@technomoron/api-server-base 1.1.13 → 2.0.0-beta.2

package/dist/esm/api-server-base.js

@@ -4,13 +4,34 @@
  * This source code is licensed under the MIT license found in the
  * LICENSE file in the root directory of this source tree.
  */
+import { randomUUID } from 'node:crypto';
 import cookieParser from 'cookie-parser';
 import cors from 'cors';
 import express from 'express';
-import jwt from 'jsonwebtoken';
 import multer from 'multer';
-import { nullAuthModule } from './auth-module.js';
-import { nullAuthStorage } from './auth-storage.js';
+import { nullAuthModule } from './auth-api/module.js';
+import { nullAuthStorage } from './auth-api/storage.js';
+import { TokenStore } from './token/base.js';
+class JwtHelperStore extends TokenStore {
+    async save() {
+        throw new Error('Token store is not configured');
+    }
+    async get() {
+        throw new Error('Token store is not configured');
+    }
+    async delete() {
+        throw new Error('Token store is not configured');
+    }
+    async update() {
+        throw new Error('Token store is not configured');
+    }
+    async list() {
+        return [];
+    }
+    async close() {
+        return;
+    }
+}
 export { ApiModule } from './api-module.js';
 function guess_exception_text(error, defMsg = 'Unknown Error') {
     const msg = [];
@@ -324,18 +345,36 @@ function fillConfig(config) {
         hydrateGetBody: config.hydrateGetBody ?? true,
         validateTokens: config.validateTokens ?? false,
         apiVersion: config.apiVersion ?? '',
-        minClientVersion: config.minClientVersion ?? ''
+        minClientVersion: config.minClientVersion ?? '',
+        tokenStore: config.tokenStore,
+        authStores: config.authStores
     };
 }
 export class ApiServer {
     constructor(config = {}) {
         this.currReq = null;
         this.apiNotFoundHandler = null;
+        this.tokenStoreAdapter = null;
+        this.userStoreAdapter = null;
+        this.passkeyServiceAdapter = null;
+        this.oauthStoreAdapter = null;
+        this.canImpersonateAdapter = null;
         this.config = fillConfig(config);
         this.apiBasePath = this.normalizeApiBasePath(this.config.apiBasePath);
         this.startedAt = Date.now();
         this.storageAdapter = nullAuthStorage;
         this.moduleAdapter = nullAuthModule;
+        this.jwtHelper = new JwtHelperStore();
+        this.tokenStoreAdapter = this.config.tokenStore ?? null;
+        if (this.config.authStores) {
+            const { userStore, tokenStore, passkeyService, oauthStore, canImpersonate } = this.config.authStores;
+            this.userStoreAdapter = userStore;
+            this.tokenStoreAdapter = tokenStore;
+            this.passkeyServiceAdapter = passkeyService ?? null;
+            this.oauthStoreAdapter = oauthStore ?? null;
+            this.canImpersonateAdapter = canImpersonate ?? null;
+            this.storageAdapter = this;
+        }
         this.app = express();
         if (config.uploadPath) {
             const upload = multer({ dest: config.uploadPath });
@@ -372,72 +411,143 @@ export class ApiServer {
     getAuthModule() {
         return this.moduleAdapter;
     }
-    jwtSign(payload, secret, expiresInSeconds, options) {
-        options || (options = {});
-        const opts = { ...options, expiresIn: expiresInSeconds };
-        try {
-            const token = jwt.sign(payload, secret, opts);
-            return {
-                success: true,
-                token
-            };
+    setTokenStore(store) {
+        this.tokenStoreAdapter = store;
+        // If using direct stores, expose self as the auth storage.
