@lastshotlabs/bunshot 0.0.21 → 0.0.27

package/dist/lib/jwt.js

@@ -1,5 +1,8 @@
 import { SignJWT, jwtVerify } from "jose";
+import { getJwtIssuer, getJwtAudience } from "./appConfig";
+import { getSigningPrivateKey, getVerifyPublicKeys, isJwksLoaded } from "./jwks";
 let _secret = null;
+let _algorithm = "HS256";
 function getSecret() {
     if (_secret)
         return _secret;
@@ -14,11 +17,95 @@ function getSecret() {
     _secret = new TextEncoder().encode(rawSecret);
     return _secret;
 }
-export const signToken = async (userId, sessionId, expirySeconds) => new SignJWT({ sub: userId, sid: sessionId })
-    .setProtectedHeader({ alg: "HS256" })
-    .setExpirationTime(expirySeconds ? `${expirySeconds}s` : "7d")
-    .sign(getSecret());
+export function validateJwtSecrets() {
+    if (_algorithm !== "RS256") {
+        getSecret();
+    }
+}
+export async function signToken(claimsOrUserId, sessionIdOrExpiry, expirySeconds) {
+    let claims;
+    let expiry;
+    if (typeof claimsOrUserId === "string") {
+        // Legacy positional: signToken(userId, sessionId, expirySeconds?)
+        claims = { sub: claimsOrUserId, sid: sessionIdOrExpiry };
+        expiry = expirySeconds;
+    }
+    else {
+        // New object form: signToken(claims, expirySeconds?)
+        claims = claimsOrUserId;
+        expiry = sessionIdOrExpiry;
+    }
+    if (_algorithm === "RS256") {
+        if (!isJwksLoaded()) {
+            throw new Error("RS256 requires OIDC key configuration — call loadJwksKey() first");
+        }
+        // Use RS256 with JWKS key
+        const privateKey = getSigningPrivateKey();
+        const jwt = new SignJWT(claims)
+            .setProtectedHeader({ alg: "RS256", kid: "key-1" })
+            .setIssuedAt()
+            .setExpirationTime(expiry ? `${expiry}s` : "7d");
+        const issuer = getJwtIssuer();
+        const audience = getJwtAudience();
+        if (issuer)
+            jwt.setIssuer(issuer);
+        if (audience)
+            jwt.setAudience(audience);
+        return jwt.sign(privateKey);
+    }
+    const jwt = new SignJWT(claims)
+        .setProtectedHeader({ alg: _algorithm })
+        .setIssuedAt()
+        .setExpirationTime(expiry ? `${expiry}s` : "7d");
+    const issuer = getJwtIssuer();
+    const audience = getJwtAudience();
+    if (issuer)
+        jwt.setIssuer(issuer);
+    if (audience)
+        jwt.setAudience(audience);
+    return jwt.sign(getSecret());
+}
 export const verifyToken = async (token) => {
-    const { payload } = await jwtVerify(token, getSecret());
+    if (_algorithm === "RS256") {
+        if (!isJwksLoaded()) {
+            throw new Error("RS256 requires OIDC key configuration");
+        }
+        const publicKeys = getVerifyPublicKeys();
+        const opts = { algorithms: ["RS256"] };
+        const issuer = getJwtIssuer();
+        const audience = getJwtAudience();
+        if (issuer)
+            opts.issuer = issuer;
+        if (audience)
+            opts.audience = audience;
+        // Try each key (supports key rotation)
+        for (const key of publicKeys) {
+            try {
+                const { payload } = await jwtVerify(token, key, opts);
+                return payload;
+            }
+            catch {
+                continue;
+            }
+        }
+        throw new Error("JWT verification failed with all available keys");
+    }
+    const issuer = getJwtIssuer();
+    const audience = getJwtAudience();
+    const opts = { algorithms: [_algorithm] };
+    if (issuer)
+        opts.issuer = issuer;
+    if (audience)
+        opts.audience = audience;
+    const { payload } = await jwtVerify(token, getSecret(), opts);
     return payload;
 };
+/** @internal — used by Feature 8 (OIDC) to switch to RS256 once key material is loaded */
+export function _setAlgorithm(alg) {
+    _algorithm = alg;
+}
+/** @internal — reset for testing */
+export function _resetJwtState() {
+    _secret = null;
+    _algorithm = "HS256";
+}

