@technomoron/api-server-base 1.1.13 → 2.0.0-beta.2

package/dist/cjs/passkey/sequelize.js

@@ -0,0 +1,211 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SequelizePasskeyStore = void 0;
+const sequelize_1 = require("sequelize");
+const base_js_1 = require("./base.js");
+const DIALECTS_SUPPORTING_UNSIGNED = new Set(['mysql', 'mariadb']);
+function integerIdType(sequelize) {
+    return DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? sequelize_1.DataTypes.INTEGER.UNSIGNED : sequelize_1.DataTypes.INTEGER;
+}
+function encodeCredentialId(value) {
+    return Buffer.isBuffer(value) ? value.toString('base64') : value;
+}
+function normalizeUserId(identifier) {
+    if (typeof identifier === 'number' && Number.isFinite(identifier)) {
+        return identifier;
+    }
+    if (typeof identifier === 'string' && /^\d+$/.test(identifier)) {
+        return Number(identifier);
+    }
+    throw new Error(`Unable to normalise user identifier: ${identifier}`);
+}
+class PasskeyCredentialModel extends sequelize_1.Model {
+}
+class PasskeyChallengeModel extends sequelize_1.Model {
+}
+function initPasskeyCredentialModel(sequelize) {
+    const idType = integerIdType(sequelize);
+    return PasskeyCredentialModel.init({
+        credentialId: {
+            field: 'credential_id',
+            type: sequelize_1.DataTypes.STRING(768),
+            primaryKey: true,
+            allowNull: false,
+            get() {
+                const raw = this.getDataValue('credentialId');
+                if (!raw) {
+                    return raw;
+                }
+                if (Buffer.isBuffer(raw)) {
+                    return raw;
+                }
+                return Buffer.from(raw, 'base64');
+            },
+            set(value) {
+                const encoded = typeof value === 'string' ? value : value.toString('base64');
+                this.setDataValue('credentialId', encoded);
+            }
+        },
+        userId: {
+            field: 'user_id',
+            type: idType,
+            allowNull: false
+        },
+        publicKey: {
+            field: 'public_key',
+            type: sequelize_1.DataTypes.BLOB,
+            allowNull: false
+        },
+        counter: {
+            type: sequelize_1.DataTypes.INTEGER,
+            allowNull: false,
+            defaultValue: 0
+        },
+        transports: {
+            type: sequelize_1.DataTypes.JSON,
+            allowNull: true
+        },
+        backedUp: {
+            field: 'backed_up',
+            type: sequelize_1.DataTypes.BOOLEAN,
+            allowNull: false,
+            defaultValue: false
+        },
+        deviceType: {
+            field: 'device_type',
+            type: sequelize_1.DataTypes.STRING(32),
+            allowNull: false,
+            defaultValue: 'multiDevice'
+        }
+    }, {
+        sequelize,
+        tableName: 'passkey_credentials',
+        timestamps: true,
+        underscored: true
+    });
+}
+function initPasskeyChallengeModel(sequelize) {
+    const idType = integerIdType(sequelize);
+    return PasskeyChallengeModel.init({
+        challenge: {
+            type: sequelize_1.DataTypes.STRING(255),
+            primaryKey: true,
+            allowNull: false
+        },
+        action: {
+            type: sequelize_1.DataTypes.STRING(16),
+            allowNull: false
+        },
+        userId: {
+            field: 'user_id',
+            type: idType,
+            allowNull: true
+        },
+        login: {
+            type: sequelize_1.DataTypes.STRING(128),
+            allowNull: true
+        },
+        metadata: {
+            type: sequelize_1.DataTypes.JSON,
+            allowNull: true
+        },
+        expiresAt: {
