@withstudiocms/auth-kit 0.1.0-beta.1

package/dist/utils/lists/usernames.d.ts

@@ -0,0 +1,3 @@
+export declare const usernames: Set<string>;
+export default usernames;
+export declare const isReservedUsername: (name: string) => boolean;

package/dist/utils/lists/usernames.js

@@ -0,0 +1,555 @@
+const usernames = /* @__PURE__ */ new Set([
+  ".git",
+  ".htaccess",
+  ".htpasswd",
+  ".well-known",
+  "400",
+  "401",
+  "403",
+  "404",
+  "405",
+  "406",
+  "407",
+  "408",
+  "409",
+  "410",
+  "411",
+  "412",
+  "413",
+  "414",
+  "415",
+  "416",
+  "417",
+  "421",
+  "422",
+  "423",
+  "424",
+  "426",
+  "428",
+  "429",
+  "431",
+  "500",
+  "501",
+  "502",
+  "503",
+  "504",
+  "505",
+  "506",
+  "507",
+  "508",
+  "509",
+  "510",
+  "511",
+  "_domainkey",
+  "about",
+  "about-us",
+  "abuse",
+  "access",
+  "account",
+  "accounts",
+  "ad",
+  "add",
+  "admin",
+  "administration",
+  "administrator",
+  "ads",
+  "ads.txt",
+  "advertise",
+  "advertising",
+  "aes128-ctr",
+  "aes128-gcm",
+  "aes192-ctr",
+  "aes256-ctr",
+  "aes256-gcm",
+  "affiliate",
+  "affiliates",
+  "ajax",
+  "alert",
+  "alerts",
+  "alpha",
+  "amp",
+  "analytics",
+  "api",
+  "app",
+  "app-ads.txt",
+  "apps",
+  "asc",
+  "assets",
+  "atom",
+  "auth",
+  "authentication",
+  "authorize",
+  "autoconfig",
+  "autodiscover",
+  "avatar",
+  "backup",
+  "banner",
+  "banners",
+  "bbs",
+  "beta",
+  "billing",
+  "billings",
+  "blog",
+  "blogs",
+  "board",
+  "bookmark",
+  "bookmarks",
+  "broadcasthost",
+  "business",
+  "buy",
+  "cache",
+  "calendar",
+  "campaign",
+  "captcha",
+  "careers",
+  "cart",
+  "cas",
+  "categories",
+  "category",
+  "cdn",
+  "cgi",
+  "cgi-bin",
+  "chacha20-poly1305",
+  "change",
+  "channel",
+  "channels",
+  "chart",
+  "chat",
+  "checkout",
+  "clear",
+  "client",
+  "close",
+  "cloud",
+  "cms",
+  "com",
+  "comment",
+  "comments",
+  "community",
+  "compare",
+  "compose",
+  "config",
+  "connect",
+  "contact",
+  "contest",
+  "cookies",
+  "copy",
+  "copyright",
+  "count",
+  "cp",
+  "cpanel",
+  "create",
+  "crossdomain.xml",
+  "css",
+  "curve25519-sha256",
+  "customer",
+  "customers",
+  "customize",
+  "dashboard",
+  "db",
+  "deals",
+  "debug",
+  "delete",
+  "desc",
+  "destroy",
+  "dev",
+  "developer",
+  "developers",
+  "diffie-hellman-group-exchange-sha256",
+  "diffie-hellman-group14-sha1",
+  "disconnect",
+  "discuss",
+  "dns",
+  "dns0",
+  "dns1",
+  "dns2",
+  "dns3",
+  "dns4",
+  "docs",
+  "documentation",
+  "domain",
+  "download",
+  "downloads",
+  "downvote",
+  "draft",
+  "drop",
+  "ecdh-sha2-nistp256",
+  "ecdh-sha2-nistp384",
+  "ecdh-sha2-nistp521",
+  "edit",
+  "editor",
+  "email",
+  "enterprise",
+  "error",
+  "errors",
+  "event",
+  "events",
+  "example",
+  "exception",
+  "exit",
+  "explore",
+  "export",
+  "extensions",
+  "false",
+  "family",
+  "faq",
+  "faqs",
+  "favicon.ico",
+  "features",
+  "feed",
+  "feedback",
+  "feeds",
+  "file",
+  "files",
+  "filter",
+  "follow",
+  "follower",
+  "followers",
+  "following",
+  "fonts",
+  "forgot",
+  "forgot-password",
+  "forgotpassword",
+  "form",
+  "forms",
+  "forum",
+  "forums",
+  "friend",
+  "friends",
+  "ftp",
+  "get",
+  "git",
+  "go",
+  "graphql",
+  "group",
+  "groups",
+  "guest",
+  "guidelines",
+  "guides",
+  "head",
+  "header",
+  "help",
+  "hide",
+  "hmac-sha",
+  "hmac-sha1",
+  "hmac-sha1-etm",
+  "hmac-sha2-256",
+  "hmac-sha2-256-etm",
+  "hmac-sha2-512",
+  "hmac-sha2-512-etm",
+  "home",
+  "host",
+  "hosting",
+  "hostmaster",
+  "htpasswd",
+  "http",
+  "httpd",
+  "https",
+  "humans.txt",
+  "icons",
+  "images",
+  "imap",
+  "img",
+  "import",
+  "index",
+  "info",
+  "insert",
+  "investors",
+  "invitations",
+  "invite",
+  "invites",
+  "invoice",
+  "is",
+  "isatap",
+  "issues",
+  "it",
+  "jobs",
+  "join",
+  "js",
+  "json",
+  "keybase.txt",
+  "learn",