package/dist/lib/logger.d.ts

@@ -1 +1,3 @@
 export declare const log: (...args: unknown[]) => void;
+/** Like log(), but also requires LOGGING_AUTH_TRACE=true. Use for lines that include user/session IDs. */
+export declare const authTrace: (...args: unknown[]) => void;

package/dist/lib/logger.js

@@ -5,3 +5,9 @@ export const log = (...args) => {
     if (verbose)
         console.log(...args);
 };
+const authTraceEnabled = process.env.LOGGING_AUTH_TRACE === "true";
+/** Like log(), but also requires LOGGING_AUTH_TRACE=true. Use for lines that include user/session IDs. */
+export const authTrace = (...args) => {
+    if (authTraceEnabled)
+        log(...args);
+};

package/dist/lib/m2m.d.ts

@@ -0,0 +1,29 @@
+import type { M2MClientRecord } from "./authAdapter";
+/**
+ * Look up an M2M client by clientId (active only).
+ * Returns the client record including clientSecretHash for verification.
+ */
+export declare function getM2MClient(clientId: string): Promise<(M2MClientRecord & {
+    clientSecretHash: string;
+}) | null>;
+/**
+ * Create a new M2M client. Returns the client ID and a plaintext secret (shown once).
+ * The secret is hashed with Bun.password before storage.
+ */
+export declare function createM2MClient(opts: {
+    clientId: string;
+    name: string;
+    scopes?: string[];
+}): Promise<{
+    id: string;
+    clientId: string;
+    clientSecret: string;
+}>;
+/**
+ * Delete an M2M client by clientId.
+ */
+export declare function deleteM2MClient(clientId: string): Promise<void>;
+/**
+ * List all M2M clients (secrets not included).
+ */
+export declare function listM2MClients(): Promise<M2MClientRecord[]>;

package/dist/lib/m2m.js

@@ -0,0 +1,48 @@
+import { getAuthAdapter } from "./authAdapter";
+/**
+ * Look up an M2M client by clientId (active only).
+ * Returns the client record including clientSecretHash for verification.
+ */
+export async function getM2MClient(clientId) {
+    const adapter = getAuthAdapter();
+    if (!adapter.getM2MClient)
+        return null;
+    return adapter.getM2MClient(clientId);
+}
+/**
+ * Create a new M2M client. Returns the client ID and a plaintext secret (shown once).
+ * The secret is hashed with Bun.password before storage.
+ */
+export async function createM2MClient(opts) {
+    const adapter = getAuthAdapter();
+    if (!adapter.createM2MClient) {
+        throw new Error("Auth adapter does not support M2M clients");
+    }
+    const clientSecret = crypto.randomUUID() + "-" + crypto.randomUUID();
+    const clientSecretHash = await Bun.password.hash(clientSecret);
+    const { id } = await adapter.createM2MClient({
+        clientId: opts.clientId,
+        clientSecretHash,
+        name: opts.name,
+        scopes: opts.scopes ?? [],
+    });
+    return { id, clientId: opts.clientId, clientSecret };
+}
+/**
+ * Delete an M2M client by clientId.
+ */
+export async function deleteM2MClient(clientId) {
+    const adapter = getAuthAdapter();
+    if (adapter.deleteM2MClient) {
+        await adapter.deleteM2MClient(clientId);
+    }
+}
+/**
+ * List all M2M clients (secrets not included).
+ */
+export async function listM2MClients() {
+    const adapter = getAuthAdapter();
+    if (!adapter.listM2MClients)
+        return [];
+    return adapter.listM2MClients();
+}

package/dist/lib/metrics.d.ts

@@ -0,0 +1,14 @@
+type Labels = Record<string, string>;
+export declare function defaultNormalizePath(path: string): string;
+export declare function incrementCounter(name: string, labels: Labels, amount?: number): void;
+export declare function observeHistogram(name: string, labels: Labels, value: number, buckets?: number[]): void;
+type GaugeCallback = () => Promise<{
+    labels: Labels;
+    value: number;
+}[]>;
+export declare function registerGaugeCallback(name: string, cb: GaugeCallback): void;
+export declare function serializeMetrics(): Promise<string>;
+export declare function resetMetrics(): void;
+export declare function setMetricsQueues(map: Map<string, any>): void;
+export declare function closeMetricsQueues(): Promise<void>;
+export {};

