@technomoron/api-server-base 1.1.13 → 2.0.0-beta.10

package/dist/esm/auth-api/compat-auth-storage.d.ts

@@ -0,0 +1,57 @@
+import { PasskeyService } from '../passkey/service.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
+import type { OAuthStore } from '../oauth/base.js';
+import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
+import type { PasskeyStore } from '../passkey/base.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, StoredPasskeyCredential, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { TokenStore } from '../token/base.js';
+import type { Token } from '../token/types.js';
+import type { UserStore } from '../user/base.js';
+interface PasskeyAdapterOptions {
+    store: PasskeyStore;
+    config: PasskeyServiceConfig;
+}
+export interface AuthAdapterOptions<UserRow, PublicUser> {
+    userStore: UserStore<UserRow, PublicUser>;
+    tokenStore: TokenStore;
+    passkeys?: PasskeyAdapterOptions | PasskeyService;
+    oauthStore?: OAuthStore;
+    canImpersonate?: (params: {
+        realUserId: AuthIdentifier;
+        effectiveUserId: AuthIdentifier;
+    }) => boolean | Promise<boolean>;
+}
+export declare class CompositeAuthAdapter<UserRow, PublicUser> implements AuthAdapter<UserRow, PublicUser> {
+    private readonly userStore;
+    private readonly tokenStore;
+    private readonly oauthStore?;
+    private readonly passkeyService?;
+    private readonly canImpersonateFn?;
+    constructor(options: AuthAdapterOptions<UserRow, PublicUser>);
+    getUser(identifier: AuthIdentifier): Promise<UserRow | null>;
+    getUserPasswordHash(user: UserRow): string;
+    getUserId(user: UserRow): AuthIdentifier;
+    filterUser(user: UserRow): PublicUser;
+    verifyPassword(password: string, hash: string): Promise<boolean>;
+    storeToken(data: Token): Promise<void>;
+    getToken(query: Partial<Token>, opts?: {
+        includeExpired?: boolean;
+    }): Promise<Token | null>;
+    deleteToken(query: Partial<Token>): Promise<number>;
+    updateToken(updates: Partial<Token> & {
+        refreshToken: string;
+    }): Promise<boolean>;
+    createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
+    verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
+    getClient(clientId: string): Promise<OAuthClient | null>;
+    verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
+    createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;
+    consumeAuthCode(code: string, clientId: string): Promise<AuthCodeData | null>;
+    canImpersonate(params: {
+        realUserId: AuthIdentifier;
+        effectiveUserId: AuthIdentifier;
+    }): Promise<boolean>;
+}
+export {};