+  "legal",
+  "license",
+  "licensing",
+  "like",
+  "limit",
+  "live",
+  "load",
+  "local",
+  "localdomain",
+  "localhost",
+  "lock",
+  "login",
+  "logout",
+  "lost-password",
+  "m",
+  "mail",
+  "mail0",
+  "mail1",
+  "mail2",
+  "mail3",
+  "mail4",
+  "mail5",
+  "mail6",
+  "mail7",
+  "mail8",
+  "mail9",
+  "mailer-daemon",
+  "mailerdaemon",
+  "map",
+  "marketing",
+  "marketplace",
+  "master",
+  "me",
+  "media",
+  "member",
+  "members",
+  "message",
+  "messages",
+  "metrics",
+  "mis",
+  "mobile",
+  "moderator",
+  "modify",
+  "more",
+  "mx",
+  "mx1",
+  "my",
+  "net",
+  "network",
+  "new",
+  "news",
+  "newsletter",
+  "newsletters",
+  "next",
+  "nil",
+  "no-reply",
+  "nobody",
+  "noc",
+  "none",
+  "noreply",
+  "notification",
+  "notifications",
+  "ns",
+  "ns0",
+  "ns1",
+  "ns2",
+  "ns3",
+  "ns4",
+  "ns5",
+  "ns6",
+  "ns7",
+  "ns8",
+  "ns9",
+  "null",
+  "oauth",
+  "oauth2",
+  "offer",
+  "offers",
+  "online",
+  "openid",
+  "order",
+  "orders",
+  "overview",
+  "owa",
+  "owner",
+  "page",
+  "pages",
+  "partners",
+  "passwd",
+  "password",
+  "pay",
+  "payment",
+  "payments",
+  "paypal",
+  "photo",
+  "photos",
+  "pixel",
+  "plans",
+  "plugins",
+  "policies",
+  "policy",
+  "pop",
+  "pop3",
+  "popular",
+  "portal",
+  "portfolio",
+  "post",
+  "postfix",
+  "postmaster",
+  "poweruser",
+  "preferences",
+  "premium",
+  "press",
+  "previous",
+  "pricing",
+  "print",
+  "privacy",
+  "privacy-policy",
+  "private",
+  "prod",
+  "product",
+  "production",
+  "profile",
+  "profiles",
+  "project",
+  "projects",
+  "promo",
+  "public",
+  "purchase",
+  "put",
+  "quota",
+  "redirect",
+  "reduce",
+  "refund",
+  "refunds",
+  "register",
+  "registration",
+  "remove",
+  "replies",
+  "reply",
+  "report",
+  "request",
+  "request-password",
+  "reset",
+  "reset-password",
+  "response",
+  "return",
+  "returns",
+  "review",
+  "reviews",
+  "robots.txt",
+  "root",
+  "rootuser",
+  "rsa-sha2-2",
+  "rsa-sha2-512",
+  "rss",
+  "rules",
+  "sales",
+  "save",
+  "script",
+  "sdk",
+  "search",
+  "secure",
+  "security",
+  "select",
+  "services",
+  "session",
+  "sessions",
+  "settings",
+  "setup",
+  "share",
+  "shift",
+  "shop",
+  "signin",
+  "signup",
+  "site",
+  "sitemap",
+  "sites",
+  "smtp",
+  "sort",
+  "source",
+  "sql",
+  "ssh",
+  "ssh-rsa",
+  "ssl",
+  "ssladmin",
+  "ssladministrator",
+  "sslwebmaster",
+  "stage",
+  "staging",
+  "stat",
+  "static",
+  "statistics",
+  "stats",
+  "status",
+  "store",
+  "style",
+  "styles",
+  "stylesheet",
+  "stylesheets",
+  "subdomain",
+  "subscribe",
+  "sudo",
+  "super",
+  "superuser",
+  "support",
+  "survey",
+  "sync",
+  "sysadmin",
+  "sysadmin",
+  "system",
+  "tablet",
+  "tag",
+  "tags",
+  "team",
+  "telnet",
+  "terms",
+  "terms-of-use",
+  "test",
+  "testimonials",
+  "theme",
+  "themes",
+  "today",
+  "tools",
+  "topic",
+  "topics",
+  "tour",
+  "training",
+  "translate",
+  "translations",
+  "trending",
+  "trial",
+  "true",
+  "umac-128",
+  "umac-128-etm",
+  "umac-64",
+  "umac-64-etm",
+  "undefined",
+  "unfollow",
+  "unlike",
+  "unsubscribe",
+  "update",
+  "upgrade",
+  "usenet",
+  "user",
+  "username",
+  "users",
+  "uucp",
+  "var",
+  "verify",
+  "video",
+  "view",
+  "void",
+  "vote",
+  "vpn",
+  "webmail",
+  "webmaster",
+  "website",
+  "widget",
+  "widgets",
+  "wiki",
+  "wpad",
+  "write",
+  "www",
+  "www-data",
+  "www1",
+  "www2",
+  "www3",
+  "www4",
+  "you",
+  "yourname",
+  "yourusername",
+  "zlib"
+]);
+var usernames_default = usernames;
+const canonicalizeUsername = (name) => (name ?? "").trim().normalize("NFKC").toLowerCase();
+const isReservedUsername = (name) => {
+  const normalized = canonicalizeUsername(name);
+  return usernames.has(normalized);
+};
+export {
+  usernames_default as default,
+  isReservedUsername,
+  usernames
+};

