@vatts/auth 1.0.2-alpha.1 → 1.0.2-alpha.3

package/dist/client.js

@@ -26,7 +26,7 @@ async function getSession() {
         return data.session || null;
     }
     catch (error) {
-        console.error('[hweb-auth] Error fetching session:', error);
+        console.error('[vatts-auth] Error fetching session:', error);
         return null;
     }
 }
@@ -45,7 +45,7 @@ async function getCsrfToken() {
         return data.csrfToken || null;
     }
     catch (error) {
-        console.error('[hweb-auth] Error fetching CSRF token:', error);
+        console.error('[vatts-auth] Error fetching CSRF token:', error);
         return null;
     }
 }
@@ -64,7 +64,7 @@ async function getProviders() {
         return data.providers || [];
     }
     catch (error) {
-        console.error('[hweb-auth] Error searching for providers:', error);
+        console.error('[vatts-auth] Error searching for providers:', error);
         return null;
     }
 }
@@ -119,7 +119,7 @@ async function signIn(provider = 'credentials', options = {}) {
         }
     }
     catch (error) {
-        console.error('[hweb-auth] Error on signIn:', error);
+        console.error('[vatts-auth] Error on signIn:', error);
         return {
             error: 'Network error',
             status: 500,
@@ -141,6 +141,6 @@ async function signOut(options = {}) {
         }
     }
     catch (error) {
-        console.error('[hweb-auth] Error on signOut:', error);
+        console.error('[vatts-auth] Error on signOut:', error);
     }
 }

package/dist/core.d.ts

@@ -1,6 +1,6 @@
 import { VattsRequest, VattsResponse } from 'vatts';
 import type { AuthConfig, AuthProviderClass, Session } from './types';
-export declare class HWebAuth {
+export declare class VattsAuth {
     private config;
     private sessionManager;
     constructor(config: AuthConfig);

package/dist/core.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.HWebAuth = void 0;
+exports.VattsAuth = void 0;
 /*
  * This file is part of the Vatts.js Project.
  * Copyright (c) 2026 itsmuzin
@@ -19,7 +19,7 @@ exports.HWebAuth = void 0;
  */
 const vatts_1 = require("vatts");
 const jwt_1 = require("./jwt");
-class HWebAuth {
+class VattsAuth {
     constructor(config) {
         this.config = {
             session: { strategy: 'jwt', maxAge: 86400, ...config.session },
@@ -48,7 +48,7 @@ class HWebAuth {
     async signIn(providerId, credentials) {
         const provider = this.config.providers.find(p => p.id === providerId);
         if (!provider) {
-            console.error(`[hweb-auth] Provider not found: ${providerId}`);
+            console.error(`[vatts-auth] Provider not found: ${providerId}`);
             return null;
         }
         try {
@@ -76,7 +76,7 @@ class HWebAuth {
             return sessionResult;
         }
         catch (error) {
-            console.error(`[hweb-auth] Error signing in with provider ${providerId}:`, error);
+            console.error(`[vatts-auth] Error signing in with provider ${providerId}:`, error);
             return null;
         }
     }
@@ -93,13 +93,13 @@ class HWebAuth {
                     await provider.handleSignOut();
                 }
                 catch (error) {
-                    console.error(`[hweb-auth] Signout error on provider ${provider.id}:`, error);
+                    console.error(`[vatts-auth] Signout error on provider ${provider.id}:`, error);
                 }
             }
         }
         return vatts_1.VattsResponse
             .json({ success: true })
-            .clearCookie('hweb-auth-token', {
+            .clearCookie('vatts-auth-token', {
             path: '/',
             httpOnly: true,
             secure: this.config.secureCookies || false,
@@ -157,7 +157,7 @@ class HWebAuth {
     createAuthResponse(token, data) {
         return vatts_1.VattsResponse
             .json(data)
-            .cookie('hweb-auth-token', token, {
+            .cookie('vatts-auth-token', token, {
             httpOnly: true,
             secure: this.config.secureCookies || false, // Always secure, even in development
             sameSite: 'strict', // Prevent CSRF attacks
@@ -165,17 +165,21 @@ class HWebAuth {
             path: '/',
             domain: undefined // Let browser set automatically for security
         })
+            // SECURITY: Comprehensive security headers
             .header('X-Content-Type-Options', 'nosniff')
             .header('X-Frame-Options', 'DENY')
             .header('X-XSS-Protection', '1; mode=block')
-            .header('Referrer-Policy', 'strict-origin-when-cross-origin');
+            .header('Referrer-Policy', 'strict-origin-when-cross-origin')
+            .header('Content-Security-Policy', "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none';")
+            .header('Strict-Transport-Security', 'max-age=31536000; includeSubDomains')
+            .header('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
     }
     /**
      * Extrai token da requisição (cookie ou header)
      */
     getTokenFromRequest(req) {
         // Primeiro tenta pegar do cookie
-        const cookieToken = req.cookie('hweb-auth-token');
+        const cookieToken = req.cookie('vatts-auth-token');
         if (cookieToken)
             return cookieToken;
         // Depois tenta do header Authorization
@@ -186,4 +190,4 @@ class HWebAuth {
         return null;
     }
 }
-exports.HWebAuth = HWebAuth;
+exports.VattsAuth = VattsAuth;