package/dist/esm/auth-api/compat-auth-storage.js

@@ -0,0 +1,124 @@
+import { randomUUID } from 'node:crypto';
+import { PasskeyService } from '../passkey/service.js';
+export class CompositeAuthAdapter {
+    constructor(options) {
+        this.userStore = options.userStore;
+        this.tokenStore = options.tokenStore;
+        this.oauthStore = options.oauthStore;
+        this.canImpersonateFn = options.canImpersonate;
+        if (options.passkeys instanceof PasskeyService) {
+            this.passkeyService = options.passkeys;
+        }
+        else if (options.passkeys) {
+            this.passkeyService = new PasskeyService(options.passkeys.config, options.passkeys.store);
+        }
+    }
+    async getUser(identifier) {
+        return this.userStore.findUser(identifier);
+    }
+    getUserPasswordHash(user) {
+        return this.userStore.getPasswordHash(user) ?? '';
+    }
+    getUserId(user) {
+        return this.userStore.getUserId(user);
+    }
+    filterUser(user) {
+        return this.userStore.toPublic(user);
+    }
+    async verifyPassword(password, hash) {
+        return this.userStore.verifyPassword(password, hash);
+    }
+    async storeToken(data) {
+        return this.tokenStore.save(data);
+    }
+    async getToken(query, opts) {
+        return this.tokenStore.get(query, opts);
+    }
+    async deleteToken(query) {
+        return this.tokenStore.delete(query);
+    }
+    async updateToken(updates) {
+        return this.tokenStore.update(updates);
+    }
+    async createPasskeyChallenge(params) {
+        if (!this.passkeyService) {
+            throw new Error('Passkey storage is not configured');
+        }
+        return this.passkeyService.createChallenge(params);
+    }
+    async verifyPasskeyResponse(params) {
+        if (!this.passkeyService) {
+            throw new Error('Passkey storage is not configured');
+        }
+        return this.passkeyService.verifyResponse(params);
+    }
+    async listUserCredentials(userId) {
+        if (!this.passkeyService) {
+            throw new Error('Passkey storage is not configured');
+        }
+        return this.passkeyService.listUserCredentials(userId);
+    }
+    async deletePasskeyCredential(credentialId) {
+        if (!this.passkeyService) {
+            throw new Error('Passkey storage is not configured');
+        }
+        return this.passkeyService.deleteCredential(credentialId);
+    }
+    async getClient(clientId) {
+        if (!this.oauthStore) {
+            return null;
+        }
+        return this.oauthStore.getClient(clientId);
+    }
+    async verifyClientSecret(client, clientSecret) {
+        if (!this.oauthStore) {
+            throw new Error('OAuth storage is not configured');
+        }
+        return this.oauthStore.verifyClientSecret(client.clientId, clientSecret);
+    }
+    async createAuthCode(request) {
+        if (!this.oauthStore) {
+            throw new Error('OAuth storage is not configured');
+        }
+        const expiresAt = new Date(Date.now() + (request.expiresInSeconds ?? 300) * 1000);
+        const code = request.code ?? randomUUID();
+        await this.oauthStore.createAuthCode({
+            code,
+            clientId: request.clientId,
+            userId: request.userId,
+            scope: request.scope,
+            redirectUri: request.redirectUri,
+            codeChallenge: request.codeChallenge,
+            codeChallengeMethod: request.codeChallengeMethod,
+            expiresAt,
+            metadata: request.metadata
+        });
+        return {
+            code,
+            clientId: request.clientId,
+            userId: request.userId,
+            redirectUri: request.redirectUri,
+            scope: request.scope ?? [],
+            codeChallenge: request.codeChallenge,
+            codeChallengeMethod: request.codeChallengeMethod,
+            expiresAt,
+            metadata: request.metadata
+        };
+    }
+    async consumeAuthCode(code, clientId) {
+        if (!this.oauthStore) {
+            return null;
+        }
+        const consumed = await this.oauthStore.consumeAuthCode(code);
+        if (!consumed || consumed.clientId !== clientId) {
+            return null;
+        }
+        return consumed;
+    }
+    async canImpersonate(params) {
+        if (this.canImpersonateFn) {
+            return !!(await this.canImpersonateFn(params));
+        }
+        return params.realUserId === params.effectiveUserId;
+    }
+}

