@aooth/user 0.1.8 → 0.1.10

package/dist/atscript-db.cjs

@@ -1,5 +1,5 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-const require_federated_identity_store = require("./federated-identity-store-oRjhnR5l.cjs");
+const require_federated_identity_store = require("./federated-identity-store-BEEEcoaP.cjs");
 let node_crypto = require("node:crypto");
 //#region src/atscript-db/federated-identity-store.ts
 function isConflict$1(err) {
@@ -80,14 +80,17 @@ function isConflict(err) {
 * `@atscript/db`-backed `UserStore`. Pass the resolved table for the
 * `AoothUserCredentials` (or a `.as` interface extending it) shipped at the
 * `@aooth/user/atscript-db/model.as` subpath. Identity reads use the
-* `@meta.id` PK (`id`) plus the unique `username` / `email` indexes; writes key
-* on `id`.
+* `@meta.id` PK (`id`) and the unique `username` index, plus any
+* annotation-resolved `handleFields`; writes key on `id`.
 */
 var UsersStoreAtscriptDb = class extends require_federated_identity_store.UserStore {
 	table;
+	/** Secondary handle fields tried (in order) by `findByHandle` after `username`. */
+	handleFields;
 	constructor(opts) {
 		super();
 		this.table = opts.table;
+		this.handleFields = opts.handleFields ?? [];
 	}
 	async exists(handle) {
 		return await this.table.count({ filter: { username: handle } }) > 0;
@@ -98,7 +101,11 @@ var UsersStoreAtscriptDb = class extends require_federated_identity_store.UserSt
 	async findByHandle(handle) {
 		const byUsername = await this.table.findOne({ filter: { username: handle } });
 		if (byUsername) return byUsername;
-		return await this.table.findOne({ filter: { email: handle } });
+		for (const field of this.handleFields) {
+			const byHandle = await this.table.findOne({ filter: { [field]: handle } });
+			if (byHandle) return byHandle;
+		}
+		return null;
 	}
 	async findByIdentifier(value) {
 		const byId = await this.table.findOne({ filter: { id: value } });
@@ -119,7 +126,12 @@ var UsersStoreAtscriptDb = class extends require_federated_identity_store.UserSt
 		if (update.inc) for (const [path, amount] of Object.entries(update.inc)) require_federated_identity_store.setAtPath(patch, path, { $inc: amount });
 		if (Object.keys(patch).length <= 1) return true;
 		if (update.expectedVersion !== void 0) patch.$cas = { version: update.expectedVersion };
-		return (await this.table.updateOne(patch)).matchedCount > 0;
+		try {
+			return (await this.table.updateOne(patch)).matchedCount > 0;
+		} catch (e) {
+			if (isConflict(e)) throw new require_federated_identity_store.UserAuthError("ALREADY_EXISTS", "Update conflicts with an existing unique value");
+			throw e;
+		}
 	}
 	async delete(id) {
 		return (await this.table.deleteMany({ id })).deletedCount > 0;

package/dist/atscript-db.d.cts

@@ -1,4 +1,4 @@
-import { D as UserCredentials, i as NewFederatedIdentity, k as UserStoreUpdate, n as FederatedIdentityStore, o as UserStore, r as FederatedProfileSnapshot, s as WithCasOptions, t as FederatedIdentity } from "./federated-identity-store-DEEed8lA.cjs";
+import { D as UserCredentials, i as NewFederatedIdentity, k as UserStoreUpdate, n as FederatedIdentityStore, o as UserStore, r as FederatedProfileSnapshot, s as WithCasOptions, t as FederatedIdentity } from "./federated-identity-store-CI7Vgllp.cjs";
 
 //#region src/atscript-db/federated-identity-store.d.ts
 /**
@@ -88,16 +88,28 @@ interface AuthUserTable<TUserCustom extends object = object> {
 }
 interface UsersStoreAtscriptDbOptions<TUserCustom extends object> {
   table: AuthUserTable<TUserCustom>;
+  /**
+   * Ordered login-handle field names (e.g. email then phone), resolved from the
+   * model's `@aooth.user.*` annotations by the wiring layer (`handleFields` of
+   * `getAoothUserHandleSpec`). `findByHandle` falls back to a `{ [field]: handle }`
+   * lookup for each, in order, after `username`. Omit/empty to disable handle
+   * resolution (login by anything but `username` unavailable). The base credential
+   * model no longer hardcodes `email` — the field names are whatever the
+   * consumer's `.as` model annotates.
+   */
+  handleFields?: string[];
 }
 /**
  * `@atscript/db`-backed `UserStore`. Pass the resolved table for the
  * `AoothUserCredentials` (or a `.as` interface extending it) shipped at the
  * `@aooth/user/atscript-db/model.as` subpath. Identity reads use the
- * `@meta.id` PK (`id`) plus the unique `username` / `email` indexes; writes key
- * on `id`.
+ * `@meta.id` PK (`id`) and the unique `username` index, plus any
+ * annotation-resolved `handleFields`; writes key on `id`.
  */
 declare class UsersStoreAtscriptDb<TUserCustom extends object = object> extends UserStore<TUserCustom> {
   protected table: AuthUserTable<TUserCustom>;
+  /** Secondary handle fields tried (in order) by `findByHandle` after `username`. */
+  protected readonly handleFields: string[];
   constructor(opts: UsersStoreAtscriptDbOptions<TUserCustom>);
   exists(handle: string): Promise<boolean>;
   findById(id: string): Promise<(UserCredentials & TUserCustom) | null>;

