@technomoron/api-server-base 2.0.0-beta.1 → 2.0.0-beta.11

package/dist/esm/auth-api/auth-module.js

@@ -1,6 +1,8 @@
-import { createHash } from 'node:crypto';
+import { createHash, randomUUID } from 'node:crypto';
+import { isoBase64URL } from '@simplewebauthn/server/helpers';
 import { ApiError } from '../api-server-base.js';
 import { BaseAuthModule } from './module.js';
+import { BaseAuthAdapter } from './storage.js';
 function isAuthIdentifier(value) {
     return typeof value === 'string' || typeof value === 'number';
 }
@@ -72,9 +74,21 @@ class AuthModule extends BaseAuthModule {
     }
     buildTokenMetadata(metadata = {}) {
         const scope = metadata.scope;
+        const domain = metadata.domain ?? this.defaultDomain ?? '';
+        let fingerprint = metadata.fingerprint ?? metadata.clientId ?? '';
+        if (typeof fingerprint === 'string') {
+            fingerprint = fingerprint.trim();
+        }
+        else {
+            fingerprint = '';
+        }
+        // Avoid every client sharing the empty-string fingerprint which collapses sessions into one bucket.
+        if (!fingerprint) {
+            fingerprint = `srv-${randomUUID()}`;
+        }
         return {
-            domain: metadata.domain ?? this.defaultDomain ?? '',
-            fingerprint: metadata.fingerprint ?? metadata.clientId ?? '',
+            domain,
+            fingerprint,
             label: metadata.label ?? (Array.isArray(scope) ? scope.join(' ') : typeof scope === 'string' ? scope : ''),
             clientId: metadata.clientId,
             ruid: metadata.ruid,
@@ -181,6 +195,44 @@ class AuthModule extends BaseAuthModule {
         }
         return prefs;
     }
+    validateCredentialId(apiReq) {
+        const paramId = toStringOrNull(apiReq.req.params?.credentialId);
+        const bodyId = toStringOrNull(apiReq.req.body?.credentialId);
+        const credentialId = paramId ?? bodyId;
+        if (!credentialId) {
+            throw new ApiError({ code: 400, message: 'credentialId is required' });
+        }
+        try {
+            isoBase64URL.toBuffer(credentialId);
+        }
+        catch {
+            throw new ApiError({ code: 400, message: 'Invalid credentialId' });
+        }
+        return credentialId;
+    }
+    normalizeCredentialId(value) {
+        if (Buffer.isBuffer(value)) {
+            return value;
+        }
+        try {
+            return Buffer.from(isoBase64URL.toBuffer(value));
+        }
+        catch {
+            try {
+                return Buffer.from(value, 'base64');
+            }
+            catch {
+                return Buffer.from(value);
+            }
+        }
+    }
+    toIsoDate(value) {
+        if (!value) {
+            return undefined;
+        }
+        const date = value instanceof Date ? value : new Date(value);
+        return Number.isNaN(date.getTime()) ? undefined : date.toISOString();
+    }
     cookieOptions(apiReq) {
         const conf = this.server.config;
         const forwarded = apiReq.req.headers['x-forwarded-proto'];
@@ -511,7 +563,28 @@ class AuthModule extends BaseAuthModule {
                 : cookiePrefs.refreshTtlSeconds;
             this.setJwtCookies(apiReq, { accessToken: access.token, refreshToken }, { sessionCookie: cookiePrefs.sessionCookie ?? false, refreshTtlSeconds: refreshTtlForCookie });
         }
-        return [200, this.storage.filterUser(user)];
+        const tokenClaims = verify.data;
+        const effectiveUserId = this.storage.getUserId(user);
+        const effectiveId = String(effectiveUserId);
+        const rawRealId = stored.ruid ?? tokenClaims.ruid;
+        const normalizedRealId = rawRealId === undefined || rawRealId === null ? null : String(rawRealId).trim() || null;
+        const isImpersonating = normalizedRealId !== null && normalizedRealId !== effectiveId;
+        let realUser;
+        let realUserId;
+        if (isImpersonating && normalizedRealId !== null) {
+            const realUserEntity = await this.getUserOrThrow(normalizedRealId, 'Real user not found');
+            realUser = this.storage.filterUser(realUserEntity);
+            realUserId = this.storage.getUserId(realUserEntity);
+        }
+        return [
+            200,
+            {
+                user: this.storage.filterUser(user),
+                isImpersonating,
+                realUser,
+                realUserId
+            }
+        ];
     }