package/dist/esm/auth-api/mem-auth-store.d.ts

@@ -0,0 +1,68 @@
+import { MemoryOAuthStore } from '../oauth/memory.js';
+import { MemoryPasskeyStore } from '../passkey/memory.js';
+import { TokenStore } from '../token/base.js';
+import { MemoryUserStore } from '../user/memory.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
+import type { MemoryOAuthStoreOptions } from '../oauth/memory.js';
+import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
+import type { MemoryPasskeyStoreOptions } from '../passkey/memory.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyUserDescriptor, StoredPasskeyCredential, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { Token } from '../token/types.js';
+import type { MemoryUserAttributes, MemoryPublicUser, MemoryUserStoreOptions } from '../user/memory.js';
+interface PasskeyOptions extends Partial<PasskeyServiceConfig> {
+    enabled?: boolean;
+}
+export interface MemAuthStoreParams<UserAttributes extends MemoryUserAttributes = MemoryUserAttributes, PublicUserShape extends MemoryPublicUser<UserAttributes> = MemoryPublicUser<UserAttributes>> extends Omit<MemoryUserStoreOptions<UserAttributes, PublicUserShape>, 'hasher'>, MemoryOAuthStoreOptions, Partial<MemoryPasskeyStoreOptions> {
+    bcryptRounds?: number;
+    passwordPepper?: string;
+    publicUserMapper?: (user: UserAttributes) => PublicUserShape;
+    passkeyUserMapper?: (user: UserAttributes) => PasskeyUserDescriptor;
+    passkeys?: false | PasskeyOptions;
+    canImpersonate?: (params: {
+        realUserId: AuthIdentifier;
+        effectiveUserId: AuthIdentifier;
+    }) => boolean | Promise<boolean>;
+    tokenStore?: TokenStore;
+}
+export declare class MemAuthStore<UserAttributes extends MemoryUserAttributes = MemoryUserAttributes, PublicUserShape extends MemoryPublicUser<UserAttributes> = MemoryPublicUser<UserAttributes>> implements AuthAdapter<UserAttributes, PublicUserShape> {
+    readonly userStore: MemoryUserStore<UserAttributes, PublicUserShape>;
+    readonly tokenStore: TokenStore;
+    readonly passkeyStore?: MemoryPasskeyStore;
+    readonly oauthStore: MemoryOAuthStore;
+    private readonly adapter;
+    constructor(params?: MemAuthStoreParams<UserAttributes, PublicUserShape>);
+    initialise(): Promise<void>;
+    close(): Promise<void>;
+    getUser(identifier: AuthIdentifier): Promise<UserAttributes | null>;
+    getUserPasswordHash(user: UserAttributes): string;
+    getUserId(user: UserAttributes): AuthIdentifier;
+    filterUser(user: UserAttributes): PublicUserShape;
+    verifyPassword(password: string, hash: string): Promise<boolean>;
+    storeToken(data: Token): Promise<void>;
+    getToken(query: Partial<Token> & {
+        userId?: AuthIdentifier;
+        ruid?: AuthIdentifier;
+    }, opts?: {
+        includeExpired?: boolean;
+    }): Promise<Token | null>;
+    deleteToken(query: Partial<Token> & {
+        userId?: AuthIdentifier;
+        ruid?: AuthIdentifier;
+    }): Promise<number>;
+    updateToken(updates: Partial<Token> & {
+        refreshToken: string;
+    }): Promise<boolean>;
+    createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
+    verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
+    getClient(clientId: string): Promise<OAuthClient | null>;
+    verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
+    createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;
+    consumeAuthCode(code: string, clientId: string): Promise<AuthCodeData | null>;
+    canImpersonate(params: {
+        realUserId: AuthIdentifier;
+        effectiveUserId: AuthIdentifier;
+    }): Promise<boolean>;
+}
+export {};

