auth/account_routes.ts

Account route specs for cookie-based session management.

Returns RouteSpec[] — caller applies them to Hono via apply_route_specs.

Provides:

- POST /login — Exchange username + password for signed session cookie
- POST /logout — Clear session cookie and revoke auth session
- GET /verify — Check if current session is valid
- GET /sessions — List auth sessions for current account
- POST /sessions/:id/revoke — Revoke a single auth session (account-scoped)
- POST /sessions/revoke-all — Revoke all auth sessions for current account
- POST /tokens/create — Create an API token
- GET /tokens — List API tokens for current account
- POST /tokens/:id/revoke — Revoke an API token (account-scoped)
- POST /password — Change password (revokes all sessions and API tokens)

Signup is separate — see signup_routes.ts for invite-gated account creation. Defaults are closed/safe: accounts are created through bootstrap, admin action, or invite.

Declarations

7 declarations

AccountRouteOptions

Per-factory configuration for account route specs.

Extends AuthSessionRouteOptions, which supplies session_options and ip_rate_limiter.

login_account_rate_limiter

Rate limiter for login attempts, keyed by submitted username. Pass null to disable.

type RateLimiter | null

max_sessions

Max active sessions per account. Evicts oldest on login. Default 5, null disables.

type number | null

max_tokens

Max API tokens per account. Evicts oldest on creation. Default 10, null disables.

type number | null

AccountStatusOptions

Options for the account status route spec.

path

Override the default path (/api/account/status).

type string

bootstrap_status

Runtime bootstrap status — when available, 401 responses include bootstrap_available.

type {available: boolean}

AuthSessionRouteOptions

Shared options for route factories that create sessions and rate-limit by IP.

Extended by AccountRouteOptions and SignupRouteOptions. Consumers can destructure these from AppServerContext once and spread into multiple factories.

session_options

type SessionOptions<string>

ip_rate_limiter

Rate limiter for auth attempts, keyed by client IP. Pass null to disable.

type RateLimiter | null
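The two limiter options above share one shape: a limiter keyed by a string (client IP for ip_rate_limiter, submitted username for login_account_rate_limiter), with null meaning the check is skipped. The following is an added example, not the project's RateLimiter: a sliding-window limiter plus the login gate that consults both limiters. The hit() interface, the window bookkeeping and the username normalization rule are assumptions made for the example.

```typescript
// Added example (not the project's RateLimiter): a sliding-window limiter
// keyed by an arbitrary string, plus the login gate that consults the IP-keyed
// and username-keyed limiters, skipping either that is null. The interface
// and the normalization rule are assumptions.
interface RateLimiter {
  // Record an attempt under `key`; true if it is within the limit.
  hit(key: string, now_ms: number): boolean;
}

class SlidingWindowLimiter implements RateLimiter {
  private readonly hits = new Map<string, number[]>();

  constructor(private readonly limit: number, private readonly window_ms: number) {}

  hit(key: string, now_ms: number): boolean {
    const cutoff = now_ms - this.window_ms;
    // Drop timestamps that have aged out of the window before counting.
    const recent = (this.hits.get(key) ?? []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return false; // over limit: the rejected attempt is not recorded
    }
    recent.push(now_ms);
    this.hits.set(key, recent);
    return true;
  }
}

// Key the account limiter by a canonical form of the submitted username so
// "Alice" and " alice " share one bucket instead of each getting a fresh quota.
function account_key(username: string): string {
  return username.trim().toLowerCase();
}

type Throttle = "ip" | "account" | null;

// Returns which limiter rejected the attempt, or null when it may proceed.
// The IP limiter is checked first so a flood from one address is cut off
// before it can consume any per-username quota.
function login_gate(
  ip_limiter: RateLimiter | null,
  account_limiter: RateLimiter | null,
  ip: string,
  username: string,
  now_ms: number,
): Throttle {
  if (ip_limiter !== null && !ip_limiter.hit(ip, now_ms)) return "ip";
  if (account_limiter !== null && !account_limiter.hit(account_key(username), now_ms)) {
    return "account";
  }
  return null;
}
```

A username-keyed limiter is what stops a distributed password-spraying attempt that an IP limiter cannot see, but it also lets anyone throttle a victim's logins by submitting that username; keep the per-username budget generous relative to a real user's retries and return the same generic error whichever limiter fired, so the response does not reveal whether the username exists.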

create_account_route_specs

(deps: RouteFactoryDeps, options: AccountRouteOptions): RouteSpec[]

Create account route specs for session-based auth.

All session/token revocation is account-scoped: a caller can only revoke sessions and API tokens that belong to the authenticated account, and an id belonging to another account is treated like an unknown id, which prevents cross-account revocation attacks.

deps

stateless capabilities (keyring, password, log)

options

per-factory configuration (session_options, ip_rate_limiter, login_account_rate_limiter)

returns

RouteSpec[]

route specs (not yet applied to Hono)
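The max_sessions / max_tokens options above ("evicts oldest on login", null disables) and the account-scoped revocation rule of this factory come down to the same per-account bookkeeping. The following is an added example, not the project's own session or token store: an in-memory table that applies the cap and refuses to revoke an id that belongs to a different account. The class, its method names and the use of a counter in place of a timestamp are assumptions.

```typescript
// Added example (not the project's own store): an in-memory session/token
// table that applies the per-account cap and the account-scoped revocation
// the page describes. Names and the `created_at` ordering are assumptions.
type Entry = { id: string; account: string; created_at: number };

class BoundedAccountStore {
  private readonly entries = new Map<string, Entry>();
  private clock = 0; // monotonic counter standing in for a timestamp

  // `max` mirrors max_sessions / max_tokens: null disables the cap.
  constructor(private readonly max: number | null) {}

  // Insert a new entry for `account`; if the account now exceeds `max`,
  // evict its oldest entries until it fits ("evicts oldest on login").
  create(account: string, id: string): Entry {
    const entry: Entry = { id, account, created_at: this.clock++ };
    this.entries.set(id, entry);
    if (this.max !== null) {
      const mine = this.list(account); // oldest first
      while (mine.length > this.max) {
        const oldest = mine.shift()!;
        this.entries.delete(oldest.id);
      }
    }
    return entry;
  }

  // Entries belonging to `account`, oldest first. Never returns other accounts'
  // entries, which is what GET /sessions and GET /tokens need.
  list(account: string): Entry[] {
    return [...this.entries.values()]
      .filter((e) => e.account === account)
      .sort((a, b) => a.created_at - b.created_at);
  }

  // Account-scoped revoke: an id that exists but belongs to a different
  // account is treated exactly like an unknown id, so the caller learns
  // nothing about it and nothing is deleted.
  revoke(account: string, id: string): boolean {
    const e = this.entries.get(id);
    if (e === undefined || e.account !== account) return false;
    this.entries.delete(id);
    return true;
  }

  // For /sessions/revoke-all, and for /password, which revokes everything.
  revoke_all(account: string): number {
    const mine = this.list(account);
    for (const e of mine) this.entries.delete(e.id);
    return mine.length;
  }
}
```

The important property is that revoke() looks the id up globally and then checks ownership, rather than trusting the id from the URL: a 404-style false for both "unknown id" and "someone else's id" keeps the endpoint from acting as an oracle for other accounts' session ids.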

create_account_status_route_spec

(options?: AccountStatusOptions | undefined): RouteSpec

Create the account status route spec.

Handles both authenticated and unauthenticated requests:

- Authenticated: returns {account} with 200
- Unauthenticated: returns 401 with optional bootstrap_available flag

This eliminates the need for a separate /health fetch on page load — the frontend gets both session state and bootstrap availability in one request.

options?

optional configuration (bootstrap_status for bootstrap detection)

type AccountStatusOptions | undefined
optional

returns

RouteSpec

a single account status route spec
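The status route is only as good as the session check behind it: the cookie must carry a valid signature, and the session it names must still exist server-side, otherwise a cookie captured before logout would keep working. The following is an added example, not the project's session format or handler: it signs and verifies a `<session_id>.<base64url HMAC-SHA256>` cookie and produces the two responses listed above. The cookie layout, the cookie name, the in-memory session map and the helper names are assumptions.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";
import { Buffer } from "node:buffer";

// Added example (not the project's session format or handler): verifying a
// signed session cookie and producing the status response described above.
// The cookie layout `<session_id>.<base64url HMAC-SHA256>`, the cookie name
// and the helper names are assumptions.
const COOKIE_NAME = "session";

// Issued by the server at login. The MAC binds the id to the secret so a
// client cannot mint or alter ids; it says nothing about whether the
// session still exists, which is why account_status also consults `sessions`.
function sign_session(session_id: string, secret: string): string {
  const mac = createHmac("sha256", secret).update(session_id).digest("base64url");
  return `${session_id}.${mac}`;
}

// Minimal Cookie header parser: "a=1; b=2" -> Map { a => "1", b => "2" }.
function parse_cookies(header: string | undefined): Map<string, string> {
  const out = new Map<string, string>();
  for (const part of (header ?? "").split(";")) {
    const eq = part.indexOf("=");
    if (eq <= 0) continue;
    out.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return out;
}

// Returns the session id if the MAC verifies, else null. The comparison is
// constant-time so a forged MAC cannot be guessed byte by byte.
function verify_session_cookie(value: string | undefined, secret: string): string | null {
  if (value === undefined) return null;
  const dot = value.lastIndexOf(".");
  if (dot <= 0) return null;
  const id = value.slice(0, dot);
  const given = Buffer.from(value.slice(dot + 1), "base64url");
  const expected = createHmac("sha256", secret).update(id).digest();
  if (given.length !== expected.length) return null;
  return timingSafeEqual(given, expected) ? id : null;
}

type StatusResponse =
  | { status: 200; body: { account: string } }
  | { status: 401; body: { bootstrap_available?: boolean } };

// `sessions` maps live session id -> account; logout and revoke delete from
// it, so a cookie with a valid MAC for a revoked session still yields 401.
function account_status(
  headers: { cookie?: string },
  secret: string,
  sessions: Map<string, string>,
  bootstrap_status?: { available: boolean },
): StatusResponse {
  const id = verify_session_cookie(parse_cookies(headers.cookie).get(COOKIE_NAME), secret);
  const account = id === null ? undefined : sessions.get(id);
  if (account !== undefined) return { status: 200, body: { account } };
  // Only include bootstrap_available when a bootstrap status was supplied,
  // matching the "when available" wording of AccountStatusOptions.
  return bootstrap_status === undefined
    ? { status: 401, body: {} }
    : { status: 401, body: { bootstrap_available: bootstrap_status.available } };
}
```

Note the order of checks: a missing or malformed cookie, a bad MAC and a revoked session all collapse to the same 401, so the response does not tell a caller which of the three it hit.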

DEFAULT_MAX_SESSIONS

Default value of AccountRouteOptions.max_sessions (5).

DEFAULT_MAX_TOKENS

Default value of AccountRouteOptions.max_tokens (10).
