@tinyrack/tinyauth-server 0.0.7

package/dist/routes/api/auth/passkey/verify/post.js

@@ -0,0 +1,75 @@
+import { Hono } from 'hono';
+import { describeRoute, resolver, validator } from 'hono-openapi';
+import { z } from 'zod';
+import { OPENAPI_SECURITY } from "../../../../../lib/openapi.js";
+import { TAGS } from "../../../../../lib/swagger-tags.js";
+import { verifyPasskeyChallenge, verifyPending2FAUser, } from "../../../../../middleware/auth.js";
+import { e } from "../../../../../schemas/error.js";
+import { r } from "../../../../../schemas/response.js";
+export const authPasskeyVerifyPost = new Hono().post('/auth/passkey/verify', describeRoute({
+    tags: [TAGS.AUTH],
+    security: OPENAPI_SECURITY.cookieSession,
+    summary: 'Verify Passkey Authentication',
+    description: 'Verify WebAuthn authentication response and create session. ' +
+        'Supports both passwordless login and 2FA. ' +
+        'If a pending 2FA session exists, verifies the passkey belongs to ' +
+        'that user and completes the 2FA flow.',
+    responses: {
+        200: {
+            content: {
+                'application/json': { schema: resolver(r.AuthResponse) },
+            },
+            description: 'Success',
+        },
+        400: {
+            content: {
+                'application/json': {
+                    schema: resolver(e.PasskeyNotEnabled.Schema),
+                },
+            },
+            description: 'Passkey not enabled, challenge not found, or verification failed',
+        },
+        403: {
+            content: {
+                'application/json': {
+                    schema: resolver(e.PasskeyUserMismatch.Schema),
+                },
+            },
+            description: 'Passkey user mismatch',
+        },
+        404: {
+            content: {
+                'application/json': {
+                    schema: resolver(e.PasskeyNotFound.Schema),
+                },
+            },
+            description: 'Passkey not found',
+        },
+    },
+}), validator('json', z.object({
+    response: r.AuthenticationResponseJSON,
+})), verifyPending2FAUser({ optional: true }), verifyPasskeyChallenge(), async (c) => {
+    const config = c.var.services.config;
+    if (!config.auth.passkey.enabled) {
+        throw new e.PasskeyNotEnabled.Error();
+    }
+    const body = c.req.valid('json');
+    const session = c.var.session;
+    const { mikro, passkeyService, userService } = c.var.services;
+    const pending2FA = c.var.verifiedPending2FAUser;
+    const challenge = c.var.verifiedPasskeyChallenge;
+    // Cast for @simplewebauthn compatibility - Zod's inferred type
+    // differs from @simplewebauthn's AuthenticationResponseJSON due to
+    // exactOptionalPropertyTypes (userHandle?: string | undefined vs string).
+    const authResponse = body.response;
+    const passkeyUser = await passkeyService.verifyAuthentication(authResponse, challenge);
+    if (pending2FA && passkeyUser.sub !== pending2FA.user.sub) {
+        throw new e.PasskeyUserMismatch.Error();
+    }
+    const userEntity = await mikro.user.verifyBySub(passkeyUser.sub);
+    const sessionUser = await userService.userEntityToSessionUser(userEntity);
+    const authTime = pending2FA?.authenticatedAt ?? Math.floor(Date.now() / 1000);
+    session.setUserSession(passkeyUser.sub, authTime);
+    return c.json({ user: sessionUser }, 200);
+});
+//# sourceMappingURL=post.js.map

package/dist/routes/api/auth/passkey/verify/post.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"post.js","sourceRoot":"","sources":["../../../../../../src/routes/api/auth/passkey/verify/post.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAClE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAC;AACjE,OAAO,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAC1D,OAAO,EACL,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,mCAAmC,CAAC;AAC3C,OAAO,EAAE,CAAC,EAAE,MAAM,iCAAiC,CAAC;AACpD,OAAO,EAAE,CAAC,EAAE,MAAM,oCAAoC,CAAC;AAEvD,MAAM,CAAC,MAAM,qBAAqB,GAAG,IAAI,IAAI,EAAU,CAAC,IAAI,CAC1D,sBAAsB,EACtB,aAAa,CAAC;IACZ,IAAI,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;IACjB,QAAQ,EAAE,gBAAgB,CAAC,aAAa;IACxC,OAAO,EAAE,+BAA+B;IACxC,WAAW,EACT,8DAA8D;QAC9D,4CAA4C;QAC5C,mEAAmE;QACnE,uCAAuC;IACzC,SAAS,EAAE;QACT,GAAG,EAAE;YACH,OAAO,EAAE;gBACP,kBAAkB,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,EAAE;aACzD;YACD,WAAW,EAAE,SAAS;SACvB;QACD,GAAG,EAAE;YACH,OAAO,EAAE;gBACP,kBAAkB,EAAE;oBAClB,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,iBAAiB,CAAC,MAAM,CAAC;iBAC7C;aACF;YACD,WAAW,EACT,kEAAkE;SACrE;QACD,GAAG,EAAE;YACH,OAAO,EAAE;gBACP,kBAAkB,EAAE;oBAClB,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,mBAAmB,CAAC,MAAM,CAAC;iBAC/C;aACF;YACD,WAAW,EAAE,uBAAuB;SACrC;QACD,GAAG,EAAE;YACH,OAAO,EAAE;gBACP,kBAAkB,EAAE;oBAClB,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,eAAe,CAAC,MAAM,CAAC;iBAC3C;aACF;YACD,WAAW,EAAE,mBAAmB;SACjC;KACF;CACF,CAAC,EACF,SAAS,CACP,MAAM,EACN,CAAC,CAAC,MAAM,CAAC;IACP,QAAQ,EAAE,CAAC,CAAC,0BAA0B;CACvC,CAAC,CACH,EACD,oBAAoB,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,EACxC,sBAAsB,EAAE,EACxB,KAAK,EAAE,CAAC,EAAE,EAAE;IACV,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC;IACrC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QACjC,MAAM,IAAI,CAAC,CAAC,iBAAiB,CAAC,KAAK,EAAE,CAAC;IACxC,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACjC,MAAM,OAAO,GAAG,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC;IAC9B,MAAM,EAAE,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC;IAE9D,MAAM,UAAU,GAAG,CAAC,CAAC,GAAG,CAAC,sBAAsB,CAAC;IAChD,MAAM,SAAS,GAAG,CAAC,CAAC,GAAG,CAAC,wBAAwB,CAAC;IAEjD,+DAA+D;IAC/D,mEAAmE;IACnE,0EAA0E;IAC1E,MAAM,YAAY,GAAG,IAAI,CAAC,QAAsC,CAAC;IAEjE,MAAM,WAAW,GAAG,MAAM,cAAc,CAAC,oBAAoB,CAC3D,YAAY,EACZ,SAAS,CACV,CAAC;IAEF,IAAI,UAAU,IAAI,WAAW,CAAC,GAAG,KAAK,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;QAC1D,MAAM,IAAI,CAAC,CAAC,mBAAmB,CAAC,KAAK,EAAE,CAAC;IAC1C,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACjE,MAAM,WAAW,GAAG,MAAM,WAAW,CAAC,uBAAuB,CAAC,UAAU,CAAC,CAAC;IAE1E,MAAM,QAAQ,GACZ,UAAU,EAAE,eAAe,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAE/D,OAAO,CAAC,cAAc,CAAC,WAAW,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAElD,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,EAAE,GAAG,CAAC,CAAC;AAC5C,CAAC,CACF,CAAC"}