     async postPasskeyChallenge(apiReq) {
         if (typeof this.storage.createPasskeyChallenge !== 'function') {
@@ -596,6 +669,44 @@ class AuthModule extends BaseAuthModule {
         const publicUser = this.storage.filterUser(user);
         return [200, { ...tokens, user: publicUser }];
     }
+    async getPasskeys(apiReq) {
+        if (typeof this.storage.listUserCredentials !== 'function') {
+            throw new ApiError({ code: 501, message: 'Passkey credential listing is not configured' });
+        }
+        const { userId } = await this.resolveActorContext(apiReq);
+        const credentials = await this.storage.listUserCredentials(userId);
+        const safeCredentials = credentials.map((credential) => {
+            const bufferId = this.normalizeCredentialId(credential.credentialId);
+            return {
+                id: isoBase64URL.fromBuffer(new Uint8Array(bufferId)),
+                transports: credential.transports,
+                backedUp: credential.backedUp,
+                deviceType: credential.deviceType,
+                createdAt: this.toIsoDate(credential.createdAt),
+                updatedAt: this.toIsoDate(credential.updatedAt)
+            };
+        });
+        return [200, { credentials: safeCredentials }];
+    }
+    async deletePasskey(apiReq) {
+        if (typeof this.storage.listUserCredentials !== 'function' ||
+            typeof this.storage.deletePasskeyCredential !== 'function') {
+            throw new ApiError({ code: 501, message: 'Passkey credential management is not configured' });
+        }
+        const { userId } = await this.resolveActorContext(apiReq);
+        const credentialId = this.validateCredentialId(apiReq);
+        const bufferId = Buffer.from(isoBase64URL.toBuffer(credentialId));
+        const credentials = await this.storage.listUserCredentials(userId);
+        const owns = credentials.some((credential) => {
+            const candidateId = this.normalizeCredentialId(credential.credentialId);
+            return isoBase64URL.fromBuffer(new Uint8Array(candidateId)) === credentialId;
+        });
+        if (!owns) {
+            throw new ApiError({ code: 404, message: 'Passkey not found' });
+        }
+        const deleted = await this.storage.deletePasskeyCredential(bufferId);
+        return [200, { deleted }];
+    }
     async postImpersonation(apiReq) {
         this.assertAuthReady();
         const { targetIdentifier, metadata } = this.parseImpersonationRequest(apiReq);
@@ -939,47 +1050,91 @@ class AuthModule extends BaseAuthModule {
         }
         throw new ApiError({ code: 401, message: 'Authorization requires user authentication' });
     }
+    hasPasskeyService() {
+        const storageAny = this.storage;
+        if (storageAny.passkeyService || storageAny.passkeyStore) {
+            return true;
+        }
+        if (storageAny.adapter?.passkeyService || storageAny.adapter?.passkeyStore) {
+            return true;
+        }
+        const serverAny = this.server;
+        return !!serverAny.passkeyServiceAdapter;
+    }
+    hasOAuthStore() {
+        const storageAny = this.storage;
+        if (storageAny.oauthStore) {
+            return true;
+        }
+        if (storageAny.adapter?.oauthStore) {
+            return true;
+        }
+        const serverAny = this.server;
+        return !!serverAny.oauthStoreAdapter;
+    }
+    storageImplements(key) {
+        const candidate = this.storage[key];
+        if (typeof candidate !== 'function') {
+            return false;
+        }
+        const baseImpl = BaseAuthAdapter.prototype[key];
+        return candidate !== baseImpl;
+    }
+    storageImplementsAll(keys) {
+        return keys.every((key) => this.storageImplements(key));
+    }
     defineRoutes() {
-        const routes = [
-            {
-                method: 'post',
-                path: '/v1/login',
-                handler: (req) => this.postLogin(req),
-                auth: { type: 'none', req: 'any' }
-            },
-            {
-                method: 'post',
-                path: '/v1/refresh',
-                handler: (req) => this.postRefresh(req),
-                auth: { type: 'none', req: 'any' }
-            },
-            {
-                method: 'post',
-                path: '/v1/logout',
-                handler: (req) => this.postLogout(req),
-                auth: { type: 'maybe', req: 'any' }
-            },
-            {