package/dist/esm/auth-api/mem-auth-store.js

@@ -0,0 +1,137 @@
+import { MemoryOAuthStore } from '../oauth/memory.js';
+import { MemoryPasskeyStore } from '../passkey/memory.js';
+import { MemoryTokenStore } from '../token/memory.js';
+import { MemoryUserStore } from '../user/memory.js';
+import { CompositeAuthAdapter } from './compat-auth-storage.js';
+const DEFAULT_PASSKEY_CONFIG = {
+    rpId: 'localhost',
+    rpName: 'API Server',
+    origins: ['http://localhost:5173'],
+    timeoutMs: 5 * 60 * 1000,
+    userVerification: 'preferred'
+};
+function isOriginString(origin) {
+    return typeof origin === 'string' && origin.trim().length > 0;
+}
+function normalizePasskeyConfig(config = {}) {
+    const candidateOrigins = Array.isArray(config.origins) && config.origins.length > 0 ? config.origins.filter(isOriginString) : null;
+    return {
+        rpId: config.rpId?.trim() || DEFAULT_PASSKEY_CONFIG.rpId,
+        rpName: config.rpName?.trim() || DEFAULT_PASSKEY_CONFIG.rpName,
+        origins: candidateOrigins ? candidateOrigins.map((origin) => origin.trim()) : DEFAULT_PASSKEY_CONFIG.origins,
+        timeoutMs: typeof config.timeoutMs === 'number' && config.timeoutMs > 0
+            ? config.timeoutMs
+            : DEFAULT_PASSKEY_CONFIG.timeoutMs,
+        userVerification: config.userVerification ?? DEFAULT_PASSKEY_CONFIG.userVerification
+    };
+}
+export class MemAuthStore {
+    constructor(params = {}) {
+        this.userStore = new MemoryUserStore({
+            toPublic: params.publicUserMapper ?? params.toPublic,
+            userIdFactory: params.userIdFactory,
+            startingUserId: params.startingUserId,
+            bcryptRounds: params.bcryptRounds,
+            bcryptPepper: params.passwordPepper
+        });
+        this.tokenStore = params.tokenStore ?? new MemoryTokenStore();
+        this.oauthStore = new MemoryOAuthStore({ bcryptRounds: params.bcryptRounds });
+        let passkeyStore;
+        let passkeyConfig;
+        if (params.passkeys !== false) {
+            passkeyConfig = normalizePasskeyConfig(params.passkeys ?? {});
+            const resolveUser = async (lookup) => {
+                const found = await this.userStore.findUser(lookup.userId ?? lookup.login ?? '');
+                if (!found) {
+                    return null;
+                }
+                const mapper = params.passkeyUserMapper ??
+                    ((user) => ({
+                        id: user.user_id,
+                        login: user.login,
+                        displayName: user.login
+                    }));
+                return mapper(found);
+            };
+            passkeyStore = new MemoryPasskeyStore({ resolveUser });
+            this.passkeyStore = passkeyStore;
+        }
+        this.adapter = new CompositeAuthAdapter({
+            userStore: this.userStore,
+            tokenStore: this.tokenStore,
+            passkeys: passkeyStore && passkeyConfig ? { store: passkeyStore, config: passkeyConfig } : undefined,
+            oauthStore: this.oauthStore,
+            canImpersonate: params.canImpersonate
+        });
+    }
+    async initialise() {
+        return;
+    }
+    async close() {
+        return;
+    }
+    async getUser(identifier) {
+        return this.adapter.getUser(identifier);
+    }
+    getUserPasswordHash(user) {
+        return this.adapter.getUserPasswordHash(user);
+    }
+    getUserId(user) {
+        return this.adapter.getUserId(user);
+    }
+    filterUser(user) {
+        return this.adapter.filterUser(user);
+    }
+    async verifyPassword(password, hash) {
+        return this.adapter.verifyPassword(password, hash);
+    }
+    async storeToken(data) {
+        return this.adapter.storeToken(data);
+    }
+    async getToken(query, opts) {
+        const normalized = {
+            ...query,
+            userId: query.userId !== undefined && query.userId !== null ? String(query.userId) : undefined,
+            ruid: query.ruid !== undefined && query.ruid !== null ? String(query.ruid) : undefined
+        };
+        return this.adapter.getToken(normalized, opts);
+    }
+    async deleteToken(query) {
+        const normalized = {
+            ...query,
+            userId: query.userId !== undefined && query.userId !== null ? String(query.userId) : undefined,
+            ruid: query.ruid !== undefined && query.ruid !== null ? String(query.ruid) : undefined
+        };
+        return this.adapter.deleteToken(normalized);
+    }
+    async updateToken(updates) {
+        return this.adapter.updateToken(updates);
+    }
+    async createPasskeyChallenge(params) {
+        return this.adapter.createPasskeyChallenge(params);
+    }
+    async verifyPasskeyResponse(params) {
+        return this.adapter.verifyPasskeyResponse(params);
+    }
+    async listUserCredentials(userId) {
+        return this.adapter.listUserCredentials(userId);
+    }
+    async deletePasskeyCredential(credentialId) {
+        return this.adapter.deletePasskeyCredential(credentialId);
+    }
+    async getClient(clientId) {
+        return this.adapter.getClient(clientId);
+    }
+    async verifyClientSecret(client, clientSecret) {
+        return this.adapter.verifyClientSecret(client, clientSecret);
+    }
+    async createAuthCode(request) {
+        return this.adapter.createAuthCode(request);
+    }
+    async consumeAuthCode(code, clientId) {
+        return this.adapter.consumeAuthCode(code, clientId);
+    }
+    async canImpersonate(params) {
+        return this.adapter.canImpersonate(params);
+    }
+}

