@technomoron/api-server-base 1.1.13 → 2.0.0-beta.2

package/dist/cjs/user/base.js

@@ -0,0 +1,45 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UserStore = void 0;
+const bcryptjs_1 = __importDefault(require("bcryptjs"));
+class UserStore {
+    constructor(opts = {}) {
+        this.toPublicUser = opts.toPublic ?? ((u) => u);
+        const rounds = typeof opts.bcryptRounds === 'number' && Number.isFinite(opts.bcryptRounds)
+            ? Math.max(4, Math.floor(opts.bcryptRounds))
+            : 12;
+        this.bcryptRounds = rounds;
+        this.bcryptPepper =
+            typeof opts.bcryptPepper === 'string' && opts.bcryptPepper.length > 0 ? opts.bcryptPepper : undefined;
+    }
+    async hashPassword(plain) {
+        const candidate = this.bcryptPepper ? `${plain}${this.bcryptPepper}` : plain;
+        return bcryptjs_1.default.hash(candidate, this.bcryptRounds);
+    }
+    async verifyPassword(plain, hashed) {
+        const candidate = this.bcryptPepper ? `${plain}${this.bcryptPepper}` : plain;
+        return bcryptjs_1.default.compare(candidate, hashed);
+    }
+    normalizeUserInput(input) {
+        const login = typeof input.login === 'string' ? input.login.trim() : '';
+        const email = typeof input.email === 'string' ? input.email.trim() : '';
+        if (!login || !email) {
+            throw new Error('login and email are required');
+        }
+        const password = typeof input.password === 'string' ? input.password : undefined;
+        return { ...input, login, email, password };
+    }
+    toPublic(user) {
+        const mapped = this.toPublicUser(user);
+        if (mapped && typeof mapped === 'object') {
+            const { password: _password, ...rest } = mapped;
+            void _password;
+            return rest;
+        }
+        return mapped;
+    }
+}
+exports.UserStore = UserStore;

package/dist/cjs/user/memory.d.ts

@@ -0,0 +1,35 @@
+import { UserStore } from './base.js';
+import type { CreateUserInput, PublicUserMapper, UpdateUserInput } from './types.js';
+import type { AuthIdentifier } from '../auth-api/types.js';
+export interface MemoryUserAttributes extends Record<string, unknown> {
+    user_id: number;
+    login: string;
+    email: string;
+    password: string;
+}
+export type MemoryPublicUser<UserAttributes extends MemoryUserAttributes = MemoryUserAttributes> = Omit<UserAttributes, 'password'>;
+export interface MemoryUserStoreOptions<UserAttributes extends MemoryUserAttributes = MemoryUserAttributes, PublicUserShape extends Omit<UserAttributes, 'password'> = Omit<UserAttributes, 'password'>> {
+    bcryptRounds?: number;
+    bcryptPepper?: string;
+    toPublic?: PublicUserMapper<UserAttributes, PublicUserShape>;
+    userIdFactory?: () => number;
+    startingUserId?: number;
+}
+export declare class MemoryUserStore<UserAttributes extends MemoryUserAttributes = MemoryUserAttributes, PublicUserShape extends Omit<UserAttributes, 'password'> = Omit<UserAttributes, 'password'>> extends UserStore<UserAttributes, PublicUserShape> {
+    private readonly usersById;
+    private readonly loginToId;
+    private readonly emailToId;
+    private readonly userIdFactory;
+    private nextUserId;
+    constructor(options?: MemoryUserStoreOptions<UserAttributes, PublicUserShape>);
+    findUser(identifier: AuthIdentifier | string): Promise<UserAttributes | null>;
+    findById(id: AuthIdentifier): Promise<UserAttributes | null>;
+    findByLoginOrEmail(loginOrEmail: string): Promise<UserAttributes | null>;
+    createUser(input: CreateUserInput): Promise<UserAttributes>;
+    upsertUser(input: CreateUserInput): Promise<UserAttributes>;
+    updateUser(id: AuthIdentifier, patch: UpdateUserInput): Promise<UserAttributes>;
+    setPasswordHash(id: AuthIdentifier, hash: string): Promise<void>;
+    getPasswordHash(user: UserAttributes): string | null;
+    getUserId(user: UserAttributes): AuthIdentifier;
+    private persistUser;
+}

