buildmymcpserver/packages/auth/src/index.ts

import crypto from 'node:crypto';
import { and, createDb, eq, gt, type Database, magicLinks, memberships, organizations, sessions, users } from '@bmm/db';

const MAGIC_LINK_TTL_MS = 15 * 60 * 1000; // 15 min
const SESSION_TTL_MS = 30 * 24 * 60 * 60 * 1000; // 30 days

function sha256(input: string): string {
  return crypto.createHash('sha256').update(input).digest('hex');
}

function randomToken(bytes = 32): string {
  return crypto.randomBytes(bytes).toString('base64url');
}

function slugify(input: string): string {
  return input
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, '-')
    .replace(/(^-|-$)/g, '')
    .slice(0, 48) || 'org';
}

export interface MagicLinkIssued {
  token: string;
  expiresAt: Date;
}

export async function issueMagicLink(email: string, db: Database = createDb()): Promise<MagicLinkIssued> {
  const lower = email.trim().toLowerCase();
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(lower)) {
    throw new Error('invalid_email');
  }
  const token = randomToken(32);
  const tokenHash = sha256(token);
  const expiresAt = new Date(Date.now() + MAGIC_LINK_TTL_MS);
  await db.insert(magicLinks).values({ email: lower, tokenHash, expiresAt });
  return { token, expiresAt };
}

export interface ConsumedSession {
  sessionToken: string;
  userId: string;
  orgId: string;
  email: string;
}

export async function consumeMagicLink(
  token: string,
  meta: { ipAddress?: string; userAgent?: string } = {},
  db: Database = createDb(),
): Promise<ConsumedSession> {
  const tokenHash = sha256(token);
  const [row] = await db
    .select()
    .from(magicLinks)
    .where(and(eq(magicLinks.tokenHash, tokenHash), gt(magicLinks.expiresAt, new Date())))
    .limit(1);
  if (!row || row.consumedAt) {
    throw new Error('invalid_or_expired_token');
  }
  await db.update(magicLinks).set({ consumedAt: new Date() }).where(eq(magicLinks.id, row.id));

  // Get or create user + default org
  let user = (await db.select().from(users).where(eq(users.email, row.email)).limit(1))[0];
  if (!user) {
    [user] = await db
      .insert(users)
      .values({ email: row.email, emailVerified: true })
      .returning();
    const orgSlug = `${slugify(row.email.split('@')[0] ?? 'me')}-${randomToken(3).toLowerCase()}`;
    const [org] = await db
      .insert(organizations)
      .values({ slug: orgSlug, name: `${row.email.split('@')[0]}'s workspace` })
      .returning();
    if (!org) throw new Error('org_create_failed');
    await db.insert(memberships).values({ orgId: org.id, userId: user!.id, role: 'owner' });
  } else if (!user.emailVerified) {
    await db.update(users).set({ emailVerified: true }).where(eq(users.id, user.id));
  }

  if (!user) throw new Error('user_resolve_failed');

  const [membership] = await db
    .select()
    .from(memberships)
    .where(eq(memberships.userId, user.id))
    .limit(1);
  if (!membership) throw new Error('no_org_membership');

  const sessionToken = randomToken(32);
  const sessionHash = sha256(sessionToken);
  await db.insert(sessions).values({
    userId: user.id,
    tokenHash: sessionHash,
    expiresAt: new Date(Date.now() + SESSION_TTL_MS),
    ipAddress: meta.ipAddress,
    userAgent: meta.userAgent,
  });

  return { sessionToken, userId: user.id, orgId: membership.orgId, email: user.email };
}

export interface AuthedUser {
  userId: string;
  orgId: string;
  email: string;
  role: string;
}

export async function getSession(
  sessionToken: string | null | undefined,
  db: Database = createDb(),
): Promise<AuthedUser | null> {
  if (!sessionToken) return null;
  const hash = sha256(sessionToken);
  const [row] = await db
    .select({
      userId: sessions.userId,
      expiresAt: sessions.expiresAt,
      email: users.email,
    })
    .from(sessions)
    .innerJoin(users, eq(users.id, sessions.userId))
    .where(eq(sessions.tokenHash, hash))
    .limit(1);
  if (!row || row.expiresAt < new Date()) return null;
  const [membership] = await db
    .select({ orgId: memberships.orgId, role: memberships.role })
    .from(memberships)
    .where(eq(memberships.userId, row.userId))
    .limit(1);
  if (!membership) return null;
  return { userId: row.userId, orgId: membership.orgId, email: row.email, role: membership.role };
}

export async function destroySession(sessionToken: string, db: Database = createDb()): Promise<void> {
  const hash = sha256(sessionToken);
  await db.delete(sessions).where(eq(sessions.tokenHash, hash));
}

export const __test = { sha256, randomToken, slugify };
feat(types,auth): zod contracts + magic-link session auth 2026-05-19 00:22:17 +02:00			`import crypto from 'node:crypto';`
			`import { and, createDb, eq, gt, type Database, magicLinks, memberships, organizations, sessions, users } from '@bmm/db';`

			`const MAGIC_LINK_TTL_MS = 15 * 60 * 1000; // 15 min`
			`const SESSION_TTL_MS = 30 * 24 * 60 * 60 * 1000; // 30 days`

