!twoFactor) throw APIError.from("BAD_REQUEST", TWO_FACTOR_ERROR_CODES.BACKUP_CODES_NOT_ENABLED);
+				const validate = await verifyBackupCode({
+					backupCodes: twoFactor.backupCodes,
+					code: ctx.body.code
+				}, ctx.context.secret, opts);
+				if (!validate.status) throw APIError.from("UNAUTHORIZED", TWO_FACTOR_ERROR_CODES.INVALID_BACKUP_CODE);
+				const updatedBackupCodes = await symmetricEncrypt({
+					key: ctx.context.secret,
+					data: JSON.stringify(validate.updated)
+				});
+				if (!await ctx.context.adapter.update({
+					model: twoFactorTable,
+					update: { backupCodes: updatedBackupCodes },
+					where: [{
+						field: "id",
+						value: twoFactor.id
+					}, {
+						field: "backupCodes",
+						value: twoFactor.backupCodes
+					}]
+				})) throw APIError.fromStatus("CONFLICT", { message: "Failed to verify backup code. Please try again." });
+				if (!ctx.body.disableSession) return valid(ctx);
+				return ctx.json({
+					token: session.session?.token,
+					user: parseUserOutput(ctx.context.options, session.user)
+				});
+			}),
+			generateBackupCodes: createAuthEndpoint("/two-factor/generate-backup-codes", {
+				method: "POST",
+				body: generateBackupCodesBodySchema,
+				use: [sessionMiddleware],
+				metadata: { openapi: {
+					description: "Generate new backup codes for two-factor authentication",
+					responses: { "200": {
+						description: "Backup codes generated successfully",
+						content: { "application/json": { schema: {
+							type: "object",
+							properties: {
+								status: {
+									type: "boolean",
+									description: "Indicates if the backup codes were generated successfully",
+									enum: [true]
+								},
+								backupCodes: {
+									type: "array",
+									items: { type: "string" },
+									description: "Array of generated backup codes in plain text"
+								}
+							},
+							required: ["status", "backupCodes"]
+						} } }
+					} }
+				} }
+			}, async (ctx) => {
+				const user = ctx.context.session.user;
+				if (!user.twoFactorEnabled) throw APIError.from("BAD_REQUEST", TWO_FACTOR_ERROR_CODES.TWO_FACTOR_NOT_ENABLED);
+				await ctx.context.password.checkPassword(user.id, ctx);
+				const twoFactor = await ctx.context.adapter.findOne({
+					model: twoFactorTable,
+					where: [{
+						field: "userId",
+						value: user.id
+					}]
+				});
+				if (!twoFactor) throw APIError.from("BAD_REQUEST", TWO_FACTOR_ERROR_CODES.TWO_FACTOR_NOT_ENABLED);
+				const backupCodes = await generateBackupCodes(ctx.context.secret, opts);
+				await ctx.context.adapter.update({
+					model: twoFactorTable,
+					update: { backupCodes: backupCodes.encryptedBackupCodes },
+					where: [{
+						field: "id",
+						value: twoFactor.id
+					}]
+				});
+				return ctx.json({
+					status: true,
+					backupCodes: backupCodes.backupCodes
+				});
+			}),
+			viewBackupCodes: createAuthEndpoint({
+				method: "POST",
+				body: viewBackupCodesBodySchema
+			}, async (ctx) => {
+				const twoFactor = await ctx.context.adapter.findOne({
+					model: twoFactorTable,
+					where: [{
+						field: "userId",
+						value: ctx.body.userId
+					}]
+				});
+				if (!twoFactor) throw APIError.from("BAD_REQUEST", TWO_FACTOR_ERROR_CODES.BACKUP_CODES_NOT_ENABLED);
+				const decryptedBackupCodes = await getBackupCodes(twoFactor.backupCodes, ctx.context.secret, opts);
+				if (!decryptedBackupCodes) throw APIError.from("BAD_REQUEST", TWO_FACTOR_ERROR_CODES.INVALID_BACKUP_CODE);
+				return ctx.json({
+					status: true,
+					backupCodes: decryptedBackupCodes
+				});
+			})
+		}
+	};
+};
+
+//#endregion
+export { backupCode2fa, generateBackupCodes };
+//# sourceMappingURL=index.mjs.map