kroxt 1.2.1 → 1.3.0

package/dist/auth/core/index.js

@@ -0,0 +1,143 @@
+import * as argon2 from "argon2";
+import { SignJWT, jwtVerify } from "jose";
+import crypto from "crypto";
+import { createRateLimiter } from "../security/rate-limit.js";
+function createAuth(options) {
+  const { adapter, secret, pepper, session, providers, rateLimit, ipBlocking } = options;
+  const encodedSecret = typeof secret === "string" ? new TextEncoder().encode(secret) : secret;
+  const expiration = session?.expires || "1h";
+  const refreshExpiration = session?.refreshExpires || "7d";
+  const configuredRateLimiter = createRateLimiter(adapter, rateLimit);
+  async function generateToken(user, type = "access") {
+    let payload = { sub: user.id, role: user.role, type };
+    if (user.passwordHash && (type === "refresh" || session?.enforceStrictRevocation)) {
+      payload.pw_frag = user.passwordHash.slice(-10);
+    }
+    if (options.jwt?.payload) {
+      const customPayload = options.jwt.payload(user, type);
+      payload = { ...payload, ...customPayload };
+    }
+    return new SignJWT(payload).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setExpirationTime(type === "access" ? expiration : refreshExpiration).sign(encodedSecret);
+  }
+  async function verifyToken(token, expectedType = "access") {
+    try {
+      const { payload } = await jwtVerify(token, encodedSecret);
+      if (payload.type !== expectedType) return null;
+      if (expectedType === "access" && session?.enforceStrictRevocation && payload.pw_frag) {
+        const user = await adapter.findUserById(payload.sub);
+        if (!user || payload.pw_frag !== user.passwordHash?.slice(-10)) {
+          throw new Error("Strict Revocation: Access Token revoked due to password change");
+        }
+      }
+      return payload;
+    } catch (e) {
+      return null;
+    }
+  }
+  async function refresh(refreshToken) {
+    const payload = await verifyToken(refreshToken, "refresh");
+    if (!payload || !payload.sub) {
+      throw new Error("Invalid or expired refresh token");
+    }
+    const user = await adapter.findUserById(payload.sub);
+    if (!user) {
+      throw new Error("User not found");
+    }
+    if (payload.pw_frag && user.passwordHash) {
+      if (payload.pw_frag !== user.passwordHash.slice(-10)) {
+        throw new Error("Session revoked (Password changed)");
+      }
+    }
+    const accessToken = await generateToken(user, "access");
+    return { accessToken };
+  }
+  function validatePassword(password) {
+    if (!password || !options.passwordPolicy) return;
+    const p = options.passwordPolicy;
+    if (p.minLength && password.length < p.minLength) {
+      throw new Error(`Password must be at least ${p.minLength} characters`);
+    }
+    if (p.requireUppercase && !/[A-Z]/.test(password)) {
+      throw new Error("Password must contain at least one uppercase letter");
+    }
+    if (p.requireLowercase && !/[a-z]/.test(password)) {
+      throw new Error("Password must contain at least one lowercase letter");
+    }
+    if (p.requireNumber && !/[0-9]/.test(password)) {
+      throw new Error("Password must contain at least one number");
+    }
+    if (p.requireSpecialCharacter && !/[^A-Za-z0-9]/.test(password)) {
+      throw new Error("Password must contain at least one special character");
+    }
+  }
+  async function signup(userData, password) {
+    let dataToSave = { ...userData };
+    if (password) {
+      validatePassword(password);
+      const passwordWithPepper = pepper ? `${password}${pepper}` : password;
+      dataToSave.passwordHash = await argon2.hash(passwordWithPepper);
+    }
+    const newUser = await adapter.createUser(dataToSave);
+    const accessToken = await generateToken(newUser, "access");
+    const refreshToken = await generateToken(newUser, "refresh");
+    return { user: newUser, accessToken, refreshToken };
+  }
+  async function loginWithPassword(email, password, clientIp) {
+    if (ipBlocking && clientIp && configuredRateLimiter) {
+      const strikeCheck = await configuredRateLimiter.check(`strike_${clientIp}`);
+      if (strikeCheck && strikeCheck.count >= ipBlocking.maxStrikes) {
+        throw new Error("IP is temporarily blocked.");
+      }
+    }
+    if (configuredRateLimiter) {
+      const limitStatus = await configuredRateLimiter.increment(`login_${email}`);
+      if (!limitStatus.success) {
+        if (ipBlocking && clientIp) {
+          await configuredRateLimiter.increment(`strike_${clientIp}`, ipBlocking.blockDurationMs);
+        }
+        throw new Error("Too many requests, please try again later.");
+      }
+    }
+    const user = await adapter.findUserByEmail(email);
+    const dummyHash = "$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RytpInY7i6C9M5l0D4n8Q+7j/J+i";
+    const targetHash = user?.passwordHash || dummyHash;
+    const passwordWithPepper = pepper ? `${password}${pepper}` : password;
+    const isValid = await argon2.verify(targetHash, passwordWithPepper);
+    if (!user || !user.passwordHash || !isValid) {
+      throw new Error("Invalid credentials");
+    }
+    const accessToken = await generateToken(user, "access");
+    const refreshToken = await generateToken(user, "refresh");
+    return { user, accessToken, refreshToken };
+  }
+  async function changePassword(userId, newPassword) {
+    if (!adapter.updateUser) {
+      throw new Error("The AuthAdapter does not support updating user records natively.");
+    }
+    validatePassword(newPassword);
+    const passwordWithPepper = pepper ? `${newPassword}${pepper}` : newPassword;
+    const newHash = await argon2.hash(passwordWithPepper);
+    const updatedUser = await adapter.updateUser(userId, { passwordHash: newHash });
+    if (!updatedUser) {
+      throw new Error("User not found");
+    }
+    return updatedUser;
+  }
+  return {
+    signup,
+    loginWithPassword,
+    changePassword,
+    refresh,
+    verifyToken,
+    generateToken,
+    _providers: providers
+  };
+}
+function generateSecret(length = 32) {
+  return crypto.getRandomValues(new Uint8Array(length));
+}
+export {
+  createAuth,
+  generateSecret
+};
+//# sourceMappingURL=index.js.map

