@technomoron/api-server-base 1.1.13 → 2.0.0-beta.10

package/dist/cjs/auth-api/sql-auth-store.js

@@ -0,0 +1,172 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SqlAuthStore = void 0;
+const sequelize_js_1 = require("../oauth/sequelize.js");
+const sequelize_js_2 = require("../passkey/sequelize.js");
+const sequelize_js_3 = require("../token/sequelize.js");
+const sequelize_js_4 = require("../user/sequelize.js");
+const compat_auth_storage_js_1 = require("./compat-auth-storage.js");
+const DEFAULT_PASSKEY_CONFIG = {
+    rpId: 'localhost',
+    rpName: 'API Server',
+    origins: ['http://localhost:5173'],
+    timeoutMs: 5 * 60 * 1000,
+    userVerification: 'preferred'
+};
+function isOriginString(origin) {
+    return typeof origin === 'string' && origin.trim().length > 0;
+}
+function normalizePasskeyConfig(config = {}) {
+    const candidateOrigins = Array.isArray(config.origins) && config.origins.length > 0 ? config.origins.filter(isOriginString) : null;
+    return {
+        rpId: config.rpId?.trim() || DEFAULT_PASSKEY_CONFIG.rpId,
+        rpName: config.rpName?.trim() || DEFAULT_PASSKEY_CONFIG.rpName,
+        origins: candidateOrigins ? candidateOrigins.map((origin) => origin.trim()) : DEFAULT_PASSKEY_CONFIG.origins,
+        timeoutMs: typeof config.timeoutMs === 'number' && config.timeoutMs > 0
+            ? config.timeoutMs
+            : DEFAULT_PASSKEY_CONFIG.timeoutMs,
+        userVerification: config.userVerification ?? DEFAULT_PASSKEY_CONFIG.userVerification
+    };
+}
+class SqlAuthStore {
+    constructor(params) {
+        this.closed = false;
+        if (!params?.sequelize) {
+            throw new Error('SqlAuthStore requires an initialised Sequelize instance');
+        }
+        this.sequelize = params.sequelize;
+        this.syncOptions = params.syncOptions;
+        this.userStore = new sequelize_js_4.SequelizeUserStore({
+            sequelize: this.sequelize,
+            userModel: params.userModel,
+            userModelFactory: params.userModelFactory,
+            recordMapper: params.userRecordMapper,
+            toPublic: params.publicUserMapper,
+            bcryptRounds: params.bcryptRounds,
+            bcryptPepper: params.passwordPepper
+        });
+        this.tokenStore =
+            params.tokenStore ?? new sequelize_js_3.SequelizeTokenStore({ sequelize: this.sequelize, ...params.tokenStoreOptions });
+        this.oauthStore = new sequelize_js_1.SequelizeOAuthStore({
+            sequelize: this.sequelize,
+            ...params.oauthStoreOptions,
+            bcryptRounds: params.bcryptRounds
+        });
+        let passkeyStore;
+        let passkeyConfig;
+        if (params.passkeys !== false) {
+            passkeyConfig = normalizePasskeyConfig(params.passkeys ?? {});
+            const resolveUser = async (lookup) => {
+                const found = await this.userStore.findUser(lookup.userId ?? lookup.login ?? '');
+                if (!found) {
+                    return null;
+                }
+                const mapper = params.passkeyUserMapper ??
+                    ((user) => ({
+                        id: (this.userStore.getUserId(user) ?? user['user_id']),
+                        login: user.login ?? String(this.userStore.getUserId(user)),
+                        displayName: user.login ?? String(this.userStore.getUserId(user))
+                    }));
+                return mapper(found);
+            };
+            passkeyStore = new sequelize_js_2.SequelizePasskeyStore({ sequelize: this.sequelize, resolveUser });
