wabe 0.6.14 → 0.6.15

package/dist/index.js

@@ -17231,14 +17231,14 @@ var require_plugin_crypto = __commonJS((exports) => {
   function _interopDefault(ex) {
     return ex && typeof ex === "object" && "default" in ex ? ex["default"] : ex;
   }
-  var crypto3 = _interopDefault(__require("crypto"));
+  var crypto2 = _interopDefault(__require("crypto"));
   var createDigest = (algorithm, hmacKey, counter) => {
-    const hmac = crypto3.createHmac(algorithm, Buffer.from(hmacKey, "hex"));
+    const hmac = crypto2.createHmac(algorithm, Buffer.from(hmacKey, "hex"));
     const digest = hmac.update(Buffer.from(counter, "hex")).digest();
     return digest.toString("hex");
   };
   var createRandomBytes = (size, encoding) => {
-    return crypto3.randomBytes(size).toString(encoding);
+    return crypto2.randomBytes(size).toString(encoding);
   };
   exports.createDigest = createDigest;
   exports.createRandomBytes = createRandomBytes;
@@ -28905,13 +28905,13 @@ var SecondaryFactor;
   SecondaryFactor2["QRCodeOTP"] = "qrcodeOTP";
 })(SecondaryFactor ||= {});
 // ../wabe/src/authentication/oauth/utils.ts
-import crypto2 from "node:crypto";
+import crypto from "node:crypto";
 var base64URLencode = (content) => {
-  const hasher = crypto2.createHash("sha256").update(content);
+  const hasher = crypto.createHash("sha256").update(content);
   const result = hasher.digest("base64");
   return result.split("=")[0].replaceAll("+", "-").replaceAll("/", "_");
 };
-var generateRandomValues = () => crypto2.randomBytes(60).toString("base64url");
+var generateRandomValues = () => crypto.randomBytes(60).toString("base64url");
 
 // ../wabe/src/authentication/oauth/Oauth2Client.ts
 class OAuth2Client {
@@ -29048,7 +29048,7 @@ class Google {
 }
 // ../wabe/src/authentication/OTP.ts
 var import_otplib = __toESM(require_otplib(), 1);
-import { createHash } from "node:crypto";
+import { createHash, randomBytes as randomBytes2 } from "node:crypto";
 
 // ../wabe/src/utils/index.ts
 import { timingSafeEqual } from "node:crypto";
@@ -29149,10 +29149,14 @@ var getNestedProperty = (obj, path) => {
 };
 var firstLetterInUpperCase = (str) => {
   const indexOfFirstLetter = str.search(/[a-z]/i);
+  if (indexOfFirstLetter < 0)
+    return str;
   return str.slice(0, indexOfFirstLetter) + str[indexOfFirstLetter]?.toUpperCase() + str.slice(indexOfFirstLetter + 1);
 };
 var firstLetterInLowerCase = (str) => {
   const indexOfFirstLetter = str.search(/[a-z]/i);
+  if (indexOfFirstLetter < 0)
+    return str;
   return str.slice(0, indexOfFirstLetter) + str[indexOfFirstLetter]?.toLowerCase() + str.slice(indexOfFirstLetter + 1);
 };
 var getClassFromClassName = (className, config) => {
@@ -29186,56 +29190,15 @@ var tokenize = (value) => {
   return tmpValue.replace(/[\W_]+/g, " ").trim();
 };
 
-// ../wabe/src/authentication/OTP.ts
-var ONE_WINDOW = 1;
-
-class OTP {
-  secret;
-  internalTotp;
-  constructor(rootKey) {
-    this.secret = rootKey;
-    this.internalTotp = import_otplib.totp.clone({
-      window: [ONE_WINDOW, 0]
-    });
-  }
-  deriveSecret(userId) {
-    const hash = createHash("sha256").update(`${this.secret}:${userId}`).digest();
-    return base32Encode(hash, "RFC4648", { padding: false });
-  }
-  generate(userId) {
-    const secret = this.deriveSecret(userId);
-    return this.internalTotp.generate(secret);
-  }
-  verify(otp, userId) {
-    const secret = this.deriveSecret(userId);
-    return this.internalTotp.verify({ secret, token: otp });
-  }
-  authenticatorGenerate(userId) {
-    const secret = this.deriveSecret(userId);
-    return import_otplib.authenticator.generate(secret);
-  }
-  authenticatorVerify(otp, userId) {
-    const secret = this.deriveSecret(userId);
-    return import_otplib.authenticator.verify({
-      secret,
-      token: otp
-    });
-  }
-  generateKeyuri({
-    userId,
-    emailOrUsername,
-    applicationName
-  }) {
-    const secret = this.deriveSecret(userId);
-    return import_otplib.authenticator.keyuri(emailOrUsername, applicationName, secret);
-  }
-}
-// ../wabe/src/authentication/Session.ts
-var import_jsonwebtoken = __toESM(require_jsonwebtoken(), 1);
-import crypto4 from "node:crypto";
-
 // ../wabe/src/utils/crypto.ts
-import { randomBytes, createCipheriv, createDecipheriv, createHmac } from "node:crypto";
+import {
+  randomBytes,
+  createCipheriv,
+  createDecipheriv,
+  createHmac,
+  timingSafeEqual as timingSafeEqual2
+} from "node:crypto";
+import * as nodeCrypto from "node:crypto";
 import { promisify } from "node:util";
 var params = {
   parallelism: 1,
@@ -29243,12 +29206,18 @@ var params = {
   memory: 65536,
   passes: 2
 };
+var getNodeArgon2 = () => {
+  const argon22 = nodeCrypto.argon2;
+  if (!argon22)
+    throw new Error("Argon2 is not supported in this runtime");
+  return argon22;
+};
 var hashArgon2 = async (text) => {
   if (process.versions.bun)
     return Bun.password.hash(text, { algorithm: "argon2id" });
-  const argon2 = promisify(__require("node:crypto").argon2);
+  const argon22 = promisify(getNodeArgon2());
   const nonce = randomBytes(16);
-  const result = await argon2("argon2id", {
+  const result = await argon22("argon2id", {
     message: text,
     nonce,
     ...params
@@ -29259,6 +29228,8 @@ var verifyArgon2 = async (password, hash) => {
   if (process.versions.bun)
     return Bun.password.verify(password, hash, "argon2id");
   const [, algorithm, , paramString, nonceHex, storedHashHex] = hash.split("$");
+  if (!algorithm || !paramString || !nonceHex || !storedHashHex)
+    return false;
   const kvPairs = paramString?.split(",");
   const parsedParams = Object.fromEntries(kvPairs?.map((pair) => {
     const [key, value] = pair.split("=");
@@ -29267,15 +29238,18 @@ var verifyArgon2 = async (password, hash) => {
   const memory = parsedParams.m;
   const passes = parsedParams.t;
   const parallelism = parsedParams.p;
-  const newDerived = await promisify(__require("node:crypto"))(algorithm, {
-    nonce: Buffer.from(nonceHex || "", "base64"),
+  if ([memory, passes, parallelism].some((value) => Number.isNaN(value)))
+    return false;
+  const argon2Async = promisify(getNodeArgon2());
+  const newDerived = await argon2Async(algorithm, {
+    nonce: Buffer.from(nonceHex, "base64"),
     parallelism,
-    tagLength: 64,
+    tagLength: params.tagLength,
     memory,
     passes,
     message: password
   });
-  const isMatch = crypto.timingSafeEqual(Buffer.from(newDerived), Buffer.from(storedHashHex || "", "base64"));
+  const isMatch = timingSafeEqual2(Buffer.from(newDerived), Buffer.from(storedHashHex, "base64"));
   return isMatch;
 };
 var isArgon2Hash = (value) => typeof value === "string" && value.startsWith("$argon2");
@@ -29319,7 +29293,76 @@ var contextWithRoot = (context) => ({
 });
 var notEmpty = (value) => value !== null && value !== undefined;
 