+            field: 'expires_at',
+            type: sequelize_1.DataTypes.DATE,
+            allowNull: false
+        }
+    }, {
+        sequelize,
+        tableName: 'passkey_challenges',
+        timestamps: true,
+        underscored: true,
+        indexes: [{ fields: ['expires_at'] }, { fields: ['user_id'] }]
+    });
+}
+class SequelizePasskeyStore extends base_js_1.PasskeyStore {
+    constructor(options) {
+        super();
+        if (!options?.sequelize) {
+            throw new Error('SequelizePasskeyStore requires an initialised Sequelize instance');
+        }
+        this.resolveUserFn = options.resolveUser;
+        this.credentials =
+            options.credentialModel ??
+                (options.credentialModelFactory ?? initPasskeyCredentialModel)(options.sequelize);
+        this.challenges =
+            options.challengeModel ?? (options.challengeModelFactory ?? initPasskeyChallengeModel)(options.sequelize);
+    }
+    async resolveUser(params) {
+        return this.resolveUserFn(params);
+    }
+    async listUserCredentials(userId) {
+        const models = await this.credentials.findAll({ where: { userId: normalizeUserId(userId) } });
+        return models.map((model) => ({
+            userId: model.userId,
+            credentialId: model.credentialId,
+            publicKey: model.publicKey,
+            counter: model.counter,
+            transports: (model.transports ?? undefined),
+            backedUp: model.backedUp,
+            deviceType: model.deviceType
+        }));
+    }
+    async findCredentialById(credentialId) {
+        const model = await this.credentials.findByPk(encodeCredentialId(credentialId));
+        if (!model) {
+            return null;
+        }
+        return {
+            userId: model.userId,
+            credentialId: model.credentialId,
+            publicKey: model.publicKey,
+            counter: model.counter,
+            transports: (model.transports ?? undefined),
+            backedUp: model.backedUp,
+            deviceType: model.deviceType
+        };
+    }
+    async saveCredential(record) {
+        await this.credentials.upsert({
+            credentialId: record.credentialId,
+            userId: normalizeUserId(record.userId),
+            publicKey: record.publicKey,
+            counter: record.counter,
+            transports: record.transports ?? null,
+            backedUp: record.backedUp,
+            deviceType: record.deviceType
+        });
+    }
+    async updateCredentialCounter(credentialId, counter) {
+        await this.credentials.update({ counter }, { where: { credentialId: encodeCredentialId(credentialId) } });
+    }
+    async saveChallenge(record) {
+        await this.challenges.upsert({
+            challenge: record.challenge,
+            action: record.action,
+            userId: record.userId !== undefined ? normalizeUserId(record.userId) : null,
+            login: record.login ?? null,
+            metadata: (record.metadata ?? {}),
+            expiresAt: record.expiresAt
+        });
+    }
+    async consumeChallenge(challenge) {
+        const model = await this.challenges.findByPk(challenge);
+        if (!model) {
+            return null;
+        }
+        await model.destroy();
+        return {
+            challenge: model.challenge,
+            action: model.action,
+            userId: model.userId ?? undefined,
+            login: model.login ?? undefined,
+            expiresAt: model.expiresAt,
+            metadata: model.metadata ?? {}
+        };
+    }
+    async cleanupChallenges(now) {
+        await this.challenges.destroy({ where: { expiresAt: { [sequelize_1.Op.lte]: now } } });
+    }
+}
+exports.SequelizePasskeyStore = SequelizePasskeyStore;

