npm - @technomoron/api-server-base - Versions diffs - 2.0.0-beta.1 → 2.0.0-beta.11 - Mend

@technomoron/api-server-base 2.0.0-beta.1 → 2.0.0-beta.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (52) hide show

package/README.txt +25 -2
package/dist/cjs/api-server-base.cjs +277 -41
package/dist/cjs/api-server-base.d.ts +27 -7
package/dist/cjs/auth-api/auth-module.d.ts +11 -2
package/dist/cjs/auth-api/auth-module.js +215 -46
package/dist/cjs/auth-api/compat-auth-storage.d.ts +7 -5
package/dist/cjs/auth-api/compat-auth-storage.js +15 -3
package/dist/cjs/auth-api/mem-auth-store.d.ts +5 -3
package/dist/cjs/auth-api/mem-auth-store.js +7 -1
package/dist/cjs/auth-api/sql-auth-store.d.ts +5 -3
package/dist/cjs/auth-api/sql-auth-store.js +7 -1
package/dist/cjs/auth-api/storage.d.ts +6 -4
package/dist/cjs/auth-api/storage.js +15 -5
package/dist/cjs/auth-api/types.d.ts +7 -2
package/dist/cjs/index.cjs +4 -4
package/dist/cjs/index.d.ts +4 -4
package/dist/cjs/oauth/sequelize.js +1 -1
package/dist/cjs/passkey/base.d.ts +1 -0
package/dist/cjs/passkey/memory.d.ts +1 -0
package/dist/cjs/passkey/memory.js +4 -0
package/dist/cjs/passkey/sequelize.d.ts +1 -0
package/dist/cjs/passkey/sequelize.js +11 -2
package/dist/cjs/passkey/service.d.ts +5 -2
package/dist/cjs/passkey/service.js +145 -10
package/dist/cjs/passkey/types.d.ts +3 -0
package/dist/cjs/user/base.js +2 -1
package/dist/esm/api-server-base.d.ts +27 -7
package/dist/esm/api-server-base.js +278 -42
package/dist/esm/auth-api/auth-module.d.ts +11 -2
package/dist/esm/auth-api/auth-module.js +216 -47
package/dist/esm/auth-api/compat-auth-storage.d.ts +7 -5
package/dist/esm/auth-api/compat-auth-storage.js +13 -1
package/dist/esm/auth-api/mem-auth-store.d.ts +5 -3
package/dist/esm/auth-api/mem-auth-store.js +8 -2
package/dist/esm/auth-api/sql-auth-store.d.ts +5 -3
package/dist/esm/auth-api/sql-auth-store.js +8 -2
package/dist/esm/auth-api/storage.d.ts +6 -4
package/dist/esm/auth-api/storage.js +13 -3
package/dist/esm/auth-api/types.d.ts +7 -2
package/dist/esm/index.d.ts +4 -4
package/dist/esm/index.js +2 -2
package/dist/esm/oauth/sequelize.js +1 -1
package/dist/esm/passkey/base.d.ts +1 -0
package/dist/esm/passkey/memory.d.ts +1 -0
package/dist/esm/passkey/memory.js +4 -0
package/dist/esm/passkey/sequelize.d.ts +1 -0
package/dist/esm/passkey/sequelize.js +11 -2
package/dist/esm/passkey/service.d.ts +5 -2
package/dist/esm/passkey/service.js +113 -11
package/dist/esm/passkey/types.d.ts +3 -0
package/dist/esm/user/base.js +2 -1
package/package.json +13 -11