+// ../wabe/src/authentication/OTP.ts
+var ONE_WINDOW = 1;
+var generateOtpSalt = () => randomBytes2(32).toString("hex");
+var getOrCreateOtpSalt = async (context, userId) => {
+  const rootContext = contextWithRoot(context);
+  const user = await context.wabe.controllers.database.getObject({
+    className: "User",
+    id: userId,
+    context: rootContext,
+    select: { otpSalt: true }
+  });
+  if (user?.otpSalt)
+    return user.otpSalt;
+  const salt = generateOtpSalt();
+  await context.wabe.controllers.database.updateObject({
+    className: "User",
+    id: userId,
+    context: rootContext,
+    data: { otpSalt: salt },
+    select: {}
+  });
+  return salt;
+};
+
+class OTP {
+  secret;
+  internalTotp;
+  constructor(rootKey) {
+    this.secret = rootKey;
+    this.internalTotp = import_otplib.totp.clone({
+      window: [ONE_WINDOW, 0]
+    });
+  }
+  deriveSecret(userId, salt) {
+    const material = salt ? `${this.secret}:${userId}:${salt}` : `${this.secret}:${userId}`;
+    const hash = createHash("sha256").update(material).digest();
+    return base32Encode(hash, "RFC4648", { padding: false });
+  }
+  generate(userId, salt) {
+    const secret = this.deriveSecret(userId, salt);
+    return this.internalTotp.generate(secret);
+  }
+  verify(otp, userId, salt) {
+    const secret = this.deriveSecret(userId, salt);
+    return this.internalTotp.verify({ secret, token: otp });
+  }
+  authenticatorGenerate(userId, salt) {
+    const secret = this.deriveSecret(userId, salt);
+    return import_otplib.authenticator.generate(secret);
+  }
+  authenticatorVerify(otp, userId, salt) {
+    const secret = this.deriveSecret(userId, salt);
+    return import_otplib.authenticator.verify({
+      secret,
+      token: otp
+    });
+  }
+  generateKeyuri({
+    userId,
+    emailOrUsername,
+    applicationName,
+    salt
+  }) {
+    const secret = this.deriveSecret(userId, salt);
+    return import_otplib.authenticator.keyuri(emailOrUsername, applicationName, secret);
+  }
+}
 // ../wabe/src/authentication/Session.ts
+var import_jsonwebtoken = __toESM(require_jsonwebtoken(), 1);
+import crypto3 from "node:crypto";
 var getJwtSecret = (context) => {
   const secret = context.wabe.config.authentication?.session?.jwtSecret;
   if (!secret)
@@ -29338,7 +29381,7 @@ var safeVerify = (token, secret, options = {}) => {
   }
 };
 var getTokenSecret = (context) => context.wabe.config.authentication?.session?.tokenSecret ?? getJwtSecret(context);
-var getTokenEncryptionKey = (context) => crypto4.createHash("sha256").update(getTokenSecret(context)).digest();
+var getTokenEncryptionKey = (context) => crypto3.createHash("sha256").update(getTokenSecret(context)).digest();
 var getJwtVerifyOptions = (context) => {
   const opts = {};
   const audience = context.wabe.config.authentication?.session?.jwtAudience;
@@ -29434,7 +29477,7 @@ class Session {
       const currentSessionId = session.id;
       const message = `${currentSessionId.length}!${currentSessionId}!${receivedRandomValue?.length}!${receivedRandomValue}`;
       const csrfSecret = context.wabe.config.authentication?.session?.csrfSecret || getJwtSecret(context);
-      const expectedHmac = crypto4.createHmac("sha256", csrfSecret).update(message).digest("hex");
+      const expectedHmac = crypto3.createHmac("sha256", csrfSecret).update(message).digest("hex");
       const isHex = /^[0-9a-f]+$/i;
       if (!isHex.test(receivedHmacHex) || receivedHmacHex.length !== expectedHmac.length)
         return {
@@ -29443,7 +29486,7 @@ class Session {
           accessToken: null,
           refreshToken: null
         };
-      const isValid = crypto4.timingSafeEqual(Buffer.from(receivedHmacHex, "hex"), Buffer.from(expectedHmac, "hex"));
+      const isValid = crypto3.timingSafeEqual(Buffer.from(receivedHmacHex, "hex"), Buffer.from(expectedHmac, "hex"));
       if (!isValid)
         return {
           sessionId: null,
@@ -29502,7 +29545,7 @@ class Session {
     }) : undefined;
     const secretKey = getJwtSecret(context);
     const signOptions = {
-      jwtid: crypto4.randomUUID(),
+      jwtid: crypto3.randomUUID(),
       algorithm: JWT_ALGORITHM
     };
     const audience = context.wabe.config.authentication?.session?.jwtAudience;
@@ -29544,10 +29587,10 @@ class Session {
     if (!res)
       throw new Error("Session not created");
     const sessionId = res.id;
-    const randomValue = crypto4.randomBytes(16).toString("hex");
+    const randomValue = crypto3.randomBytes(16).toString("hex");
     const message = `${sessionId.length}!${sessionId}!${randomValue.length}!${randomValue}`;
     const csrfSecret = context.wabe.config.authentication?.session?.csrfSecret || secretKey;
-    const hmac = crypto4.createHmac("sha256", csrfSecret).update(message).digest("hex");
+    const hmac = crypto3.createHmac("sha256", csrfSecret).update(message).digest("hex");
     const csrfToken = `${hmac}.${randomValue}`;
     return {
       accessToken: this.accessToken,
@@ -29626,7 +29669,7 @@ class Session {
     }) : undefined;
     const nowSeconds = Math.floor(Date.now() / 1000);
     const signOptions = {
-      jwtid: crypto4.randomUUID(),
+      jwtid: crypto3.randomUUID(),
       algorithm: JWT_ALGORITHM
     };
     const audience = context.wabe.config.authentication?.session?.jwtAudience;
@@ -29699,6 +29742,7 @@ var signOutResolver = async (_, __, context) => {
   if (context.wabe.config.authentication?.session?.cookieSession) {
     context.response?.deleteCookie("accessToken");
     context.response?.deleteCookie("refreshToken");
+    context.response?.deleteCookie("csrfToken");
   }
   return true;
 };
@@ -29713,7 +29757,7 @@ var getSessionCookieSameSite = (config) => {
 };
 
