@technomoron/api-server-base 2.0.0-beta.1 → 2.0.0-beta.11

package/dist/cjs/index.d.ts

@@ -1,15 +1,15 @@
 export { default as ApiServer } from './api-server-base.js';
 export { ApiError } from './api-server-base.js';
 export { ApiModule } from './api-module.js';
-export type { ApiErrorParams, ApiHandler, ApiKey, ApiServerConf, ApiRequest, ApiRoute, ApiAuthType, ApiAuthClass, ApiTokenData, ExtendedReq } from './api-server-base.js';
-export type { AuthIdentifier, AuthStorage } from './auth-api/types.js';
+export type { ApiErrorParams, ApiHandler, ApiKey, ApiServerConf, ApiRequest, ApiRoute, ApiAuthType, ApiAuthClass, ApiTokenData, ExtendedReq, ExpressApiRequest, ExpressApiLocals } from './api-server-base.js';
+export type { AuthIdentifier } from './auth-api/types.js';
 export type { Token, TokenPair, TokenStatus } from './token/types.js';
 export type { JwtSignResult, JwtVerifyResult, JwtDecodeResult } from './token/base.js';
 export type { OAuthClient, AuthCodeData, AuthCodeRequest } from './oauth/types.js';
 export type { AuthProviderModule } from './auth-api/module.js';
-export { nullAuthStorage, BaseAuthStorage } from './auth-api/storage.js';
+export { nullAuthAdapter, BaseAuthAdapter } from './auth-api/storage.js';
 export { nullAuthModule, BaseAuthModule } from './auth-api/module.js';
-export { AuthStorageAdapter } from './auth-api/compat-auth-storage.js';
+export { CompositeAuthAdapter } from './auth-api/compat-auth-storage.js';
 export { MemAuthStore } from './auth-api/mem-auth-store.js';
 export { SqlAuthStore } from './auth-api/sql-auth-store.js';
 export { default as AuthModule } from './auth-api/auth-module.js';

package/dist/cjs/oauth/sequelize.js

@@ -126,7 +126,7 @@ class SequelizeOAuthStore extends base_js_1.OAuthStore {
         const existing = await this.clients.findByPk(input.clientId);
         const hashedSecret = input.clientSecret !== undefined && input.clientSecret !== null
             ? await bcryptjs_1.default.hash(input.clientSecret, this.bcryptRounds)
-            : existing?.client_secret ?? '';
+            : (existing?.client_secret ?? '');
         const redirectUris = input.redirectUris ?? (existing ? decodeStringArray(existing.redirect_uris) : undefined);
         const scope = input.scope ?? (existing ? decodeStringArray(existing.scope) : undefined);
         const metadata = input.metadata ?? (existing ? parseMetadata(existing.metadata) : undefined);

package/dist/cjs/passkey/base.d.ts

@@ -6,6 +6,7 @@ export declare abstract class PasskeyStore implements PasskeyStorageAdapter {
         login?: string;
     }): Promise<PasskeyUserDescriptor | null>;
     abstract listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    abstract deleteCredential(credentialId: Buffer | string): Promise<boolean>;
     abstract findCredentialById(credentialId: Buffer): Promise<StoredPasskeyCredential | null>;
     abstract saveCredential(record: StoredPasskeyCredential): Promise<void>;
     abstract updateCredentialCounter(credentialId: Buffer, counter: number): Promise<void>;

package/dist/cjs/passkey/memory.d.ts

@@ -17,6 +17,7 @@ export declare class MemoryPasskeyStore extends PasskeyStore {
         login?: string;
     }): Promise<PasskeyUserDescriptor | null>;
     listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deleteCredential(credentialId: Buffer | string): Promise<boolean>;
     findCredentialById(credentialId: Buffer): Promise<StoredPasskeyCredential | null>;
     saveCredential(record: StoredPasskeyCredential): Promise<void>;
     updateCredentialCounter(credentialId: Buffer, counter: number): Promise<void>;

package/dist/cjs/passkey/memory.js

@@ -37,6 +37,10 @@ class MemoryPasskeyStore extends base_js_1.PasskeyStore {
             .filter((record) => normalizeUserId(record.userId) === normalizedUserId)
             .map((record) => cloneCredential(record));
     }
+    async deleteCredential(credentialId) {
+        const key = encodeCredentialId(credentialId);
+        return this.credentials.delete(key);
+    }
     async findCredentialById(credentialId) {
         const record = this.credentials.get(encodeCredentialId(credentialId));
         return record ? cloneCredential(record) : null;