package/dist/esm/{auth-module.d.ts → auth-api/module.d.ts}

@@ -1,20 +1,20 @@
-import { ApiModule } from './api-module.js';
-import type { ApiRequest } from './api-server-base.js';
-import type { AuthTokenMetadata, AuthTokenPair } from './auth-storage.js';
+import { ApiModule } from '../api-module.js';
+import type { ApiRequest } from '../api-server-base.js';
+import type { Token, TokenPair } from '../token/types.js';
 export interface AuthProviderModule<UserRow = unknown> {
     readonly moduleType: 'auth';
     readonly namespace: string;
-    issueTokens(apiReq: ApiRequest, user: UserRow, metadata?: AuthTokenMetadata & {
+    issueTokens(apiReq: ApiRequest, user: UserRow, metadata?: Partial<Token> & {
         expires?: Date;
-    }): Promise<AuthTokenPair>;
+    }): Promise<TokenPair>;
 }
 export declare abstract class BaseAuthModule<UserRow = unknown> extends ApiModule<any> implements AuthProviderModule<UserRow> {
     readonly moduleType: "auth";
     protected constructor(opts: {
         namespace: string;
     });
-    abstract issueTokens(apiReq: ApiRequest, user: UserRow, metadata?: AuthTokenMetadata & {
+    abstract issueTokens(apiReq: ApiRequest, user: UserRow, metadata?: Partial<Token> & {
         expires?: Date;
-    }): Promise<AuthTokenPair>;
+    }): Promise<TokenPair>;
 }
 export declare const nullAuthModule: AuthProviderModule<unknown>;

package/dist/esm/{auth-module.js → auth-api/module.js}

@@ -1,4 +1,4 @@
-import { ApiModule } from './api-module.js';
+import { ApiModule } from '../api-module.js';
 // Handy base that you can extend when wiring a real auth module. Subclasses
 // must supply a namespace via the constructor and implement token issuance.
 export class BaseAuthModule extends ApiModule {

package/dist/esm/auth-api/sql-auth-store.d.ts

@@ -0,0 +1,77 @@
+import { Sequelize, type SyncOptions } from 'sequelize';
+import { SequelizeOAuthStore, type SequelizeOAuthStoreOptions } from '../oauth/sequelize.js';
+import { SequelizePasskeyStore } from '../passkey/sequelize.js';
+import { type SequelizeTokenStoreOptions } from '../token/sequelize.js';
+import { SequelizeUserStore, type AuthUserAttributes, GenericUserModel, GenericUserModelStatic } from '../user/sequelize.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
+import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyUserDescriptor, StoredPasskeyCredential, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { TokenStore } from '../token/base.js';
+import type { Token } from '../token/types.js';
+interface PasskeyOptions extends Partial<PasskeyServiceConfig> {
+    enabled?: boolean;
+}
+export interface SqlAuthStoreParams<UserAttributes extends AuthUserAttributes = AuthUserAttributes, PublicUserShape extends Omit<UserAttributes, 'password'> = Omit<UserAttributes, 'password'>> {
+    sequelize: Sequelize;
+    syncOptions?: SyncOptions;
+    bcryptRounds?: number;
+    passwordPepper?: string;
+    userModel?: GenericUserModelStatic;
+    userModelFactory?: (sequelize: Sequelize) => GenericUserModelStatic;
+    userRecordMapper?: (model: GenericUserModel) => UserAttributes;
+    publicUserMapper?: (user: UserAttributes) => PublicUserShape;
+    passkeyUserMapper?: (user: UserAttributes) => PasskeyUserDescriptor;
+    passkeys?: false | PasskeyOptions;
+    canImpersonate?: (params: {
+        realUserId: AuthIdentifier;
+        effectiveUserId: AuthIdentifier;
+    }) => boolean | Promise<boolean>;
+    tokenStore?: TokenStore;
+    tokenStoreOptions?: Omit<SequelizeTokenStoreOptions, 'sequelize'>;
+    oauthStoreOptions?: Omit<SequelizeOAuthStoreOptions, 'sequelize'>;
+}
+export declare class SqlAuthStore<UserAttributes extends AuthUserAttributes = AuthUserAttributes, PublicUserShape extends Omit<UserAttributes, 'password'> = Omit<UserAttributes, 'password'>> implements AuthAdapter<UserAttributes, PublicUserShape> {
+    readonly userStore: SequelizeUserStore<UserAttributes, PublicUserShape>;
+    readonly tokenStore: TokenStore;
+    readonly passkeyStore?: SequelizePasskeyStore;
+    readonly oauthStore: SequelizeOAuthStore;
+    private readonly adapter;
+    private readonly sequelize;
+    private closed;
+    private readonly syncOptions?;
+    constructor(params: SqlAuthStoreParams<UserAttributes, PublicUserShape>);
+    initialise(withSync?: boolean): Promise<void>;
+    close(): Promise<void>;
+    getUser(identifier: AuthIdentifier): Promise<UserAttributes | null>;
+    getUserPasswordHash(user: UserAttributes): string;
+    getUserId(user: UserAttributes): AuthIdentifier;
+    filterUser(user: UserAttributes): PublicUserShape;
+    verifyPassword(password: string, hash: string): Promise<boolean>;
+    storeToken(data: Token): Promise<void>;
+    getToken(query: Partial<Token> & {
+        userId?: AuthIdentifier;
+        ruid?: AuthIdentifier;
+    }, opts?: {
+        includeExpired?: boolean;
+    }): Promise<Token | null>;
+    deleteToken(query: Partial<Token> & {
+        userId?: AuthIdentifier;
+        ruid?: AuthIdentifier;
+    }): Promise<number>;
+    updateToken(updates: Partial<Token> & {
+        refreshToken: string;
+    }): Promise<boolean>;
+    createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
+    verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
+    getClient(clientId: string): Promise<OAuthClient | null>;
+    verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
+    createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;
+    consumeAuthCode(code: string, clientId: string): Promise<AuthCodeData | null>;
+    canImpersonate(params: {
+        realUserId: AuthIdentifier;
+        effectiveUserId: AuthIdentifier;
+    }): Promise<boolean>;
+}
+export {};