package/dist/lib/metrics.js

@@ -0,0 +1,158 @@
+// In-memory Prometheus-compatible metrics registry.
+// Bun is single-threaded so no atomics are needed.
+// ── Helpers ──────────────────────────────────────────────────────────────────
+function labelKey(labels) {
+    return Object.entries(labels)
+        .sort(([a], [b]) => a.localeCompare(b))
+        .map(([k, v]) => `${k}="${v}"`)
+        .join(",");
+}
+function formatLabels(labels) {
+    const pairs = Object.entries(labels)
+        .sort(([a], [b]) => a.localeCompare(b))
+        .map(([k, v]) => `${k}="${v}"`);
+    return pairs.length ? `{${pairs.join(",")}}` : "";
+}
+// ── Path normalization ───────────────────────────────────────────────────────
+const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+const OBJECTID_RE = /^[0-9a-f]{24}$/i;
+const NUMERIC_RE = /^\d+$/;
+export function defaultNormalizePath(path) {
+    return path
+        .split("/")
+        .map((seg) => {
+        if (!seg)
+            return seg;
+        if (UUID_RE.test(seg))
+            return ":id";
+        if (OBJECTID_RE.test(seg))
+            return ":id";
+        if (NUMERIC_RE.test(seg))
+            return ":id";
+        return seg;
+    })
+        .join("/");
+}
+const counters = new Map();
+export function incrementCounter(name, labels, amount = 1) {
+    let metric = counters.get(name);
+    if (!metric) {
+        metric = new Map();
+        counters.set(name, metric);
+    }
+    const key = labelKey(labels);
+    const existing = metric.get(key);
+    if (existing) {
+        existing.value += amount;
+    }
+    else {
+        metric.set(key, { labels: { ...labels }, value: amount });
+    }
+}
+// ── Histogram ────────────────────────────────────────────────────────────────
+const DEFAULT_BUCKETS = [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10];
+const histograms = new Map();
+export function observeHistogram(name, labels, value, buckets = DEFAULT_BUCKETS) {
+    let metric = histograms.get(name);
+    if (!metric) {
+        metric = { boundaries: buckets, entries: new Map() };
+        histograms.set(name, metric);
+    }
+    const key = labelKey(labels);
+    let entry = metric.entries.get(key);
+    if (!entry) {
+        entry = { labels: { ...labels }, buckets: new Array(buckets.length).fill(0), sum: 0, count: 0 };
+        metric.entries.set(key, entry);
+    }
+    // Find the first (tightest) bucket the value fits in.
+    // Serialization will compute cumulative sums across buckets.
+    for (let i = 0; i < metric.boundaries.length; i++) {
+        if (value <= metric.boundaries[i]) {
+            entry.buckets[i]++;
+            break;
+        }
+    }
+    entry.sum += value;
+    entry.count++;
+}
+const gaugeCallbacks = new Map();
+export function registerGaugeCallback(name, cb) {
+    gaugeCallbacks.set(name, cb);
+}
+// ── Serialize ────────────────────────────────────────────────────────────────
+export async function serializeMetrics() {
+    const lines = [];
+    // Collect gauge callbacks first so any error-counter increments are
+    // included when we serialize counters below.
+    const gaugeLines = [];
+    for (const [name, cb] of gaugeCallbacks) {
+        try {
+            const results = await cb();
+            gaugeLines.push(`# HELP ${name} ${name.replace(/_/g, " ")}`);
+            gaugeLines.push(`# TYPE ${name} gauge`);
+            for (const { labels, value } of results) {
+                gaugeLines.push(`${name}${formatLabels(labels)} ${value}`);
+            }
+            gaugeLines.push("");
+        }
+        catch (err) {
+            console.warn(`[metrics] Gauge callback "${name}" failed:`, err);
+            incrementCounter("bunshot_gauge_errors_total", { gauge: name });
+        }
+    }
+    // Counters
+    for (const [name, entries] of counters) {
+        lines.push(`# HELP ${name} Total ${name.replace(/_/g, " ")}`);
+        lines.push(`# TYPE ${name} counter`);
+        for (const entry of entries.values()) {
+            lines.push(`${name}${formatLabels(entry.labels)} ${entry.value}`);
+        }
+        lines.push("");
+    }
+    // Histograms
+    for (const [name, metric] of histograms) {
+        lines.push(`# HELP ${name} ${name.replace(/_/g, " ")}`);
+        lines.push(`# TYPE ${name} histogram`);
+        for (const entry of metric.entries.values()) {
+            const lbls = formatLabels(entry.labels);
+            let cumulative = 0;
+            for (let i = 0; i < metric.boundaries.length; i++) {
+                cumulative += entry.buckets[i];
+                const bucketLabels = { ...entry.labels, le: String(metric.boundaries[i]) };
+                lines.push(`${name}_bucket${formatLabels(bucketLabels)} ${cumulative}`);
+            }
+            const infLabels = { ...entry.labels, le: "+Inf" };
+            lines.push(`${name}_bucket${formatLabels(infLabels)} ${entry.count}`);
+            lines.push(`${name}_sum${lbls} ${entry.sum}`);
+            lines.push(`${name}_count${lbls} ${entry.count}`);
+        }
+        lines.push("");
+    }
+    // Gauges (already collected above)
+    lines.push(...gaugeLines);
+    return lines.join("\n");
+}
+// ── Reset (for tests) ───────────────────────────────────────────────────────
+export function resetMetrics() {
+    counters.clear();
+    histograms.clear();
+    gaugeCallbacks.clear();
+}
+// ── Queue cleanup ────────────────────────────────────────────────────────────
+let metricsQueues = null;
+export function setMetricsQueues(map) {
+    metricsQueues = map;
+}
+export async function closeMetricsQueues() {
+    if (!metricsQueues)
+        return;
+    for (const q of metricsQueues.values()) {
+        try {
+            await q.close();
+        }
+        catch {
+            // best-effort cleanup
+        }
+    }
+    metricsQueues.clear();
+}

