feat: migrate nextjs to rr7

packages/auth/server/config.ts

@@ -0,0 +1,37 @@
+import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
+import { env } from '@documenso/lib/utils/env';
+
+/**
+ * How long a session should live for in milliseconds.
+ */
+export const AUTH_SESSION_LIFETIME = 1000 * 60 * 60 * 24 * 30; // 30 days.
+
+export type OAuthClientOptions = {
+  id: string;
+  scope: string[];
+  clientId: string;
+  clientSecret: string;
+  wellKnownUrl: string;
+  redirectUrl: string;
+  bypassEmailVerification?: boolean;
+};
+
+export const GoogleAuthOptions: OAuthClientOptions = {
+  id: 'google',
+  scope: ['openid', 'email', 'profile'],
+  clientId: env('NEXT_PRIVATE_GOOGLE_CLIENT_ID') ?? '',
+  clientSecret: env('NEXT_PRIVATE_GOOGLE_CLIENT_SECRET') ?? '',
+  redirectUrl: `${NEXT_PUBLIC_WEBAPP_URL()}/api/auth/callback/google`,
+  wellKnownUrl: 'https://accounts.google.com/.well-known/openid-configuration',
+  bypassEmailVerification: false,
+};
+
+export const OidcAuthOptions: OAuthClientOptions = {
+  id: 'oidc',
+  scope: ['openid', 'email', 'profile'],
+  clientId: env('NEXT_PRIVATE_OIDC_CLIENT_ID') ?? '',
+  clientSecret: env('NEXT_PRIVATE_OIDC_CLIENT_SECRET') ?? '',
+  redirectUrl: `${NEXT_PUBLIC_WEBAPP_URL()}/api/auth/callback/oidc`,
+  wellKnownUrl: env('NEXT_PRIVATE_OIDC_WELL_KNOWN') ?? '',
+  bypassEmailVerification: env('NEXT_PRIVATE_OIDC_SKIP_VERIFY') === 'true',
+};

packages/auth/server/index.ts

@@ -0,0 +1,92 @@
+import { Hono } from 'hono';
+import { HTTPException } from 'hono/http-exception';
+import type { ContentfulStatusCode } from 'hono/utils/http-status';
+
+import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { extractRequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
+
+import { setCsrfCookie } from './lib/session/session-cookies';
+import { callbackRoute } from './routes/callback';
+import { emailPasswordRoute } from './routes/email-password';
+import { oauthRoute } from './routes/oauth';
+import { passkeyRoute } from './routes/passkey';
+import { sessionRoute } from './routes/session';
+import { signOutRoute } from './routes/sign-out';
+import { twoFactorRoute } from './routes/two-factor';
+import type { HonoAuthContext } from './types/context';
+
+// Note: You must chain routes for Hono RPC client to work.
+export const auth = new Hono<HonoAuthContext>()
+  .use(async (c, next) => {
+    c.set('requestMetadata', extractRequestMetadata(c.req.raw));
+
+    const validOrigin = new URL(NEXT_PUBLIC_WEBAPP_URL()).origin;
+    const headerOrigin = c.req.header('Origin');
+
+    if (headerOrigin && headerOrigin !== validOrigin) {
+      return c.json(
+        {
+          message: 'Forbidden',
+          statusCode: 403,
+        },
+        403,
+      );
+    }
+
+    await next();
+  })
+  .get('/csrf', async (c) => {
+    const csrfToken = await setCsrfCookie(c);
+
+    return c.json({ csrfToken });
+  })
+  .route('/', sessionRoute)
+  .route('/', signOutRoute)
+  .route('/callback', callbackRoute)
+  .route('/oauth', oauthRoute)
+  .route('/email-password', emailPasswordRoute)
+  .route('/passkey', passkeyRoute)
+  .route('/two-factor', twoFactorRoute);
+
+/**
+ * Handle errors.
+ */
+auth.onError((err, c) => {
+  if (err instanceof HTTPException) {
+    return c.json(
+      {
+        code: AppErrorCode.UNKNOWN_ERROR,
+        message: err.message,
+        statusCode: err.status,
+      },
+      err.status,
+    );
+  }
+
+  if (err instanceof AppError) {
+    // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+    const statusCode = (err.statusCode || 500) as ContentfulStatusCode;
+
+    return c.json(
+      {
+        code: err.code,
+        message: err.message,
+        statusCode: err.statusCode,
+      },
+      statusCode,
+    );
+  }
+
+  // Handle other errors
+  return c.json(
+    {
+      code: AppErrorCode.UNKNOWN_ERROR,
+      message: 'Internal Server Error',
+      statusCode: 500,
+    },
+    500,
+  );
+});
+
+export type AuthAppType = typeof auth;

packages/auth/server/lib/errors/error-codes.ts

@@ -0,0 +1,29 @@
+export const AuthenticationErrorCode = {
+  AccountDisabled: 'ACCOUNT_DISABLED',
+  Unauthorized: 'UNAUTHORIZED',
+  InvalidCredentials: 'INVALID_CREDENTIALS',
+  SessionNotFound: 'SESSION_NOT_FOUND',
+  SessionExpired: 'SESSION_EXPIRED',
+  InvalidToken: 'INVALID_TOKEN',
+  MissingToken: 'MISSING_TOKEN',
+  InvalidRequest: 'INVALID_REQUEST',
+  UnverifiedEmail: 'UNVERIFIED_EMAIL',
+  NotFound: 'NOT_FOUND',
+  NotSetup: 'NOT_SETUP',
+
+  // InternalSeverError: 'INTERNAL_SEVER_ERROR',
+  // TwoFactorAlreadyEnabled: 'TWO_FACTOR_ALREADY_ENABLED',
+  // TwoFactorSetupRequired: 'TWO_FACTOR_SETUP_REQUIRED',
+  // TwoFactorMissingSecret: 'TWO_FACTOR_MISSING_SECRET',
+  // TwoFactorMissingCredentials: 'TWO_FACTOR_MISSING_CREDENTIALS',
+  InvalidTwoFactorCode: 'INVALID_TWO_FACTOR_CODE',
+  // IncorrectTwoFactorBackupCode: 'INCORRECT_TWO_FACTOR_BACKUP_CODE',
+  // IncorrectIdentityProvider: 'INCORRECT_IDENTITY_PROVIDER',
+  // IncorrectPassword: 'INCORRECT_PASSWORD',
+  // MissingEncryptionKey: 'MISSING_ENCRYPTION_KEY',
+  // MissingBackupCode: 'MISSING_BACKUP_CODE',
+} as const;
+
+export type AuthenticationErrorCode =
+  // eslint-disable-next-line @typescript-eslint/ban-types
+  (typeof AuthenticationErrorCode)[keyof typeof AuthenticationErrorCode] | (string & {});