package/dist/cjs/user/memory.js

@@ -0,0 +1,173 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MemoryUserStore = void 0;
+const base_js_1 = require("./base.js");
+function cloneUser(user) {
+    return { ...user };
+}
+function normalizeUserId(identifier) {
+    if (typeof identifier === 'number' && Number.isFinite(identifier)) {
+        return identifier;
+    }
+    if (typeof identifier === 'string' && /^\d+$/.test(identifier)) {
+        return Number(identifier);
+    }
+    throw new Error(`Unable to normalise user identifier: ${identifier}`);
+}
+class MemoryUserStore extends base_js_1.UserStore {
+    constructor(options = {}) {
+        super({
+            toPublic: options.toPublic,
+            bcryptRounds: options.bcryptRounds,
+            bcryptPepper: options.bcryptPepper
+        });
+        this.usersById = new Map();
+        this.loginToId = new Map();
+        this.emailToId = new Map();
+        this.nextUserId = Number.isFinite(options.startingUserId) ? Number(options.startingUserId) : 1;
+        this.userIdFactory =
+            options.userIdFactory ??
+                (() => {
+                    const id = this.nextUserId;
+                    this.nextUserId += 1;
+                    return id;
+                });
+    }
+    async findUser(identifier) {
+        if (typeof identifier === 'number') {
+            const user = this.usersById.get(identifier);
+            return user ? cloneUser(user) : null;
+        }
+        if (typeof identifier === 'string') {
+            const numeric = /^\d+$/.test(identifier) ? Number(identifier) : null;
+            if (numeric !== null) {
+                const user = this.usersById.get(numeric);
+                if (user) {
+                    return cloneUser(user);
+                }
+            }
+            const loginId = this.loginToId.get(identifier);
+            if (loginId !== undefined) {
+                return cloneUser(this.usersById.get(loginId));
+            }
+            const emailId = this.emailToId.get(identifier);
+            if (emailId !== undefined) {
+                return cloneUser(this.usersById.get(emailId));
+            }
+        }
+        return null;
+    }
+    async findById(id) {
+        try {
+            const numeric = normalizeUserId(id);
+            const user = this.usersById.get(numeric);
+            return user ? cloneUser(user) : null;
+        }
+        catch {
+            return null;
+        }
+    }
+    async findByLoginOrEmail(loginOrEmail) {
+        return this.findUser(loginOrEmail);
+    }
+    async createUser(input) {
+        const normalizedInput = this.normalizeUserInput(input);
+        const providedId = input.user_id;
+        const userId = typeof providedId === 'number' && Number.isFinite(providedId) ? providedId : this.userIdFactory();
+        if (this.usersById.has(userId)) {
+            throw new Error(`User ${userId} already exists`);
+        }
+        if (this.loginToId.has(normalizedInput.login)) {
+            throw new Error(`User with login ${normalizedInput.login} already exists`);
+        }
+        if (this.emailToId.has(normalizedInput.email)) {
+            throw new Error(`User with email ${normalizedInput.email} already exists`);
+        }
+        const passwordHash = normalizedInput.password ? await this.hashPassword(normalizedInput.password) : '';
+        const record = {
+            ...normalizedInput,
+            user_id: userId,
+            password: passwordHash
+        };
+        this.persistUser(record);
+        if (typeof providedId === 'number' && Number.isFinite(providedId)) {
+            this.nextUserId = Math.max(this.nextUserId, providedId + 1);
+        }
+        return cloneUser(record);
+    }
+    async upsertUser(input) {
+        const normalizedInput = this.normalizeUserInput(input);
+        const providedId = input.user_id;
+        if (providedId !== undefined) {
+            const existing = this.usersById.get(providedId);
+            if (!existing) {
+                throw new Error(`User ${providedId} not found`);
+            }
+            const updates = {
+                ...existing,
+                ...normalizedInput
+            };
+            if (updates.login !== existing.login) {
+                const loginOwner = this.loginToId.get(updates.login);
+                if (loginOwner !== undefined && loginOwner !== existing.user_id) {
+                    throw new Error(`User with login ${updates.login} already exists`);
+                }
+            }
+            if (updates.email !== existing.email) {
+                const emailOwner = this.emailToId.get(updates.email);
+                if (emailOwner !== undefined && emailOwner !== existing.user_id) {
+                    throw new Error(`User with email ${updates.email} already exists`);
+                }
+            }
+            if (normalizedInput.password) {
+                updates.password = await this.hashPassword(normalizedInput.password);
+            }
+            this.persistUser(updates);
+            return cloneUser(updates);
+        }
+        return this.createUser(input);
+    }
+    async updateUser(id, patch) {
+        const user = await this.findById(id);
+        if (!user) {
+            throw new Error(`User ${String(id)} not found`);
+        }
+        const updates = { ...user, ...patch };
+        if (patch.password) {
+            updates.password = await this.hashPassword(patch.password);
+        }
+        this.persistUser(updates);
+        return cloneUser(updates);
+    }
+    async setPasswordHash(id, hash) {
+        const user = await this.findById(id);
+        if (!user) {
+            throw new Error(`User ${String(id)} not found`);
+        }
+        const updates = { ...user, password: hash };
+        this.persistUser(updates);
+    }
+    getPasswordHash(user) {
+        return user.password;
+    }
+    getUserId(user) {
+        return user.user_id;
+    }
+    persistUser(user) {
+        const snapshot = { ...user };
+        this.usersById.set(user.user_id, snapshot);
+        for (const [login, id] of [...this.loginToId.entries()]) {
+            if (id === user.user_id && login !== user.login) {
+                this.loginToId.delete(login);
+            }
+        }
+        for (const [email, id] of [...this.emailToId.entries()]) {
+            if (id === user.user_id && email !== user.email) {
+                this.emailToId.delete(email);
+            }
+        }
+        this.loginToId.set(user.login, user.user_id);
+        this.emailToId.set(user.email, user.user_id);
+    }
+}
+exports.MemoryUserStore = MemoryUserStore;