+            this.passkeyStore = passkeyStore;
+        }
+        this.adapter = new compat_auth_storage_js_1.CompositeAuthAdapter({
+            userStore: this.userStore,
+            tokenStore: this.tokenStore,
+            passkeys: passkeyStore && passkeyConfig ? { store: passkeyStore, config: passkeyConfig } : undefined,
+            oauthStore: this.oauthStore,
+            canImpersonate: params.canImpersonate
+        });
+    }
+    async initialise(withSync = false) {
+        await this.sequelize.authenticate();
+        if (withSync) {
+            await this.sequelize.sync(this.syncOptions);
+        }
+    }
+    async close() {
+        if (this.closed) {
+            return;
+        }
+        this.closed = true;
+        try {
+            await this.sequelize.close();
+        }
+        catch (error) {
+            const message = error?.message ?? '';
+            if (!/closed/i.test(message)) {
+                throw error;
+            }
+        }
+        finally {
+            this.sequelize.close = async () => { };
+        }
+    }
+    async getUser(identifier) {
+        return this.adapter.getUser(identifier);
+    }
+    getUserPasswordHash(user) {
+        return this.adapter.getUserPasswordHash(user);
+    }
+    getUserId(user) {
+        return this.adapter.getUserId(user);
+    }
+    filterUser(user) {
+        return this.adapter.filterUser(user);
+    }
+    async verifyPassword(password, hash) {
+        return this.adapter.verifyPassword(password, hash);
+    }
+    async storeToken(data) {
+        return this.adapter.storeToken(data);
+    }
+    async getToken(query, opts) {
+        const normalized = {
+            ...query,
+            userId: query.userId !== undefined && query.userId !== null ? String(query.userId) : undefined,
+            ruid: query.ruid !== undefined && query.ruid !== null ? String(query.ruid) : undefined
+        };
+        return this.adapter.getToken(normalized, opts);
+    }
+    async deleteToken(query) {
+        const normalized = {
+            ...query,
+            userId: query.userId !== undefined && query.userId !== null ? String(query.userId) : undefined,
+            ruid: query.ruid !== undefined && query.ruid !== null ? String(query.ruid) : undefined
+        };
+        return this.adapter.deleteToken(normalized);
+    }
+    async updateToken(updates) {
+        return this.adapter.updateToken(updates);
+    }
+    async createPasskeyChallenge(params) {
+        return this.adapter.createPasskeyChallenge(params);
+    }
+    async verifyPasskeyResponse(params) {
+        return this.adapter.verifyPasskeyResponse(params);
+    }
+    async listUserCredentials(userId) {
+        return this.adapter.listUserCredentials(userId);
+    }
+    async deletePasskeyCredential(credentialId) {
+        return this.adapter.deletePasskeyCredential(credentialId);
+    }
+    async getClient(clientId) {
+        return this.adapter.getClient(clientId);
+    }
+    async verifyClientSecret(client, clientSecret) {
+        return this.adapter.verifyClientSecret(client, clientSecret);
+    }
+    async createAuthCode(request) {
+        return this.adapter.createAuthCode(request);
+    }
+    async consumeAuthCode(code, clientId) {
+        return this.adapter.consumeAuthCode(code, clientId);
+    }
+    async canImpersonate(params) {
+        return this.adapter.canImpersonate(params);
+    }
+}
+exports.SqlAuthStore = SqlAuthStore;