-                method: 'post',
-                path: '/v1/whoami',
-                handler: (req) => this.postWhoAmI(req),
-                auth: { type: 'maybe', req: 'any' }
-            },
-            {
-                method: 'post',
-                path: '/v1/impersonations',
-                handler: (req) => this.postImpersonation(req),
-                auth: { type: 'strict', req: 'any' }
-            },
-            {
-                method: 'delete',
-                path: '/v1/impersonations',
-                handler: (req) => this.deleteImpersonation(req),
-                auth: { type: 'strict', req: 'any' }
-            }
-        ];
-        const storage = this.storage;
-        const passkeysSupported = typeof storage.createPasskeyChallenge === 'function' && typeof storage.verifyPasskeyResponse === 'function';
+        const routes = [];
+        const coreAuthSupported = this.storageImplementsAll([
+            'getUser',
+            'getUserPasswordHash',
+            'getUserId',
+            'verifyPassword',
+            'filterUser',
+            'storeToken',
+            'getToken',
+            'deleteToken'
+        ]);
+        if (!coreAuthSupported) {
+            return routes;
+        }
+        routes.push({
+            method: 'post',
+            path: '/v1/login',
+            handler: (req) => this.postLogin(req),
+            auth: { type: 'none', req: 'any' }
+        }, {
+            method: 'post',
+            path: '/v1/refresh',
+            handler: (req) => this.postRefresh(req),
+            auth: { type: 'none', req: 'any' }
+        }, {
+            method: 'post',
+            path: '/v1/logout',
+            handler: (req) => this.postLogout(req),
+            auth: { type: 'maybe', req: 'any' }
+        }, {
+            method: 'post',
+            path: '/v1/whoami',
+            handler: (req) => this.postWhoAmI(req),
+            auth: { type: 'maybe', req: 'any' }
+        }, {
+            method: 'post',
+            path: '/v1/impersonations',
+            handler: (req) => this.postImpersonation(req),
+            auth: { type: 'strict', req: 'any' }
+        }, {
+            method: 'delete',
+            path: '/v1/impersonations',
+            handler: (req) => this.deleteImpersonation(req),
+            auth: { type: 'strict', req: 'any' }
+        });
+        const passkeysSupported = this.hasPasskeyService() &&
+            this.storageImplements('createPasskeyChallenge') &&
+            this.storageImplements('verifyPasskeyResponse');
+        const passkeyCredentialsSupported = passkeysSupported &&
+            this.storageImplements('listUserCredentials') &&
+            this.storageImplements('deletePasskeyCredential');
         if (passkeysSupported) {
             routes.push({
                 method: 'post',
@@ -992,6 +1147,19 @@ class AuthModule extends BaseAuthModule {
                 handler: (req) => this.postPasskeyVerify(req),
                 auth: { type: 'none', req: 'any' }
             });
+            if (passkeyCredentialsSupported) {
+                routes.push({
+                    method: 'get',
+                    path: '/v1/passkeys',
+                    handler: (req) => this.getPasskeys(req),
+                    auth: { type: 'strict', req: 'any' }
+                }, {
+                    method: 'delete',
+                    path: '/v1/passkeys/:credentialId?',
+                    handler: (req) => this.deletePasskey(req),
+                    auth: { type: 'strict', req: 'any' }
+                });
+            }
         }
         const externalOAuthSupported = typeof this.server.initiateOAuth === 'function' && typeof this.server.completeOAuth === 'function';
         if (externalOAuthSupported) {
@@ -1007,9 +1175,10 @@ class AuthModule extends BaseAuthModule {
                 auth: { type: 'none', req: 'any' }
             });
         }
-        const oauthStorageSupported = typeof storage.getClient === 'function' &&
-            typeof storage.createAuthCode === 'function' &&
-            typeof storage.consumeAuthCode === 'function';
+        const oauthStorageSupported = this.hasOAuthStore() &&
+            this.storageImplements('getClient') &&
+            this.storageImplements('createAuthCode') &&
+            this.storageImplements('consumeAuthCode');
         if (oauthStorageSupported) {
             routes.push({
                 method: 'post',