package/dist/utils/password.d.ts

@@ -0,0 +1,63 @@
+import { Effect, Platform } from '@withstudiocms/effect';
+import { PasswordError } from '../errors.js';
+/**
+ * Compares two strings in constant time to prevent timing attacks.
+ *
+ * This function ensures that the comparison time is independent of the
+ * input strings' content, making it resistant to timing attacks that
+ * could reveal information about the strings.
+ *
+ * @param a - The first string to compare.
+ * @param b - The second string to compare.
+ * @returns `true` if the strings are equal, `false` otherwise.
+ * @private
+ */
+export declare const constantTimeEqual: (a: string, b: string) => boolean;
+/**
+ * The generation prefix for the secure password format.
+ * This is used to identify the version of the password hashing scheme.
+ */
+export declare const PASS_GEN1_0_PREFIX = "gen1.0";
+/**
+ * Builds a secure password hash from the generation, salt, and hash.
+ *
+ * The format of the secure password is: `gen1.0:salt:hash`.
+ * If any of the components are invalid, a PasswordError is thrown.
+ *
+ * @param generation - The generation identifier (e.g., 'gen1.0').
+ * @param salt - The salt used in the hashing process.
+ * @param hash - The hashed password.
+ * @returns A string representing the secure password.
+ */
+export declare const buildSecurePassword: (args_0: {
+    generation: string;
+    salt: string;
+    hash: string;
+}) => Effect.Effect.AsEffect<Effect.Effect<string, never, never>>;
+/**
+ * Breaks down a secure password hash into its components.
+ *
+ * The hash is expected to be in the format: `gen1.0:salt:hash`.
+ * If the hash does not match this format, or if it uses an unsupported generation,
+ * a PasswordError is thrown.
+ *
+ * @param hash - The secure password hash to break down.
+ * @returns An object containing the generation, salt, and hash value.
+ */
+export declare const breakSecurePassword: (hash: string) => Effect.Effect.AsEffect<Effect.Effect<{
+    generation: string;
+    salt: string;
+    hash: string;
+}, PasswordError, never>>;
+/**
+ * @private Internal function for the `verifyPasswordStrength` function
+ */
+export declare const verifyPasswordLength: (pass: string) => Effect.Effect.AsEffect<Effect.Effect<"Password must be between 6 and 255 characters long." | undefined, PasswordError, never>>;
+/**
+ * @private Internal function for the `verifyPasswordStrength` function
+ */
+export declare const verifySafe: (pass: string) => Effect.Effect<string | undefined, import("../errors.js").CheckIfUnsafeError, never>;
+/**
+ * @private Internal function for the `verifyPasswordStrength` function
+ */
+export declare const checkPwnedDB: (pass: string) => Effect.Effect<string | undefined, Platform.HttpClientError.ResponseError, never>;