package/dist/auth/core/index.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/auth/core/index.ts"],
+  "sourcesContent": ["import * as argon2 from \"argon2\";\r\nimport { SignJWT, jwtVerify } from \"jose\";\r\nimport crypto from \"crypto\";\r\nimport type { AuthAdapter, User } from \"../adapters/index.js\";\r\nimport type { Provider } from \"../providers/index.js\";\r\nimport { createRateLimiter, type RateLimitOptions } from \"../security/rate-limit.js\";\r\n\r\nexport interface CreateAuthOptions {\r\n    adapter: AuthAdapter<any>;\r\n    secret: string | Uint8Array;\r\n    pepper?: string;\r\n    session?: {\r\n        expires?: string | number; // For access tokens\r\n        refreshExpires?: string | number; // For refresh tokens\r\n        enforceStrictRevocation?: boolean; // If true, DB check on access tokens\r\n    };\r\n    providers?: Provider[];\r\n    jwt?: {\r\n        /**\r\n         * A callback to add custom fields to the JWT payload.\r\n         * It receives the user object and the token type ('access' or 'refresh').\r\n         * Return an object containing the fields to be merged into the payload.\r\n         * You can also override default fields like 'sub'.\r\n         */\r\n        payload?: (user: User<any>, type: \"access\" | \"refresh\") => Record<string, any>;\r\n    };\r\n    rateLimit?: RateLimitOptions;\r\n    ipBlocking?: { maxStrikes: number; blockDurationMs: number };\r\n    passwordPolicy?: {\r\n        minLength?: number;\r\n        requireUppercase?: boolean;\r\n        requireLowercase?: boolean;\r\n        requireNumber?: boolean;\r\n        requireSpecialCharacter?: boolean;\r\n    };\r\n}\r\n\r\nexport function createAuth(options: CreateAuthOptions) {\r\n    const { adapter, secret, pepper, session, providers, rateLimit, ipBlocking } = options;\r\n    const encodedSecret = typeof secret === \"string\" ? new TextEncoder().encode(secret) : secret;\r\n    const expiration = session?.expires || \"1h\"; // Default access token to 1h\r\n    const refreshExpiration = session?.refreshExpires || \"7d\";\r\n\r\n    const configuredRateLimiter = createRateLimiter(adapter, rateLimit);\r\n\r\n    /**\r\n     * Generates a stateless JWT for a user session\r\n     */\r\n    async function generateToken(user: User<any>, type: \"access\" | \"refresh\" = \"access\") {\r\n        let payload: Record<string, any> = { sub: user.id, role: user.role, type };\r\n\r\n        // Lightweight Session Revocation: Link token to current password hash state\r\n        if (user.passwordHash && (type === \"refresh\" || session?.enforceStrictRevocation)) {\r\n            payload.pw_frag = user.passwordHash.slice(-10);\r\n        }\r\n\r\n        if (options.jwt?.payload) {\r\n            const customPayload = options.jwt.payload(user, type);\r\n            payload = { ...payload, ...customPayload };\r\n        }\r\n\r\n        return new SignJWT(payload)\r\n            .setProtectedHeader({ alg: \"HS256\" })\r\n            .setIssuedAt()\r\n            .setExpirationTime(type === \"access\" ? expiration : refreshExpiration)\r\n            .sign(encodedSecret);\r\n    }\r\n\r\n    /**\r\n     * Verifies a JWT and returns the payload.\r\n     * Optionally checks for a specific token type (access/refresh).\r\n     */\r\n    async function verifyToken(token: string, expectedType: \"access\" | \"refresh\" = \"access\") {\r\n        try {\r\n            const { payload } = await jwtVerify(token, encodedSecret);\r\n            if (payload.type !== expectedType) return null;\r\n\r\n            if (expectedType === \"access\" && session?.enforceStrictRevocation && payload.pw_frag) {\r\n                const user = await adapter.findUserById(payload.sub as string);\r\n                if (!user || payload.pw_frag !== user.passwordHash?.slice(-10)) {\r\n                    throw new Error(\"Strict Revocation: Access Token revoked due to password change\");\r\n                }\r\n            }\r\n\r\n            return payload;\r\n        } catch (e) {\r\n            return null;\r\n        }\r\n    }\r\n\r\n    /**\r\n     * Refreshes an access token using a valid refresh token.\r\n     */\r\n    async function refresh(refreshToken: string) {\r\n        const payload = await verifyToken(refreshToken, \"refresh\");\r\n        if (!payload || !payload.sub) {\r\n            throw new Error(\"Invalid or expired refresh token\");\r\n        }\r\n\r\n        const user = await adapter.findUserById(payload.sub as string);\r\n        if (!user) {\r\n            throw new Error(\"User not found\");\r\n        }\r\n\r\n        // Lightweight Session Revocation: Validate password hasn't changed since token issuance\r\n        if (payload.pw_frag && user.passwordHash) {\r\n            if (payload.pw_frag !== user.passwordHash.slice(-10)) {\r\n                throw new Error(\"Session revoked (Password changed)\");\r\n            }\r\n        }\r\n\r\n        const accessToken = await generateToken(user, \"access\");\r\n        return { accessToken };\r\n    }\r\n\r\n    function validatePassword(password?: string) {\r\n        if (!password || !options.passwordPolicy) return;\r\n        \r\n        const p = options.passwordPolicy;\r\n        if (p.minLength && password.length < p.minLength) {\r\n            throw new Error(`Password must be at least ${p.minLength} characters`);\r\n        }\r\n        if (p.requireUppercase && !/[A-Z]/.test(password)) {\r\n            throw new Error(\"Password must contain at least one uppercase letter\");\r\n        }\r\n        if (p.requireLowercase && !/[a-z]/.test(password)) {\r\n            throw new Error(\"Password must contain at least one lowercase letter\");\r\n        }\r\n        if (p.requireNumber && !/[0-9]/.test(password)) {\r\n            throw new Error(\"Password must contain at least one number\");\r\n        }\r\n        if (p.requireSpecialCharacter && !/[^A-Za-z0-9]/.test(password)) {\r\n            throw new Error(\"Password must contain at least one special character\");\r\n        }\r\n    }\r\n\r\n    /**\r\n     * Signup with a new user payload.\r\n     * Incorporates server-side pepper for password hashing if provided.\r\n     */\r\n    async function signup(userData: Omit<User<any>, \"id\">, password?: string) {\r\n        let dataToSave = { ...userData };\r\n\r\n        if (password) {\r\n            validatePassword(password);\r\n            const passwordWithPepper = pepper ? `${password}${pepper}` : password;\r\n            dataToSave.passwordHash = await argon2.hash(passwordWithPepper);\r\n        }\r\n\r\n        const newUser = await adapter.createUser(dataToSave);\r\n        const accessToken = await generateToken(newUser, \"access\");\r\n        const refreshToken = await generateToken(newUser, \"refresh\");\r\n\r\n        return { user: newUser, accessToken, refreshToken };\r\n    }\r\n\r\n    /**\r\n     * Standard Email/Password Login.\r\n     * Includes timing attack protection and password peppering.