modelence 0.8.0 → 0.9.0-dev.0

package/dist/auth/resetPassword.js

@@ -0,0 +1,108 @@
+import { z } from 'zod';
+import { randomBytes } from 'crypto';
+import { usersCollection, resetPasswordTokensCollection } from './db';
+import { getEmailConfig } from '../app/emailConfig';
+import { time } from '../time';
+import { htmlToText } from '../utils';
+import { validateEmail, validatePassword } from './validators';
+import { hashPassword } from './password';
+function resolveUrl(baseUrl, configuredUrl) {
+    if (!configuredUrl) {
+        return baseUrl;
+    }
+    if (configuredUrl.startsWith('http://') || configuredUrl.startsWith('https://')) {
+        return configuredUrl;
+    }
+    // Handle relative URL
+    return `${baseUrl}${configuredUrl.startsWith('/') ? '' : '/'}${configuredUrl}`;
+}
+function defaultPasswordResetTemplate({ email, resetUrl }) {
+    return `
+    <p>Hi,</p>
+    <p>We received a request to reset your password for ${email}.</p>
+    <p>Click the link below to reset your password:</p>
+    <p><a href="${resetUrl}">${resetUrl}</a></p>
+    <p>This link will expire in 1 hour.</p>
+    <p>If you did not request this password reset, please ignore this email.</p>
+  `;
+}
+const passwordResetSent = {
+    success: true,
+    message: 'If an account with that email exists, a password reset link has been sent',
+};
+export async function handleSendResetPasswordToken(args, { connectionInfo }) {
+    const email = validateEmail(args.email);
+    // Find user by email
+    const userDoc = await usersCollection.findOne({ 'emails.address': email, status: { $nin: ['deleted', 'disabled'] } }, { collation: { locale: 'en', strength: 2 } });
+    if (!userDoc) {
+        // For security, don't reveal if email exists or not
+        return passwordResetSent;
+    }
+    // Check if user has password auth method
+    if (!userDoc.authMethods?.password) {
+        return passwordResetSent;
+    }
+    const emailProvider = getEmailConfig().provider;
+    if (!emailProvider) {
+        throw new Error('Email provider is not configured');
+    }
+    // Generate reset token
+    const resetToken = randomBytes(32).toString('hex');
+    const now = Date.now();
+    const createdAt = new Date(now);
+    const expiresAt = new Date(now + time.hours(1)); // 1 hour expiry
+    // Store reset token
+    await resetPasswordTokensCollection.insertOne({
+        userId: userDoc._id,
+        token: resetToken,
+        createdAt,
+        expiresAt,
+    });
+    // Build reset URL
+    const baseUrl = process.env.MODELENCE_SITE_URL || connectionInfo?.baseUrl;
+    const resetPasswordUrl = resolveUrl(baseUrl, getEmailConfig().passwordReset?.redirectUrl);
+    const resetUrl = `${resetPasswordUrl}?token=${resetToken}`;
+    // Send email
+    const template = getEmailConfig()?.passwordReset?.template || defaultPasswordResetTemplate;
+    const htmlTemplate = template({ email, resetUrl, name: '' });
+    const textContent = htmlToText(htmlTemplate);
+    await emailProvider.sendEmail({
+        to: email,
+        from: getEmailConfig()?.from || 'noreply@modelence.com',
+        subject: getEmailConfig()?.passwordReset?.subject || 'Reset your password',
+        text: textContent,
+        html: htmlTemplate,
+    });
+    return passwordResetSent;
+}
+export async function handleResetPassword(args, {}) {
+    const token = z.string().parse(args.token);
+    const password = validatePassword(args.password);
+    // Find the reset token
+    const resetTokenDoc = await resetPasswordTokensCollection.findOne({ token });
+    if (!resetTokenDoc) {
+        throw new Error('Invalid or expired reset token');
+    }
+    // Check if token is expired
+    if (resetTokenDoc.expiresAt < new Date()) {
+        await resetPasswordTokensCollection.deleteOne({ token });
+        throw new Error('Reset token has expired');
+    }
+    // Find the user
+    const userDoc = await usersCollection.findOne({ _id: resetTokenDoc.userId });
+    if (!userDoc) {
+        throw new Error('User not found');
+    }
+    // Hash the new password
+    const hash = await hashPassword(password);
+    // Update user's password
+    await usersCollection.updateOne({ _id: userDoc._id }, {
+        $set: {
+            'authMethods.password.hash': hash,
+        },
+    });
+    // Delete the used reset token
+    await resetPasswordTokensCollection.deleteOne({ token });
+    return { success: true, message: 'Password has been reset successfully' };
+}
+//# sourceMappingURL=resetPassword.js.map

