npm - wabe - Versions diffs - 0.6.9 → 0.6.11 - Mend

wabe 0.6.9 → 0.6.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (162) hide show

package/README.md +156 -50
package/bucket/b.txt +1 -0
package/dev/index.ts +215 -0
package/dist/authentication/Session.d.ts +4 -1
package/dist/authentication/interface.d.ts +16 -0
package/dist/cron/index.d.ts +0 -1
package/dist/database/DatabaseController.d.ts +41 -13
package/dist/database/interface.d.ts +1 -0
package/dist/email/DevAdapter.d.ts +0 -1
package/dist/email/interface.d.ts +1 -1
package/dist/graphql/resolvers.d.ts +4 -2
package/dist/hooks/index.d.ts +8 -2
package/dist/index.d.ts +0 -1
package/dist/index.js +32144 -32058
package/dist/schema/Schema.d.ts +2 -1
package/dist/server/index.d.ts +4 -2
package/dist/utils/crypto.d.ts +7 -0
package/dist/utils/helper.d.ts +5 -1
package/generated/schema.graphql +22 -14
package/generated/wabe.ts +4 -4
package/package.json +23 -23
package/src/authentication/OTP.test.ts +69 -0
package/src/authentication/OTP.ts +64 -0
package/src/authentication/Session.test.ts +629 -0
package/src/authentication/Session.ts +493 -0
package/src/authentication/defaultAuthentication.ts +209 -0
package/src/authentication/index.ts +3 -0
package/src/authentication/interface.ts +155 -0
package/src/authentication/oauth/GitHub.test.ts +91 -0
package/src/authentication/oauth/GitHub.ts +121 -0
package/src/authentication/oauth/Google.test.ts +91 -0
package/src/authentication/oauth/Google.ts +101 -0
package/src/authentication/oauth/Oauth2Client.test.ts +219 -0
package/src/authentication/oauth/Oauth2Client.ts +135 -0
package/src/authentication/oauth/index.ts +2 -0
package/src/authentication/oauth/utils.test.ts +33 -0
package/src/authentication/oauth/utils.ts +27 -0
package/src/authentication/providers/EmailOTP.test.ts +127 -0
package/src/authentication/providers/EmailOTP.ts +84 -0
package/src/authentication/providers/EmailPassword.test.ts +176 -0
package/src/authentication/providers/EmailPassword.ts +116 -0
package/src/authentication/providers/EmailPasswordSRP.test.ts +208 -0
package/src/authentication/providers/EmailPasswordSRP.ts +179 -0
package/src/authentication/providers/GitHub.ts +24 -0
package/src/authentication/providers/Google.ts +24 -0
package/src/authentication/providers/OAuth.test.ts +185 -0
package/src/authentication/providers/OAuth.ts +106 -0
package/src/authentication/providers/PhonePassword.test.ts +176 -0
package/src/authentication/providers/PhonePassword.ts +115 -0
package/src/authentication/providers/QRCodeOTP.test.ts +77 -0
package/src/authentication/providers/QRCodeOTP.ts +58 -0
package/src/authentication/providers/index.ts +6 -0
package/src/authentication/resolvers/refreshResolver.test.ts +30 -0
package/src/authentication/resolvers/refreshResolver.ts +19 -0
package/src/authentication/resolvers/signInWithResolver.inte.test.ts +59 -0
package/src/authentication/resolvers/signInWithResolver.test.ts +293 -0
package/src/authentication/resolvers/signInWithResolver.ts +92 -0
package/src/authentication/resolvers/signOutResolver.test.ts +38 -0
package/src/authentication/resolvers/signOutResolver.ts +18 -0
package/src/authentication/resolvers/signUpWithResolver.test.ts +180 -0
package/src/authentication/resolvers/signUpWithResolver.ts +65 -0
package/src/authentication/resolvers/verifyChallenge.test.ts +133 -0
package/src/authentication/resolvers/verifyChallenge.ts +62 -0
package/src/authentication/roles.test.ts +49 -0
package/src/authentication/roles.ts +40 -0
package/src/authentication/utils.test.ts +97 -0
package/src/authentication/utils.ts +39 -0
package/src/cache/InMemoryCache.test.ts +62 -0
package/src/cache/InMemoryCache.ts +45 -0
package/src/cron/index.test.ts +17 -0
package/src/cron/index.ts +43 -0
package/src/database/DatabaseController.test.ts +613 -0
package/src/database/DatabaseController.ts +1007 -0
