@technomoron/api-server-base 2.0.0-beta.1 → 2.0.0-beta.10

package/README.txt

@@ -108,13 +108,14 @@ cookieDomain (string, default '.somewhere-over-the-rainbow.com') Domain applied
 accessCookie (string, default 'dat') Access token cookie name.
 refreshCookie (string, default 'drt') Refresh token cookie name.
 accessExpiry (number, default 60 * 15) Access token lifetime in seconds.
-refreshExpiry (number, default 30 * 24 * 60 * 60 * 1000) Refresh token lifetime in milliseconds.
+refreshExpiry (number, default 30 * 24 * 60 * 60) Refresh token lifetime in seconds.
 sessionRefreshExpiry (number, default 24 * 60 * 60) Session token lifetime in seconds when clients opt out of "remember me" cookies.
 authApi (boolean, default false) Toggle you can use when mounting auth routes.
 devMode (boolean, default false) Custom hook for development only features.
 debug (boolean, default false) When true the server logs inbound requests via dumpRequest.
 hydrateGetBody (boolean, default true) Copy query parameters into `req.body` for GET requests; set false if you prefer untouched bodies.
 validateTokens (boolean, default false) When true, every JWT-authenticated request must match a stored token row (access token + user id) before reaching your handler. API keys remain stateless either way.
+refreshMaybe (boolean, default false) When true, `auth: maybe` routes will try to refresh a missing/expired access token using the refresh cookie; if refresh fails, the request stays anonymous.
 
 Tip: If you add new configuration fields in downstream projects, extend ApiServerConf and update fillConfig so defaults stay aligned.
 
@@ -122,7 +123,7 @@ Request Lifecycle
 -----------------
 1. Express middlewares (express.json, cookie-parser, optional multer) run before your handler.
 2. ApiServer wraps the route inside handle_request, setting currReq and logging when debug is enabled.
-3. authenticate enforces the ApiRoute auth type: `none`, `maybe`, `yes`, `strict`, or `apikey`. Bearer JWTs and the `dat` cookie are accepted for `yes`/`strict`, while API key tokens prefixed with `apikey-` always delegate to `getApiKey`. The optional `strict` type (or server-wide `validateTokens` flag) requires the signed JWT to exist in storage; when it does, the persisted row is attached to `apiReq.authToken`. The dedicated `apikey` type simply means “an API key is required”; otherwise API keys are still accepted by `yes`/`strict` routes alongside JWTs, and `apiReq.apiKey` is populated when present.
+3. authenticate enforces the ApiRoute auth type: `none`, `maybe`, `yes`, `strict`, or `apikey`. Bearer JWTs and the access cookie (`accessCookie`, default `dat`) are accepted for `yes`/`strict`, while API key tokens prefixed with `apikey-` always delegate to `getApiKey`. When `refreshSecret` is configured and your storage supports refresh lookups (`getToken({ refreshToken })` + `updateToken(...)`), `yes`/`strict` routes will automatically mint a new access token when it is missing or expired (and also recover from "Authorization token is no longer valid" by refreshing). `maybe` routes only do the same when `refreshMaybe: true`. The optional `strict` type (or server-wide `validateTokens` flag) requires the signed JWT to exist in storage; when it does, the persisted row is attached to `apiReq.authToken`. The dedicated `apikey` type simply means “an API key is required”; otherwise API keys are still accepted by `yes`/`strict` routes alongside JWTs, and `apiReq.apiKey` is populated when present.
 4. authorize runs with the requested auth class (any or admin in the base implementation). Override to connect to your role system.
 5. The handler executes and returns its tuple. Responses are normalized to { code, message, data } JSON.
 6. Errors bubble into the wrapper. ApiError instances respect the provided status codes; other exceptions result in a 500 with text derived from guessExceptionText.
@@ -140,6 +141,28 @@ Use your storage adapter's filterUser helper to trim sensitive data before retur
 Provide your own authorize method to enforce role based access control using the ApiAuthClass enum.
