@ursalock/server 0.2.0 → 0.3.0

package/dist/index.js

@@ -2,12 +2,14 @@
 import { Hono as Hono5 } from "hono";
 import { cors } from "hono/cors";
 import { logger } from "hono/logger";
+import { bodyLimit } from "hono/body-limit";
+import { secureHeaders } from "hono/secure-headers";
 import { ZodError } from "zod";
 
 // src/api/auth/router.ts
-import { createHash as createHash2, randomBytes } from "crypto";
 import { Hono as Hono3 } from "hono";
 import { zValidator as zValidator3 } from "@hono/zod-validator";
+import bcrypt from "bcryptjs";
 
 // src/db/client.ts
 import Database from "better-sqlite3";
@@ -20,7 +22,7 @@ var envSchema = {
   PORT: numeric.default("3456"),
   /** SQLite database file path */
   DATABASE_PATH: z.string().default("./data/vault.db"),
-  /** JWT secret for signing tokens (32+ bytes recommended) */
+  /** JWT secret for signing tokens (32+ chars required). Comma-separated for rotation. */
   JWT_SECRET: z.string().min(32),
   /** JWT token expiry in seconds (default: 7 days) */
   JWT_EXPIRY: numeric.default("604800"),
@@ -31,11 +33,41 @@ var envSchema = {
    * e.g., "https://app1.example.com,https://app2.example.com"
    * The RP_ID is derived from the hostname of the validated origin
    */
-  RP_ORIGINS: z.string().default("http://localhost:5173")
+  RP_ORIGINS: z.string().default("http://localhost:5173").refine(
+    (val) => {
+      const origins = val.split(",").map((s) => s.trim()).filter(Boolean);
+      return origins.every((o) => {
+        try {
+          const url = new URL(o);
+          return url.protocol === "https:" || url.protocol === "http:";
+        } catch {
+          return false;
+        }
+      });
+    },
+    { message: "RP_ORIGINS must be valid URLs (http or https)" }
+  ).refine(
+    (val) => {
+      if (process.env["NODE_ENV"] !== "production") return true;
+      const origins = val.split(",").map((s) => s.trim()).filter(Boolean);
+      return origins.every((o) => new URL(o).protocol === "https:");
+    },
+    { message: "RP_ORIGINS must use HTTPS in production" }
+  )
 };
-var skipEnvValidation = process.env["NODE_ENV"] === "test";
+var TEST_JWT_SECRET = "ursalock-test-secret-DO-NOT-USE-IN-PRODUCTION-x9k2m";
+var isTestEnv = process.env["NODE_ENV"] === "test";
 var env = (() => {
-  if (skipEnvValidation) {
+  if (isTestEnv && !process.env["JWT_SECRET"]) {
+    process.env["JWT_SECRET"] = TEST_JWT_SECRET;
+  }
+  const jwtSecret = process.env["JWT_SECRET"];
+  if (!jwtSecret || jwtSecret.length < 32) {
+    throw new Error(
+      `JWT_SECRET must be at least 32 characters (got ${jwtSecret?.length ?? 0}). Set a strong secret in your environment.`
+    );
+  }
+  if (isTestEnv) {
     return Object.fromEntries(
       Object.entries(envSchema).map(([key, schema]) => {
         const result = schema.safeParse(process.env[key]);
@@ -51,6 +83,9 @@ ${errors2}`);
   }
   return parsed.data;
 })();
+function getAllowedOrigins() {
+  return env.RP_ORIGINS.split(",").map((s) => s.trim()).filter(Boolean);
+}
 
 // src/db/schema.ts
 var CREATE_TABLES_SQL = `
@@ -123,6 +158,7 @@ function getDb() {
     _db = new Database(env.DATABASE_PATH);
     _db.pragma("journal_mode = WAL");
     _db.pragma("foreign_keys = ON");
+    _db.pragma("secure_delete = ON");
     _db.exec(CREATE_TABLES_SQL);
     runMigrations(_db);
   }
@@ -148,14 +184,31 @@ function closeDb() {
     _db = null;
   }
 }
+var USER_COLUMNS = `id, uid, email, password_hash as passwordHash,
+           opaque_id as opaqueId, display_name as displayName,
+           created_at as createdAt, updated_at as updatedAt`;
+var USER_JOIN_COLUMNS = `u.id as "user.id", u.uid as "user.uid", u.email as "user.email",
+      u.password_hash as "user.passwordHash", u.opaque_id as "user.opaqueId",
+      u.display_name as "user.displayName", u.created_at as "user.createdAt",
+      u.updated_at as "user.updatedAt"`;
+function userFromRow(row) {
+  return {
+    id: row["user.id"],
+    uid: row["user.uid"],
+    email: row["user.email"] ?? null,
+    passwordHash: row["user.passwordHash"] ?? null,
+    opaqueId: row["user.opaqueId"] ?? null,
+    displayName: row["user.displayName"] ?? null,
+    createdAt: row["user.createdAt"],
+    updatedAt: row["user.updatedAt"]
+  };
+}
 function createUser(input) {
   const db = getDb();
   const stmt = db.prepare(`
     INSERT INTO users (email, password_hash, opaque_id, display_name)
     VALUES (?, ?, ?, ?)