package/dist/jwt.js

@@ -23,13 +23,39 @@ exports.SessionManager = exports.JWTManager = void 0;
 const crypto_1 = __importDefault(require("crypto"));
 class JWTManager {
     constructor(secret) {
-        if (!secret && !process.env.HWEB_AUTH_SECRET) {
-            throw new Error('JWT secret is required. Set HWEB_AUTH_SECRET environment variable or provide secret parameter.');
+        if (!secret && !process.env.VATTS_AUTH_SECRET) {
+            throw new Error('JWT secret is required. Set VATTS_AUTH_SECRET environment variable or provide secret parameter.');
         }
-        this.secret = secret || process.env.HWEB_AUTH_SECRET;
+        this.secret = secret || process.env.VATTS_AUTH_SECRET;
+        // SECURITY: Enforce minimum secret length
         if (this.secret.length < 32) {
             throw new Error('JWT secret must be at least 32 characters long for security.');
         }
+        // SECURITY: Warn about weak/common secrets in development
+        const weakSecrets = [
+            'your-secret-key',
+            'vatts-test-secret-key-change-in-production',
+            'secret',
+            'changeme',
+            'password',
+            '12345678',
+            'test-secret',
+            'development-secret'
+        ];
+        if (weakSecrets.some(weak => this.secret.toLowerCase().includes(weak))) {
+            console.warn('\x1b[33m%s\x1b[0m', '⚠️  SECURITY WARNING: You are using a weak/common JWT secret!');
+            console.warn('\x1b[33m%s\x1b[0m', '   This is a CRITICAL security risk in production.');
+            console.warn('\x1b[33m%s\x1b[0m', '   Generate a strong secret: node -e "console.log(require(\'crypto\').randomBytes(64).toString(\'base64\'))"');
+            // SECURITY: Refuse to start in production with weak secret
+            if (process.env.NODE_ENV === 'production') {
+                throw new Error('PRODUCTION: Weak JWT secret detected. Application refused to start for security reasons.');
+            }
+        }
+        // SECURITY: Check for sufficient entropy (basic check)
+        const uniqueChars = new Set(this.secret).size;
+        if (uniqueChars < 16) {
+            console.warn('\x1b[33m%s\x1b[0m', '⚠️  WARNING: JWT secret has low entropy (few unique characters). Consider using a more random secret.');
+        }
     }
     /**
      * Cria um JWT token com validação de algoritmo
@@ -75,13 +101,14 @@ class JWTManager {
             // Validate algorithm in payload matches header
             if (decodedPayload.alg !== 'HS256')
                 return null;
-            // Verifica expiração com margem de erro de 30 segundos
+            // SECURITY: Verifica expiração com margem de erro de 5 segundos (clock skew)
+            // Reduzido de 30s para minimizar janela de replay attacks
             const now = Math.floor(Date.now() / 1000);
-            if (decodedPayload.exp && decodedPayload.exp < (now - 30)) {
+            if (decodedPayload.exp && decodedPayload.exp < (now - 5)) {
                 return null;
             }
-            // Validate issued at time (not too far in future)
-            if (decodedPayload.iat && decodedPayload.iat > (now + 300)) {
+            // SECURITY: Validate issued at time (not too far in future - 60s tolerance)
+            if (decodedPayload.iat && decodedPayload.iat > (now + 60)) {
                 return null;
             }
             return decodedPayload;
@@ -96,11 +123,21 @@ class JWTManager {
         }
         const sanitized = {};
         for (const [key, value] of Object.entries(payload)) {
-            // Skip dangerous properties
+            // SECURITY: Skip dangerous properties that could lead to prototype pollution
             if (key.startsWith('__') || key === 'constructor' || key === 'prototype') {
                 continue;
             }
-            sanitized[key] = value;
+            // SECURITY: Recursively sanitize nested objects to prevent deep prototype pollution
+            if (value && typeof value === 'object' && !Array.isArray(value)) {
+                sanitized[key] = this.sanitizePayload(value);
+            }
+            else if (Array.isArray(value)) {
+                // Sanitize arrays recursively
+                sanitized[key] = value.map(item => (item && typeof item === 'object') ? this.sanitizePayload(item) : item);
+            }
+            else {
+                sanitized[key] = value;
+            }
         }
         return sanitized;
     }
@@ -121,6 +158,11 @@ class JWTManager {
             .replace(/=/g, '');
     }
     base64UrlDecode(str) {
+        // SECURITY: Prevent DoS attacks with extremely large strings
+        // JWT tokens are typically < 4KB, we allow up to 16KB to be safe
+        if (str.length > 16384) {
+            throw new Error('Token too large');
+        }
         str += '='.repeat(4 - str.length % 4);
         return Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString();
     }