\r\n     */\r\n    async function loginWithPassword(email: string, password: string, clientIp?: string) {\r\n        if (ipBlocking && clientIp && configuredRateLimiter) {\r\n            const strikeCheck = await configuredRateLimiter.check(`strike_${clientIp}`);\r\n            if (strikeCheck && strikeCheck.count >= ipBlocking.maxStrikes) {\r\n                throw new Error(\"IP is temporarily blocked.\");\r\n            }\r\n        }\r\n\r\n        if (configuredRateLimiter) {\r\n            const limitStatus = await configuredRateLimiter.increment(`login_${email}`);\r\n            if (!limitStatus.success) {\r\n                if (ipBlocking && clientIp) {\r\n                    await configuredRateLimiter.increment(`strike_${clientIp}`, ipBlocking.blockDurationMs);\r\n                }\r\n                throw new Error(\"Too many requests, please try again later.\");\r\n            }\r\n        }\r\n\r\n        const user = await adapter.findUserByEmail(email);\r\n\r\n        // Timing attack protection: Always verify a hash, even if user doesn't exist.\r\n        // We use a dummy hash to keep execution time consistent.\r\n        const dummyHash = \"$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RytpInY7i6C9M5l0D4n8Q+7j/J+i\";\r\n        const targetHash = user?.passwordHash || dummyHash;\r\n        const passwordWithPepper = pepper ? `${password}${pepper}` : password;\r\n\r\n        const isValid = await argon2.verify(targetHash, passwordWithPepper);\r\n\r\n        if (!user || !user.passwordHash || !isValid) {\r\n            throw new Error(\"Invalid credentials\");\r\n        }\r\n\r\n        const accessToken = await generateToken(user, \"access\");\r\n        const refreshToken = await generateToken(user, \"refresh\");\r\n\r\n        return { user, accessToken, refreshToken };\r\n    }\r\n\r\n    /**\r\n     * Changes a user's password securely using the configured pepper and hashing algorithm.\r\n     * Instantly revokes all active refresh tokens for the user globally.\r\n     */\r\n    async function changePassword(userId: string, newPassword: string) {\r\n        if (!adapter.updateUser) {\r\n            throw new Error(\"The AuthAdapter does not support updating user records natively.\");\r\n        }\r\n\r\n        validatePassword(newPassword);\r\n        const passwordWithPepper = pepper ? `${newPassword}${pepper}` : newPassword;\r\n        const newHash = await argon2.hash(passwordWithPepper);\r\n\r\n        const updatedUser = await adapter.updateUser(userId, { passwordHash: newHash } as any);\r\n        if (!updatedUser) {\r\n            throw new Error(\"User not found\");\r\n        }\r\n        \r\n        return updatedUser;\r\n    }\r\n\r\n    return {\r\n        signup,\r\n        loginWithPassword,\r\n        changePassword,\r\n        refresh,\r\n        verifyToken,\r\n        generateToken,\r\n        _providers: providers\r\n    };\r\n}\r\n\r\n/**\r\n * Utility to generate a high-entropy cryptographically secure secret.\r\n * Useful for initializing the 'secret' option in createAuth.\r\n */\r\nexport function generateSecret(length: number = 32): Uint8Array {\r\n    return crypto.getRandomValues(new Uint8Array(length));\r\n}\r\n"],
+  "mappings": "AAAA,YAAY,YAAY;AACxB,SAAS,SAAS,iBAAiB;AACnC,OAAO,YAAY;AAGnB,SAAS,yBAAgD;AAgClD,SAAS,WAAW,SAA4B;AACnD,QAAM,EAAE,SAAS,QAAQ,QAAQ,SAAS,WAAW,WAAW,WAAW,IAAI;AAC/E,QAAM,gBAAgB,OAAO,WAAW,WAAW,IAAI,YAAY,EAAE,OAAO,MAAM,IAAI;AACtF,QAAM,aAAa,SAAS,WAAW;AACvC,QAAM,oBAAoB,SAAS,kBAAkB;AAErD,QAAM,wBAAwB,kBAAkB,SAAS,SAAS;AAKlE,iBAAe,cAAc,MAAiB,OAA6B,UAAU;AACjF,QAAI,UAA+B,EAAE,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,KAAK;AAGzE,QAAI,KAAK,iBAAiB,SAAS,aAAa,SAAS,0BAA0B;AAC/E,cAAQ,UAAU,KAAK,aAAa,MAAM,GAAG;AAAA,IACjD;AAEA,QAAI,QAAQ,KAAK,SAAS;AACtB,YAAM,gBAAgB,QAAQ,IAAI,QAAQ,MAAM,IAAI;AACpD,gBAAU,EAAE,GAAG,SAAS,GAAG,cAAc;AAAA,IAC7C;AAEA,WAAO,IAAI,QAAQ,OAAO,EACrB,mBAAmB,EAAE,KAAK,QAAQ,CAAC,EACnC,YAAY,EACZ,kBAAkB,SAAS,WAAW,aAAa,iBAAiB,EACpE,KAAK,aAAa;AAAA,EAC3B;AAMA,iBAAe,YAAY,OAAe,eAAqC,UAAU;AACrF,QAAI;AACA,YAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,OAAO,aAAa;AACxD,UAAI,QAAQ,SAAS,aAAc,QAAO;AAE1C,UAAI,iBAAiB,YAAY,SAAS,2BAA2B,QAAQ,SAAS;AAClF,cAAM,OAAO,MAAM,QAAQ,aAAa,QAAQ,GAAa;AAC7D,YAAI,CAAC,QAAQ,QAAQ,YAAY,KAAK,cAAc,MAAM,GAAG,GAAG;AAC5D,gBAAM,IAAI,MAAM,gEAAgE;AAAA,QACpF;AAAA,MACJ;AAEA,aAAO;AAAA,IACX,SAAS,GAAG;AACR,aAAO;AAAA,IACX;AAAA,EACJ;AAKA,iBAAe,QAAQ,cAAsB;AACzC,UAAM,UAAU,MAAM,YAAY,cAAc,SAAS;AACzD,QAAI,CAAC,WAAW,CAAC,QAAQ,KAAK;AAC1B,YAAM,IAAI,MAAM,kCAAkC;AAAA,IACtD;AAEA,UAAM,OAAO,MAAM,QAAQ,aAAa,QAAQ,GAAa;AAC7D,QAAI,CAAC,MAAM;AACP,YAAM,IAAI,MAAM,gBAAgB;AAAA,IACpC;AAGA,QAAI,QAAQ,WAAW,KAAK,cAAc;AACtC,UAAI,QAAQ,YAAY,KAAK,aAAa,MAAM,GAAG,GAAG;AAClD,cAAM,IAAI,MAAM,oCAAoC;AAAA,MACxD;AAAA,IACJ;AAEA,UAAM,cAAc,MAAM,cAAc,MAAM,QAAQ;AACtD,WAAO,EAAE,YAAY;AAAA,EACzB;AAEA,WAAS,iBAAiB,UAAmB;AACzC,QAAI,CAAC,YAAY,CAAC,QAAQ,eAAgB;AAE1C,UAAM,IAAI,QAAQ;AAClB,QAAI,EAAE,aAAa,SAAS,SAAS,EAAE,WAAW;AAC9C,YAAM,IAAI,MAAM,6BAA6B,EAAE,SAAS,aAAa;AAAA,IACzE;AACA,QAAI,EAAE,oBAAoB,CAAC,QAAQ,KAAK,QAAQ,GAAG;AAC/C,YAAM,IAAI,MAAM,qDAAqD;AAAA,IACzE;AACA,QAAI,EAAE,oBAAoB,CAAC,QAAQ,KAAK,QAAQ,GAAG;AAC/C,YAAM,IAAI,MAAM,qDAAqD;AAAA,IACzE;AACA,QAAI,EAAE,iBAAiB,CAAC,QAAQ,KAAK,QAAQ,GAAG;AAC5C,YAAM,IAAI,MAAM,2CAA2C;AAAA,IAC/D;AACA,QAAI,EAAE,2BAA2B,CAAC,eAAe,KAAK,QAAQ,GAAG;AAC7D,YAAM,IAAI,MAAM,sDAAsD;AAAA,IAC1E;AAAA,EACJ;AAMA,iBAAe,OAAO,UAAiC,UAAmB;AACtE,QAAI,aAAa,EAAE,GAAG,SAAS;AAE/B,QAAI,UAAU;AACV,uBAAiB,QAAQ;AACzB,YAAM,qBAAqB,SAAS,GAAG,QAAQ,GAAG,MAAM,KAAK;AAC7D,iBAAW,eAAe,MAAM,OAAO,KAAK,kBAAkB;AAAA,IAClE;AAEA,UAAM,UAAU,MAAM,QAAQ,WAAW,UAAU;AACnD,UAAM,cAAc,MAAM,cAAc,SAAS,QAAQ;AACzD,UAAM,eAAe,MAAM,cAAc,SAAS,SAAS;AAE3D,WAAO,EAAE,MAAM,SAAS,aAAa,aAAa;AAAA,EACtD;AAMA,iBAAe,kBAAkB,OAAe,UAAkB,UAAmB;AACjF,QAAI,cAAc,YAAY,uBAAuB;AACjD,YAAM,cAAc,MAAM,sBAAsB,MAAM,UAAU,QAAQ,EAAE;AAC1E,UAAI,eAAe,YAAY,SAAS,WAAW,YAAY;AAC3D,cAAM,IAAI,MAAM,4BAA4B;AAAA,MAChD;AAAA,IACJ;AAEA,QAAI,uBAAuB;AACvB,YAAM,cAAc,MAAM,sBAAsB,UAAU,SAAS,KAAK,EAAE;AAC1E,UAAI,CAAC,YAAY,SAAS;AACtB,YAAI,cAAc,UAAU;AACxB,gBAAM,sBAAsB,UAAU,UAAU,QAAQ,IAAI,WAAW,eAAe;AAAA,QAC1F;AACA,cAAM,IAAI,MAAM,4CAA4C;AAAA,MAChE;AAAA,IACJ;AAEA,UAAM,OAAO,MAAM,QAAQ,gBAAgB,KAAK;AAIhD,UAAM,YAAY;AAClB,UAAM,aAAa,MAAM,gBAAgB;AACzC,UAAM,qBAAqB,SAAS,GAAG,QAAQ,GAAG,MAAM,KAAK;AAE7D,UAAM,UAAU,MAAM,OAAO,OAAO,YAAY,kBAAkB;AAElE,QAAI,CAAC,QAAQ,CAAC,KAAK,gBAAgB,CAAC,SAAS;AACzC,YAAM,IAAI,MAAM,qBAAqB;AAAA,IACzC;AAEA,UAAM,cAAc,MAAM,cAAc,MAAM,QAAQ;AACtD,UAAM,eAAe,MAAM,cAAc,MAAM,SAAS;AAExD,WAAO,EAAE,MAAM,aAAa,aAAa;AAAA,EAC7C;AAMA,iBAAe,eAAe,QAAgB,aAAqB;AAC/D,QAAI,CAAC,QAAQ,YAAY;AACrB,YAAM,IAAI,MAAM,kEAAkE;AAAA,IACtF;AAEA,qBAAiB,WAAW;AAC5B,UAAM,qBAAqB,SAAS,GAAG,WAAW,GAAG,MAAM,KAAK;AAChE,UAAM,UAAU,MAAM,OAAO,KAAK,kBAAkB;AAEpD,UAAM,cAAc,MAAM,QAAQ,WAAW,QAAQ,EAAE,cAAc,QAAQ,CAAQ;AACrF,QAAI,CAAC,aAAa;AACd,YAAM,IAAI,MAAM,gBAAgB;AAAA,IACpC;AAEA,WAAO;AAAA,EACX;AAEA,SAAO;AAAA,IACH;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,YAAY;AAAA,EAChB;AACJ;AAMO,SAAS,eAAe,SAAiB,IAAgB;AAC5D,SAAO,OAAO,gBAAgB,IAAI,WAAW,MAAM,CAAC;AACxD;",
+  "names": []
+}