package/dist/atscript-db.d.mts

@@ -1,4 +1,4 @@
-import { D as UserCredentials, i as NewFederatedIdentity, k as UserStoreUpdate, n as FederatedIdentityStore, o as UserStore, r as FederatedProfileSnapshot, s as WithCasOptions, t as FederatedIdentity } from "./federated-identity-store-DEEed8lA.mjs";
+import { D as UserCredentials, i as NewFederatedIdentity, k as UserStoreUpdate, n as FederatedIdentityStore, o as UserStore, r as FederatedProfileSnapshot, s as WithCasOptions, t as FederatedIdentity } from "./federated-identity-store-CI7Vgllp.mjs";
 
 //#region src/atscript-db/federated-identity-store.d.ts
 /**
@@ -88,16 +88,28 @@ interface AuthUserTable<TUserCustom extends object = object> {
 }
 interface UsersStoreAtscriptDbOptions<TUserCustom extends object> {
   table: AuthUserTable<TUserCustom>;
+  /**
+   * Ordered login-handle field names (e.g. email then phone), resolved from the
+   * model's `@aooth.user.*` annotations by the wiring layer (`handleFields` of
+   * `getAoothUserHandleSpec`). `findByHandle` falls back to a `{ [field]: handle }`
+   * lookup for each, in order, after `username`. Omit/empty to disable handle
+   * resolution (login by anything but `username` unavailable). The base credential
+   * model no longer hardcodes `email` — the field names are whatever the
+   * consumer's `.as` model annotates.
+   */
+  handleFields?: string[];
 }
 /**
  * `@atscript/db`-backed `UserStore`. Pass the resolved table for the
  * `AoothUserCredentials` (or a `.as` interface extending it) shipped at the
  * `@aooth/user/atscript-db/model.as` subpath. Identity reads use the
- * `@meta.id` PK (`id`) plus the unique `username` / `email` indexes; writes key
- * on `id`.
+ * `@meta.id` PK (`id`) and the unique `username` index, plus any
+ * annotation-resolved `handleFields`; writes key on `id`.
  */
 declare class UsersStoreAtscriptDb<TUserCustom extends object = object> extends UserStore<TUserCustom> {
   protected table: AuthUserTable<TUserCustom>;
+  /** Secondary handle fields tried (in order) by `findByHandle` after `username`. */
+  protected readonly handleFields: string[];
   constructor(opts: UsersStoreAtscriptDbOptions<TUserCustom>);
   exists(handle: string): Promise<boolean>;
   findById(id: string): Promise<(UserCredentials & TUserCustom) | null>;

package/dist/atscript-db.mjs

@@ -1,4 +1,4 @@
-import { d as UserAuthError, n as pickDefinedProfile, r as UserStore, t as FederatedIdentityStore, u as setAtPath } from "./federated-identity-store-Cmc7jBrw.mjs";
+import { d as UserAuthError, n as pickDefinedProfile, r as UserStore, t as FederatedIdentityStore, u as setAtPath } from "./federated-identity-store-CHW1xtMp.mjs";
 import { randomUUID } from "node:crypto";
 //#region src/atscript-db/federated-identity-store.ts
 function isConflict$1(err) {
@@ -79,14 +79,17 @@ function isConflict(err) {
 * `@atscript/db`-backed `UserStore`. Pass the resolved table for the
 * `AoothUserCredentials` (or a `.as` interface extending it) shipped at the
 * `@aooth/user/atscript-db/model.as` subpath. Identity reads use the
-* `@meta.id` PK (`id`) plus the unique `username` / `email` indexes; writes key
-* on `id`.
+* `@meta.id` PK (`id`) and the unique `username` index, plus any
+* annotation-resolved `handleFields`; writes key on `id`.
 */
 var UsersStoreAtscriptDb = class extends UserStore {
 	table;
+	/** Secondary handle fields tried (in order) by `findByHandle` after `username`. */
+	handleFields;
 	constructor(opts) {
 		super();
 		this.table = opts.table;
+		this.handleFields = opts.handleFields ?? [];
 	}
 	async exists(handle) {
 		return await this.table.count({ filter: { username: handle } }) > 0;
@@ -97,7 +100,11 @@ var UsersStoreAtscriptDb = class extends UserStore {
 	async findByHandle(handle) {
 		const byUsername = await this.table.findOne({ filter: { username: handle } });
 		if (byUsername) return byUsername;
-		return await this.table.findOne({ filter: { email: handle } });
+		for (const field of this.handleFields) {
+			const byHandle = await this.table.findOne({ filter: { [field]: handle } });
+			if (byHandle) return byHandle;
+		}
+		return null;
 	}
 	async findByIdentifier(value) {
 		const byId = await this.table.findOne({ filter: { id: value } });
@@ -118,7 +125,12 @@ var UsersStoreAtscriptDb = class extends UserStore {
 		if (update.inc) for (const [path, amount] of Object.entries(update.inc)) setAtPath(patch, path, { $inc: amount });
 		if (Object.keys(patch).length <= 1) return true;
 		if (update.expectedVersion !== void 0) patch.$cas = { version: update.expectedVersion };
-		return (await this.table.updateOne(patch)).matchedCount > 0;
+		try {
+			return (await this.table.updateOne(patch)).matchedCount > 0;
+		} catch (e) {
+			if (isConflict(e)) throw new UserAuthError("ALREADY_EXISTS", "Update conflicts with an existing unique value");
+			throw e;
+		}
 	}
 	async delete(id) {
 		return (await this.table.deleteMany({ id })).deletedCount > 0;