package/dist/lib/mfaChallenge.d.ts

@@ -1,4 +1,4 @@
-export type MfaChallengePurpose = "login" | "webauthn-registration";
+export type MfaChallengePurpose = "login" | "webauthn-registration" | "passkey-login";
 export interface MfaChallengeOptions {
     emailOtpHash?: string;
     webauthnChallenge?: string;
@@ -39,4 +39,17 @@ export declare const consumeWebAuthnRegistrationChallenge: (token: string) => Pr
     userId: string;
     challenge: string;
 } | null>;
+/**
+ * Create a passkey login challenge token. Not tied to a user — userId is resolved
+ * from the credential after assertion. Uses a fixed 120s TTL.
+ */
+export declare const createPasskeyLoginChallenge: (challenge: string) => Promise<string>;
+/**
+ * Consume a passkey login challenge token.
+ * Only accepts tokens with `purpose: "passkey-login"`.
+ * Returns the stored webauthnChallenge bytes or null if expired/invalid.
+ */
+export declare const consumePasskeyLoginChallenge: (token: string) => Promise<{
+    webauthnChallenge: string;
+} | null>;
 export {};

package/dist/lib/mfaChallenge.js

@@ -68,13 +68,35 @@ function ensureSqliteMfaTable() {
     catch { /* already exists */ }
     _sqliteTableCreated = true;
 }
+// ---------------------------------------------------------------------------
+// Redis helpers
+// ---------------------------------------------------------------------------
+/** Atomically GET+DEL a key. Uses native GETDEL (Redis >= 6.2) with a Lua fallback. */
+async function redisGetDel(key) {
+    const redis = getRedis();
+    if (typeof redis.getdel === "function") {
+        try {
+            return await redis.getdel(key);
+        }
+        catch (err) {
+            const msg = err?.message ?? "";
+            if (!/unknown command|ERR unknown command/i.test(msg))
+                throw err;
+            // Fall through to Lua on "unknown command"
+        }
+    }
+    const result = await redis.eval("local v = redis.call('GET', KEYS[1])\nif v then redis.call('DEL', KEYS[1]) end\nreturn v", 1, key);
+    return result ?? null;
+}
 let _store = "redis";
 export const setMfaChallengeStore = (store) => { _store = store; };
 // ---------------------------------------------------------------------------
 // Public API
 // ---------------------------------------------------------------------------
 export const createMfaChallenge = async (userId, options) => {
-    const token = crypto.randomUUID();
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    const token = Buffer.from(bytes).toString("base64url");
     const hash = sha256(token);
     const ttl = getMfaChallengeTtl();
     const now = Date.now();
@@ -135,10 +157,9 @@ export const consumeMfaChallenge = async (token) => {
     }
     // redis
     const key = `mfachallenge:${getAppName()}:${hash}`;
-    const raw = await getRedis().get(key);
+    const raw = await redisGetDel(key);
     if (!raw)
         return null;
-    await getRedis().del(key);
     const data = JSON.parse(raw);
     if (data.purpose !== "login")
         return null;
@@ -220,7 +241,9 @@ export const replaceMfaChallengeOtp = async (token, newEmailOtpHash) => {
  * uses `purpose: "webauthn-registration"` so it cannot be consumed by `consumeMfaChallenge`.
  */
 export const createWebAuthnRegistrationChallenge = async (userId, challenge) => {
-    const token = crypto.randomUUID();
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    const token = Buffer.from(bytes).toString("base64url");
     const hash = sha256(token);
     const ttl = getMfaChallengeTtl();
     const now = Date.now();
@@ -282,12 +305,94 @@ export const consumeWebAuthnRegistrationChallenge = async (token) => {
     }
     // redis
     const key = `mfachallenge:${getAppName()}:${hash}`;
-    const raw = await getRedis().get(key);
+    const raw = await redisGetDel(key);
     if (!raw)
         return null;
-    await getRedis().del(key);
     const data = JSON.parse(raw);