package/dist/cjs/auth-api/storage.d.ts

@@ -0,0 +1,38 @@
+import type { AuthAdapter, AuthIdentifier } from './types.js';
+import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult, StoredPasskeyCredential } from '../passkey/types.js';
+import type { Token } from '../token/types.js';
+export declare class BaseAuthAdapter<UserRow = unknown, SafeUser = unknown> implements AuthAdapter<UserRow, SafeUser> {
+    getUser(identifier: AuthIdentifier): Promise<UserRow | null>;
+    getUserPasswordHash(user: UserRow): string;
+    getUserId(user: UserRow): AuthIdentifier;
+    filterUser(user: UserRow): SafeUser;
+    verifyPassword(password: string, hash: string): Promise<boolean>;
+    storeToken(data: Token): Promise<void>;
+    getToken(query: Partial<Omit<Token, 'userId' | 'ruid'>> & {
+        userId?: string | number;
+        ruid?: string | number;
+    }, opts?: {
+        includeExpired?: boolean;
+    }): Promise<Token | null>;
+    deleteToken(query: Partial<Omit<Token, 'userId' | 'ruid'>> & {
+        userId?: string | number;
+        ruid?: string | number;
+    }): Promise<number>;
+    updateToken(updates: Partial<Token> & {
+        refreshToken: string;
+    }): Promise<boolean>;
+    createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
+    verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
+    getClient(clientId: string): Promise<OAuthClient | null>;
+    verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
+    createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;
+    consumeAuthCode(code: string, clientId: string): Promise<AuthCodeData | null>;
+    canImpersonate(params: {
+        realUserId: AuthIdentifier;
+        effectiveUserId: AuthIdentifier;
+    }): Promise<boolean>;
+}
+export declare const nullAuthAdapter: AuthAdapter<unknown, unknown>;