-    RETURNING id, uid, email, password_hash as passwordHash, 
-              opaque_id as opaqueId, display_name as displayName,
-              created_at as createdAt, updated_at as updatedAt
+    RETURNING ${USER_COLUMNS}
   `);
   return stmt.get(
     input.email ?? null,
@@ -166,10 +219,9 @@ function createUser(input) {
 }
 function getUserByEmail(email) {
   const db = getDb();
+  email = email.toLowerCase().trim();
   const stmt = db.prepare(`
-    SELECT id, uid, email, password_hash as passwordHash,
-           opaque_id as opaqueId, display_name as displayName,
-           created_at as createdAt, updated_at as updatedAt
+    SELECT ${USER_COLUMNS}
     FROM users WHERE email = ?
   `);
   return stmt.get(email);
@@ -177,9 +229,7 @@ function getUserByEmail(email) {
 function getUserByOpaqueId(opaqueId) {
   const db = getDb();
   const stmt = db.prepare(`
-    SELECT id, uid, email, password_hash as passwordHash,
-           opaque_id as opaqueId, display_name as displayName,
-           created_at as createdAt, updated_at as updatedAt
+    SELECT ${USER_COLUMNS}
     FROM users WHERE opaque_id = ?
   `);
   return stmt.get(opaqueId);
@@ -209,7 +259,7 @@ function getPasskeyByCredentialId(credentialId) {
     SELECT 
       p.id, p.user_id as userId, p.credential_id as credentialId, p.public_key as publicKey,
       p.counter, p.device_type as deviceType, p.backed_up as backedUp, p.transports, p.created_at as createdAt,
-      u.id as "user.id", u.uid as "user.uid", u.email as "user.email"
+      ${USER_JOIN_COLUMNS}
     FROM passkeys p
     JOIN users u ON p.user_id = u.id
     WHERE p.credential_id = ?
@@ -226,16 +276,7 @@ function getPasskeyByCredentialId(credentialId) {
     backedUp: Boolean(row["backedUp"]),
     transports: row["transports"],
     createdAt: row["createdAt"],
-    user: {
-      id: row["user.id"],
-      uid: row["user.uid"],
-      email: row["user.email"],
-      passwordHash: null,
-      opaqueId: null,
-      displayName: null,
-      createdAt: 0,
-      updatedAt: 0
-    }
+    user: userFromRow(row)
   };
 }
 function getPasskeysByUserId(userId) {
@@ -252,8 +293,24 @@ function updatePasskeyCounter(credentialId, counter) {
   const stmt = db.prepare(`UPDATE passkeys SET counter = ? WHERE credential_id = ?`);
   stmt.run(counter, credentialId);
 }
+var MAX_SESSIONS = 10;
 function createSession(input) {
   const db = getDb();
+  const countStmt = db.prepare(
+    `SELECT COUNT(*) as cnt FROM sessions WHERE user_id = ? AND expires_at > unixepoch()`
+  );
+  const { cnt } = countStmt.get(input.userId);
+  if (cnt >= MAX_SESSIONS) {
+    const deleteOldest = db.prepare(`
+      DELETE FROM sessions WHERE id IN (
+        SELECT id FROM sessions
+        WHERE user_id = ? AND expires_at > unixepoch()
+        ORDER BY created_at ASC
+        LIMIT ?
+      )
+    `);
+    deleteOldest.run(input.userId, cnt - MAX_SESSIONS + 1);
+  }
   const stmt = db.prepare(`
     INSERT INTO sessions (user_id, token_hash, expires_at)
     VALUES (?, ?, ?)