package/dist/routes/api/auth/password/forgot/post.d.ts

@@ -0,0 +1,22 @@
+import type { AppEnv } from '../../../../../lib/app-env.ts';
+export declare const authPasswordForgotPost: import("hono/hono-base").HonoBase<AppEnv, {
+    "/auth/password/forgot": {
+        $post: {
+            input: {
+                header: {
+                    'accept-language'?: string;
+                };
+            } & {
+                json: {
+                    email: string;
+                };
+            };
+            output: {
+                ok: true;
+            };
+            outputFormat: "json";
+            status: 200;
+        };
+    };
+}, "/", "/auth/password/forgot">;
+//# sourceMappingURL=post.d.ts.map

package/dist/routes/api/auth/password/forgot/post.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"post.d.ts","sourceRoot":"","sources":["../../../../../../src/routes/api/auth/password/forgot/post.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,+BAA+B,CAAC;AAM5D,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;gCAoFlC,CAAC"}

package/dist/routes/api/auth/password/forgot/post.js

@@ -0,0 +1,72 @@
+import { Hono } from 'hono';
+import { describeRoute, resolver, validator } from 'hono-openapi';
+import { z } from 'zod';
+import { TAGS } from "../../../../../lib/swagger-tags.js";
+import { e } from "../../../../../schemas/error.js";
+import { f } from "../../../../../schemas/field.js";
+import { r } from "../../../../../schemas/response.js";
+export const authPasswordForgotPost = new Hono().post('/auth/password/forgot', describeRoute({
+    tags: [TAGS.AUTH],
+    summary: 'Request password reset',
+    description: 'Sends a password reset email to the user. Always returns success to prevent email enumeration.',
+    responses: {
+        200: {
+            content: {
+                'application/json': { schema: resolver(r.OkResponse) },
+            },
+            description: 'Success',
+        },
+        400: {
+            content: {
+                'application/json': {
+                    schema: resolver(e.ValidationError.Schema),
+                },
+            },
+            description: 'Validation error',
+        },
+        403: {
+            content: {
+                'application/json': {
+                    schema: resolver(e.EmailNotActivated.Schema),
+                },
+            },
+            description: 'Email service not activated',
+        },
+    },
+}), validator('header', z.object({
+    'accept-language': f.acceptLanguage,
+})), validator('json', z.object({
+    email: f.userEmail,
+})), async (c) => {
+    const services = c.var.services;
+    if (!services.config.auth.password.enabled) {
+        throw new e.ValidationError.Error('Password authentication is disabled');
+    }
+    // Only enable if email service is available
+    if (!services.config.email) {
+        throw new e.EmailNotActivated.Error();
+    }
+    const body = c.req.valid('json');
+    const headers = c.req.valid('header');
+    const { email } = body;
+    try {
+        const resetEntity = await services.passwordResetService.requestPasswordReset(email);
+        if (resetEntity) {
+            services.emailService.sendPasswordResetEmailAsync({
+                email,
+                token: resetEntity.token,
+                locale: headers['accept-language'],
+            });
+        }
+        return c.json({ ok: true }, 200);
+    }
+    catch (error) {
+        // Always return success to prevent email enumeration
+        if (error instanceof e.UserNotEditable.Error ||
+            error instanceof e.UserNotFound.Error) {
+            return c.json({ ok: true }, 200);
+        }
+        throw error;
+    }
+});
+//# sourceMappingURL=post.js.map