packages/auth/server/lib/session/session-cookies.ts

@@ -0,0 +1,105 @@
+import type { Context } from 'hono';
+import { deleteCookie, getSignedCookie, setSignedCookie } from 'hono/cookie';
+
+import {
+  formatSecureCookieName,
+  getCookieDomain,
+  useSecureCookies,
+} from '@documenso/lib/constants/auth';
+import { appLog } from '@documenso/lib/utils/debugger';
+import { env } from '@documenso/lib/utils/env';
+
+import { AUTH_SESSION_LIFETIME } from '../../config';
+import { extractCookieFromHeaders } from '../utils/cookies';
+import { generateSessionToken } from './session';
+
+export const sessionCookieName = formatSecureCookieName('sessionId');
+export const csrfCookieName = formatSecureCookieName('csrfToken');
+
+const getAuthSecret = () => {
+  const authSecret = env('NEXTAUTH_SECRET');
+
+  if (!authSecret) {
+    throw new Error('NEXTAUTH_SECRET is not set');
+  }
+
+  return authSecret;
+};
+
+/**
+ * Generic auth session cookie options.
+ */
+export const sessionCookieOptions = {
+  httpOnly: true,
+  path: '/',
+  sameSite: useSecureCookies ? 'none' : 'lax',
+  secure: useSecureCookies,
+  domain: getCookieDomain(),
+  expires: new Date(Date.now() + AUTH_SESSION_LIFETIME),
+} as const;
+
+export const extractSessionCookieFromHeaders = (headers: Headers): string | null => {
+  return extractCookieFromHeaders(sessionCookieName, headers);
+};
+
+/**
+ * Get the session cookie attached to the request headers.
+ *
+ * @param c - The Hono context.
+ * @returns The session ID or null if no session cookie is found.
+ */
+export const getSessionCookie = async (c: Context): Promise<string | null> => {
+  const sessionId = await getSignedCookie(c, getAuthSecret(), sessionCookieName);
+
+  return sessionId || null;
+};
+
+/**
+ * Set the session cookie into the Hono context.
+ *
+ * @param c - The Hono context.
+ * @param sessionToken - The session token to set.
+ */
+export const setSessionCookie = async (c: Context, sessionToken: string) => {
+  await setSignedCookie(
+    c,
+    sessionCookieName,
+    sessionToken,
+    getAuthSecret(),
+    sessionCookieOptions,
+  ).catch((err) => {
+    appLog('SetSessionCookie', `Error setting signed cookie: ${err}`);
+
+    throw err;
+  });
+};
+
+/**
+ * Set the session cookie into the Hono context.
+ *
+ * @param c - The Hono context.
+ * @param sessionToken - The session token to set.
+ */
+export const deleteSessionCookie = (c: Context) => {
+  deleteCookie(c, sessionCookieName, sessionCookieOptions);
+};
+
+export const getCsrfCookie = async (c: Context) => {
+  const csrfToken = await getSignedCookie(c, getAuthSecret(), csrfCookieName);
+
+  return csrfToken || null;
+};
+
+export const setCsrfCookie = async (c: Context) => {
+  const csrfToken = generateSessionToken();
+
+  await setSignedCookie(c, csrfCookieName, csrfToken, getAuthSecret(), {
+    ...sessionCookieOptions,
+
+    // Explicity set to undefined for session lived cookie.
+    expires: undefined,
+    maxAge: undefined,
+  });
+
+  return csrfToken;
+};

packages/auth/server/lib/session/session.ts

@@ -0,0 +1,150 @@
+import { sha256 } from '@oslojs/crypto/sha2';
+import { encodeBase32LowerCaseNoPadding, encodeHexLowerCase } from '@oslojs/encoding';
+import { type Session, type User, UserSecurityAuditLogType } from '@prisma/client';
+
+import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
+import { prisma } from '@documenso/prisma';
+
+import { AUTH_SESSION_LIFETIME } from '../../config';
+
+/**
+ * The user object to pass around the app.
+ *
+ * Do not put anything sensitive in here since it will be public.
+ */
+export type SessionUser = Pick<
+  User,
+  | 'id'
+  | 'name'
+  | 'email'
+  | 'emailVerified'
+  | 'avatarImageId'
+  | 'twoFactorEnabled'
+  | 'roles'
+  | 'signature'
+  | 'url'
+  | 'customerId'
+>;
+
+export type SessionValidationResult =
+  | {
+      session: Session;
+      user: SessionUser;
+      isAuthenticated: true;
+    }
+  | { session: null; user: null; isAuthenticated: false };
+
+export const generateSessionToken = (): string => {
+  const bytes = new Uint8Array(20);
+
+  crypto.getRandomValues(bytes);
+
+  const token = encodeBase32LowerCaseNoPadding(bytes);
+
+  return token;
+};
+
+export const createSession = async (
+  token: string,
+  userId: number,
+  metadata: RequestMetadata,
+): Promise<Session> => {
+  const hashedSessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));
+
+  const session: Session = {
+    id: hashedSessionId,
+    sessionToken: hashedSessionId,
+    userId,
+    updatedAt: new Date(),
+    createdAt: new Date(),
+    expiresAt: new Date(Date.now() + AUTH_SESSION_LIFETIME),
+    ipAddress: metadata.ipAddress ?? null,
+    userAgent: metadata.userAgent ?? null,
+  };
+
+  await prisma.session.create({
+    data: session,
+  });
+
+  await prisma.userSecurityAuditLog.create({
+    data: {
+      userId,
+      ipAddress: metadata.ipAddress,
+      userAgent: metadata.userAgent,
+      type: UserSecurityAuditLogType.SIGN_IN,
+    },
+  });
+
+  return session;
+};
+
+export const validateSessionToken = async (token: string): Promise<SessionValidationResult> => {
+  const sessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));
+
+  const result = await prisma.session.findUnique({
+    where: {
+      id: sessionId,
+    },
+    include: {
+      user: {
+        /**
+         * Do not expose anything sensitive here.
+         */
+        select: {
+          id: true,
+          name: true,
+          email: true,
+          emailVerified: true,
+          avatarImageId: true,
+          twoFactorEnabled: true,
+          roles: true,
+          signature: true,
+          url: true,
+          customerId: true,
+        },
+      },
+    },
+  });
+
+  if (!result?.user) {
+    return { session: null, user: null, isAuthenticated: false };
+  }
+
+  const { user, ...session } = result;
+
+  if (Date.now() >= session.expiresAt.getTime()) {
+    await prisma.session.delete({ where: { id: sessionId } });
+    return { session: null, user: null, isAuthenticated: false };
+  }
+
+  if (Date.now() >= session.expiresAt.getTime() - 1000 * 60 * 60 * 24 * 15) {
+    session.expiresAt = new Date(Date.now() + 1000 * 60 * 60 * 24 * 30);
+
+    await prisma.session.update({
+      where: {
+        id: session.id,
+      },
+      data: {
+        expiresAt: session.expiresAt,
+      },
+    });
+  }
+
+  return { session, user, isAuthenticated: true };
+};
+
+export const invalidateSession = async (
+  sessionId: string,
+  metadata: RequestMetadata,
+): Promise<void> => {
+  const session = await prisma.session.delete({ where: { id: sessionId } });
+
+  await prisma.userSecurityAuditLog.create({
+    data: {
+      userId: session.userId,
+      ipAddress: metadata.ipAddress,
+      userAgent: metadata.userAgent,
+      type: UserSecurityAuditLogType.SIGN_OUT,
+    },
+  });
+};