package/dist/cjs/user/sequelize.d.ts

@@ -0,0 +1,41 @@
+import { CreationOptional, Model, type InferAttributes, type InferCreationAttributes, type ModelStatic, type Sequelize } from 'sequelize';
+import { UserStore } from './base.js';
+import type { CreateUserInput, PublicUserMapper, UpdateUserInput } from './types.js';
+import type { AuthIdentifier } from '../auth-api/types.js';
+export declare class AuthUserModel extends Model<InferAttributes<AuthUserModel>, InferCreationAttributes<AuthUserModel>> implements InferAttributes<AuthUserModel> {
+    user_id: CreationOptional<number>;
+    login: string;
+    email: string;
+    password: string;
+}
+export type AuthUserAttributes = InferAttributes<AuthUserModel>;
+export type AuthUserCreationAttributes = InferCreationAttributes<AuthUserModel>;
+export declare function initAuthUserModel(sequelize: Sequelize): typeof AuthUserModel;
+export type GenericUserModel = Model<Record<string, unknown>, Record<string, unknown>>;
+export type GenericUserModelStatic = ModelStatic<GenericUserModel>;
+export interface SequelizeUserStoreOptions<UserAttributes extends AuthUserAttributes = AuthUserAttributes, PublicUserShape extends Omit<UserAttributes, 'password'> = Omit<UserAttributes, 'password'>> {
+    bcryptRounds?: number;
+    bcryptPepper?: string;
+    sequelize: Sequelize;
+    userModel?: GenericUserModelStatic;
+    userModelFactory?: (sequelize: Sequelize) => GenericUserModelStatic;
+    recordMapper?: (model: GenericUserModel) => UserAttributes;
+    toPublic?: PublicUserMapper<UserAttributes, PublicUserShape>;
+}
+export declare class SequelizeUserStore<UserAttributes extends AuthUserAttributes = AuthUserAttributes, PublicUserShape extends Omit<UserAttributes, 'password'> = Omit<UserAttributes, 'password'>> extends UserStore<UserAttributes, PublicUserShape> {
+    readonly Users: GenericUserModelStatic;
+    private readonly recordMapper;
+    constructor(options: SequelizeUserStoreOptions<UserAttributes, PublicUserShape>);
+    findUser(identifier: AuthIdentifier | string): Promise<UserAttributes | null>;
+    findById(id: AuthIdentifier): Promise<UserAttributes | null>;
+    findByLoginOrEmail(loginOrEmail: string): Promise<UserAttributes | null>;
+    createUser(input: CreateUserInput): Promise<UserAttributes>;
+    upsertUser(input: CreateUserInput): Promise<UserAttributes>;
+    updateUser(id: AuthIdentifier, patch: UpdateUserInput): Promise<UserAttributes>;
+    setPasswordHash(id: AuthIdentifier, hash: string): Promise<void>;
+    getPasswordHash(user: UserAttributes): string | null;
+    getUserId(user: UserAttributes): AuthIdentifier;
+    protected toUserRecord(model: GenericUserModel): UserAttributes;
+    private static mapModelToUser;
+    private normalizeUserId;
+}