			`function sha256(input: string): string {`
			`return crypto.createHash('sha256').update(input).digest('hex');`
			`}`

			`function randomToken(bytes = 32): string {`
			`return crypto.randomBytes(bytes).toString('base64url');`
			`}`

			`function slugify(input: string): string {`
			`return input`
			`.toLowerCase()`
			`.replace(/[^a-z0-9]+/g, '-')`
			`.replace(/(^-\|-$)/g, '')`
			`.slice(0, 48) \|\| 'org';`
			`}`

			`export interface MagicLinkIssued {`
			`token: string;`
			`expiresAt: Date;`
			`}`

			`export async function issueMagicLink(email: string, db: Database = createDb()): Promise<MagicLinkIssued> {`
			`const lower = email.trim().toLowerCase();`
			`if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(lower)) {`
			`throw new Error('invalid_email');`
			`}`
			`const token = randomToken(32);`
			`const tokenHash = sha256(token);`
			`const expiresAt = new Date(Date.now() + MAGIC_LINK_TTL_MS);`
			`await db.insert(magicLinks).values({ email: lower, tokenHash, expiresAt });`
			`return { token, expiresAt };`
			`}`

			`export interface ConsumedSession {`
			`sessionToken: string;`
			`userId: string;`
			`orgId: string;`
			`email: string;`
			`}`

			`export async function consumeMagicLink(`
			`token: string,`
			`meta: { ipAddress?: string; userAgent?: string } = {},`
			`db: Database = createDb(),`
			`): Promise<ConsumedSession> {`
			`const tokenHash = sha256(token);`
			`const [row] = await db`
			`.select()`
			`.from(magicLinks)`
			`.where(and(eq(magicLinks.tokenHash, tokenHash), gt(magicLinks.expiresAt, new Date())))`
			`.limit(1);`
			`if (!row \|\| row.consumedAt) {`
			`throw new Error('invalid_or_expired_token');`
			`}`
			`await db.update(magicLinks).set({ consumedAt: new Date() }).where(eq(magicLinks.id, row.id));`

			`// Get or create user + default org`
			`let user = (await db.select().from(users).where(eq(users.email, row.email)).limit(1))[0];`
			`if (!user) {`
			`[user] = await db`
			`.insert(users)`
			`.values({ email: row.email, emailVerified: true })`
			`.returning();`
			const orgSlug = `${slugify(row.email.split('@')[0] ?? 'me')}-${randomToken(3).toLowerCase()}`;
			`const [org] = await db`
			`.insert(organizations)`
			.values({ slug: orgSlug, name: `${row.email.split('@')[0]}'s workspace` })
			`.returning();`
			`if (!org) throw new Error('org_create_failed');`
			`await db.insert(memberships).values({ orgId: org.id, userId: user!.id, role: 'owner' });`
			`} else if (!user.emailVerified) {`
			`await db.update(users).set({ emailVerified: true }).where(eq(users.id, user.id));`
			`}`

			`if (!user) throw new Error('user_resolve_failed');`

			`const [membership] = await db`
			`.select()`
			`.from(memberships)`
			`.where(eq(memberships.userId, user.id))`
			`.limit(1);`
			`if (!membership) throw new Error('no_org_membership');`

			`const sessionToken = randomToken(32);`
			`const sessionHash = sha256(sessionToken);`
			`await db.insert(sessions).values({`
			`userId: user.id,`
			`tokenHash: sessionHash,`
			`expiresAt: new Date(Date.now() + SESSION_TTL_MS),`
			`ipAddress: meta.ipAddress,`
			`userAgent: meta.userAgent,`
			`});`

			`return { sessionToken, userId: user.id, orgId: membership.orgId, email: user.email };`
			`}`

			`export interface AuthedUser {`
			`userId: string;`
			`orgId: string;`
			`email: string;`
			`role: string;`
			`}`

			`export async function getSession(`
			`sessionToken: string \| null \| undefined,`
			`db: Database = createDb(),`
			`): Promise<AuthedUser \| null> {`
			`if (!sessionToken) return null;`
			`const hash = sha256(sessionToken);`
			`const [row] = await db`
			`.select({`
			`userId: sessions.userId,`
			`expiresAt: sessions.expiresAt,`
			`email: users.email,`
			`})`
			`.from(sessions)`
			`.innerJoin(users, eq(users.id, sessions.userId))`
			`.where(eq(sessions.tokenHash, hash))`
			`.limit(1);`
			`if (!row \|\| row.expiresAt < new Date()) return null;`
			`const [membership] = await db`
			`.select({ orgId: memberships.orgId, role: memberships.role })`
			`.from(memberships)`
			`.where(eq(memberships.userId, row.userId))`
			`.limit(1);`
			`if (!membership) return null;`
			`return { userId: row.userId, orgId: membership.orgId, email: row.email, role: membership.role };`
			`}`

			`export async function destroySession(sessionToken: string, db: Database = createDb()): Promise<void> {`
			`const hash = sha256(sessionToken);`
			`await db.delete(sessions).where(eq(sessions.tokenHash, hash));`
			`}`

			`export const __test = { sha256, randomToken, slugify };`