 // ../wabe/src/authentication/security.ts
-import crypto5 from "node:crypto";
+import crypto4 from "node:crypto";
 var DEFAULT_SIGN_IN_RATE_LIMIT = {
   maxAttempts: 10,
   windowMs: 10 * 60 * 1000,
@@ -29729,6 +29773,16 @@ var DEFAULT_VERIFY_CHALLENGE_RATE_LIMIT = {
   windowMs: 10 * 60 * 1000,
   blockDurationMs: 15 * 60 * 1000
 };
+var DEFAULT_SEND_OTP_CODE_RATE_LIMIT = {
+  maxAttempts: 5,
+  windowMs: 10 * 60 * 1000,
+  blockDurationMs: 30 * 60 * 1000
+};
+var DEFAULT_RESET_PASSWORD_RATE_LIMIT = {
+  maxAttempts: 10,
+  windowMs: 10 * 60 * 1000,
+  blockDurationMs: 15 * 60 * 1000
+};
 var DEFAULT_MFA_CHALLENGE_TTL_MS = 5 * 60 * 1000;
 var rateLimitStorage = new Map;
 var getRateLimitOptions = (context, scope) => {
@@ -29737,17 +29791,21 @@ var getRateLimitOptions = (context, scope) => {
   const scopeConfigMap = {
     signIn: securityConfig?.signInRateLimit,
     signUp: securityConfig?.signUpRateLimit,
-    verifyChallenge: securityConfig?.verifyChallengeRateLimit
+    verifyChallenge: securityConfig?.verifyChallengeRateLimit,
+    sendOtpCode: securityConfig?.sendOtpCodeRateLimit,
+    resetPassword: securityConfig?.resetPasswordRateLimit
   };
   const defaultsMap = {
     signIn: DEFAULT_SIGN_IN_RATE_LIMIT,
     signUp: DEFAULT_SIGN_UP_RATE_LIMIT,
-    verifyChallenge: DEFAULT_VERIFY_CHALLENGE_RATE_LIMIT
+    verifyChallenge: DEFAULT_VERIFY_CHALLENGE_RATE_LIMIT,
+    sendOtpCode: DEFAULT_SEND_OTP_CODE_RATE_LIMIT,
+    resetPassword: DEFAULT_RESET_PASSWORD_RATE_LIMIT
   };
   const scopeConfig = scopeConfigMap[scope];
   const defaults = defaultsMap[scope];
   return {
-    enabled: scopeConfig?.enabled ?? !!wabeConfig?.isProduction,
+    enabled: scopeConfig?.enabled ?? true,
     maxAttempts: scopeConfig?.maxAttempts ?? defaults.maxAttempts,
     windowMs: scopeConfig?.windowMs ?? defaults.windowMs,
     blockDurationMs: scopeConfig?.blockDurationMs ?? defaults.blockDurationMs
@@ -29826,19 +29884,15 @@ var pruneExpiredChallenges = (challenges) => {
   return challenges.filter((challenge) => challenge.expiresAt > now);
 };
 var getUserPendingChallenges = async (context, userId) => {
-  try {
-    const user = await getDatabaseController(context).getObject({
-      className: "User",
-      id: userId,
-      context: contextWithRoot(context),
-      select: {
-        pendingChallenges: true
-      }
-    });
-    return parsePendingChallenges(user?.pendingChallenges);
-  } catch {
-    return null;
-  }
+  const user = await getDatabaseController(context).getObject({
+    className: "User",
+    id: userId,
+    context: contextWithRoot(context),
+    select: {
+      pendingChallenges: true
+    }
+  });
+  return parsePendingChallenges(user?.pendingChallenges);
 };
 var saveUserPendingChallenges = async (context, userId, challenges) => getDatabaseController(context).updateObject({
   className: "User",
@@ -29854,9 +29908,9 @@ var saveUserPendingChallenges = async (context, userId, challenges) => getDataba
   select: {}
 });
 var createMfaChallenge = async (context, { userId, provider }) => {
-  const token = crypto5.randomUUID();
+  const token = crypto4.randomUUID();
   const expiresAt = Date.now() + getMfaChallengeTTL(context);
-  const currentChallenges = await getUserPendingChallenges(context, userId) || [];
+  const currentChallenges = await getUserPendingChallenges(context, userId);
   const nextChallenges = [
     ...pruneExpiredChallenges(currentChallenges),
     {
@@ -29868,24 +29922,35 @@ var createMfaChallenge = async (context, { userId, provider }) => {
   await saveUserPendingChallenges(context, userId, nextChallenges);
   return token;
 };
+var mfaLocks = new Map;
 var consumeMfaChallenge = async (context, {
   challengeToken,
   userId,
   provider
 }) => {
-  const currentChallenges = await getUserPendingChallenges(context, userId);
-  if (!currentChallenges)
-    return false;
-  const activeChallenges = pruneExpiredChallenges(currentChallenges);
-  const normalizedProvider = provider.toLowerCase();
-  const isValid = activeChallenges.some((challenge) => challenge.token === challengeToken && challenge.provider === normalizedProvider);
-  const remainingChallenges = activeChallenges.filter((challenge) => !(challenge.token === challengeToken && challenge.provider === normalizedProvider));
-  if (remainingChallenges.length !== currentChallenges.length || isValid) {
-    await saveUserPendingChallenges(context, userId, remainingChallenges);
-  }
-  return isValid;
+  const lockKey = `mfa:${userId}`;
+  const previous = mfaLocks.get(lockKey) ?? Promise.resolve(false);
+  const current = previous.catch(() => false).then(async () => {
+    const currentChallenges = await getUserPendingChallenges(context, userId);
+    if (!currentChallenges)
+      return false;
+    const activeChallenges = pruneExpiredChallenges(currentChallenges);
+    const normalizedProvider = provider.toLowerCase();
+    const isValid = activeChallenges.some((challenge) => challenge.token === challengeToken && challenge.provider === normalizedProvider);
+    const remainingChallenges = activeChallenges.filter((challenge) => !(challenge.token === challengeToken && challenge.provider === normalizedProvider));
+    if (remainingChallenges.length !== currentChallenges.length || isValid) {
+      await saveUserPendingChallenges(context, userId, remainingChallenges);
+    }
+    return isValid;
+  });
+  mfaLocks.set(lockKey, current);
+  try {
+    return await current;
+  } finally {
+    if (mfaLocks.get(lockKey) === current)
+      mfaLocks.delete(lockKey);
+  }
 };
-var shouldRequireMfaChallenge = (context) => context.wabe.config?.authentication?.security?.requireMfaChallengeInProduction ?? !!context.wabe.config?.isProduction;
 
 // ../wabe/src/authentication/utils.ts
 var getAuthenticationMethod = (listOfMethods, context) => {
@@ -29918,18 +29983,16 @@ var verifyChallengeResolver = async (_, {
   });
   if (!result?.userId)
     throw new Error("Invalid challenge");
-  if (shouldRequireMfaChallenge(context)) {
-    const challengeToken = input.challengeToken;
-    if (!challengeToken)
-      throw new Error("Invalid challenge");
-    const isValidChallenge = await consumeMfaChallenge(context, {
-      challengeToken,
-      userId: result.userId,
-      provider: name
-    });
-    if (!isValidChallenge)
-      throw new Error("Invalid challenge");
-  }
+  const challengeToken = input.challengeToken;
+  if (!challengeToken)
+    throw new Error("Invalid challenge");
+  const isValidChallenge = await consumeMfaChallenge(context, {
+    challengeToken,
+    userId: result.userId,
+    provider: name
+  });
+  if (!isValidChallenge)
+    throw new Error("Invalid challenge");
   const session = new Session;
   const { accessToken, refreshToken } = await session.create(result.userId, context);
   if (context.wabe.config.authentication?.session?.cookieSession) {
@@ -29966,14 +30029,26 @@ var meResolver = (_, __, context) => {
 // ../wabe/src/schema/resolvers/resetPassword.ts
 var DUMMY_USER_ID = "00000000-0000-0000-0000-000000000000";
 var resetPasswordResolver = async (_, { input: { email, phone, password, otp } }, context) => {
-  if (!email && !phone)
+  const normalizedEmail = email?.trim().toLowerCase();
+  const normalizedPhone = phone?.trim();
+  if (!normalizedEmail && !normalizedPhone)
+    throw new Error("Email or phone is required");
+  if (normalizedEmail && normalizedPhone)
     throw new Error("Email or phone is required");
+  const identifier = normalizedEmail || normalizedPhone;
+  if (!identifier)
+    throw new Error("Email or phone is required");
+  const rateLimitKey = `resetPassword:${identifier}`;
+  if (isRateLimited(context, "resetPassword", rateLimitKey))
+    throw new Error("Too many attempts. Please try again later.");
   const users = await context.wabe.controllers.database.getObjects({
     className: "User",
     where: {
-      ...email && { email: { equalTo: email } },
-      ...phone && {
-        authentication: { phonePassword: { phone: { equalTo: phone } } }
+      ...normalizedEmail && { email: { equalTo: normalizedEmail } },
+      ...normalizedPhone && {
+        authentication: {
+          phonePassword: { phone: { equalTo: normalizedPhone } }
+        }
       }
     },
     select: { id: true, authentication: true },
@@ -29983,21 +30058,24 @@ var resetPasswordResolver = async (_, { input: { email, phone, password, otp } }
   const realUser = users.length > 0 ? users[0] : null;
   const userId = realUser?.id ?? DUMMY_USER_ID;
   const otpClass = new OTP(context.wabe.config.rootKey);
-  const isOtpValid = otpClass.verify(otp, userId);
+  const salt = realUser ? await getOrCreateOtpSalt(context, userId) : undefined;
+  const isOtpValid = otpClass.verify(otp, userId, salt);
   if (realUser) {
-    if (!isOtpValid)
+    if (!isOtpValid) {
+      registerRateLimitFailure(context, "resetPassword", rateLimitKey);
       throw new Error("Invalid OTP code");
-    const providerKey = phone ? "phonePassword" : "emailPassword";
+    }
+    const providerKey = normalizedPhone ? "phonePassword" : "emailPassword";
     await context.wabe.controllers.database.updateObject({
       className: "User",
       id: realUser.id,
       data: {
         authentication: {
           [providerKey]: {
-            ...phone && {
+            ...normalizedPhone && {
               phone: realUser.authentication?.phonePassword?.phone
             },
-            ...email && { email },
+            ...normalizedEmail && { email: normalizedEmail },
             password
           }
         }
@@ -30013,6 +30091,9 @@ var resetPasswordResolver = async (_, { input: { email, phone, password, otp } }
       select: {},
       context: contextWithRoot(context)
     });
+    clearRateLimit(context, "resetPassword", rateLimitKey);
+  } else {
+    registerRateLimitFailure(context, "resetPassword", rateLimitKey);
   }
   return true;
 };
@@ -30144,11 +30225,17 @@ var sendOtpCodeResolver = async (_, { input }, context) => {
   const emailController = context.wabe.controllers.email;
   if (!emailController)
     throw new Error("Email adapter not defined");
+  const normalizedEmail = input.email.trim().toLowerCase();
+  if (!normalizedEmail)
+    return true;
+  const rateLimitKey = `sendOtpCode:${normalizedEmail}`;
+  if (isRateLimited(context, "sendOtpCode", rateLimitKey))
+    return true;
   const user = await context.wabe.controllers.database.getObjects({
     className: "User",
     where: {
       email: {
-        equalTo: input.email
+        equalTo: normalizedEmail
       }
     },
     select: { id: true },
@@ -30161,15 +30248,17 @@ var sendOtpCodeResolver = async (_, { input }, context) => {
   if (!userId)
     return false;
   const otpClass = new OTP(context.wabe.config.rootKey);
-  const otp = otpClass.generate(userId);
+  const salt = await getOrCreateOtpSalt(context, userId);
+  const otp = otpClass.generate(userId, salt);
   const mainEmail = context.wabe.config.email?.mainEmail || "noreply@wabe.com";
   const template = context.wabe.config.email?.htmlTemplates?.sendOTPCode;
   await emailController.send({
     from: mainEmail,
-    to: [input.email],
+    to: [normalizedEmail],
     subject: template?.subject || "Your OTP code",
     html: template?.fn ? await template.fn({ otp }) : sendOtpCodeTemplate(otp)
   });
+  registerRateLimitFailure(context, "sendOtpCode", rateLimitKey);
   return true;
 };
 