package/dist/{index.cjs → auth/index.cjs}

@@ -17,28 +17,36 @@ var __copyProps = (to, from, except, desc) => {
 };
 var __reExport = (target, mod, secondTarget) => (__copyProps(target, mod, "default"), secondTarget && __copyProps(secondTarget, mod, "default"));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var index_exports = {};
-__export(index_exports, {
+var auth_exports = {};
+__export(auth_exports, {
   GitHub: () => import_providers.GitHub,
   Google: () => import_providers.Google,
   createAuth: () => import_core.createAuth,
+  createDrizzleAdapter: () => import_drizzle.createDrizzleAdapter,
   createMemoryAdapter: () => import_memory.createMemoryAdapter,
   createMongoAdapter: () => import_mongoose.createMongoAdapter,
+  createPrismaAdapter: () => import_prisma.createPrismaAdapter,
+  createRateLimitModel: () => import_mongoose.createRateLimitModel,
   generateSecret: () => import_core.generateSecret
 });
-module.exports = __toCommonJS(index_exports);
+module.exports = __toCommonJS(auth_exports);
 var import_providers = require("./providers/index.js");
 var import_core = require("./core/index.js");
 var import_memory = require("./adapters/memory.js");
 var import_mongoose = require("./adapters/mongoose.js");
-__reExport(index_exports, require("./security/index.js"), module.exports);
+var import_prisma = require("./adapters/prisma.js");
+var import_drizzle = require("./adapters/drizzle.js");
+__reExport(auth_exports, require("./security/index.js"), module.exports);
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   GitHub,
   Google,
   createAuth,
+  createDrizzleAdapter,
   createMemoryAdapter,
   createMongoAdapter,
+  createPrismaAdapter,
+  createRateLimitModel,
   generateSecret,
   ...require("./security/index.js")
 });

package/dist/auth/index.cjs.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../src/auth/index.ts"],
+  "sourcesContent": ["export type { AuthAdapter, User, BaseUser } from \"./adapters/index.js\";\r\nexport { GitHub, Google } from \"./providers/index.js\";\r\nexport type { Provider, ProviderConfig } from \"./providers/index.js\";\r\nexport { createAuth, generateSecret } from \"./core/index.js\";\r\nexport type { CreateAuthOptions } from \"./core/index.js\";\r\nexport { createMemoryAdapter } from \"./adapters/memory.js\";\r\nexport { createMongoAdapter, createRateLimitModel } from \"./adapters/mongoose.js\";\r\nexport { createPrismaAdapter } from \"./adapters/prisma.js\";\r\nexport { createDrizzleAdapter } from \"./adapters/drizzle.js\";\r\nexport * from \"./security/index.js\";\r\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACA,uBAA+B;AAE/B,kBAA2C;AAE3C,oBAAoC;AACpC,sBAAyD;AACzD,oBAAoC;AACpC,qBAAqC;AACrC,yBAAc,gCATd;",
+  "names": []
+}

package/dist/{index.js → auth/index.js}

@@ -1,14 +1,19 @@
 import { GitHub, Google } from "./providers/index.js";
 import { createAuth, generateSecret } from "./core/index.js";
 import { createMemoryAdapter } from "./adapters/memory.js";
-import { createMongoAdapter } from "./adapters/mongoose.js";
+import { createMongoAdapter, createRateLimitModel } from "./adapters/mongoose.js";
+import { createPrismaAdapter } from "./adapters/prisma.js";
+import { createDrizzleAdapter } from "./adapters/drizzle.js";
 export * from "./security/index.js";
 export {
   GitHub,
   Google,
   createAuth,
+  createDrizzleAdapter,
   createMemoryAdapter,
   createMongoAdapter,
+  createPrismaAdapter,
+  createRateLimitModel,
   generateSecret
 };
 //# sourceMappingURL=index.js.map