package/dist/cjs/auth-api/auth-module.js CHANGED Viewed

@@ -1,8 +1,10 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 const node_crypto_1 = require("node:crypto");
+const helpers_1 = require("@simplewebauthn/server/helpers");
 const api_server_base_js_1 = require("../api-server-base.js");
 const module_js_1 = require("./module.js");
+const storage_js_1 = require("./storage.js");
 function isAuthIdentifier(value) {
     return typeof value === 'string' || typeof value === 'number';
 }
@@ -74,9 +76,21 @@ class AuthModule extends module_js_1.BaseAuthModule {
     }
     buildTokenMetadata(metadata = {}) {
         const scope = metadata.scope;
+        const domain = metadata.domain ?? this.defaultDomain ?? '';
+        let fingerprint = metadata.fingerprint ?? metadata.clientId ?? '';
+        if (typeof fingerprint === 'string') {
+            fingerprint = fingerprint.trim();
+        }
+        else {
+            fingerprint = '';
+        }
+        // Avoid every client sharing the empty-string fingerprint which collapses sessions into one bucket.
+        if (!fingerprint) {
+            fingerprint = `srv-${(0, node_crypto_1.randomUUID)()}`;
+        }
         return {
-            domain: metadata.domain ?? this.defaultDomain ?? '',
-            fingerprint: metadata.fingerprint ?? metadata.clientId ?? '',
+            domain,
+            fingerprint,
             label: metadata.label ?? (Array.isArray(scope) ? scope.join(' ') : typeof scope === 'string' ? scope : ''),
             clientId: metadata.clientId,
             ruid: metadata.ruid,
@@ -183,6 +197,44 @@ class AuthModule extends module_js_1.BaseAuthModule {
         }
         return prefs;
     }
+    validateCredentialId(apiReq) {
+        const paramId = toStringOrNull(apiReq.req.params?.credentialId);
+        const bodyId = toStringOrNull(apiReq.req.body?.credentialId);
+        const credentialId = paramId ?? bodyId;
+        if (!credentialId) {
+            throw new api_server_base_js_1.ApiError({ code: 400, message: 'credentialId is required' });
+        }
+        try {
+            helpers_1.isoBase64URL.toBuffer(credentialId);
+        }
+        catch {
+            throw new api_server_base_js_1.ApiError({ code: 400, message: 'Invalid credentialId' });
+        }
+        return credentialId;
+    }
+    normalizeCredentialId(value) {
+        if (Buffer.isBuffer(value)) {
+            return value;
+        }
+        try {
+            return Buffer.from(helpers_1.isoBase64URL.toBuffer(value));
+        }
+        catch {
+            try {
+                return Buffer.from(value, 'base64');
+            }
+            catch {
+                return Buffer.from(value);
+            }
+        }
+    }
+    toIsoDate(value) {
+        if (!value) {
+            return undefined;
+        }
+        const date = value instanceof Date ? value : new Date(value);
+        return Number.isNaN(date.getTime()) ? undefined : date.toISOString();
+    }
     cookieOptions(apiReq) {
         const conf = this.server.config;
         const forwarded = apiReq.req.headers['x-forwarded-proto'];
@@ -513,7 +565,28 @@ class AuthModule extends module_js_1.BaseAuthModule {
                 : cookiePrefs.refreshTtlSeconds;
             this.setJwtCookies(apiReq, { accessToken: access.token, refreshToken }, { sessionCookie: cookiePrefs.sessionCookie ?? false, refreshTtlSeconds: refreshTtlForCookie });
         }
-        return [200, this.storage.filterUser(user)];
+        const tokenClaims = verify.data;
+        const effectiveUserId = this.storage.getUserId(user);
+        const effectiveId = String(effectiveUserId);
+        const rawRealId = stored.ruid ?? tokenClaims.ruid;
+        const normalizedRealId = rawRealId === undefined || rawRealId === null ? null : String(rawRealId).trim() || null;
+        const isImpersonating = normalizedRealId !== null && normalizedRealId !== effectiveId;
+        let realUser;
+        let realUserId;
+        if (isImpersonating && normalizedRealId !== null) {
+            const realUserEntity = await this.getUserOrThrow(normalizedRealId, 'Real user not found');
+            realUser = this.storage.filterUser(realUserEntity);
+            realUserId = this.storage.getUserId(realUserEntity);
+        }
+        return [
+            200,
+            {
+                user: this.storage.filterUser(user),
+                isImpersonating,
+                realUser,
+                realUserId
+            }
+        ];
     }
     async postPasskeyChallenge(apiReq) {