package/dist/cjs/passkey/service.d.ts

@@ -0,0 +1,17 @@
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyStorageAdapter, PasskeyVerificationParams, PasskeyVerificationResult, PasskeyServiceConfig } from './types.js';
+export type { CredentialDeviceType, PasskeyChallenge, PasskeyChallengeParams, PasskeyChallengeRecord, PasskeyChallengeMetadata, PasskeyUserDescriptor, PasskeyVerificationParams, PasskeyVerificationResult, PasskeyServiceConfig, PasskeyStorageAdapter } from './types.js';
+type Logger = Pick<typeof console, 'error' | 'warn'>;
+export declare class PasskeyService {
+    private readonly config;
+    private readonly adapter;
+    private readonly logger;
+    constructor(config: PasskeyServiceConfig, adapter: PasskeyStorageAdapter, logger?: Logger);
+    createChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
+    verifyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    private createRegistrationChallenge;
+    private createAuthenticationChallenge;
+    private verifyRegistration;
+    private verifyAuthentication;
+    private requireUser;
+    private createExpiry;
+}

package/dist/cjs/passkey/service.js

@@ -0,0 +1,221 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PasskeyService = void 0;
+const server_1 = require("@simplewebauthn/server");
+const helpers_1 = require("@simplewebauthn/server/helpers");
+const ALLOWED_TRANSPORTS = [
+    'ble',
+    'cable',
+    'hybrid',
+    'internal',
+    'nfc',
+    'smart-card',
+    'usb'
+];
+function sanitizeTransports(input) {
+    if (!Array.isArray(input)) {
+        return undefined;
+    }
+    const filtered = input
+        .map((value) => String(value))
+        .filter((value) => ALLOWED_TRANSPORTS.includes(value));
+    return filtered.length > 0 ? filtered : undefined;
+}
+function toBase64Url(buffer) {
+    return helpers_1.isoBase64URL.fromBuffer(new Uint8Array(buffer));
+}
+function fromBase64Url(value) {
+    return Buffer.from(helpers_1.isoBase64URL.toBuffer(value));
+}
+function toBuffer(value) {
+    if (Buffer.isBuffer(value)) {
+        return value;
+    }
+    const view = value instanceof Uint8Array ? value : new Uint8Array(value);
+    return Buffer.from(view);
+}
+class PasskeyService {
+    constructor(config, adapter, logger = console) {
+        this.config = config;
+        this.adapter = adapter;
+        this.logger = logger;
+    }
+    async createChallenge(params) {
+        await this.adapter.cleanupChallenges?.(new Date());
+        const metadata = {
+            domain: typeof params.domain === 'string' ? params.domain : undefined,
+            fingerprint: typeof params.fingerprint === 'string' ? params.fingerprint : undefined,
+            label: typeof params.label === 'string' ? params.label : undefined,
+            userAgent: typeof params.userAgent === 'string' ? params.userAgent : undefined
+        };
+        if (params.action === 'register') {
+            return this.createRegistrationChallenge(params, metadata);
+        }
+        if (params.action === 'authenticate') {
+            return this.createAuthenticationChallenge(params, metadata);
+        }
+        throw new Error(`Unsupported passkey action: ${String(params.action)}`);
+    }
+    async verifyResponse(params) {
+        await this.adapter.cleanupChallenges?.(new Date());
+        const record = await this.adapter.consumeChallenge(params.expectedChallenge);
+        if (!record) {
+            return { verified: false };
+        }
+        if (record.expiresAt.getTime() <= Date.now()) {
+            return { verified: false };
+        }
+        try {
+            if (record.action === 'register') {
+                return this.verifyRegistration(params, record);
+            }
+            if (record.action === 'authenticate') {
+                return this.verifyAuthentication(params, record);
+            }
+        }
+        catch (error) {
+            this.logger.error?.('Passkey verification failed', error);
+        }
+        return { verified: false };
+    }
+    async createRegistrationChallenge(params, metadata) {
+        const user = await this.requireUser({ userId: params.userId, login: params.login });
+        const existing = await this.adapter.listUserCredentials(user.id);
+        const excludeCredentials = existing.map((credential) => {
+            const transports = credential.transports;
+            return transports && transports.length > 0
+                ? { id: toBase64Url(credential.credentialId), transports }
+                : { id: toBase64Url(credential.credentialId) };
+        });
+        const options = await (0, server_1.generateRegistrationOptions)({
+            rpName: this.config.rpName,
+            rpID: this.config.rpId,
+            userID: Buffer.from(String(user.id)),
+            userName: user.login,
+            userDisplayName: user.displayName,
+            excludeCredentials
+        });
+        const expiresAt = this.createExpiry();
+        await this.adapter.saveChallenge({