@@ -266,7 +323,7 @@ function getSessionByTokenHash(tokenHash) {
   const stmt = db.prepare(`
     SELECT 
       s.id, s.user_id as userId, s.token_hash as tokenHash, s.expires_at as expiresAt, s.created_at as createdAt,
-      u.id as "user.id", u.uid as "user.uid", u.email as "user.email"
+      ${USER_JOIN_COLUMNS}
     FROM sessions s
     JOIN users u ON s.user_id = u.id
     WHERE s.token_hash = ? AND s.expires_at > unixepoch()
@@ -279,16 +336,7 @@ function getSessionByTokenHash(tokenHash) {
     tokenHash: row["tokenHash"],
     expiresAt: row["expiresAt"],
     createdAt: row["createdAt"],
-    user: {
-      id: row["user.id"],
-      uid: row["user.uid"],
-      email: row["user.email"],
-      passwordHash: null,
-      opaqueId: null,
-      displayName: null,
-      createdAt: 0,
-      updatedAt: 0
-    }
+    user: userFromRow(row)
   };
 }
 function deleteSession(tokenHash) {
@@ -332,12 +380,20 @@ function getVaultsByUserId(userId) {
 }
 function updateVault(uid, userId, input) {
   const db = getDb();
+  if (input.version != null) {
+    const stmt2 = db.prepare(`
+      UPDATE vaults SET data = ?, salt = ?, version = ? + 1, updated_at = unixepoch()
+      WHERE uid = ? AND user_id = ? AND version = ?
+      RETURNING id, uid, user_id as userId, name, data, salt, version, created_at as createdAt, updated_at as updatedAt
+    `);
+    return stmt2.get(input.data, input.salt, input.version, uid, userId, input.version);
+  }
   const stmt = db.prepare(`
-    UPDATE vaults SET data = ?, salt = ?, version = COALESCE(?, version), updated_at = unixepoch()
+    UPDATE vaults SET data = ?, salt = ?, version = version + 1, updated_at = unixepoch()
     WHERE uid = ? AND user_id = ?
     RETURNING id, uid, user_id as userId, name, data, salt, version, created_at as createdAt, updated_at as updatedAt
   `);
-  return stmt.get(input.data, input.salt, input.version ?? null, uid, userId);
+  return stmt.get(input.data, input.salt, uid, userId);
 }
 function deleteVault(uid, userId) {
   const db = getDb();
@@ -348,24 +404,43 @@ function deleteVault(uid, userId) {
 // src/features/auth/jwt.ts
 import { createHash } from "crypto";
 import { SignJWT, jwtVerify } from "jose";
-function getSecretKey() {
-  return new TextEncoder().encode(env.JWT_SECRET);
+function getSecretKeys() {
+  if (!env.JWT_SECRET) {
+    throw new Error("JWT_SECRET is not set. Refusing to sign/verify tokens with an empty secret.");
+  }
+  const secrets = env.JWT_SECRET.split(",").map((s) => s.trim()).filter(Boolean);
+  if (secrets.length === 0) {
+    throw new Error("JWT_SECRET is empty after parsing. Refusing to sign/verify tokens.");
+  }
+  return secrets.map((s) => new TextEncoder().encode(s));
+}
+function getCurrentSecretKey() {
+  return getSecretKeys()[0];
 }
 async function createToken(payload) {
   const jti = crypto.randomUUID();
   const jwt = new SignJWT({ email: payload.email }).setSubject(payload.userId).setJti(jti).setIssuedAt().setExpirationTime(`${env.JWT_EXPIRY}s`).setProtectedHeader({ alg: "HS256" });
-  return jwt.sign(getSecretKey());
+  return jwt.sign(getCurrentSecretKey());
 }
 async function verifyToken(token) {
-  try {
-    const { payload } = await jwtVerify(token, getSecretKey());
-    if (!payload.sub) {
-      return null;
+  const keys = getSecretKeys();
+  for (let i = 0; i < keys.length; i++) {
+    try {
+      const { payload } = await jwtVerify(token, keys[i]);
+      if (!payload.sub) {
+        return null;
+      }
+      if (i > 0) {
+        console.warn(
+          `[auth/jwt] Token for sub=${payload.sub} validated with rotated secret (index=${i}). The token was signed with a previous JWT_SECRET. It will stop working once that secret is removed.`
+        );
+      }
+      return payload;
+    } catch {
+      continue;
     }
-    return payload;
-  } catch {
-    return null;
   }
+  return null;
 }
 function hashToken(token) {
   return createHash("sha256").update(token).digest("hex");
@@ -381,12 +456,14 @@ var ErrorCode = z2.enum([
   "unauthorized",
   "invalid_credentials",
   "email_already_exists",