@@ -30307,12 +30396,16 @@ var signInWithResolver = async (_, {
     };
   }
   if (name === "emailPasswordSRP") {
+    const challengeToken = await createMfaChallenge(context, {
+      userId,
+      provider: "emailPasswordSRPChallenge"
+    });
     return {
       accessToken: null,
       refreshToken: null,
       user,
       srp: srp || null,
-      challengeToken: null
+      challengeToken
     };
   }
   const session = new Session;
@@ -30731,6 +30824,13 @@ class Schema {
           }
         }
       },
+      otpSalt: {
+        type: "String",
+        protected: {
+          authorizedRoles: ["rootOnly"],
+          protectedOperations: ["create", "read", "update"]
+        }
+      },
       pendingChallenges: {
         type: "Array",
         typeValue: "Object",
@@ -30918,7 +31018,7 @@ var getFile = async (hookObject) => {
   const schema = hookObject.context.wabe.config.schema?.classes?.find((currentClass) => currentClass.name === hookObject.className);
   if (!schema)
     return;
-  const urlCacheInSeconds = hookObject.context.wabe.config.file?.urlCacheInSeconds || 3600 * 24;
+  const urlCacheInSeconds = hookObject.context.wabe.config.file?.urlCacheInSeconds ?? 3600 * 24;
   await Promise.all(Object.entries(schema.fields).filter(([_, value]) => value.type === "File").map(async ([fieldName]) => {
     const fileInfo = hookObject.object?.[fieldName];
     if (!fileInfo)
@@ -30932,17 +31032,21 @@ var getFile = async (hookObject) => {
     if (!hookObject.context.wabe.controllers.file)
       throw new Error("No file adapter found");
     const fileUrlFromBucket = await hookObject.context.wabe.controllers.file?.readFile(fileName);
-    const newUrl = fileUrlFromBucket || fileInfo.url;
+    if (!fileUrlFromBucket)
+      return;
+    const newUrl = fileUrlFromBucket;
     const newUrlGeneratedAt = new Date;
     hookObject.object[fieldName] = {
       ...fileInfo,
       urlGeneratedAt: newUrlGeneratedAt,
       url: newUrl
     };
+    if (!hookObject.object?.id)
+      return;
     return hookObject.context.wabe.controllers.database.updateObject({
       className: hookObject.className,
       context: hookObject.context,
-      id: hookObject.object?.id || "",
+      id: hookObject.object.id,
       data: {
         [fieldName]: {
           ...fileInfo,
@@ -30957,7 +31061,7 @@ var getFile = async (hookObject) => {
 var defaultAfterReadFile = (hookObject) => getFile(hookObject);
 
 // ../wabe/src/file/security.ts
-import crypto6 from "node:crypto";
+import crypto5 from "node:crypto";
 import path from "node:path";
 var DEFAULT_MAX_FILE_SIZE_BYTES = 10 * 1024 * 1024;
 var DEFAULT_ALLOWED_MIME_TYPES = [
@@ -31018,7 +31122,7 @@ var detectMimeTypeFromContent = async (file) => {
 };
 var getUploadSecurityConfig = (context) => {
   const security = context.wabe.config.file?.security;
-  const enabled = security?.enabled ?? context.wabe.config.isProduction;
+  const enabled = security?.enabled ?? true;
   const maxFileSizeBytes = security?.maxFileSizeBytes ?? DEFAULT_MAX_FILE_SIZE_BYTES;
   const allowedMimeTypes = (security?.allowedMimeTypes || DEFAULT_ALLOWED_MIME_TYPES).map(normalizeMimeType);
   const allowedExtensions = (security?.allowedExtensions || DEFAULT_ALLOWED_EXTENSIONS).map((value) => value.trim().toLowerCase());
@@ -31032,7 +31136,7 @@ var getUploadSecurityConfig = (context) => {
   };
 };
 var createRandomizedFile = async (file, extension) => {
-  const uniqueName = `${crypto6.randomUUID()}.${extension}`;
+  const uniqueName = `${crypto5.randomUUID()}.${extension}`;
   const content = await file.arrayBuffer();
   return new File([content], uniqueName, {
     type: file.type,
@@ -31052,6 +31156,9 @@ var secureUploadedFile = async (file, context) => {
   if (!mimeType || !allowedMimeTypes.includes(mimeType))
     throw new Error("File MIME type is not allowed");
   const detectedMimeType = await detectMimeTypeFromContent(file);
+  const mimeTypeHasKnownSignature = MIME_SIGNATURES.some((signature) => signature.mimeType === mimeType);
+  if (mimeTypeHasKnownSignature && detectedMimeType !== mimeType)
+    throw new Error("File content does not match MIME type");
   if (detectedMimeType && detectedMimeType !== mimeType)
     throw new Error("File content does not match MIME type");
   if (detectedMimeType && !allowedMimeTypes.includes(detectedMimeType))
@@ -31065,6 +31172,19 @@ var secureUploadedFile = async (file, context) => {
 };
 
 // ../wabe/src/file/hookUploadFile.ts
+var ALLOWED_URL_PROTOCOLS = ["https:"];
+var validateFileUrl = (url) => {
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    throw new Error("Invalid file URL");
+  }
+  if (!ALLOWED_URL_PROTOCOLS.includes(parsed.protocol))
+    throw new Error("File URL must use HTTPS");
+  if (parsed.hostname === "localhost" || parsed.hostname === "127.0.0.1" || parsed.hostname === "[::1]")
+    throw new Error("File URL must not point to localhost");
+};
 var handleFile = async (hookObject) => {
   const newData = hookObject.getNewData();
   const schema = hookObject.context.wabe.config.schema?.classes?.find((currentClass) => currentClass.name === hookObject.className);
@@ -31077,6 +31197,7 @@ var handleFile = async (hookObject) => {
     if (!file && !url)
       return;
     if (url) {
+      validateFileUrl(url);
       hookObject.upsertNewData(keyName, {
         url,
         isPresignedUrl: false
@@ -31129,7 +31250,9 @@ class HookObject {
     return this.context.user;
   }
   isFieldUpdated(field) {
-    return !!(this.newData && !!this.newData[field]);
+    if (!this.newData)
+      return false;
+    return Object.prototype.hasOwnProperty.call(this.newData, field);
   }
   upsertNewData(field, value) {
     if (!this.newData)
@@ -31930,6 +32053,7 @@ var getDefaultHooks = () => [
 ];
 