package/src/database/index.test.ts +1372 -0
package/src/database/index.ts +9 -0
package/src/database/interface.ts +302 -0
package/src/email/DevAdapter.ts +7 -0
package/src/email/EmailController.test.ts +29 -0
package/src/email/EmailController.ts +13 -0
package/src/email/index.ts +2 -0
package/src/email/interface.ts +36 -0
package/src/email/templates/sendOtpCode.ts +120 -0
package/src/file/FileController.ts +28 -0
package/src/file/FileDevAdapter.ts +51 -0
package/src/file/hookDeleteFile.ts +25 -0
package/src/file/hookReadFile.ts +66 -0
package/src/file/hookUploadFile.ts +50 -0
package/src/file/index.test.ts +932 -0
package/src/file/index.ts +2 -0
package/src/file/interface.ts +39 -0
package/src/graphql/GraphQLSchema.test.ts +4408 -0
package/src/graphql/GraphQLSchema.ts +880 -0
package/src/graphql/index.ts +2 -0
package/src/graphql/parseGraphqlSchema.ts +85 -0
package/src/graphql/parser.test.ts +203 -0
package/src/graphql/parser.ts +542 -0
package/src/graphql/pointerAndRelationFunction.ts +191 -0
package/src/graphql/resolvers.ts +442 -0
package/src/graphql/tests/aggregation.test.ts +1115 -0
package/src/graphql/tests/e2e.test.ts +590 -0
package/src/graphql/tests/scalars.test.ts +250 -0
package/src/graphql/types.ts +227 -0
package/src/hooks/HookObject.test.ts +122 -0
package/src/hooks/HookObject.ts +165 -0
package/src/hooks/authentication.ts +67 -0
package/src/hooks/createUser.test.ts +77 -0
package/src/hooks/createUser.ts +10 -0
package/src/hooks/defaultFields.test.ts +176 -0
package/src/hooks/defaultFields.ts +32 -0
package/src/hooks/deleteSession.test.ts +181 -0
package/src/hooks/deleteSession.ts +20 -0
package/src/hooks/hashFieldHook.test.ts +152 -0
package/src/hooks/hashFieldHook.ts +89 -0
package/src/hooks/index.test.ts +258 -0
package/src/hooks/index.ts +414 -0
package/src/hooks/permissions.test.ts +412 -0
package/src/hooks/permissions.ts +93 -0
package/src/hooks/protected.test.ts +551 -0
package/src/hooks/protected.ts +60 -0
package/src/hooks/searchableFields.test.ts +147 -0
package/src/hooks/searchableFields.ts +86 -0
package/src/hooks/session.test.ts +134 -0
package/src/hooks/session.ts +76 -0
package/src/hooks/setEmail.test.ts +216 -0
package/src/hooks/setEmail.ts +33 -0
package/src/hooks/setupAcl.test.ts +618 -0
package/src/hooks/setupAcl.ts +25 -0
package/src/index.ts +9 -0
package/src/schema/Schema.test.ts +482 -0
package/src/schema/Schema.ts +757 -0
package/src/schema/defaultResolvers.ts +93 -0
package/src/schema/index.ts +1 -0
package/src/schema/resolvers/meResolver.test.ts +62 -0
package/src/schema/resolvers/meResolver.ts +10 -0
package/src/schema/resolvers/resetPassword.test.ts +341 -0
package/src/schema/resolvers/resetPassword.ts +63 -0
package/src/schema/resolvers/sendEmail.test.ts +118 -0
package/src/schema/resolvers/sendEmail.ts +21 -0
package/src/schema/resolvers/sendOtpCode.test.ts +141 -0
package/src/schema/resolvers/sendOtpCode.ts +52 -0
package/src/security.test.ts +3434 -0
package/src/server/defaultSessionHandler.test.ts +62 -0
package/src/server/defaultSessionHandler.ts +105 -0
package/src/server/generateCodegen.ts +433 -0
package/src/server/index.test.ts +532 -0
package/src/server/index.ts +334 -0
package/src/server/interface.ts +11 -0
package/src/server/routes/authHandler.ts +169 -0
package/src/server/routes/index.ts +39 -0
package/src/utils/crypto.test.ts +41 -0
package/src/utils/crypto.ts +105 -0
package/src/utils/export.ts +11 -0
package/src/utils/helper.ts +204 -0
package/src/utils/index.test.ts +11 -0
package/src/utils/index.ts +189 -0
package/src/utils/preload.ts +8 -0
package/src/utils/testHelper.ts +116 -0
package/tsconfig.json +32 -0
package/bunfig.toml +0 -4
package/dist/ai/index.d.ts +0 -1
package/dist/ai/interface.d.ts +0 -9
/package/dist/server/{defaultHandlers.d.ts → defaultSessionHandler.d.ts} +0 -0