package/dist/auth/resetPassword.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resetPassword.js","sourceRoot":"","sources":["../../src/auth/resetPassword.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AAGrC,OAAO,EAAE,eAAe,EAAE,6BAA6B,EAAE,MAAM,MAAM,CAAC;AACtE,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EAAE,IAAI,EAAE,MAAM,QAAQ,CAAC;AAC9B,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE1C,SAAS,UAAU,CAAC,OAAe,EAAE,aAAsB;IACzD,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,IAAI,aAAa,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,aAAa,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAChF,OAAO,aAAa,CAAC;IACvB,CAAC;IAED,sBAAsB;IACtB,OAAO,GAAG,OAAO,GAAG,aAAa,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,GAAG,aAAa,EAAE,CAAC;AACjF,CAAC;AAED,SAAS,4BAA4B,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAuC;IAC5F,OAAO;;0DAEiD,KAAK;;kBAE7C,QAAQ,KAAK,QAAQ;;;GAGpC,CAAC;AACJ,CAAC;AAED,MAAM,iBAAiB,GAAG;IACxB,OAAO,EAAE,IAAI;IACb,OAAO,EAAE,2EAA2E;CACrF,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAAC,IAAU,EAAE,EAAE,cAAc,EAAW;IACxF,MAAM,KAAK,GAAG,aAAa,CAAC,IAAI,CAAC,KAAe,CAAC,CAAC;IAElD,qBAAqB;IACrB,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,OAAO,CAC3C,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,CAAC,SAAS,EAAE,UAAU,CAAC,EAAE,EAAE,EACtE,EAAE,SAAS,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,EAAE,EAAE,CAC7C,CAAC;IAEF,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,oDAAoD;QACpD,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IAED,yCAAyC;IACzC,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,QAAQ,EAAE,CAAC;QACnC,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IAED,MAAM,aAAa,GAAG,cAAc,EAAE,CAAC,QAAQ,CAAC;IAChD,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IAED,uBAAuB;IACvB,MAAM,UAAU,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IACnD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC;IAChC,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,gBAAgB;IAEjE,oBAAoB;IACpB,MAAM,6BAA6B,CAAC,SAAS,CAAC;QAC5C,MAAM,EAAE,OAAO,CAAC,GAAG;QACnB,KAAK,EAAE,UAAU;QACjB,SAAS;QACT,SAAS;KACV,CAAC,CAAC;IAEH,kBAAkB;IAClB,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,cAAc,EAAE,OAAO,CAAC;IAC1E,MAAM,gBAAgB,GAAG,UAAU,CAAC,OAAQ,EAAE,cAAc,EAAE,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC;IAC3F,MAAM,QAAQ,GAAG,GAAG,gBAAgB,UAAU,UAAU,EAAE,CAAC;IAE3D,aAAa;IACb,MAAM,QAAQ,GAAG,cAAc,EAAE,EAAE,aAAa,EAAE,QAAQ,IAAI,4BAA4B,CAAC;IAC3F,MAAM,YAAY,GAAG,QAAQ,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;IAC7D,MAAM,WAAW,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;IAE7C,MAAM,aAAa,CAAC,SAAS,CAAC;QAC5B,EAAE,EAAE,KAAK;QACT,IAAI,EAAE,cAAc,EAAE,EAAE,IAAI,IAAI,uBAAuB;QACvD,OAAO,EAAE,cAAc,EAAE,EAAE,aAAa,EAAE,OAAO,IAAI,qBAAqB;QAC1E,IAAI,EAAE,WAAW;QACjB,IAAI,EAAE,YAAY;KACnB,CAAC,CAAC;IAEH,OAAO,iBAAiB,CAAC;AAC3B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,IAAU,EAAE,EAAW;IAC/D,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC3C,MAAM,QAAQ,GAAG,gBAAgB,CAAC,IAAI,CAAC,QAAkB,CAAC,CAAC;IAE3D,uBAAuB;IACvB,MAAM,aAAa,GAAG,MAAM,6BAA6B,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;IAC7E,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACpD,CAAC;IAED,4BAA4B;IAC5B,IAAI,aAAa,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;QACzC,MAAM,6BAA6B,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;QACzD,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC7C,CAAC;IAED,gBAAgB;IAChB,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,aAAa,CAAC,MAAM,EAAE,CAAC,CAAC;IAC7E,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;IACpC,CAAC;IAED,wBAAwB;IACxB,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAC;IAE1C,yBAAyB;IACzB,MAAM,eAAe,CAAC,SAAS,CAC7B,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,EACpB;QACE,IAAI,EAAE;YACJ,2BAA2B,EAAE,IAAI;SAClC;KACF,CACF,CAAC;IAEF,8BAA8B;IAC9B,MAAM,6BAA6B,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;IAEzD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,sCAAsC,EAAE,CAAC;AAC5E,CAAC"}

package/dist/auth/role.d.ts

@@ -0,0 +1,8 @@
+import { RoleDefinition, Role, Permission } from './types';
+export declare function initRoles(roles: Record<Role, RoleDefinition>, _defaultRoles: Record<string, Role>): void;
+export declare function getUnauthenticatedRoles(): string[];
+export declare function getDefaultAuthenticatedRoles(): string[];
+export declare function hasAccess(roles: Role[], requiredPermissions: Permission[]): boolean;
+export declare function requireAccess(roles: Role[], requiredPermissions: Permission[]): void;
+export declare function hasPermission(roles: Role[], permission: Permission): boolean;
+//# sourceMappingURL=role.d.ts.map

package/dist/auth/role.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"role.d.ts","sourceRoot":"","sources":["../../src/auth/role.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,IAAI,EAAgB,UAAU,EAAE,MAAM,SAAS,CAAC;AAQzE,wBAAgB,SAAS,CACvB,KAAK,EAAE,MAAM,CAAC,IAAI,EAAE,cAAc,CAAC,EACnC,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,QAQpC;AAED,wBAAgB,uBAAuB,aAEtC;AAED,wBAAgB,4BAA4B,aAE3C;AAED,wBAAgB,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,mBAAmB,EAAE,UAAU,EAAE,WAEzE;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,mBAAmB,EAAE,UAAU,EAAE,QAQ7E;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,UAAU,EAAE,UAAU,WAUlE"}