package/dist/cjs/passkey/sequelize.d.ts

@@ -44,6 +44,7 @@ export declare class SequelizePasskeyStore extends PasskeyStore {
         login?: string;
     }): Promise<PasskeyUserDescriptor | null>;
     listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deleteCredential(credentialId: Buffer | string): Promise<boolean>;
     findCredentialById(credentialId: Buffer): Promise<StoredPasskeyCredential | null>;
     saveCredential(record: StoredPasskeyCredential): Promise<void>;
     updateCredentialCounter(credentialId: Buffer, counter: number): Promise<void>;

package/dist/cjs/passkey/sequelize.js

@@ -147,9 +147,16 @@ class SequelizePasskeyStore extends base_js_1.PasskeyStore {
             counter: model.counter,
             transports: (model.transports ?? undefined),
             backedUp: model.backedUp,
-            deviceType: model.deviceType
+            deviceType: model.deviceType,
+            createdAt: model.createdAt ?? undefined,
+            updatedAt: model.updatedAt ?? undefined
         }));
     }
+    async deleteCredential(credentialId) {
+        const encoded = Buffer.isBuffer(credentialId) ? credentialId.toString('base64') : credentialId;
+        const deleted = await this.credentials.destroy({ where: { credentialId: encoded } });
+        return deleted > 0;
+    }
     async findCredentialById(credentialId) {
         const model = await this.credentials.findByPk(encodeCredentialId(credentialId));
         if (!model) {
@@ -162,7 +169,9 @@ class SequelizePasskeyStore extends base_js_1.PasskeyStore {
             counter: model.counter,
             transports: (model.transports ?? undefined),
             backedUp: model.backedUp,
-            deviceType: model.deviceType
+            deviceType: model.deviceType,
+            createdAt: model.createdAt ?? undefined,
+            updatedAt: model.updatedAt ?? undefined
         };
     }
     async saveCredential(record) {

package/dist/cjs/passkey/service.d.ts

@@ -1,11 +1,14 @@
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyStorageAdapter, PasskeyVerificationParams, PasskeyVerificationResult, PasskeyServiceConfig } from './types.js';
-export type { CredentialDeviceType, PasskeyChallenge, PasskeyChallengeParams, PasskeyChallengeRecord, PasskeyChallengeMetadata, PasskeyUserDescriptor, PasskeyVerificationParams, PasskeyVerificationResult, PasskeyServiceConfig, PasskeyStorageAdapter } from './types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyStorageAdapter, PasskeyVerificationParams, PasskeyVerificationResult, PasskeyServiceConfig, StoredPasskeyCredential } from './types.js';
+import type { AuthIdentifier } from '../auth-api/types.js';
+export type { CredentialDeviceType, PasskeyChallenge, PasskeyChallengeParams, PasskeyChallengeRecord, PasskeyChallengeMetadata, PasskeyUserDescriptor, PasskeyVerificationParams, PasskeyVerificationResult, PasskeyServiceConfig, PasskeyStorageAdapter, StoredPasskeyCredential } from './types.js';
 type Logger = Pick<typeof console, 'error' | 'warn'>;
 export declare class PasskeyService {
     private readonly config;
     private readonly adapter;
     private readonly logger;
     constructor(config: PasskeyServiceConfig, adapter: PasskeyStorageAdapter, logger?: Logger);
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deleteCredential(credentialId: Buffer | string): Promise<boolean>;
     createChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
     private createRegistrationChallenge;