+  "opaque_id_exists",
   "passkey_not_found",
   "session_expired",
   "invalid_origin",
   // Vault errors
   "vault_not_found",
   "vault_already_exists",
+  "vault_conflict",
   "invalid_vault_data",
   // Validation errors
   "validation_error",
@@ -407,6 +484,7 @@ var errors = {
   unauthorized: { code: "unauthorized", message: "Unauthorized" },
   invalid_credentials: { code: "invalid_credentials", message: "Invalid email or password" },
   email_already_exists: { code: "email_already_exists", message: "Email already registered" },
+  opaque_id_exists: { code: "opaque_id_exists", message: "Opaque ID already registered" },
   passkey_not_found: { code: "passkey_not_found", message: "Passkey not found" },
   session_expired: { code: "session_expired", message: "Session expired" },
   invalid_origin: { code: "invalid_origin", message: "Origin not allowed" },
@@ -416,6 +494,7 @@ var errors = {
     code: "vault_already_exists",
     message: `Vault "${name}" already exists`
   }),
+  vault_conflict: { code: "vault_conflict", message: "Version conflict - vault has been modified. Please refresh and retry." },
   invalid_vault_data: { code: "invalid_vault_data", message: "Invalid vault data" },
   // Validation errors
   validation_error: (details) => ({
@@ -529,19 +608,18 @@ var PasskeyLoginOptionsRequest = z3.object({
 var PasskeyLoginVerifyRequest = z3.object({
   credential: z3.record(z3.unknown())
 });
-var PasskeyCheckResponse = z3.object({
-  hasPasskey: z3.boolean()
-});
+var MAX_DATA_SIZE = 5 * 1024 * 1024;
+var MAX_SALT_LENGTH = 64;
+var BASE64_RE = /^[A-Za-z0-9+/\-_=]*$/;
+var VAULT_NAME_RE = /^[A-Za-z0-9_-]+$/;
 var CreateVaultRequest = z3.object({
-  name: z3.string().min(1).max(255),
-  data: z3.string(),
-  // Encrypted blob (base64)
-  salt: z3.string()
-  // Salt (base64)
+  name: z3.string().min(1).max(255).regex(VAULT_NAME_RE, "Name must be alphanumeric (hyphens and underscores allowed)"),
+  data: z3.string().max(MAX_DATA_SIZE, `Data must not exceed ${MAX_DATA_SIZE} bytes`).regex(BASE64_RE, "Data must be valid base64"),
+  salt: z3.string().max(MAX_SALT_LENGTH, `Salt must not exceed ${MAX_SALT_LENGTH} characters`).regex(BASE64_RE, "Salt must be valid base64")
 });
 var UpdateVaultRequest = z3.object({
-  data: z3.string(),
-  salt: z3.string(),
+  data: z3.string().max(MAX_DATA_SIZE, `Data must not exceed ${MAX_DATA_SIZE} bytes`).regex(BASE64_RE, "Data must be valid base64"),
+  salt: z3.string().max(MAX_SALT_LENGTH, `Salt must not exceed ${MAX_SALT_LENGTH} characters`).regex(BASE64_RE, "Salt must be valid base64"),
   version: z3.number().optional()
 });
 var VaultResponse = z3.object({
@@ -569,7 +647,7 @@ import {
 
 // src/features/auth/origin.ts
 var allowedOrigins = null;
-function getAllowedOrigins() {
+function getAllowedOrigins2() {
   if (!allowedOrigins) {
     allowedOrigins = env.RP_ORIGINS.split(",").map((o) => o.trim()).filter(Boolean);
   }
@@ -579,7 +657,7 @@ function validateOrigin(origin) {
   if (!origin) {
     throw new ApiException(errors.invalid_origin, 403);
   }
-  const allowed = getAllowedOrigins();
+  const allowed = getAllowedOrigins2();
   if (!allowed.includes(origin)) {
     console.warn(`[auth] Rejected origin: ${origin}. Allowed: ${allowed.join(", ")}`);
     throw new ApiException(errors.invalid_origin, 403);
@@ -593,15 +671,54 @@ function getRpConfigFromRequest(c) {
   return validateOrigin(origin);
 }
 
+// src/features/auth/audit-log.ts
+function logAuthEvent(event) {
+  console.log(JSON.stringify({ ...event, _tag: "auth_audit" }));
+}
+function extractRequestMeta(c) {
+  return {
+    ip: c.req.header("x-forwarded-for")?.split(",")[0]?.trim() ?? c.req.header("x-real-ip") ?? "unknown",
+    userAgent: c.req.header("user-agent") ?? "unknown"
+  };
+}
+
 // src/api/auth/passkey.ts
+var MAX_CHALLENGES = 1e3;
 var challengeStore = /* @__PURE__ */ new Map();
-setInterval(() => {
+function pruneExpiredChallenges() {
   const now = Date.now();
   for (const [key, value] of challengeStore) {
     if (value.expiresAt < now) {
       challengeStore.delete(key);