+        if (this.userStoreAdapter) {
+            this.storageAdapter = this;
         }
-        catch (error) {
-            return {
-                success: false,
-                error: error instanceof Error ? error.message : String(error)
-            };
+        return this;
+    }
+    getTokenStore() {
+        return this.tokenStoreAdapter;
+    }
+    ensureUserStore() {
+        if (!this.userStoreAdapter) {
+            throw new Error('User store is not configured');
         }
+        return this.userStoreAdapter;
     }
-    jwtVerify(token, secret, options) {
-        options || (options = {});
-        try {
-            const data = jwt.verify(token, secret, options);
-            return {
-                success: true,
-                data
-            };
+    ensureTokenStore() {
+        if (!this.tokenStoreAdapter) {
+            throw new Error('Token store is not configured');
         }
-        catch (error) {
-            if (error instanceof jwt.TokenExpiredError) {
-                return {
-                    success: false,
-                    expired: true,
-                    error: 'Token expired'
-                };
-            }
-            else {
-                return {
-                    success: false,
-                    expired: false,
-                    error: error instanceof Error ? error.message : String(error)
-                };
-            }
+        return this.tokenStoreAdapter;
+    }
+    ensurePasskeyService() {
+        if (!this.passkeyServiceAdapter) {
+            throw new Error('Passkey service is not configured');
         }
+        return this.passkeyServiceAdapter;
     }
-    jwtDecode(token, options) {
-        options || (options = {});
-        try {
-            const data = jwt.decode(token, options);
-            // jwt.decode returns null for invalid tokens rather than throwing
-            if (data === null) {
-                return {
-                    success: false,
-                    error: 'Invalid token format'
-                };
-            }
-            return {
-                success: true,
-                data
-            };
+    ensureOAuthStore() {
+        if (!this.oauthStoreAdapter) {
+            throw new Error('OAuth store is not configured');
         }
-        catch (error) {
-            // jwt.decode rarely throws, but might for severely malformed tokens
-            return {
-                success: false,
-                error: error instanceof Error ? error.message : String(error)
-            };
+        return this.oauthStoreAdapter;
+    }
+    // AuthStorage-compatible helpers (used by AuthModule)
+    async getUser(identifier) {
+        return this.userStoreAdapter ? this.userStoreAdapter.findUser(identifier) : null;
+    }
+    getUserPasswordHash(user) {
+        return this.ensureUserStore().getPasswordHash(user) ?? '';
+    }
+    getUserId(user) {
+        return this.ensureUserStore().getUserId(user);
+    }
+    filterUser(user) {
+        return this.ensureUserStore().toPublic(user);
+    }
+    async verifyPassword(password, hash) {
+        return this.ensureUserStore().verifyPassword(password, hash);
+    }
+    async storeToken(data) {
+        if (this.tokenStoreAdapter) {
+            return this.tokenStoreAdapter.save(data);
         }
+        if (typeof this.storageAdapter.storeToken === 'function') {
+            return this.storageAdapter.storeToken(data);
+        }
+        throw new Error('Token store is not configured');
+    }
+    async getToken(query, opts) {
+        const normalized = {
+            ...query,
+            userId: query.userId !== undefined && query.userId !== null ? String(query.userId) : undefined,
+            ruid: query.ruid !== undefined && query.ruid !== null ? String(query.ruid) : undefined
+        };
+        if (this.tokenStoreAdapter) {
+            return this.tokenStoreAdapter.get(normalized, opts);
+        }
+        if (typeof this.storageAdapter.getToken === 'function') {