+            challenge: options.challenge,
+            action: 'register',
+            userId: user.id,
+            login: user.login,
+            expiresAt,
+            metadata
+        });
+        return {
+            challenge: options.challenge,
+            expiresAt: expiresAt.toISOString(),
+            userId: user.id
+        };
+    }
+    async createAuthenticationChallenge(params, metadata) {
+        const user = await this.requireUser({ userId: params.userId, login: params.login });
+        const credentials = await this.adapter.listUserCredentials(user.id);
+        const allowCredentials = credentials.map((credential) => {
+            const transports = sanitizeTransports(credential.transports);
+            return transports && transports.length > 0
+                ? { type: 'public-key', id: toBase64Url(credential.credentialId), transports }
+                : { type: 'public-key', id: toBase64Url(credential.credentialId) };
+        });
+        const options = await (0, server_1.generateAuthenticationOptions)({
+            allowCredentials,
+            userVerification: this.config.userVerification,
+            rpID: this.config.rpId
+        });
+        const expiresAt = this.createExpiry();
+        await this.adapter.saveChallenge({
+            challenge: options.challenge,
+            action: 'authenticate',
+            userId: user.id,
+            login: user.login,
+            expiresAt,
+            metadata
+        });
+        return {
+            challenge: options.challenge,
+            expiresAt: expiresAt.toISOString(),
+            userId: user.id
+        };
+    }
+    async verifyRegistration(params, record) {
+        const parsed = typeof params.response === 'object' && params.response ? { ...params.response } : {};
+        const response = {
+            ...parsed,
+            id: String(parsed.id ?? ''),
+            rawId: String(parsed.rawId ?? '')
+        };
+        const user = await this.requireUser({ userId: record.userId, login: record.login });
+        const result = await (0, server_1.verifyRegistrationResponse)({
+            response,
+            expectedChallenge: record.challenge,
+            expectedOrigin: this.config.origins,
+            expectedRPID: this.config.rpId,
+            requireUserVerification: true
+        });
+        if (!result.verified || !result.registrationInfo) {
+            return { verified: false };
+        }
+        const registrationInfo = result.registrationInfo;
+        await this.adapter.saveCredential({
+            userId: user.id,
+            credentialId: toBuffer(registrationInfo.credentialID),
+            publicKey: toBuffer(registrationInfo.credentialPublicKey),
+            counter: registrationInfo.counter,
+            transports: sanitizeTransports(params.response.transports),
+            backedUp: registrationInfo.credentialDeviceType === 'multiDevice',
+            deviceType: registrationInfo.credentialDeviceType
+        });
+        return { verified: true, userId: user.id, login: user.login };
+    }
+    async verifyAuthentication(params, record) {
+        const parsed = typeof params.response === 'object' && params.response ? { ...params.response } : {};
+        const response = {
+            ...parsed,
+            id: String(parsed.id ?? ''),
+            rawId: String(parsed.rawId ?? '')
+        };
+        const credential = await this.adapter.findCredentialById(fromBase64Url(response.id));
+        if (!credential) {
+            return { verified: false };
+        }
+        const user = await this.requireUser({ userId: credential.userId, login: record.login });
+        const storedAuthData = {
+            credentialID: credential.credentialId,
+            counter: credential.counter,
+            credentialBackedUp: credential.backedUp,
+            credentialDeviceType: credential.deviceType,
+            credentialPublicKey: credential.publicKey,
+            transports: credential.transports ?? undefined
+        };
+        const result = await (0, server_1.verifyAuthenticationResponse)({
+            response,
+            expectedChallenge: record.challenge,
+            expectedOrigin: this.config.origins,
+            expectedRPID: this.config.rpId,
+            authenticator: storedAuthData,
+            requireUserVerification: true
+        });
+        if (!result.verified) {
+            return { verified: false };
+        }
+        await this.adapter.updateCredentialCounter(credential.credentialId, result.authenticationInfo.newCounter);
+        return {
+            verified: true,
+            userId: user.id,
+            login: user.login
+        };
+    }
+    async requireUser(params) {
+        const user = await this.adapter.resolveUser(params);
+        if (!user) {
+            throw new Error('User not found');
+        }
+        return user;
+    }
+    createExpiry() {
+        return new Date(Date.now() + this.config.timeoutMs);
+    }
+}
+exports.PasskeyService = PasskeyService;