package/dist/auth/index.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../src/auth/index.ts"],
+  "sourcesContent": ["export type { AuthAdapter, User, BaseUser } from \"./adapters/index.js\";\r\nexport { GitHub, Google } from \"./providers/index.js\";\r\nexport type { Provider, ProviderConfig } from \"./providers/index.js\";\r\nexport { createAuth, generateSecret } from \"./core/index.js\";\r\nexport type { CreateAuthOptions } from \"./core/index.js\";\r\nexport { createMemoryAdapter } from \"./adapters/memory.js\";\r\nexport { createMongoAdapter, createRateLimitModel } from \"./adapters/mongoose.js\";\r\nexport { createPrismaAdapter } from \"./adapters/prisma.js\";\r\nexport { createDrizzleAdapter } from \"./adapters/drizzle.js\";\r\nexport * from \"./security/index.js\";\r\n"],
+  "mappings": "AACA,SAAS,QAAQ,cAAc;AAE/B,SAAS,YAAY,sBAAsB;AAE3C,SAAS,2BAA2B;AACpC,SAAS,oBAAoB,4BAA4B;AACzD,SAAS,2BAA2B;AACpC,SAAS,4BAA4B;AACrC,cAAc;",
+  "names": []
+}

package/dist/auth/providers/index.cjs.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/auth/providers/index.ts"],
+  "sourcesContent": ["import { GitHub as ArcticGitHub, Google as ArcticGoogle } from \"arctic\";\r\n\r\nexport interface ProviderConfig {\r\n    clientId: string;\r\n    clientSecret: string;\r\n    redirectURI?: string;\r\n}\r\n\r\nexport interface Provider {\r\n    id: string;\r\n    handler: any; // `arctic` provider instance\r\n}\r\n\r\nexport function GitHub(config: ProviderConfig): Provider {\r\n    return {\r\n        id: \"github\",\r\n        handler: new ArcticGitHub(config.clientId, config.clientSecret, null),\r\n    };\r\n}\r\n\r\nexport function Google(config: ProviderConfig): Provider {\r\n    if (!config.redirectURI) {\r\n        throw new Error(\"redirectURI is required for Google OAuth provider\");\r\n    }\r\n    return {\r\n        id: \"google\",\r\n        handler: new ArcticGoogle(\r\n            config.clientId,\r\n            config.clientSecret,\r\n            config.redirectURI\r\n        ),\r\n    };\r\n}\r\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,oBAA+D;AAaxD,SAAS,OAAO,QAAkC;AACrD,SAAO;AAAA,IACH,IAAI;AAAA,IACJ,SAAS,IAAI,cAAAA,OAAa,OAAO,UAAU,OAAO,cAAc,IAAI;AAAA,EACxE;AACJ;AAEO,SAAS,OAAO,QAAkC;AACrD,MAAI,CAAC,OAAO,aAAa;AACrB,UAAM,IAAI,MAAM,mDAAmD;AAAA,EACvE;AACA,SAAO;AAAA,IACH,IAAI;AAAA,IACJ,SAAS,IAAI,cAAAC;AAAA,MACT,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,IACX;AAAA,EACJ;AACJ;",
+  "names": ["ArcticGitHub", "ArcticGoogle"]
+}

package/dist/auth/providers/index.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/auth/providers/index.ts"],
+  "sourcesContent": ["import { GitHub as ArcticGitHub, Google as ArcticGoogle } from \"arctic\";\r\n\r\nexport interface ProviderConfig {\r\n    clientId: string;\r\n    clientSecret: string;\r\n    redirectURI?: string;\r\n}\r\n\r\nexport interface Provider {\r\n    id: string;\r\n    handler: any; // `arctic` provider instance\r\n}\r\n\r\nexport function GitHub(config: ProviderConfig): Provider {\r\n    return {\r\n        id: \"github\",\r\n        handler: new ArcticGitHub(config.clientId, config.clientSecret, null),\r\n    };\r\n}\r\n\r\nexport function Google(config: ProviderConfig): Provider {\r\n    if (!config.redirectURI) {\r\n        throw new Error(\"redirectURI is required for Google OAuth provider\");\r\n    }\r\n    return {\r\n        id: \"google\",\r\n        handler: new ArcticGoogle(\r\n            config.clientId,\r\n            config.clientSecret,\r\n            config.redirectURI\r\n        ),\r\n    };\r\n}\r\n"],
+  "mappings": "AAAA,SAAS,UAAU,cAAc,UAAU,oBAAoB;AAaxD,SAAS,OAAO,QAAkC;AACrD,SAAO;AAAA,IACH,IAAI;AAAA,IACJ,SAAS,IAAI,aAAa,OAAO,UAAU,OAAO,cAAc,IAAI;AAAA,EACxE;AACJ;AAEO,SAAS,OAAO,QAAkC;AACrD,MAAI,CAAC,OAAO,aAAa;AACrB,UAAM,IAAI,MAAM,mDAAmD;AAAA,EACvE;AACA,SAAO;AAAA,IACH,IAAI;AAAA,IACJ,SAAS,IAAI;AAAA,MACT,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,IACX;AAAA,EACJ;AACJ;",
+  "names": []
+}

package/dist/{security → auth/security}/index.cjs

@@ -17,6 +17,7 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __reExport = (target, mod, secondTarget) => (__copyProps(target, mod, "default"), secondTarget && __copyProps(secondTarget, mod, "default"));
 var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
   // If the importer is in node compatibility mode or this is not an ESM
   // file that has been converted to a CommonJS file using a Babel-
@@ -33,23 +34,23 @@ __export(security_exports, {
 });
 module.exports = __toCommonJS(security_exports);
 var import_crypto = __toESM(require("crypto"), 1);
+__reExport(security_exports, require("./rate-limit.js"), module.exports);
 function generateCsrfToken() {
   return import_crypto.default.randomBytes(32).toString("hex");
 }
 function verifyCsrf(tokenInRequest, tokenInCookie) {
   if (!tokenInRequest || !tokenInCookie) return false;
-  try {
-    return import_crypto.default.timingSafeEqual(
-      Buffer.from(tokenInRequest),
-      Buffer.from(tokenInCookie)
-    );
-  } catch {
-    return false;
-  }
+  const isValid = /^[a-f0-9]{64}$/i.test(tokenInRequest) && /^[a-f0-9]{64}$/i.test(tokenInCookie);
+  if (!isValid) return false;
+  const bufA = Buffer.from(tokenInRequest, "hex");
+  const bufB = Buffer.from(tokenInCookie, "hex");
+  if (bufA.length !== bufB.length) return false;
+  return import_crypto.default.timingSafeEqual(bufA, bufB);
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   generateCsrfToken,
-  verifyCsrf
+  verifyCsrf,
+  ...require("./rate-limit.js")
 });
 //# sourceMappingURL=index.cjs.map