package/dist/cjs/{auth-storage.cjs → auth-api/storage.js}

@@ -1,10 +1,9 @@
 "use strict";
-// Numeric database id or lookup string such as username/email.
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.nullAuthStorage = exports.BaseAuthStorage = void 0;
-// Handy base you can extend when wiring a real storage adapter. Every method
+exports.nullAuthAdapter = exports.BaseAuthAdapter = void 0;
+// Handy base you can extend when wiring a real auth adapter. Every method
 // throws by default so unimplemented hooks fail loudly.
-class BaseAuthStorage {
+class BaseAuthAdapter {
     // Override to load a user record by identifier
     async getUser(identifier) {
         void identifier;
@@ -36,8 +35,9 @@ class BaseAuthStorage {
         throw new Error('Auth storage not configured');
     }
     // Override to look up a stored token by query
-    async getToken(query) {
+    async getToken(query, opts) {
         void query;
+        void opts;
         return null;
     }
     // Override to remove stored tokens that match the query
@@ -60,6 +60,16 @@ class BaseAuthStorage {
         void params;
         throw new Error('Auth storage not configured');
     }
+    // Override to list passkey credentials for a user
+    async listUserCredentials(userId) {
+        void userId;
+        throw new Error('Auth storage not configured');
+    }
+    // Override to delete a passkey credential
+    async deletePasskeyCredential(credentialId) {
+        void credentialId;
+        throw new Error('Auth storage not configured');
+    }
     // Override to fetch an OAuth client by identifier
     async getClient(clientId) {
         void clientId;
@@ -88,5 +98,5 @@ class BaseAuthStorage {
         return false;
     }
 }
-exports.BaseAuthStorage = BaseAuthStorage;
-exports.nullAuthStorage = new BaseAuthStorage();
+exports.BaseAuthAdapter = BaseAuthAdapter;
+exports.nullAuthAdapter = new BaseAuthAdapter();

package/dist/cjs/auth-api/types.d.ts

@@ -0,0 +1,34 @@
+import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult, StoredPasskeyCredential } from '../passkey/types.js';
+import type { Token } from '../token/types.js';
+export type AuthIdentifier = string | number;
+/** @internal */
+export interface AuthAdapter<UserRow, SafeUser> {
+    getUser(identifier: AuthIdentifier): Promise<UserRow | null>;
+    getUserPasswordHash(user: UserRow): string;
+    getUserId(user: UserRow): AuthIdentifier;
+    filterUser(user: UserRow): SafeUser;
+    verifyPassword(password: string, hash: string): Promise<boolean>;
+    storeToken(data: Token): Promise<void>;
+    getToken(query: Partial<Token>, opts?: {
+        includeExpired?: boolean;
+    }): Promise<Token | null>;
+    deleteToken(query: Partial<Token>): Promise<number>;
+    updateToken?(updates: Partial<Token> & {
+        refreshToken: string;
+    }): Promise<boolean>;
+    createPasskeyChallenge?(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
+    verifyPasskeyResponse?(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials?(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential?(credentialId: Buffer | string): Promise<boolean>;
+    getClient?(clientId: string): Promise<OAuthClient | null>;
+    verifyClientSecret?(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
+    createAuthCode?(request: AuthCodeRequest): Promise<AuthCodeData>;
+    consumeAuthCode?(code: string, clientId: string): Promise<AuthCodeData | null>;
+    canImpersonate?(params: {
+        realUserId: AuthIdentifier;
+        effectiveUserId: AuthIdentifier;
+    }): Promise<boolean>;
+}
+/** @internal */
+export type AuthStorage<UserRow, SafeUser> = AuthAdapter<UserRow, SafeUser>;

package/dist/cjs/auth-api/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cjs/index.cjs