package/dist/esm/auth-api/sql-auth-store.js

@@ -0,0 +1,168 @@
+import { SequelizeOAuthStore } from '../oauth/sequelize.js';
+import { SequelizePasskeyStore } from '../passkey/sequelize.js';
+import { SequelizeTokenStore } from '../token/sequelize.js';
+import { SequelizeUserStore } from '../user/sequelize.js';
+import { CompositeAuthAdapter } from './compat-auth-storage.js';
+const DEFAULT_PASSKEY_CONFIG = {
+    rpId: 'localhost',
+    rpName: 'API Server',
+    origins: ['http://localhost:5173'],
+    timeoutMs: 5 * 60 * 1000,
+    userVerification: 'preferred'
+};
+function isOriginString(origin) {
+    return typeof origin === 'string' && origin.trim().length > 0;
+}
+function normalizePasskeyConfig(config = {}) {
+    const candidateOrigins = Array.isArray(config.origins) && config.origins.length > 0 ? config.origins.filter(isOriginString) : null;
+    return {
+        rpId: config.rpId?.trim() || DEFAULT_PASSKEY_CONFIG.rpId,
+        rpName: config.rpName?.trim() || DEFAULT_PASSKEY_CONFIG.rpName,
+        origins: candidateOrigins ? candidateOrigins.map((origin) => origin.trim()) : DEFAULT_PASSKEY_CONFIG.origins,
+        timeoutMs: typeof config.timeoutMs === 'number' && config.timeoutMs > 0
+            ? config.timeoutMs
+            : DEFAULT_PASSKEY_CONFIG.timeoutMs,
+        userVerification: config.userVerification ?? DEFAULT_PASSKEY_CONFIG.userVerification
+    };
+}
+export class SqlAuthStore {
+    constructor(params) {
+        this.closed = false;
+        if (!params?.sequelize) {
+            throw new Error('SqlAuthStore requires an initialised Sequelize instance');
+        }
+        this.sequelize = params.sequelize;
+        this.syncOptions = params.syncOptions;
+        this.userStore = new SequelizeUserStore({
+            sequelize: this.sequelize,
+            userModel: params.userModel,
+            userModelFactory: params.userModelFactory,
+            recordMapper: params.userRecordMapper,
+            toPublic: params.publicUserMapper,
+            bcryptRounds: params.bcryptRounds,
+            bcryptPepper: params.passwordPepper
+        });
+        this.tokenStore =
+            params.tokenStore ?? new SequelizeTokenStore({ sequelize: this.sequelize, ...params.tokenStoreOptions });
+        this.oauthStore = new SequelizeOAuthStore({
+            sequelize: this.sequelize,
+            ...params.oauthStoreOptions,
+            bcryptRounds: params.bcryptRounds
+        });
+        let passkeyStore;
+        let passkeyConfig;
+        if (params.passkeys !== false) {
+            passkeyConfig = normalizePasskeyConfig(params.passkeys ?? {});
+            const resolveUser = async (lookup) => {
+                const found = await this.userStore.findUser(lookup.userId ?? lookup.login ?? '');
+                if (!found) {
+                    return null;
+                }
+                const mapper = params.passkeyUserMapper ??
+                    ((user) => ({
+                        id: (this.userStore.getUserId(user) ?? user['user_id']),
+                        login: user.login ?? String(this.userStore.getUserId(user)),
+                        displayName: user.login ?? String(this.userStore.getUserId(user))
+                    }));
+                return mapper(found);
+            };
+            passkeyStore = new SequelizePasskeyStore({ sequelize: this.sequelize, resolveUser });