package/dist/auth/security/index.cjs.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/auth/security/index.ts"],
+  "sourcesContent": ["import crypto from \"crypto\";\r\n\r\n/**\r\n * Generates a stateless CSRF token using the double-submit cookie pattern.\r\n * This is recommended for Express/Kroxt setups using cookies for sessions.\r\n */\r\nexport function generateCsrfToken(): string {\r\n    return crypto.randomBytes(32).toString(\"hex\");\r\n}\r\n\r\n/**\r\n * Simple middleware-ready check for CSRF tokens.\r\n * Matches a token from the request body/headers against a cookie.\r\n */\r\nexport function verifyCsrf(tokenInRequest: string, tokenInCookie: string): boolean {\r\n    if (!tokenInRequest || !tokenInCookie) return false;\r\n\r\n    const isValid =\r\n        /^[a-f0-9]{64}$/i.test(tokenInRequest) &&\r\n        /^[a-f0-9]{64}$/i.test(tokenInCookie);\r\n\r\n    if (!isValid) return false;\r\n\r\n    const bufA = Buffer.from(tokenInRequest, \"hex\");\r\n    const bufB = Buffer.from(tokenInCookie, \"hex\");\r\n\r\n    if (bufA.length !== bufB.length) return false;\r\n\r\n    return crypto.timingSafeEqual(bufA, bufB);\r\n}\r\n\r\n/**\r\n * Security Recommendations for Kroxt:\r\n * 1. Always set cookies with: httpOnly: true, secure: true, sameSite: 'strict'\r\n * 2. Use a 'pepper' in createAuth to protect hashes.\r\n * 3. Implement rate limiting on /login and /register endpoints.\r\n */\r\n\r\nexport * from \"./rate-limit.js\";\r\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,oBAAmB;AAsCnB,6BAAc,4BAtCd;AAMO,SAAS,oBAA4B;AACxC,SAAO,cAAAA,QAAO,YAAY,EAAE,EAAE,SAAS,KAAK;AAChD;AAMO,SAAS,WAAW,gBAAwB,eAAgC;AAC/E,MAAI,CAAC,kBAAkB,CAAC,cAAe,QAAO;AAE9C,QAAM,UACF,kBAAkB,KAAK,cAAc,KACrC,kBAAkB,KAAK,aAAa;AAExC,MAAI,CAAC,QAAS,QAAO;AAErB,QAAM,OAAO,OAAO,KAAK,gBAAgB,KAAK;AAC9C,QAAM,OAAO,OAAO,KAAK,eAAe,KAAK;AAE7C,MAAI,KAAK,WAAW,KAAK,OAAQ,QAAO;AAExC,SAAO,cAAAA,QAAO,gBAAgB,MAAM,IAAI;AAC5C;",
+  "names": ["crypto"]
+}

package/dist/auth/security/index.js

@@ -0,0 +1,19 @@
+import crypto from "crypto";
+function generateCsrfToken() {
+  return crypto.randomBytes(32).toString("hex");
+}
+function verifyCsrf(tokenInRequest, tokenInCookie) {
+  if (!tokenInRequest || !tokenInCookie) return false;
+  const isValid = /^[a-f0-9]{64}$/i.test(tokenInRequest) && /^[a-f0-9]{64}$/i.test(tokenInCookie);
+  if (!isValid) return false;
+  const bufA = Buffer.from(tokenInRequest, "hex");
+  const bufB = Buffer.from(tokenInCookie, "hex");
+  if (bufA.length !== bufB.length) return false;
+  return crypto.timingSafeEqual(bufA, bufB);
+}
+export * from "./rate-limit.js";
+export {
+  generateCsrfToken,
+  verifyCsrf
+};
+//# sourceMappingURL=index.js.map

package/dist/auth/security/index.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/auth/security/index.ts"],
+  "sourcesContent": ["import crypto from \"crypto\";\r\n\r\n/**\r\n * Generates a stateless CSRF token using the double-submit cookie pattern.\r\n * This is recommended for Express/Kroxt setups using cookies for sessions.\r\n */\r\nexport function generateCsrfToken(): string {\r\n    return crypto.randomBytes(32).toString(\"hex\");\r\n}\r\n\r\n/**\r\n * Simple middleware-ready check for CSRF tokens.\r\n * Matches a token from the request body/headers against a cookie.\r\n */\r\nexport function verifyCsrf(tokenInRequest: string, tokenInCookie: string): boolean {\r\n    if (!tokenInRequest || !tokenInCookie) return false;\r\n\r\n    const isValid =\r\n        /^[a-f0-9]{64}$/i.test(tokenInRequest) &&\r\n        /^[a-f0-9]{64}$/i.test(tokenInCookie);\r\n\r\n    if (!isValid) return false;\r\n\r\n    const bufA = Buffer.from(tokenInRequest, \"hex\");\r\n    const bufB = Buffer.from(tokenInCookie, \"hex\");\r\n\r\n    if (bufA.length !== bufB.length) return false;\r\n\r\n    return crypto.timingSafeEqual(bufA, bufB);\r\n}\r\n\r\n/**\r\n * Security Recommendations for Kroxt:\r\n * 1. Always set cookies with: httpOnly: true, secure: true, sameSite: 'strict'\r\n * 2. Use a 'pepper' in createAuth to protect hashes.\r\n * 3. Implement rate limiting on /login and /register endpoints.\r\n */\r\n\r\nexport * from \"./rate-limit.js\";\r\n"],
+  "mappings": "AAAA,OAAO,YAAY;AAMZ,SAAS,oBAA4B;AACxC,SAAO,OAAO,YAAY,EAAE,EAAE,SAAS,KAAK;AAChD;AAMO,SAAS,WAAW,gBAAwB,eAAgC;AAC/E,MAAI,CAAC,kBAAkB,CAAC,cAAe,QAAO;AAE9C,QAAM,UACF,kBAAkB,KAAK,cAAc,KACrC,kBAAkB,KAAK,aAAa;AAExC,MAAI,CAAC,QAAS,QAAO;AAErB,QAAM,OAAO,OAAO,KAAK,gBAAgB,KAAK;AAC9C,QAAM,OAAO,OAAO,KAAK,eAAe,KAAK;AAE7C,MAAI,KAAK,WAAW,KAAK,OAAQ,QAAO;AAExC,SAAO,OAAO,gBAAgB,MAAM,IAAI;AAC5C;AASA,cAAc;",
+  "names": []
+}

package/dist/auth/security/rate-limit.cjs

@@ -0,0 +1,82 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var rate_limit_exports = {};
+__export(rate_limit_exports, {
+  MemoryRateLimitStore: () => MemoryRateLimitStore,
+  createRateLimiter: () => createRateLimiter
+});
+module.exports = __toCommonJS(rate_limit_exports);
+class MemoryRateLimitStore {
+  hits = /* @__PURE__ */ new Map();
+  async increment(key, windowMs) {
+    const now = Date.now();
+    const record = this.hits.get(key);
+    if (!record || now > record.resetTime) {
+      const newRecord = { count: 1, resetTime: now + windowMs };
+      this.hits.set(key, newRecord);
+      return newRecord;
+    }
+    record.count += 1;
+    return record;
+  }
+  async getRateLimit(key) {
+    const now = Date.now();
+    const record = this.hits.get(key);
+    if (!record || now > record.resetTime) return null;
+    return record;
+  }
+}
+function createRateLimiter(adapter, options) {
+  if (!options) return null;
+  const memoryFallback = new MemoryRateLimitStore();
+  let hasWarned = false;
+  return {
+    async increment(key, overrideWindowMs) {
+      let result;
+      const windowMs = overrideWindowMs || options.windowMs;
+      if (adapter.incrementRateLimit) {
+        result = await adapter.incrementRateLimit(key, windowMs);
+      } else {
+        if (!hasWarned && process.env.NODE_ENV !== "production") {
+          console.warn("[Kroxt] Warning: AuthAdapter does not implement incrementRateLimit. Falling back to in-memory rate limiter. This is not recommended for serverless or multi-instance deployments.");
+          hasWarned = true;
+        }
+        result = await memoryFallback.increment(key, windowMs);
+      }
+      return {
+        success: result.count <= options.max,
+        limit: options.max,
+        remaining: Math.max(0, options.max - result.count),
+        reset: result.resetTime
+      };
+    },
+    async check(key) {
+      if (adapter.getRateLimit) {
+        return await adapter.getRateLimit(key);
+      }
+      return memoryFallback.getRateLimit(key);
+    }
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  MemoryRateLimitStore,
+  createRateLimiter
+});
+//# sourceMappingURL=rate-limit.cjs.map