@@ -3,16 +3,50 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.BaseAuthModule = exports.nullAuthModule = exports.BaseAuthStorage = exports.nullAuthStorage = exports.ApiModule = exports.ApiError = exports.ApiServer = void 0;
+exports.SequelizeOAuthStore = exports.MemoryOAuthStore = exports.OAuthStore = exports.SequelizePasskeyStore = exports.MemoryPasskeyStore = exports.PasskeyStore = exports.PasskeyService = exports.SequelizeTokenStore = exports.MemoryTokenStore = exports.TokenStore = exports.SequelizeUserStore = exports.MemoryUserStore = exports.UserStore = exports.AuthModule = exports.SqlAuthStore = exports.MemAuthStore = exports.CompositeAuthAdapter = exports.BaseAuthModule = exports.nullAuthModule = exports.BaseAuthAdapter = exports.nullAuthAdapter = exports.ApiModule = exports.ApiError = exports.ApiServer = void 0;
 var api_server_base_js_1 = require("./api-server-base.cjs");
 Object.defineProperty(exports, "ApiServer", { enumerable: true, get: function () { return __importDefault(api_server_base_js_1).default; } });
 var api_server_base_js_2 = require("./api-server-base.cjs");
 Object.defineProperty(exports, "ApiError", { enumerable: true, get: function () { return api_server_base_js_2.ApiError; } });
 var api_module_js_1 = require("./api-module.cjs");
 Object.defineProperty(exports, "ApiModule", { enumerable: true, get: function () { return api_module_js_1.ApiModule; } });
-var auth_storage_js_1 = require("./auth-storage.cjs");
-Object.defineProperty(exports, "nullAuthStorage", { enumerable: true, get: function () { return auth_storage_js_1.nullAuthStorage; } });
-Object.defineProperty(exports, "BaseAuthStorage", { enumerable: true, get: function () { return auth_storage_js_1.BaseAuthStorage; } });
-var auth_module_js_1 = require("./auth-module.cjs");
-Object.defineProperty(exports, "nullAuthModule", { enumerable: true, get: function () { return auth_module_js_1.nullAuthModule; } });
-Object.defineProperty(exports, "BaseAuthModule", { enumerable: true, get: function () { return auth_module_js_1.BaseAuthModule; } });
+var storage_js_1 = require("./auth-api/storage.js");
+Object.defineProperty(exports, "nullAuthAdapter", { enumerable: true, get: function () { return storage_js_1.nullAuthAdapter; } });
+Object.defineProperty(exports, "BaseAuthAdapter", { enumerable: true, get: function () { return storage_js_1.BaseAuthAdapter; } });
+var module_js_1 = require("./auth-api/module.js");
+Object.defineProperty(exports, "nullAuthModule", { enumerable: true, get: function () { return module_js_1.nullAuthModule; } });
+Object.defineProperty(exports, "BaseAuthModule", { enumerable: true, get: function () { return module_js_1.BaseAuthModule; } });
+var compat_auth_storage_js_1 = require("./auth-api/compat-auth-storage.js");
+Object.defineProperty(exports, "CompositeAuthAdapter", { enumerable: true, get: function () { return compat_auth_storage_js_1.CompositeAuthAdapter; } });
+var mem_auth_store_js_1 = require("./auth-api/mem-auth-store.js");
+Object.defineProperty(exports, "MemAuthStore", { enumerable: true, get: function () { return mem_auth_store_js_1.MemAuthStore; } });
+var sql_auth_store_js_1 = require("./auth-api/sql-auth-store.js");
+Object.defineProperty(exports, "SqlAuthStore", { enumerable: true, get: function () { return sql_auth_store_js_1.SqlAuthStore; } });
+var auth_module_js_1 = require("./auth-api/auth-module.js");
+Object.defineProperty(exports, "AuthModule", { enumerable: true, get: function () { return __importDefault(auth_module_js_1).default; } });
+var base_js_1 = require("./user/base.js");
+Object.defineProperty(exports, "UserStore", { enumerable: true, get: function () { return base_js_1.UserStore; } });
+var memory_js_1 = require("./user/memory.js");
+Object.defineProperty(exports, "MemoryUserStore", { enumerable: true, get: function () { return memory_js_1.MemoryUserStore; } });
+var sequelize_js_1 = require("./user/sequelize.js");
+Object.defineProperty(exports, "SequelizeUserStore", { enumerable: true, get: function () { return sequelize_js_1.SequelizeUserStore; } });
+var base_js_2 = require("./token/base.js");
+Object.defineProperty(exports, "TokenStore", { enumerable: true, get: function () { return base_js_2.TokenStore; } });
+var memory_js_2 = require("./token/memory.js");
+Object.defineProperty(exports, "MemoryTokenStore", { enumerable: true, get: function () { return memory_js_2.MemoryTokenStore; } });
+var sequelize_js_2 = require("./token/sequelize.js");
+Object.defineProperty(exports, "SequelizeTokenStore", { enumerable: true, get: function () { return sequelize_js_2.SequelizeTokenStore; } });
+var service_js_1 = require("./passkey/service.js");
+Object.defineProperty(exports, "PasskeyService", { enumerable: true, get: function () { return service_js_1.PasskeyService; } });
+var base_js_3 = require("./passkey/base.js");
+Object.defineProperty(exports, "PasskeyStore", { enumerable: true, get: function () { return base_js_3.PasskeyStore; } });
+var memory_js_3 = require("./passkey/memory.js");
+Object.defineProperty(exports, "MemoryPasskeyStore", { enumerable: true, get: function () { return memory_js_3.MemoryPasskeyStore; } });
+var sequelize_js_3 = require("./passkey/sequelize.js");
+Object.defineProperty(exports, "SequelizePasskeyStore", { enumerable: true, get: function () { return sequelize_js_3.SequelizePasskeyStore; } });
+var base_js_4 = require("./oauth/base.js");
+Object.defineProperty(exports, "OAuthStore", { enumerable: true, get: function () { return base_js_4.OAuthStore; } });
+var memory_js_4 = require("./oauth/memory.js");
+Object.defineProperty(exports, "MemoryOAuthStore", { enumerable: true, get: function () { return memory_js_4.MemoryOAuthStore; } });
+var sequelize_js_4 = require("./oauth/sequelize.js");
+Object.defineProperty(exports, "SequelizeOAuthStore", { enumerable: true, get: function () { return sequelize_js_4.SequelizeOAuthStore; } });

