@dudousxd/adonis-authkit-server 0.1.0

package/build/src/accounts/lucid_account_store.js

@@ -0,0 +1,396 @@
+import { createHash, randomBytes, timingSafeEqual } from 'node:crypto';
+import { DateTime } from 'luxon';
+import { authenticator } from 'otplib';
+import { generateAuthenticationOptions, generateRegistrationOptions, verifyAuthenticationResponse, verifyRegistrationResponse, } from '@simplewebauthn/server';
+const sha256 = (value) => createHash('sha256').update(value).digest('hex');
+/** Recovery code legível: 10 chars hex em duas metades (ex.: a1b2c-3d4e5). */
+function generateRecoveryCode() {
+    const raw = randomBytes(5).toString('hex');
+    return `${raw.slice(0, 5)}-${raw.slice(5, 10)}`;
+}
+/** Comparação de hashes hex resistente a timing. */
+function hashesEqual(a, b) {
+    const ba = Buffer.from(a);
+    const bb = Buffer.from(b);
+    if (ba.length !== bb.length)
+        return false;
+    return timingSafeEqual(ba, bb);
+}
+/**
+ * Implementação default do {@link AccountStore} sobre um model Lucid composto
+ * de `withAuthUser()` + `withCredentials()` (+ opcionalmente `withMfa()`). O
+ * model carrega `connection`/`table` (app-específico) e, por convenção, uma
+ * coluna `fullName` (mapeada de `name`).
+ */
+export function lucidAccountStore(Model, options = {}) {
+    const mfaIssuer = options.mfaIssuer ?? 'AuthKit';
+    const recoveryCodeCount = options.recoveryCodeCount ?? 8;
+    const encrypter = options.encrypter;
+    const ProviderIdentityModel = options.providerIdentityModel;
+    const WebauthnCredentialModel = options.webauthnCredentialModel;
+    // RP do WebAuthn: usado nas cerimônias. Default do rpName cai no mfaIssuer.
+    const webauthn = options.webauthn ?? {
+        rpName: mfaIssuer,
+        rpId: 'localhost',
+        origin: 'http://localhost',
+    };
+    // Cerimônias WebAuthn: reais por default, injetáveis para testes.
+    const ceremonies = {
+        generateRegistrationOptions,
+        verifyRegistrationResponse,
+        generateAuthenticationOptions,
+        verifyAuthenticationResponse,
+        ...options.webauthnCeremonies,
+    };
+    // Garante que o store foi configurado com o model das identidades antes de
+    // tocar nos métodos de account linking (contrato: lança com mensagem clara).
+    const requireProviderIdentityModel = () => {
+        if (!ProviderIdentityModel) {
+            throw new Error('lucidAccountStore: account linking por provider identity requer a opção ' +
+                '`providerIdentityModel` (um model Lucid composto de `withProviderIdentity()`).');
+        }
+        return ProviderIdentityModel;
+    };
+    const requireWebauthnModel = () => {
+        if (!WebauthnCredentialModel) {
+            throw new Error('lucidAccountStore: passkeys (WebAuthn) requerem a opção ' +
+                '`webauthnCredentialModel` (um model Lucid composto de `withWebauthnCredential()`).');
+        }
+        return WebauthnCredentialModel;
+    };
+    // Encripta o segredo antes de persistir (no-op sem encrypter).
+    const sealSecret = (secret) => (encrypter ? encrypter.encrypt(secret) : secret);
+    // Decripta o segredo armazenado; retorna null em falha/adulteração (no-op sem encrypter).
+    const openSecret = (stored) => {
+        if (!stored)
+            return null;
+        if (!encrypter)
+            return stored;
+        return encrypter.decrypt(stored);
+    };
+    const toAccount = (row) => ({
+        id: row.id,
+        email: row.email,
+        globalRoles: row.globalRoles ?? [],
+        name: row.fullName ?? undefined,
+    });
+    return {
+        async findById(id) {
+            const row = await Model.find(id);
+            return row ? toAccount(row) : null;
+        },
+        async findByEmail(email) {
+            const row = await Model.query().where('email', email).first();
+            return row ? toAccount(row) : null;
+        },
+        async verifyCredentials(email, password) {
+            const row = await Model.query().where('email', email).first();
+            if (!row || !(await row.verifyPassword(password)))
+                return null;
+            return toAccount(row);
+        },
+        async create(input) {
+            const row = await Model.create({
+                email: input.email,
+                password: input.password,
+                fullName: input.fullName ?? null,
+                globalRoles: input.globalRoles ?? [],
+                emailVerifiedAt: input.emailVerified ? DateTime.now() : null,
+            });
+            return toAccount(row);
+        },
+        async findByProviderIdentity(provider, providerUserId) {
+            const Identity = requireProviderIdentityModel();
+            const identity = await Identity.query()
+                .where('provider', provider)
+                .where('providerUserId', providerUserId)
+                .first();
+            if (!identity)
+                return null;
+            const row = await Model.find(identity.accountId);
+            return row ? toAccount(row) : null;
+        },
+        async linkProviderIdentity(data) {
+            const Identity = requireProviderIdentityModel();
+            // Upsert idempotente na chave única (provider, providerUserId): atualiza
+            // account/email se já existir, cria caso contrário.
+            const existing = await Identity.query()
+                .where('provider', data.provider)
+                .where('providerUserId', data.providerUserId)
+                .first();
+            if (existing) {
+                existing.accountId = data.accountId;
+                if (data.email !== undefined)
+                    existing.email = data.email;
+                await existing.save();
+                return;
+            }
+            await Identity.create({
+                provider: data.provider,
+                providerUserId: data.providerUserId,