package/dist/{federated-identity-store-oRjhnR5l.cjs → federated-identity-store-BEEEcoaP.cjs}

@@ -100,9 +100,10 @@ function incrementAtPath(obj, path, amount) {
 *
 * - `findById` — strict, by the surrogate id; the canonical identity read used
 *   by authenticated flows that resolve the session subject (`getUserId()`).
-* - `findByHandle` — deterministic LOGIN resolver (`username` then `email`).
+* - `findByHandle` — deterministic LOGIN resolver (`username`, then the
+*   annotation-resolved handle fields — email, then phone — in order).
 * - `findByIdentifier` — permissive internal/admin/recovery lookup (`id`, then
-*   `username`, then `email`).
+*   the `findByHandle` chain).
 *
 * Writes (`update`/`delete`/`withCas`) all key on the surrogate `id`.
 */

package/dist/{federated-identity-store-Cmc7jBrw.mjs → federated-identity-store-CHW1xtMp.mjs}

@@ -100,9 +100,10 @@ function incrementAtPath(obj, path, amount) {
 *
 * - `findById` — strict, by the surrogate id; the canonical identity read used
 *   by authenticated flows that resolve the session subject (`getUserId()`).
-* - `findByHandle` — deterministic LOGIN resolver (`username` then `email`).
+* - `findByHandle` — deterministic LOGIN resolver (`username`, then the
+*   annotation-resolved handle fields — email, then phone — in order).
 * - `findByIdentifier` — permissive internal/admin/recovery lookup (`id`, then
-*   `username`, then `email`).
+*   the `findByHandle` chain).
 *
 * Writes (`update`/`delete`/`withCas`) all key on the surrogate `id`.
 */

package/dist/{federated-identity-store-DEEed8lA.d.cts → federated-identity-store-CI7Vgllp.d.cts}

@@ -2,14 +2,6 @@
 interface UserCredentials {
   id: string;
   username: string;
-  /**
-   * Unique login/contact handle. Indexed `@db.index.unique 'email_idx'` on the
-   * `AoothUserCredentials` model so it is independently unique from `username`
-   * and resolvable via `UserStore.findByHandle` / `findByIdentifier`. Optional
-   * because not every deployment populates it (and the invite flow sets
-   * `username := email`).
-   */
-  email?: string;
   /**
    * Server-managed optimistic-concurrency counter. Bumped by `UserStore.update`
    * on every successful write; checked against `UserStoreUpdate.expectedVersion`
@@ -233,9 +225,10 @@ interface WithCasOptions {
  *
  * - `findById` — strict, by the surrogate id; the canonical identity read used
  *   by authenticated flows that resolve the session subject (`getUserId()`).
- * - `findByHandle` — deterministic LOGIN resolver (`username` then `email`).
+ * - `findByHandle` — deterministic LOGIN resolver (`username`, then the
+ *   annotation-resolved handle fields — email, then phone — in order).
  * - `findByIdentifier` — permissive internal/admin/recovery lookup (`id`, then
- *   `username`, then `email`).
+ *   the `findByHandle` chain).
  *
  * Writes (`update`/`delete`/`withCas`) all key on the surrogate `id`.
  */
@@ -248,17 +241,19 @@ declare abstract class UserStore<T extends object = object> {
    */
   abstract findById(id: string): Promise<(UserCredentials & T) | null>;
   /**
-   * Deterministic LOGIN resolver: matches `username` exactly, then `email`
-   * exactly (in that order). Intentionally NOT a permissive `$or` — `id`,
-   * `username`, and `email` are all strings, so a permissive match could
-   * silently resolve a value that is one user's username and another's email
-   * to an arbitrary account.
+   * Deterministic LOGIN resolver: matches `username` exactly, then each
+   * annotation-resolved handle field (email, then phone) exactly, in that
+   * order. Intentionally NOT a permissive `$or` — handle values are all
+   * strings, so a permissive match could silently resolve a value that is one
+   * user's username and another's email to an arbitrary account. Each handle
+   * field is unique-when-present (the `@aooth.user.*` boot contract), so a
+   * present value resolves to at most one row.
    */
   abstract findByHandle(handle: string): Promise<(UserCredentials & T) | null>;
   /**
-   * Permissive lookup for internal / admin / recovery callers: `id`, then
-   * `username`, then `email` (ordered, first match). NOT for the login path —
-   * use `findByHandle` there.
+   * Permissive lookup for internal / admin / recovery callers: `id`, then the
+   * `findByHandle` chain (`username`, then the resolved handle fields). NOT for
+   * the login path — use `findByHandle` there.
    */
   abstract findByIdentifier(value: string): Promise<(UserCredentials & T) | null>;
   abstract create(data: UserCredentials & T): Promise<void>;