package/dist/schema/Schema.d.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import type { WabeConfig, WabeTypes } from "../server";
 import type { HookObject } from "../hooks/HookObject";
+export declare const defaultPrivateFields: unknown;
 export type WabePrimaryTypes = "String" | "Int" | "Float" | "Boolean" | "Email" | "Phone" | "Date" | "File" | "Hash";
 export type WabeCustomTypes = "Array" | "Object";
 export type WabeRelationTypes = "Pointer" | "Relation";
@@ -54,7 +55,7 @@ type TypeFieldFile = {
 	type: "File";
 };
 type TypeFieldCustomScalars<T extends WabeTypes> = {
-	type: T["scalars"];
+	type: T["scalars"] extends "" ? never : T["scalars"];
 	required?: boolean;
 	defaultValue?: any;
 };

package/dist/server/index.d.ts CHANGED Viewed

@@ -11,7 +11,6 @@ import type { Context, CorsOptions, RateLimitOptions } from "wobe";
 import type { WabeContext } from "./interface";
 import type { EmailConfig } from "../email";
 import { EmailController } from "../email/EmailController";
-import type { AIConfig } from "../ai";
 import { FileController } from "../file/FileController";
 import type { CronConfig } from "../cron";
 import type { FileConfig } from "../file";
@@ -19,9 +18,13 @@ type SecurityConfig = {
 	corsOptions?: CorsOptions;
 	rateLimit?: RateLimitOptions;
 	hideSensitiveErrorMessage?: boolean;
+	disableCSRFProtection?: boolean;
+	allowIntrospectionInProduction?: boolean;
+	maxGraphqlDepth?: number;
 };
 export * from "./interface";
 export * from "./routes";
+export declare const defaultRoles: unknown;
 export interface WabeConfig<T extends WabeTypes> {
 	port: number;
 	isProduction: boolean;
@@ -41,7 +44,6 @@ export interface WabeConfig<T extends WabeTypes> {
 	rootKey: string;
 	hooks?: Hook<T, any>[];
 	email?: EmailConfig;
-	ai?: AIConfig;
 	file?: FileConfig<T>;
 	crons?: CronConfig<T>;
 }

package/dist/utils/crypto.d.ts CHANGED Viewed

@@ -9,3 +9,10 @@ export declare const hashArgon2: unknown;
 */
 export declare const verifyArgon2: unknown;
 export declare const isArgon2Hash: (value: string) => boolean;
+/**
+* Deterministic AES-256-GCM encryption for tokens.
+* IV is derived via HMAC-SHA256(key, token) to allow equality checks without storing plaintext.
+* Caller must provide a strong 32-byte key (already derived/hashed).
+*/
+export declare const encryptDeterministicToken: (token: string, key: Buffer) => string;
+export declare const decryptDeterministicToken: (encryptedToken: string | undefined, key: Buffer) => string | null;

package/dist/utils/helper.d.ts CHANGED Viewed

@@ -7,10 +7,14 @@ export interface DevWabeTypes extends WabeTypes {
 	enums: WabeSchemaEnums;
 	where: WabeSchemaWhereTypes;
 }
+export declare const selectFieldsWithoutPrivateFields: <T extends Record<string, any>>(select?: T) => T;
 export declare const firstLetterUpperCase: (str: string) => string;
 export declare const getGraphqlClient: (port: number) => GraphQLClient;
 export declare const getAnonymousClient: (port: number) => GraphQLClient;
-export declare const getUserClient: (port: number, accessToken: string) => GraphQLClient;
+export declare const getUserClient: (port: number, options: {
+	accessToken?: string;
+	csrfToken?: string;
+}) => GraphQLClient;
 export declare const getAdminUserClient: (port: number, wabe: Wabe<DevWabeTypes>, { email, password }: {
 	email: string;
 	password: string;