     }
   }
+}
+function evictOldestChallenges() {
+  if (challengeStore.size <= MAX_CHALLENGES) return;
+  const excess = challengeStore.size - MAX_CHALLENGES;
+  let deleted = 0;
+  for (const key of challengeStore.keys()) {
+    if (deleted >= excess) break;
+    challengeStore.delete(key);
+    deleted++;
+  }
+}
+function setChallenge(key, entry) {
+  pruneExpiredChallenges();
+  challengeStore.set(key, entry);
+  evictOldestChallenges();
+}
+function getChallenge(key) {
+  const entry = challengeStore.get(key);
+  if (!entry) return void 0;
+  if (entry.expiresAt < Date.now()) {
+    challengeStore.delete(key);
+    return void 0;
+  }
+  return entry;
+}
+setInterval(() => {
+  pruneExpiredChallenges();
 }, 6e4);
 var PasskeyRegisterOptionsRequest2 = z4.object({
   email: z4.string().email().optional()
@@ -625,7 +742,8 @@ var passkeyRouter = new Hono().post(
   "/register/options",
   zValidator("json", PasskeyRegisterOptionsRequest2),
   async (c) => {
-    const { email } = c.req.valid("json");
+    const { email: rawEmail } = c.req.valid("json");
+    const email = rawEmail ? rawEmail.toLowerCase().trim() : void 0;
     if (email) {
       const existing = getUserByEmail(email);
       if (existing) {
@@ -647,7 +765,7 @@ var passkeyRouter = new Hono().post(
       },
       timeout: 6e4
     });
-    challengeStore.set(options.challenge, {
+    setChallenge(options.challenge, {
       challenge: options.challenge,
       email: email ?? void 0,
       expiresAt: Date.now() + 12e4
@@ -659,13 +777,14 @@ var passkeyRouter = new Hono().post(
   "/register/verify",
   zValidator("json", PasskeyRegisterVerifyRequest2),
   async (c) => {
-    const { email, credential } = c.req.valid("json");
+    const { email: rawEmail, credential } = c.req.valid("json");
+    const email = rawEmail ? rawEmail.toLowerCase().trim() : void 0;
     const response = credential;
     const clientDataJSON = JSON.parse(
       Buffer.from(response.response.clientDataJSON, "base64url").toString("utf-8")
     );
     const challenge = clientDataJSON.challenge;
-    const stored = challengeStore.get(challenge);
+    const stored = getChallenge(challenge);
     if (!stored) {
       throw new ApiException(errors.invalid_credentials, 401);
     }
@@ -713,7 +832,13 @@ var passkeyRouter = new Hono().post(
       });
     } catch (error) {
       if (error instanceof ApiException) throw error;
-      console.error("Passkey registration error:", error);
+      logAuthEvent({
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        level: "warn",
+        event: "passkey_register_fail",
+        ...extractRequestMeta(c),
+        details: { reason: String(error) }
+      });
       throw new ApiException(errors.invalid_credentials, 401);
     }
   }
@@ -721,7 +846,8 @@ var passkeyRouter = new Hono().post(
   "/login/options",
   zValidator("json", PasskeyLoginOptionsRequest2),
   async (c) => {
-    const { email } = c.req.valid("json");
+    const { email: rawEmail } = c.req.valid("json");
+    const email = rawEmail ? rawEmail.toLowerCase().trim() : void 0;
     let allowCredentials;
     if (email) {
       const user = getUserByEmail(email);
@@ -741,7 +867,7 @@ var passkeyRouter = new Hono().post(
       timeout: 6e4
     });
     const challengeKey = `auth:${options.challenge}`;
-    challengeStore.set(challengeKey, {
+    setChallenge(challengeKey, {
       challenge: options.challenge,
       expiresAt: Date.now() + 12e4
     });
@@ -757,16 +883,16 @@ var passkeyRouter = new Hono().post(
     if (!passkey) {
       throw new ApiException(errors.passkey_not_found, 401);
     }
-    let storedChallenge = null;
-    for (const [key, value] of challengeStore) {
-      if (key.startsWith("auth:") && value.expiresAt > Date.now()) {
-        storedChallenge = value.challenge;
-        break;
-      }
-    }
-    if (!storedChallenge) {
+    const clientDataJSON = JSON.parse(
+      Buffer.from(response.response.clientDataJSON, "base64url").toString("utf-8")
+    );
+    const challengeFromResponse = clientDataJSON.challenge;