         if (typeof this.storage.createPasskeyChallenge !== 'function') {
@@ -598,6 +671,44 @@ class AuthModule extends module_js_1.BaseAuthModule {
         const publicUser = this.storage.filterUser(user);
         return [200, { ...tokens, user: publicUser }];
     }
+    async getPasskeys(apiReq) {
+        if (typeof this.storage.listUserCredentials !== 'function') {
+            throw new api_server_base_js_1.ApiError({ code: 501, message: 'Passkey credential listing is not configured' });
+        }
+        const { userId } = await this.resolveActorContext(apiReq);
+        const credentials = await this.storage.listUserCredentials(userId);
+        const safeCredentials = credentials.map((credential) => {
+            const bufferId = this.normalizeCredentialId(credential.credentialId);
+            return {
+                id: helpers_1.isoBase64URL.fromBuffer(new Uint8Array(bufferId)),
+                transports: credential.transports,
+                backedUp: credential.backedUp,
+                deviceType: credential.deviceType,
+                createdAt: this.toIsoDate(credential.createdAt),
+                updatedAt: this.toIsoDate(credential.updatedAt)
+            };
+        });
+        return [200, { credentials: safeCredentials }];
+    }
+    async deletePasskey(apiReq) {
+        if (typeof this.storage.listUserCredentials !== 'function' ||
+            typeof this.storage.deletePasskeyCredential !== 'function') {
+            throw new api_server_base_js_1.ApiError({ code: 501, message: 'Passkey credential management is not configured' });
+        }
+        const { userId } = await this.resolveActorContext(apiReq);
+        const credentialId = this.validateCredentialId(apiReq);
+        const bufferId = Buffer.from(helpers_1.isoBase64URL.toBuffer(credentialId));
+        const credentials = await this.storage.listUserCredentials(userId);
+        const owns = credentials.some((credential) => {
+            const candidateId = this.normalizeCredentialId(credential.credentialId);
+            return helpers_1.isoBase64URL.fromBuffer(new Uint8Array(candidateId)) === credentialId;
+        });
+        if (!owns) {
+            throw new api_server_base_js_1.ApiError({ code: 404, message: 'Passkey not found' });
+        }
+        const deleted = await this.storage.deletePasskeyCredential(bufferId);
+        return [200, { deleted }];
+    }
     async postImpersonation(apiReq) {
         this.assertAuthReady();
         const { targetIdentifier, metadata } = this.parseImpersonationRequest(apiReq);
@@ -941,47 +1052,91 @@ class AuthModule extends module_js_1.BaseAuthModule {
         }
         throw new api_server_base_js_1.ApiError({ code: 401, message: 'Authorization requires user authentication' });
     }
+    hasPasskeyService() {
+        const storageAny = this.storage;
+        if (storageAny.passkeyService || storageAny.passkeyStore) {
+            return true;
+        }
+        if (storageAny.adapter?.passkeyService || storageAny.adapter?.passkeyStore) {
+            return true;
+        }
+        const serverAny = this.server;
+        return !!serverAny.passkeyServiceAdapter;
+    }
+    hasOAuthStore() {
+        const storageAny = this.storage;
+        if (storageAny.oauthStore) {
+            return true;
+        }
+        if (storageAny.adapter?.oauthStore) {
+            return true;
+        }
+        const serverAny = this.server;
+        return !!serverAny.oauthStoreAdapter;
+    }
+    storageImplements(key) {
+        const candidate = this.storage[key];
+        if (typeof candidate !== 'function') {
+            return false;
+        }
+        const baseImpl = storage_js_1.BaseAuthAdapter.prototype[key];
+        return candidate !== baseImpl;
+    }
+    storageImplementsAll(keys) {
+        return keys.every((key) => this.storageImplements(key));
+    }
     defineRoutes() {
-        const routes = [
-            {
-                method: 'post',
-                path: '/v1/login',
-                handler: (req) => this.postLogin(req),
-                auth: { type: 'none', req: 'any' }
-            },
-            {
-                method: 'post',
-                path: '/v1/refresh',
-                handler: (req) => this.postRefresh(req),
-                auth: { type: 'none', req: 'any' }
-            },
-            {
-                method: 'post',
-                path: '/v1/logout',
-                handler: (req) => this.postLogout(req),