 Create feature modules by extending ApiModule. Use the optional checkConfig hook to validate prerequisites before routes mount.
 
+Custom Express Endpoints
+------------------------
+ApiModule routes run inside the tuple wrapper (always responding with a standardized JSON envelope). For endpoints that need raw Express control (streaming, webhooks, tus uploads, etc.), mount your own handlers directly.
+
+- `server.useExpress(...)` mounts middleware/routes and keeps the built-in `/api` 404 handler ordered last, so mounts under `apiBasePath` are not intercepted.
+- Protect endpoints by inserting `server.expressAuth({ type, req })` as middleware. It authenticates using the same JWT/cookie/API-key logic as ApiModule routes and then runs `authorize`.
+- On success, `expressAuth` attaches the computed ApiRequest to both `req.apiReq` and `res.locals.apiReq`.
+- If you want the same JSON error envelope for custom endpoints, mount `server.expressErrorHandler()` after your custom routes.
+
+Example:
+
+	server
+		.useExpress(
+			'/api/custom/optional',
+			server.expressAuth({ type: 'maybe', req: 'any' }),
+			(req, res) => {
+				const apiReq = (req as any).apiReq;
+				res.status(200).json({ uid: apiReq.tokenData?.uid ?? null });
+			}
+		)
+		.useExpress(server.expressErrorHandler());
+
 
 Tooling and Scripts
 -------------------

package/dist/cjs/api-server-base.cjs

@@ -352,6 +352,7 @@ function fillConfig(config) {
         devMode: config.devMode ?? false,
         hydrateGetBody: config.hydrateGetBody ?? true,
         validateTokens: config.validateTokens ?? false,
+        refreshMaybe: config.refreshMaybe ?? false,
         apiVersion: config.apiVersion ?? '',
         minClientVersion: config.minClientVersion ?? '',
         tokenStore: config.tokenStore,
@@ -370,7 +371,7 @@ class ApiServer {
         this.config = fillConfig(config);
         this.apiBasePath = this.normalizeApiBasePath(this.config.apiBasePath);
         this.startedAt = Date.now();
-        this.storageAdapter = storage_js_1.nullAuthStorage;
+        this.storageAdapter = storage_js_1.nullAuthAdapter;
         this.moduleAdapter = module_js_1.nullAuthModule;
         this.jwtHelper = new JwtHelperStore();
         this.tokenStoreAdapter = this.config.tokenStore ?? null;
@@ -448,13 +449,19 @@ class ApiServer {
         }
         return this.passkeyServiceAdapter;
     }
+    async listUserCredentials(userId) {
+        return this.ensurePasskeyService().listUserCredentials(userId);
+    }
+    async deletePasskeyCredential(credentialId) {
+        return this.ensurePasskeyService().deleteCredential(credentialId);
+    }
     ensureOAuthStore() {
         if (!this.oauthStoreAdapter) {
             throw new Error('OAuth store is not configured');
         }
         return this.oauthStoreAdapter;
     }
-    // AuthStorage-compatible helpers (used by AuthModule)
+    // AuthAdapter-compatible helpers (used by AuthModule)
     async getUser(identifier) {
         return this.userStoreAdapter ? this.userStoreAdapter.findUser(identifier) : null;
     }
@@ -700,16 +707,117 @@ class ApiServer {
     }
     async verifyJWT(token) {
         if (!this.config.accessSecret) {
-            return { tokenData: undefined, error: 'JWT authentication disabled; no jwtSecret set' };
+            return { tokenData: undefined, error: 'JWT authentication disabled; no jwtSecret set', expired: false };