+    const challengeKey = `auth:${challengeFromResponse}`;
+    const storedChallengeData = getChallenge(challengeKey);
+    if (!storedChallengeData) {
       throw new ApiException(errors.invalid_credentials, 401);
     }
+    const storedChallenge = storedChallengeData.challenge;
     const { rpId, rpOrigin } = getRpConfigFromRequest(c);
     try {
       const verification = await verifyAuthenticationResponse({
@@ -784,7 +910,20 @@ var passkeyRouter = new Hono().post(
       if (!verification.verified) {
         throw new ApiException(errors.invalid_credentials, 401);
       }
-      updatePasskeyCounter(passkey.credentialId, verification.authenticationInfo.newCounter);
+      const newCounter = verification.authenticationInfo.newCounter;
+      if (newCounter > 0 && newCounter <= passkey.counter) {
+        console.warn(
+          `[SECURITY] Possible cloned authenticator detected! credentialId=${passkey.credentialId}, storedCounter=${passkey.counter}, newCounter=${newCounter}, userId=${passkey.user.uid}`
+        );
+        throw new ApiException(
+          {
+            code: "invalid_credentials",
+            message: "Authentication rejected: authenticator counter regression detected (possible cloned authenticator)"
+          },
+          401
+        );
+      }
+      updatePasskeyCounter(passkey.credentialId, newCounter);
       const token = await createToken({
         userId: passkey.user.uid,
         email: passkey.user.email ?? void 0
@@ -792,7 +931,7 @@ var passkeyRouter = new Hono().post(
       const tokenHash = hashToken(token);
       const expiresAt = Math.floor(Date.now() / 1e3) + env.JWT_EXPIRY;
       createSession({ userId: passkey.user.id, tokenHash, expiresAt });
-      challengeStore.delete(`auth:${storedChallenge}`);
+      challengeStore.delete(challengeKey);
       return c.json({
         user: {
           id: passkey.user.uid,
@@ -803,7 +942,13 @@ var passkeyRouter = new Hono().post(
       });
     } catch (error) {
       if (error instanceof ApiException) throw error;
-      console.error("Passkey authentication error:", error);
+      logAuthEvent({
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        level: "warn",
+        event: "passkey_login_fail",
+        ...extractRequestMeta(c),
+        details: { credentialId: response.id, reason: String(error) }
+      });
       throw new ApiException(errors.invalid_credentials, 401);
     }
   }
@@ -811,7 +956,8 @@ var passkeyRouter = new Hono().post(
   "/check",
   zValidator("json", PasskeyCheckRequest),
   (c) => {
-    const { email } = c.req.valid("json");
+    const { email: rawEmail } = c.req.valid("json");
+    const email = rawEmail.toLowerCase().trim();
     const user = getUserByEmail(email);
     if (!user) {
       return c.json({ hasPasskey: false });
@@ -843,10 +989,18 @@ var zkcRouter = new Hono2().post(
   "/register",
   zValidator2("json", ZkcRegisterRequest),
   async (c) => {
+    getRpConfigFromRequest(c);
     const { opaqueId, displayName } = c.req.valid("json");
     const existing = getUserByOpaqueId(opaqueId);
     if (existing) {
-      throw new ApiException(errors.email_already_exists, 409);
+      logAuthEvent({
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        level: "warn",
+        event: "zkc_register_fail",
+        ...extractRequestMeta(c),
+        details: { reason: "opaque_id_exists" }
+      });
+      throw new ApiException(errors.opaque_id_exists, 409);
     }
     const user = createUser({
       opaqueId,
@@ -868,9 +1022,17 @@ var zkcRouter = new Hono2().post(
   "/authenticate",
   zValidator2("json", ZkcAuthenticateRequest),
   async (c) => {
+    getRpConfigFromRequest(c);
     const { opaqueId } = c.req.valid("json");
     const user = getUserByOpaqueId(opaqueId);
     if (!user) {
+      logAuthEvent({
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        level: "warn",
+        event: "zkc_auth_fail",
+        ...extractRequestMeta(c),
+        details: { reason: "opaque_id_not_found" }
+      });
       throw new ApiException(errors.passkey_not_found, 401);
