npm - wabe - Versions diffs - 0.6.14 → 0.6.15 - Mend

wabe 0.6.14 → 0.6.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/authentication/OTP.d.ts +10 -6
package/dist/authentication/interface.d.ts +3 -5
package/dist/authentication/security.d.ts +1 -2
package/dist/database/DatabaseController.d.ts +11 -2
package/dist/database/interface.d.ts +2 -0
package/dist/index.js +455 -367
package/dist/server/generateCodegen.d.ts +17 -0
package/dist/server/index.d.ts +5 -0
package/package.json +1 -1

package/dist/authentication/OTP.d.ts CHANGED Viewed

@@ -1,16 +1,20 @@
 import type { TOTP } from "otplib/core";
+import type { WabeContext } from "../server/interface";
+export declare const generateOtpSalt: () => string;
+export declare const getOrCreateOtpSalt: (context: WabeContext<any>, userId: string) => Promise<string>;
 export declare class OTP {
 	private secret;
 	internalTotp: TOTP;
 	constructor(rootKey: string);
-	deriveSecret(userId: string): string;
-	generate(userId: string): string;
-	verify(otp: string, userId: string): boolean;
-	authenticatorGenerate(userId: string): string;
-	authenticatorVerify(otp: string, userId: string): boolean;
-	generateKeyuri({ userId, emailOrUsername, applicationName }: {
+	deriveSecret(userId: string, salt?: string): string;
+	generate(userId: string, salt?: string): string;
+	verify(otp: string, userId: string, salt?: string): boolean;
+	authenticatorGenerate(userId: string, salt?: string): string;
+	authenticatorVerify(otp: string, userId: string, salt?: string): boolean;
+	generateKeyuri({ userId, emailOrUsername, applicationName, salt }: {
 		userId: string;
 		emailOrUsername: string;
 		applicationName: string;
+		salt?: string;
 	}): string;
 }

package/dist/authentication/interface.d.ts CHANGED Viewed

@@ -123,7 +123,7 @@ export interface SessionConfig<T extends WabeTypes> {
 }
 export interface AuthenticationRateLimitConfig {
 	/**
-	* Enable this rate limiter. Enabled by default in production.
+	* Enable this rate limiter. Enabled by default.
 	*/
 	enabled?: boolean;
 	maxAttempts?: number;
@@ -134,11 +134,9 @@ export interface AuthenticationSecurityConfig {
 	signInRateLimit?: AuthenticationRateLimitConfig;
 	signUpRateLimit?: AuthenticationRateLimitConfig;
 	verifyChallengeRateLimit?: AuthenticationRateLimitConfig;
+	sendOtpCodeRateLimit?: AuthenticationRateLimitConfig;
+	resetPasswordRateLimit?: AuthenticationRateLimitConfig;
 	mfaChallengeTtlMs?: number;
-	/**
-	* Require a valid challenge token during verifyChallenge in production.
-	*/
-	requireMfaChallengeInProduction?: boolean;
 }
 export interface AuthenticationConfig<T extends WabeTypes> {
 	session?: SessionConfig<T>;

package/dist/authentication/security.d.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import type { WabeContext } from "../server/interface";
 import type { WabeTypes } from "../server";
 import { DevWabeTypes } from "src/utils/helper";
-type RateLimitScope = "signIn" | "signUp" | "verifyChallenge";
+type RateLimitScope = "signIn" | "signUp" | "verifyChallenge" | "sendOtpCode" | "resetPassword";
 export declare const isRateLimited: <T extends WabeTypes>(context: WabeContext<T>, scope: RateLimitScope, key: string) => boolean;
 export declare const registerRateLimitFailure: unknown;
 export declare const clearRateLimit: unknown;
@@ -14,5 +14,4 @@ export declare const consumeMfaChallenge: (context: WabeContext<DevWabeTypes>, {
 	userId: string;
 	provider: string;
 }) => Promise<boolean>;
-export declare const shouldRequireMfaChallenge: unknown;
 export {};

package/dist/database/DatabaseController.d.ts CHANGED Viewed

@@ -70,7 +70,16 @@ export declare class DatabaseController<T extends WabeTypes> {
 	_isFieldOfType(originClassName: string, pointerField: string, expectedType: "Pointer" | "Relation", context: WabeContext<T>, currentClassName?: string): boolean;
 	_extractPointerId(pointerValue: unknown): string | undefined;
 	_extractRelationIds(relationValue: unknown): string[];
-	_getWhereObjectWithPointerOrRelation<U extends keyof T["types"]>(className: U, where: WhereType<T, U>, context: WabeContext<T>);
+	_getWhereObjectWithPointerOrRelation<U extends keyof T["types"]>(className: U, where: WhereType<T, U>, context: WabeContext<T>, depth?: number);
+	/**
+	* Adds ACL-based conditions to the where clause.
+	*
+	* IMPORTANT: Objects with `acl == null` are accessible to ANY authenticated
+	* user. If you only use class-level permissions (CLP) without setting
+	* per-object ACLs, any user with the required role can read/update/delete
+	* any row. To restrict access to the owner, set `acl` on each object at
+	* creation time via hooks or custom logic.
+	*/
 	_buildWhereWithACL<K extends keyof T["types"]>(where: WhereType<T, K>, context: WabeContext<T>, operation: "write" | "read"): WhereType<T, K>;
 	/**
 	* Private helper to load a single object for hooks (skips hooks to avoid recursion)
@@ -140,7 +149,7 @@ export declare class DatabaseController<T extends WabeTypes> {
 		K extends keyof T["types"],
 		U extends keyof T["types"][K],
 		W extends keyof T["types"][K]
-	>({ className, select, context, where, _skipHooks, first, offset, order }: GetObjectsOptions<T, K, U, W>): Promise<OutputType<T, K, W>[]>;
+	>({ className, select, context, where, _skipHooks, first, offset, order, _whereRecursionDepth }: GetObjectsOptions<T, K, U, W>): Promise<OutputType<T, K, W>[]>;
 	createObject<
 		K extends keyof T["types"],
 		U extends keyof T["types"][K],

package/dist/database/interface.d.ts CHANGED Viewed

@@ -118,6 +118,8 @@ export interface GetObjectsOptions<
 	context: WabeContext<T>;
 	_skipHooks?: boolean;
 	select?: SelectType<T, K, W>;
+	/** @internal For security: limits recursion depth of where with Pointer/Relation */
+	_whereRecursionDepth?: number;
 }
 export interface CreateObjectOptions<
 	T extends WabeTypes,