package/dist/{federated-identity-store-DEEed8lA.d.mts → federated-identity-store-CI7Vgllp.d.mts}

@@ -2,14 +2,6 @@
 interface UserCredentials {
   id: string;
   username: string;
-  /**
-   * Unique login/contact handle. Indexed `@db.index.unique 'email_idx'` on the
-   * `AoothUserCredentials` model so it is independently unique from `username`
-   * and resolvable via `UserStore.findByHandle` / `findByIdentifier`. Optional
-   * because not every deployment populates it (and the invite flow sets
-   * `username := email`).
-   */
-  email?: string;
   /**
    * Server-managed optimistic-concurrency counter. Bumped by `UserStore.update`
    * on every successful write; checked against `UserStoreUpdate.expectedVersion`
@@ -233,9 +225,10 @@ interface WithCasOptions {
  *
  * - `findById` — strict, by the surrogate id; the canonical identity read used
  *   by authenticated flows that resolve the session subject (`getUserId()`).
- * - `findByHandle` — deterministic LOGIN resolver (`username` then `email`).
+ * - `findByHandle` — deterministic LOGIN resolver (`username`, then the
+ *   annotation-resolved handle fields — email, then phone — in order).
  * - `findByIdentifier` — permissive internal/admin/recovery lookup (`id`, then
- *   `username`, then `email`).
+ *   the `findByHandle` chain).
  *
  * Writes (`update`/`delete`/`withCas`) all key on the surrogate `id`.
  */
@@ -248,17 +241,19 @@ declare abstract class UserStore<T extends object = object> {
    */
   abstract findById(id: string): Promise<(UserCredentials & T) | null>;
   /**
-   * Deterministic LOGIN resolver: matches `username` exactly, then `email`
-   * exactly (in that order). Intentionally NOT a permissive `$or` — `id`,
-   * `username`, and `email` are all strings, so a permissive match could
-   * silently resolve a value that is one user's username and another's email
-   * to an arbitrary account.
+   * Deterministic LOGIN resolver: matches `username` exactly, then each
+   * annotation-resolved handle field (email, then phone) exactly, in that
+   * order. Intentionally NOT a permissive `$or` — handle values are all
+   * strings, so a permissive match could silently resolve a value that is one
+   * user's username and another's email to an arbitrary account. Each handle
+   * field is unique-when-present (the `@aooth.user.*` boot contract), so a
+   * present value resolves to at most one row.
    */
   abstract findByHandle(handle: string): Promise<(UserCredentials & T) | null>;
   /**
-   * Permissive lookup for internal / admin / recovery callers: `id`, then
-   * `username`, then `email` (ordered, first match). NOT for the login path —
-   * use `findByHandle` there.
+   * Permissive lookup for internal / admin / recovery callers: `id`, then the
+   * `findByHandle` chain (`username`, then the resolved handle fields). NOT for
+   * the login path — use `findByHandle` there.
    */
   abstract findByIdentifier(value: string): Promise<(UserCredentials & T) | null>;
   abstract create(data: UserCredentials & T): Promise<void>;