package/dist/providers/credentials.d.ts

@@ -54,7 +54,7 @@ export declare class CredentialsProvider implements AuthProviderClass {
      */
     validateCredentials(credentials: Record<string, string>): boolean;
     /**
-     * Validação simples de email
+     * Validação robusta de email (RFC 5322 simplificado)
      */
     private isValidEmail;
 }

package/dist/providers/credentials.js

@@ -87,11 +87,32 @@ class CredentialsProvider {
         return true;
     }
     /**
-     * Validação simples de email
+     * Validação robusta de email (RFC 5322 simplificado)
      */
     isValidEmail(email) {
-        const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
-        return emailRegex.test(email);
+        // SECURITY: Validate email length to prevent DoS
+        if (!email || email.length > 320) { // RFC 5321: max 320 chars
+            return false;
+        }
+        // SECURITY: More robust email validation regex
+        // Prevents common bypasses like multiple @, script tags, etc.
+        const emailRegex = /^[a-zA-Z0-9.!#$%&'*+\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/;
+        if (!emailRegex.test(email)) {
+            return false;
+        }
+        // SECURITY: Validate parts separately
+        const parts = email.split('@');
+        if (parts.length !== 2)
+            return false;
+        const [local, domain] = parts;
+        if (local.length > 64 || domain.length > 255) { // RFC 5321 limits
+            return false;
+        }
+        // SECURITY: Prevent consecutive dots
+        if (email.includes('..')) {
+            return false;
+        }
+        return true;
     }
 }
 exports.CredentialsProvider = CredentialsProvider;

package/dist/providers/github.d.ts

@@ -0,0 +1,63 @@
+import type { AuthProviderClass, AuthRoute, User } from '../types';
+export interface GithubConfig {
+    id?: string;
+    name?: string;
+    clientId: string;
+    clientSecret: string;
+    callbackUrl?: string;
+    successUrl?: string;
+    scope?: string[];
+}
+/**
+ * Provider para autenticação com GitHub OAuth2
+ *
+ * Este provider permite autenticação usando GitHub.
+ * Automaticamente gerencia o fluxo OAuth completo e rotas necessárias.
+ *
+ * Exemplo de uso:
+ * ```typescript
+ * new GithubProvider({
+ * clientId: process.env.GITHUB_CLIENT_ID!,
+ * clientSecret: process.env.GITHUB_CLIENT_SECRET!,
+ * callbackUrl: "http://localhost:3000/api/auth/callback/github"
+ * })
+ * ```
+ *
+ * Fluxo de autenticação:
+ * 1. GET /api/auth/signin/github - Gera URL e redireciona para GitHub
+ * 2. GitHub redireciona para /api/auth/callback/github com código
+ * 3. Provider troca código por token e busca dados do usuário
+ * 4. Retorna objeto User com dados do GitHub
+ */
+export declare class GithubProvider implements AuthProviderClass {
+    readonly id: string;
+    readonly name: string;
+    readonly type: string;
+    private config;
+    private readonly defaultScope;
+    constructor(config: GithubConfig);
+    /**
+     * Método para gerar URL OAuth (usado pelo handleSignIn)
+     */
+    handleOauth(credentials?: Record<string, string>): string;
+    /**
+     * Método principal - redireciona para OAuth ou processa o callback
+     */
+    handleSignIn(credentials: Record<string, string>): Promise<User | string | null>;
+    /**
+     * Processa o callback do OAuth (troca o código pelo usuário)
+     */
+    private processOAuthCallback;
+    /**
+     * Rotas adicionais específicas do GitHub OAuth
+     */
+    additionalRoutes: AuthRoute[];
+    /**
+     * Gera a URL de autorização do GitHub
+     */
+    getAuthorizationUrl(): string;
+    /**
+     * Retorna a configuração pública do provider
+     */
+    getConfig(): any;
+}