package/dist/cjs/index.d.ts

@@ -1,8 +1,32 @@
 export { default as ApiServer } from './api-server-base.js';
 export { ApiError } from './api-server-base.js';
 export { ApiModule } from './api-module.js';
-export type { ApiErrorParams, ApiHandler, ApiKey, ApiServerConf, ApiRequest, ApiRoute, ApiAuthType, ApiAuthClass, ApiTokenData, RequestWithStuff } from './api-server-base.js';
-export type { AuthIdentifier, AuthTokenMetadata, AuthTokenData, AuthTokenQuery, AuthTokenPair, AuthTokenPayload, PasskeyChallengeParams, PasskeyChallenge, PasskeyVerificationParams, PasskeyVerificationResult, OAuthClient, AuthCodeData, AuthCodeRequest, AuthStorage } from './auth-storage.js';
-export type { AuthProviderModule } from './auth-module.js';
-export { nullAuthStorage, BaseAuthStorage } from './auth-storage.js';
-export { nullAuthModule, BaseAuthModule } from './auth-module.js';
+export type { ApiErrorParams, ApiHandler, ApiKey, ApiServerConf, ApiRequest, ApiRoute, ApiAuthType, ApiAuthClass, ApiTokenData, ExtendedReq, ExpressApiRequest, ExpressApiLocals } from './api-server-base.js';
+export type { AuthIdentifier } from './auth-api/types.js';
+export type { Token, TokenPair, TokenStatus } from './token/types.js';
+export type { JwtSignResult, JwtVerifyResult, JwtDecodeResult } from './token/base.js';
+export type { OAuthClient, AuthCodeData, AuthCodeRequest } from './oauth/types.js';
+export type { AuthProviderModule } from './auth-api/module.js';
+export { nullAuthAdapter, BaseAuthAdapter } from './auth-api/storage.js';
+export { nullAuthModule, BaseAuthModule } from './auth-api/module.js';
+export { CompositeAuthAdapter } from './auth-api/compat-auth-storage.js';
+export { MemAuthStore } from './auth-api/mem-auth-store.js';
+export { SqlAuthStore } from './auth-api/sql-auth-store.js';
+export { default as AuthModule } from './auth-api/auth-module.js';
+export type { OAuthStartParams, OAuthStartResult, OAuthCallbackParams, OAuthCallbackResult } from './oauth/types.js';
+export type { BcryptHasherOptions, CreateUserInput, UpdateUserInput, PublicUserMapper } from './user/types.js';
+export { UserStore } from './user/base.js';
+export { MemoryUserStore } from './user/memory.js';
+export { SequelizeUserStore } from './user/sequelize.js';
+export type { MemoryUserAttributes, MemoryUserStoreOptions } from './user/memory.js';
+export { TokenStore } from './token/base.js';
+export { MemoryTokenStore } from './token/memory.js';
+export { SequelizeTokenStore } from './token/sequelize.js';
+export { PasskeyService } from './passkey/service.js';
+export { PasskeyStore } from './passkey/base.js';
+export { MemoryPasskeyStore } from './passkey/memory.js';
+export { SequelizePasskeyStore } from './passkey/sequelize.js';
+export type { PasskeyServiceConfig, PasskeyChallengeRecord, PasskeyUserDescriptor, StoredPasskeyCredential, PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult } from './passkey/types.js';
+export { OAuthStore } from './oauth/base.js';
+export { MemoryOAuthStore } from './oauth/memory.js';
+export { SequelizeOAuthStore } from './oauth/sequelize.js';

package/dist/cjs/oauth/base.d.ts

@@ -0,0 +1,10 @@
+import type { AuthCode, OAuthClient } from './types.js';
+export declare abstract class OAuthStore {
+    abstract getClient(clientId: string): Promise<OAuthClient | null>;
+    abstract createClient(input: OAuthClient): Promise<OAuthClient>;
+    abstract verifyClientSecret(clientId: string, secret: string | null): Promise<boolean>;
+    abstract createAuthCode(code: AuthCode): Promise<void>;
+    abstract consumeAuthCode(code: string): Promise<AuthCode | null>;
+    abstract close(): Promise<void>;
+}
+export type { OAuthClient, AuthCode } from './types.js';

package/dist/cjs/oauth/base.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthStore = void 0;
+class OAuthStore {
+}
+exports.OAuthStore = OAuthStore;

package/dist/cjs/oauth/memory.d.ts

@@ -0,0 +1,16 @@
+import { OAuthStore, type AuthCode, type OAuthClient } from './base.js';
+export interface MemoryOAuthStoreOptions {
+    bcryptRounds?: number;
+}
+export declare class MemoryOAuthStore extends OAuthStore {
+    private readonly clients;
+    private readonly codes;
+    private readonly bcryptRounds;
+    constructor(options?: MemoryOAuthStoreOptions);
+    getClient(clientId: string): Promise<OAuthClient | null>;
+    createClient(input: OAuthClient): Promise<OAuthClient>;
+    verifyClientSecret(clientId: string, secret: string | null): Promise<boolean>;
+    createAuthCode(code: AuthCode): Promise<void>;
+    consumeAuthCode(code: string): Promise<AuthCode | null>;
+    close(): Promise<void>;
+}