package/dist/index.cjs

@@ -1,5 +1,5 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-const require_federated_identity_store = require("./federated-identity-store-oRjhnR5l.cjs");
+const require_federated_identity_store = require("./federated-identity-store-BEEEcoaP.cjs");
 let node_crypto = require("node:crypto");
 //#region src/base-x/base32.ts
 /**
@@ -780,12 +780,24 @@ var UserStoreMemory = class extends require_federated_identity_store.UserStore {
 	/** Keyed by the stable surrogate `id` (the token subject). */
 	store = /* @__PURE__ */ new Map();
 	/**
+	* Ordered secondary handle fields (e.g. email then phone) resolved from the
+	* model's `@aooth.user.*` annotations by the wiring layer (`handleFields` of
+	* `getAoothUserHandleSpec`). Tried by `findByHandle` after `username`, and
+	* enforced unique by `create`. Empty when no handles are configured (login by
+	* email/phone unavailable).
+	*/
+	handleFields;
+	/**
 	* Optional seed. The map is keyed by each record's `id`; a record missing an
 	* `id` gets one minted (mirrors the DB `@db.default.uuid`). The seed object's
 	* keys are ignored — identity is the record's `id`.
+	*
+	* `opts.handleFields` names the ordered secondary login handles (mirroring
+	* `UsersStoreAtscriptDb`); omit it for username-only resolution.
 	*/
-	constructor(seed) {
+	constructor(seed, opts) {
 		super();
+		this.handleFields = opts?.handleFields ?? [];
 		if (seed) for (const value of Object.values(seed)) {
 			const cloned = structuredClone(value);
 			if (!cloned.id) cloned.id = (0, node_crypto.randomUUID)();
@@ -801,12 +813,21 @@ var UserStoreMemory = class extends require_federated_identity_store.UserStore {
 		return user ? structuredClone(user) : null;
 	}
 	async findByHandle(handle) {
-		let byEmail = null;
+		let byHandle = null;
 		for (const u of this.store.values()) {
 			if (u.username === handle) return structuredClone(u);
-			if (byEmail === null && u.email !== void 0 && u.email === handle) byEmail = u;
+			if (byHandle === null) {
+				const rec = u;
+				for (const field of this.handleFields) {
+					const value = rec[field];
+					if (value !== void 0 && value === handle) {
+						byHandle = u;
+						break;
+					}
+				}
+			}
 		}
-		return byEmail ? structuredClone(byEmail) : null;
+		return byHandle ? structuredClone(byHandle) : null;
 	}
 	async findByIdentifier(value) {
 		const byId = this.store.get(value);
@@ -816,18 +837,36 @@ var UserStoreMemory = class extends require_federated_identity_store.UserStore {
 	async create(data) {
 		const cloned = structuredClone(data);
 		if (!cloned.id) cloned.id = (0, node_crypto.randomUUID)();
-		for (const u of this.store.values()) {
-			if (u.username === cloned.username) throw new require_federated_identity_store.UserAuthError("ALREADY_EXISTS", `User "${cloned.username}" already exists`);
-			if (cloned.email !== void 0 && u.email === cloned.email) throw new require_federated_identity_store.UserAuthError("ALREADY_EXISTS", `Email "${cloned.email}" already exists`);
-		}
+		for (const u of this.store.values()) if (u.username === cloned.username) throw new require_federated_identity_store.UserAuthError("ALREADY_EXISTS", `User "${cloned.username}" already exists`);
+		this.assertHandlesUnique(cloned);
 		cloned.version = 0;
 		this.store.set(cloned.id, cloned);
 	}
+	/**
+	* Throw `ALREADY_EXISTS` if any record other than `excludeId` already holds
+	* one of `rec`'s handle-column values — the in-memory mirror of the
+	* atscript-db store's unique index, so `create` and `update` enforce the same
+	* collision contract (which `promote-to-handle` swallows best-effort). Handle
+	* values are string columns; a non-string is never a collision.
+	*/
+	assertHandlesUnique(rec, excludeId) {
+		for (const field of this.handleFields) {
+			const value = rec[field];
+			if (typeof value !== "string") continue;
+			for (const [otherId, other] of this.store) {
+				if (otherId === excludeId) continue;
+				if (other[field] === value) throw new require_federated_identity_store.UserAuthError("ALREADY_EXISTS", `${field} "${value}" already exists`);
+			}
+		}
+	}
 	async update(id, update) {
 		const user = this.store.get(id);
 		if (!user) return false;
 		if (update.expectedVersion !== void 0 && (user.version ?? 0) !== update.expectedVersion) return false;
-		if (update.set) require_federated_identity_store.deepMerge(user, update.set);
+		if (update.set) {
+			this.assertHandlesUnique(update.set, id);
+			require_federated_identity_store.deepMerge(user, update.set);
+		}
 		if (update.inc) for (const [path, amount] of Object.entries(update.inc)) require_federated_identity_store.incrementAtPath(user, path, amount);
 		user.version = (user.version ?? 0) + 1;
 		return true;