+            return this.storageAdapter.getToken(normalized, opts);
+        }
+        return null;
+    }
+    async deleteToken(query) {
+        const normalized = {
+            ...query,
+            userId: query.userId !== undefined && query.userId !== null ? String(query.userId) : undefined,
+            ruid: query.ruid !== undefined && query.ruid !== null ? String(query.ruid) : undefined
+        };
+        if (this.tokenStoreAdapter) {
+            return this.tokenStoreAdapter.delete(normalized);
+        }
+        if (typeof this.storageAdapter.deleteToken === 'function') {
+            return this.storageAdapter.deleteToken(normalized);
+        }
+        return 0;
+    }
+    async createPasskeyChallenge(params) {
+        return this.ensurePasskeyService().createChallenge(params);
+    }
+    async verifyPasskeyResponse(params) {
+        return this.ensurePasskeyService().verifyResponse(params);
+    }
+    async getClient(clientId) {
+        return this.oauthStoreAdapter ? this.oauthStoreAdapter.getClient(clientId) : null;
+    }
+    async verifyClientSecret(client, clientSecret) {
+        return this.ensureOAuthStore().verifyClientSecret(client.clientId, clientSecret);
+    }
+    async createAuthCode(request) {
+        const expiresAt = new Date(Date.now() + (request.expiresInSeconds ?? 300) * 1000);
+        const code = request.code ?? randomUUID();
+        await this.ensureOAuthStore().createAuthCode({ ...request, code, expiresAt });
+        return {
+            code,
+            clientId: request.clientId,
+            userId: request.userId,
+            redirectUri: request.redirectUri,
+            scope: request.scope ?? [],
+            codeChallenge: request.codeChallenge,
+            codeChallengeMethod: request.codeChallengeMethod,
+            expiresAt,
+            metadata: request.metadata
+        };
+    }
+    async consumeAuthCode(code, clientId) {
+        const consumed = await this.ensureOAuthStore().consumeAuthCode(code);
+        if (!consumed || consumed.clientId !== clientId) {
+            return null;
+        }
+        return consumed;
+    }
+    async canImpersonate(params) {
+        if (this.canImpersonateAdapter) {
+            return !!(await this.canImpersonateAdapter(params));
+        }
+        return params.realUserId === params.effectiveUserId;
+    }
+    jwtSign(payload, secret, expiresInSeconds, options) {
+        return (this.tokenStoreAdapter ?? this.jwtHelper).jwtSign(payload, secret, expiresInSeconds, options);
+    }
+    jwtVerify(token, secret, options) {
+        return (this.tokenStoreAdapter ?? this.jwtHelper).jwtVerify(token, secret, options);
+    }
+    jwtDecode(token, options) {
+        return (this.tokenStoreAdapter ?? this.jwtHelper).jwtDecode(token, options);
     }
     async getApiKey(token) {
         void token;
@@ -455,16 +565,13 @@ export class ApiServer {
         return this.storageAdapter.verifyPassword(params.password, hash);
     }
     async updateToken(updates) {
-        if (typeof this.storageAdapter.updateToken !== 'function') {
-            return false;
+        if (this.tokenStoreAdapter) {
+            return this.tokenStoreAdapter.update(updates);
         }
-        return this.storageAdapter.updateToken({
-            refreshToken: updates.refreshToken,
-            access: updates.accessToken,
-            expires: updates.expires,
-            clientId: updates.clientId,
-            scope: updates.scope
-        });
+        if (typeof this.storageAdapter.updateToken === 'function') {
+            return this.storageAdapter.updateToken(updates);
+        }
+        return false;
     }
     guessExceptionText(error, defMsg = 'Unkown Error') {
         return guess_exception_text(error, defMsg);
@@ -678,7 +785,7 @@ export class ApiServer {
         return this.config.validateTokens || authType === 'strict';
     }
     async assertStoredAccessToken(apiReq, token, tokenData) {
-        const userId = this.extractTokenUserId(tokenData);
+        const userId = String(this.extractTokenUserId(tokenData));