-                auth: { type: 'maybe', req: 'any' }
-            },
-            {
-                method: 'post',
-                path: '/v1/whoami',
-                handler: (req) => this.postWhoAmI(req),
-                auth: { type: 'maybe', req: 'any' }
-            },
-            {
-                method: 'post',
-                path: '/v1/impersonations',
-                handler: (req) => this.postImpersonation(req),
-                auth: { type: 'strict', req: 'any' }
-            },
-            {
-                method: 'delete',
-                path: '/v1/impersonations',
-                handler: (req) => this.deleteImpersonation(req),
-                auth: { type: 'strict', req: 'any' }
-            }
-        ];
-        const storage = this.storage;
-        const passkeysSupported = typeof storage.createPasskeyChallenge === 'function' && typeof storage.verifyPasskeyResponse === 'function';
+        const routes = [];
+        const coreAuthSupported = this.storageImplementsAll([
+            'getUser',
+            'getUserPasswordHash',
+            'getUserId',
+            'verifyPassword',
+            'filterUser',
+            'storeToken',
+            'getToken',
+            'deleteToken'
+        ]);
+        if (!coreAuthSupported) {
+            return routes;
+        }
+        routes.push({
+            method: 'post',
+            path: '/v1/login',
+            handler: (req) => this.postLogin(req),
+            auth: { type: 'none', req: 'any' }
+        }, {
+            method: 'post',
+            path: '/v1/refresh',
+            handler: (req) => this.postRefresh(req),
+            auth: { type: 'none', req: 'any' }
+        }, {
+            method: 'post',
+            path: '/v1/logout',
+            handler: (req) => this.postLogout(req),
+            auth: { type: 'maybe', req: 'any' }
+        }, {
+            method: 'post',
+            path: '/v1/whoami',
+            handler: (req) => this.postWhoAmI(req),
+            auth: { type: 'maybe', req: 'any' }
+        }, {
+            method: 'post',
+            path: '/v1/impersonations',
+            handler: (req) => this.postImpersonation(req),
+            auth: { type: 'strict', req: 'any' }
+        }, {
+            method: 'delete',
+            path: '/v1/impersonations',
+            handler: (req) => this.deleteImpersonation(req),
+            auth: { type: 'strict', req: 'any' }
+        });
+        const passkeysSupported = this.hasPasskeyService() &&
+            this.storageImplements('createPasskeyChallenge') &&
+            this.storageImplements('verifyPasskeyResponse');
+        const passkeyCredentialsSupported = passkeysSupported &&
+            this.storageImplements('listUserCredentials') &&
+            this.storageImplements('deletePasskeyCredential');
         if (passkeysSupported) {
             routes.push({
                 method: 'post',
@@ -994,6 +1149,19 @@ class AuthModule extends module_js_1.BaseAuthModule {
                 handler: (req) => this.postPasskeyVerify(req),
                 auth: { type: 'none', req: 'any' }
             });
+            if (passkeyCredentialsSupported) {
+                routes.push({
+                    method: 'get',
+                    path: '/v1/passkeys',
+                    handler: (req) => this.getPasskeys(req),
+                    auth: { type: 'strict', req: 'any' }
+                }, {
+                    method: 'delete',
+                    path: '/v1/passkeys/:credentialId?',
+                    handler: (req) => this.deletePasskey(req),
+                    auth: { type: 'strict', req: 'any' }
+                });
+            }
         }
         const externalOAuthSupported = typeof this.server.initiateOAuth === 'function' && typeof this.server.completeOAuth === 'function';
         if (externalOAuthSupported) {
@@ -1009,9 +1177,10 @@ class AuthModule extends module_js_1.BaseAuthModule {
                 auth: { type: 'none', req: 'any' }
             });
         }
-        const oauthStorageSupported = typeof storage.getClient === 'function' &&
-            typeof storage.createAuthCode === 'function' &&
-            typeof storage.consumeAuthCode === 'function';
+        const oauthStorageSupported = this.hasOAuthStore() &&
+            this.storageImplements('getClient') &&
+            this.storageImplements('createAuthCode') &&
+            this.storageImplements('consumeAuthCode');
         if (oauthStorageSupported) {
             routes.push({
                 method: 'post',