package/dist/index.d.cts

@@ -1,4 +1,4 @@
-import { C as TotpConfig, D as UserCredentials, E as UserAuthErrorType, O as UserServiceConfig, S as PolicyCheckResult, T as TrustedDeviceRecord, _ as PasswordData, a as pickDefinedProfile, b as PasswordPolicyEvalFn, c as AccountData, d as LockoutConfig, f as LoginResult, g as PasswordConfig, h as MfaMethodInfo, i as NewFederatedIdentity, k as UserStoreUpdate, l as DeepPartial, m as MfaMethod, n as FederatedIdentityStore, o as UserStore, p as MfaData, r as FederatedProfileSnapshot, s as WithCasOptions, t as FederatedIdentity, u as LockStatus, v as PasswordPolicyContext, w as TransferablePolicy, x as PasswordPolicyInstance, y as PasswordPolicyDef } from "./federated-identity-store-DEEed8lA.cjs";
+import { C as TotpConfig, D as UserCredentials, E as UserAuthErrorType, O as UserServiceConfig, S as PolicyCheckResult, T as TrustedDeviceRecord, _ as PasswordData, a as pickDefinedProfile, b as PasswordPolicyEvalFn, c as AccountData, d as LockoutConfig, f as LoginResult, g as PasswordConfig, h as MfaMethodInfo, i as NewFederatedIdentity, k as UserStoreUpdate, l as DeepPartial, m as MfaMethod, n as FederatedIdentityStore, o as UserStore, p as MfaData, r as FederatedProfileSnapshot, s as WithCasOptions, t as FederatedIdentity, u as LockStatus, v as PasswordPolicyContext, w as TransferablePolicy, x as PasswordPolicyInstance, y as PasswordPolicyDef } from "./federated-identity-store-CI7Vgllp.cjs";
 
 //#region src/errors.d.ts
 declare class UserAuthError extends Error {
@@ -238,17 +238,38 @@ declare class UserService<T extends object = object> {
 declare class UserStoreMemory<T extends object = object> extends UserStore<T> {
   /** Keyed by the stable surrogate `id` (the token subject). */
   private store;
+  /**
+   * Ordered secondary handle fields (e.g. email then phone) resolved from the
+   * model's `@aooth.user.*` annotations by the wiring layer (`handleFields` of
+   * `getAoothUserHandleSpec`). Tried by `findByHandle` after `username`, and
+   * enforced unique by `create`. Empty when no handles are configured (login by
+   * email/phone unavailable).
+   */
+  private readonly handleFields;
   /**
    * Optional seed. The map is keyed by each record's `id`; a record missing an
    * `id` gets one minted (mirrors the DB `@db.default.uuid`). The seed object's
    * keys are ignored — identity is the record's `id`.
+   *
+   * `opts.handleFields` names the ordered secondary login handles (mirroring
+   * `UsersStoreAtscriptDb`); omit it for username-only resolution.
    */
-  constructor(seed?: Record<string, UserCredentials & T>);
+  constructor(seed?: Record<string, UserCredentials & T>, opts?: {
+    handleFields?: string[];
+  });
   exists(handle: string): Promise<boolean>;
   findById(id: string): Promise<(UserCredentials & T) | null>;
   findByHandle(handle: string): Promise<(UserCredentials & T) | null>;
   findByIdentifier(value: string): Promise<(UserCredentials & T) | null>;
   create(data: UserCredentials & T): Promise<void>;
+  /**
+   * Throw `ALREADY_EXISTS` if any record other than `excludeId` already holds
+   * one of `rec`'s handle-column values — the in-memory mirror of the
+   * atscript-db store's unique index, so `create` and `update` enforce the same
+   * collision contract (which `promote-to-handle` swallows best-effort). Handle
+   * values are string columns; a non-string is never a collision.
+   */
+  private assertHandlesUnique;
   update(id: string, update: UserStoreUpdate): Promise<boolean>;
   delete(id: string): Promise<boolean>;
   withCas(id: string, mutator: (current: UserCredentials & T) => UserStoreUpdate | null, opts?: WithCasOptions): Promise<void>;

package/dist/index.d.mts

@@ -1,4 +1,4 @@
-import { C as TotpConfig, D as UserCredentials, E as UserAuthErrorType, O as UserServiceConfig, S as PolicyCheckResult, T as TrustedDeviceRecord, _ as PasswordData, a as pickDefinedProfile, b as PasswordPolicyEvalFn, c as AccountData, d as LockoutConfig, f as LoginResult, g as PasswordConfig, h as MfaMethodInfo, i as NewFederatedIdentity, k as UserStoreUpdate, l as DeepPartial, m as MfaMethod, n as FederatedIdentityStore, o as UserStore, p as MfaData, r as FederatedProfileSnapshot, s as WithCasOptions, t as FederatedIdentity, u as LockStatus, v as PasswordPolicyContext, w as TransferablePolicy, x as PasswordPolicyInstance, y as PasswordPolicyDef } from "./federated-identity-store-DEEed8lA.mjs";
+import { C as TotpConfig, D as UserCredentials, E as UserAuthErrorType, O as UserServiceConfig, S as PolicyCheckResult, T as TrustedDeviceRecord, _ as PasswordData, a as pickDefinedProfile, b as PasswordPolicyEvalFn, c as AccountData, d as LockoutConfig, f as LoginResult, g as PasswordConfig, h as MfaMethodInfo, i as NewFederatedIdentity, k as UserStoreUpdate, l as DeepPartial, m as MfaMethod, n as FederatedIdentityStore, o as UserStore, p as MfaData, r as FederatedProfileSnapshot, s as WithCasOptions, t as FederatedIdentity, u as LockStatus, v as PasswordPolicyContext, w as TransferablePolicy, x as PasswordPolicyInstance, y as PasswordPolicyDef } from "./federated-identity-store-CI7Vgllp.mjs";
 