 // ../wabe/src/database/DatabaseController.ts
+var DEFAULT_MAX_WHERE_RECURSION_DEPTH = 10;
 var scalarWhereOperators = new Set([
   "equalTo",
   "notEqualTo",
@@ -32158,7 +32282,10 @@ class DatabaseController {
       return [];
     return relationValue.map((value) => this._extractPointerId(value)).filter((id) => typeof id === "string");
   }
-  async _getWhereObjectWithPointerOrRelation(className, where, context) {
+  async _getWhereObjectWithPointerOrRelation(className, where, context, depth = 0) {
+    const maxDepth = context.wabe.config.security?.maxWhereRecursionDepth ?? DEFAULT_MAX_WHERE_RECURSION_DEPTH;
+    if (depth > maxDepth)
+      throw new Error(`Query recursion depth exceeded maximum (${maxDepth}). Reduce nested where conditions.`);
     const whereKeys = Object.keys(where);
     const realClass = this._getClass(className, context);
     const newWhereObject = await whereKeys.reduce(async (acc, whereKey) => {
@@ -32166,7 +32293,7 @@ class DatabaseController {
       const typedWhereKey = whereKey;
       const field = realClass?.fields[typedWhereKey];
       if (typedWhereKey === "AND" || typedWhereKey === "OR") {
-        const newWhere = await Promise.all(where[typedWhereKey].map((whereObject) => this._getWhereObjectWithPointerOrRelation(className, whereObject, context)));
+        const newWhere = await Promise.all(where[typedWhereKey].map((whereObject) => this._getWhereObjectWithPointerOrRelation(className, whereObject, context, depth + 1)));
         return {
           ...currentAcc,
           [typedWhereKey]: newWhere
@@ -32203,7 +32330,8 @@ class DatabaseController {
         className: fieldTargetClass,
         select: { id: true },
         where: defaultWhere,
-        context
+        context,
+        _whereRecursionDepth: depth + 1
       });
       const relationWhere = objects.length > 0 ? objects.map((object) => object?.id).filter(notEmpty) : [];
       const neverMatchWhere = {
@@ -32544,7 +32672,8 @@ class DatabaseController {
       operationType: "beforeRead" /* BeforeRead */,
       id
     });
-    const whereWithACLCondition = this._buildWhereWithACL(where || {}, context, "read");
+    const whereWithPointer = await this._getWhereObjectWithPointerOrRelation(className, where || {}, context);
+    const whereWithACLCondition = this._buildWhereWithACL(whereWithPointer || {}, context, "read");
     const selectWithPointersAndRelationsToGetId = this._buildSelectWithPointers({
       adapterSelect,
       pointers
@@ -32586,7 +32715,8 @@ class DatabaseController {
     _skipHooks,
     first,
     offset,
-    order
+    order,
+    _whereRecursionDepth
   }) {
     const { pointers, selectWithoutPointers } = this._getSelectMinusPointersAndRelations({
       className,
@@ -32598,7 +32728,7 @@ class DatabaseController {
       context,
       selectWithoutPointers
     });
-    const whereWithPointer = await this._getWhereObjectWithPointerOrRelation(className, where || {}, context);
+    const whereWithPointer = await this._getWhereObjectWithPointerOrRelation(className, where || {}, context, _whereRecursionDepth ?? 0);
     const whereWithACLCondition = this._buildWhereWithACL(whereWithPointer || {}, context, "read");
     const selectWithPointersAndRelationsToGetId = this._buildSelectWithPointers({
       adapterSelect,
@@ -32728,10 +32858,11 @@ class DatabaseController {
     })));
     if (this._isEmptySelect(select))
       return [];
+    const selectWithoutPrivateFields = select ? selectFieldsWithoutPrivateFields(select) : undefined;
     return this.getObjects({
       className,
       context: contextWithRoot(context),
-      select,
+      select: selectWithoutPrivateFields,
       where: { id: { in: ids } },
       first,
       offset,
@@ -36023,11 +36154,20 @@ var add = async ({
     context
   });
   const idsToAdd = add2.map(getPointerId).filter(notEmpty);
-  if (typeOfExecution === "create")
+  if (typeOfExecution === "create") {
+    const linkedObjects = await Promise.all(idsToAdd.map((id2) => context.wabe.controllers.database.getObject({
+      className: targetClass,
+      id: id2,
+      select: { id: true },
+      context
+    })));
+    if (linkedObjects.some((object) => !object))
+      throw new Error("Object not found");
     return idsToAdd.map((id2) => toPointerObject2({
       className: targetClass,
       id: id2
     }));
+  }
   if (typeOfExecution === "update" && id) {
     const currentValue = await context.wabe.controllers.database.getObject({
       className,
@@ -36198,6 +36338,14 @@ var executeRelationOnFields = ({
       const targetClass = getTargetClassFromField2(fieldName);
       if (!linkedId)
         throw new Error(`Invalid link value for ${className}.${fieldName}`);
+      const linkedObject = await context.wabe.controllers.database.getObject({
+        className: targetClass,
+        id: linkedId,
+        select: { id: true },
+        context: contextWithoutGraphQLCall(context)
+      });
+      if (!linkedObject)
+        throw new Error(`Object not found`);
       newAcc[fieldName] = {
         class: targetClass,
         id: linkedId,
@@ -38327,6 +38475,7 @@ class GitHub {
 }
 
 // ../wabe/src/server/routes/authHandler.ts
+var validProviders = new Set(Object.values(ProviderEnum));
 var oauthHandlerCallback = async (context, wabeContext) => {
   try {
     const state = decodeURIComponent(context.query.state || "");
@@ -38336,6 +38485,8 @@ var oauthHandlerCallback = async (context, wabeContext) => {
       throw new Error("Authentication failed");
     const codeVerifier = context.getCookie("code_verifier");
     const provider = context.getCookie("provider");
+    if (!provider || !validProviders.has(provider))
+      throw new Error("Authentication failed, invalid provider");
     const { signInWith } = await getGraphqlClient(wabeContext.wabe.config.port).request(gql`
 				mutation signInWith(
 					$authorizationCode: String!
@@ -38372,7 +38523,7 @@ var oauthHandlerCallback = async (context, wabeContext) => {
     context.res.setCookie("refreshToken", refreshToken, {
       httpOnly: isCookieSession,
       path: "/",
-      maxAge: (wabeContext.wabe.config.authentication?.session?.accessTokenExpiresInMs || 60 * 15 * 1000) / 1000,
+      maxAge: (wabeContext.wabe.config.authentication?.session?.refreshTokenExpiresInMs || 1000 * 60 * 60 * 24 * 7) / 1000,
       sameSite,
       secure: true
     });
@@ -38441,6 +38592,7 @@ var authHandler = (context, wabeContext, provider) => {
 };
 