+            this.passkeyStore = passkeyStore;
+        }
+        this.adapter = new CompositeAuthAdapter({
+            userStore: this.userStore,
+            tokenStore: this.tokenStore,
+            passkeys: passkeyStore && passkeyConfig ? { store: passkeyStore, config: passkeyConfig } : undefined,
+            oauthStore: this.oauthStore,
+            canImpersonate: params.canImpersonate
+        });
+    }
+    async initialise(withSync = false) {
+        await this.sequelize.authenticate();
+        if (withSync) {
+            await this.sequelize.sync(this.syncOptions);
+        }
+    }
+    async close() {
+        if (this.closed) {
+            return;
+        }
+        this.closed = true;
+        try {
+            await this.sequelize.close();
+        }
+        catch (error) {
+            const message = error?.message ?? '';
+            if (!/closed/i.test(message)) {
+                throw error;
+            }
+        }
+        finally {
+            this.sequelize.close = async () => { };
+        }
+    }
+    async getUser(identifier) {
+        return this.adapter.getUser(identifier);
+    }
+    getUserPasswordHash(user) {
+        return this.adapter.getUserPasswordHash(user);
+    }
+    getUserId(user) {
+        return this.adapter.getUserId(user);
+    }
+    filterUser(user) {
+        return this.adapter.filterUser(user);
+    }
+    async verifyPassword(password, hash) {
+        return this.adapter.verifyPassword(password, hash);
+    }
+    async storeToken(data) {
+        return this.adapter.storeToken(data);
+    }
+    async getToken(query, opts) {
+        const normalized = {
+            ...query,
+            userId: query.userId !== undefined && query.userId !== null ? String(query.userId) : undefined,
+            ruid: query.ruid !== undefined && query.ruid !== null ? String(query.ruid) : undefined
+        };
+        return this.adapter.getToken(normalized, opts);
+    }
+    async deleteToken(query) {
+        const normalized = {
+            ...query,
+            userId: query.userId !== undefined && query.userId !== null ? String(query.userId) : undefined,
+            ruid: query.ruid !== undefined && query.ruid !== null ? String(query.ruid) : undefined
+        };
+        return this.adapter.deleteToken(normalized);
+    }
+    async updateToken(updates) {
+        return this.adapter.updateToken(updates);
+    }
+    async createPasskeyChallenge(params) {
+        return this.adapter.createPasskeyChallenge(params);
+    }
+    async verifyPasskeyResponse(params) {
+        return this.adapter.verifyPasskeyResponse(params);
+    }
+    async listUserCredentials(userId) {
+        return this.adapter.listUserCredentials(userId);
+    }
+    async deletePasskeyCredential(credentialId) {
+        return this.adapter.deletePasskeyCredential(credentialId);
+    }
+    async getClient(clientId) {
+        return this.adapter.getClient(clientId);
+    }
+    async verifyClientSecret(client, clientSecret) {
+        return this.adapter.verifyClientSecret(client, clientSecret);
+    }
+    async createAuthCode(request) {
+        return this.adapter.createAuthCode(request);
+    }
+    async consumeAuthCode(code, clientId) {
+        return this.adapter.consumeAuthCode(code, clientId);
+    }
+    async canImpersonate(params) {
+        return this.adapter.canImpersonate(params);
+    }
+}