 //#region src/errors.d.ts
 declare class UserAuthError extends Error {
@@ -238,17 +238,38 @@ declare class UserService<T extends object = object> {
 declare class UserStoreMemory<T extends object = object> extends UserStore<T> {
   /** Keyed by the stable surrogate `id` (the token subject). */
   private store;
+  /**
+   * Ordered secondary handle fields (e.g. email then phone) resolved from the
+   * model's `@aooth.user.*` annotations by the wiring layer (`handleFields` of
+   * `getAoothUserHandleSpec`). Tried by `findByHandle` after `username`, and
+   * enforced unique by `create`. Empty when no handles are configured (login by
+   * email/phone unavailable).
+   */
+  private readonly handleFields;
   /**
    * Optional seed. The map is keyed by each record's `id`; a record missing an
    * `id` gets one minted (mirrors the DB `@db.default.uuid`). The seed object's
    * keys are ignored — identity is the record's `id`.
+   *
+   * `opts.handleFields` names the ordered secondary login handles (mirroring
+   * `UsersStoreAtscriptDb`); omit it for username-only resolution.
    */
-  constructor(seed?: Record<string, UserCredentials & T>);
+  constructor(seed?: Record<string, UserCredentials & T>, opts?: {
+    handleFields?: string[];
+  });
   exists(handle: string): Promise<boolean>;
   findById(id: string): Promise<(UserCredentials & T) | null>;
   findByHandle(handle: string): Promise<(UserCredentials & T) | null>;
   findByIdentifier(value: string): Promise<(UserCredentials & T) | null>;
   create(data: UserCredentials & T): Promise<void>;
+  /**
+   * Throw `ALREADY_EXISTS` if any record other than `excludeId` already holds
+   * one of `rec`'s handle-column values — the in-memory mirror of the
+   * atscript-db store's unique index, so `create` and `update` enforce the same
+   * collision contract (which `promote-to-handle` swallows best-effort). Handle
+   * values are string columns; a non-string is never a collision.
+   */
+  private assertHandlesUnique;
   update(id: string, update: UserStoreUpdate): Promise<boolean>;
   delete(id: string): Promise<boolean>;
   withCas(id: string, mutator: (current: UserCredentials & T) => UserStoreUpdate | null, opts?: WithCasOptions): Promise<void>;