         }
         const result = this.jwtVerify(token, this.config.accessSecret);
         if (!result.success) {
-            return { tokenData: undefined, error: result.error };
+            return { tokenData: undefined, error: result.error, expired: result.expired };
         }
         if (!result.data.uid) {
-            return { tokenData: undefined, error: 'Missing/bad userid in token' };
+            return { tokenData: undefined, error: 'Missing/bad userid in token', expired: false };
+        }
+        return { tokenData: result.data, error: undefined, expired: false };
+    }
+    jwtCookieOptions(apiReq) {
+        const conf = this.config;
+        const forwarded = apiReq.req.headers['x-forwarded-proto'];
+        const referer = apiReq.req.headers['origin'] ?? apiReq.req.headers['referer'];
+        const origin = typeof referer === 'string' ? referer : '';
+        const isHttps = forwarded === 'https' || apiReq.req.protocol === 'https';
+        const isLocalhost = origin.includes('localhost');
+        const options = {
+            httpOnly: true,
+            secure: true,
+            sameSite: 'strict',
+            domain: conf.cookieDomain || undefined,
+            path: '/',
+            maxAge: undefined
+        };
+        if (conf.devMode) {
+            options.secure = isHttps;
+            options.httpOnly = false;
+            options.sameSite = 'lax';
+            if (isLocalhost) {
+                options.domain = undefined;
+            }
         }
-        return { tokenData: result.data, error: undefined };
+        return options;
+    }
+    setAccessCookie(apiReq, accessToken, sessionCookie) {
+        const conf = this.config;
+        const options = this.jwtCookieOptions(apiReq);
+        const accessMaxAge = Math.max(1, conf.accessExpiry) * 1000;
+        const accessOptions = sessionCookie ? options : { ...options, maxAge: accessMaxAge };
+        apiReq.res.cookie(conf.accessCookie, accessToken, accessOptions);
+    }
+    async tryRefreshAccessToken(apiReq) {
+        const conf = this.config;
+        if (!conf.refreshSecret || !conf.accessSecret) {
+            return null;
+        }
+        const rawRefresh = apiReq.req.cookies?.[conf.refreshCookie];
+        if (typeof rawRefresh !== 'string') {
+            return null;
+        }
+        const refreshToken = rawRefresh.trim();
+        if (!refreshToken) {
+            return null;
+        }
+        const verify = this.jwtVerify(refreshToken, conf.refreshSecret);
+        if (!verify.success || !verify.data) {
+            return null;
+        }
+        let stored = null;
+        try {
+            stored = await this.storageAdapter.getToken({ refreshToken });
+        }
+        catch {
+            return null;
+        }
+        if (!stored) {
+            return null;
+        }
+        const storedUid = String(stored.userId);
+        const verifyUid = verify.data.uid === undefined || verify.data.uid === null ? null : String(verify.data.uid);
+        if (verifyUid && verifyUid !== storedUid) {
+            return null;
+        }
+        const claims = verify.data;
+        const { exp: _exp, iat: _iat, nbf: _nbf, ...payload } = claims;
+        void _exp;
+        void _iat;
+        void _nbf;
+        // Ensure we never embed token secrets into refreshed access tokens.