+                accountId: data.accountId,
+                email: data.email ?? null,
+            });
+        },
+        async issuePasswordResetToken(email) {
+            const row = await Model.query().where('email', email).first();
+            if (!row)
+                return null;
+            const token = randomBytes(32).toString('hex');
+            row.passwordResetToken = token;
+            row.passwordResetExpiresAt = DateTime.now().plus({ hours: 1 });
+            await row.save();
+            return { token, account: toAccount(row) };
+        },
+        async consumePasswordResetToken(token, newPassword) {
+            const row = await Model.query().where('passwordResetToken', token).first();
+            if (!row)
+                return false;
+            if (!row.passwordResetExpiresAt || row.passwordResetExpiresAt < DateTime.now())
+                return false;
+            row.password = newPassword;
+            row.passwordResetToken = null;
+            row.passwordResetExpiresAt = null;
+            await row.save();
+            return true;
+        },
+        async issueEmailVerificationToken(email) {
+            const row = await Model.query().where('email', email).first();
+            if (!row)
+                return null;
+            const token = randomBytes(32).toString('hex');
+            row.emailVerificationToken = token;
+            await row.save();
+            return { token, account: toAccount(row) };
+        },
+        async consumeEmailVerificationToken(token) {
+            if (!token)
+                return false;
+            const row = await Model.query().where('emailVerificationToken', token).first();
+            if (!row)
+                return false;
+            row.emailVerifiedAt = DateTime.now();
+            row.emailVerificationToken = null;
+            await row.save();
+            return true;
+        },
+        // ----- Administração (console admin) -----
+        async listAccounts(params) {
+            const page = Math.max(1, params.page ?? 1);
+            const limit = Math.max(1, params.limit ?? 20);
+            const search = params.search?.trim();
+            const base = () => {
+                const q = Model.query();
+                // Filtro por e-mail (substring, case-insensitive). `whereILike` cai no LIKE
+                // no sqlite (case-insensitive por default p/ ASCII), e em ILIKE no Postgres.
+                if (search)
+                    q.whereILike('email', `%${search}%`);
+                return q;
+            };
+            const countResult = await base().count('* as total');
+            // O shape do count varia por dialeto; lê de $extras.total (Lucid).
+            const total = Number(countResult[0]?.$extras?.total ?? 0);
+            const rows = await base()
+                .orderBy('email', 'asc')
+                .offset((page - 1) * limit)
+                .limit(limit);
+            return { data: rows.map(toAccount), total };
+        },
+        async setGlobalRoles(accountId, roles) {
+            const row = await Model.find(accountId);
+            if (!row)
+                return;
+            // A coluna `globalRoles` é serializada como JSON pelo mixin withAuthUser.
+            row.globalRoles = roles;
+            await row.save();
+        },
+        // ----- MFA / TOTP -----
+        async getMfaState(accountId) {
+            const row = await Model.find(accountId);
+            return { enabled: !!row?.mfaEnabledAt };
+        },
+        async startTotpEnrollment(accountId) {
+            const row = await Model.find(accountId);
+            if (!row)
+                return null;
+            const secret = authenticator.generateSecret();
+            // Segredo PENDENTE: armazenado (encriptado em repouso) mas mfaEnabledAt continua null.
+            row.totpSecret = sealSecret(secret);
+            row.mfaEnabledAt = null;
+            row.recoveryCodes = null;
+            await row.save();
+            const otpauthUri = authenticator.keyuri(row.email, mfaIssuer, secret);
+            return { secret, otpauthUri };
+        },
+        async confirmTotpEnrollment(accountId, code) {
+            const row = await Model.find(accountId);
+            if (!row || !row.totpSecret)
+                return { ok: false };
+            const secret = openSecret(row.totpSecret);
+            if (!secret)
+                return { ok: false };
+            // Só confirma a partir de um segredo pendente (não re-confirma um já ativo).
+            const valid = authenticator.verify({ token: String(code ?? ''), secret });
+            if (!valid)
+                return { ok: false };
+            const codes = Array.from({ length: recoveryCodeCount }, () => generateRecoveryCode());
+            row.mfaEnabledAt = DateTime.now();
+            row.recoveryCodes = codes.map(sha256);
+            await row.save();
+            return { ok: true, recoveryCodes: codes };
+        },
+        async verifyTotp(accountId, code) {
+            const row = await Model.find(accountId);
+            if (!row || !row.mfaEnabledAt || !row.totpSecret)
+                return false;
+            const secret = openSecret(row.totpSecret);
+            if (!secret)
+                return false;
+            return authenticator.verify({ token: String(code ?? ''), secret });
+        },
+        async consumeRecoveryCode(accountId, code) {
+            const row = await Model.find(accountId);
+            if (!row || !row.mfaEnabledAt || !Array.isArray(row.recoveryCodes))
+                return false;
+            const target = sha256(String(code ?? '').trim());
+            const remaining = row.recoveryCodes.filter((h) => !hashesEqual(h, target));
+            if (remaining.length === row.recoveryCodes.length)
+                return false; // nada casou
+            row.recoveryCodes = remaining;
+            await row.save();