package/dist/cjs/passkey/types.d.ts

@@ -0,0 +1,75 @@
+import type { AuthIdentifier } from '../auth-api/types.js';
+import type { Token, TokenPair } from '../token/types.js';
+import type { AuthenticatorTransportFuture } from '@simplewebauthn/server';
+export type CredentialDeviceType = 'singleDevice' | 'multiDevice';
+export interface PasskeyServiceConfig {
+    rpId: string;
+    rpName: string;
+    origins: string[];
+    timeoutMs: number;
+    userVerification?: 'preferred' | 'required' | 'discouraged';
+}
+export interface PasskeyChallengeMetadata {
+    domain?: string;
+    fingerprint?: string;
+    label?: string;
+    userAgent?: string;
+}
+export interface PasskeyChallengeRecord {
+    challenge: string;
+    action: 'register' | 'authenticate';
+    userId?: AuthIdentifier;
+    login?: string;
+    expiresAt: Date;
+    metadata: PasskeyChallengeMetadata;
+}
+export interface PasskeyUserDescriptor {
+    id: AuthIdentifier;
+    login: string;
+    displayName: string;
+}
+export interface StoredPasskeyCredential {
+    userId: AuthIdentifier;
+    credentialId: Buffer;
+    publicKey: Buffer;
+    counter: number;
+    transports?: AuthenticatorTransportFuture[];
+    backedUp: boolean;
+    deviceType: CredentialDeviceType;
+}
+export interface PasskeyStorageAdapter {
+    resolveUser(params: {
+        userId?: AuthIdentifier;
+        login?: string;
+    }): Promise<PasskeyUserDescriptor | null>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    findCredentialById(credentialId: Buffer): Promise<StoredPasskeyCredential | null>;
+    saveCredential(record: StoredPasskeyCredential): Promise<void>;
+    updateCredentialCounter(credentialId: Buffer, counter: number): Promise<void>;
+    saveChallenge(record: PasskeyChallengeRecord): Promise<void>;
+    consumeChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
+    cleanupChallenges?(now: Date): Promise<void>;
+}
+export interface PasskeyChallengeParams extends Partial<Omit<Token, 'userId'>> {
+    action: 'register' | 'authenticate';
+    login?: string;
+    userAgent?: string;
+    userId?: AuthIdentifier;
+}
+export interface PasskeyChallenge extends Record<string, unknown> {
+    challenge: string;
+    expiresAt?: string | number | Date;
+    userId?: AuthIdentifier;
+}
+export interface PasskeyVerificationParams extends Partial<Omit<Token, 'userId'>> {
+    expectedChallenge: string;
+    login?: string;
+    response: Record<string, unknown>;
+    userId?: AuthIdentifier;
+}
+export interface PasskeyVerificationResult extends Record<string, unknown> {
+    login?: string;
+    tokens?: TokenPair;
+    userId?: AuthIdentifier;
+    verified: boolean;
+}

package/dist/cjs/passkey/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cjs/token/base.d.ts

@@ -0,0 +1,38 @@
+import type { Token } from './types.js';
+import type { DecodeOptions, SignOptions, VerifyOptions } from 'jsonwebtoken';
+export interface JwtSignResult {
+    success: boolean;
+    token?: string;
+    error?: string;
+}
+export interface JwtVerifyResult<T> {
+    success: boolean;
+    data?: T;
+    expired?: boolean;
+    error?: string;
+}
+export interface JwtDecodeResult<T> {
+    success: boolean;
+    data?: T;
+    error?: string;
+}
+export declare abstract class TokenStore {
+    abstract save(record: Token): Promise<void>;
+    abstract get(query: Partial<Token>, opts?: {
+        includeExpired?: boolean;
+    }): Promise<Token | null>;
+    abstract delete(query: Partial<Token>): Promise<number>;
+    abstract update(update: Partial<Token> & {
+        refreshToken: string;
+    }): Promise<boolean>;
+    abstract list(userId: string | number, opts?: {
+        limit?: number;
+        offset?: number;
+        includeExpired?: boolean;
+    }): Promise<Token[]>;
+    abstract close(): Promise<void>;
+    normalizeToken(token: Partial<Token>): Token;
+    jwtSign(payload: any, secret: string, expiresInSeconds: number, options?: SignOptions): JwtSignResult;
+    jwtVerify<T>(token: string, secret: string, options?: VerifyOptions): JwtVerifyResult<T>;
+    jwtDecode<T>(token: string, options?: DecodeOptions): JwtDecodeResult<T>;
+}