package/dist/auth/role.js

@@ -0,0 +1,37 @@
+const roleMap = new Map();
+const defaultRoles = {
+    authenticated: null,
+    unauthenticated: null,
+};
+export function initRoles(roles, _defaultRoles) {
+    defaultRoles.authenticated = _defaultRoles.authenticated;
+    defaultRoles.unauthenticated = _defaultRoles.unauthenticated;
+    for (const [name, definition] of Object.entries(roles)) {
+        roleMap.set(name, definition);
+    }
+}
+export function getUnauthenticatedRoles() {
+    return defaultRoles.unauthenticated ? [defaultRoles.unauthenticated] : [];
+}
+export function getDefaultAuthenticatedRoles() {
+    return defaultRoles.authenticated ? [defaultRoles.authenticated] : [];
+}
+export function hasAccess(roles, requiredPermissions) {
+    return requiredPermissions.every((permission) => hasPermission(roles, permission));
+}
+export function requireAccess(roles, requiredPermissions) {
+    const missingPermission = requiredPermissions.find((permission) => !hasPermission(roles, permission));
+    if (missingPermission) {
+        throw new Error(`Access denied - missing permission: '${missingPermission}'`);
+    }
+}
+export function hasPermission(roles, permission) {
+    for (const role of roles) {
+        const definition = roleMap.get(role);
+        if (definition && definition.permissions.includes(permission)) {
+            return true;
+        }
+    }
+    return false;
+}
+//# sourceMappingURL=role.js.map

package/dist/auth/role.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"role.js","sourceRoot":"","sources":["../../src/auth/role.ts"],"names":[],"mappings":"AAEA,MAAM,OAAO,GAAG,IAAI,GAAG,EAAwB,CAAC;AAChD,MAAM,YAAY,GAAiB;IACjC,aAAa,EAAE,IAAI;IACnB,eAAe,EAAE,IAAI;CACtB,CAAC;AAEF,MAAM,UAAU,SAAS,CACvB,KAAmC,EACnC,aAAmC;IAEnC,YAAY,CAAC,aAAa,GAAG,aAAa,CAAC,aAAa,CAAC;IACzD,YAAY,CAAC,eAAe,GAAG,aAAa,CAAC,eAAe,CAAC;IAE7D,KAAK,MAAM,CAAC,IAAI,EAAE,UAAU,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACvD,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;IAChC,CAAC;AACH,CAAC;AAED,MAAM,UAAU,uBAAuB;IACrC,OAAO,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AAC5E,CAAC;AAED,MAAM,UAAU,4BAA4B;IAC1C,OAAO,YAAY,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AACxE,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,KAAa,EAAE,mBAAiC;IACxE,OAAO,mBAAmB,CAAC,KAAK,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,aAAa,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC;AACrF,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAa,EAAE,mBAAiC;IAC5E,MAAM,iBAAiB,GAAG,mBAAmB,CAAC,IAAI,CAChD,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,aAAa,CAAC,KAAK,EAAE,UAAU,CAAC,CAClD,CAAC;IAEF,IAAI,iBAAiB,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,wCAAwC,iBAAiB,GAAG,CAAC,CAAC;IAChF,CAAC;AACH,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAa,EAAE,UAAsB;IACjE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAErC,IAAI,UAAU,IAAI,UAAU,CAAC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9D,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/auth/session.d.ts

@@ -0,0 +1,24 @@
+import { ObjectId } from 'mongodb';
+import { Module } from '../app/module';
+import { Store } from '../data/store';
+import { Session } from './types';
+export declare const sessionsCollection: Store<{
+    authToken: import("zod").ZodString;
+    createdAt: import("zod").ZodDate;
+    expiresAt: import("zod").ZodDate;
+    userId: import("zod").ZodNullable<import("zod").ZodType<ObjectId, import("zod").ZodTypeDef, ObjectId>>;
+}, Record<string, (this: Pick<import("../types").InferDocumentType<{
+    authToken: import("zod").ZodString;
+    createdAt: import("zod").ZodDate;
+    expiresAt: import("zod").ZodDate;
+    userId: import("zod").ZodNullable<import("zod").ZodType<ObjectId, import("zod").ZodTypeDef, ObjectId>>;
+}>, "authToken" | "createdAt" | "expiresAt" | "userId"> & {
+    _id: ObjectId;
+}, ...args: any[]) => any>>;
+export declare function obtainSession(authToken: string | null): Promise<Session>;
+export declare function setSessionUser(authToken: string, userId: ObjectId): Promise<void>;
+export declare function clearSessionUser(authToken: string): Promise<void>;
+export declare function createSession(userId?: ObjectId | null): Promise<Session>;
+declare const _default: Module;
+export default _default;
+//# sourceMappingURL=session.d.ts.map

package/dist/auth/session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../src/auth/session.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACnC,OAAO,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC;AAEvC,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC;AAGtC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAElC,eAAO,MAAM,kBAAkB;;;;;;;;;;;;2BAS7B,CAAC;AAEH,wBAAsB,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,CAY9E;AAED,wBAAsB,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,iBAOvE;AAED,wBAAsB,gBAAgB,CAAC,SAAS,EAAE,MAAM,iBAOvD;AAED,wBAAsB,aAAa,CAAC,MAAM,GAAE,QAAQ,GAAG,IAAW,GAAG,OAAO,CAAC,OAAO,CAAC,CAmBpF;;AAiBD,wBAmBG"}