package/generated/schema.graphql CHANGED Viewed

@@ -425,9 +425,9 @@ input PostRelationInput {
 type _Session {
   id: ID!
   user: User
-  accessToken: String!
+  accessTokenEncrypted: String!
   accessTokenExpiresAt: Date!
-  refreshToken: String
+  refreshTokenEncrypted: String!
   refreshTokenExpiresAt: Date!
   acl: _SessionACLObject
   createdAt: Date
@@ -454,9 +454,9 @@ type _SessionACLObjectRolesACL {
 input _SessionInput {
   user: UserPointerInput
-  accessToken: String!
+  accessTokenEncrypted: String!
   accessTokenExpiresAt: Date!
-  refreshToken: String
+  refreshTokenEncrypted: String!
   refreshTokenExpiresAt: Date!
   acl: _SessionACLObjectInput
   createdAt: Date
@@ -490,9 +490,9 @@ input _SessionPointerInput {
 input _SessionCreateFieldsInput {
   user: UserPointerInput
-  accessToken: String
+  accessTokenEncrypted: String
   accessTokenExpiresAt: Date
-  refreshToken: String
+  refreshTokenEncrypted: String
   refreshTokenExpiresAt: Date
   acl: _SessionACLObjectCreateFieldsInput
   createdAt: Date
@@ -766,6 +766,7 @@ input StringWhereInput {
   notEqualTo: String
   in: [String]
   notIn: [String]
+  exists: Boolean
 }
 input IntWhereInput {
@@ -777,6 +778,7 @@ input IntWhereInput {
   greaterThanOrEqualTo: Int
   in: [Int]
   notIn: [Int]
+  exists: Boolean
 }
 input EmailWhereInput {
@@ -784,6 +786,7 @@ input EmailWhereInput {
   notEqualTo: Email
   in: [Email]
   notIn: [Email]
+  exists: Boolean
 }
 input UserACLObjectWhereInput {
@@ -806,6 +809,7 @@ input BooleanWhereInput {
   notEqualTo: Boolean
   in: [Boolean]
   notIn: [Boolean]
+  exists: Boolean
 }
 input UserACLObjectRolesACLWhereInput {
@@ -825,6 +829,7 @@ input DateWhereInput {
   lessThanOrEqualTo: Date
   greaterThan: Date
   greaterThanOrEqualTo: Date
+  exists: Boolean
 }
 input SearchWhereInput {
@@ -865,6 +870,7 @@ input PhoneWhereInput {
   notEqualTo: Phone
   in: [Phone]
   notIn: [Phone]
+  exists: Boolean
 }
 input UserAuthenticationEmailPasswordWhereInput {
@@ -892,6 +898,7 @@ input UserAuthenticationGithubWhereInput {
 input AnyWhereInput {
   equalTo: Any
   notEqualTo: Any
+  exists: Boolean
 }
 """
@@ -937,9 +944,9 @@ input RoleACLObjectRolesACLWhereInput {
 input _SessionWhereInput {
   id: IdWhereInput
   user: UserWhereInput
-  accessToken: StringWhereInput
+  accessTokenEncrypted: StringWhereInput
   accessTokenExpiresAt: DateWhereInput
-  refreshToken: StringWhereInput
+  refreshTokenEncrypted: StringWhereInput
   refreshTokenExpiresAt: DateWhereInput
   acl: _SessionACLObjectWhereInput
   createdAt: DateWhereInput
@@ -1050,6 +1057,7 @@ input ArrayWhereInput {
   notEqualTo: Any
   contains: Any
   notContains: Any
+  exists: Boolean
 }
 input PostACLObjectWhereInput {
@@ -1099,12 +1107,12 @@ enum PostOrder {
 enum _SessionOrder {
   user_ASC
   user_DESC
-  accessToken_ASC
-  accessToken_DESC
+  accessTokenEncrypted_ASC
+  accessTokenEncrypted_DESC
   accessTokenExpiresAt_ASC
   accessTokenExpiresAt_DESC
-  refreshToken_ASC
-  refreshToken_DESC
+  refreshTokenEncrypted_ASC
+  refreshTokenEncrypted_DESC
   refreshTokenExpiresAt_ASC
   refreshTokenExpiresAt_DESC
   acl_ASC
@@ -1507,9 +1515,9 @@ input Update_SessionInput {
 input _SessionUpdateFieldsInput {
   user: UserPointerInput
-  accessToken: String
+  accessTokenEncrypted: String
   accessTokenExpiresAt: Date
-  refreshToken: String
+  refreshTokenEncrypted: String
   refreshTokenExpiresAt: Date
   acl: _SessionACLObjectUpdateFieldsInput
   createdAt: Date

