@unchainedshop/core-users

December 30, 2025 ยท View on GitHub

npm version License: EUPL-1.2

@unchainedshop/core-users

User management module for the Unchained Engine. Handles user accounts, authentication, profiles, and WebAuthn support.

Installation

npm install @unchainedshop/core-users

Usage

import { configureUsersModule } from '@unchainedshop/core-users';

const usersModule = await configureUsersModule({ db });

// Find users
const users = await usersModule.findUsers({
  includeGuests: false,
  limit: 50,
});

// Create a user
const userId = await usersModule.createUser({
  email: 'user@example.com',
  password: 'securePassword',
});

// Update profile
await usersModule.updateProfile(userId, {
  displayName: 'John Doe',
});

API Overview

Module Configuration

ExportDescription
configureUsersModuleConfigure and return the users module
configureUsersWebAuthnModuleConfigure WebAuthn submodule

Queries

MethodDescription
findUserFind user by ID, email, or username
findUsersFind users with filtering, sorting, and pagination
countCount users matching query
userExistsCheck if a user exists

Mutations

MethodDescription
createUserCreate a new user account
updateUserUpdate user data
updateProfileUpdate user profile
updateRolesUpdate user roles
updateTagsUpdate user tags
updateAvatarSet user avatar
updateBillingAddressUpdate billing address
updatePasswordChange user password
updateUsernameChange username
deleteSoft delete a user
replaceUserIdMigrate data between users

Authentication

MethodDescription
verifyPasswordVerify password against stored hash
hashPasswordHash a password for storage
addEmailAdd email address to user
removeEmailRemove email address
verifyEmailMark email as verified
updateHeartbeatUpdate last activity timestamp
updateLastLoginRecord login event

WebAuthn Submodule

MethodDescription
webAuthn.findCredentialsFind WebAuthn credentials for user
webAuthn.createCredentialRegister new WebAuthn credential
webAuthn.removeCredentialRemove WebAuthn credential

Settings

ExportDescription
userSettingsAccess user module settings
UserAccountActionAccount action types enum

Types

ExportDescription
UserUser document type
UserQueryQuery parameters type
UserProfileUser profile type
EmailEmail address type
UsersModuleModule interface type
UserSettingsOptionsConfiguration options type

Events

EventDescription
USER_CREATEUser created
USER_UPDATEUser updated
USER_REMOVEUser deleted
USER_UPDATE_PROFILEProfile updated
USER_UPDATE_PASSWORDPassword changed
USER_UPDATE_ROLESRoles changed
USER_ACCOUNT_ACTIONAccount action triggered

Security

This module implements security best practices for user authentication and data protection.

Password Security

  • Algorithm: PBKDF2 with SHA-512
  • Iterations: 300,000 (exceeds OWASP recommendation)
  • Salt: 16 bytes, cryptographically random per password
  • Key Length: 256 bytes
  • FIPS 140-3: Compatible when running on FIPS-enabled Node.js

Token Security

  • Generation: crypto.randomUUID() (CSPRNG-based)
  • Storage: SHA-256 hashed before database storage
  • Expiration: Time-limited (configurable, default 1 hour)
  • Single-use: Tokens invalidated after verification

WebAuthn/FIDO2

Full support for passwordless authentication via hardware security keys and platform authenticators, providing phishing-resistant authentication.

Data Protection

  • Sensitive data (password hashes, tokens) stripped from event emissions via removeConfidentialServiceHashes()
  • Soft delete preserves audit trail while removing PII
  • Email addresses and profile data access-controlled via RBAC

See SECURITY.md for complete security documentation.

License

EUPL-1.2