packages/auth/server/lib/utils/authorizer.ts

@@ -0,0 +1,22 @@
+import type { Context } from 'hono';
+
+import type { HonoAuthContext } from '../../types/context';
+import { createSession, generateSessionToken } from '../session/session';
+import { setSessionCookie } from '../session/session-cookies';
+
+type AuthorizeUser = {
+  userId: number;
+};
+
+/**
+ * Handles creating a session.
+ */
+export const onAuthorize = async (user: AuthorizeUser, c: Context<HonoAuthContext>) => {
+  const metadata = c.get('requestMetadata');
+
+  const sessionToken = generateSessionToken();
+
+  await createSession(sessionToken, user.userId, metadata);
+
+  await setSessionCookie(c, sessionToken);
+};

packages/auth/server/lib/utils/cookies.ts

@@ -0,0 +1,14 @@
+/**
+ * Todo: Use library for cookies instead.
+ */
+export const extractCookieFromHeaders = (cookieName: string, headers: Headers): string | null => {
+  const cookieHeader = headers.get('cookie') || '';
+  const cookiePairs = cookieHeader.split(';');
+  const cookie = cookiePairs.find((pair) => pair.trim().startsWith(cookieName));
+
+  if (!cookie) {
+    return null;
+  }
+
+  return cookie.split('=')[1].trim();
+};

packages/auth/server/lib/utils/get-session.ts

@@ -0,0 +1,56 @@
+import type { Context } from 'hono';
+
+import { AppError } from '@documenso/lib/errors/app-error';
+
+import { AuthenticationErrorCode } from '../errors/error-codes';
+import type { SessionValidationResult } from '../session/session';
+import { validateSessionToken } from '../session/session';
+import { getSessionCookie } from '../session/session-cookies';
+
+export const getSession = async (c: Context | Request) => {
+  const { session, user } = await getOptionalSession(mapRequestToContextForCookie(c));
+
+  if (session && user) {
+    return { session, user };
+  }
+
+  if (c instanceof Request) {
+    throw new Error('Unauthorized');
+  }
+
+  throw new AppError(AuthenticationErrorCode.Unauthorized);
+};
+
+export const getOptionalSession = async (
+  c: Context | Request,
+): Promise<SessionValidationResult> => {
+  const sessionId = await getSessionCookie(mapRequestToContextForCookie(c));
+
+  if (!sessionId) {
+    return {
+      isAuthenticated: false,
+      session: null,
+      user: null,
+    };
+  }
+
+  return await validateSessionToken(sessionId);
+};
+
+/**
+ * Todo: (RR7) Rethink, this is pretty sketchy.
+ */
+const mapRequestToContextForCookie = (c: Context | Request) => {
+  if (c instanceof Request) {
+    const partialContext = {
+      req: {
+        raw: c,
+      },
+    };
+
+    // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+    return partialContext as unknown as Context;
+  }
+
+  return c;
+};

packages/auth/server/lib/utils/handle-oauth-authorize-url.ts

@@ -0,0 +1,86 @@
+import { CodeChallengeMethod, OAuth2Client, generateCodeVerifier, generateState } from 'arctic';
+import type { Context } from 'hono';
+import { setCookie } from 'hono/cookie';
+
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+
+import type { OAuthClientOptions } from '../../config';
+import { sessionCookieOptions } from '../session/session-cookies';
+import { getOpenIdConfiguration } from './open-id';
+
+type HandleOAuthAuthorizeUrlOptions = {
+  /**
+   * Hono context.
+   */
+  c: Context;
+
+  /**
+   * OAuth client options.
+   */
+  clientOptions: OAuthClientOptions;
+
+  /**
+   * Optional redirect path to redirect the user somewhere on the app after authorization.
+   */
+  redirectPath?: string;
+};
+
+const oauthCookieMaxAge = 60 * 10; // 10 minutes.
+
+export const handleOAuthAuthorizeUrl = async (options: HandleOAuthAuthorizeUrlOptions) => {
+  const { c, clientOptions, redirectPath } = options;
+
+  if (!clientOptions.clientId || !clientOptions.clientSecret) {
+    throw new AppError(AppErrorCode.NOT_SETUP);
+  }
+
+  const { authorization_endpoint } = await getOpenIdConfiguration(clientOptions.wellKnownUrl, {
+    requiredScopes: clientOptions.scope,
+  });
+
+  const oAuthClient = new OAuth2Client(
+    clientOptions.clientId,
+    clientOptions.clientSecret,
+    clientOptions.redirectUrl,
+  );
+
+  const scopes = clientOptions.scope;
+  const state = generateState();
+
+  const codeVerifier = generateCodeVerifier();
+
+  const url = oAuthClient.createAuthorizationURLWithPKCE(
+    authorization_endpoint,
+    state,
+    CodeChallengeMethod.S256,
+    codeVerifier,
+    scopes,
+  );
+
+  // Allow user to select account during login.
+  url.searchParams.append('prompt', 'login');
+
+  setCookie(c, `${clientOptions.id}_oauth_state`, state, {
+    ...sessionCookieOptions,
+    sameSite: 'lax',
+    maxAge: oauthCookieMaxAge,
+  });
+
+  setCookie(c, `${clientOptions.id}_code_verifier`, codeVerifier, {
+    ...sessionCookieOptions,
+    sameSite: 'lax',
+    maxAge: oauthCookieMaxAge,
+  });
+
+  if (redirectPath) {
+    setCookie(c, `${clientOptions.id}_redirect_path`, `${state} ${redirectPath}`, {
+      ...sessionCookieOptions,
+      sameSite: 'lax',
+      maxAge: oauthCookieMaxAge,
+    });
+  }
+
+  return c.json({
+    redirectUrl: url.toString(),
+  });
+};