package/generated/wabe.ts CHANGED Viewed

@@ -116,9 +116,9 @@ export type Post = {
 export type _Session = {
 	id: string,
 	user: User,
-	accessToken: string,
+	accessTokenEncrypted: string,
 	accessTokenExpiresAt: string,
-	refreshToken?: string,
+	refreshTokenEncrypted: string,
 	refreshTokenExpiresAt: string,
 	acl?: ACLObject,
 	createdAt?: string,
@@ -181,9 +181,9 @@ export type WherePost = {
 export type Where_Session = {
 	id: string,
 	user: User,
-	accessToken: string,
+	accessTokenEncrypted: string,
 	accessTokenExpiresAt: Date,
-	refreshToken?: string,
+	refreshTokenEncrypted: string,
 	refreshTokenExpiresAt: Date,
 	acl?: ACLObject,
 	createdAt?: Date,

package/package.json CHANGED Viewed

@@ -1,19 +1,19 @@
 {
 	"name": "wabe",
-	"version": "0.6.9",
-	"description": "Your backend in minutes not days",
-	"homepage": "https://wabe.dev",
-	"author": {
-		"name": "coratgerl",
-		"url": "https://github.com/coratgerl"
-	},
-	"license": "Apache-2.0",
+	"version": "0.6.11",
+	"description": "Your backend without vendor lock-in in Typescript",
 	"keywords": [
+		"baas",
 		"backend",
-		"wabe",
 		"graphql",
-		"baas"
+		"wabe"
 	],
+	"homepage": "https://palixir.github.io/wabe/",
+	"license": "Apache-2.0",
+	"author": {
+		"name": "coratgerl",
+		"url": "https://github.com/coratgerl"
+	},
 	"repository": {
 		"type": "git",
 		"url": "git+https://github.com/palixir/wabe.git"
@@ -22,33 +22,33 @@
 	"scripts": {
 		"build": "bun --filter wabe-build build:package $(pwd)",
 		"check": "tsc --project $(pwd)/tsconfig.json",
-		"lint": "biome lint . --no-errors-on-unmatched --config-path=../../",
+		"lint": "oxlint .",
 		"ci": "bun generate:codegen && bun lint $(pwd) && bun check && bun test src",
-		"format": "biome format --write . --config-path=../../",
+		"format": "oxfmt --write .",
 		"dev": "bun run --watch dev/index.ts",
 		"generate:codegen": "touch generated/wabe.ts && CODEGEN=true bun dev/index.ts"
 	},
 	"dependencies": {
-		"@graphql-yoga/plugin-disable-introspection": "2.10.9",
 		"croner": "9.0.0",
+		"graphql": "16.12.0",
 		"js-srp6a": "1.0.2",
 		"jsonwebtoken": "9.0.2",
 		"libphonenumber-js": "1.11.18",
 		"otplib": "12.0.1",
-		"p-retry": "6.2.1",
-		"wobe": "1.1.10",
-		"wobe-graphql-yoga": "1.2.6"
+		"p-retry": "7.1.0",
+		"wobe": "1.1.15",
+		"wobe-graphql-yoga": "1.2.9"
 	},
 	"devDependencies": {
 		"@types/jsonwebtoken": "9.0.6",
 		"@types/uuid": "9.0.6",
-		"graphql-request": "6.1.0",
 		"get-port": "7.1.0",
-		"uuid": "10.0.0",
-		"wabe-mongodb-launcher": "workspace:*",
-		"wabe-pluralize": "workspace:*",
-		"wabe-build": "workspace:*",
-		"wabe-mongodb": "workspace:*",
-		"wabe": "workspace:*"
+		"graphql-request": "6.1.0",
+		"uuid": "13.0.0",
+		"wabe": "0.6.11",
+		"wabe-build": "0.5.0",
+		"wabe-mongodb": "0.5.3",
+		"wabe-mongodb-launcher": "0.5.2",
+		"wabe-pluralize": "0.0.1"
 	}
 }