package/dist/cjs/passkey/service.js

@@ -1,4 +1,37 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.PasskeyService = void 0;
 const server_1 = require("@simplewebauthn/server");
@@ -34,12 +67,64 @@ function toBuffer(value) {
     const view = value instanceof Uint8Array ? value : new Uint8Array(value);
     return Buffer.from(view);
 }
+function toBufferOrNull(value) {
+    if (!value) {
+        return null;
+    }
+    if (Buffer.isBuffer(value)) {
+        return value;
+    }
+    if (value instanceof ArrayBuffer || value instanceof Uint8Array) {
+        return toBuffer(value);
+    }
+    if (typeof value === 'string') {
+        try {
+            return fromBase64Url(value);
+        }
+        catch {
+            return null;
+        }
+    }
+    return null;
+}
+async function spkiToCosePublicKey(spki) {
+    try {
+        const subtle = globalThis.crypto?.subtle ?? (await Promise.resolve().then(() => __importStar(require('crypto')))).webcrypto?.subtle;
+        if (!subtle) {
+            return null;
+        }
+        const key = await subtle.importKey('spki', spki, { name: 'ECDSA', namedCurve: 'P-256' }, true, ['verify']);
+        const raw = Buffer.from(await subtle.exportKey('raw', key));
+        if (raw.length !== 65 || raw[0] !== 0x04) {
+            return null;
+        }
+        const x = raw.slice(1, 33);
+        const y = raw.slice(33, 65);
+        const coseMap = new Map([
+            [1, 2], // kty: EC2
+            [3, -7], // alg: ES256
+            [-1, 1], // crv: P-256
+            [-2, x],
+            [-3, y]
+        ]);
+        return Buffer.from(helpers_1.isoCBOR.encode(coseMap));
+    }
+    catch {
+        return null;
+    }
+}
 class PasskeyService {
     constructor(config, adapter, logger = console) {
         this.config = config;
         this.adapter = adapter;
         this.logger = logger;
     }
+    async listUserCredentials(userId) {
+        return this.adapter.listUserCredentials(userId);
+    }
+    async deleteCredential(credentialId) {
+        return this.adapter.deleteCredential(credentialId);
+    }
     async createChallenge(params) {
         await this.adapter.cleanupChallenges?.(new Date());
         const metadata = {
@@ -107,7 +192,8 @@ class PasskeyService {
         return {
             challenge: options.challenge,
             expiresAt: expiresAt.toISOString(),
-            userId: user.id
+            userId: user.id,
+            publicKey: options
         };
     }
     async createAuthenticationChallenge(params, metadata) {
@@ -136,7 +222,8 @@ class PasskeyService {
         return {
             challenge: options.challenge,
             expiresAt: expiresAt.toISOString(),
-            userId: user.id
+            userId: user.id,
+            publicKey: options
         };
     }
     async verifyRegistration(params, record) {
@@ -155,14 +242,57 @@ class PasskeyService {
             requireUserVerification: true
         });
         if (!result.verified || !result.registrationInfo) {
+            if (!result.verified) {
+                const err = result.error ?? result;
+                this.logger.error?.('Passkey registration verification failed', err);
+            }
             return { verified: false };
         }
         const registrationInfo = result.registrationInfo;
+        const attestationResponse = params.response?.response;
+        const credentialIdPrimary = toBufferOrNull(registrationInfo.credentialID);
+        const credentialIdFallback = toBufferOrNull(params.response?.id);
+        const credentialId = credentialIdPrimary && credentialIdPrimary.length > 0 ? credentialIdPrimary : credentialIdFallback;
+        const publicKeyPrimary = toBufferOrNull(registrationInfo.credentialPublicKey);
+        let publicKeyFallback = toBufferOrNull(attestationResponse?.publicKey);
+        if ((!publicKeyPrimary || publicKeyPrimary.length === 0) && attestationResponse?.attestationObject) {
+            try {
+                const attObj = (0, helpers_1.decodeAttestationObject)(helpers_1.isoBase64URL.toBuffer(attestationResponse.attestationObject));