packages/auth/server/lib/utils/handle-oauth-callback-url.ts

@@ -0,0 +1,195 @@
+import { UserSecurityAuditLogType } from '@prisma/client';
+import { OAuth2Client, decodeIdToken } from 'arctic';
+import type { Context } from 'hono';
+import { deleteCookie } from 'hono/cookie';
+import { nanoid } from 'nanoid';
+
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { onCreateUserHook } from '@documenso/lib/server-only/user/create-user';
+import { prisma } from '@documenso/prisma';
+
+import type { OAuthClientOptions } from '../../config';
+import { AuthenticationErrorCode } from '../errors/error-codes';
+import { onAuthorize } from './authorizer';
+import { getOpenIdConfiguration } from './open-id';
+
+type HandleOAuthCallbackUrlOptions = {
+  c: Context;
+  clientOptions: OAuthClientOptions;
+};
+
+export const handleOAuthCallbackUrl = async (options: HandleOAuthCallbackUrlOptions) => {
+  const { c, clientOptions } = options;
+
+  if (!clientOptions.clientId || !clientOptions.clientSecret) {
+    throw new AppError(AppErrorCode.NOT_SETUP);
+  }
+
+  const { token_endpoint } = await getOpenIdConfiguration(clientOptions.wellKnownUrl, {
+    requiredScopes: clientOptions.scope,
+  });
+
+  const oAuthClient = new OAuth2Client(
+    clientOptions.clientId,
+    clientOptions.clientSecret,
+    clientOptions.redirectUrl,
+  );
+
+  const requestMeta = c.get('requestMetadata');
+
+  const code = c.req.query('code');
+  const state = c.req.query('state');
+
+  const storedState = deleteCookie(c, `${clientOptions.id}_oauth_state`);
+  const storedCodeVerifier = deleteCookie(c, `${clientOptions.id}_code_verifier`);
+  const storedRedirectPath = deleteCookie(c, `${clientOptions.id}_redirect_path`) ?? '';
+
+  if (!code || !storedState || state !== storedState || !storedCodeVerifier) {
+    throw new AppError(AppErrorCode.INVALID_REQUEST, {
+      message: 'Invalid or missing state',
+    });
+  }
+
+  // eslint-disable-next-line prefer-const
+  let [redirectState, redirectPath] = storedRedirectPath.split(' ');
+
+  if (redirectState !== storedState || !redirectPath) {
+    redirectPath = '/documents';
+  }
+
+  const tokens = await oAuthClient.validateAuthorizationCode(
+    token_endpoint,
+    code,
+    storedCodeVerifier,
+  );
+
+  const accessToken = tokens.accessToken();
+  const accessTokenExpiresAt = tokens.accessTokenExpiresAt();
+  const idToken = tokens.idToken();
+
+  // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+  const claims = decodeIdToken(tokens.idToken()) as Record<string, unknown>;
+
+  const email = claims.email;
+  const name = claims.name;
+  const sub = claims.sub;
+
+  if (typeof email !== 'string' || typeof name !== 'string' || typeof sub !== 'string') {
+    throw new AppError(AuthenticationErrorCode.InvalidRequest, {
+      message: 'Invalid claims',
+    });
+  }
+
+  if (claims.email_verified !== true && !clientOptions.bypassEmailVerification) {
+    throw new AppError(AuthenticationErrorCode.UnverifiedEmail, {
+      message: 'Account email is not verified',
+    });
+  }
+
+  // Find the account if possible.
+  const existingAccount = await prisma.account.findFirst({
+    where: {
+      provider: clientOptions.id,
+      providerAccountId: sub,
+    },
+    include: {
+      user: true,
+    },
+  });
+
+  // Directly log in user if account already exists.
+  if (existingAccount) {
+    await onAuthorize({ userId: existingAccount.user.id }, c);
+
+    return c.redirect(redirectPath, 302);
+  }
+
+  const userWithSameEmail = await prisma.user.findFirst({
+    where: {
+      email: email,
+    },
+  });
+
+  // Handle existing user but no account.
+  if (userWithSameEmail) {
+    await prisma.$transaction(async (tx) => {
+      await tx.account.create({
+        data: {
+          type: 'oauth',
+          provider: clientOptions.id,
+          providerAccountId: sub,
+          access_token: accessToken,
+          expires_at: Math.floor(accessTokenExpiresAt.getTime() / 1000),
+          token_type: 'Bearer',
+          id_token: idToken,
+          userId: userWithSameEmail.id,
+        },
+      });
+
+      // Log link event.
+      await tx.userSecurityAuditLog.create({
+        data: {
+          userId: userWithSameEmail.id,
+          ipAddress: requestMeta.ipAddress,
+          userAgent: requestMeta.userAgent,
+          type: UserSecurityAuditLogType.ACCOUNT_SSO_LINK,
+        },
+      });
+
+      // If account already exists in an unverified state, remove the password to ensure
+      // they cannot sign in since we cannot confirm the password was set by the user.
+      if (!userWithSameEmail.emailVerified) {
+        await tx.user.update({
+          where: {
+            id: userWithSameEmail.id,
+          },
+          data: {
+            emailVerified: new Date(),
+            password: null,
+            // Todo: (RR7) Will need to update the "password" account after the migration.
+          },
+        });
+      }
+    });
+
+    await onAuthorize({ userId: userWithSameEmail.id }, c);
+
+    return c.redirect(redirectPath, 302);
+  }
+
+  // Handle new user.
+  const createdUser = await prisma.$transaction(async (tx) => {
+    const user = await tx.user.create({
+      data: {
+        email: email,
+        name: name,
+        emailVerified: new Date(),
+        url: nanoid(17),
+      },
+    });
+
+    await tx.account.create({
+      data: {
+        type: 'oauth',
+        provider: clientOptions.id,
+        providerAccountId: sub,
+        access_token: accessToken,
+        expires_at: Math.floor(accessTokenExpiresAt.getTime() / 1000),
+        token_type: 'Bearer',
+        id_token: idToken,
+        userId: user.id,
+      },
+    });
+
+    return user;
+  });
+
+  await onCreateUserHook(createdUser).catch((err) => {
+    // Todo: (RR7) Add logging.
+    console.error(err);
+  });
+
+  await onAuthorize({ userId: createdUser.id }, c);
+
+  return c.redirect(redirectPath, 302);
+};

packages/auth/server/lib/utils/open-id.ts

@@ -0,0 +1,44 @@
+import { z } from 'zod';
+
+const ZOpenIdConfigurationSchema = z.object({
+  authorization_endpoint: z.string(),
+  token_endpoint: z.string(),
+  scopes_supported: z.array(z.string()).optional(),
+});
+
+type OpenIdConfiguration = z.infer<typeof ZOpenIdConfigurationSchema>;
+
+type GetOpenIdConfigurationOptions = {
+  requiredScopes?: string[];
+};
+
+export const getOpenIdConfiguration = async (
+  wellKnownUrl: string,
+  options: GetOpenIdConfigurationOptions = {},
+): Promise<OpenIdConfiguration> => {
+  const response = await fetch(wellKnownUrl);
+
+  if (!response.ok) {
+    throw new Error(`Failed to fetch OIDC configuration: ${response.statusText}`);
+  }
+
+  const rawConfig = await response.json();
+
+  const config = ZOpenIdConfigurationSchema.parse(rawConfig);
+
+  // Validate required endpoints
+  if (!config.authorization_endpoint) {
+    throw new Error('Missing authorization_endpoint in OIDC configuration');
+  }
+
+  const supportedScopes = config.scopes_supported ?? [];
+  const requiredScopes = options.requiredScopes ?? [];
+
+  const unsupportedScopes = requiredScopes.filter((scope) => !supportedScopes.includes(scope));
+
+  if (unsupportedScopes.length > 0) {
+    throw new Error(`Requested scopes not supported by provider: ${unsupportedScopes.join(', ')}`);
+  }
+
+  return config;
+};

packages/auth/server/lib/utils/redirect.ts

@@ -0,0 +1,28 @@
+import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
+
+/**
+ * Handle an optional redirect path.
+ */
+export const handleRequestRedirect = (redirectUrl?: string) => {
+  if (!redirectUrl) {
+    return;
+  }
+
+  const url = new URL(redirectUrl, NEXT_PUBLIC_WEBAPP_URL());
+
+  if (url.origin !== NEXT_PUBLIC_WEBAPP_URL()) {
+    window.location.href = '/documents';
+  } else {
+    window.location.href = redirectUrl;
+  }
+};
+
+export const handleSignInRedirect = (redirectUrl: string = '/documents') => {
+  const url = new URL(redirectUrl, NEXT_PUBLIC_WEBAPP_URL());
+
+  if (url.origin !== NEXT_PUBLIC_WEBAPP_URL()) {
+    window.location.href = '/documents';
+  } else {
+    window.location.href = redirectUrl;
+  }
+};