package/dist/cjs/oauth/memory.js

@@ -0,0 +1,99 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MemoryOAuthStore = void 0;
+const bcryptjs_1 = __importDefault(require("bcryptjs"));
+const base_js_1 = require("./base.js");
+function cloneClient(client) {
+    if (!client) {
+        return null;
+    }
+    return {
+        clientId: client.clientId,
+        clientSecret: client.clientSecret,
+        name: client.name,
+        redirectUris: [...client.redirectUris],
+        scope: client.scope ? [...client.scope] : undefined,
+        metadata: client.metadata ? { ...client.metadata } : undefined,
+        firstParty: client.firstParty
+    };
+}
+function cloneCode(code) {
+    return {
+        ...code,
+        scope: code.scope ? [...code.scope] : undefined,
+        expiresAt: new Date(code.expiresAt),
+        metadata: code.metadata ? { ...code.metadata } : undefined
+    };
+}
+function normalizeUserId(identifier) {
+    if (typeof identifier === 'number' && Number.isFinite(identifier)) {
+        return identifier;
+    }
+    if (typeof identifier === 'string' && /^\d+$/.test(identifier)) {
+        return Number(identifier);
+    }
+    throw new Error(`Unable to normalise user identifier: ${identifier}`);
+}
+class MemoryOAuthStore extends base_js_1.OAuthStore {
+    constructor(options = {}) {
+        super();
+        this.clients = new Map();
+        this.codes = new Map();
+        this.bcryptRounds = options.bcryptRounds ?? 12;
+    }
+    async getClient(clientId) {
+        return cloneClient(this.clients.get(clientId));
+    }
+    async createClient(input) {
+        const clientSecret = input.clientSecret ? await bcryptjs_1.default.hash(input.clientSecret, this.bcryptRounds) : '';
+        const stored = {
+            clientId: input.clientId,
+            clientSecret,
+            name: input.name,
+            redirectUris: [...input.redirectUris],
+            scope: input.scope ? [...input.scope] : undefined,
+            metadata: input.metadata ? { ...input.metadata } : undefined,
+            firstParty: input.firstParty
+        };
+        this.clients.set(stored.clientId, stored);
+        return cloneClient(stored);
+    }
+    async verifyClientSecret(clientId, secret) {
+        const client = this.clients.get(clientId);
+        if (!client) {
+            return false;
+        }
+        if (!client.clientSecret) {
+            return !secret || secret.length === 0;
+        }
+        if (!secret) {
+            return false;
+        }
+        return bcryptjs_1.default.compare(secret, client.clientSecret);
+    }
+    async createAuthCode(code) {
+        const record = {
+            ...code,
+            userId: normalizeUserId(code.userId),
+            scope: code.scope ? [...code.scope] : undefined,
+            expiresAt: code.expiresAt,
+            metadata: code.metadata ? { ...code.metadata } : undefined
+        };
+        this.codes.set(record.code, record);
+    }
+    async consumeAuthCode(code) {
+        const record = this.codes.get(code);
+        if (!record) {
+            return null;
+        }
+        this.codes.delete(code);
+        return cloneCode(record);
+    }
+    async close() {
+        return;
+    }
+}
+exports.MemoryOAuthStore = MemoryOAuthStore;

package/dist/cjs/oauth/models.d.ts

@@ -0,0 +1,45 @@
+import { Model, type Optional, type Sequelize } from 'sequelize';
+export interface OAuthClientAttributes {
+    client_id: string;
+    client_secret: string;
+    name: string | null;
+    redirect_uris: string;
+    scope: string;
+    metadata: string | null;
+    first_party: boolean;
+}
+export type OAuthClientCreationAttributes = Optional<OAuthClientAttributes, 'client_secret' | 'name' | 'scope' | 'metadata' | 'first_party'>;
+export declare class OAuthClientModel extends Model<OAuthClientAttributes, OAuthClientCreationAttributes> implements OAuthClientAttributes {
+    client_id: string;
+    client_secret: string;
+    name: string | null;
+    redirect_uris: string;
+    scope: string;
+    metadata: string | null;
+    first_party: boolean;
+}
+export declare function initOAuthClientModel(sequelize: Sequelize): typeof OAuthClientModel;
+export interface OAuthCodeAttributes {
+    code: string;
+    client_id: string;
+    user_id: number;
+    redirect_uri: string;
+    scope: string;
+    code_challenge: string | null;
+    code_challenge_method: 'plain' | 'S256' | null;
+    expires: Date;
+    metadata: string | null;
+}
+export type OAuthCodeCreationAttributes = Optional<OAuthCodeAttributes, 'code_challenge' | 'code_challenge_method' | 'metadata'>;
+export declare class OAuthCodeModel extends Model<OAuthCodeAttributes, OAuthCodeCreationAttributes> implements OAuthCodeAttributes {
+    code: string;
+    client_id: string;
+    user_id: number;
+    redirect_uri: string;
+    scope: string;
+    code_challenge: string | null;
+    code_challenge_method: 'plain' | 'S256' | null;
+    expires: Date;
+    metadata: string | null;
+}
+export declare function initOAuthCodeModel(sequelize: Sequelize): typeof OAuthCodeModel;