     }
     const token = await createToken({ userId: user.uid });
@@ -896,24 +1058,17 @@ var zkcRouter = new Hono2().post(
 );
 
 // src/api/auth/router.ts
-function hashPassword(password, salt) {
-  const crypto2 = createHash2("sha256");
-  return crypto2.update(password + salt).digest("hex");
-}
-function generateSalt() {
-  return randomBytes(16).toString("hex");
-}
 var authRouter = new Hono3().post(
   "/email/register",
   zValidator3("json", EmailRegisterRequest),
   async (c) => {
-    const { email, password } = c.req.valid("json");
+    const { email: rawEmail, password } = c.req.valid("json");
+    const email = rawEmail.toLowerCase().trim();
     const existing = getUserByEmail(email);
     if (existing) {
       throw new ApiException(errors.email_already_exists, 409);
     }
-    const salt = generateSalt();
-    const passwordHash = hashPassword(password, salt) + ":" + salt;
+    const passwordHash = await bcrypt.hash(password, 12);
     const user = createUser({ email, passwordHash });
     const token = await createToken({ userId: user.uid, email });
     const tokenHash = hashToken(token);
@@ -932,17 +1087,14 @@ var authRouter = new Hono3().post(
   "/email/login",
   zValidator3("json", EmailLoginRequest),
   async (c) => {
-    const { email, password } = c.req.valid("json");
+    const { email: rawEmail, password } = c.req.valid("json");
+    const email = rawEmail.toLowerCase().trim();
     const user = getUserByEmail(email);
     if (!user || !user.passwordHash) {
       throw new ApiException(errors.invalid_credentials, 401);
     }
-    const [storedHash, salt] = user.passwordHash.split(":");
-    if (!salt) {
-      throw new ApiException(errors.invalid_credentials, 401);
-    }
-    const inputHash = hashPassword(password, salt);
-    if (inputHash !== storedHash) {
+    const valid = await bcrypt.compare(password, user.passwordHash);
+    if (!valid) {
       throw new ApiException(errors.invalid_credentials, 401);
     }
     const token = await createToken({ userId: user.uid, email: user.email ?? void 0 });
@@ -967,8 +1119,7 @@ var authRouter = new Hono3().post(
       user: {
         id: session.user.uid,
         email: session.user.email,
-        createdAt: 0
-        // Not needed for /me
+        createdAt: session.user.createdAt
       }
     });
   }
@@ -1075,6 +1226,12 @@ var VaultService = class {
   updateVault(uid, userId, data) {
     const vault = this.vaultRepo.update(uid, userId, data);
     if (!vault) {
+      if (data.version != null) {
+        const existing = this.vaultRepo.findByUid(uid, userId);
+        if (existing) {
+          throw new ApiException(errors.vault_conflict, 409);
+        }
+      }
       throw new ApiException(errors.vault_not_found, 404);
     }
     return toVaultResponse(vault);
@@ -1167,6 +1324,109 @@ var vaultRouter = new Hono4().use("/*", requireAuthMiddleware).get(
   }
 );
 
+// src/features/auth/rate-limit.ts
+import { createMiddleware as createMiddleware2 } from "hono/factory";
+var DEFAULT_CONFIG = { max: 100, windowMs: 6e4 };
+var CLEANUP_INTERVAL_MS = 6e4;
+function createStore(windowMs) {
+  const buckets = /* @__PURE__ */ new Map();
+  const timer = setInterval(() => {
+    const cutoff = Date.now() - windowMs;
+    for (const [ip, entry] of buckets) {
+      entry.timestamps = entry.timestamps.filter((t) => t > cutoff);
+      if (entry.timestamps.length === 0) {
+        buckets.delete(ip);
+      }
+    }
+  }, CLEANUP_INTERVAL_MS);
+  if (timer.unref) timer.unref();
+  return {
+    /**
+     * Record a hit and return the current count within the window.
+     */
+    hit(ip) {
+      const now = Date.now();
+      const cutoff = now - windowMs;
+      let entry = buckets.get(ip);
+      if (!entry) {
+        entry = { timestamps: [] };
+        buckets.set(ip, entry);
+      }
+      entry.timestamps = entry.timestamps.filter((t) => t > cutoff);
+      entry.timestamps.push(now);
+      return entry.timestamps.length;
+    },
+    /**
+     * Return the oldest timestamp still in the window for Retry-After calculation.