 // ../wabe/src/server/routes/index.ts
+var validProviders2 = new Set(Object.values(ProviderEnum));
 var defaultRoutes = ({
   devDirectory,
   enableBucketRoute
@@ -38451,8 +38603,8 @@ var defaultRoutes = ({
       path: "/auth/oauth",
       handler: (context) => {
         const provider = context.query.provider;
-        if (!provider)
-          throw new Error("Authentication failed, provider not found");
+        if (!provider || !validProviders2.has(provider))
+          throw new Error("Authentication failed, invalid provider");
         return authHandler(context, context.wabe, provider);
       }
     },
@@ -38484,18 +38636,25 @@ var wabePrimaryTypesToTypescriptTypes = {
   Email: "string",
   Phone: "string",
   Date: "Date",
-  File: "{url: string, name: string}",
   Hash: "string"
 };
+var getIndent = (options) => options?.indent ?? "\t";
+var getEndChar = (options) => options?.semi ? ";" : options?.comma ? "," : "";
+var getQuoteChar = (options) => options?.quote === "double" ? '"' : "'";
+var getFileTypeString = (options) => {
+  const sep2 = options?.semi ? "; " : ", ";
+  return `{ url: string${sep2}name: string }`;
+};
 var wabeTypesToTypescriptTypes = ({
   field,
-  isInput = false
+  isInput = false,
+  formatOptions
 }) => {
   switch (field.type) {
     case "Date":
-      if (isInput)
-        return "Date";
-      return "string";
+      return isInput ? "Date" : "string";
+    case "File":
+      return getFileTypeString(formatOptions);
     case "Boolean":
     case "Int":
     case "Float":
@@ -38503,12 +38662,13 @@ var wabeTypesToTypescriptTypes = ({
     case "Any":
     case "Email":
     case "Phone":
-    case "File":
     case "Hash":
       return wabePrimaryTypesToTypescriptTypes[field.type];
     case "Array":
       if (field.typeValue === "Object")
         return `Array<${field.object.name}>`;
+      if (field.typeValue === "File")
+        return `Array<${getFileTypeString(formatOptions)}>`;
       return `Array<${wabePrimaryTypesToTypescriptTypes[field.typeValue]}>`;
     case "Pointer":
       return field.class;
@@ -38520,28 +38680,31 @@ var wabeTypesToTypescriptTypes = ({
       return field.type;
   }
 };
+var fieldKey = (name, required) => `${name}${required ? "" : "undefined"}`;
 var generateWabeObject = ({
   object,
   isInput = false,
-  prefix = ""
+  prefix = "",
+  formatOptions
 }) => {
-  const objectName = object.name;
+  const objectNameWithPrefix = `${prefix}${firstLetterUpperCase(object.name)}`;
   return Object.entries(object.fields).reduce((acc, [fieldName, field]) => {
-    const type = wabeTypesToTypescriptTypes({ field, isInput });
-    const objectNameWithPrefix = `${prefix}${firstLetterUpperCase(objectName)}`;
+    const type = wabeTypesToTypescriptTypes({ field, isInput, formatOptions });
     if (field.type === "Object" || field.type === "Array" && field.typeValue === "Object") {
       const subObject = generateWabeObject({
         object: field.object,
         isInput,
-        prefix: objectNameWithPrefix
+        prefix: objectNameWithPrefix,
+        formatOptions
       });
       const isArray = field.type === "Array";
+      const subTypeName = `${objectNameWithPrefix}${firstLetterUpperCase(field.object.name)}`;
       return {
         ...acc,
         ...subObject,
         [objectNameWithPrefix]: {
           ...acc[objectNameWithPrefix],
-          [`${fieldName}${field.required ? "" : "undefined"}`]: `${isArray ? "Array<" : ""}${objectNameWithPrefix}${firstLetterUpperCase(field.object.name)}${isArray ? ">" : ""}`
+          [fieldKey(fieldName, field.required)]: isArray ? `Array<${subTypeName}>` : subTypeName
         }
       };
     }
@@ -38549,242 +38712,165 @@ var generateWabeObject = ({
       ...acc,
       [objectNameWithPrefix]: {
         ...acc[objectNameWithPrefix],
-        [`${fieldName}${field.required ? "" : "undefined"}`]: `${type}`
+        [fieldKey(fieldName, field.required)]: `${type}`
       }
     };
   }, {});
 };
-var generateWabeTypes = (classes) => {
-  const wabeTypes = classes.reduce((acc, classType) => {
-    const { name, fields } = classType;
-    const objectsToLoad = [];
-    const currentClass = Object.entries(fields).reduce((acc2, [name2, field]) => {
-      const type = wabeTypesToTypescriptTypes({ field });
-      if (field.type === "Object" || field.type === "Array" && field.typeValue === "Object") {
-        const wabeObject = generateWabeObject({ object: field.object });
-        objectsToLoad.push(wabeObject);
-      }
-      return {
-        ...acc2,
-        [`${name2}${field.required ? "" : "undefined"}`]: type
-      };
-    }, {});
-    const objects = mergeNestedStringRecords(objectsToLoad);
-    return {
-      ...acc,
-      ...objects,
-      [name]: { id: "string", ...currentClass }
-    };
-  }, {});
-  return wabeTypes;
-};
-var generateWabeWhereTypes = (classes) => {
-  const wabeTypes = classes.reduce((acc, classType) => {
-    const { name, fields } = classType;
-    const completeName = `Where${firstLetterUpperCase(name)}`;
-    const objectsToLoad = [];
-    const currentClass = Object.entries(fields).reduce((acc2, [name2, field]) => {
-      const type = wabeTypesToTypescriptTypes({ field, isInput: true });
-      if (field.type === "Object" || field.type === "Array" && field.typeValue === "Object") {
-        const wabeObject = generateWabeObject({
-          object: field.object,
-          isInput: true
-        });
-        objectsToLoad.push(wabeObject);
-      }
-      return {
-        ...acc2,
-        [`${name2}${field.required ? "" : "undefined"}`]: type
-      };
-    }, {});
-    const objects = mergeNestedStringRecords(objectsToLoad);
-    return {
-      ...acc,
-      ...objects,
-      [completeName]: { id: "string", ...currentClass }
-    };
-  }, {});
-  return wabeTypes;
-};
-var generateWabeEnumTypes = (enums) => {
-  return Object.values(enums).reduce((acc, { name, values }) => {
-    return {
-      ...acc,
-      [name]: values
-    };
-  }, {});
-};
-var generateWabeScalarTypes = (scalars) => {
-  return Object.values(scalars).reduce((acc, { name }) => {
+var mergeNestedStringRecords = (records) => Object.assign({}, ...records);
+var generateClassTypes = (classes, formatOptions, namePrefix = "", isInput = false) => classes.reduce((acc, { name, fields }) => {
+  const objectsToLoad = [];
+  const currentClass = Object.entries(fields).reduce((acc2, [fieldName, field]) => {
+    const type = wabeTypesToTypescriptTypes({ field, isInput, formatOptions });
+    if (field.type === "Object" || field.type === "Array" && field.typeValue === "Object") {
+      objectsToLoad.push(generateWabeObject({ object: field.object, isInput, formatOptions }));
+    }
     return {
-      ...acc,
-      [name]: "string"
+      ...acc2,
+      [fieldKey(fieldName, field.required)]: type
     };
   }, {});
-};
-var generateWabeMutationOrQueryInput = (mutationOrQueryName, resolver, isMutation) => {
+  const completeName = namePrefix ? `${namePrefix}${firstLetterUpperCase(name)}` : name;
+  return {
+    ...acc,
+    ...mergeNestedStringRecords(objectsToLoad),
+    [completeName]: { id: "string", ...currentClass }
+  };
+}, {});
+var generateWabeEnumTypes = (enums) => enums.reduce((acc, { name, values }) => ({ ...acc, [name]: values }), {});
+var generateWabeScalarTypes = (scalars) => scalars.reduce((acc, { name }) => ({ ...acc, [name]: "string" }), {});
+var generateWabeMutationOrQueryInput = (mutationOrQueryName, resolver, isMutation, formatOptions) => {
   const objectsToLoad = [];
-  const mutationNameWithFirstLetterUpperCase = firstLetterUpperCase(mutationOrQueryName);
-  const mutationObject = Object.entries((isMutation ? resolver.args?.input : resolver.args) || {}).reduce((acc, [name, field]) => {
-    let type = wabeTypesToTypescriptTypes({ field, isInput: true });
+  const upperName = firstLetterUpperCase(mutationOrQueryName);
+  const resolvedArgs = Object.entries((isMutation ? resolver.args?.input : resolver.args) || {}).reduce((acc, [name, field]) => {
     if (field.type === "Object") {
-      type = firstLetterInUpperCase(name);
-      const wabeObject = generateWabeObject({
-        object: {
-          ...field.object,
-          name: type
-        },
-        prefix: mutationNameWithFirstLetterUpperCase
-      });
-      objectsToLoad.push(wabeObject);
+      const typeName = firstLetterInUpperCase(name);
+      objectsToLoad.push(generateWabeObject({
+        object: { ...field.object, name: typeName },
+        prefix: upperName,
+        formatOptions
+      }));
       return {
         ...acc,
-        [`${name}${field.required ? "" : "undefined"}`]: `${mutationNameWithFirstLetterUpperCase}${type}`
+        [fieldKey(name, field.required)]: `${upperName}${typeName}`
       };
     }
     return {
       ...acc,
-      [`${name}${field.required ? "" : "undefined"}`]: type
-    };
-  }, {});
-  const objects = mergeNestedStringRecords(objectsToLoad);
-  return {
-    ...isMutation ? {
-      [`${firstLetterInUpperCase(mutationOrQueryName)}Input`]: mutationObject
-    } : {},
-    [`${isMutation ? "Mutation" : "Query"}${firstLetterInUpperCase(mutationOrQueryName)}Args`]: isMutation ? {
-      input: `${firstLetterInUpperCase(mutationOrQueryName)}Input`
-    } : mutationObject,
-    ...objects
-  };
-};
-var generateWabeMutationsAndQueriesTypes = (resolver) => {
-  const mutationsObject = Object.entries(resolver.mutations || {}).reduce((acc, [mutationName, mutation]) => {
-    return {
-      ...acc,
-      ...generateWabeMutationOrQueryInput(mutationName, mutation, true)
-    };
-  }, {});
-  const queriesObject = Object.entries(resolver.queries || {}).reduce((acc, [queryName, query]) => {
-    return {
-      ...acc,
-      ...generateWabeMutationOrQueryInput(queryName, query, false)
+      [fieldKey(name, field.required)]: wabeTypesToTypescriptTypes({
+        field,
+        isInput: true,
+        formatOptions
+      })
     };
   }, {});
+  const prettyName = firstLetterInUpperCase(mutationOrQueryName);
   return {
-    ...mutationsObject,
-    ...queriesObject
+    ...isMutation ? { [`${prettyName}Input`]: resolvedArgs } : {},
+    [`${isMutation ? "Mutation" : "Query"}${prettyName}Args`]: isMutation ? { input: `${prettyName}Input` } : resolvedArgs,
+    ...mergeNestedStringRecords(objectsToLoad)
   };
 };
-var normalizeGraphqlSchemaForComparison = (schemaContent) => {
-  try {
-    return import_graphql7.print(import_graphql7.parse(schemaContent));
-  } catch {
-    return schemaContent;
-  }
-};
-var mergeNestedStringRecords = (records) => {
-  return records.reduce((acc, currentRecord) => ({
+var generateWabeMutationsAndQueriesTypes = (resolver, formatOptions) => ({
+  ...Object.entries(resolver.mutations || {}).reduce((acc, [name, mutation]) => ({
     ...acc,
-    ...currentRecord
-  }), {});
-};
-var wrapLongGraphqlFieldArguments = ({
-  content,
-  indent,
-  printWidth
-}) => {
-  return content.split(`
-`).map((line) => {
-    if (line.length <= printWidth)
-      return line;
-    const fieldWithArgsMatch = line.match(/^(\s*)([_A-Za-z][_0-9A-Za-z]*)\((.+)\):\s*(.+)$/);
-    if (!fieldWithArgsMatch)
-      return line;
-    const [, fieldIndent = "", fieldName = "", argsString = "", returnType = ""] = fieldWithArgsMatch;
-    if (!fieldName || !argsString || !returnType)
-      return line;
-    const args = argsString.split(",").map((arg) => arg.trim()).filter((arg) => arg.length > 0);
-    if (args.length <= 1)
-      return line;
-    return `${fieldIndent}${fieldName}(
-${args.map((arg) => `${fieldIndent}${indent}${arg}`).join(`
-`)}
-${fieldIndent}): ${returnType}`;
-  }).join(`
-`);
-};
+    ...generateWabeMutationOrQueryInput(name, mutation, true, formatOptions)
+  }), {}),
+  ...Object.entries(resolver.queries || {}).reduce((acc, [name, query]) => ({
+    ...acc,
+    ...generateWabeMutationOrQueryInput(name, query, false, formatOptions)
+  }), {})
+});
 var wabeClassRecordToString = (wabeClass, options) => {
-  const indent = options?.indent ?? "\t";
-  const endChar = options?.semi ? ";" : options?.comma ? "," : "";
+  const indent = getIndent(options);
+  const endChar = getEndChar(options);
   return Object.entries(wabeClass).reduce((acc, [className, fields]) => {
-    const fieldsLength = Object.keys(fields).length;
-    if (fieldsLength === 0)
+    if (Object.keys(fields).length === 0)
       return `${acc}export type ${className} = {}
 