package/dist/auth/session.js

@@ -0,0 +1,84 @@
+import { randomBytes } from 'crypto';
+import { Module } from '../app/module';
+import { getPublicConfigs } from '../config/server';
+import { Store } from '../data/store';
+import { schema } from '../data/types';
+import { time } from '../time';
+export const sessionsCollection = new Store('_modelenceSessions', {
+    schema: {
+        authToken: schema.string(),
+        createdAt: schema.date(),
+        expiresAt: schema.date(),
+        userId: schema.userId().nullable(),
+    },
+    indexes: [{ key: { authToken: 1 }, unique: true }, { key: { expiresAt: 1 } }],
+    // TODO: add TTL index on expiresAt
+});
+export async function obtainSession(authToken) {
+    const existingSession = authToken ? await sessionsCollection.findOne({ authToken }) : null;
+    if (existingSession) {
+        return {
+            authToken: String(existingSession.authToken),
+            expiresAt: new Date(existingSession.expiresAt),
+            userId: existingSession.userId ?? null,
+        };
+    }
+    return await createSession();
+}
+export async function setSessionUser(authToken, userId) {
+    await sessionsCollection.updateOne({ authToken }, {
+        $set: { userId },
+    });
+}
+export async function clearSessionUser(authToken) {
+    await sessionsCollection.updateOne({ authToken }, {
+        $set: { userId: null },
+    });
+}
+export async function createSession(userId = null) {
+    // TODO: add rate-limiting and captcha handling
+    const authToken = randomBytes(32).toString('base64url');
+    const now = Date.now();
+    const expiresAt = new Date(now + time.days(7));
+    await sessionsCollection.insertOne({
+        authToken,
+        createdAt: new Date(now),
+        expiresAt,
+        userId,
+    });
+    return {
+        authToken,
+        expiresAt,
+        userId,
+    };
+}
+async function processSessionHeartbeat(session) {
+    const now = Date.now();
+    const newExpiresAt = new Date(now + time.days(7));
+    await sessionsCollection.updateOne({ authToken: session.authToken }, {
+        $set: {
+            lastActiveDate: new Date(now),
+            expiresAt: newExpiresAt,
+        },
+    });
+}
+export default new Module('_system.session', {
+    stores: [sessionsCollection],
+    mutations: {
+        init: async function (args, { session, user }) {
+            // TODO: mark or track app load somewhere
+            return {
+                session,
+                user,
+                configs: getPublicConfigs(),
+            };
+        },
+        heartbeat: async function (args, { session }) {
+            // Session might not exist if there is no database/authentication setup
+            if (session) {
+                await processSessionHeartbeat(session);
+            }
+        },
+    },
+});
+//# sourceMappingURL=session.js.map

package/dist/auth/session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/auth/session.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AAErC,OAAO,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC;AACvC,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC;AACtC,OAAO,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC;AACvC,OAAO,EAAE,IAAI,EAAE,MAAM,SAAS,CAAC;AAG/B,MAAM,CAAC,MAAM,kBAAkB,GAAG,IAAI,KAAK,CAAC,oBAAoB,EAAE;IAChE,MAAM,EAAE;QACN,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE;QAC1B,SAAS,EAAE,MAAM,CAAC,IAAI,EAAE;QACxB,SAAS,EAAE,MAAM,CAAC,IAAI,EAAE;QACxB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KACnC;IACD,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,EAAE,SAAS,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,SAAS,EAAE,CAAC,EAAE,EAAE,CAAC;IAC7E,mCAAmC;CACpC,CAAC,CAAC;AAEH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,SAAwB;IAC1D,MAAM,eAAe,GAAG,SAAS,CAAC,CAAC,CAAC,MAAM,kBAAkB,CAAC,OAAO,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAE3F,IAAI,eAAe,EAAE,CAAC;QACpB,OAAO;YACL,SAAS,EAAE,MAAM,CAAC,eAAe,CAAC,SAAS,CAAC;YAC5C,SAAS,EAAE,IAAI,IAAI,CAAC,eAAe,CAAC,SAAS,CAAC;YAC9C,MAAM,EAAE,eAAe,CAAC,MAAM,IAAI,IAAI;SACvC,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,aAAa,EAAE,CAAC;AAC/B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,SAAiB,EAAE,MAAgB;IACtE,MAAM,kBAAkB,CAAC,SAAS,CAChC,EAAE,SAAS,EAAE,EACb;QACE,IAAI,EAAE,EAAE,MAAM,EAAE;KACjB,CACF,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,SAAiB;IACtD,MAAM,kBAAkB,CAAC,SAAS,CAChC,EAAE,SAAS,EAAE,EACb;QACE,IAAI,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE;KACvB,CACF,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,SAA0B,IAAI;IAChE,+CAA+C;IAE/C,MAAM,SAAS,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACxD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAE/C,MAAM,kBAAkB,CAAC,SAAS,CAAC;QACjC,SAAS;QACT,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC;QACxB,SAAS;QACT,MAAM;KACP,CAAC,CAAC;IAEH,OAAO;QACL,SAAS;QACT,SAAS;QACT,MAAM;KACP,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,uBAAuB,CAAC,OAAgB;IACrD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,YAAY,GAAG,IAAI,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAElD,MAAM,kBAAkB,CAAC,SAAS,CAChC,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,EAChC;QACE,IAAI,EAAE;YACJ,cAAc,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC;YAC7B,SAAS,EAAE,YAAY;SACxB;KACF,CACF,CAAC;AACJ,CAAC;AAED,eAAe,IAAI,MAAM,CAAC,iBAAiB,EAAE;IAC3C,MAAM,EAAE,CAAC,kBAAkB,CAAC;IAC5B,SAAS,EAAE;QACT,IAAI,EAAE,KAAK,WAAW,IAAI,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE;YAC3C,yCAAyC;YAEzC,OAAO;gBACL,OAAO;gBACP,IAAI;gBACJ,OAAO,EAAE,gBAAgB,EAAE;aAC5B,CAAC;QACJ,CAAC;QACD,SAAS,EAAE,KAAK,WAAW,IAAI,EAAE,EAAE,OAAO,EAAE;YAC1C,uEAAuE;YACvE,IAAI,OAAO,EAAE,CAAC;gBACZ,MAAM,uBAAuB,CAAC,OAAO,CAAC,CAAC;YACzC,CAAC;QACH,CAAC;KACF;CACF,CAAC,CAAC"}