package/dist/cjs/auth-api/compat-auth-storage.d.ts CHANGED Viewed

@@ -1,9 +1,9 @@
 import { PasskeyService } from '../passkey/service.js';
-import type { AuthIdentifier, AuthStorage } from './types.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
 import type { OAuthStore } from '../oauth/base.js';
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
 import type { PasskeyStore } from '../passkey/base.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, StoredPasskeyCredential, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
 import type { TokenStore } from '../token/base.js';
 import type { Token } from '../token/types.js';
 import type { UserStore } from '../user/base.js';
@@ -11,7 +11,7 @@ interface PasskeyAdapterOptions {
     store: PasskeyStore;
     config: PasskeyServiceConfig;
 }
-export interface AuthStorageAdapterOptions<UserRow, PublicUser> {
+export interface AuthAdapterOptions<UserRow, PublicUser> {
     userStore: UserStore<UserRow, PublicUser>;
     tokenStore: TokenStore;
     passkeys?: PasskeyAdapterOptions | PasskeyService;
@@ -21,13 +21,13 @@ export interface AuthStorageAdapterOptions<UserRow, PublicUser> {
         effectiveUserId: AuthIdentifier;
     }) => boolean | Promise<boolean>;
 }
-export declare class AuthStorageAdapter<UserRow, PublicUser> implements AuthStorage<UserRow, PublicUser> {
+export declare class CompositeAuthAdapter<UserRow, PublicUser> implements AuthAdapter<UserRow, PublicUser> {
     private readonly userStore;
     private readonly tokenStore;
     private readonly oauthStore?;
     private readonly passkeyService?;
     private readonly canImpersonateFn?;
-    constructor(options: AuthStorageAdapterOptions<UserRow, PublicUser>);
+    constructor(options: AuthAdapterOptions<UserRow, PublicUser>);
     getUser(identifier: AuthIdentifier): Promise<UserRow | null>;
     getUserPasswordHash(user: UserRow): string;
     getUserId(user: UserRow): AuthIdentifier;
@@ -43,6 +43,8 @@ export declare class AuthStorageAdapter<UserRow, PublicUser> implements AuthStor
     }): Promise<boolean>;
     createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
     getClient(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;

package/dist/cjs/auth-api/compat-auth-storage.js CHANGED Viewed

@@ -1,9 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuthStorageAdapter = void 0;
+exports.CompositeAuthAdapter = void 0;
 const node_crypto_1 = require("node:crypto");
 const service_js_1 = require("../passkey/service.js");
-class AuthStorageAdapter {
+class CompositeAuthAdapter {
     constructor(options) {
         this.userStore = options.userStore;
         this.tokenStore = options.tokenStore;
@@ -55,6 +55,18 @@ class AuthStorageAdapter {
         }
         return this.passkeyService.verifyResponse(params);
     }
+    async listUserCredentials(userId) {
+        if (!this.passkeyService) {
+            throw new Error('Passkey storage is not configured');
+        }
+        return this.passkeyService.listUserCredentials(userId);
+    }
+    async deletePasskeyCredential(credentialId) {
+        if (!this.passkeyService) {
+            throw new Error('Passkey storage is not configured');
+        }
+        return this.passkeyService.deleteCredential(credentialId);
+    }
     async getClient(clientId) {
         if (!this.oauthStore) {
             return null;
@@ -113,4 +125,4 @@ class AuthStorageAdapter {
         return params.realUserId === params.effectiveUserId;
     }
 }
-exports.AuthStorageAdapter = AuthStorageAdapter;
+exports.CompositeAuthAdapter = CompositeAuthAdapter;

package/dist/cjs/auth-api/mem-auth-store.d.ts CHANGED Viewed

@@ -2,11 +2,11 @@ import { MemoryOAuthStore } from '../oauth/memory.js';
 import { MemoryPasskeyStore } from '../passkey/memory.js';
 import { TokenStore } from '../token/base.js';
 import { MemoryUserStore } from '../user/memory.js';
-import type { AuthIdentifier, AuthStorage } from './types.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
 import type { MemoryOAuthStoreOptions } from '../oauth/memory.js';
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
 import type { MemoryPasskeyStoreOptions } from '../passkey/memory.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyUserDescriptor, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyUserDescriptor, StoredPasskeyCredential, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
 import type { Token } from '../token/types.js';
 import type { MemoryUserAttributes, MemoryPublicUser, MemoryUserStoreOptions } from '../user/memory.js';
 interface PasskeyOptions extends Partial<PasskeyServiceConfig> {
@@ -24,7 +24,7 @@ export interface MemAuthStoreParams<UserAttributes extends MemoryUserAttributes
     }) => boolean | Promise<boolean>;
     tokenStore?: TokenStore;
 }
-export declare class MemAuthStore<UserAttributes extends MemoryUserAttributes = MemoryUserAttributes, PublicUserShape extends MemoryPublicUser<UserAttributes> = MemoryPublicUser<UserAttributes>> implements AuthStorage<UserAttributes, PublicUserShape> {
+export declare class MemAuthStore<UserAttributes extends MemoryUserAttributes = MemoryUserAttributes, PublicUserShape extends MemoryPublicUser<UserAttributes> = MemoryPublicUser<UserAttributes>> implements AuthAdapter<UserAttributes, PublicUserShape> {
     readonly userStore: MemoryUserStore<UserAttributes, PublicUserShape>;
     readonly tokenStore: TokenStore;
     readonly passkeyStore?: MemoryPasskeyStore;
@@ -54,6 +54,8 @@ export declare class MemAuthStore<UserAttributes extends MemoryUserAttributes =
     }): Promise<boolean>;
     createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
     getClient(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;