     if (data.purpose !== "webauthn-registration" || !data.webauthnChallenge)
         return null;
     return { userId: data.userId, challenge: data.webauthnChallenge };
 };
+// ---------------------------------------------------------------------------
+// Passkey login challenge helpers (passwordless first-factor)
+// ---------------------------------------------------------------------------
+const PASSKEY_LOGIN_CHALLENGE_TTL = 120; // seconds — single-use, so longer TTL is safe
+/**
+ * Create a passkey login challenge token. Not tied to a user — userId is resolved
+ * from the credential after assertion. Uses a fixed 120s TTL.
+ */
+export const createPasskeyLoginChallenge = async (challenge) => {
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    const token = Buffer.from(bytes).toString("base64url");
+    const hash = sha256(token);
+    const ttl = PASSKEY_LOGIN_CHALLENGE_TTL;
+    const now = Date.now();
+    const purpose = "passkey-login";
+    const userId = ""; // anonymous — resolved from credential ID at login time
+    if (_store === "memory") {
+        _memoryChallenges.set(hash, { userId, purpose, webauthnChallenge: challenge, createdAt: now, resendCount: 0, expiresAt: now + ttl * 1000 });
+        return token;
+    }
+    if (_store === "sqlite") {
+        ensureSqliteMfaTable();
+        _sqliteDb.run("INSERT INTO mfa_challenges (token, userId, purpose, webauthnChallenge, createdAt, resendCount, expiresAt) VALUES (?, ?, ?, ?, ?, 0, ?)", [hash, userId, purpose, challenge, now, now + ttl * 1000]);
+        return token;
+    }
+    if (_store === "mongo") {
+        await getMfaChallengeModel().create({
+            token: hash,
+            userId,
+            purpose,
+            webauthnChallenge: challenge,
+            createdAt: new Date(now),
+            resendCount: 0,
+            expiresAt: new Date(now + ttl * 1000),
+        });
+        return token;
+    }
+    // redis
+    await getRedis().set(`mfachallenge:${getAppName()}:${hash}`, JSON.stringify({ userId, purpose, webauthnChallenge: challenge, createdAt: now, resendCount: 0 }), "EX", ttl);
+    return token;
+};
+/**
+ * Consume a passkey login challenge token.
+ * Only accepts tokens with `purpose: "passkey-login"`.
+ * Returns the stored webauthnChallenge bytes or null if expired/invalid.
+ */
+export const consumePasskeyLoginChallenge = async (token) => {
+    const hash = sha256(token);
+    if (_store === "memory") {
+        const entry = _memoryChallenges.get(hash);
+        if (!entry || entry.expiresAt <= Date.now()) {
+            _memoryChallenges.delete(hash);
+            return null;
+        }
+        _memoryChallenges.delete(hash);
+        if (entry.purpose !== "passkey-login" || !entry.webauthnChallenge)
+            return null;
+        return { webauthnChallenge: entry.webauthnChallenge };
+    }
+    if (_store === "sqlite") {
+        ensureSqliteMfaTable();
+        const row = _sqliteDb.query("DELETE FROM mfa_challenges WHERE token = ? AND expiresAt > ? RETURNING purpose, webauthnChallenge").get(hash, Date.now());
+        if (!row || row.purpose !== "passkey-login" || !row.webauthnChallenge)
+            return null;
+        return { webauthnChallenge: row.webauthnChallenge };
+    }
+    if (_store === "mongo") {
+        const doc = await getMfaChallengeModel().findOneAndDelete({ token: hash, expiresAt: { $gt: new Date() } });
+        if (!doc || doc.purpose !== "passkey-login" || !doc.webauthnChallenge)
+            return null;
+        return { webauthnChallenge: doc.webauthnChallenge };
+    }
+    // redis
+    const key = `mfachallenge:${getAppName()}:${hash}`;
+    const raw = await redisGetDel(key);
+    if (!raw)
+        return null;
+    const data = JSON.parse(raw);
+    if (data.purpose !== "passkey-login" || !data.webauthnChallenge)
+        return null;
+    return { webauthnChallenge: data.webauthnChallenge };
+};