package/dist/auth/signup.d.ts

@@ -0,0 +1,3 @@
+import { Args, Context } from '../methods/types';
+export declare function handleSignupWithPassword(args: Args, { user, session, connectionInfo }: Context): Promise<import("bson").ObjectId>;
+//# sourceMappingURL=signup.d.ts.map

package/dist/auth/signup.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signup.d.ts","sourceRoot":"","sources":["../../src/auth/signup.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AASjD,wBAAsB,wBAAwB,CAC5C,IAAI,EAAE,IAAI,EACV,EAAE,IAAI,EAAE,OAAO,EAAE,cAAc,EAAE,EAAE,OAAO,oCAwG3C"}

package/dist/auth/signup.js

@@ -0,0 +1,89 @@
+import { usersCollection } from './db';
+import { isDisposableEmail } from './disposableEmails';
+import { consumeRateLimit } from '../rate-limit/rules';
+import { sendVerificationEmail } from './verification';
+import { validateEmail, validatePassword } from './validators';
+import { getAuthConfig } from '../app/authConfig';
+import { hashPassword } from './password';
+export async function handleSignupWithPassword(args, { user, session, connectionInfo }) {
+    try {
+        const email = validateEmail(args.email);
+        const password = validatePassword(args.password);
+        const ip = connectionInfo?.ip;
+        if (ip) {
+            await consumeRateLimit({
+                bucket: 'signupAttempt',
+                type: 'ip',
+                value: ip,
+            });
+        }
+        if (await isDisposableEmail(email)) {
+            throw new Error('Please use a permanent email address');
+        }
+        // TODO: captcha check
+        if (user) {
+            // TODO: handle cases where a user is already logged in
+        }
+        const existingUser = await usersCollection.findOne({ 'emails.address': email }, { collation: { locale: 'en', strength: 2 } });
+        if (existingUser) {
+            const existingEmail = existingUser.emails?.find((e) => e.address === email);
+            if (existingUser.status === 'disabled') {
+                throw new Error(`User is marked for deletion, please contact support if you want to restore the account.`);
+            }
+            throw new Error(`User with email already exists: ${existingEmail?.address}`);
+        }
+        if (ip) {
+            await consumeRateLimit({
+                bucket: 'signup',
+                type: 'ip',
+                value: ip,
+            });
+        }
+        // Hash password with native crypto scrypt (salt is automatically generated)
+        const hash = await hashPassword(password);
+        const result = await usersCollection.insertOne({
+            handle: email,
+            status: 'active',
+            emails: [
+                {
+                    address: email,
+                    verified: false,
+                },
+            ],
+            createdAt: new Date(),
+            authMethods: {
+                password: {
+                    hash,
+                },
+            },
+        });
+        const userDocument = await usersCollection.findOne({ _id: result.insertedId }, { readPreference: 'primary' });
+        if (!userDocument) {
+            throw new Error('User not found');
+        }
+        await sendVerificationEmail({
+            userId: result?.insertedId,
+            email,
+            baseUrl: connectionInfo?.baseUrl,
+        });
+        getAuthConfig().onAfterSignup?.({
+            user: userDocument,
+            session,
+            connectionInfo,
+        });
+        getAuthConfig().signup?.onSuccess?.(userDocument);
+        return result.insertedId;
+    }
+    catch (error) {
+        if (error instanceof Error) {
+            getAuthConfig().onSignupError?.({
+                error,
+                session,
+                connectionInfo,
+            });
+            getAuthConfig().signup?.onError?.(error);
+        }
+        throw error;
+    }
+}
+//# sourceMappingURL=signup.js.map