package/dist/cjs/auth-api/mem-auth-store.js CHANGED Viewed

@@ -59,7 +59,7 @@ class MemAuthStore {
             passkeyStore = new memory_js_2.MemoryPasskeyStore({ resolveUser });
             this.passkeyStore = passkeyStore;
         }
-        this.adapter = new compat_auth_storage_js_1.AuthStorageAdapter({
+        this.adapter = new compat_auth_storage_js_1.CompositeAuthAdapter({
             userStore: this.userStore,
             tokenStore: this.tokenStore,
             passkeys: passkeyStore && passkeyConfig ? { store: passkeyStore, config: passkeyConfig } : undefined,
@@ -116,6 +116,12 @@ class MemAuthStore {
     async verifyPasskeyResponse(params) {
         return this.adapter.verifyPasskeyResponse(params);
     }
+    async listUserCredentials(userId) {
+        return this.adapter.listUserCredentials(userId);
+    }
+    async deletePasskeyCredential(credentialId) {
+        return this.adapter.deletePasskeyCredential(credentialId);
+    }
     async getClient(clientId) {
         return this.adapter.getClient(clientId);
     }

package/dist/cjs/auth-api/sql-auth-store.d.ts CHANGED Viewed

@@ -3,9 +3,9 @@ import { SequelizeOAuthStore, type SequelizeOAuthStoreOptions } from '../oauth/s
 import { SequelizePasskeyStore } from '../passkey/sequelize.js';
 import { type SequelizeTokenStoreOptions } from '../token/sequelize.js';
 import { SequelizeUserStore, type AuthUserAttributes, GenericUserModel, GenericUserModelStatic } from '../user/sequelize.js';
-import type { AuthIdentifier, AuthStorage } from './types.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyUserDescriptor, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyUserDescriptor, StoredPasskeyCredential, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
 import type { TokenStore } from '../token/base.js';
 import type { Token } from '../token/types.js';
 interface PasskeyOptions extends Partial<PasskeyServiceConfig> {
@@ -30,7 +30,7 @@ export interface SqlAuthStoreParams<UserAttributes extends AuthUserAttributes =
     tokenStoreOptions?: Omit<SequelizeTokenStoreOptions, 'sequelize'>;
     oauthStoreOptions?: Omit<SequelizeOAuthStoreOptions, 'sequelize'>;
 }
-export declare class SqlAuthStore<UserAttributes extends AuthUserAttributes = AuthUserAttributes, PublicUserShape extends Omit<UserAttributes, 'password'> = Omit<UserAttributes, 'password'>> implements AuthStorage<UserAttributes, PublicUserShape> {
+export declare class SqlAuthStore<UserAttributes extends AuthUserAttributes = AuthUserAttributes, PublicUserShape extends Omit<UserAttributes, 'password'> = Omit<UserAttributes, 'password'>> implements AuthAdapter<UserAttributes, PublicUserShape> {
     readonly userStore: SequelizeUserStore<UserAttributes, PublicUserShape>;
     readonly tokenStore: TokenStore;
     readonly passkeyStore?: SequelizePasskeyStore;
@@ -63,6 +63,8 @@ export declare class SqlAuthStore<UserAttributes extends AuthUserAttributes = Au
     }): Promise<boolean>;
     createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
     getClient(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;