+        delete payload.accessToken;
+        delete payload.refreshToken;
+        delete payload.userId;
+        delete payload.expires;
+        delete payload.issuedAt;
+        delete payload.lastSeenAt;
+        delete payload.status;
+        const access = this.jwtSign(payload, conf.accessSecret, conf.accessExpiry);
+        if (!access.success || !access.token) {
+            return null;
+        }
+        const updated = await this.updateToken({
+            refreshToken,
+            accessToken: access.token,
+            lastSeenAt: new Date()
+        });
+        if (!updated) {
+            return null;
+        }
+        this.setAccessCookie(apiReq, access.token, stored.sessionCookie ?? false);
+        if (apiReq.req.cookies) {
+            apiReq.req.cookies[conf.accessCookie] = access.token;
+        }
+        const verifiedAccess = await this.verifyJWT(access.token);
+        if (!verifiedAccess.tokenData) {
+            return null;
+        }
+        const refreshedStored = { ...stored, accessToken: access.token };
+        apiReq.authToken = refreshedStored;
+        return { token: access.token, tokenData: verifiedAccess.tokenData, stored: refreshedStored };
     }
     async authenticate(apiReq, authType) {
         if (authType === 'none') {
@@ -719,6 +827,7 @@ class ApiServer {
         let token = null;
         const authHeader = apiReq.req.headers.authorization;
         const requiresAuthToken = this.requiresAuthToken(authType);
+        const allowRefresh = requiresAuthToken || (authType === 'maybe' && this.config.refreshMaybe);
         const apiKeyAuth = await this.tryAuthenticateApiKey(apiReq, authType, authHeader);
         if (apiKeyAuth) {
             return apiKeyAuth;
@@ -727,32 +836,84 @@ class ApiServer {
             token = authHeader.slice(7).trim();
         }
         if (!token) {
-            const access = apiReq.req.cookies?.dat;
+            const access = apiReq.req.cookies?.[this.config.accessCookie];
             if (access) {
                 token = access;
             }
         }
+        let tokenData;
+        let error;
+        let expired = false;
         if (!token || token === null) {
-            if (requiresAuthToken) {
-                throw new ApiError({ code: 401, message: 'Authorization token is required (Bearer/cookie)' });
+            if (authType === 'maybe') {
+                if (!this.config.refreshMaybe) {
+                    return null;
+                }
+                const refreshed = await this.tryRefreshAccessToken(apiReq);
+                if (!refreshed) {
+                    return null;
+                }
+                token = refreshed.token;
+                tokenData = refreshed.tokenData;
+                error = undefined;
+                expired = false;
+            }
+            else if (requiresAuthToken) {
+                const refreshed = await this.tryRefreshAccessToken(apiReq);
+                if (!refreshed) {
+                    throw new ApiError({ code: 401, message: 'Authorization token is required (Bearer/cookie)' });
+                }
+                token = refreshed.token;
+                tokenData = refreshed.tokenData;
+                error = undefined;
+                expired = false;
             }
         }
         if (!token) {
-            if (authType === 'maybe') {
-                return null;
-            }
-            else {
-                throw new ApiError({ code: 401, message: 'Unauthorized Access - requires authentication' });
+            throw new ApiError({ code: 401, message: 'Unauthorized Access - requires authentication' });
+        }
+        if (!tokenData) {
+            const verified = await this.verifyJWT(token);
+            tokenData = verified.tokenData;
+            error = verified.error;
+            expired = verified.expired ?? false;
+        }
+        if (!tokenData && allowRefresh && expired) {
+            const refreshed = await this.tryRefreshAccessToken(apiReq);
+            if (refreshed) {
+                token = refreshed.token;
+                tokenData = refreshed.tokenData;
+                error = undefined;
             }
         }
-        const { tokenData, error } = await this.verifyJWT(token);
         if (!tokenData) {
             throw new ApiError({ code: 401, message: 'Unathorized Access - ' + error });
         }
         const effectiveUserId = this.extractTokenUserId(tokenData);
         apiReq.realUid = this.resolveRealUserId(tokenData, effectiveUserId);
         if (this.shouldValidateStoredToken(authType)) {
-            await this.assertStoredAccessToken(apiReq, token, tokenData);
+            try {
+                await this.assertStoredAccessToken(apiReq, token, tokenData);
+            }
+            catch (error) {
+                if (allowRefresh &&
+                    error instanceof ApiError &&
+                    error.code === 401 &&
+                    error.message === 'Authorization token is no longer valid') {
+                    const refreshed = await this.tryRefreshAccessToken(apiReq);
+                    if (!refreshed) {
+                        throw error;
+                    }
+                    token = refreshed.token;
+                    tokenData = refreshed.tokenData;
+                    const refreshedUserId = this.extractTokenUserId(tokenData);