package/dist/auth/security/rate-limit.cjs.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/auth/security/rate-limit.ts"],
+  "sourcesContent": ["import type { AuthAdapter } from \"../adapters/index.js\";\r\n\r\nexport interface RateLimitOptions {\r\n    windowMs: number;\r\n    max: number;\r\n}\r\n\r\nexport interface RateLimitResult {\r\n    success: boolean;\r\n    limit: number;\r\n    remaining: number;\r\n    reset: number;\r\n}\r\n\r\n/**\r\n * A zero-dependency in-memory store for rate limiting.\r\n * Used as a fallback if the provided AuthAdapter does not\r\n * implement `incrementRateLimit`.\r\n */\r\nexport class MemoryRateLimitStore {\r\n    private hits = new Map<string, { count: number; resetTime: number }>();\r\n\r\n    async increment(key: string, windowMs: number): Promise<{ count: number; resetTime: number }> {\r\n        const now = Date.now();\r\n        const record = this.hits.get(key);\r\n\r\n        if (!record || now > record.resetTime) {\r\n            const newRecord = { count: 1, resetTime: now + windowMs };\r\n            this.hits.set(key, newRecord);\r\n            return newRecord;\r\n        }\r\n\r\n        record.count += 1;\r\n        return record;\r\n    }\r\n\r\n    async getRateLimit(key: string): Promise<{ count: number; resetTime: number } | null> {\r\n        const now = Date.now();\r\n        const record = this.hits.get(key);\r\n        if (!record || now > record.resetTime) return null;\r\n        return record;\r\n    }\r\n}\r\n\r\n/**\r\n * Creates a rate limiter function that uses the Database Adapter\r\n * for state tracking (if supported), or falls back to Memory.\r\n */\r\nexport function createRateLimiter(adapter: AuthAdapter<any>, options?: RateLimitOptions) {\r\n    if (!options) return null;\r\n\r\n    const memoryFallback = new MemoryRateLimitStore();\r\n    let hasWarned = false;\r\n\r\n    return {\r\n        async increment(key: string, overrideWindowMs?: number): Promise<RateLimitResult> {\r\n            let result;\r\n            const windowMs = overrideWindowMs || options.windowMs;\r\n\r\n            if (adapter.incrementRateLimit) {\r\n                result = await adapter.incrementRateLimit(key, windowMs);\r\n            } else {\r\n                if (!hasWarned && process.env.NODE_ENV !== \"production\") {\r\n                    console.warn(\"[Kroxt] Warning: AuthAdapter does not implement incrementRateLimit. Falling back to in-memory rate limiter. This is not recommended for serverless or multi-instance deployments.\");\r\n                    hasWarned = true;\r\n                }\r\n                result = await memoryFallback.increment(key, windowMs);\r\n            }\r\n\r\n            return {\r\n                success: result.count <= options.max,\r\n                limit: options.max,\r\n                remaining: Math.max(0, options.max - result.count),\r\n                reset: result.resetTime,\r\n            };\r\n        },\r\n\r\n        async check(key: string): Promise<{ count: number; resetTime: number } | null> {\r\n            if (adapter.getRateLimit) {\r\n                return await adapter.getRateLimit(key);\r\n            }\r\n            return memoryFallback.getRateLimit(key);\r\n        }\r\n    };\r\n}\r\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAmBO,MAAM,qBAAqB;AAAA,EACtB,OAAO,oBAAI,IAAkD;AAAA,EAErE,MAAM,UAAU,KAAa,UAAiE;AAC1F,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,SAAS,KAAK,KAAK,IAAI,GAAG;AAEhC,QAAI,CAAC,UAAU,MAAM,OAAO,WAAW;AACnC,YAAM,YAAY,EAAE,OAAO,GAAG,WAAW,MAAM,SAAS;AACxD,WAAK,KAAK,IAAI,KAAK,SAAS;AAC5B,aAAO;AAAA,IACX;AAEA,WAAO,SAAS;AAChB,WAAO;AAAA,EACX;AAAA,EAEA,MAAM,aAAa,KAAmE;AAClF,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,SAAS,KAAK,KAAK,IAAI,GAAG;AAChC,QAAI,CAAC,UAAU,MAAM,OAAO,UAAW,QAAO;AAC9C,WAAO;AAAA,EACX;AACJ;AAMO,SAAS,kBAAkB,SAA2B,SAA4B;AACrF,MAAI,CAAC,QAAS,QAAO;AAErB,QAAM,iBAAiB,IAAI,qBAAqB;AAChD,MAAI,YAAY;AAEhB,SAAO;AAAA,IACH,MAAM,UAAU,KAAa,kBAAqD;AAC9E,UAAI;AACJ,YAAM,WAAW,oBAAoB,QAAQ;AAE7C,UAAI,QAAQ,oBAAoB;AAC5B,iBAAS,MAAM,QAAQ,mBAAmB,KAAK,QAAQ;AAAA,MAC3D,OAAO;AACH,YAAI,CAAC,aAAa,QAAQ,IAAI,aAAa,cAAc;AACrD,kBAAQ,KAAK,mLAAmL;AAChM,sBAAY;AAAA,QAChB;AACA,iBAAS,MAAM,eAAe,UAAU,KAAK,QAAQ;AAAA,MACzD;AAEA,aAAO;AAAA,QACH,SAAS,OAAO,SAAS,QAAQ;AAAA,QACjC,OAAO,QAAQ;AAAA,QACf,WAAW,KAAK,IAAI,GAAG,QAAQ,MAAM,OAAO,KAAK;AAAA,QACjD,OAAO,OAAO;AAAA,MAClB;AAAA,IACJ;AAAA,IAEA,MAAM,MAAM,KAAmE;AAC3E,UAAI,QAAQ,cAAc;AACtB,eAAO,MAAM,QAAQ,aAAa,GAAG;AAAA,MACzC;AACA,aAAO,eAAe,aAAa,GAAG;AAAA,IAC1C;AAAA,EACJ;AACJ;",
+  "names": []
+}