package/dist/routes/api/auth/password/forgot/post.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"post.js","sourceRoot":"","sources":["../../../../../../src/routes/api/auth/password/forgot/post.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAClE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAC1D,OAAO,EAAE,CAAC,EAAE,MAAM,iCAAiC,CAAC;AACpD,OAAO,EAAE,CAAC,EAAE,MAAM,iCAAiC,CAAC;AACpD,OAAO,EAAE,CAAC,EAAE,MAAM,oCAAoC,CAAC;AAEvD,MAAM,CAAC,MAAM,sBAAsB,GAAG,IAAI,IAAI,EAAU,CAAC,IAAI,CAC3D,uBAAuB,EACvB,aAAa,CAAC;IACZ,IAAI,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;IACjB,OAAO,EAAE,wBAAwB;IACjC,WAAW,EACT,gGAAgG;IAClG,SAAS,EAAE;QACT,GAAG,EAAE;YACH,OAAO,EAAE;gBACP,kBAAkB,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,EAAE;aACvD;YACD,WAAW,EAAE,SAAS;SACvB;QACD,GAAG,EAAE;YACH,OAAO,EAAE;gBACP,kBAAkB,EAAE;oBAClB,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,eAAe,CAAC,MAAM,CAAC;iBAC3C;aACF;YACD,WAAW,EAAE,kBAAkB;SAChC;QACD,GAAG,EAAE;YACH,OAAO,EAAE;gBACP,kBAAkB,EAAE;oBAClB,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,iBAAiB,CAAC,MAAM,CAAC;iBAC7C;aACF;YACD,WAAW,EAAE,6BAA6B;SAC3C;KACF;CACF,CAAC,EACF,SAAS,CACP,QAAQ,EACR,CAAC,CAAC,MAAM,CAAC;IACP,iBAAiB,EAAE,CAAC,CAAC,cAAc;CACpC,CAAC,CACH,EACD,SAAS,CACP,MAAM,EACN,CAAC,CAAC,MAAM,CAAC;IACP,KAAK,EAAE,CAAC,CAAC,SAAS;CACnB,CAAC,CACH,EACD,KAAK,EAAE,CAAC,EAAE,EAAE;IACV,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC;IAEhC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;QAC3C,MAAM,IAAI,CAAC,CAAC,eAAe,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;IAC3E,CAAC;IAED,4CAA4C;IAC5C,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QAC3B,MAAM,IAAI,CAAC,CAAC,iBAAiB,CAAC,KAAK,EAAE,CAAC;IACxC,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACjC,MAAM,OAAO,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IACtC,MAAM,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC;IAEvB,IAAI,CAAC;QACH,MAAM,WAAW,GACf,MAAM,QAAQ,CAAC,oBAAoB,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAAC;QAElE,IAAI,WAAW,EAAE,CAAC;YAChB,QAAQ,CAAC,YAAY,CAAC,2BAA2B,CAAC;gBAChD,KAAK;gBACL,KAAK,EAAE,WAAW,CAAC,KAAK;gBACxB,MAAM,EAAE,OAAO,CAAC,iBAAiB,CAAC;aACnC,CAAC,CAAC;QACL,CAAC;QAED,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAa,EAAE,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,qDAAqD;QACrD,IACE,KAAK,YAAY,CAAC,CAAC,eAAe,CAAC,KAAK;YACxC,KAAK,YAAY,CAAC,CAAC,YAAY,CAAC,KAAK,EACrC,CAAC;YACD,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAa,EAAE,EAAE,GAAG,CAAC,CAAC;QAC5C,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC,CACF,CAAC"}

package/dist/routes/api/auth/password/reset/post.d.ts

@@ -0,0 +1,19 @@
+import type { AppEnv } from '../../../../../lib/app-env.ts';
+export declare const authPasswordResetPost: import("hono/hono-base").HonoBase<AppEnv, {
+    "/auth/password/reset": {
+        $post: {
+            input: {
+                json: {
+                    token: string;
+                    password: string;
+                };
+            };
+            output: {
+                message: string;
+            };
+            outputFormat: "json";
+            status: 200;
+        };
+    };
+}, "/", "/auth/password/reset">;
+//# sourceMappingURL=post.d.ts.map

package/dist/routes/api/auth/password/reset/post.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"post.d.ts","sourceRoot":"","sources":["../../../../../../src/routes/api/auth/password/reset/post.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,+BAA+B,CAAC;AAM5D,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;+BAyEjC,CAAC"}

package/dist/routes/api/auth/password/reset/post.js

@@ -0,0 +1,62 @@
+import { Hono } from 'hono';
+import { describeRoute, resolver, validator } from 'hono-openapi';
+import { z } from 'zod';
+import { TAGS } from "../../../../../lib/swagger-tags.js";
+import { e } from "../../../../../schemas/error.js";
+import { f } from "../../../../../schemas/field.js";
+import { r } from "../../../../../schemas/response.js";
+export const authPasswordResetPost = new Hono().post('/auth/password/reset', describeRoute({
+    tags: [TAGS.AUTH],
+    summary: 'Reset password',
+    description: 'Resets the user password using a valid reset token.',
+    responses: {
+        200: {
+            content: {
+                'application/json': {
+                    schema: resolver(r.MessageResponse),
+                },
+            },
+            description: 'Success',
+        },
+        400: {
+            content: {
+                'application/json': {
+                    schema: resolver(z.union([
+                        e.InvalidPasswordResetToken.Schema,
+                        e.ValidationError.Schema,
+                    ])),
+                },
+            },
+            description: 'Invalid password reset token or validation error',
+        },
+        403: {
+            content: {
+                'application/json': {
+                    schema: resolver(z.union([e.UserNotEditable.Schema, e.EmailNotActivated.Schema])),
+                },
+            },
+            description: 'User not editable or email service not activated',
+        },
+    },
+}), validator('json', z.object({
+    token: f.token,
+    password: f.newUserPassword,
+})), async (c) => {
+    const services = c.var.services;
+    if (!services.config.auth.password.enabled) {
+        throw new e.ValidationError.Error('Password authentication is disabled');
+    }
+    if (!services.config.email) {
+        throw new e.EmailNotActivated.Error();
+    }
+    const body = c.req.valid('json');
+    const { token, password } = body;
+    await services.passwordResetService.resetPassword({
+        token,
+        password,
+    });
+    return c.json({
+        message: 'Password has been reset successfully.',
+    }, 200);
+});
+//# sourceMappingURL=post.js.map