packages/auth/server/routes/callback.ts

@@ -0,0 +1,20 @@
+import { Hono } from 'hono';
+
+import { GoogleAuthOptions, OidcAuthOptions } from '../config';
+import { handleOAuthCallbackUrl } from '../lib/utils/handle-oauth-callback-url';
+import type { HonoAuthContext } from '../types/context';
+
+/**
+ * Have to create this route instead of bundling callback with oauth routes to provide
+ * backwards compatibility for self-hosters (since we used to use NextAuth).
+ */
+export const callbackRoute = new Hono<HonoAuthContext>()
+  /**
+   * OIDC callback verification.
+   */
+  .get('/oidc', async (c) => handleOAuthCallbackUrl({ c, clientOptions: OidcAuthOptions }))
+
+  /**
+   * Google callback verification.
+   */
+  .get('/google', async (c) => handleOAuthCallbackUrl({ c, clientOptions: GoogleAuthOptions }));

packages/auth/server/routes/email-password.ts

@@ -0,0 +1,397 @@
+import { sValidator } from '@hono/standard-validator';
+import { compare } from '@node-rs/bcrypt';
+import { UserSecurityAuditLogType } from '@prisma/client';
+import { Hono } from 'hono';
+import { DateTime } from 'luxon';
+import { z } from 'zod';
+
+import { IS_BILLING_ENABLED } from '@documenso/lib/constants/app';
+import { EMAIL_VERIFICATION_STATE } from '@documenso/lib/constants/email';
+import { AppError } from '@documenso/lib/errors/app-error';
+import { jobsClient } from '@documenso/lib/jobs/client';
+import { disableTwoFactorAuthentication } from '@documenso/lib/server-only/2fa/disable-2fa';
+import { enableTwoFactorAuthentication } from '@documenso/lib/server-only/2fa/enable-2fa';
+import { isTwoFactorAuthenticationEnabled } from '@documenso/lib/server-only/2fa/is-2fa-availble';
+import { setupTwoFactorAuthentication } from '@documenso/lib/server-only/2fa/setup-2fa';
+import { validateTwoFactorAuthentication } from '@documenso/lib/server-only/2fa/validate-2fa';
+import { viewBackupCodes } from '@documenso/lib/server-only/2fa/view-backup-codes';
+import { createUser } from '@documenso/lib/server-only/user/create-user';
+import { forgotPassword } from '@documenso/lib/server-only/user/forgot-password';
+import { getMostRecentVerificationTokenByUserId } from '@documenso/lib/server-only/user/get-most-recent-verification-token-by-user-id';
+import { resetPassword } from '@documenso/lib/server-only/user/reset-password';
+import { updatePassword } from '@documenso/lib/server-only/user/update-password';
+import { verifyEmail } from '@documenso/lib/server-only/user/verify-email';
+import { env } from '@documenso/lib/utils/env';
+import { prisma } from '@documenso/prisma';
+
+import { AuthenticationErrorCode } from '../lib/errors/error-codes';
+import { getCsrfCookie } from '../lib/session/session-cookies';
+import { onAuthorize } from '../lib/utils/authorizer';
+import { getSession } from '../lib/utils/get-session';
+import type { HonoAuthContext } from '../types/context';
+import {
+  ZForgotPasswordSchema,
+  ZResendVerifyEmailSchema,
+  ZResetPasswordSchema,
+  ZSignInSchema,
+  ZSignUpSchema,
+  ZUpdatePasswordSchema,
+  ZVerifyEmailSchema,
+} from '../types/email-password';
+
+export const emailPasswordRoute = new Hono<HonoAuthContext>()
+  /**
+   * Authorize endpoint.
+   */
+  .post('/authorize', sValidator('json', ZSignInSchema), async (c) => {
+    const requestMetadata = c.get('requestMetadata');
+
+    const { email, password, totpCode, backupCode, csrfToken } = c.req.valid('json');
+
+    const csrfCookieToken = await getCsrfCookie(c);
+
+    // Todo: (RR7) Add logging here.
+    if (csrfToken !== csrfCookieToken || !csrfCookieToken) {
+      throw new AppError(AuthenticationErrorCode.InvalidRequest, {
+        message: 'Invalid CSRF token',
+      });
+    }
+
+    const user = await prisma.user.findFirst({
+      where: {
+        email: email.toLowerCase(),
+      },
+    });
+
+    if (!user || !user.password) {
+      throw new AppError(AuthenticationErrorCode.InvalidCredentials, {
+        message: 'Invalid email or password',
+      });
+    }
+
+    const isPasswordsSame = await compare(password, user.password);
+
+    if (!isPasswordsSame) {
+      await prisma.userSecurityAuditLog.create({
+        data: {
+          userId: user.id,
+          ipAddress: requestMetadata.ipAddress,
+          userAgent: requestMetadata.userAgent,
+          type: UserSecurityAuditLogType.SIGN_IN_FAIL,
+        },
+      });
+
+      throw new AppError(AuthenticationErrorCode.InvalidCredentials, {
+        message: 'Invalid email or password',
+      });
+    }
+
+    const is2faEnabled = isTwoFactorAuthenticationEnabled({ user });
+
+    if (is2faEnabled) {
+      const isValid = await validateTwoFactorAuthentication({ backupCode, totpCode, user });
+
+      if (!isValid) {
+        await prisma.userSecurityAuditLog.create({
+          data: {
+            userId: user.id,
+            ipAddress: requestMetadata.ipAddress,
+            userAgent: requestMetadata.userAgent,
+            type: UserSecurityAuditLogType.SIGN_IN_2FA_FAIL,
+          },
+        });
+
+        throw new AppError(AuthenticationErrorCode.InvalidTwoFactorCode);
+      }
+    }
+
+    if (!user.emailVerified) {
+      const mostRecentToken = await getMostRecentVerificationTokenByUserId({
+        userId: user.id,
+      });
+
+      if (
+        !mostRecentToken ||
+        mostRecentToken.expires.valueOf() <= Date.now() ||
+        DateTime.fromJSDate(mostRecentToken.createdAt).diffNow('minutes').minutes > -5
+      ) {
+        await jobsClient.triggerJob({
+          name: 'send.signup.confirmation.email',
+          payload: {
+            email: user.email,
+          },
+        });
+      }
+
+      throw new AppError('UNVERIFIED_EMAIL', {
+        message: 'Unverified email',
+      });
+    }
+
+    if (user.disabled) {
+      throw new AppError('ACCOUNT_DISABLED', {
+        message: 'Account disabled',
+      });
+    }
+
+    await onAuthorize({ userId: user.id }, c);
+
+    return c.text('', 201);
+  })
+  /**
+   * Signup endpoint.
+   */
+  .post('/signup', sValidator('json', ZSignUpSchema), async (c) => {
+    if (env('NEXT_PUBLIC_DISABLE_SIGNUP') === 'true') {
+      throw new AppError('SIGNUP_DISABLED', {
+        message: 'Signups are disabled.',
+      });
+    }
+
+    const { name, email, password, signature, url } = c.req.valid('json');
+
+    if (IS_BILLING_ENABLED() && url && url.length < 6) {
+      throw new AppError('PREMIUM_PROFILE_URL', {
+        message: 'Only subscribers can have a username shorter than 6 characters',
+      });
+    }
+
+    const user = await createUser({ name, email, password, signature, url });
+
+    await jobsClient.triggerJob({
+      name: 'send.signup.confirmation.email',
+      payload: {
+        email: user.email,
+      },
+    });
+
+    return c.text('OK', 201);
+  })
+  /**
+   * Update password endpoint.
+   */
+  .post('/update-password', sValidator('json', ZUpdatePasswordSchema), async (c) => {
+    const { password, currentPassword } = c.req.valid('json');
+    const requestMetadata = c.get('requestMetadata');
+
+    const session = await getSession(c);
+
+    await updatePassword({
+      userId: session.user.id,
+      password,
+      currentPassword,
+      requestMetadata,
+    });
+
+    return c.text('OK', 201);
+  })
+  /**
+   * Verify email endpoint.
+   */
+  .post('/verify-email', sValidator('json', ZVerifyEmailSchema), async (c) => {
+    const { state, userId } = await verifyEmail({ token: c.req.valid('json').token });
+
+    // If email is verified, automatically authenticate user.
+    if (state === EMAIL_VERIFICATION_STATE.VERIFIED && userId !== null) {
+      await onAuthorize({ userId }, c);
+    }
+
+    return c.json({
+      state,
+    });
+  })
+  /**
+   * Resend verification email endpoint.
+   */
+  .post('/resend-verify-email', sValidator('json', ZResendVerifyEmailSchema), async (c) => {
+    const { email } = c.req.valid('json');
+
+    await jobsClient.triggerJob({
+      name: 'send.signup.confirmation.email',
+      payload: {
+        email,
+      },
+    });
+
+    return c.text('OK', 201);
+  })
+  /**
+   * Forgot password endpoint.
+   */
+  .post('/forgot-password', sValidator('json', ZForgotPasswordSchema), async (c) => {
+    const { email } = c.req.valid('json');
+
+    await forgotPassword({
+      email,
+    });
+
+    return c.text('OK', 201);
+  })
+  /**
+   * Reset password endpoint.
+   */
+  .post('/reset-password', sValidator('json', ZResetPasswordSchema), async (c) => {
+    const { token, password } = c.req.valid('json');
+
+    const requestMetadata = c.get('requestMetadata');
+
+    await resetPassword({
+      token,
+      password,
+      requestMetadata,
+    });
+
+    return c.text('OK', 201);
+  })
+  /**
+   * Setup two factor authentication.
+   */
+  .post('/2fa/setup', async (c) => {
+    const { user } = await getSession(c);
+
+    const result = await setupTwoFactorAuthentication({
+      user,
+    });
+
+    return c.json({
+      success: true,
+      secret: result.secret,
+      uri: result.uri,
+    });
+  })
+  /**
+   * Enable two factor authentication.
+   */
+  .post(
+    '/2fa/enable',
+    sValidator(
+      'json',
+      z.object({
+        code: z.string(),
+      }),
+    ),
+    async (c) => {
+      const requestMetadata = c.get('requestMetadata');
+
+      const { user: sessionUser } = await getSession(c);
+
+      const user = await prisma.user.findFirst({
+        where: {
+          id: sessionUser.id,
+        },
+        select: {
+          id: true,
+          email: true,
+          twoFactorEnabled: true,
+          twoFactorSecret: true,
+        },
+      });
+
+      if (!user) {
+        throw new AppError(AuthenticationErrorCode.InvalidRequest);
+      }
+
+      const { code } = c.req.valid('json');
+
+      const result = await enableTwoFactorAuthentication({
+        user,
+        code,
+        requestMetadata,
+      });
+
+      return c.json({
+        success: true,
+        recoveryCodes: result.recoveryCodes,
+      });
+    },
+  )
+  /**
+   * Disable two factor authentication.
+   */
+  .post(
+    '/2fa/disable',
+    sValidator(
+      'json',
+      z.object({
+        totpCode: z.string().trim().optional(),
+        backupCode: z.string().trim().optional(),
+      }),
+    ),
+    async (c) => {
+      const requestMetadata = c.get('requestMetadata');
+
+      const { user: sessionUser } = await getSession(c);
+
+      const user = await prisma.user.findFirst({
+        where: {
+          id: sessionUser.id,
+        },
+        select: {
+          id: true,
+          email: true,
+          twoFactorEnabled: true,
+          twoFactorSecret: true,
+          twoFactorBackupCodes: true,
+        },
+      });
+
+      if (!user) {
+        throw new AppError(AuthenticationErrorCode.InvalidRequest);
+      }
+
+      const { totpCode, backupCode } = c.req.valid('json');
+
+      await disableTwoFactorAuthentication({
+        user,
+        totpCode,
+        backupCode,
+        requestMetadata,
+      });
+
+      return c.text('OK', 201);
+    },
+  )
+  /**
+   * View backup codes.
+   */
+  .post(
+    '/2fa/view-recovery-codes',
+    sValidator(
+      'json',
+      z.object({
+        token: z.string(),
+      }),
+    ),
+    async (c) => {
+      const { user: sessionUser } = await getSession(c);
+
+      const user = await prisma.user.findFirst({
+        where: {
+          id: sessionUser.id,
+        },
+        select: {
+          id: true,
+          email: true,
+          twoFactorEnabled: true,
+          twoFactorSecret: true,
+          twoFactorBackupCodes: true,
+        },
+      });
+
+      if (!user) {
+        throw new AppError(AuthenticationErrorCode.InvalidRequest);
+      }
+
+      const { token } = c.req.valid('json');
+
+      const backupCodes = await viewBackupCodes({
+        user,
+        token,
+      });
+
+      return c.json({
+        success: true,
+        backupCodes,
+      });
+    },
+  );