package/dist/auth/security/rate-limit.js

@@ -0,0 +1,57 @@
+class MemoryRateLimitStore {
+  hits = /* @__PURE__ */ new Map();
+  async increment(key, windowMs) {
+    const now = Date.now();
+    const record = this.hits.get(key);
+    if (!record || now > record.resetTime) {
+      const newRecord = { count: 1, resetTime: now + windowMs };
+      this.hits.set(key, newRecord);
+      return newRecord;
+    }
+    record.count += 1;
+    return record;
+  }
+  async getRateLimit(key) {
+    const now = Date.now();
+    const record = this.hits.get(key);
+    if (!record || now > record.resetTime) return null;
+    return record;
+  }
+}
+function createRateLimiter(adapter, options) {
+  if (!options) return null;
+  const memoryFallback = new MemoryRateLimitStore();
+  let hasWarned = false;
+  return {
+    async increment(key, overrideWindowMs) {
+      let result;
+      const windowMs = overrideWindowMs || options.windowMs;
+      if (adapter.incrementRateLimit) {
+        result = await adapter.incrementRateLimit(key, windowMs);
+      } else {
+        if (!hasWarned && process.env.NODE_ENV !== "production") {
+          console.warn("[Kroxt] Warning: AuthAdapter does not implement incrementRateLimit. Falling back to in-memory rate limiter. This is not recommended for serverless or multi-instance deployments.");
+          hasWarned = true;
+        }
+        result = await memoryFallback.increment(key, windowMs);
+      }
+      return {
+        success: result.count <= options.max,
+        limit: options.max,
+        remaining: Math.max(0, options.max - result.count),
+        reset: result.resetTime
+      };
+    },
+    async check(key) {
+      if (adapter.getRateLimit) {
+        return await adapter.getRateLimit(key);
+      }
+      return memoryFallback.getRateLimit(key);
+    }
+  };
+}
+export {
+  MemoryRateLimitStore,
+  createRateLimiter
+};
+//# sourceMappingURL=rate-limit.js.map

package/dist/auth/security/rate-limit.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/auth/security/rate-limit.ts"],
+  "sourcesContent": ["import type { AuthAdapter } from \"../adapters/index.js\";\r\n\r\nexport interface RateLimitOptions {\r\n    windowMs: number;\r\n    max: number;\r\n}\r\n\r\nexport interface RateLimitResult {\r\n    success: boolean;\r\n    limit: number;\r\n    remaining: number;\r\n    reset: number;\r\n}\r\n\r\n/**\r\n * A zero-dependency in-memory store for rate limiting.\r\n * Used as a fallback if the provided AuthAdapter does not\r\n * implement `incrementRateLimit`.\r\n */\r\nexport class MemoryRateLimitStore {\r\n    private hits = new Map<string, { count: number; resetTime: number }>();\r\n\r\n    async increment(key: string, windowMs: number): Promise<{ count: number; resetTime: number }> {\r\n        const now = Date.now();\r\n        const record = this.hits.get(key);\r\n\r\n        if (!record || now > record.resetTime) {\r\n            const newRecord = { count: 1, resetTime: now + windowMs };\r\n            this.hits.set(key, newRecord);\r\n            return newRecord;\r\n        }\r\n\r\n        record.count += 1;\r\n        return record;\r\n    }\r\n\r\n    async getRateLimit(key: string): Promise<{ count: number; resetTime: number } | null> {\r\n        const now = Date.now();\r\n        const record = this.hits.get(key);\r\n        if (!record || now > record.resetTime) return null;\r\n        return record;\r\n    }\r\n}\r\n\r\n/**\r\n * Creates a rate limiter function that uses the Database Adapter\r\n * for state tracking (if supported), or falls back to Memory.\r\n */\r\nexport function createRateLimiter(adapter: AuthAdapter<any>, options?: RateLimitOptions) {\r\n    if (!options) return null;\r\n\r\n    const memoryFallback = new MemoryRateLimitStore();\r\n    let hasWarned = false;\r\n\r\n    return {\r\n        async increment(key: string, overrideWindowMs?: number): Promise<RateLimitResult> {\r\n            let result;\r\n            const windowMs = overrideWindowMs || options.windowMs;\r\n\r\n            if (adapter.incrementRateLimit) {\r\n                result = await adapter.incrementRateLimit(key, windowMs);\r\n            } else {\r\n                if (!hasWarned && process.env.NODE_ENV !== \"production\") {\r\n                    console.warn(\"[Kroxt] Warning: AuthAdapter does not implement incrementRateLimit. Falling back to in-memory rate limiter. This is not recommended for serverless or multi-instance deployments.\");\r\n                    hasWarned = true;\r\n                }\r\n                result = await memoryFallback.increment(key, windowMs);\r\n            }\r\n\r\n            return {\r\n                success: result.count <= options.max,\r\n                limit: options.max,\r\n                remaining: Math.max(0, options.max - result.count),\r\n                reset: result.resetTime,\r\n            };\r\n        },\r\n\r\n        async check(key: string): Promise<{ count: number; resetTime: number } | null> {\r\n            if (adapter.getRateLimit) {\r\n                return await adapter.getRateLimit(key);\r\n            }\r\n            return memoryFallback.getRateLimit(key);\r\n        }\r\n    };\r\n}\r\n"],
+  "mappings": "AAmBO,MAAM,qBAAqB;AAAA,EACtB,OAAO,oBAAI,IAAkD;AAAA,EAErE,MAAM,UAAU,KAAa,UAAiE;AAC1F,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,SAAS,KAAK,KAAK,IAAI,GAAG;AAEhC,QAAI,CAAC,UAAU,MAAM,OAAO,WAAW;AACnC,YAAM,YAAY,EAAE,OAAO,GAAG,WAAW,MAAM,SAAS;AACxD,WAAK,KAAK,IAAI,KAAK,SAAS;AAC5B,aAAO;AAAA,IACX;AAEA,WAAO,SAAS;AAChB,WAAO;AAAA,EACX;AAAA,EAEA,MAAM,aAAa,KAAmE;AAClF,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,SAAS,KAAK,KAAK,IAAI,GAAG;AAChC,QAAI,CAAC,UAAU,MAAM,OAAO,UAAW,QAAO;AAC9C,WAAO;AAAA,EACX;AACJ;AAMO,SAAS,kBAAkB,SAA2B,SAA4B;AACrF,MAAI,CAAC,QAAS,QAAO;AAErB,QAAM,iBAAiB,IAAI,qBAAqB;AAChD,MAAI,YAAY;AAEhB,SAAO;AAAA,IACH,MAAM,UAAU,KAAa,kBAAqD;AAC9E,UAAI;AACJ,YAAM,WAAW,oBAAoB,QAAQ;AAE7C,UAAI,QAAQ,oBAAoB;AAC5B,iBAAS,MAAM,QAAQ,mBAAmB,KAAK,QAAQ;AAAA,MAC3D,OAAO;AACH,YAAI,CAAC,aAAa,QAAQ,IAAI,aAAa,cAAc;AACrD,kBAAQ,KAAK,mLAAmL;AAChM,sBAAY;AAAA,QAChB;AACA,iBAAS,MAAM,eAAe,UAAU,KAAK,QAAQ;AAAA,MACzD;AAEA,aAAO;AAAA,QACH,SAAS,OAAO,SAAS,QAAQ;AAAA,QACjC,OAAO,QAAQ;AAAA,QACf,WAAW,KAAK,IAAI,GAAG,QAAQ,MAAM,OAAO,KAAK;AAAA,QACjD,OAAO,OAAO;AAAA,MAClB;AAAA,IACJ;AAAA,IAEA,MAAM,MAAM,KAAmE;AAC3E,UAAI,QAAQ,cAAc;AACtB,eAAO,MAAM,QAAQ,aAAa,GAAG;AAAA,MACzC;AACA,aAAO,eAAe,aAAa,GAAG;AAAA,IAC1C;AAAA,EACJ;AACJ;",
+  "names": []
+}