package/dist/cjs/auth-api/sql-auth-store.js CHANGED Viewed

@@ -72,7 +72,7 @@ class SqlAuthStore {
             passkeyStore = new sequelize_js_2.SequelizePasskeyStore({ sequelize: this.sequelize, resolveUser });
             this.passkeyStore = passkeyStore;
         }
-        this.adapter = new compat_auth_storage_js_1.AuthStorageAdapter({
+        this.adapter = new compat_auth_storage_js_1.CompositeAuthAdapter({
             userStore: this.userStore,
             tokenStore: this.tokenStore,
             passkeys: passkeyStore && passkeyConfig ? { store: passkeyStore, config: passkeyConfig } : undefined,
@@ -147,6 +147,12 @@ class SqlAuthStore {
     async verifyPasskeyResponse(params) {
         return this.adapter.verifyPasskeyResponse(params);
     }
+    async listUserCredentials(userId) {
+        return this.adapter.listUserCredentials(userId);
+    }
+    async deletePasskeyCredential(credentialId) {
+        return this.adapter.deletePasskeyCredential(credentialId);
+    }
     async getClient(clientId) {
         return this.adapter.getClient(clientId);
     }

package/dist/cjs/auth-api/storage.d.ts CHANGED Viewed

@@ -1,8 +1,8 @@
-import type { AuthIdentifier, AuthStorage } from './types.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult, StoredPasskeyCredential } from '../passkey/types.js';
 import type { Token } from '../token/types.js';
-export declare class BaseAuthStorage<UserRow = unknown, SafeUser = unknown> implements AuthStorage<UserRow, SafeUser> {
+export declare class BaseAuthAdapter<UserRow = unknown, SafeUser = unknown> implements AuthAdapter<UserRow, SafeUser> {
     getUser(identifier: AuthIdentifier): Promise<UserRow | null>;
     getUserPasswordHash(user: UserRow): string;
     getUserId(user: UserRow): AuthIdentifier;
@@ -24,6 +24,8 @@ export declare class BaseAuthStorage<UserRow = unknown, SafeUser = unknown> impl
     }): Promise<boolean>;
     createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
     getClient(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;
@@ -33,4 +35,4 @@ export declare class BaseAuthStorage<UserRow = unknown, SafeUser = unknown> impl
         effectiveUserId: AuthIdentifier;
     }): Promise<boolean>;
 }
-export declare const nullAuthStorage: AuthStorage<unknown, unknown>;
+export declare const nullAuthAdapter: AuthAdapter<unknown, unknown>;

package/dist/cjs/auth-api/storage.js CHANGED Viewed

@@ -1,9 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.nullAuthStorage = exports.BaseAuthStorage = void 0;
-// Handy base you can extend when wiring a real storage adapter. Every method
+exports.nullAuthAdapter = exports.BaseAuthAdapter = void 0;
+// Handy base you can extend when wiring a real auth adapter. Every method
 // throws by default so unimplemented hooks fail loudly.
-class BaseAuthStorage {
+class BaseAuthAdapter {
     // Override to load a user record by identifier
     async getUser(identifier) {
         void identifier;
@@ -60,6 +60,16 @@ class BaseAuthStorage {
         void params;
         throw new Error('Auth storage not configured');
     }
+    // Override to list passkey credentials for a user
+    async listUserCredentials(userId) {
+        void userId;
+        throw new Error('Auth storage not configured');
+    }
+    // Override to delete a passkey credential
+    async deletePasskeyCredential(credentialId) {
+        void credentialId;
+        throw new Error('Auth storage not configured');
+    }
     // Override to fetch an OAuth client by identifier
     async getClient(clientId) {
         void clientId;
@@ -88,5 +98,5 @@ class BaseAuthStorage {
         return false;
     }
 }
-exports.BaseAuthStorage = BaseAuthStorage;
-exports.nullAuthStorage = new BaseAuthStorage();
+exports.BaseAuthAdapter = BaseAuthAdapter;
+exports.nullAuthAdapter = new BaseAuthAdapter();

package/dist/cjs/auth-api/types.d.ts CHANGED Viewed

@@ -1,8 +1,9 @@
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult, StoredPasskeyCredential } from '../passkey/types.js';
 import type { Token } from '../token/types.js';
 export type AuthIdentifier = string | number;
-export interface AuthStorage<UserRow, SafeUser> {
+/** @internal */
+export interface AuthAdapter<UserRow, SafeUser> {
     getUser(identifier: AuthIdentifier): Promise<UserRow | null>;
     getUserPasswordHash(user: UserRow): string;
     getUserId(user: UserRow): AuthIdentifier;
@@ -18,6 +19,8 @@ export interface AuthStorage<UserRow, SafeUser> {
     }): Promise<boolean>;
     createPasskeyChallenge?(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse?(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials?(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential?(credentialId: Buffer | string): Promise<boolean>;
     getClient?(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret?(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode?(request: AuthCodeRequest): Promise<AuthCodeData>;
@@ -27,3 +30,5 @@ export interface AuthStorage<UserRow, SafeUser> {
         effectiveUserId: AuthIdentifier;
     }): Promise<boolean>;
 }
+/** @internal */
+export type AuthStorage<UserRow, SafeUser> = AuthAdapter<UserRow, SafeUser>;