+                const parsedAuth = (0, helpers_1.parseAuthenticatorData)(attObj.get('authData'));
+                publicKeyFallback = toBufferOrNull(parsedAuth.credentialPublicKey) ?? publicKeyFallback;
+            }
+            catch (error) {
+                this.logger.warn?.('Passkey registration: failed to parse attestationObject', error);
+            }
+        }
+        const publicKey = publicKeyPrimary && publicKeyPrimary.length > 0 ? publicKeyPrimary : publicKeyFallback;
+        if (this.logger?.warn) {
+            const pkPrimaryHex = publicKeyPrimary ? publicKeyPrimary.slice(0, 4).toString('hex') : 'null';
+            const pkFallbackHex = publicKeyFallback ? publicKeyFallback.slice(0, 4).toString('hex') : 'null';
+            this.logger.warn(`Passkey registration: pkPrimary len=${publicKeyPrimary?.length ?? 0} head=${pkPrimaryHex}, pkFallback len=${publicKeyFallback?.length ?? 0} head=${pkFallbackHex}`);
+        }
+        if (!credentialId || credentialId.length === 0) {
+            return { verified: false, message: 'Missing credential id in registration response' };
+        }
+        if (!publicKey || publicKey.length === 0) {
+            return { verified: false, message: 'Missing public key in registration response' };
+        }
+        let storedPublicKey = Buffer.isBuffer(publicKey) ? publicKey : toBuffer(publicKey);
+        // If fallback is an SPKI key (DER, starts with 0x30) convert to COSE so verification succeeds.
+        if (storedPublicKey[0] === 0x30) {
+            const converted = await spkiToCosePublicKey(storedPublicKey);
+            if (converted) {
+                storedPublicKey = converted;
+            }
+            else {
+                this.logger.warn?.('Passkey registration: failed to convert SPKI public key to COSE');
+            }
+        }
         await this.adapter.saveCredential({
             userId: user.id,
-            credentialId: toBuffer(registrationInfo.credentialID),
-            publicKey: toBuffer(registrationInfo.credentialPublicKey),
-            counter: registrationInfo.counter,
+            credentialId,
+            publicKey: storedPublicKey,
+            counter: registrationInfo.counter ?? 0,
             transports: sanitizeTransports(params.response.transports),
             backedUp: registrationInfo.credentialDeviceType === 'multiDevice',
             deviceType: registrationInfo.credentialDeviceType
@@ -182,22 +312,27 @@ class PasskeyService {
         }
         const user = await this.requireUser({ userId: credential.userId, login: record.login });
         const storedAuthData = {
-            credentialID: credential.credentialId,
+            id: credential.credentialId,
+            publicKey: toBuffer(credential.publicKey),
+            credentialPublicKey: toBuffer(credential.publicKey),
             counter: credential.counter,
+            transports: credential.transports ?? undefined,
             credentialBackedUp: credential.backedUp,
-            credentialDeviceType: credential.deviceType,
-            credentialPublicKey: credential.publicKey,
-            transports: credential.transports ?? undefined
+            credentialDeviceType: credential.deviceType
+            // simplewebauthn accepts either Uint8Array or Buffer; ensure Buffer
+            // see https://github.com/MasterKale/SimpleWebAuthn/blob/master/packages/server/src/authentication/verifyAuthenticationResponse.ts
         };
         const result = await (0, server_1.verifyAuthenticationResponse)({
             response,
             expectedChallenge: record.challenge,
             expectedOrigin: this.config.origins,
             expectedRPID: this.config.rpId,
-            authenticator: storedAuthData,
+            credential: storedAuthData,
             requireUserVerification: true
         });
         if (!result.verified) {
+            const err = result.error ?? result;
+            this.logger.error?.('Passkey authentication verification failed', err);
             return { verified: false };
         }
         await this.adapter.updateCredentialCounter(credential.credentialId, result.authenticationInfo.newCounter);