+                    apiReq.realUid = this.resolveRealUserId(tokenData, refreshedUserId);
+                    await this.assertStoredAccessToken(apiReq, token, tokenData);
+                }
+                else {
+                    throw error;
+                }
+            }
         }
         apiReq.token = token;
         return tokenData;
@@ -794,6 +955,9 @@ class ApiServer {
     }
     async assertStoredAccessToken(apiReq, token, tokenData) {
         const userId = String(this.extractTokenUserId(tokenData));
+        if (apiReq.authToken && apiReq.authToken.accessToken === token && String(apiReq.authToken.userId) === userId) {
+            return;
+        }
         const stored = await this.storageAdapter.getToken({
             accessToken: token,
             userId
@@ -833,32 +997,98 @@ class ApiServer {
         }
         return rawReal;
     }
-    handle_request(handler, auth) {
+    useExpress(pathOrHandler, ...handlers) {
+        if (typeof pathOrHandler === 'string') {
+            this.app.use(pathOrHandler, ...handlers);
+        }
+        else {
+            this.app.use(pathOrHandler, ...handlers);
+        }
+        this.ensureApiNotFoundOrdering();
+        return this;
+    }
+    createApiRequest(req, res) {
+        const apiReq = {
+            server: this,
+            req,
+            res,
+            token: '',
+            tokenData: null,
+            realUid: null,
+            getClientInfo: () => ensureClientInfo(apiReq),
+            getClientIp: () => ensureClientInfo(apiReq).ip,
+            getClientIpChain: () => ensureClientInfo(apiReq).ipchain,
+            getRealUid: () => apiReq.realUid ?? null,
+            isImpersonating: () => {
+                const realUid = apiReq.realUid;
+                const tokenUid = apiReq.tokenData?.uid;
+                if (realUid === null || realUid === undefined) {
+                    return false;
+                }
+                if (tokenUid === null || tokenUid === undefined) {
+                    return false;
+                }
+                return realUid !== tokenUid;
+            }
+        };
+        return apiReq;
+    }
+    expressAuth(auth) {
         return async (req, res, next) => {
-            void next;
-            const apiReq = {
-                server: this,
-                req,
-                res,
-                token: '',
-                tokenData: null,
-                realUid: null,
-                getClientInfo: () => ensureClientInfo(apiReq),
-                getClientIp: () => ensureClientInfo(apiReq).ip,
-                getClientIpChain: () => ensureClientInfo(apiReq).ipchain,
-                getRealUid: () => apiReq.realUid ?? null,
-                isImpersonating: () => {
-                    const realUid = apiReq.realUid;
-                    const tokenUid = apiReq.tokenData?.uid;
-                    if (realUid === null || realUid === undefined) {
-                        return false;
-                    }
-                    if (tokenUid === null || tokenUid === undefined) {
-                        return false;
-                    }
-                    return realUid !== tokenUid;
+            const apiReq = this.createApiRequest(req, res);
+            req.apiReq = apiReq;
+            res.locals.apiReq = apiReq;
+            this.currReq = apiReq;
+            try {
+                if (this.config.hydrateGetBody) {
+                    hydrateGetBody(req);
+                }
+                if (this.config.debug) {
+                    this.dumpRequest(apiReq);
                 }
+                apiReq.tokenData = await this.authenticate(apiReq, auth.type);
+                await this.authorize(apiReq, auth.req);
+                next();
+            }
+            catch (error) {
+                next(error);
+            }
+        };
+    }
+    expressErrorHandler() {
+        return (error, _req, res, next) => {
+            void _req;
+            if (res.headersSent) {
+                next(error);
+                return;
+            }
+            if (error instanceof ApiError || isApiErrorLike(error)) {
+                const apiError = error;
+                const normalizedErrors = apiError.errors && typeof apiError.errors === 'object' && !Array.isArray(apiError.errors)
+                    ? apiError.errors
+                    : {};
+                const errorPayload = {
+                    code: apiError.code,
+                    message: apiError.message,
+                    data: apiError.data ?? null,
+                    errors: normalizedErrors
+                };
+                res.status(apiError.code).json(errorPayload);
+                return;
+            }
+            const errorPayload = {
+                code: 500,
+                message: this.guessExceptionText(error),
+                data: null,
+                errors: {}
             };
+            res.status(500).json(errorPayload);
+        };
+    }
+    handle_request(handler, auth) {
+        return async (req, res, next) => {
+            void next;
+            const apiReq = this.createApiRequest(req, res);
             this.currReq = apiReq;
             try {
                 if (this.config.hydrateGetBody) {

package/dist/cjs/api-server-base.d.ts

@@ -4,16 +4,16 @@
  * This source code is licensed under the MIT license found in the
  * LICENSE file in the root directory of this source tree.