package/dist/routes/api/auth/password/reset/post.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"post.js","sourceRoot":"","sources":["../../../../../../src/routes/api/auth/password/reset/post.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAClE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAC1D,OAAO,EAAE,CAAC,EAAE,MAAM,iCAAiC,CAAC;AACpD,OAAO,EAAE,CAAC,EAAE,MAAM,iCAAiC,CAAC;AACpD,OAAO,EAAE,CAAC,EAAE,MAAM,oCAAoC,CAAC;AAEvD,MAAM,CAAC,MAAM,qBAAqB,GAAG,IAAI,IAAI,EAAU,CAAC,IAAI,CAC1D,sBAAsB,EACtB,aAAa,CAAC;IACZ,IAAI,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;IACjB,OAAO,EAAE,gBAAgB;IACzB,WAAW,EAAE,qDAAqD;IAClE,SAAS,EAAE;QACT,GAAG,EAAE;YACH,OAAO,EAAE;gBACP,kBAAkB,EAAE;oBAClB,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,eAAe,CAAC;iBACpC;aACF;YACD,WAAW,EAAE,SAAS;SACvB;QACD,GAAG,EAAE;YACH,OAAO,EAAE;gBACP,kBAAkB,EAAE;oBAClB,MAAM,EAAE,QAAQ,CACd,CAAC,CAAC,KAAK,CAAC;wBACN,CAAC,CAAC,yBAAyB,CAAC,MAAM;wBAClC,CAAC,CAAC,eAAe,CAAC,MAAM;qBACzB,CAAC,CACH;iBACF;aACF;YACD,WAAW,EAAE,kDAAkD;SAChE;QACD,GAAG,EAAE;YACH,OAAO,EAAE;gBACP,kBAAkB,EAAE;oBAClB,MAAM,EAAE,QAAQ,CACd,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,eAAe,CAAC,MAAM,EAAE,CAAC,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAChE;iBACF;aACF;YACD,WAAW,EAAE,kDAAkD;SAChE;KACF;CACF,CAAC,EACF,SAAS,CACP,MAAM,EACN,CAAC,CAAC,MAAM,CAAC;IACP,KAAK,EAAE,CAAC,CAAC,KAAK;IACd,QAAQ,EAAE,CAAC,CAAC,eAAe;CAC5B,CAAC,CACH,EACD,KAAK,EAAE,CAAC,EAAE,EAAE;IACV,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC;IAEhC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;QAC3C,MAAM,IAAI,CAAC,CAAC,eAAe,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;IAC3E,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QAC3B,MAAM,IAAI,CAAC,CAAC,iBAAiB,CAAC,KAAK,EAAE,CAAC;IACxC,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACjC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC;IAEjC,MAAM,QAAQ,CAAC,oBAAoB,CAAC,aAAa,CAAC;QAChD,KAAK;QACL,QAAQ;KACT,CAAC,CAAC;IAEH,OAAO,CAAC,CAAC,IAAI,CACX;QACE,OAAO,EAAE,uCAAuC;KACjD,EACD,GAAG,CACJ,CAAC;AACJ,CAAC,CACF,CAAC"}

package/dist/routes/api/auth/register/post.d.ts

@@ -0,0 +1,39 @@
+import type { AppEnv } from '../../../../lib/app-env.ts';
+export declare const authRegisterPost: import("hono/hono-base").HonoBase<AppEnv, {
+    "/auth/register": {
+        $post: {
+            input: {
+                header: {
+                    'accept-language'?: string;
+                };
+            } & {
+                json: {
+                    email: string;
+                    password: string;
+                    consents?: {
+                        termsId: string;
+                        agreed: boolean;
+                        consentType?: "explicit" | "implicit" | undefined;
+                    }[] | undefined;
+                };
+            };
+            output: {
+                user: {
+                    managed_by: "database" | "config";
+                    sub: string;
+                    email: string;
+                    email_verified: boolean;
+                    email_verification_required: boolean;
+                    has_password: boolean;
+                    totp_registered: boolean;
+                    totp_recovery_codes_missing: boolean;
+                    second_factor_required: boolean;
+                    passkey_count: number;
+                };
+            };
+            outputFormat: "json";
+            status: 200;
+        };
+    };
+}, "/", "/auth/register">;
+//# sourceMappingURL=post.d.ts.map

package/dist/routes/api/auth/register/post.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"post.d.ts","sourceRoot":"","sources":["../../../../../src/routes/api/auth/register/post.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAC;AAQzD,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yBA4G5B,CAAC"}