package/dist/providers/github.js

@@ -0,0 +1,218 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GithubProvider = void 0;
+const vatts_1 = require("vatts");
+/**
+ * Provider para autenticação com GitHub OAuth2
+ *
+ * Este provider permite autenticação usando GitHub.
+ * Automaticamente gerencia o fluxo OAuth completo e rotas necessárias.
+ *
+ * Exemplo de uso:
+ * ```typescript
+ * new GithubProvider({
+ * clientId: process.env.GITHUB_CLIENT_ID!,
+ * clientSecret: process.env.GITHUB_CLIENT_SECRET!,
+ * callbackUrl: "http://localhost:3000/api/auth/callback/github"
+ * })
+ * ```
+ *
+ * Fluxo de autenticação:
+ * 1. GET /api/auth/signin/github - Gera URL e redireciona para GitHub
+ * 2. GitHub redireciona para /api/auth/callback/github com código
+ * 3. Provider troca código por token e busca dados do usuário
+ * 4. Retorna objeto User com dados do GitHub
+ */
+class GithubProvider {
+    constructor(config) {
+        this.type = 'github';
+        this.defaultScope = [
+            'read:user',
+            'user:email'
+        ];
+        /**
+         * Rotas adicionais específicas do GitHub OAuth
+         */
+        this.additionalRoutes = [
+            // Rota de callback do GitHub
+            {
+                method: 'GET',
+                path: '/api/auth/callback/github',
+                handler: async (req, params) => {
+                    const url = new URL(req.url || '', 'http://localhost');
+                    const code = url.searchParams.get('code');
+                    if (!code) {
+                        return vatts_1.VattsResponse.json({ error: 'Authorization code not provided' }, { status: 400 });
+                    }
+                    try {
+                        // Delega o 'code' para o endpoint de signin principal
+                        const authResponse = await fetch(`${req.headers.origin || 'http://localhost:3000'}/api/auth/signin`, {
+                            method: 'POST',
+                            headers: {
+                                'Content-Type': 'application/json',
+                            },
+                            body: JSON.stringify({
+                                provider: this.id,
+                                code,
+                            })
+                        });
+                        if (authResponse.ok) {
+                            // Propaga o cookie de sessão e redireciona para a URL de sucesso
+                            const setCookieHeader = authResponse.headers.get('set-cookie');
+                            if (this.config.successUrl) {
+                                return vatts_1.VattsResponse
+                                    .redirect(this.config.successUrl)
+                                    .header('Set-Cookie', setCookieHeader || '');
+                            }
+                            return vatts_1.VattsResponse.json({ success: true })
+                                .header('Set-Cookie', setCookieHeader || '');
+                        }
+                        else {
+                            const errorText = await authResponse.text();
+                            console.error(`[${this.id} Provider] Session creation failed during callback. Status: ${authResponse.status}, Body: ${errorText}`);
+                            return vatts_1.VattsResponse.json({ error: 'Session creation failed' }, { status: 500 });
+                        }
+                    }
+                    catch (error) {
+                        console.error(`[${this.id} Provider] Callback handler fetch error:`, error);
+                        return vatts_1.VattsResponse.json({ error: 'Internal server error' }, { status: 500 });
+                    }
+                }
+            }
+        ];
+        this.config = config;
+        this.id = config.id || 'github';
+        this.name = config.name || 'GitHub';
+    }
+    /**
+     * Método para gerar URL OAuth (usado pelo handleSignIn)
+     */
+    handleOauth(credentials = {}) {
+        return this.getAuthorizationUrl();
+    }
+    /**
+     * Método principal - redireciona para OAuth ou processa o callback
+     */
+    async handleSignIn(credentials) {
+        // Se tem código, é o callback - processa a autenticação
+        if (credentials.code) {
+            return await this.processOAuthCallback(credentials);
+        }
+        // Se não tem código, é o início do OAuth - retorna a URL
+        return this.handleOauth(credentials);
+    }
+    /**
+     * Processa o callback do OAuth (troca o código pelo usuário)
+     */
+    async processOAuthCallback(credentials) {
+        try {
+            const { code } = credentials;
+            if (!code) {
+                throw new Error('Authorization code not provided');
+            }
+            // Troca o código por um access token
+            // Nota: O GitHub requer o header Accept: application/json para retornar JSON