  */
-import { Application, Request, Response } from 'express';
+import { Application, Request, Response, type ErrorRequestHandler, type RequestHandler } from 'express';
 import { ApiModule } from './api-module.js';
 import { TokenStore, type JwtDecodeResult, type JwtSignResult, type JwtVerifyResult } from './token/base.js';
-import type { ApiAuthClass, ApiKey } from './api-module.js';
+import type { ApiAuthClass, ApiAuthType, ApiKey } from './api-module.js';
 import type { AuthProviderModule } from './auth-api/module.js';
-import type { AuthStorage, AuthIdentifier } from './auth-api/types.js';
+import type { AuthAdapter, AuthIdentifier } from './auth-api/types.js';
 import type { OAuthStore } from './oauth/base.js';
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from './oauth/types.js';
 import type { PasskeyService } from './passkey/service.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult } from './passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, StoredPasskeyCredential, PasskeyVerificationParams, PasskeyVerificationResult } from './passkey/types.js';
 import type { Token } from './token/types.js';
 import type { UserStore } from './user/base.js';
 import type { JwtPayload, SignOptions, VerifyOptions } from 'jsonwebtoken';
@@ -47,6 +47,12 @@ export interface ApiRequest {
     getRealUid: () => AuthIdentifier | null;
     isImpersonating: () => boolean;
 }
+export interface ExpressApiRequest extends ExtendedReq {
+    apiReq?: ApiRequest;
+}
+export interface ExpressApiLocals {
+    apiReq?: ApiRequest;
+}
 export interface ClientAgentProfile {
     ua: string;
     browser: string;
@@ -101,6 +107,7 @@ export interface ApiServerConf {
     devMode: boolean;
     hydrateGetBody: boolean;
     validateTokens: boolean;
+    refreshMaybe: boolean;
     apiVersion: string;
     minClientVersion: string;
     tokenStore?: TokenStore;
@@ -122,23 +129,25 @@ export declare class ApiServer {
     private canImpersonateAdapter;
     private readonly jwtHelper;
     constructor(config?: Partial<ApiServerConf>);
-    authStorage<UserRow, SafeUser>(storage: AuthStorage<UserRow, SafeUser>): this;
+    authStorage<UserRow, SafeUser>(storage: AuthAdapter<UserRow, SafeUser>): this;
     /**
      * @deprecated Use {@link ApiServer.authStorage} instead.
      */
-    useAuthStorage<UserRow, SafeUser>(storage: AuthStorage<UserRow, SafeUser>): this;
+    useAuthStorage<UserRow, SafeUser>(storage: AuthAdapter<UserRow, SafeUser>): this;
     authModule<UserRow>(module: AuthProviderModule<UserRow>): this;
     /**
      * @deprecated Use {@link ApiServer.authModule} instead.