package/dist/esm/auth-api/compat-auth-storage.d.ts

@@ -1,9 +1,9 @@
 import { PasskeyService } from '../passkey/service.js';
-import type { AuthIdentifier, AuthStorage } from './types.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
 import type { OAuthStore } from '../oauth/base.js';
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
 import type { PasskeyStore } from '../passkey/base.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, StoredPasskeyCredential, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
 import type { TokenStore } from '../token/base.js';
 import type { Token } from '../token/types.js';
 import type { UserStore } from '../user/base.js';
@@ -11,7 +11,7 @@ interface PasskeyAdapterOptions {
     store: PasskeyStore;
     config: PasskeyServiceConfig;
 }
-export interface AuthStorageAdapterOptions<UserRow, PublicUser> {
+export interface AuthAdapterOptions<UserRow, PublicUser> {
     userStore: UserStore<UserRow, PublicUser>;
     tokenStore: TokenStore;
     passkeys?: PasskeyAdapterOptions | PasskeyService;
@@ -21,13 +21,13 @@ export interface AuthStorageAdapterOptions<UserRow, PublicUser> {
         effectiveUserId: AuthIdentifier;
     }) => boolean | Promise<boolean>;
 }
-export declare class AuthStorageAdapter<UserRow, PublicUser> implements AuthStorage<UserRow, PublicUser> {
+export declare class CompositeAuthAdapter<UserRow, PublicUser> implements AuthAdapter<UserRow, PublicUser> {
     private readonly userStore;
     private readonly tokenStore;
     private readonly oauthStore?;
     private readonly passkeyService?;
     private readonly canImpersonateFn?;
-    constructor(options: AuthStorageAdapterOptions<UserRow, PublicUser>);
+    constructor(options: AuthAdapterOptions<UserRow, PublicUser>);
     getUser(identifier: AuthIdentifier): Promise<UserRow | null>;
     getUserPasswordHash(user: UserRow): string;
     getUserId(user: UserRow): AuthIdentifier;
@@ -43,6 +43,8 @@ export declare class AuthStorageAdapter<UserRow, PublicUser> implements AuthStor
     }): Promise<boolean>;
     createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
     getClient(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;

package/dist/esm/auth-api/compat-auth-storage.js

@@ -1,6 +1,6 @@
 import { randomUUID } from 'node:crypto';
 import { PasskeyService } from '../passkey/service.js';
-export class AuthStorageAdapter {
+export class CompositeAuthAdapter {
     constructor(options) {
         this.userStore = options.userStore;
         this.tokenStore = options.tokenStore;
@@ -52,6 +52,18 @@ export class AuthStorageAdapter {
         }
         return this.passkeyService.verifyResponse(params);
     }
+    async listUserCredentials(userId) {
+        if (!this.passkeyService) {
+            throw new Error('Passkey storage is not configured');
+        }
+        return this.passkeyService.listUserCredentials(userId);
+    }
+    async deletePasskeyCredential(credentialId) {
+        if (!this.passkeyService) {
+            throw new Error('Passkey storage is not configured');
+        }
+        return this.passkeyService.deleteCredential(credentialId);
+    }
     async getClient(clientId) {
         if (!this.oauthStore) {
             return null;

package/dist/esm/auth-api/mem-auth-store.d.ts

@@ -2,11 +2,11 @@ import { MemoryOAuthStore } from '../oauth/memory.js';
 import { MemoryPasskeyStore } from '../passkey/memory.js';
 import { TokenStore } from '../token/base.js';
 import { MemoryUserStore } from '../user/memory.js';
-import type { AuthIdentifier, AuthStorage } from './types.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
 import type { MemoryOAuthStoreOptions } from '../oauth/memory.js';
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
 import type { MemoryPasskeyStoreOptions } from '../passkey/memory.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyUserDescriptor, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyUserDescriptor, StoredPasskeyCredential, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
 import type { Token } from '../token/types.js';
 import type { MemoryUserAttributes, MemoryPublicUser, MemoryUserStoreOptions } from '../user/memory.js';
 interface PasskeyOptions extends Partial<PasskeyServiceConfig> {
@@ -24,7 +24,7 @@ export interface MemAuthStoreParams<UserAttributes extends MemoryUserAttributes
     }) => boolean | Promise<boolean>;
     tokenStore?: TokenStore;
 }
-export declare class MemAuthStore<UserAttributes extends MemoryUserAttributes = MemoryUserAttributes, PublicUserShape extends MemoryPublicUser<UserAttributes> = MemoryPublicUser<UserAttributes>> implements AuthStorage<UserAttributes, PublicUserShape> {
+export declare class MemAuthStore<UserAttributes extends MemoryUserAttributes = MemoryUserAttributes, PublicUserShape extends MemoryPublicUser<UserAttributes> = MemoryPublicUser<UserAttributes>> implements AuthAdapter<UserAttributes, PublicUserShape> {
     readonly userStore: MemoryUserStore<UserAttributes, PublicUserShape>;
     readonly tokenStore: TokenStore;
     readonly passkeyStore?: MemoryPasskeyStore;
@@ -54,6 +54,8 @@ export declare class MemAuthStore<UserAttributes extends MemoryUserAttributes =
     }): Promise<boolean>;
     createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
     getClient(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;