package/dist/cjs/user/sequelize.js

@@ -0,0 +1,182 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SequelizeUserStore = exports.AuthUserModel = void 0;
+exports.initAuthUserModel = initAuthUserModel;
+const sequelize_1 = require("sequelize");
+const base_js_1 = require("./base.js");
+const DIALECTS_SUPPORTING_UNSIGNED = new Set(['mysql', 'mariadb']);
+function integerIdType(sequelize) {
+    return DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? sequelize_1.DataTypes.INTEGER.UNSIGNED : sequelize_1.DataTypes.INTEGER;
+}
+function userTableOptions(sequelize) {
+    const opts = {
+        sequelize,
+        tableName: 'users',
+        timestamps: false
+    };
+    if (DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())) {
+        opts.charset = 'utf8mb4';
+        opts.collate = 'utf8mb4_unicode_ci';
+    }
+    return opts;
+}
+class AuthUserModel extends sequelize_1.Model {
+}
+exports.AuthUserModel = AuthUserModel;
+function initAuthUserModel(sequelize) {
+    const idType = integerIdType(sequelize);
+    AuthUserModel.init({
+        user_id: {
+            type: idType,
+            autoIncrement: true,
+            allowNull: false,
+            primaryKey: true
+        },
+        login: {
+            type: sequelize_1.DataTypes.STRING(64),
+            allowNull: false,
+            unique: true
+        },
+        email: {
+            type: sequelize_1.DataTypes.STRING(100),
+            allowNull: false,
+            unique: true
+        },
+        password: {
+            type: sequelize_1.DataTypes.STRING(255),
+            allowNull: false
+        }
+    }, {
+        ...userTableOptions(sequelize)
+    });
+    return AuthUserModel;
+}
+class SequelizeUserStore extends base_js_1.UserStore {
+    constructor(options) {
+        super({
+            toPublic: options.toPublic,
+            bcryptRounds: options.bcryptRounds,
+            bcryptPepper: options.bcryptPepper
+        });
+        if (!options?.sequelize) {
+            throw new Error('SequelizeUserStore requires a configured Sequelize instance');
+        }
+        this.Users = options.userModel
+            ? options.userModel
+            : (options.userModelFactory ?? initAuthUserModel)(options.sequelize);
+        this.recordMapper =
+            options.recordMapper ??
+                ((model) => SequelizeUserStore.mapModelToUser(model));
+    }
+    async findUser(identifier) {
+        const where = [];
+        try {
+            where.push({ user_id: this.normalizeUserId(identifier) });
+        }
+        catch {
+            // ignore
+        }
+        if (typeof identifier === 'string') {
+            where.push({ login: identifier });
+            where.push({ email: identifier });
+        }
+        if (where.length === 0) {
+            return null;
+        }
+        const model = await this.Users.findOne({ where: { [sequelize_1.Op.or]: where } });
+        return model ? this.toUserRecord(model) : null;
+    }
+    async findById(id) {
+        try {
+            const model = await this.Users.findByPk(this.normalizeUserId(id));
+            return model ? this.toUserRecord(model) : null;
+        }
+        catch {
+            return null;
+        }
+    }
+    async findByLoginOrEmail(loginOrEmail) {
+        const model = await this.Users.findOne({
+            where: { [sequelize_1.Op.or]: [{ login: loginOrEmail }, { email: loginOrEmail }] }
+        });
+        return model ? this.toUserRecord(model) : null;
+    }
+    async createUser(input) {
+        const normalized = this.normalizeUserInput(input);
+        const { password, ...rest } = normalized;
+        const defaults = {
+            ...rest,
+            password: password ? await this.hashPassword(password) : ''
+        };
+        const providedId = input.user_id;
+        if (providedId !== undefined && providedId !== null && Number.isFinite(providedId)) {
+            defaults.user_id = Number(providedId);
+        }
+        const [model] = await this.Users.findOrCreate({
+            where: { login: rest.login },
+            defaults: defaults
+        });
+        return this.toUserRecord(model);
+    }
+    async upsertUser(input) {
+        const normalized = this.normalizeUserInput(input);
+        const providedId = input.user_id;
+        if (providedId !== undefined) {
+            const model = await this.Users.findByPk(Number(providedId));
+            if (!model) {
+                throw new Error(`User ${String(providedId)} not found`);
+            }
+            const next = { ...normalized };
+            if (normalized.password) {
+                next.password = await this.hashPassword(normalized.password);
+            }
+            await model.set(next);
+            await model.save();
+            return this.toUserRecord(model);
+        }
+        return this.createUser(input);
+    }
+    async updateUser(id, patch) {
+        const model = await this.Users.findByPk(this.normalizeUserId(id));
+        if (!model) {
+            throw new Error(`User ${String(id)} not found`);
+        }
+        const updates = { ...patch };
+        if (patch.password) {
+            updates.password = await this.hashPassword(patch.password);
+        }
+        await model.set(updates);
+        await model.save();
+        return this.toUserRecord(model);
+    }
+    async setPasswordHash(id, hash) {
+        await this.Users.update({ password: hash }, { where: { user_id: this.normalizeUserId(id) } });
+    }
+    getPasswordHash(user) {
+        return user.password;
+    }
+    getUserId(user) {
+        return user.user_id;
+    }
+    toUserRecord(model) {
+        return this.recordMapper(model);
+    }
+    static mapModelToUser(model) {
+        return {
+            user_id: model.get('user_id'),
+            login: model.get('login'),
+            email: model.get('email'),
+            password: model.get('password')
+        };
+    }
+    normalizeUserId(identifier) {
+        if (typeof identifier === 'number' && Number.isFinite(identifier)) {
+            return identifier;
+        }
+        if (typeof identifier === 'string' && /^\d+$/.test(identifier)) {
+            return Number(identifier);
+        }
+        throw new Error(`Unable to normalise user identifier: ${identifier}`);
+    }
+}
+exports.SequelizeUserStore = SequelizeUserStore;