      */
     useAuthModule<UserRow>(module: AuthProviderModule<UserRow>): this;
-    getAuthStorage(): AuthStorage<any, any>;
+    getAuthStorage(): AuthAdapter<any, any>;
     getAuthModule(): AuthProviderModule<any>;
     setTokenStore(store: TokenStore): this;
     getTokenStore(): TokenStore | null;
     private ensureUserStore;
     private ensureTokenStore;
     private ensurePasskeyService;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
     private ensureOAuthStore;
     getUser(identifier: AuthIdentifier): Promise<any | null>;
     getUserPasswordHash(user: any): string;
@@ -187,6 +196,9 @@ export declare class ApiServer {
     private describeMissingEndpoint;
     start(): this;
     private verifyJWT;
+    private jwtCookieOptions;
+    private setAccessCookie;
+    private tryRefreshAccessToken;
     private authenticate;
     private tryAuthenticateApiKey;
     private requiresAuthToken;
@@ -195,6 +207,14 @@ export declare class ApiServer {
     private normalizeAuthIdentifier;
     private extractTokenUserId;
     private resolveRealUserId;
+    useExpress(path: string, ...handlers: Array<RequestHandler | ErrorRequestHandler>): this;
+    useExpress(...handlers: Array<RequestHandler | ErrorRequestHandler>): this;
+    private createApiRequest;
+    expressAuth(auth: {
+        type: ApiAuthType;
+        req: ApiAuthClass;
+    }): RequestHandler;
+    expressErrorHandler(): ErrorRequestHandler;
     private handle_request;
     api<T extends ApiModule<any>>(module: T): this;
     dumpRequest(apiReq: ApiRequest): void;

package/dist/cjs/auth-api/auth-module.d.ts

@@ -1,6 +1,6 @@
 import { type ApiRequest, type ApiRoute, type ApiServer } from '../api-server-base.js';
 import { BaseAuthModule, type AuthProviderModule } from './module.js';
-import type { AuthIdentifier, AuthStorage } from './types.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
 import type { OAuthCallbackParams, OAuthCallbackResult, OAuthStartParams, OAuthStartResult } from '../oauth/types.js';
 import type { TokenPair, Token } from '../token/types.js';
 interface CanImpersonateContext<UserEntity> {
@@ -46,7 +46,7 @@ export default class AuthModule<UserEntity, PublicUser> extends BaseAuthModule<U
     private readonly defaultDomain?;
     private readonly canImpersonateHook?;
     constructor(options?: AuthModuleOptions<UserEntity>);
-    protected get storage(): AuthStorage<UserEntity, PublicUser>;
+    protected get storage(): AuthAdapter<UserEntity, PublicUser>;
     protected canImpersonate(apiReq: ApiRequest, realUser: UserEntity, targetUser: UserEntity): Promise<boolean>;
     protected ensureImpersonationAllowed(apiReq: ApiRequest, realUser: UserEntity, targetUser: UserEntity): Promise<void>;
     protected buildTokenPayload(user: UserEntity, metadata?: TokenMetadata): TokenClaims;
@@ -57,6 +57,9 @@ export default class AuthModule<UserEntity, PublicUser> extends BaseAuthModule<U
     private resolveSessionPreferences;
     private mergeSessionPreferences;
     private sessionPrefsFromRecord;
+    private validateCredentialId;
+    private normalizeCredentialId;
+    private toIsoDate;
     private cookieOptions;
     private setJwtCookies;
     issueTokens(apiReq: ApiRequest, user: UserEntity, metadata?: TokenIssueOptions): Promise<TokenPair>;
@@ -76,6 +79,8 @@ export default class AuthModule<UserEntity, PublicUser> extends BaseAuthModule<U
     private postWhoAmI;
     private postPasskeyChallenge;
     private postPasskeyVerify;
+    private getPasskeys;
+    private deletePasskey;
     private postImpersonation;
     private deleteImpersonation;
     private getUserFromPasskey;
@@ -91,6 +96,10 @@ export default class AuthModule<UserEntity, PublicUser> extends BaseAuthModule<U
     private resolveClientAuthentication;
     private assertRedirectUriAllowed;
     private resolveUserForOAuth;
+    private hasPasskeyService;
+    private hasOAuthStore;
+    private storageImplements;
+    private storageImplementsAll;
     defineRoutes(): ApiRoute[];
 }
 export {};