package/dist/routes/api/auth/register/post.js

@@ -0,0 +1,95 @@
+import { Hono } from 'hono';
+import { describeRoute, resolver, validator } from 'hono-openapi';
+import { z } from 'zod';
+import { isEmailAllowed } from "../../../../lib/email-pattern.js";
+import { TAGS } from "../../../../lib/swagger-tags.js";
+import { e } from "../../../../schemas/error.js";
+import { f } from "../../../../schemas/field.js";
+import { r } from "../../../../schemas/response.js";
+import { termsSchema } from "../../../../schemas/terms.js";
+export const authRegisterPost = new Hono().post('/auth/register', describeRoute({
+    tags: [TAGS.AUTH],
+    summary: 'Register',
+    description: 'Register a new user with terms consent and send email verification',
+    responses: {
+        200: {
+            content: {
+                'application/json': { schema: resolver(r.AuthResponse) },
+            },
+            description: 'Success',
+        },
+        400: {
+            content: {
+                'application/json': {
+                    schema: resolver(e.ValidationError.Schema),
+                },
+            },
+            description: 'Validation error',
+        },
+        403: {
+            content: {
+                'application/json': {
+                    schema: resolver(z.union([
+                        e.RegistrationDisabled.Schema,
+                        e.RegistrationEmailNotAllowed.Schema,
+                    ])),
+                },
+            },
+            description: 'Registration disabled or email not allowed',
+        },
+        409: {
+            content: {
+                'application/json': {
+                    schema: resolver(e.EmailAlreadyExists.Schema),
+                },
+            },
+            description: 'Email already exists',
+        },
+    },
+}), validator('header', z.object({
+    'accept-language': f.acceptLanguage,
+})), validator('json', z.object({
+    email: f.userEmail,
+    password: f.newUserPassword,
+    consents: z
+        .array(termsSchema.ConsentItem)
+        .optional()
+        .describe('Terms consent decisions'),
+})), async (c) => {
+    const body = c.req.valid('json');
+    const headers = c.req.valid('header');
+    const { email, password, consents } = body;
+    const { config, userService } = c.var.services;
+    const session = c.var.session;
+    if (!config.auth.password.enabled) {
+        throw new e.ValidationError.Error('Password authentication is disabled');
+    }
+    const { enabled, allowed_email_patterns } = config.registration;
+    // Check if signup is disabled entirely
+    if (!enabled) {
+        throw new e.RegistrationDisabled.Error();
+    }
+    // Check if the email matches allowed patterns
+    if (allowed_email_patterns.length > 0 &&
+        !isEmailAllowed(email, allowed_email_patterns)) {
+        throw new e.RegistrationEmailNotAllowed.Error();
+    }
+    // Register the user (terms consent validation and recording handled inside)
+    const userSession = await userService.register({
+        email,
+        password,
+        locale: headers['accept-language'],
+        ...(consents && { consents }),
+    });
+    if (userSession.email_verification_required) {
+        return c.json({ user: userSession }, 200);
+    }
+    if (userSession.second_factor_required) {
+        session.setPending2FASetupSession(userSession.sub);
+    }
+    else {
+        session.setUserSession(userSession.sub);
+    }
+    return c.json({ user: userSession }, 200);
+});
+//# sourceMappingURL=post.js.map

package/dist/routes/api/auth/register/post.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"post.js","sourceRoot":"","sources":["../../../../../src/routes/api/auth/register/post.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAClE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,cAAc,EAAE,MAAM,kCAAkC,CAAC;AAClE,OAAO,EAAE,IAAI,EAAE,MAAM,iCAAiC,CAAC;AACvD,OAAO,EAAE,CAAC,EAAE,MAAM,8BAA8B,CAAC;AACjD,OAAO,EAAE,CAAC,EAAE,MAAM,8BAA8B,CAAC;AACjD,OAAO,EAAE,CAAC,EAAE,MAAM,iCAAiC,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAE3D,MAAM,CAAC,MAAM,gBAAgB,GAAG,IAAI,IAAI,EAAU,CAAC,IAAI,CACrD,gBAAgB,EAChB,aAAa,CAAC;IACZ,IAAI,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;IACjB,OAAO,EAAE,UAAU;IACnB,WAAW,EACT,oEAAoE;IACtE,SAAS,EAAE;QACT,GAAG,EAAE;YACH,OAAO,EAAE;gBACP,kBAAkB,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,EAAE;aACzD;YACD,WAAW,EAAE,SAAS;SACvB;QACD,GAAG,EAAE;YACH,OAAO,EAAE;gBACP,kBAAkB,EAAE;oBAClB,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,eAAe,CAAC,MAAM,CAAC;iBAC3C;aACF;YACD,WAAW,EAAE,kBAAkB;SAChC;QACD,GAAG,EAAE;YACH,OAAO,EAAE;gBACP,kBAAkB,EAAE;oBAClB,MAAM,EAAE,QAAQ,CACd,CAAC,CAAC,KAAK,CAAC;wBACN,CAAC,CAAC,oBAAoB,CAAC,MAAM;wBAC7B,CAAC,CAAC,2BAA2B,CAAC,MAAM;qBACrC,CAAC,CACH;iBACF;aACF;YACD,WAAW,EAAE,4CAA4C;SAC1D;QACD,GAAG,EAAE;YACH,OAAO,EAAE;gBACP,kBAAkB,EAAE;oBAClB,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,kBAAkB,CAAC,MAAM,CAAC;iBAC9C;aACF;YACD,WAAW,EAAE,sBAAsB;SACpC;KACF;CACF,CAAC,EACF,SAAS,CACP,QAAQ,EACR,CAAC,CAAC,MAAM,CAAC;IACP,iBAAiB,EAAE,CAAC,CAAC,cAAc;CACpC,CAAC,CACH,EACD,SAAS,CACP,MAAM,EACN,CAAC,CAAC,MAAM,CAAC;IACP,KAAK,EAAE,CAAC,CAAC,SAAS;IAClB,QAAQ,EAAE,CAAC,CAAC,eAAe;IAC3B,QAAQ,EAAE,CAAC;SACR,KAAK,CAAC,WAAW,CAAC,WAAW,CAAC;SAC9B,QAAQ,EAAE;SACV,QAAQ,CAAC,yBAAyB,CAAC;CACvC,CAAC,CACH,EACD,KAAK,EAAE,CAAC,EAAE,EAAE;IACV,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACjC,MAAM,OAAO,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IACtC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC;IAC3C,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC;IAC/C,MAAM,OAAO,GAAG,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC;IAE9B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;QAClC,MAAM,IAAI,CAAC,CAAC,eAAe,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;IAC3E,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,sBAAsB,EAAE,GAAG,MAAM,CAAC,YAAY,CAAC;IAEhE,uCAAuC;IACvC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,CAAC,CAAC,oBAAoB,CAAC,KAAK,EAAE,CAAC;IAC3C,CAAC;IAED,8CAA8C;IAC9C,IACE,sBAAsB,CAAC,MAAM,GAAG,CAAC;QACjC,CAAC,cAAc,CAAC,KAAK,EAAE,sBAAsB,CAAC,EAC9C,CAAC;QACD,MAAM,IAAI,CAAC,CAAC,2BAA2B,CAAC,KAAK,EAAE,CAAC;IAClD,CAAC;IAED,4EAA4E;IAC5E,MAAM,WAAW,GAAG,MAAM,WAAW,CAAC,QAAQ,CAAC;QAC7C,KAAK;QACL,QAAQ;QACR,MAAM,EAAE,OAAO,CAAC,iBAAiB,CAAC;QAClC,GAAG,CAAC,QAAQ,IAAI,EAAE,QAAQ,EAAE,CAAC;KAC9B,CAAC,CAAC;IAEH,IAAI,WAAW,CAAC,2BAA2B,EAAE,CAAC;QAC5C,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IAED,IAAI,WAAW,CAAC,sBAAsB,EAAE,CAAC;QACvC,OAAO,CAAC,yBAAyB,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACrD,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,cAAc,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IAC1C,CAAC;IAED,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,EAAE,GAAG,CAAC,CAAC;AAC5C,CAAC,CACF,CAAC"}