 `;
+    const body = Object.entries(fields).map(([name, type]) => `${indent}${name.replace("undefined", "?")}: ${type}`).join(`${endChar}
+`);
     return `${acc}export type ${className} = {
-${Object.entries(fields).map(([fieldName, fieldType]) => `${indent}${fieldName.replace("undefined", "?")}: ${fieldType}`).join(`${endChar}
-`)}${endChar}
+${body}${endChar}
 }
 
 `;
   }, "");
 };
 var wabeEnumRecordToString = (wabeEnum, options) => {
-  const indent = options?.indent ?? "\t";
+  const indent = getIndent(options);
   const endChar = options?.semi ? ";" : options?.comma ?? true ? "," : "";
-  const quoteString = options?.quote === "double" ? '"' : "'";
+  const quote = getQuoteChar(options);
   return Object.entries(wabeEnum).reduce((acc, [enumName, values]) => {
-    const valuesLength = Object.keys(values).length;
+    const hasValues = Object.keys(values).length > 0;
+    const body = Object.entries(values).map(([k, v]) => `${indent}${k} = ${quote}${v}${quote}`).join(`${endChar}
+`);
     return `${acc}export enum ${enumName} {
-${Object.entries(values).map(([valueName, value]) => `${indent}${valueName} = ${quoteString}${value}${quoteString}`).join(`${endChar}
-`)}${valuesLength > 0 ? endChar : ""}
+${body}${hasValues ? endChar : ""}
 }
 
 `;
   }, "");
 };
-var wabeScalarRecordToString = (wabeScalar) => {
-  return Object.entries(wabeScalar).reduce((acc, [scalarName, scalarType]) => {
-    return `${acc}export type ${scalarName} = ${scalarType}
+var wabeScalarRecordToString = (wabeScalar) => Object.entries(wabeScalar).reduce((acc, [name, type]) => `${acc}export type ${name} = ${type}
 
-`;
-  }, "");
-};
+`, "");
+var wrapLongGraphqlFieldArguments = ({
+  content,
+  indent,
+  printWidth
+}) => content.split(`
+`).map((line) => {
+  if (line.length <= printWidth)
+    return line;
+  const match = line.match(/^(\s*)([_A-Za-z][_0-9A-Za-z]*)\((.+)\):\s*(.+)$/);
+  if (!match)
+    return line;
+  const [, fieldIndent = "", fieldName = "", argsString = "", returnType = ""] = match;
+  if (!fieldName || !argsString || !returnType)
+    return line;
+  const args = argsString.split(",").map((arg) => arg.trim()).filter((arg) => arg.length > 0);
+  if (args.length <= 1)
+    return line;
+  const wrappedArgs = args.map((arg) => `${fieldIndent}${indent}${arg}`).join(`
+`);
+  return `${fieldIndent}${fieldName}(
+${wrappedArgs}
+${fieldIndent}): ${returnType}`;
+}).join(`
+`);
 var generateWabeDevTypes = ({
   scalars,
   enums,
   classes,
   options
 }) => {
-  const indent = options?.indent ?? "\t";
-  const endChar = options?.semi ? ";" : options?.comma ? "," : "";
-  const quoteString = options?.quote === "double" ? '"' : "'";
-  const listOfScalars = scalars?.map((scalar) => `${quoteString}${scalar.name}${quoteString}`) || [];
-  const wabeScalarType = listOfScalars.length > 0 ? `export type WabeSchemaScalars = ${listOfScalars.join(" | ")}` : `export type WabeSchemaScalars = ${quoteString}${quoteString}`;
-  const wabeEnumsGlobalTypes = enums?.map((wabeEnum) => `${wabeEnum.name}: ${wabeEnum.name}`) || [];
-  const wabeEnumsGlobalTypesString = wabeEnumsGlobalTypes.length > 0 ? `export type WabeSchemaEnums = {
-${indent}${wabeEnumsGlobalTypes.join(`${endChar}
-${indent}`)}${endChar}
-}` : "";
-  const allNames = classes.map((schema) => `${schema.name}: ${schema.name}`).filter((schema) => schema);
-  const globalWabeTypeString = allNames.length > 0 ? `export type WabeSchemaTypes = {
-${indent}${allNames.join(`${endChar}
-${indent}`)}${endChar}
-}` : "";
-  const allWhereNames = classes.map((schema) => `${schema.name}: Where${firstLetterUpperCase(schema.name)}`).filter((schema) => schema);
-  const globalWabeWhereTypeString = allWhereNames.length > 0 ? `export type WabeSchemaWhereTypes = {
-${indent}${allWhereNames.join(`${endChar}
+  const indent = getIndent(options);
+  const endChar = getEndChar(options);
+  const quote = getQuoteChar(options);
+  const wabeScalarType = scalars && scalars.length > 0 ? `export type WabeSchemaScalars = ${scalars.map((s) => `${quote}${s.name}${quote}`).join(" | ")}` : `export type WabeSchemaScalars = ${quote}${quote}`;
+  const buildTypeMap = (typeName, entries) => entries.length > 0 ? `export type ${typeName} = {
+${indent}${entries.join(`${endChar}
 ${indent}`)}${endChar}
 }` : "";
+  const wabeEnumsString = buildTypeMap("WabeSchemaEnums", enums?.map((e) => `${e.name}: ${e.name}`) ?? []);
+  const wabeTypesString = buildTypeMap("WabeSchemaTypes", classes.map((c) => `${c.name}: ${c.name}`));
+  const wabeWhereString = buildTypeMap("WabeSchemaWhereTypes", classes.map((c) => `${c.name}: Where${firstLetterUpperCase(c.name)}`));
   return `${wabeScalarType}
 