package/dist/cjs/oauth/models.js

@@ -0,0 +1,58 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthCodeModel = exports.OAuthClientModel = void 0;
+exports.initOAuthClientModel = initOAuthClientModel;
+exports.initOAuthCodeModel = initOAuthCodeModel;
+const sequelize_1 = require("sequelize");
+const DIALECTS_SUPPORTING_UNSIGNED = new Set(['mysql', 'mariadb']);
+function integerIdType(sequelize) {
+    return DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? sequelize_1.DataTypes.INTEGER.UNSIGNED : sequelize_1.DataTypes.INTEGER;
+}
+function tableOptions(sequelize, tableName, extra) {
+    const opts = { sequelize, tableName };
+    if (extra) {
+        Object.assign(opts, extra);
+    }
+    if (DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())) {
+        opts.charset = 'utf8mb4';
+        opts.collate = 'utf8mb4_unicode_ci';
+    }
+    return opts;
+}
+class OAuthClientModel extends sequelize_1.Model {
+}
+exports.OAuthClientModel = OAuthClientModel;
+function initOAuthClientModel(sequelize) {
+    OAuthClientModel.init({
+        client_id: { type: sequelize_1.DataTypes.STRING(128), allowNull: false, primaryKey: true },
+        client_secret: { type: sequelize_1.DataTypes.STRING(255), allowNull: false, defaultValue: '' },
+        name: { type: sequelize_1.DataTypes.STRING(128), allowNull: true, defaultValue: null },
+        redirect_uris: { type: sequelize_1.DataTypes.TEXT, allowNull: false, defaultValue: '[]' },
+        scope: { type: sequelize_1.DataTypes.TEXT, allowNull: false, defaultValue: '[]' },
+        metadata: { type: sequelize_1.DataTypes.TEXT, allowNull: true, defaultValue: null },
+        first_party: { type: sequelize_1.DataTypes.BOOLEAN, allowNull: false, defaultValue: false }
+    }, {
+        ...tableOptions(sequelize, 'oauth_clients', { timestamps: false })
+    });
+    return OAuthClientModel;
+}
+class OAuthCodeModel extends sequelize_1.Model {
+}
+exports.OAuthCodeModel = OAuthCodeModel;
+function initOAuthCodeModel(sequelize) {
+    const idType = integerIdType(sequelize);
+    OAuthCodeModel.init({
+        code: { type: sequelize_1.DataTypes.STRING(128), allowNull: false, primaryKey: true },
+        client_id: { type: sequelize_1.DataTypes.STRING(128), allowNull: false },
+        user_id: { type: idType, allowNull: false },
+        redirect_uri: { type: sequelize_1.DataTypes.TEXT, allowNull: false },
+        scope: { type: sequelize_1.DataTypes.TEXT, allowNull: false, defaultValue: '[]' },
+        code_challenge: { type: sequelize_1.DataTypes.STRING(255), allowNull: true, defaultValue: null },
+        code_challenge_method: { type: sequelize_1.DataTypes.STRING(10), allowNull: true, defaultValue: null },
+        expires: { type: sequelize_1.DataTypes.DATE, allowNull: false },
+        metadata: { type: sequelize_1.DataTypes.TEXT, allowNull: true, defaultValue: null }
+    }, {
+        ...tableOptions(sequelize, 'oauth_codes', { timestamps: false })
+    });
+    return OAuthCodeModel;
+}