         const stored = await this.storageAdapter.getToken({
             accessToken: token,
             userId

package/dist/esm/auth-api/auth-module.d.ts

@@ -0,0 +1,96 @@
+import { type ApiRequest, type ApiRoute, type ApiServer } from '../api-server-base.js';
+import { BaseAuthModule, type AuthProviderModule } from './module.js';
+import type { AuthIdentifier, AuthStorage } from './types.js';
+import type { OAuthCallbackParams, OAuthCallbackResult, OAuthStartParams, OAuthStartResult } from '../oauth/types.js';
+import type { TokenPair, Token } from '../token/types.js';
+interface CanImpersonateContext<UserEntity> {
+    apiReq: ApiRequest;
+    realUser: UserEntity;
+    realUserId: AuthIdentifier;
+    targetUser: UserEntity;
+    effectiveUserId: AuthIdentifier;
+}
+interface AuthModuleOptions<UserEntity> {
+    namespace?: string;
+    defaultDomain?: string;
+    canImpersonate?: (context: CanImpersonateContext<UserEntity>) => Promise<boolean> | boolean;
+}
+type TokenMetadata = Partial<Token> & {
+    sessionCookie?: boolean;
+};
+interface TokenIssueOptions extends TokenMetadata {
+    expires?: Date;
+    sessionCookie?: boolean;
+}
+interface NormalizedTokenMetadata extends TokenMetadata {
+    domain: string;
+    fingerprint: string;
+    label: string;
+    browser: string;
+    device: string;
+    ip: string;
+    os: string;
+}
+type TokenClaims = TokenMetadata & {
+    uid: string;
+    exp?: number;
+    iat?: number;
+};
+type AuthCapableServer<PublicUser> = ApiServer & {
+    initiateOAuth?: (params: OAuthStartParams) => Promise<OAuthStartResult>;
+    completeOAuth?: (params: OAuthCallbackParams) => Promise<OAuthCallbackResult<PublicUser>>;
+};
+export default class AuthModule<UserEntity, PublicUser> extends BaseAuthModule<UserEntity> implements AuthProviderModule<UserEntity> {
+    static defaultNamespace: string;
+    server: AuthCapableServer<PublicUser>;
+    private readonly defaultDomain?;
+    private readonly canImpersonateHook?;
+    constructor(options?: AuthModuleOptions<UserEntity>);
+    protected get storage(): AuthStorage<UserEntity, PublicUser>;
+    protected canImpersonate(apiReq: ApiRequest, realUser: UserEntity, targetUser: UserEntity): Promise<boolean>;
+    protected ensureImpersonationAllowed(apiReq: ApiRequest, realUser: UserEntity, targetUser: UserEntity): Promise<void>;
+    protected buildTokenPayload(user: UserEntity, metadata?: TokenMetadata): TokenClaims;
+    protected buildTokenMetadata(metadata?: TokenMetadata): NormalizedTokenMetadata;
+    protected enrichTokenMetadata(apiReq: ApiRequest, metadata?: TokenMetadata): TokenMetadata;
+    private sessionRefreshTtlSeconds;
+    private normalizeRefreshTtlSeconds;
+    private resolveSessionPreferences;
+    private mergeSessionPreferences;
+    private sessionPrefsFromRecord;
+    private cookieOptions;
+    private setJwtCookies;
+    issueTokens(apiReq: ApiRequest, user: UserEntity, metadata?: TokenIssueOptions): Promise<TokenPair>;
+    private assertAuthReady;
+    private parseLoginBody;
+    private parseImpersonationRequest;
+    private resolveImpersonationIdentifier;
+    private buildImpersonationMetadata;
+    private getUserOrThrow;
+    private getRealUserIdentifier;
+    private resolveActorContext;
+    private extractRefreshToken;
+    private normalizeScope;
+    private postLogin;
+    private postRefresh;
+    private postLogout;
+    private postWhoAmI;
+    private postPasskeyChallenge;
+    private postPasskeyVerify;
+    private postImpersonation;
+    private deleteImpersonation;
+    private getUserFromPasskey;
+    private postOAuthStart;
+    private postOAuthCallback;
+    private postOAuthAuthorize;
+    private postOAuthToken;
+    private handleAuthorizationCodeGrant;
+    private handleRefreshTokenGrant;
+    private clearOAuthCookies;
+    private buildTokenResponse;
+    private resolveScope;
+    private resolveClientAuthentication;
+    private assertRedirectUriAllowed;
+    private resolveUserForOAuth;
+    defineRoutes(): ApiRoute[];
+}
+export {};