package/dist/cjs/user/types.d.ts

@@ -0,0 +1,11 @@
+export interface BcryptHasherOptions {
+    rounds?: number;
+    pepper?: string;
+}
+export type CreateUserInput = Record<string, unknown> & {
+    login: string;
+    email: string;
+    password?: string;
+};
+export type UpdateUserInput = Partial<CreateUserInput>;
+export type PublicUserMapper<User, PublicUser> = (user: User) => PublicUser;

package/dist/cjs/user/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/esm/api-server-base.d.ts

@@ -5,48 +5,39 @@
  * LICENSE file in the root directory of this source tree.
  */
 import { Application, Request, Response } from 'express';
-import jwt, { JwtPayload, SignOptions, VerifyOptions } from 'jsonwebtoken';
 import { ApiModule } from './api-module.js';
+import { TokenStore, type JwtDecodeResult, type JwtSignResult, type JwtVerifyResult } from './token/base.js';
 import type { ApiAuthClass, ApiKey } from './api-module.js';
-import type { AuthProviderModule } from './auth-module.js';
-import type { AuthStorage, AuthIdentifier, AuthTokenData, AuthTokenMetadata } from './auth-storage.js';
+import type { AuthProviderModule } from './auth-api/module.js';
+import type { AuthStorage, AuthIdentifier } from './auth-api/types.js';
+import type { OAuthStore } from './oauth/base.js';
+import type { AuthCodeData, AuthCodeRequest, OAuthClient } from './oauth/types.js';
+import type { PasskeyService } from './passkey/service.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult } from './passkey/types.js';
+import type { Token } from './token/types.js';
+import type { UserStore } from './user/base.js';
+import type { JwtPayload, SignOptions, VerifyOptions } from 'jsonwebtoken';
 export type { Application, Request, Response, NextFunction, Router } from 'express';
 export type { Multer } from 'multer';
 export type { JwtPayload, SignOptions, VerifyOptions } from 'jsonwebtoken';
-export interface RequestWithStuff extends Request {
+export interface ExtendedReq extends Request {
     file?: Express.Multer.File;
     files?: Express.Multer.File[] | {
         [fieldname: string]: Express.Multer.File[];
     };
 }
-interface JwtSignResult {
-    success: boolean;
-    token?: string;
-    error?: string;
-}
-interface JwtVerifyResult<T> {
-    success: boolean;
-    data?: T;
-    expired?: boolean;
-    error?: string;
-}
-interface JwtDecodeResult<T> {
-    success: boolean;
-    data?: T;
-    error?: string;
-}
-export interface ApiTokenData extends JwtPayload, AuthTokenMetadata {
+export interface ApiTokenData extends JwtPayload, Partial<Token> {
     uid: unknown;
     iat?: number;
     exp?: number;
 }
 export interface ApiRequest {
     server: any;
-    req: RequestWithStuff;
+    req: ExtendedReq;
     res: Response;
     tokenData?: ApiTokenData | null;
     token?: string;
-    authToken?: AuthTokenData | null;
+    authToken?: Token | null;
     apiKey?: ApiKey | null;
     clientInfo?: ClientInfo;
     realUid?: AuthIdentifier | null;
@@ -66,6 +57,16 @@ export interface ClientInfo extends ClientAgentProfile {
     ip: string | null;
     ipchain: string[];
 }
+export interface ApiServerAuthStores {
+    userStore: UserStore<any, any>;
+    tokenStore: TokenStore;
+    passkeyService?: PasskeyService;
+    oauthStore?: OAuthStore;
+    canImpersonate?: (params: {
+        realUserId: AuthIdentifier;
+        effectiveUserId: AuthIdentifier;
+    }) => boolean | Promise<boolean>;
+}