+            const tokenResponse = await fetch('https://github.com/login/oauth/access_token', {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                    'Accept': 'application/json'
+                },
+                body: JSON.stringify({
+                    client_id: this.config.clientId,
+                    client_secret: this.config.clientSecret,
+                    code,
+                    redirect_uri: this.config.callbackUrl || undefined,
+                }),
+            });
+            if (!tokenResponse.ok) {
+                const error = await tokenResponse.text();
+                throw new Error(`Failed to exchange code for token: ${error}`);
+            }
+            const tokens = await tokenResponse.json();
+            if (tokens.error) {
+                throw new Error(`GitHub Token Error: ${tokens.error_description || tokens.error}`);
+            }
+            // Busca os dados do usuário com o access token
+            const userResponse = await fetch('https://api.github.com/user', {
+                headers: {
+                    'Authorization': `Bearer ${tokens.access_token}`,
+                    'Accept': 'application/vnd.github.v3+json',
+                },
+            });
+            if (!userResponse.ok) {
+                throw new Error('Failed to fetch user data');
+            }
+            const githubUser = await userResponse.json();
+            // Lógica específica do GitHub: O email pode ser privado e não vir no objeto user principal
+            let email = githubUser.email;
+            if (!email) {
+                try {
+                    const emailsResponse = await fetch('https://api.github.com/user/emails', {
+                        headers: {
+                            'Authorization': `Bearer ${tokens.access_token}`,
+                            'Accept': 'application/vnd.github.v3+json',
+                        },
+                    });
+                    if (emailsResponse.ok) {
+                        const emails = await emailsResponse.json();
+                        // Tenta pegar o email primário e verificado, ou o primeiro disponível
+                        const primaryEmail = emails.find((e) => e.primary && e.verified) ||
+                            emails.find((e) => e.verified) ||
+                            emails[0];
+                        if (primaryEmail) {
+                            email = primaryEmail.email;
+                        }
+                    }
+                }
+                catch (emailError) {
+                    console.warn(`[${this.id} Provider] Could not fetch private emails`, emailError);
+                }
+            }
+            // Retorna o objeto User padronizado
+            return {
+                id: String(githubUser.id), // GitHub retorna ID numérico
+                name: githubUser.name || githubUser.login, // Fallback para o username se não tiver nome configurado
+                email: email,
+                image: githubUser.avatar_url || null,
+                provider: this.id,
+                providerId: String(githubUser.id),
+                accessToken: tokens.access_token,
+                // GitHub geralmente não retorna refresh tokens em Apps OAuth padrão (web flow)
+                // a menos que especificamente configurado, mas mantemos o campo se vier
+                refreshToken: tokens.refresh_token || undefined
+            };
+        }
+        catch (error) {
+            console.error(`[${this.id} Provider] Error during OAuth callback:`, error);
+            return null;
+        }
+    }
+    /**
+     * Gera a URL de autorização do GitHub
+     */
+    getAuthorizationUrl() {
+        const params = new URLSearchParams({
+            client_id: this.config.clientId,
+            redirect_uri: this.config.callbackUrl || '',
+            scope: (this.config.scope || this.defaultScope).join(' '),
+            // GitHub não usa 'response_type=code' explicitamente na URL padrão, mas aceita.
+            // O padrão é web application flow.
+        });
+        return `https://github.com/login/oauth/authorize?${params.toString()}`;
+    }
+    /**
+     * Retorna a configuração pública do provider
+     */
+    getConfig() {
+        return {
+            id: this.id,
+            name: this.name,
+            type: this.type,
+            clientId: this.config.clientId, // Público
+            scope: this.config.scope || this.defaultScope,
+            callbackUrl: this.config.callbackUrl
+        };
+    }
+}
+exports.GithubProvider = GithubProvider;

package/dist/providers.d.ts

@@ -1,3 +1,4 @@
 export { CredentialsProvider } from './providers/credentials';
 export { DiscordProvider } from './providers/discord';
 export { GoogleProvider } from './providers/google';
+export { GithubProvider } from "./providers/github";