+            return true;
+        },
+        async disableMfa(accountId) {
+            const row = await Model.find(accountId);
+            if (!row)
+                return;
+            row.totpSecret = null;
+            row.mfaEnabledAt = null;
+            row.recoveryCodes = null;
+            await row.save();
+        },
+        // ----- MFA / WebAuthn (passkeys) -----
+        async generatePasskeyRegistrationOptions(accountId) {
+            const Credential = requireWebauthnModel();
+            const row = await Model.find(accountId);
+            if (!row)
+                return null;
+            const existing = await Credential.query().where('accountId', accountId);
+            const options = await ceremonies.generateRegistrationOptions({
+                rpName: webauthn.rpName,
+                rpID: webauthn.rpId,
+                userName: row.email,
+                userDisplayName: row.fullName ?? row.email,
+                // Não pede attestation (privacidade); confia na verificação local.
+                attestationType: 'none',
+                // Evita registrar a mesma credencial duas vezes.
+                excludeCredentials: existing.map((c) => ({
+                    id: c.id,
+                    transports: (c.transports ?? undefined),
+                })),
+                authenticatorSelection: { residentKey: 'preferred', userVerification: 'preferred' },
+            });
+            return { options: options, challenge: options.challenge };
+        },
+        async verifyPasskeyRegistration(accountId, response, expectedChallenge) {
+            const Credential = requireWebauthnModel();
+            const row = await Model.find(accountId);
+            if (!row)
+                return false;
+            let verification;
+            try {
+                verification = await ceremonies.verifyRegistrationResponse({
+                    response: response,
+                    expectedChallenge,
+                    expectedOrigin: webauthn.origin,
+                    expectedRPID: webauthn.rpId,
+                });
+            }
+            catch {
+                return false;
+            }
+            if (!verification.verified || !verification.registrationInfo)
+                return false;
+            const { credential } = verification.registrationInfo;
+            // publicKey vem como Uint8Array → armazenamos como base64url (texto).
+            const publicKey = Buffer.from(credential.publicKey).toString('base64url');
+            await Credential.create({
+                id: credential.id,
+                accountId,
+                publicKey,
+                counter: credential.counter,
+                transports: credential.transports ?? null,
+                label: null,
+            });
+            // Registrar uma passkey também habilita o MFA (2º fator presente).
+            if (!row.mfaEnabledAt) {
+                row.mfaEnabledAt = DateTime.now();
+                await row.save();
+            }
+            return true;
+        },
+        async generatePasskeyAuthenticationOptions(accountId) {
+            const Credential = requireWebauthnModel();
+            const creds = await Credential.query().where('accountId', accountId);
+            if (creds.length === 0)
+                return null;
+            const options = await ceremonies.generateAuthenticationOptions({
+                rpID: webauthn.rpId,
+                allowCredentials: creds.map((c) => ({
+                    id: c.id,
+                    transports: (c.transports ?? undefined),
+                })),
+                userVerification: 'preferred',
+            });
+            return { options: options, challenge: options.challenge };
+        },
+        async verifyPasskeyAuthentication(accountId, response, expectedChallenge) {
+            const Credential = requireWebauthnModel();
+            const resp = response;
+            // O credential id vem na resposta (base64url) → acha a credencial da conta.
+            const cred = await Credential.query()
+                .where('accountId', accountId)
+                .where('id', resp?.id ?? '')
+                .first();
+            if (!cred)
+                return false;
+            let verification;
+            try {
+                verification = await ceremonies.verifyAuthenticationResponse({
+                    response: resp,
+                    expectedChallenge,
+                    expectedOrigin: webauthn.origin,
+                    expectedRPID: webauthn.rpId,
+                    credential: {
+                        id: cred.id,
+                        publicKey: new Uint8Array(Buffer.from(cred.publicKey, 'base64url')),
+                        counter: cred.counter,
+                        transports: (cred.transports ?? undefined),
+                    },
+                });
+            }
+            catch {
+                return false;
+            }
+            if (!verification.verified)
+                return false;
+            // Atualiza o signature counter (anti-replay).
+            cred.counter = verification.authenticationInfo.newCounter;
+            await cred.save();
+            return true;
+        },
+        async listPasskeys(accountId) {
+            const Credential = requireWebauthnModel();
+            const creds = await Credential.query().where('accountId', accountId).orderBy('createdAt', 'asc');
+            return creds.map((c) => ({
+                id: c.id,
+                label: c.label ?? undefined,
+                createdAt: c.createdAt?.toISO?.() ?? String(c.createdAt ?? ''),
+            }));
+        },
+        async removePasskey(accountId, credentialId) {
+            const Credential = requireWebauthnModel();
+            await Credential.query().where('accountId', accountId).where('id', credentialId).delete();
+        },
+    };
+}