+     */
+    oldestInWindow(ip) {
+      return buckets.get(ip)?.timestamps[0];
+    }
+  };
+}
+function rateLimit(config = {}) {
+  const { max, windowMs } = { ...DEFAULT_CONFIG, ...config };
+  const store = createStore(windowMs);
+  return createMiddleware2(async (c, next) => {
+    const ip = c.req.header("x-forwarded-for")?.split(",")[0]?.trim() ?? c.req.header("x-real-ip") ?? "unknown";
+    const count = store.hit(ip);
+    const remaining = Math.max(0, max - count);
+    c.header("X-RateLimit-Limit", String(max));
+    c.header("X-RateLimit-Remaining", String(remaining));
+    if (count > max) {
+      const oldest = store.oldestInWindow(ip);
+      const retryAfterSec = oldest ? Math.ceil((oldest + windowMs - Date.now()) / 1e3) : Math.ceil(windowMs / 1e3);
+      c.header("Retry-After", String(Math.max(1, retryAfterSec)));
+      throw new ApiException(
+        { code: "invalid_request", message: "Too many requests, please try again later" },
+        429
+      );
+    }
+    await next();
+  });
+}
+
+// src/features/auth/csrf.ts
+import { createMiddleware as createMiddleware3 } from "hono/factory";
+import { getCookie, setCookie } from "hono/cookie";
+var CSRF_COOKIE_NAME = "__csrf";
+var CSRF_HEADER_NAME = "x-csrf-token";
+var TOKEN_BYTES = 32;
+var SAFE_METHODS = /* @__PURE__ */ new Set(["GET", "HEAD", "OPTIONS"]);
+function csrfCookieOptions() {
+  return {
+    path: "/",
+    httpOnly: false,
+    // Client JS must read this value
+    sameSite: "Strict",
+    secure: env.NODE_ENV === "production"
+  };
+}
+function generateToken() {
+  const bytes = new Uint8Array(TOKEN_BYTES);
+  crypto.getRandomValues(bytes);
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+var csrfProtection = createMiddleware3(async (c, next) => {
+  if (SAFE_METHODS.has(c.req.method)) {
+    const existing = getCookie(c, CSRF_COOKIE_NAME);
+    if (!existing) {
+      setCookie(c, CSRF_COOKIE_NAME, generateToken(), csrfCookieOptions());
+    }
+    return next();
+  }
+  const cookieToken = getCookie(c, CSRF_COOKIE_NAME);
+  const headerToken = c.req.header(CSRF_HEADER_NAME);
+  if (!cookieToken || !headerToken || cookieToken !== headerToken) {
+    throw new ApiException(
+      { code: "invalid_request", message: "Invalid or missing CSRF token" },
+      403
+    );
+  }
+  setCookie(c, CSRF_COOKIE_NAME, generateToken(), csrfCookieOptions());
+  await next();
+});
+
 // src/app.ts
 var errorHandler = (error, c) => {
   const requestId = c.req.header("x-request-id") ?? crypto.randomUUID();
@@ -1198,24 +1458,47 @@ var errorHandler = (error, c) => {
 };
 function createApp() {
   const app = new Hono5();
-  app.use("*", logger());
+  app.use("*", bodyLimit({ maxSize: 11 * 1024 * 1024 }));
+  app.use(
+    "*",
+    secureHeaders({
+      strictTransportSecurity: "max-age=63072000; includeSubDomains; preload",
+      contentSecurityPolicy: {
+        defaultSrc: ["'self'"],
+        scriptSrc: ["'self'"],
+        styleSrc: ["'self'", "'unsafe-inline'"],
+        connectSrc: ["'self'"],
+        frameAncestors: ["'none'"]
+      },
+      xFrameOptions: "DENY",
+      xContentTypeOptions: "nosniff",
+      referrerPolicy: "strict-origin-when-cross-origin"
+    })
+  );
+  if (env.NODE_ENV !== "production") {
+    app.use("*", logger());
+  }
+  const allowedOrigins2 = new Set(getAllowedOrigins());
   app.use(
     "*",
     cors({
-      origin: "*",
-      // Configure for production
+      origin: (origin) => allowedOrigins2.has(origin) ? origin : "",
       allowMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
-      allowHeaders: ["Content-Type", "Authorization"],
-      exposeHeaders: ["X-Request-Id"]
+      allowHeaders: ["Content-Type", "Authorization", "X-CSRF-Token"],
+      exposeHeaders: ["X-Request-Id", "X-RateLimit-Limit", "X-RateLimit-Remaining", "Retry-After"]
     })
   );
+  app.use("*", rateLimit({ max: 100, windowMs: 6e4 }));
+  app.use("*", csrfProtection);
   app.get("/health", (c) => c.json({ status: "ok", timestamp: Date.now() }));
+  app.use("/auth/*", rateLimit({ max: 10, windowMs: 6e4 }));
   app.route("/auth", authRouter);
   app.route("/vault", vaultRouter);
   app.onError(errorHandler);
   app.notFound((c) => {
+    const requestId = c.req.header("x-request-id") ?? crypto.randomUUID();
     return c.json(
-      { error: { code: "not_found", message: "Endpoint not found" } },
+      { error: { code: "not_found", message: "Endpoint not found" }, requestId },
       404
     );
   });
@@ -1228,7 +1511,6 @@ export {
   EmailLoginRequest,
   EmailRegisterRequest,
   MeResponse,
-  PasskeyCheckResponse,
   PasskeyLoginOptionsRequest,
   PasskeyLoginVerifyRequest,
   PasskeyRegisterOptionsRequest,