package/dist/cjs/token/base.js

@@ -0,0 +1,114 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenStore = void 0;
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+function normalizeScope(scope) {
+    if (!scope) {
+        return undefined;
+    }
+    if (Array.isArray(scope)) {
+        return scope.filter((entry) => typeof entry === 'string' && entry.length > 0);
+    }
+    return scope
+        .split(/\s+/)
+        .map((entry) => entry.trim())
+        .filter((entry) => entry.length > 0);
+}
+function normalizeRefreshTtlSeconds(value) {
+    if (typeof value === 'number' && Number.isFinite(value) && value > 0) {
+        return Math.floor(value);
+    }
+    if (typeof value === 'string') {
+        const parsed = Number(value);
+        if (Number.isFinite(parsed) && parsed > 0) {
+            return Math.floor(parsed);
+        }
+    }
+    return undefined;
+}
+function normalizeTokenInternal(input) {
+    if (!input.refreshToken) {
+        throw new Error('refreshToken is required');
+    }
+    if (!input.accessToken) {
+        throw new Error('accessToken is required');
+    }
+    if (input.userId === undefined || input.userId === null) {
+        throw new Error('userId is required');
+    }
+    const userId = String(input.userId);
+    const ruid = input.ruid === undefined || input.ruid === null ? undefined : String(input.ruid);
+    const expires = input.expires ? new Date(input.expires) : new Date(Date.now() + 30 * 24 * 60 * 60 * 1000);
+    const issuedAt = input.issuedAt ? new Date(input.issuedAt) : new Date();
+    const lastSeenAt = input.lastSeenAt ? new Date(input.lastSeenAt) : issuedAt;
+    const scope = normalizeScope(input.scope);
+    const refreshTtlSeconds = normalizeRefreshTtlSeconds(input.refreshTtlSeconds);
+    const status = input.status === 'revoked' ? 'revoked' : expires.getTime() < Date.now() ? 'expired' : 'active';
+    const sessionCookie = typeof input.sessionCookie === 'boolean' ? input.sessionCookie : false;
+    return {
+        ...input,
+        accessToken: input.accessToken,
+        refreshToken: input.refreshToken,
+        userId,
+        domain: typeof input.domain === 'string' ? input.domain : '',
+        fingerprint: typeof input.fingerprint === 'string' ? input.fingerprint : '',
+        label: typeof input.label === 'string' ? input.label : '',
+        browser: typeof input.browser === 'string' ? input.browser : '',
+        device: typeof input.device === 'string' ? input.device : '',
+        ip: typeof input.ip === 'string' ? input.ip : '',
+        os: typeof input.os === 'string' ? input.os : '',
+        loginType: typeof input.loginType === 'string' && input.loginType.length > 0 ? input.loginType : undefined,
+        scope,
+        refreshTtlSeconds,
+        expires,
+        issuedAt,
+        lastSeenAt,
+        status,
+        ruid,
+        sessionCookie
+    };
+}
+class TokenStore {
+    // Instance helpers
+    normalizeToken(token) {
+        return normalizeTokenInternal(token);
+    }
+    jwtSign(payload, secret, expiresInSeconds, options) {
+        const opts = { ...(options ?? {}), expiresIn: expiresInSeconds };
+        try {
+            const token = jsonwebtoken_1.default.sign(payload, secret, opts);
+            return { success: true, token };
+        }
+        catch (error) {
+            return { success: false, error: error instanceof Error ? error.message : String(error) };
+        }
+    }
+    jwtVerify(token, secret, options) {
+        try {
+            const data = jsonwebtoken_1.default.verify(token, secret, options ?? {});
+            return { success: true, data };
+        }
+        catch (error) {
+            if (error instanceof jsonwebtoken_1.default.TokenExpiredError) {
+                return { success: false, expired: true, error: 'Token expired' };
+            }
+            return { success: false, expired: false, error: error instanceof Error ? error.message : String(error) };
+        }
+    }
+    jwtDecode(token, options) {
+        try {
+            const data = jsonwebtoken_1.default.decode(token, options ?? {});
+            if (data === null) {
+                return { success: false, error: 'Invalid token format' };
+            }
+            return { success: true, data };
+        }
+        catch (error) {
+            return { success: false, error: error instanceof Error ? error.message : String(error) };
+        }
+    }
+}
+exports.TokenStore = TokenStore;