package/build/src/adapters/adapter_contract.d.ts

@@ -0,0 +1,18 @@
+/** Forma mínima do payload persistido pelo oidc-provider. */
+export interface OidcPayload {
+    [key: string]: unknown;
+    grantId?: string;
+    userCode?: string;
+    uid?: string;
+    consumed?: unknown;
+}
+/** Contrato que o oidc-provider espera de um adapter (um por model). */
+export interface OidcAdapter {
+    upsert(id: string, payload: OidcPayload, expiresIn: number): Promise<void>;
+    find(id: string): Promise<OidcPayload | undefined>;
+    findByUserCode(userCode: string): Promise<OidcPayload | undefined>;
+    findByUid(uid: string): Promise<OidcPayload | undefined>;
+    consume(id: string): Promise<void>;
+    destroy(id: string): Promise<void>;
+    revokeByGrantId(grantId: string): Promise<void>;
+}

package/build/src/adapters/adapter_contract.js

@@ -0,0 +1 @@
+export {};

package/build/src/adapters/database_adapter.d.ts

@@ -0,0 +1,15 @@
+import type { Database } from '@adonisjs/lucid/database';
+import type { OidcAdapter, OidcPayload } from './adapter_contract.js';
+export declare class DatabaseAdapter implements OidcAdapter {
+    #private;
+    private name;
+    private db;
+    constructor(name: string, db: Database);
+    upsert(id: string, payload: OidcPayload, expiresIn: number): Promise<void>;
+    find(id: string): Promise<OidcPayload | undefined>;
+    findByUid(uid: string): Promise<OidcPayload | undefined>;
+    findByUserCode(userCode: string): Promise<OidcPayload | undefined>;
+    consume(id: string): Promise<void>;
+    destroy(id: string): Promise<void>;
+    revokeByGrantId(grantId: string): Promise<void>;
+}