package/dist/cjs/index.cjs CHANGED Viewed

@@ -3,7 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.SequelizeOAuthStore = exports.MemoryOAuthStore = exports.OAuthStore = exports.SequelizePasskeyStore = exports.MemoryPasskeyStore = exports.PasskeyStore = exports.PasskeyService = exports.SequelizeTokenStore = exports.MemoryTokenStore = exports.TokenStore = exports.SequelizeUserStore = exports.MemoryUserStore = exports.UserStore = exports.AuthModule = exports.SqlAuthStore = exports.MemAuthStore = exports.AuthStorageAdapter = exports.BaseAuthModule = exports.nullAuthModule = exports.BaseAuthStorage = exports.nullAuthStorage = exports.ApiModule = exports.ApiError = exports.ApiServer = void 0;
+exports.SequelizeOAuthStore = exports.MemoryOAuthStore = exports.OAuthStore = exports.SequelizePasskeyStore = exports.MemoryPasskeyStore = exports.PasskeyStore = exports.PasskeyService = exports.SequelizeTokenStore = exports.MemoryTokenStore = exports.TokenStore = exports.SequelizeUserStore = exports.MemoryUserStore = exports.UserStore = exports.AuthModule = exports.SqlAuthStore = exports.MemAuthStore = exports.CompositeAuthAdapter = exports.BaseAuthModule = exports.nullAuthModule = exports.BaseAuthAdapter = exports.nullAuthAdapter = exports.ApiModule = exports.ApiError = exports.ApiServer = void 0;
 var api_server_base_js_1 = require("./api-server-base.cjs");
 Object.defineProperty(exports, "ApiServer", { enumerable: true, get: function () { return __importDefault(api_server_base_js_1).default; } });
 var api_server_base_js_2 = require("./api-server-base.cjs");
@@ -11,13 +11,13 @@ Object.defineProperty(exports, "ApiError", { enumerable: true, get: function ()
 var api_module_js_1 = require("./api-module.cjs");
 Object.defineProperty(exports, "ApiModule", { enumerable: true, get: function () { return api_module_js_1.ApiModule; } });
 var storage_js_1 = require("./auth-api/storage.js");
-Object.defineProperty(exports, "nullAuthStorage", { enumerable: true, get: function () { return storage_js_1.nullAuthStorage; } });
-Object.defineProperty(exports, "BaseAuthStorage", { enumerable: true, get: function () { return storage_js_1.BaseAuthStorage; } });
+Object.defineProperty(exports, "nullAuthAdapter", { enumerable: true, get: function () { return storage_js_1.nullAuthAdapter; } });
+Object.defineProperty(exports, "BaseAuthAdapter", { enumerable: true, get: function () { return storage_js_1.BaseAuthAdapter; } });
 var module_js_1 = require("./auth-api/module.js");
 Object.defineProperty(exports, "nullAuthModule", { enumerable: true, get: function () { return module_js_1.nullAuthModule; } });
 Object.defineProperty(exports, "BaseAuthModule", { enumerable: true, get: function () { return module_js_1.BaseAuthModule; } });
 var compat_auth_storage_js_1 = require("./auth-api/compat-auth-storage.js");
-Object.defineProperty(exports, "AuthStorageAdapter", { enumerable: true, get: function () { return compat_auth_storage_js_1.AuthStorageAdapter; } });
+Object.defineProperty(exports, "CompositeAuthAdapter", { enumerable: true, get: function () { return compat_auth_storage_js_1.CompositeAuthAdapter; } });
 var mem_auth_store_js_1 = require("./auth-api/mem-auth-store.js");
 Object.defineProperty(exports, "MemAuthStore", { enumerable: true, get: function () { return mem_auth_store_js_1.MemAuthStore; } });
 var sql_auth_store_js_1 = require("./auth-api/sql-auth-store.js");