-${wabeEnumsGlobalTypesString}
+${wabeEnumsString}
 
-${globalWabeTypeString}
+${wabeTypesString}
 
-${globalWabeWhereTypeString}`;
+${wabeWhereString}`;
+};
+var normalizeGraphqlSchemaForComparison = (schemaContent) => {
+  try {
+    return import_graphql7.print(import_graphql7.parse(schemaContent));
+  } catch {
+    return schemaContent;
+  }
 };
 var generateCodegen = async ({
   schema,
@@ -38793,7 +38879,7 @@ var generateCodegen = async ({
   options
 }) => {
   let graphqlSchemaContent = import_graphql7.printSchema(graphqlSchema);
-  const indentStr = options?.indent ?? "\t";
+  const indentStr = getIndent(options);
   const printWidth = options?.printWidth ?? 100;
   const shouldEnsureFinalNewline = options?.finalNewline ?? true;
   const shouldUseSemanticComparison = options?.semanticCompare ?? true;
@@ -38817,22 +38903,13 @@ ${indentation}"""`);
   const resolvers = schema.resolvers ?? {};
   const enums = schema.enums ?? [];
   const scalars = schema.scalars ?? [];
-  const wabeClasses = generateWabeTypes(classes);
-  const wabeWhereTypes = generateWabeWhereTypes(classes);
-  const mutationsAndQueries = generateWabeMutationsAndQueriesTypes(resolvers);
+  const wabeClasses = generateClassTypes(classes, options);
+  const wabeWhereTypes = generateClassTypes(classes, options, "Where", true);
+  const mutationsAndQueries = generateWabeMutationsAndQueriesTypes(resolvers, options);
   const wabeEnumsInString = wabeEnumRecordToString(generateWabeEnumTypes(enums), options);
   const wabeScalarsInString = wabeScalarRecordToString(generateWabeScalarTypes(scalars));
-  const wabeObjectsInString = wabeClassRecordToString({
-    ...wabeClasses,
-    ...wabeWhereTypes,
-    ...mutationsAndQueries
-  }, options);
-  const wabeDevTypes = generateWabeDevTypes({
-    scalars,
-    enums,
-    classes,
-    options
-  });
+  const wabeObjectsInString = wabeClassRecordToString({ ...wabeClasses, ...wabeWhereTypes, ...mutationsAndQueries }, options);
+  const wabeDevTypes = generateWabeDevTypes({ scalars, enums, classes, options });
   const wabeTsContent = `${wabeEnumsInString}${wabeScalarsInString}${wabeObjectsInString}${wabeDevTypes}
 `;
   let shouldWriteGraphqlSchema = true;
@@ -39175,7 +39252,8 @@ class EmailOTP {
     if (!user.email)
       throw new Error("No user email found");
     const otpClass = new OTP(context.wabe.config.rootKey);
-    const otp = otpClass.generate(user.id);
+    const salt = await getOrCreateOtpSalt(context, user.id);
+    const otp = otpClass.generate(user.id, salt);
     const template = context.wabe.config.email?.htmlTemplates?.sendOTPCode;
     await emailController.send({
       from: mainEmail,
@@ -39215,10 +39293,10 @@ class EmailOTP {
     });
     const realUser = users.length > 0 ? users[0] : null;
     const userId = realUser?.id ?? DUMMY_USER_ID2;
-    const isDevBypass = !context.wabe.config.isProduction && input.otp === "000000" && realUser !== null;
     const otpClass = new OTP(context.wabe.config.rootKey);
-    const isOtpValid = otpClass.verify(input.otp, userId);
-    if (realUser && (isOtpValid || isDevBypass)) {
+    const salt = realUser ? await getOrCreateOtpSalt(context, userId) : undefined;
+    const isOtpValid = otpClass.verify(input.otp, userId, salt);
+    if (realUser && isOtpValid) {
       clearRateLimit(context, "verifyChallenge", rateLimitKey);
       return { userId: realUser.id };
     }
@@ -39262,10 +39340,10 @@ class QRCodeOTP {
     });
     const realUser = users.length > 0 ? users[0] : null;
     const userId = realUser?.id ?? DUMMY_USER_ID3;
-    const isDevBypass = !context.wabe.config.isProduction && input.otp === "000000" && realUser !== null;
     const otpClass = new OTP(context.wabe.config.rootKey);
-    const isOtpValid = otpClass.authenticatorVerify(input.otp, userId);
-    if (realUser && (isOtpValid || isDevBypass)) {
+    const salt = realUser ? await getOrCreateOtpSalt(context, userId) : undefined;
+    const isOtpValid = otpClass.authenticatorVerify(input.otp, userId, salt);
+    if (realUser && isOtpValid) {
       clearRateLimit(context, "verifyChallenge", rateLimitKey);
       return { userId: realUser.id };
     }
@@ -51773,34 +51851,39 @@ class Wabe {
     this.server.options("/*", (ctx) => {
       return ctx.res.send("OK");
     }, cors(this.config.security?.corsOptions));
-    const rateLimitOptions = this.config.security?.rateLimit;
+    const rateLimitOptions = this.config.security?.rateLimit || (this.config.isProduction ? {
+      numberOfRequests: 200,
+      interval: 60000
+    } : undefined);
     if (rateLimitOptions)
       this.server.beforeHandler(rateLimit(rateLimitOptions));
     this.server.beforeHandler(cors(this.config.security?.corsOptions));
     this.server.beforeHandler(this.config.authentication?.sessionHandler || defaultSessionHandler(this));
-    const maxDepth = this.config.security?.maxGraphqlDepth ?? 50;
+    const maxDepth = this.config.security?.maxGraphqlDepth ?? (this.config.isProduction ? 15 : 50);
+    const introspectionDisabled = this.config.security?.disableIntrospection ?? this.config.isProduction;
+    const disableGraphQLDashboard = this.config.security?.disableGraphQLDashboard ?? this.config.isProduction;
     await this.server.usePlugin(M({
       schema: this.config.graphqlSchema,
-      allowGetRequests: !(this.config.security?.disableGraphQLDashboard ?? false),
+      allowGetRequests: !disableGraphQLDashboard,
       maskedErrors: this.config.security?.hideSensitiveErrorMessage || this.config.isProduction,
-      allowIntrospection: !(this.config.security?.disableIntrospection ?? false),
+      allowIntrospection: !introspectionDisabled,
       maxDepth,
       allowMultipleOperations: true,
       graphqlEndpoint: "/graphql",
       plugins: [
         (() => {
-          const introspectionDisabled = new WeakSet;
+          const introspectionDisabledRequests = new WeakSet;
           return {
             onRequestParse: ({ request }) => {
-              if (!(this.config.security?.disableIntrospection ?? false))
+              if (!introspectionDisabled)
                 return;
-              introspectionDisabled.add(request);
+              introspectionDisabledRequests.add(request);
             },
             onValidate: ({
               addValidationRule,
               context
             }) => {
-              if (introspectionDisabled.has(context.request)) {
+              if (introspectionDisabledRequests.has(context.request)) {
                 addValidationRule(import_graphql52.NoSchemaIntrospectionCustomRule);
               }
             }
@@ -51816,6 +51899,9 @@ class Wabe {
     await initializeRoles(this);
   }
   async close() {
+    this.config.crons?.forEach(({ job }) => {
+      job?.stop?.();
+    });
     await this.controllers.database.close();
     await this.server.stop();
   }
@@ -52356,8 +52442,10 @@ export {
   isArgon2Hash,
   initializeHook,
   hashArgon2,
+  getOrCreateOtpSalt,
   getDefaultHooks,
   getDatabaseController,
+  generateOtpSalt,
   generateCodegen,
   encryptDeterministicToken,
   defaultRoutes,