packages/auth/server/routes/oauth.ts

@@ -0,0 +1,37 @@
+import { sValidator } from '@hono/standard-validator';
+import { Hono } from 'hono';
+import { z } from 'zod';
+
+import { GoogleAuthOptions, OidcAuthOptions } from '../config';
+import { handleOAuthAuthorizeUrl } from '../lib/utils/handle-oauth-authorize-url';
+import type { HonoAuthContext } from '../types/context';
+
+const ZOAuthAuthorizeSchema = z.object({
+  redirectPath: z.string().optional(),
+});
+
+export const oauthRoute = new Hono<HonoAuthContext>()
+  /**
+   * Google authorize endpoint.
+   */
+  .post('/authorize/google', sValidator('json', ZOAuthAuthorizeSchema), async (c) => {
+    const { redirectPath } = c.req.valid('json');
+
+    return handleOAuthAuthorizeUrl({
+      c,
+      clientOptions: GoogleAuthOptions,
+      redirectPath,
+    });
+  })
+  /**
+   * OIDC authorize endpoint.
+   */
+  .post('/authorize/oidc', sValidator('json', ZOAuthAuthorizeSchema), async (c) => {
+    const { redirectPath } = c.req.valid('json');
+
+    return handleOAuthAuthorizeUrl({
+      c,
+      clientOptions: OidcAuthOptions,
+      redirectPath,
+    });
+  });