package/dist/index.mjs

@@ -1,4 +1,4 @@
-import { a as generateSecureRandom, c as maskMfaValue, d as UserAuthError, i as deepMerge, l as maskPhone, n as pickDefinedProfile, o as incrementAtPath, r as UserStore, s as maskEmail, t as FederatedIdentityStore, u as setAtPath } from "./federated-identity-store-Cmc7jBrw.mjs";
+import { a as generateSecureRandom, c as maskMfaValue, d as UserAuthError, i as deepMerge, l as maskPhone, n as pickDefinedProfile, o as incrementAtPath, r as UserStore, s as maskEmail, t as FederatedIdentityStore, u as setAtPath } from "./federated-identity-store-CHW1xtMp.mjs";
 import { createHash, createHmac, randomBytes, randomUUID, scrypt, timingSafeEqual } from "node:crypto";
 //#region src/base-x/base32.ts
 /**
@@ -779,12 +779,24 @@ var UserStoreMemory = class extends UserStore {
 	/** Keyed by the stable surrogate `id` (the token subject). */
 	store = /* @__PURE__ */ new Map();
 	/**
+	* Ordered secondary handle fields (e.g. email then phone) resolved from the
+	* model's `@aooth.user.*` annotations by the wiring layer (`handleFields` of
+	* `getAoothUserHandleSpec`). Tried by `findByHandle` after `username`, and
+	* enforced unique by `create`. Empty when no handles are configured (login by
+	* email/phone unavailable).
+	*/
+	handleFields;
+	/**
 	* Optional seed. The map is keyed by each record's `id`; a record missing an
 	* `id` gets one minted (mirrors the DB `@db.default.uuid`). The seed object's
 	* keys are ignored — identity is the record's `id`.
+	*
+	* `opts.handleFields` names the ordered secondary login handles (mirroring
+	* `UsersStoreAtscriptDb`); omit it for username-only resolution.
 	*/
-	constructor(seed) {
+	constructor(seed, opts) {
 		super();
+		this.handleFields = opts?.handleFields ?? [];
 		if (seed) for (const value of Object.values(seed)) {
 			const cloned = structuredClone(value);
 			if (!cloned.id) cloned.id = randomUUID();
@@ -800,12 +812,21 @@ var UserStoreMemory = class extends UserStore {
 		return user ? structuredClone(user) : null;
 	}
 	async findByHandle(handle) {
-		let byEmail = null;
+		let byHandle = null;
 		for (const u of this.store.values()) {
 			if (u.username === handle) return structuredClone(u);
-			if (byEmail === null && u.email !== void 0 && u.email === handle) byEmail = u;
+			if (byHandle === null) {
+				const rec = u;
+				for (const field of this.handleFields) {
+					const value = rec[field];
+					if (value !== void 0 && value === handle) {
+						byHandle = u;
+						break;
+					}
+				}
+			}
 		}
-		return byEmail ? structuredClone(byEmail) : null;
+		return byHandle ? structuredClone(byHandle) : null;
 	}
 	async findByIdentifier(value) {
 		const byId = this.store.get(value);
@@ -815,18 +836,36 @@ var UserStoreMemory = class extends UserStore {
 	async create(data) {
 		const cloned = structuredClone(data);
 		if (!cloned.id) cloned.id = randomUUID();
-		for (const u of this.store.values()) {
-			if (u.username === cloned.username) throw new UserAuthError("ALREADY_EXISTS", `User "${cloned.username}" already exists`);
-			if (cloned.email !== void 0 && u.email === cloned.email) throw new UserAuthError("ALREADY_EXISTS", `Email "${cloned.email}" already exists`);
-		}
+		for (const u of this.store.values()) if (u.username === cloned.username) throw new UserAuthError("ALREADY_EXISTS", `User "${cloned.username}" already exists`);
+		this.assertHandlesUnique(cloned);
 		cloned.version = 0;
 		this.store.set(cloned.id, cloned);
 	}
+	/**
+	* Throw `ALREADY_EXISTS` if any record other than `excludeId` already holds
+	* one of `rec`'s handle-column values — the in-memory mirror of the
+	* atscript-db store's unique index, so `create` and `update` enforce the same
+	* collision contract (which `promote-to-handle` swallows best-effort). Handle
+	* values are string columns; a non-string is never a collision.
+	*/
+	assertHandlesUnique(rec, excludeId) {
+		for (const field of this.handleFields) {
+			const value = rec[field];
+			if (typeof value !== "string") continue;
+			for (const [otherId, other] of this.store) {
+				if (otherId === excludeId) continue;
+				if (other[field] === value) throw new UserAuthError("ALREADY_EXISTS", `${field} "${value}" already exists`);
+			}
+		}
+	}
 	async update(id, update) {
 		const user = this.store.get(id);
 		if (!user) return false;
 		if (update.expectedVersion !== void 0 && (user.version ?? 0) !== update.expectedVersion) return false;
-		if (update.set) deepMerge(user, update.set);
+		if (update.set) {
+			this.assertHandlesUnique(update.set, id);
+			deepMerge(user, update.set);
+		}
 		if (update.inc) for (const [path, amount] of Object.entries(update.inc)) incrementAtPath(user, path, amount);
 		user.version = (user.version ?? 0) + 1;
 		return true;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aooth/user",
-  "version": "0.1.8",
+  "version": "0.1.10",
   "description": "User credential primitives for aoothjs",
   "keywords": [
     "aoothjs",
@@ -60,14 +60,14 @@
     "access": "public"
   },
   "devDependencies": {
-    "@atscript/core": "^0.1.69",
-    "@atscript/db": "^0.1.96",
-    "@atscript/db-sql-tools": "^0.1.96",
-    "@atscript/db-sqlite": "^0.1.96",
-    "@atscript/typescript": "^0.1.69",
+    "@atscript/core": "^0.1.71",
+    "@atscript/db": "^0.1.98",
+    "@atscript/db-sql-tools": "^0.1.98",
+    "@atscript/db-sqlite": "^0.1.98",
+    "@atscript/typescript": "^0.1.71",
     "@types/better-sqlite3": "^7.6.13",
     "better-sqlite3": "^12.6.2",
-    "unplugin-atscript": "^0.1.69"
+    "unplugin-atscript": "^0.1.71"
   },
   "peerDependencies": {
     "@atscript/db": ">=0.1.79"

package/src/atscript-db/user-credentials.as

@@ -6,9 +6,6 @@ export interface AoothUserCredentials {
     @db.index.unique 'username_idx'
     username: string
 
-    @db.index.unique 'email_idx'
-    email?: string
-
     @db.column.version
     version: number.int
 

package/src/atscript-db/user-credentials.as.d.ts

@@ -16,7 +16,6 @@ import type { TAtscriptTypeObject, TAtscriptTypeComplex, TAtscriptTypeFinal, TAt
 export declare class AoothUserCredentials {
   id: string
   username: string
-  email?: string
   version: number /* int */
   password: {
     hash: string