 export { ApiModule } from './api-module.js';
 export type { ApiHandler, ApiAuthType, ApiAuthClass, ApiRoute, ApiKey } from './api-module.js';
 export interface ApiErrorParams {
@@ -102,6 +103,8 @@ export interface ApiServerConf {
     validateTokens: boolean;
     apiVersion: string;
     minClientVersion: string;
+    tokenStore?: TokenStore;
+    authStores?: ApiServerAuthStores;
 }
 export declare class ApiServer {
     app: Application;
@@ -112,6 +115,12 @@ export declare class ApiServer {
     private storageAdapter;
     private moduleAdapter;
     private apiNotFoundHandler;
+    private tokenStoreAdapter;
+    private userStoreAdapter;
+    private passkeyServiceAdapter;
+    private oauthStoreAdapter;
+    private canImpersonateAdapter;
+    private readonly jwtHelper;
     constructor(config?: Partial<ApiServerConf>);
     authStorage<UserRow, SafeUser>(storage: AuthStorage<UserRow, SafeUser>): this;
     /**
@@ -125,20 +134,48 @@ export declare class ApiServer {
     useAuthModule<UserRow>(module: AuthProviderModule<UserRow>): this;
     getAuthStorage(): AuthStorage<any, any>;
     getAuthModule(): AuthProviderModule<any>;
+    setTokenStore(store: TokenStore): this;
+    getTokenStore(): TokenStore | null;
+    private ensureUserStore;
+    private ensureTokenStore;
+    private ensurePasskeyService;
+    private ensureOAuthStore;
+    getUser(identifier: AuthIdentifier): Promise<any | null>;
+    getUserPasswordHash(user: any): string;
+    getUserId(user: any): AuthIdentifier;
+    filterUser(user: any): any;
+    verifyPassword(password: string, hash: string): Promise<boolean>;
+    storeToken(data: Token): Promise<void>;
+    getToken(query: Partial<Token> & {
+        userId?: AuthIdentifier;
+        ruid?: AuthIdentifier;
+    }, opts?: {
+        includeExpired?: boolean;
+    }): Promise<Token | null>;
+    deleteToken(query: Partial<Token> & {
+        userId?: AuthIdentifier;
+        ruid?: AuthIdentifier;
+    }): Promise<number>;
+    createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
+    verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    getClient(clientId: string): Promise<OAuthClient | null>;
+    verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
+    createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;
+    consumeAuthCode(code: string, clientId: string): Promise<AuthCodeData | null>;
+    canImpersonate(params: {
+        realUserId: AuthIdentifier;
+        effectiveUserId: AuthIdentifier;
+    }): Promise<boolean>;
     jwtSign(payload: any, secret: string, expiresInSeconds: number, options?: SignOptions): JwtSignResult;
     jwtVerify<T>(token: string, secret: string, options?: VerifyOptions): JwtVerifyResult<T>;
-    jwtDecode<T>(token: string, options?: jwt.DecodeOptions): JwtDecodeResult<T>;
+    jwtDecode<T>(token: string, options?: import('jsonwebtoken').DecodeOptions): JwtDecodeResult<T>;
     getApiKey<T = ApiKey>(token: string): Promise<T | null>;
     authenticateUser(params: {
         login: string;
         password: string;
     }): Promise<boolean>;
-    updateToken(updates: {
-        accessToken: string;
+    updateToken(updates: Partial<Token> & {
         refreshToken: string;
-        expires?: Date;
-        clientId?: string;
-        scope?: string[];
     }): Promise<boolean>;
     guessExceptionText(error: any, defMsg?: string): string;
     protected authorize(apiReq: ApiRequest, requiredClass: ApiAuthClass): Promise<void>;