packages/auth/server/routes/passkey.ts

@@ -0,0 +1,121 @@
+import { sValidator } from '@hono/standard-validator';
+import { UserSecurityAuditLogType } from '@prisma/client';
+import { verifyAuthenticationResponse } from '@simplewebauthn/server';
+import { Hono } from 'hono';
+
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import type { TAuthenticationResponseJSONSchema } from '@documenso/lib/types/webauthn';
+import { ZAuthenticationResponseJSONSchema } from '@documenso/lib/types/webauthn';
+import { getAuthenticatorOptions } from '@documenso/lib/utils/authenticator';
+import { prisma } from '@documenso/prisma';
+
+import { onAuthorize } from '../lib/utils/authorizer';
+import type { HonoAuthContext } from '../types/context';
+import { ZPasskeyAuthorizeSchema } from '../types/passkey';
+
+export const passkeyRoute = new Hono<HonoAuthContext>()
+  /**
+   * Authorize endpoint.
+   */
+  .post('/authorize', sValidator('json', ZPasskeyAuthorizeSchema), async (c) => {
+    const requestMetadata = c.get('requestMetadata');
+
+    const { csrfToken, credential } = c.req.valid('json');
+
+    if (typeof csrfToken !== 'string' || csrfToken.length === 0) {
+      throw new AppError(AppErrorCode.INVALID_REQUEST);
+    }
+
+    let requestBodyCrediential: TAuthenticationResponseJSONSchema | null = null;
+
+    try {
+      const parsedBodyCredential = JSON.parse(credential);
+      requestBodyCrediential = ZAuthenticationResponseJSONSchema.parse(parsedBodyCredential);
+    } catch {
+      throw new AppError(AppErrorCode.INVALID_REQUEST);
+    }
+
+    const challengeToken = await prisma.anonymousVerificationToken
+      .delete({
+        where: {
+          id: csrfToken,
+        },
+      })
+      .catch(() => null);
+
+    if (!challengeToken) {
+      throw new AppError(AppErrorCode.INVALID_REQUEST);
+    }
+
+    if (challengeToken.expiresAt < new Date()) {
+      throw new AppError(AppErrorCode.EXPIRED_CODE);
+    }
+
+    const passkey = await prisma.passkey.findFirst({
+      where: {
+        credentialId: Buffer.from(requestBodyCrediential.id, 'base64'),
+      },
+      include: {
+        user: {
+          select: {
+            id: true,
+            email: true,
+            name: true,
+            emailVerified: true,
+          },
+        },
+      },
+    });
+
+    if (!passkey) {
+      throw new AppError(AppErrorCode.NOT_SETUP);
+    }
+
+    const user = passkey.user;
+
+    const { rpId, origin } = getAuthenticatorOptions();
+
+    const verification = await verifyAuthenticationResponse({
+      response: requestBodyCrediential,
+      expectedChallenge: challengeToken.token,
+      expectedOrigin: origin,
+      expectedRPID: rpId,
+      authenticator: {
+        credentialID: new Uint8Array(Array.from(passkey.credentialId)),
+        credentialPublicKey: new Uint8Array(passkey.credentialPublicKey),
+        counter: Number(passkey.counter),
+      },
+    }).catch(() => null);
+
+    if (!verification?.verified) {
+      await prisma.userSecurityAuditLog.create({
+        data: {
+          userId: user.id,
+          ipAddress: requestMetadata.ipAddress,
+          userAgent: requestMetadata.userAgent,
+          type: UserSecurityAuditLogType.SIGN_IN_PASSKEY_FAIL,
+        },
+      });
+
+      throw new AppError(AppErrorCode.INVALID_REQUEST);
+    }
+
+    await prisma.passkey.update({
+      where: {
+        id: passkey.id,
+      },
+      data: {
+        lastUsedAt: new Date(),
+        counter: verification.authenticationInfo.newCounter,
+      },
+    });
+
+    await onAuthorize({ userId: user.id }, c);
+
+    return c.json(
+      {
+        url: '/documents',
+      },
+      200,
+    );
+  });

packages/auth/server/routes/session.ts

@@ -0,0 +1,17 @@
+import { Hono } from 'hono';
+import superjson from 'superjson';
+
+import type { SessionValidationResult } from '../lib/session/session';
+import { getOptionalSession } from '../lib/utils/get-session';
+
+export const sessionRoute = new Hono()
+  .get('/session', async (c) => {
+    const session: SessionValidationResult = await getOptionalSession(c);
+
+    return c.json(session);
+  })
+  .get('/session-json', async (c) => {
+    const session: SessionValidationResult = await getOptionalSession(c);
+
+    return c.json(superjson.serialize(session));
+  });

packages/auth/server/routes/sign-out.ts

@@ -0,0 +1,27 @@
+import { Hono } from 'hono';
+
+import { invalidateSession, validateSessionToken } from '../lib/session/session';
+import { deleteSessionCookie, getSessionCookie } from '../lib/session/session-cookies';
+import type { HonoAuthContext } from '../types/context';
+
+export const signOutRoute = new Hono<HonoAuthContext>().post('/signout', async (c) => {
+  const metadata = c.get('requestMetadata');
+
+  const sessionId = await getSessionCookie(c);
+
+  if (!sessionId) {
+    return new Response('No session found', { status: 401 });
+  }
+
+  const { session } = await validateSessionToken(sessionId);
+
+  if (!session) {
+    return new Response('No session found', { status: 401 });
+  }
+
+  await invalidateSession(session.id, metadata);
+
+  deleteSessionCookie(c);
+
+  return c.status(200);
+});