package/dist/utils/password.js

@@ -0,0 +1,91 @@
+import { sha1 } from "@oslojs/crypto/sha1";
+import { encodeHexLowerCase } from "@oslojs/encoding";
+import { Effect, Platform } from "@withstudiocms/effect";
+import { PasswordError, usePasswordError } from "../errors.js";
+import { CheckIfUnsafe } from "./unsafeCheck.js";
+const constantTimeEqual = (a, b) => {
+  const len = Math.max(a.length, b.length);
+  let result = a.length ^ b.length;
+  for (let i = 0; i < len; i++) {
+    const ca = i < a.length ? a.charCodeAt(i) : 0;
+    const cb = i < b.length ? b.charCodeAt(i) : 0;
+    result |= ca ^ cb;
+  }
+  return result === 0;
+};
+const PASS_GEN1_0_PREFIX = "gen1.0";
+const buildSecurePassword = Effect.fn(
+  ({ generation, hash, salt }) => Effect.succeed(`${generation}:${salt}:${hash}`)
+);
+const breakSecurePassword = Effect.fn(
+  (hash) => usePasswordError(() => {
+    const parts = hash.split(":");
+    if (parts.length !== 3) {
+      throw new PasswordError({
+        cause: 'Invalid secure password format. Expected "gen1.0:salt:hash".'
+      });
+    }
+    const [generation, salt, hashValue] = parts;
+    if (generation !== PASS_GEN1_0_PREFIX) {
+      throw new PasswordError({
+        cause: "Legacy password hashes are not supported. Please reset any legacy passwords."
+      });
+    }
+    if (!salt || !hashValue) {
+      throw new PasswordError({
+        cause: "Invalid secure password format: missing salt or hash."
+      });
+    }
+    return { generation, salt, hash: hashValue };
+  })
+);
+const verifyPasswordLength = Effect.fn(
+  (pass) => usePasswordError(() => {
+    if (pass.length < 6 || pass.length > 255) {
+      return "Password must be between 6 and 255 characters long.";
+    }
+    return void 0;
+  })
+);
+const verifySafe = (pass) => Effect.gen(function* () {
+  const check = yield* CheckIfUnsafe;
+  const isUnsafe = yield* check.password(pass);
+  if (isUnsafe) {
+    return "Password must not be a commonly known unsafe password (admin, root, etc.)";
+  }
+  return void 0;
+}).pipe(Effect.provide(CheckIfUnsafe.Default));
+const checkPwnedDB = (pass) => Effect.gen(function* () {
+  const http = yield* Platform.HttpClient.HttpClient;
+  const encodedData = new TextEncoder().encode(pass);
+  const sha1Hash = sha1(encodedData);
+  const hashHex = encodeHexLowerCase(sha1Hash);
+  const hashPrefix = hashHex.slice(0, 5);
+  const response = yield* http.get(`https://api.pwnedpasswords.com/range/${hashPrefix}`).pipe(
+    Effect.catchTags({
+      RequestError: () => Effect.succeed({ text: Effect.succeed(""), status: 500 }),
+      ResponseError: () => Effect.succeed({ text: Effect.succeed(""), status: 500 })
+    })
+  );
+  if (response.status >= 400) {
+    return void 0;
+  }
+  const data = yield* response.text;
+  const lines = data.split("\n");
+  for (const line of lines) {
+    const hashSuffix = line.slice(0, 35).toLowerCase();
+    if (hashHex === hashPrefix + hashSuffix) {
+      return 'Password must not be in the <a href="https://haveibeenpwned.com/Passwords" target="_blank">pwned password database</a>.';
+    }
+  }
+  return void 0;
+}).pipe(Effect.provide(Platform.FetchHttpClient.layer));
+export {
+  PASS_GEN1_0_PREFIX,
+  breakSecurePassword,
+  buildSecurePassword,
+  checkPwnedDB,
+  constantTimeEqual,
+  verifyPasswordLength,
+  verifySafe
+};