package/dist/esm/auth-api/mem-auth-store.js

@@ -2,7 +2,7 @@ import { MemoryOAuthStore } from '../oauth/memory.js';
 import { MemoryPasskeyStore } from '../passkey/memory.js';
 import { MemoryTokenStore } from '../token/memory.js';
 import { MemoryUserStore } from '../user/memory.js';
-import { AuthStorageAdapter } from './compat-auth-storage.js';
+import { CompositeAuthAdapter } from './compat-auth-storage.js';
 const DEFAULT_PASSKEY_CONFIG = {
     rpId: 'localhost',
     rpName: 'API Server',
@@ -56,7 +56,7 @@ export class MemAuthStore {
             passkeyStore = new MemoryPasskeyStore({ resolveUser });
             this.passkeyStore = passkeyStore;
         }
-        this.adapter = new AuthStorageAdapter({
+        this.adapter = new CompositeAuthAdapter({
             userStore: this.userStore,
             tokenStore: this.tokenStore,
             passkeys: passkeyStore && passkeyConfig ? { store: passkeyStore, config: passkeyConfig } : undefined,
@@ -113,6 +113,12 @@ export class MemAuthStore {
     async verifyPasskeyResponse(params) {
         return this.adapter.verifyPasskeyResponse(params);
     }
+    async listUserCredentials(userId) {
+        return this.adapter.listUserCredentials(userId);
+    }
+    async deletePasskeyCredential(credentialId) {
+        return this.adapter.deletePasskeyCredential(credentialId);
+    }
     async getClient(clientId) {
         return this.adapter.getClient(clientId);
     }

package/dist/esm/auth-api/sql-auth-store.d.ts

@@ -3,9 +3,9 @@ import { SequelizeOAuthStore, type SequelizeOAuthStoreOptions } from '../oauth/s
 import { SequelizePasskeyStore } from '../passkey/sequelize.js';
 import { type SequelizeTokenStoreOptions } from '../token/sequelize.js';
 import { SequelizeUserStore, type AuthUserAttributes, GenericUserModel, GenericUserModelStatic } from '../user/sequelize.js';
-import type { AuthIdentifier, AuthStorage } from './types.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyUserDescriptor, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyUserDescriptor, StoredPasskeyCredential, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
 import type { TokenStore } from '../token/base.js';
 import type { Token } from '../token/types.js';
 interface PasskeyOptions extends Partial<PasskeyServiceConfig> {
@@ -30,7 +30,7 @@ export interface SqlAuthStoreParams<UserAttributes extends AuthUserAttributes =
     tokenStoreOptions?: Omit<SequelizeTokenStoreOptions, 'sequelize'>;
     oauthStoreOptions?: Omit<SequelizeOAuthStoreOptions, 'sequelize'>;
 }
-export declare class SqlAuthStore<UserAttributes extends AuthUserAttributes = AuthUserAttributes, PublicUserShape extends Omit<UserAttributes, 'password'> = Omit<UserAttributes, 'password'>> implements AuthStorage<UserAttributes, PublicUserShape> {
+export declare class SqlAuthStore<UserAttributes extends AuthUserAttributes = AuthUserAttributes, PublicUserShape extends Omit<UserAttributes, 'password'> = Omit<UserAttributes, 'password'>> implements AuthAdapter<UserAttributes, PublicUserShape> {
     readonly userStore: SequelizeUserStore<UserAttributes, PublicUserShape>;
     readonly tokenStore: TokenStore;
     readonly passkeyStore?: SequelizePasskeyStore;
@@ -63,6 +63,8 @@ export declare class SqlAuthStore<UserAttributes extends AuthUserAttributes = Au
     }): Promise<boolean>;
     createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
     getClient(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;