packages/auth/server/routes/two-factor.ts

@@ -0,0 +1,151 @@
+import { sValidator } from '@hono/standard-validator';
+import { Hono } from 'hono';
+
+import { AppError } from '@documenso/lib/errors/app-error';
+import { disableTwoFactorAuthentication } from '@documenso/lib/server-only/2fa/disable-2fa';
+import { enableTwoFactorAuthentication } from '@documenso/lib/server-only/2fa/enable-2fa';
+import { setupTwoFactorAuthentication } from '@documenso/lib/server-only/2fa/setup-2fa';
+import { viewBackupCodes } from '@documenso/lib/server-only/2fa/view-backup-codes';
+import { prisma } from '@documenso/prisma';
+
+import { AuthenticationErrorCode } from '../lib/errors/error-codes';
+import { getSession } from '../lib/utils/get-session';
+import type { HonoAuthContext } from '../types/context';
+import {
+  ZDisableTwoFactorRequestSchema,
+  ZEnableTwoFactorRequestSchema,
+  ZViewTwoFactorRecoveryCodesRequestSchema,
+} from './two-factor.types';
+
+export const twoFactorRoute = new Hono<HonoAuthContext>()
+  /**
+   * Setup two factor authentication.
+   */
+  .post('/setup', async (c) => {
+    const { user } = await getSession(c);
+
+    const result = await setupTwoFactorAuthentication({
+      user,
+    });
+
+    return c.json({
+      success: true,
+      secret: result.secret,
+      uri: result.uri,
+    });
+  })
+
+  /**
+   * Enable two factor authentication.
+   */
+  .post('/enable', sValidator('json', ZEnableTwoFactorRequestSchema), async (c) => {
+    const requestMetadata = c.get('requestMetadata');
+
+    const { user: sessionUser } = await getSession(c);
+
+    const user = await prisma.user.findFirst({
+      where: {
+        id: sessionUser.id,
+      },
+      select: {
+        id: true,
+        email: true,
+        twoFactorEnabled: true,
+        twoFactorSecret: true,
+      },
+    });
+
+    if (!user) {
+      throw new AppError(AuthenticationErrorCode.InvalidRequest);
+    }
+
+    const { code } = c.req.valid('json');
+
+    const result = await enableTwoFactorAuthentication({
+      user,
+      code,
+      requestMetadata,
+    });
+
+    return c.json({
+      success: true,
+      recoveryCodes: result.recoveryCodes,
+    });
+  })
+
+  /**
+   * Disable two factor authentication.
+   */
+  .post('/disable', sValidator('json', ZDisableTwoFactorRequestSchema), async (c) => {
+    const requestMetadata = c.get('requestMetadata');
+
+    const { user: sessionUser } = await getSession(c);
+
+    const user = await prisma.user.findFirst({
+      where: {
+        id: sessionUser.id,
+      },
+      select: {
+        id: true,
+        email: true,
+        twoFactorEnabled: true,
+        twoFactorSecret: true,
+        twoFactorBackupCodes: true,
+      },
+    });
+
+    if (!user) {
+      throw new AppError(AuthenticationErrorCode.InvalidRequest);
+    }
+
+    const { totpCode, backupCode } = c.req.valid('json');
+
+    await disableTwoFactorAuthentication({
+      user,
+      totpCode,
+      backupCode,
+      requestMetadata,
+    });
+
+    return c.text('OK', 201);
+  })
+
+  /**
+   * View backup codes.
+   */
+  .post(
+    '/view-recovery-codes',
+    sValidator('json', ZViewTwoFactorRecoveryCodesRequestSchema),
+    async (c) => {
+      const { user: sessionUser } = await getSession(c);
+
+      const user = await prisma.user.findFirst({
+        where: {
+          id: sessionUser.id,
+        },
+        select: {
+          id: true,
+          email: true,
+          twoFactorEnabled: true,
+          twoFactorSecret: true,
+          twoFactorBackupCodes: true,
+        },
+      });
+
+      if (!user) {
+        throw new AppError(AuthenticationErrorCode.InvalidRequest);
+      }
+
+      const { token } = c.req.valid('json');
+
+      const backupCodes = await viewBackupCodes({
+        user,
+        token,
+      });
+
+      return c.json({
+        success: true,
+        backupCodes,
+      });
+    },
+  );

packages/auth/server/routes/two-factor.types.ts

@@ -0,0 +1,22 @@
+import { z } from 'zod';
+
+export const ZEnableTwoFactorRequestSchema = z.object({
+  code: z.string().min(6).max(6),
+});
+
+export type TEnableTwoFactorRequestSchema = z.infer<typeof ZEnableTwoFactorRequestSchema>;
+
+export const ZDisableTwoFactorRequestSchema = z.object({
+  totpCode: z.string().trim().optional(),
+  backupCode: z.string().trim().optional(),
+});
+
+export type TDisableTwoFactorRequestSchema = z.infer<typeof ZDisableTwoFactorRequestSchema>;
+
+export const ZViewTwoFactorRecoveryCodesRequestSchema = z.object({
+  token: z.string().trim().min(1),
+});
+
+export type TViewTwoFactorRecoveryCodesRequestSchema = z.infer<
+  typeof ZViewTwoFactorRecoveryCodesRequestSchema
+>;

packages/auth/server/types/context.ts

@@ -0,0 +1,7 @@
+import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
+
+export type HonoAuthContext = {
+  Variables: {
+    requestMetadata: RequestMetadata;
+  };
+};

packages/auth/server/types/email-password.ts

@@ -0,0 +1,83 @@
+import { z } from 'zod';
+
+export const ZCurrentPasswordSchema = z
+  .string()
+  .min(6, { message: 'Must be at least 6 characters in length' })
+  .max(72);
+
+export const ZSignInSchema = z.object({
+  email: z.string().email().min(1),
+  password: ZCurrentPasswordSchema,
+  totpCode: z.string().trim().optional(),
+  backupCode: z.string().trim().optional(),
+  csrfToken: z.string().trim(),
+});
+
+export type TSignInSchema = z.infer<typeof ZSignInSchema>;
+
+export const ZPasswordSchema = z
+  .string()
+  .min(8, { message: 'Must be at least 8 characters in length' })
+  .max(72, { message: 'Cannot be more than 72 characters in length' })
+  .refine((value) => value.length > 25 || /[A-Z]/.test(value), {
+    message: 'One uppercase character',
+  })
+  .refine((value) => value.length > 25 || /[a-z]/.test(value), {
+    message: 'One lowercase character',
+  })
+  .refine((value) => value.length > 25 || /\d/.test(value), {
+    message: 'One number',
+  })
+  .refine((value) => value.length > 25 || /[`~<>?,./!@#$%^&*()\-_"'+=|{}[\];:\\]/.test(value), {
+    message: 'One special character is required',
+  });
+
+export const ZSignUpSchema = z.object({
+  name: z.string().min(1),
+  email: z.string().email(),
+  password: ZPasswordSchema,
+  signature: z.string().nullish(),
+  url: z
+    .string()
+    .trim()
+    .toLowerCase()
+    .min(1)
+    .regex(/^[a-z0-9-]+$/, {
+      message: 'Username can only container alphanumeric characters and dashes.',
+    })
+    .optional(),
+});
+
+export type TSignUpSchema = z.infer<typeof ZSignUpSchema>;
+
+export const ZForgotPasswordSchema = z.object({
+  email: z.string().email().min(1),
+});
+
+export type TForgotPasswordSchema = z.infer<typeof ZForgotPasswordSchema>;
+
+export const ZResetPasswordSchema = z.object({
+  password: ZPasswordSchema,
+  token: z.string().min(1),
+});
+
+export type TResetPasswordSchema = z.infer<typeof ZResetPasswordSchema>;
+
+export const ZVerifyEmailSchema = z.object({
+  token: z.string().min(1),
+});
+
+export type TVerifyEmailSchema = z.infer<typeof ZVerifyEmailSchema>;
+
+export const ZResendVerifyEmailSchema = z.object({
+  email: z.string().email().min(1),
+});
+
+export type TResendVerifyEmailSchema = z.infer<typeof ZResendVerifyEmailSchema>;
+
+export const ZUpdatePasswordSchema = z.object({
+  currentPassword: ZCurrentPasswordSchema,
+  password: ZPasswordSchema,
+});
+
+export type TUpdatePasswordSchema = z.infer<typeof ZUpdatePasswordSchema>;

packages/auth/server/types/passkey.ts

@@ -0,0 +1,8 @@
+import { z } from 'zod';
+
+export const ZPasskeyAuthorizeSchema = z.object({
+  csrfToken: z.string().min(1),
+  credential: z.string().min(1),
+});
+
+export type TPasskeyAuthorizeSchema = z.infer<typeof ZPasskeyAuthorizeSchema>;