package/dist/providers.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.GoogleProvider = exports.DiscordProvider = exports.CredentialsProvider = void 0;
+exports.GithubProvider = exports.GoogleProvider = exports.DiscordProvider = exports.CredentialsProvider = void 0;
 /*
  * This file is part of the Vatts.js Project.
  * Copyright (c) 2026 itsmuzin
@@ -24,3 +24,5 @@ var discord_1 = require("./providers/discord");
 Object.defineProperty(exports, "DiscordProvider", { enumerable: true, get: function () { return discord_1.DiscordProvider; } });
 var google_1 = require("./providers/google");
 Object.defineProperty(exports, "GoogleProvider", { enumerable: true, get: function () { return google_1.GoogleProvider; } });
+var github_1 = require("./providers/github");
+Object.defineProperty(exports, "GithubProvider", { enumerable: true, get: function () { return github_1.GithubProvider; } });

package/dist/react.js

@@ -50,7 +50,7 @@ function SessionProvider({ children, basePath = '/api/auth', refetchInterval = 0
             }
         }
         catch (error) {
-            console.error('[hweb-auth] Error fetching session:', error);
+            console.error('[vatts-auth] Error fetching session:', error);
             setSession(null);
             setStatus('unauthenticated');
             return null;
@@ -106,7 +106,7 @@ function SessionProvider({ children, basePath = '/api/auth', refetchInterval = 0
             }
         }
         catch (error) {
-            console.error('[hweb-auth] Error on signIn:', error);
+            console.error('[vatts-auth] Error on signIn:', error);
             return {
                 error: 'Network error',
                 status: 500,
@@ -133,7 +133,7 @@ function SessionProvider({ children, basePath = '/api/auth', refetchInterval = 0
             }
         }
         catch (error) {
-            console.error('[hweb-auth] Error on signOut:', error);
+            console.error('[vatts-auth] Error on signOut:', error);
         }
     }, [basePath]);
     // Update session

package/dist/routes.d.ts

@@ -1,6 +1,6 @@
 import { VattsRequest } from 'vatts';
 import type { AuthConfig } from './types';
-import { HWebAuth } from './core';
+import { VattsAuth } from './core';
 /**
  * Cria o handler catch-all para /api/auth/[...value]
  */
@@ -12,5 +12,5 @@ export declare function createAuthRoutes(config: AuthConfig): {
     POST(req: VattsRequest, params: {
         [key: string]: string;
     }): Promise<any>;
-    auth: HWebAuth;
+    auth: VattsAuth;
 };

package/dist/routes.js

@@ -23,7 +23,7 @@ const core_1 = require("./core");
  * Cria o handler catch-all para /api/auth/[...value]
  */
 function createAuthRoutes(config) {
-    const auth = new core_1.HWebAuth(config);
+    const auth = new core_1.VattsAuth(config);
     /**
      * Handler principal que gerencia todas as rotas de auth
      * Uso: /api/auth/[...value].ts
@@ -102,9 +102,10 @@ async function handleSession(req, auth) {
  * Handler para GET /api/auth/csrf
  */
 async function handleCsrf(req) {
-    // Token CSRF simples para proteção
-    const csrfToken = Math.random().toString(36).substring(2, 15) +
-        Math.random().toString(36).substring(2, 15);
+    // SECURITY: Usa crypto.randomBytes para token criptograficamente seguro
+    // 32 bytes = 256 bits de entropia, codificado em base64url (URL-safe)
+    const crypto = await import('crypto');
+    const csrfToken = crypto.randomBytes(32).toString('base64url');
     return vatts_1.VattsResponse.json({ csrfToken });
 }
 /**
@@ -140,7 +141,7 @@ async function handleSignIn(req, auth) {
         });
     }
     catch (error) {
-        console.error('[hweb-auth] Error on handleSignIn:', error);
+        console.error('[vatts-auth] Error on handleSignIn:', error);
         return vatts_1.VattsResponse.json({ error: 'Authentication failed' }, { status: 500 });
     }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vatts/auth",
-  "version": "1.0.2-alpha.1",
+  "version": "1.0.2-alpha.3",
   "description": "Authentication package for Vatts.js framework",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -42,7 +42,7 @@
   "peerDependencies": {
     "react": "^19.2.0",
     "react-dom": "^19.2.0",
-    "vatts": "^1.0.2-alpha.1"
+    "vatts": "^1.0.2-alpha.3"
   },
   "peerDependenciesMeta": {
     "react-dom": {