package/dist/auth/signup.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signup.js","sourceRoot":"","sources":["../../src/auth/signup.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,MAAM,CAAC;AACvC,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE1C,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,IAAU,EACV,EAAE,IAAI,EAAE,OAAO,EAAE,cAAc,EAAW;IAE1C,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,aAAa,CAAC,IAAI,CAAC,KAAe,CAAC,CAAC;QAClD,MAAM,QAAQ,GAAG,gBAAgB,CAAC,IAAI,CAAC,QAAkB,CAAC,CAAC;QAE3D,MAAM,EAAE,GAAG,cAAc,EAAE,EAAE,CAAC;QAC9B,IAAI,EAAE,EAAE,CAAC;YACP,MAAM,gBAAgB,CAAC;gBACrB,MAAM,EAAE,eAAe;gBACvB,IAAI,EAAE,IAAI;gBACV,KAAK,EAAE,EAAE;aACV,CAAC,CAAC;QACL,CAAC;QAED,IAAI,MAAM,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;YACnC,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;QAED,sBAAsB;QAEtB,IAAI,IAAI,EAAE,CAAC;YACT,uDAAuD;QACzD,CAAC;QAED,MAAM,YAAY,GAAG,MAAM,eAAe,CAAC,OAAO,CAChD,EAAE,gBAAgB,EAAE,KAAK,EAAE,EAC3B,EAAE,SAAS,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,EAAE,EAAE,CAC7C,CAAC;QAEF,IAAI,YAAY,EAAE,CAAC;YACjB,MAAM,aAAa,GAAG,YAAY,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,KAAK,CAAC,CAAC;YAC5E,IAAI,YAAY,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;gBACvC,MAAM,IAAI,KAAK,CACb,yFAAyF,CAC1F,CAAC;YACJ,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,mCAAmC,aAAa,EAAE,OAAO,EAAE,CAAC,CAAC;QAC/E,CAAC;QAED,IAAI,EAAE,EAAE,CAAC;YACP,MAAM,gBAAgB,CAAC;gBACrB,MAAM,EAAE,QAAQ;gBAChB,IAAI,EAAE,IAAI;gBACV,KAAK,EAAE,EAAE;aACV,CAAC,CAAC;QACL,CAAC;QAED,4EAA4E;QAC5E,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAC;QAE1C,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,SAAS,CAAC;YAC7C,MAAM,EAAE,KAAK;YACb,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE;gBACN;oBACE,OAAO,EAAE,KAAK;oBACd,QAAQ,EAAE,KAAK;iBAChB;aACF;YACD,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,WAAW,EAAE;gBACX,QAAQ,EAAE;oBACR,IAAI;iBACL;aACF;SACF,CAAC,CAAC;QAEH,MAAM,YAAY,GAAG,MAAM,eAAe,CAAC,OAAO,CAChD,EAAE,GAAG,EAAE,MAAM,CAAC,UAAU,EAAE,EAC1B,EAAE,cAAc,EAAE,SAAS,EAAE,CAC9B,CAAC;QAEF,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;QACpC,CAAC;QAED,MAAM,qBAAqB,CAAC;YAC1B,MAAM,EAAE,MAAM,EAAE,UAAU;YAC1B,KAAK;YACL,OAAO,EAAE,cAAc,EAAE,OAAO;SACjC,CAAC,CAAC;QAEH,aAAa,EAAE,CAAC,aAAa,EAAE,CAAC;YAC9B,IAAI,EAAE,YAAY;YAClB,OAAO;YACP,cAAc;SACf,CAAC,CAAC;QAEH,aAAa,EAAE,CAAC,MAAM,EAAE,SAAS,EAAE,CAAC,YAAY,CAAC,CAAC;QAElD,OAAO,MAAM,CAAC,UAAU,CAAC;IAC3B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;YAC3B,aAAa,EAAE,CAAC,aAAa,EAAE,CAAC;gBAC9B,KAAK;gBACL,OAAO;gBACP,cAAc;aACf,CAAC,CAAC;YAEH,aAAa,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,KAAK,CAAC,CAAC;QAC3C,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/auth/templates/emailVerficationTemplate.d.ts

@@ -0,0 +1,6 @@
+export declare function emailVerificationTemplate({ name, email, verificationUrl, }: {
+    name?: string;
+    email: string;
+    verificationUrl: string;
+}): string;
+//# sourceMappingURL=emailVerficationTemplate.d.ts.map

package/dist/auth/templates/emailVerficationTemplate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"emailVerficationTemplate.d.ts","sourceRoot":"","sources":["../../../src/auth/templates/emailVerficationTemplate.ts"],"names":[],"mappings":"AAAA,wBAAgB,yBAAyB,CAAC,EACxC,IAAI,EACJ,KAAK,EACL,eAAe,GAChB,EAAE;IACD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,eAAe,EAAE,MAAM,CAAC;CACzB,UAOA"}

package/dist/auth/templates/emailVerficationTemplate.js

@@ -0,0 +1,9 @@
+export function emailVerificationTemplate({ name, email, verificationUrl, }) {
+    return `
+    <p>Hi${name ? ` ${name}` : ''},</p>
+    <p>Please verify your email address ${email} by clicking the link below:</p>
+    <p><a href="${verificationUrl}">${verificationUrl}</a></p>
+    <p>If you did not request this, please ignore this email.</p>
+  `;
+}
+//# sourceMappingURL=emailVerficationTemplate.js.map

package/dist/auth/templates/emailVerficationTemplate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"emailVerficationTemplate.js","sourceRoot":"","sources":["../../../src/auth/templates/emailVerficationTemplate.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,yBAAyB,CAAC,EACxC,IAAI,EACJ,KAAK,EACL,eAAe,GAKhB;IACC,OAAO;WACE,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE;0CACS,KAAK;kBAC7B,eAAe,KAAK,eAAe;;GAElD,CAAC;AACJ,CAAC"}

package/dist/auth/types.d.ts

@@ -0,0 +1,22 @@
+import { Document, ObjectId } from 'mongodb';
+export type User = Document;
+export type UserInfo = {
+    id: string;
+    handle: string;
+    roles: string[];
+    hasRole: (role: string) => boolean;
+    requireRole: (role: string) => void;
+};
+export type Role = string;
+export type DefaultRoles = Record<'authenticated' | 'unauthenticated', Role | null>;
+export type Session = {
+    authToken: string;
+    expiresAt: Date;
+    userId: ObjectId | null;
+};
+export type Permission = string;
+export type RoleDefinition = {
+    description?: string;
+    permissions: Permission[];
+};
+//# sourceMappingURL=types.d.ts.map

package/dist/auth/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAE7C,MAAM,MAAM,IAAI,GAAG,QAAQ,CAAC;AAE5B,MAAM,MAAM,QAAQ,GAAG;IACrB,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,OAAO,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC;IACnC,WAAW,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;CACrC,CAAC;AAEF,MAAM,MAAM,IAAI,GAAG,MAAM,CAAC;AAE1B,MAAM,MAAM,YAAY,GAAG,MAAM,CAAC,eAAe,GAAG,iBAAiB,EAAE,IAAI,GAAG,IAAI,CAAC,CAAC;AAEpF,MAAM,MAAM,OAAO,GAAG;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,IAAI,CAAC;IAChB,MAAM,EAAE,QAAQ,GAAG,IAAI,CAAC;CACzB,CAAC;AAEF,MAAM,MAAM,UAAU,GAAG,MAAM,CAAC;AAEhC,MAAM,MAAM,cAAc,GAAG;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,UAAU,EAAE,CAAC;CAC3B,CAAC"}