package/dist/routes/api/auth/totp/recovery/verify/post.d.ts

@@ -0,0 +1,36 @@
+import type { AppEnv } from '../../../../../../lib/app-env.ts';
+/**
+ * POST /api/auth/totp/recovery/verify
+ *
+ * Complete login by verifying a TOTP recovery code.
+ * Requires pending 2FA session from password login.
+ * Each recovery code is single-use and invalidated upon use.
+ */
+export declare const authTotpRecoveryVerifyPost: import("hono/hono-base").HonoBase<AppEnv, {
+    "/auth/totp/recovery/verify": {
+        $post: {
+            input: {
+                json: {
+                    code: string;
+                };
+            };
+            output: {
+                user: {
+                    managed_by: "database" | "config";
+                    sub: string;
+                    email: string;
+                    email_verified: boolean;
+                    email_verification_required: boolean;
+                    has_password: boolean;
+                    totp_registered: boolean;
+                    totp_recovery_codes_missing: boolean;
+                    second_factor_required: boolean;
+                    passkey_count: number;
+                };
+            };
+            outputFormat: "json";
+            status: 200;
+        };
+    };
+}, "/", "/auth/totp/recovery/verify">;
+//# sourceMappingURL=post.d.ts.map

package/dist/routes/api/auth/totp/recovery/verify/post.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"post.d.ts","sourceRoot":"","sources":["../../../../../../../src/routes/api/auth/totp/recovery/verify/post.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,kCAAkC,CAAC;AAQ/D;;;;;;GAMG;AACH,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;qCAmEtC,CAAC"}

package/dist/routes/api/auth/totp/recovery/verify/post.js

@@ -0,0 +1,68 @@
+import { Hono } from 'hono';
+import { describeRoute, resolver, validator } from 'hono-openapi';
+import { z } from 'zod';
+import { OPENAPI_SECURITY } from "../../../../../../lib/openapi.js";
+import { TAGS } from "../../../../../../lib/swagger-tags.js";
+import { verifyPending2FAUser } from "../../../../../../middleware/auth.js";
+import { e } from "../../../../../../schemas/error.js";
+import { f } from "../../../../../../schemas/field.js";
+import { r } from "../../../../../../schemas/response.js";
+/**
+ * POST /api/auth/totp/recovery/verify
+ *
+ * Complete login by verifying a TOTP recovery code.
+ * Requires pending 2FA session from password login.
+ * Each recovery code is single-use and invalidated upon use.
+ */
+export const authTotpRecoveryVerifyPost = new Hono().post('/auth/totp/recovery/verify', describeRoute({
+    tags: [TAGS.AUTH],
+    security: OPENAPI_SECURITY.cookieSession,
+    summary: 'Verify TOTP recovery code for login',
+    description: 'Complete login by verifying a one-time TOTP recovery code. ' +
+        'Requires pending 2FA session from password login. ' +
+        'Each recovery code can only be used once.',
+    responses: {
+        200: {
+            content: {
+                'application/json': {
+                    schema: resolver(r.UserSessionResponse),
+                },
+            },
+            description: 'Success',
+        },
+        400: {
+            content: {
+                'application/json': {
+                    schema: resolver(e.ValidationError.Schema),
+                },
+            },
+            description: 'Validation error, invalid recovery code, no recovery codes available, or TOTP not enabled',
+        },
+        401: {
+            content: {
+                'application/json': {
+                    schema: resolver(e.SecondFactorSessionExpired.Schema),
+                },
+            },
+            description: 'Second factor session expired',
+        },
+    },
+}), validator('json', z.object({
+    code: f.recoveryCode,
+})), verifyPending2FAUser(), async (c) => {
+    const config = c.var.services.config;
+    if (!config.auth.password.enabled || !config.auth.password.totp.enabled) {
+        throw new e.ValidationError.Error('TOTP authentication is disabled');
+    }
+    const body = c.req.valid('json');
+    const session = c.var.session;
+    const { user: pending2FAUser, authenticatedAt } = c.var.verifiedPending2FAUser;
+    const { mikro, userService, totpService } = c.var.services;
+    await totpService.verifyRecoveryCode(pending2FAUser.sub, body.code);
+    session.setUserSession(pending2FAUser.sub, authenticatedAt);
+    // Load full user data with relations for response
+    const fullUser = await mikro.user.verifyBySub(pending2FAUser.sub);
+    const userSession = await userService.userEntityToSessionUser(fullUser);
+    return c.json({ user: userSession }, 200);
+});
+//# sourceMappingURL=post.js.map