package/build/src/adapters/database_adapter.js

@@ -0,0 +1,63 @@
+const TABLE = 'authkit_oidc_payloads';
+export class DatabaseAdapter {
+    name;
+    db;
+    constructor(name, db) {
+        this.name = name;
+        this.db = db;
+    }
+    #query() {
+        return this.db.query().from(TABLE).where('model_name', this.name);
+    }
+    async upsert(id, payload, expiresIn) {
+        // Armazenamos como ISO string para que o parse de expiração seja determinístico
+        // independente do backend (SQLite/Postgres) e do formato nativo de timestamp.
+        const expiresAt = expiresIn ? new Date(Date.now() + expiresIn * 1000).toISOString() : null;
+        const row = {
+            id,
+            model_name: this.name,
+            payload: JSON.stringify(payload),
+            grant_id: payload.grantId ?? null,
+            user_code: payload.userCode ?? null,
+            uid: payload.uid ?? null,
+            expires_at: expiresAt,
+        };
+        const existing = await this.#query().where('id', id).first();
+        if (existing) {
+            await this.#query().where('id', id).update(row);
+        }
+        else {
+            await this.db.table(TABLE).insert(row);
+        }
+    }
+    async #parse(record) {
+        if (!record)
+            return undefined;
+        if (record.expires_at && new Date(record.expires_at).getTime() <= Date.now()) {
+            return undefined;
+        }
+        return JSON.parse(record.payload);
+    }
+    async find(id) {
+        return this.#parse(await this.#query().where('id', id).first());
+    }
+    async findByUid(uid) {
+        return this.#parse(await this.#query().where('uid', uid).first());
+    }
+    async findByUserCode(userCode) {
+        return this.#parse(await this.#query().where('user_code', userCode).first());
+    }
+    async consume(id) {
+        const found = await this.find(id);
+        if (!found)
+            return;
+        found.consumed = Math.floor(Date.now() / 1000);
+        await this.#query().where('id', id).update({ payload: JSON.stringify(found) });
+    }
+    async destroy(id) {
+        await this.#query().where('id', id).delete();
+    }
+    async revokeByGrantId(grantId) {
+        await this.db.query().from(TABLE).where('grant_id', grantId).delete();
+    }
+}

package/build/src/adapters/factory.d.ts

@@ -0,0 +1,30 @@
+import type { ApplicationService } from '@adonisjs/core/types';
+import type { OidcAdapter } from './adapter_contract.js';
+export type OidcAdapterClass = new (name: string) => OidcAdapter;
+export interface AdapterFactory {
+    resolver(app: ApplicationService): Promise<OidcAdapterClass>;
+}
+export interface RedisAdapterConfig {
+    /** nome da conexão do @adonisjs/redis */
+    connection: string;
+    prefix?: string;
+}
+export interface DatabaseAdapterConfig {
+    /** nome da conexão Lucid (default: a primária) */
+    connection?: string;
+}
+export declare const adapters: {
+    /**
+     * Factory para o adapter Redis. O consumidor precisa ter o @adonisjs/redis
+     * configurado, pois o resolver resolve o `RedisManager` pelo token `'redis'`
+     * do container e obtém a conexão nomeada via `connection(name)`.
+     */
+    redis(config: RedisAdapterConfig): AdapterFactory;
+    /**
+     * Factory para o adapter de banco (Lucid). Resolve o `Database` manager pelo
+     * token `'lucid.db'`. O `DatabaseAdapter` consome o manager diretamente
+     * (`db.query()`/`db.table()`); quando uma conexão específica é solicitada,
+     * usamos `db.connection(name)` para obter o cliente daquela conexão.
+     */
+    database(config?: DatabaseAdapterConfig): AdapterFactory;
+};

package/build/src/adapters/factory.js

@@ -0,0 +1,43 @@
+import { RedisAdapter } from './redis_adapter.js';
+import { DatabaseAdapter } from './database_adapter.js';
+export const adapters = {
+    /**
+     * Factory para o adapter Redis. O consumidor precisa ter o @adonisjs/redis
+     * configurado, pois o resolver resolve o `RedisManager` pelo token `'redis'`
+     * do container e obtém a conexão nomeada via `connection(name)`.
+     */
+    redis(config) {
+        return {
+            async resolver(app) {
+                const redisManager = await app.container.make('redis');
+                const client = redisManager.connection(config.connection);
+                const prefix = config.prefix ?? 'authkit';
+                return class extends RedisAdapter {
+                    constructor(name) {
+                        super(name, client, prefix);
+                    }
+                };
+            },
+        };
+    },
+    /**
+     * Factory para o adapter de banco (Lucid). Resolve o `Database` manager pelo
+     * token `'lucid.db'`. O `DatabaseAdapter` consome o manager diretamente
+     * (`db.query()`/`db.table()`); quando uma conexão específica é solicitada,
+     * usamos `db.connection(name)` para obter o cliente daquela conexão.
+     */
+    database(config = {}) {
+        return {
+            async resolver(app) {
+                const db = await app.container.make('lucid.db');
+                const connection = config.connection;
+                const conn = connection ? db.connection(connection) : db;
+                return class extends DatabaseAdapter {
+                    constructor(name) {
+                        super(name, conn);
+                    }
+                };
+            },
+        };
+    },
+};