package/dist/cjs/passkey/types.d.ts

@@ -36,6 +36,8 @@ export interface StoredPasskeyCredential {
     transports?: AuthenticatorTransportFuture[];
     backedUp: boolean;
     deviceType: CredentialDeviceType;
+    createdAt?: Date;
+    updatedAt?: Date;
 }
 export interface PasskeyStorageAdapter {
     resolveUser(params: {
@@ -43,6 +45,7 @@ export interface PasskeyStorageAdapter {
         login?: string;
     }): Promise<PasskeyUserDescriptor | null>;
     listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deleteCredential(credentialId: Buffer | string): Promise<boolean>;
     findCredentialById(credentialId: Buffer): Promise<StoredPasskeyCredential | null>;
     saveCredential(record: StoredPasskeyCredential): Promise<void>;
     updateCredentialCounter(credentialId: Buffer, counter: number): Promise<void>;

package/dist/cjs/user/base.js

@@ -35,7 +35,8 @@ class UserStore {
     toPublic(user) {
         const mapped = this.toPublicUser(user);
         if (mapped && typeof mapped === 'object') {
-            const { password, ...rest } = mapped;
+            const { password: _password, ...rest } = mapped;
+            void _password;
             return rest;
         }
         return mapped;

package/dist/esm/api-server-base.d.ts

@@ -4,16 +4,16 @@
  * This source code is licensed under the MIT license found in the
  * LICENSE file in the root directory of this source tree.
  */
-import { Application, Request, Response } from 'express';
+import { Application, Request, Response, type ErrorRequestHandler, type RequestHandler } from 'express';
 import { ApiModule } from './api-module.js';
 import { TokenStore, type JwtDecodeResult, type JwtSignResult, type JwtVerifyResult } from './token/base.js';
-import type { ApiAuthClass, ApiKey } from './api-module.js';
+import type { ApiAuthClass, ApiAuthType, ApiKey } from './api-module.js';
 import type { AuthProviderModule } from './auth-api/module.js';
-import type { AuthStorage, AuthIdentifier } from './auth-api/types.js';
+import type { AuthAdapter, AuthIdentifier } from './auth-api/types.js';
 import type { OAuthStore } from './oauth/base.js';
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from './oauth/types.js';
 import type { PasskeyService } from './passkey/service.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult } from './passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, StoredPasskeyCredential, PasskeyVerificationParams, PasskeyVerificationResult } from './passkey/types.js';
 import type { Token } from './token/types.js';
 import type { UserStore } from './user/base.js';
 import type { JwtPayload, SignOptions, VerifyOptions } from 'jsonwebtoken';
@@ -47,6 +47,12 @@ export interface ApiRequest {
     getRealUid: () => AuthIdentifier | null;
     isImpersonating: () => boolean;
 }
+export interface ExpressApiRequest extends ExtendedReq {
+    apiReq?: ApiRequest;
+}
+export interface ExpressApiLocals {
+    apiReq?: ApiRequest;
+}
 export interface ClientAgentProfile {
     ua: string;
     browser: string;
@@ -101,6 +107,7 @@ export interface ApiServerConf {
     devMode: boolean;
     hydrateGetBody: boolean;
     validateTokens: boolean;
+    refreshMaybe: boolean;
     apiVersion: string;
     minClientVersion: string;
     tokenStore?: TokenStore;
@@ -122,23 +129,25 @@ export declare class ApiServer {
     private canImpersonateAdapter;
     private readonly jwtHelper;
     constructor(config?: Partial<ApiServerConf>);
-    authStorage<UserRow, SafeUser>(storage: AuthStorage<UserRow, SafeUser>): this;
+    authStorage<UserRow, SafeUser>(storage: AuthAdapter<UserRow, SafeUser>): this;
     /**
      * @deprecated Use {@link ApiServer.authStorage} instead.
      */
-    useAuthStorage<UserRow, SafeUser>(storage: AuthStorage<UserRow, SafeUser>): this;
+    useAuthStorage<UserRow, SafeUser>(storage: AuthAdapter<UserRow, SafeUser>): this;
     authModule<UserRow>(module: AuthProviderModule<UserRow>): this;
     /**
      * @deprecated Use {@link ApiServer.authModule} instead.
      */
     useAuthModule<UserRow>(module: AuthProviderModule<UserRow>): this;
-    getAuthStorage(): AuthStorage<any, any>;
+    getAuthStorage(): AuthAdapter<any, any>;
     getAuthModule(): AuthProviderModule<any>;
     setTokenStore(store: TokenStore): this;
     getTokenStore(): TokenStore | null;
     private ensureUserStore;
     private ensureTokenStore;
     private ensurePasskeyService;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
     private ensureOAuthStore;
     getUser(identifier: AuthIdentifier): Promise<any | null>;
     getUserPasswordHash(user: any): string;
@@ -187,6 +196,9 @@ export declare class ApiServer {
     private describeMissingEndpoint;
     start(): this;
     private verifyJWT;
+    private jwtCookieOptions;
+    private setAccessCookie;
+    private tryRefreshAccessToken;
     private authenticate;
     private tryAuthenticateApiKey;
     private requiresAuthToken;
@@ -195,6 +207,14 @@ export declare class ApiServer {
     private normalizeAuthIdentifier;
     private extractTokenUserId;
     private resolveRealUserId;
+    useExpress(path: string, ...handlers: Array<RequestHandler | ErrorRequestHandler>): this;
+    useExpress(...handlers: Array<RequestHandler | ErrorRequestHandler>): this;
+    private createApiRequest;
+    expressAuth(auth: {
+        type: ApiAuthType;
+        req: ApiAuthClass;
+    }): RequestHandler;
+    expressErrorHandler(): ErrorRequestHandler;
     private handle_request;
     api<T extends ApiModule<any>>(module: T): this;
     dumpRequest(apiReq: ApiRequest): void;