package/dist/routes/api/auth/totp/recovery/verify/post.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"post.js","sourceRoot":"","sources":["../../../../../../../src/routes/api/auth/totp/recovery/verify/post.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAClE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,gBAAgB,EAAE,MAAM,kCAAkC,CAAC;AACpE,OAAO,EAAE,IAAI,EAAE,MAAM,uCAAuC,CAAC;AAC7D,OAAO,EAAE,oBAAoB,EAAE,MAAM,sCAAsC,CAAC;AAC5E,OAAO,EAAE,CAAC,EAAE,MAAM,oCAAoC,CAAC;AACvD,OAAO,EAAE,CAAC,EAAE,MAAM,oCAAoC,CAAC;AACvD,OAAO,EAAE,CAAC,EAAE,MAAM,uCAAuC,CAAC;AAE1D;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAG,IAAI,IAAI,EAAU,CAAC,IAAI,CAC/D,4BAA4B,EAC5B,aAAa,CAAC;IACZ,IAAI,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;IACjB,QAAQ,EAAE,gBAAgB,CAAC,aAAa;IACxC,OAAO,EAAE,qCAAqC;IAC9C,WAAW,EACT,6DAA6D;QAC7D,oDAAoD;QACpD,2CAA2C;IAC7C,SAAS,EAAE;QACT,GAAG,EAAE;YACH,OAAO,EAAE;gBACP,kBAAkB,EAAE;oBAClB,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,mBAAmB,CAAC;iBACxC;aACF;YACD,WAAW,EAAE,SAAS;SACvB;QACD,GAAG,EAAE;YACH,OAAO,EAAE;gBACP,kBAAkB,EAAE;oBAClB,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,eAAe,CAAC,MAAM,CAAC;iBAC3C;aACF;YACD,WAAW,EACT,2FAA2F;SAC9F;QACD,GAAG,EAAE;YACH,OAAO,EAAE;gBACP,kBAAkB,EAAE;oBAClB,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,0BAA0B,CAAC,MAAM,CAAC;iBACtD;aACF;YACD,WAAW,EAAE,+BAA+B;SAC7C;KACF;CACF,CAAC,EACF,SAAS,CACP,MAAM,EACN,CAAC,CAAC,MAAM,CAAC;IACP,IAAI,EAAE,CAAC,CAAC,YAAY;CACrB,CAAC,CACH,EACD,oBAAoB,EAAE,EACtB,KAAK,EAAE,CAAC,EAAE,EAAE;IACV,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC;IACrC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QACxE,MAAM,IAAI,CAAC,CAAC,eAAe,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACjC,MAAM,OAAO,GAAG,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC;IAC9B,MAAM,EAAE,IAAI,EAAE,cAAc,EAAE,eAAe,EAAE,GAC7C,CAAC,CAAC,GAAG,CAAC,sBAAsB,CAAC;IAC/B,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC;IAE3D,MAAM,WAAW,CAAC,kBAAkB,CAAC,cAAc,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;IAEpE,OAAO,CAAC,cAAc,CAAC,cAAc,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC;IAE5D,kDAAkD;IAClD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;IAClE,MAAM,WAAW,GAAG,MAAM,WAAW,CAAC,uBAAuB,CAAC,QAAQ,CAAC,CAAC;IAExE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,EAAE,GAAG,CAAC,CAAC;AAC5C,CAAC,CACF,CAAC"}

package/dist/routes/api/auth/totp/verify/post.d.ts

@@ -0,0 +1,29 @@
+import type { AppEnv } from '../../../../../lib/app-env.ts';
+export declare const authTotpVerifyPost: import("hono/hono-base").HonoBase<AppEnv, {
+    "/auth/totp/verify": {
+        $post: {
+            input: {
+                json: {
+                    code: string;
+                };
+            };
+            output: {
+                user: {
+                    managed_by: "database" | "config";
+                    sub: string;
+                    email: string;
+                    email_verified: boolean;
+                    email_verification_required: boolean;
+                    has_password: boolean;
+                    totp_registered: boolean;
+                    totp_recovery_codes_missing: boolean;
+                    second_factor_required: boolean;
+                    passkey_count: number;
+                };
+            };
+            outputFormat: "json";
+            status: 200;
+        };
+    };
+}, "/", "/auth/totp/verify">;
+//# sourceMappingURL=post.d.ts.map

package/dist/routes/api/auth/totp/verify/post.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"post.d.ts","sourceRoot":"","sources":["../../../../../../src/routes/api/auth/totp/verify/post.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,+BAA+B,CAAC;AAQ5D,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;4BAgE9B,CAAC"}