package/build/src/adapters/redis_adapter.d.ts

@@ -0,0 +1,16 @@
+import type { Redis } from 'ioredis';
+import type { OidcAdapter, OidcPayload } from './adapter_contract.js';
+export declare class RedisAdapter implements OidcAdapter {
+    #private;
+    private name;
+    private redis;
+    private prefix;
+    constructor(name: string, redis: Redis, prefix: string);
+    upsert(id: string, payload: OidcPayload, expiresIn: number): Promise<void>;
+    find(id: string): Promise<OidcPayload | undefined>;
+    findByUid(uid: string): Promise<OidcPayload | undefined>;
+    findByUserCode(userCode: string): Promise<OidcPayload | undefined>;
+    consume(id: string): Promise<void>;
+    destroy(id: string): Promise<void>;
+    revokeByGrantId(grantId: string): Promise<void>;
+}

package/build/src/adapters/redis_adapter.js

@@ -0,0 +1,95 @@
+const grantable = new Set([
+    'AccessToken',
+    'AuthorizationCode',
+    'RefreshToken',
+    'DeviceCode',
+    'BackchannelAuthenticationRequest',
+]);
+export class RedisAdapter {
+    name;
+    redis;
+    prefix;
+    constructor(name, redis, prefix) {
+        this.name = name;
+        this.redis = redis;
+        this.prefix = prefix;
+    }
+    #key(id) {
+        return `${this.prefix}:${this.name}:${id}`;
+    }
+    #grantKey(grantId) {
+        return `${this.prefix}:grant:${grantId}`;
+    }
+    #userCodeKey(userCode) {
+        return `${this.prefix}:userCode:${userCode}`;
+    }
+    #uidKey(uid) {
+        return `${this.prefix}:uid:${uid}`;
+    }
+    async upsert(id, payload, expiresIn) {
+        const key = this.#key(id);
+        const multi = this.redis.multi();
+        multi.set(key, JSON.stringify(payload));
+        if (grantable.has(this.name) && payload.grantId) {
+            const gk = this.#grantKey(payload.grantId);
+            multi.rpush(gk, key);
+            if (expiresIn)
+                multi.expire(gk, expiresIn);
+        }
+        if (payload.userCode) {
+            const uck = this.#userCodeKey(payload.userCode);
+            multi.set(uck, id);
+            if (expiresIn)
+                multi.expire(uck, expiresIn);
+        }
+        if (this.name === 'Session' && payload.uid) {
+            const uk = this.#uidKey(payload.uid);
+            multi.set(uk, id);
+            if (expiresIn)
+                multi.expire(uk, expiresIn);
+        }
+        if (expiresIn)
+            multi.expire(key, expiresIn);
+        await multi.exec();
+    }
+    async find(id) {
+        const data = await this.redis.get(this.#key(id));
+        if (!data)
+            return undefined;
+        return JSON.parse(data);
+    }
+    async findByUid(uid) {
+        const id = await this.redis.get(this.#uidKey(uid));
+        if (!id)
+            return undefined;
+        return this.find(id);
+    }
+    async findByUserCode(userCode) {
+        const id = await this.redis.get(this.#userCodeKey(userCode));
+        if (!id)
+            return undefined;
+        return this.find(id);
+    }
+    async consume(id) {
+        const found = await this.find(id);
+        if (!found)
+            return;
+        found.consumed = Math.floor(Date.now() / 1000);
+        const ttl = await this.redis.ttl(this.#key(id));
+        if (ttl > 0)
+            await this.redis.set(this.#key(id), JSON.stringify(found), 'EX', ttl);
+        else
+            await this.redis.set(this.#key(id), JSON.stringify(found));
+    }
+    async destroy(id) {
+        await this.redis.del(this.#key(id));
+    }
+    async revokeByGrantId(grantId) {
+        const gk = this.#grantKey(grantId);
+        const keys = await this.redis.lrange(gk, 0, -1);
+        const multi = this.redis.multi();
+        keys.forEach((k) => multi.del(k));
+        multi.del(gk);
+        await multi.exec();
+    }
+}