package/dist/auth/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/auth/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":""}

package/dist/auth/user.d.ts

@@ -0,0 +1,5 @@
+import { Module } from '../app/module';
+export declare function createGuestUser(): Promise<import("bson").ObjectId>;
+declare const _default: Module;
+export default _default;
+//# sourceMappingURL=user.d.ts.map

package/dist/auth/user.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user.d.ts","sourceRoot":"","sources":["../../src/auth/user.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC;AAevC,wBAAsB,eAAe,qCAkBpC;;AAED,wBA6HG"}

package/dist/auth/user.js

@@ -0,0 +1,152 @@
+import { randomBytes } from 'crypto';
+import { Module } from '../app/module';
+import { time } from '../time';
+import { dbDisposableEmailDomains, emailVerificationTokensCollection, resetPasswordTokensCollection, usersCollection, } from './db';
+import { updateDisposableEmailListCron } from './disposableEmails';
+import { handleLoginWithPassword, handleLogout } from './login';
+import { getOwnProfile } from './profile';
+import { handleSignupWithPassword } from './signup';
+import { handleVerifyEmail } from './verification';
+import { handleResetPassword, handleSendResetPasswordToken } from './resetPassword';
+export async function createGuestUser() {
+    // TODO: add rate-limiting and captcha handling
+    const guestId = randomBytes(9)
+        .toString('base64')
+        .replace(/[+/]/g, (c) => (c === '+' ? 'a' : 'b'));
+    const handle = `guest_${guestId}`;
+    // TODO: re-try on handle collision
+    const result = await usersCollection.insertOne({
+        handle,
+        status: 'active',
+        createdAt: new Date(),
+        authMethods: {},
+    });
+    return result.insertedId;
+}
+export default new Module('_system.user', {
+    stores: [
+        usersCollection,
+        dbDisposableEmailDomains,
+        emailVerificationTokensCollection,
+        resetPasswordTokensCollection,
+    ],
+    queries: {
+        getOwnProfile,
+    },
+    mutations: {
+        signupWithPassword: handleSignupWithPassword,
+        loginWithPassword: handleLoginWithPassword,
+        logout: handleLogout,
+        sendResetPasswordToken: handleSendResetPasswordToken,
+        resetPassword: handleResetPassword,
+    },
+    cronJobs: {
+        updateDisposableEmailList: updateDisposableEmailListCron,
+    },
+    rateLimits: [
+        {
+            bucket: 'signup',
+            type: 'ip',
+            window: time.minutes(15),
+            limit: 20,
+        },
+        {
+            bucket: 'signup',
+            type: 'ip',
+            window: time.days(1),
+            limit: 200,
+        },
+        {
+            bucket: 'signupAttempt',
+            type: 'ip',
+            window: time.minutes(15),
+            limit: 50,
+        },
+        {
+            bucket: 'signupAttempt',
+            type: 'ip',
+            window: time.days(1),
+            limit: 500,
+        },
+        {
+            bucket: 'signin',
+            type: 'ip',
+            window: time.minutes(15),
+            limit: 50,
+        },
+        {
+            bucket: 'signin',
+            type: 'ip',
+            window: time.days(1),
+            limit: 500,
+        },
+        {
+            bucket: 'verification',
+            type: 'user',
+            window: time.minutes(15),
+            limit: 3,
+        },
+        {
+            bucket: 'verification',
+            type: 'user',
+            window: time.days(1),
+            limit: 10,
+        },
+    ],
+    configSchema: {
+        'auth.email.enabled': {
+            type: 'boolean',
+            isPublic: true,
+            default: true,
+        },
+        'auth.email.from': {
+            type: 'string',
+            isPublic: false,
+            default: '',
+        },
+        'auth.email.verification': {
+            type: 'boolean',
+            isPublic: true,
+            default: false,
+        },
+        'auth.google.enabled': {
+            type: 'boolean',
+            isPublic: true,
+            default: false,
+        },
+        'auth.google.clientId': {
+            type: 'string',
+            isPublic: false,
+            default: '',
+        },
+        'auth.google.clientSecret': {
+            type: 'secret',
+            isPublic: false,
+            default: '',
+        },
+        'auth.github.enabled': {
+            type: 'boolean',
+            isPublic: true,
+            default: false,
+        },
+        'auth.github.clientId': {
+            type: 'string',
+            isPublic: false,
+            default: '',
+        },
+        'auth.github.clientSecret': {
+            type: 'secret',
+            isPublic: false,
+            default: '',
+        },
+    },
+    routes: [
+        {
+            path: '/api/_internal/auth/verify-email',
+            handlers: {
+                get: handleVerifyEmail,
+            },
+        },
+    ],
+});
+//# sourceMappingURL=user.js.map

