dbsc-toolkit 2.1.0 → 2.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/README.md +24 -1
  2. package/dist/client/index.js +1 -1
  3. package/package.json +1 -1
package/README.md CHANGED
@@ -87,7 +87,30 @@ Full walk-through, including the post-login race and how to absorb it: [docs/get
87
87
 
88
88
  ## Adding to an existing app
89
89
 
90
- Already have a session cookie? You don't migrate the store, you don't rewrite login. Add one `bindSession()` call at the end of your existing login route, or set `autoBind` on the middleware and never touch login at all. Per-route policy table and rollout timeline in [docs/integrating-existing-auth.md](./docs/integrating-existing-auth.md).
90
+ You don't rewrite login, you don't migrate the session store. DBSC sits alongside your existing session cookie and binds to the same session id. For a typical Express app with cookie-based sessions and a guard on protected routes, integration is **6 setup lines, plus one guard per sensitive route**.
91
+
92
+ **The 6 setup lines:**
93
+
94
+ 1. Top of the file — `import { dbsc, bindSession, requireBoundProof } from "dbsc-toolkit/express";`
95
+ 2. Top of the file — `import { RedisStorage } from "dbsc-toolkit/storage/redis";`
96
+ 3. During app boot — `const dbscStorage = new RedisStorage(new Redis(process.env.REDIS_URL));`
97
+ 4. During app boot, once — `app.use(dbsc({ storage: dbscStorage }));`
98
+ 5. At the end of `/login`, after the password check — `await bindSession(res, sessionId, dbscStorage, { userId: user.id });`
99
+ 6. At the start of `/logout`, before tearing down your own session — `await res.locals.dbsc.revoke();`
100
+
101
+ `sessionId` on line 5 is whatever id your existing session store already issues. DBSC binds to that same id; you don't manage a second id-space.
102
+
103
+ **One guard per sensitive route — required, not optional:**
104
+
105
+ ```ts
106
+ app.post("/payment", requireBoundProof({ storage: dbscStorage }), paymentHandler);
107
+ app.post("/settings/password", requireBoundProof({ storage: dbscStorage }), passwordHandler);
108
+ app.use("/admin", requireBoundProof({ storage: dbscStorage })); // gates everything under /admin
109
+ ```
110
+
111
+ The `tier` field on every request is informational. Without a guard, a stolen cookie still reaches your handler — the library cannot infer which routes are sensitive, you mark them. `requireBoundProof` lets native DBSC traffic (`tier: "dbsc"`) through automatically (Chromium enforces session validity browser-side); Firefox / Safari traffic (`tier: "bound"`) must carry a fresh per-request signature, which the client-side [`wrapFetch()`](./docs/per-request-signing.md) adds for you.
112
+
113
+ Fastify / Hono / Next.js variants of these six lines, plus the per-route policy table and a 30-day rollout timeline, are in [docs/integrating-existing-auth.md](./docs/integrating-existing-auth.md).
91
114
 
92
115
  ## Subpath imports
93
116
 
package/dist/client/index.js CHANGED
@@ -6,7 +6,7 @@ const DEFAULTS = {
6
6
  challengePath: "/dbsc-bound/challenge",
7
7
  registrationPath: "/dbsc-bound/registration",
8
8
  refreshPath: "/dbsc-bound/refresh",
9
- nativeProbeWindowMs: 3000,
9
+ nativeProbeWindowMs: 5000,
10
10
  refreshMarginMs: 5000,
11
11
  };
12
12
  let refreshTimer = null;
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "dbsc-toolkit",
3
- "version": "2.1.0",
3
+ "version": "2.1.1",
4
4
  "description": "Server-side Device Bound Session Credentials (DBSC) for Node.js plus a Web Crypto polyfill for Firefox, Safari, and older Chromium. Cookie-theft protection on every modern browser.",
5
5
  "license": "Apache-2.0",
6
6
  "type": "module",