package/dist/lib/mongo.js

@@ -13,7 +13,7 @@ function requireMongoose() {
 }
 function buildUri(user, password, host, db) {
     const [hostPart, queryPart] = host.split("?");
-    return `mongodb+srv://${user}:${password}@${hostPart.replace(/\/$/, "")}/${db}${queryPart ? `?${queryPart}` : ""}`;
+    return `mongodb+srv://${encodeURIComponent(user)}:${encodeURIComponent(password)}@${hostPart.replace(/\/$/, "")}/${db}${queryPart ? `?${queryPart}` : ""}`;
 }
 // Internal mutable references — set inside connect functions
 let _authConn = null;

package/dist/lib/oauthCode.js

@@ -18,6 +18,25 @@ function getOAuthCodeModel() {
     }, { collection: "oauth_codes" });
     return appConnection.model("OAuthCode", schema);
 }
+// ---------------------------------------------------------------------------
+// Redis helpers
+// ---------------------------------------------------------------------------
+/** Atomically GET+DEL a key. Uses native GETDEL (Redis >= 6.2) with a Lua fallback. */
+async function redisGetDel(key) {
+    const redis = getRedis();
+    if (typeof redis.getdel === "function") {
+        try {
+            return await redis.getdel(key);
+        }
+        catch (err) {
+            const msg = err?.message ?? "";
+            if (!/unknown command|ERR unknown command/i.test(msg))
+                throw err;
+        }
+    }
+    const result = await redis.eval("local v = redis.call('GET', KEYS[1])\nif v then redis.call('DEL', KEYS[1]) end\nreturn v", 1, key);
+    return result ?? null;
+}
 let _store = "redis";
 export const setOAuthCodeStore = (store) => { _store = store; };
 const CODE_TTL = 60; // 60 seconds
@@ -27,7 +46,9 @@ const CODE_TTL = 60; // 60 seconds
 /** Store a one-time authorization code. Returns the raw code (for the redirect URL).
  *  Only the SHA-256 hash is persisted. */
 export const storeOAuthCode = async (payload) => {
-    const code = crypto.randomUUID();
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    const code = Buffer.from(bytes).toString("base64url");
     const hash = sha256(code);
     if (_store === "memory") {
         memoryStoreOAuthCode(hash, payload, CODE_TTL);
@@ -67,23 +88,7 @@ export const consumeOAuthCode = async (code) => {
     }
     // Redis
     const key = `oauthcode:${getAppName()}:${hash}`;
-    const redis = getRedis();
-    let raw = null;
-    if (typeof redis.getdel === "function") {
-        try {
-            raw = await redis.getdel(key);
-        }
-        catch {
-            raw = await redis.get(key);
-            if (raw)
-                await redis.del(key);
-        }
-    }
-    else {
-        raw = await redis.get(key);
-        if (raw)
-            await redis.del(key);
-    }
+    const raw = await redisGetDel(key);
     if (!raw)
         return null;
     return JSON.parse(raw);