package/dist/auth/user.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"user.js","sourceRoot":"","sources":["../../src/auth/user.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AAErC,OAAO,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC;AACvC,OAAO,EAAE,IAAI,EAAE,MAAM,SAAS,CAAC;AAC/B,OAAO,EACL,wBAAwB,EACxB,iCAAiC,EACjC,6BAA6B,EAC7B,eAAe,GAChB,MAAM,MAAM,CAAC;AACd,OAAO,EAAE,6BAA6B,EAAE,MAAM,oBAAoB,CAAC;AACnE,OAAO,EAAE,uBAAuB,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAChE,OAAO,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,wBAAwB,EAAE,MAAM,UAAU,CAAC;AACpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACnD,OAAO,EAAE,mBAAmB,EAAE,4BAA4B,EAAE,MAAM,iBAAiB,CAAC;AAEpF,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,+CAA+C;IAE/C,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,CAAC;SAC3B,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAEpD,MAAM,MAAM,GAAG,SAAS,OAAO,EAAE,CAAC;IAClC,mCAAmC;IAEnC,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,SAAS,CAAC;QAC7C,MAAM;QACN,MAAM,EAAE,QAAQ;QAChB,SAAS,EAAE,IAAI,IAAI,EAAE;QACrB,WAAW,EAAE,EAAE;KAChB,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC,UAAU,CAAC;AAC3B,CAAC;AAED,eAAe,IAAI,MAAM,CAAC,cAAc,EAAE;IACxC,MAAM,EAAE;QACN,eAAe;QACf,wBAAwB;QACxB,iCAAiC;QACjC,6BAA6B;KAC9B;IACD,OAAO,EAAE;QACP,aAAa;KACd;IACD,SAAS,EAAE;QACT,kBAAkB,EAAE,wBAAwB;QAC5C,iBAAiB,EAAE,uBAAuB;QAC1C,MAAM,EAAE,YAAY;QACpB,sBAAsB,EAAE,4BAA4B;QACpD,aAAa,EAAE,mBAAmB;KACnC;IACD,QAAQ,EAAE;QACR,yBAAyB,EAAE,6BAA6B;KACzD;IACD,UAAU,EAAE;QACV;YACE,MAAM,EAAE,QAAQ;YAChB,IAAI,EAAE,IAAI;YACV,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACxB,KAAK,EAAE,EAAE;SACV;QACD;YACE,MAAM,EAAE,QAAQ;YAChB,IAAI,EAAE,IAAI;YACV,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YACpB,KAAK,EAAE,GAAG;SACX;QACD;YACE,MAAM,EAAE,eAAe;YACvB,IAAI,EAAE,IAAI;YACV,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACxB,KAAK,EAAE,EAAE;SACV;QACD;YACE,MAAM,EAAE,eAAe;YACvB,IAAI,EAAE,IAAI;YACV,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YACpB,KAAK,EAAE,GAAG;SACX;QACD;YACE,MAAM,EAAE,QAAQ;YAChB,IAAI,EAAE,IAAI;YACV,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACxB,KAAK,EAAE,EAAE;SACV;QACD;YACE,MAAM,EAAE,QAAQ;YAChB,IAAI,EAAE,IAAI;YACV,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YACpB,KAAK,EAAE,GAAG;SACX;QACD;YACE,MAAM,EAAE,cAAc;YACtB,IAAI,EAAE,MAAM;YACZ,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACxB,KAAK,EAAE,CAAC;SACT;QACD;YACE,MAAM,EAAE,cAAc;YACtB,IAAI,EAAE,MAAM;YACZ,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YACpB,KAAK,EAAE,EAAE;SACV;KACF;IACD,YAAY,EAAE;QACZ,oBAAoB,EAAE;YACpB,IAAI,EAAE,SAAS;YACf,QAAQ,EAAE,IAAI;YACd,OAAO,EAAE,IAAI;SACd;QACD,iBAAiB,EAAE;YACjB,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,KAAK;YACf,OAAO,EAAE,EAAE;SACZ;QACD,yBAAyB,EAAE;YACzB,IAAI,EAAE,SAAS;YACf,QAAQ,EAAE,IAAI;YACd,OAAO,EAAE,KAAK;SACf;QACD,qBAAqB,EAAE;YACrB,IAAI,EAAE,SAAS;YACf,QAAQ,EAAE,IAAI;YACd,OAAO,EAAE,KAAK;SACf;QACD,sBAAsB,EAAE;YACtB,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,KAAK;YACf,OAAO,EAAE,EAAE;SACZ;QACD,0BAA0B,EAAE;YAC1B,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,KAAK;YACf,OAAO,EAAE,EAAE;SACZ;QACD,qBAAqB,EAAE;YACrB,IAAI,EAAE,SAAS;YACf,QAAQ,EAAE,IAAI;YACd,OAAO,EAAE,KAAK;SACf;QACD,sBAAsB,EAAE;YACtB,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,KAAK;YACf,OAAO,EAAE,EAAE;SACZ;QACD,0BAA0B,EAAE;YAC1B,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,KAAK;YACf,OAAO,EAAE,EAAE;SACZ;KACF;IACD,MAAM,EAAE;QACN;YACE,IAAI,EAAE,kCAAkC;YACxC,QAAQ,EAAE;gBACR,GAAG,EAAE,iBAAiB;aACvB;SACF;KACF;CACF,CAAC,CAAC"}

package/dist/auth/validators.d.ts

@@ -0,0 +1,3 @@
+export declare function validatePassword(value: string): string;
+export declare function validateEmail(value: string): string;
+//# sourceMappingURL=validators.d.ts.map

package/dist/auth/validators.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validators.d.ts","sourceRoot":"","sources":["../../src/auth/validators.ts"],"names":[],"mappings":"AAEA,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,UAE7C;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,UAE1C"}

package/dist/auth/validators.js

@@ -0,0 +1,8 @@
+import { z } from 'zod';
+export function validatePassword(value) {
+    return z.string().min(8, { message: 'Password must contain at least 8 characters' }).parse(value);
+}
+export function validateEmail(value) {
+    return z.string().email({ message: 'Invalid email address' }).parse(value);
+}
+//# sourceMappingURL=validators.js.map