package/dist/routes/api/auth/totp/verify/post.js

@@ -0,0 +1,59 @@
+import { Hono } from 'hono';
+import { describeRoute, resolver, validator } from 'hono-openapi';
+import { z } from 'zod';
+import { OPENAPI_SECURITY } from "../../../../../lib/openapi.js";
+import { TAGS } from "../../../../../lib/swagger-tags.js";
+import { verifyPending2FAUser } from "../../../../../middleware/auth.js";
+import { e } from "../../../../../schemas/error.js";
+import { f } from "../../../../../schemas/field.js";
+import { r } from "../../../../../schemas/response.js";
+export const authTotpVerifyPost = new Hono().post('/auth/totp/verify', describeRoute({
+    tags: [TAGS.AUTH],
+    security: OPENAPI_SECURITY.cookieSession,
+    summary: 'Verify TOTP for login',
+    description: 'Complete login by verifying TOTP code. Requires pending 2FA session from password login.',
+    responses: {
+        200: {
+            content: {
+                'application/json': {
+                    schema: resolver(r.UserSessionResponse),
+                },
+            },
+            description: 'Success',
+        },
+        400: {
+            content: {
+                'application/json': {
+                    schema: resolver(e.ValidationError.Schema),
+                },
+            },
+            description: 'Validation error or invalid TOTP code',
+        },
+        401: {
+            content: {
+                'application/json': {
+                    schema: resolver(e.SecondFactorSessionExpired.Schema),
+                },
+            },
+            description: 'Second factor session expired',
+        },
+    },
+}), validator('json', z.object({
+    code: f.totpCode,
+})), verifyPending2FAUser(), async (c) => {
+    const config = c.var.services.config;
+    if (!config.auth.password.enabled || !config.auth.password.totp.enabled) {
+        throw new e.ValidationError.Error('TOTP authentication is disabled');
+    }
+    const body = c.req.valid('json');
+    const session = c.var.session;
+    const { user: pending2FAUser, authenticatedAt } = c.var.verifiedPending2FAUser;
+    const { mikro, userService, totpService } = c.var.services;
+    await totpService.verifyForAuth(pending2FAUser.sub, body.code);
+    session.setUserSession(pending2FAUser.sub, authenticatedAt);
+    // Load full user data with relations for response
+    const fullUser = await mikro.user.verifyBySub(pending2FAUser.sub);
+    const userSession = await userService.userEntityToSessionUser(fullUser);
+    return c.json({ user: userSession }, 200);
+});
+//# sourceMappingURL=post.js.map

package/dist/routes/api/auth/totp/verify/post.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"post.js","sourceRoot":"","sources":["../../../../../../src/routes/api/auth/totp/verify/post.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAClE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAC;AACjE,OAAO,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAC1D,OAAO,EAAE,oBAAoB,EAAE,MAAM,mCAAmC,CAAC;AACzE,OAAO,EAAE,CAAC,EAAE,MAAM,iCAAiC,CAAC;AACpD,OAAO,EAAE,CAAC,EAAE,MAAM,iCAAiC,CAAC;AACpD,OAAO,EAAE,CAAC,EAAE,MAAM,oCAAoC,CAAC;AAEvD,MAAM,CAAC,MAAM,kBAAkB,GAAG,IAAI,IAAI,EAAU,CAAC,IAAI,CACvD,mBAAmB,EACnB,aAAa,CAAC;IACZ,IAAI,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;IACjB,QAAQ,EAAE,gBAAgB,CAAC,aAAa;IACxC,OAAO,EAAE,uBAAuB;IAChC,WAAW,EACT,0FAA0F;IAC5F,SAAS,EAAE;QACT,GAAG,EAAE;YACH,OAAO,EAAE;gBACP,kBAAkB,EAAE;oBAClB,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,mBAAmB,CAAC;iBACxC;aACF;YACD,WAAW,EAAE,SAAS;SACvB;QACD,GAAG,EAAE;YACH,OAAO,EAAE;gBACP,kBAAkB,EAAE;oBAClB,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,eAAe,CAAC,MAAM,CAAC;iBAC3C;aACF;YACD,WAAW,EAAE,uCAAuC;SACrD;QACD,GAAG,EAAE;YACH,OAAO,EAAE;gBACP,kBAAkB,EAAE;oBAClB,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,0BAA0B,CAAC,MAAM,CAAC;iBACtD;aACF;YACD,WAAW,EAAE,+BAA+B;SAC7C;KACF;CACF,CAAC,EACF,SAAS,CACP,MAAM,EACN,CAAC,CAAC,MAAM,CAAC;IACP,IAAI,EAAE,CAAC,CAAC,QAAQ;CACjB,CAAC,CACH,EACD,oBAAoB,EAAE,EACtB,KAAK,EAAE,CAAC,EAAE,EAAE;IACV,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC;IACrC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QACxE,MAAM,IAAI,CAAC,CAAC,eAAe,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACjC,MAAM,OAAO,GAAG,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC;IAC9B,MAAM,EAAE,IAAI,EAAE,cAAc,EAAE,eAAe,EAAE,GAC7C,CAAC,CAAC,GAAG,CAAC,sBAAsB,CAAC;IAC/B,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC;IAE3D,MAAM,WAAW,CAAC,aAAa,CAAC,cAAc,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;IAE/D,OAAO,CAAC,cAAc,CAAC,cAAc,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC;IAE5D,kDAAkD;IAClD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;IAClE,MAAM,WAAW,GAAG,MAAM,WAAW,CAAC,uBAAuB,CAAC,QAAQ,CAAC,CAAC;IAExE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,EAAE,GAAG,CAAC,CAAC;AAC5C,CAAC,CACF,CAAC"}