package/src/authentication/OTP.test.ts ADDED Viewed

@@ -0,0 +1,69 @@
+import { describe, it, expect } from 'bun:test'
+import { OTP } from './OTP'
+describe('OTP', () => {
+	it('should generate a valid OTP code', () => {
+		const otp = new OTP('rootKey')
+		const otpValue = otp.generate('userId')
+		expect(otpValue.length).toBe(6)
+	})
+	it('should verify a valid OTP code', () => {
+		const otp = new OTP('rootKey')
+		const otpValue = otp.generate('userId')
+		expect(otpValue.length).toBe(6)
+		expect(otp.verify(otpValue, 'userId')).toBe(true)
+	})
+	it('should not verify an invalid OTP code', () => {
+		const otp = new OTP('rootKey')
+		const otpValue = otp.generate('userId')
+		expect(otpValue.length).toBe(6)
+		expect(otp.verify('invalidOtp', 'userId')).toBe(false)
+		const otpValue2 = otp.generate('invalidUserId')
+		expect(otpValue2.length).toBe(6)
+		expect(otp.verify(otpValue2, 'userId')).toBe(false)
+	})
+	it('should not verify an invalid OTP code (more than 5 minutes)', () => {
+		// Directly test the timeout is flaky we only test that the correct value is passed to totp
+		const otp = new OTP('rootKey')
+		expect(otp.internalTotp.options.window).toEqual([1, 0])
+	})
+	it('should generate a valid keyuri', () => {
+		const otp = new OTP('rootKey')
+		const keyuri = otp.generateKeyuri({
+			userId: 'userId',
+			emailOrUsername: 'email@test.fr',
+			applicationName: 'Wabe',
+		})
+		expect(keyuri).toBe(
+			'otpauth://totp/Wabe:email%40test.fr?secret=O54OZDANWM2YFHJKJMMVMQSV7DUMUZFT3BWE4Z5NOQCAATGGHKYA&period=30&digits=6&algorithm=SHA1&issuer=Wabe',
+		)
+	})
+	it('should verify an OTP generated from authenticator', () => {
+		const otp = new OTP('rootKey')
+		const code = otp.authenticatorGenerate('userId')
+		const isValid = otp.authenticatorVerify(code, 'userId')
+		expect(isValid).toBe(true)
+	})
+})

package/src/authentication/OTP.ts ADDED Viewed

@@ -0,0 +1,64 @@
+import { totp, authenticator } from 'otplib'
+import type { TOTP } from 'otplib/core'
+import { createHash } from 'node:crypto'
+import { base32Encode } from 'src/utils'
+const ONE_WINDOW = 1
+export class OTP {
+	private secret: string
+	public internalTotp: TOTP
+	constructor(rootKey: string) {
+		this.secret = rootKey
+		this.internalTotp = totp.clone({
+			window: [ONE_WINDOW, 0],
+		})
+	}
+	deriveSecret(userId: string): string {
+		const hash = createHash('sha256').update(`${this.secret}:${userId}`).digest()
+		return base32Encode(hash, 'RFC4648', { padding: false })
+	}
+	generate(userId: string): string {
+		const secret = this.deriveSecret(userId)
+		return this.internalTotp.generate(secret)
+	}
+	verify(otp: string, userId: string): boolean {
+		const secret = this.deriveSecret(userId)
+		return this.internalTotp.verify({ secret, token: otp })
+	}
+	authenticatorGenerate(userId: string): string {
+		const secret = this.deriveSecret(userId)
+		return authenticator.generate(secret)
+	}
+	authenticatorVerify(otp: string, userId: string): boolean {
+		const secret = this.deriveSecret(userId)
+		return authenticator.verify({
+			secret,
+			token: otp,
+		})
+	}
+	generateKeyuri({
+		userId,
+		emailOrUsername,
+		applicationName,
+	}: {
+		userId: string
+		emailOrUsername: string
+		applicationName: string
+	}): string {
+		const secret = this.deriveSecret(userId)
+		return authenticator.keyuri(emailOrUsername, applicationName, secret)
+	}
+}