package/dist/esm/auth-api/sql-auth-store.js

@@ -2,7 +2,7 @@ import { SequelizeOAuthStore } from '../oauth/sequelize.js';
 import { SequelizePasskeyStore } from '../passkey/sequelize.js';
 import { SequelizeTokenStore } from '../token/sequelize.js';
 import { SequelizeUserStore } from '../user/sequelize.js';
-import { AuthStorageAdapter } from './compat-auth-storage.js';
+import { CompositeAuthAdapter } from './compat-auth-storage.js';
 const DEFAULT_PASSKEY_CONFIG = {
     rpId: 'localhost',
     rpName: 'API Server',
@@ -69,7 +69,7 @@ export class SqlAuthStore {
             passkeyStore = new SequelizePasskeyStore({ sequelize: this.sequelize, resolveUser });
             this.passkeyStore = passkeyStore;
         }
-        this.adapter = new AuthStorageAdapter({
+        this.adapter = new CompositeAuthAdapter({
             userStore: this.userStore,
             tokenStore: this.tokenStore,
             passkeys: passkeyStore && passkeyConfig ? { store: passkeyStore, config: passkeyConfig } : undefined,
@@ -144,6 +144,12 @@ export class SqlAuthStore {
     async verifyPasskeyResponse(params) {
         return this.adapter.verifyPasskeyResponse(params);
     }
+    async listUserCredentials(userId) {
+        return this.adapter.listUserCredentials(userId);
+    }
+    async deletePasskeyCredential(credentialId) {
+        return this.adapter.deletePasskeyCredential(credentialId);
+    }
     async getClient(clientId) {
         return this.adapter.getClient(clientId);
     }

package/dist/esm/auth-api/storage.d.ts

@@ -1,8 +1,8 @@
-import type { AuthIdentifier, AuthStorage } from './types.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult, StoredPasskeyCredential } from '../passkey/types.js';
 import type { Token } from '../token/types.js';
-export declare class BaseAuthStorage<UserRow = unknown, SafeUser = unknown> implements AuthStorage<UserRow, SafeUser> {
+export declare class BaseAuthAdapter<UserRow = unknown, SafeUser = unknown> implements AuthAdapter<UserRow, SafeUser> {
     getUser(identifier: AuthIdentifier): Promise<UserRow | null>;
     getUserPasswordHash(user: UserRow): string;
     getUserId(user: UserRow): AuthIdentifier;
@@ -24,6 +24,8 @@ export declare class BaseAuthStorage<UserRow = unknown, SafeUser = unknown> impl
     }): Promise<boolean>;
     createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
     getClient(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;
@@ -33,4 +35,4 @@ export declare class BaseAuthStorage<UserRow = unknown, SafeUser = unknown> impl
         effectiveUserId: AuthIdentifier;
     }): Promise<boolean>;
 }
-export declare const nullAuthStorage: AuthStorage<unknown, unknown>;
+export declare const nullAuthAdapter: AuthAdapter<unknown, unknown>;

package/dist/esm/auth-api/storage.js

@@ -1,6 +1,6 @@
-// Handy base you can extend when wiring a real storage adapter. Every method
+// Handy base you can extend when wiring a real auth adapter. Every method
 // throws by default so unimplemented hooks fail loudly.
-export class BaseAuthStorage {
+export class BaseAuthAdapter {
     // Override to load a user record by identifier
     async getUser(identifier) {
         void identifier;
@@ -57,6 +57,16 @@ export class BaseAuthStorage {
         void params;
         throw new Error('Auth storage not configured');
     }
+    // Override to list passkey credentials for a user
+    async listUserCredentials(userId) {
+        void userId;
+        throw new Error('Auth storage not configured');
+    }
+    // Override to delete a passkey credential
+    async deletePasskeyCredential(credentialId) {
+        void credentialId;
+        throw new Error('Auth storage not configured');
+    }
     // Override to fetch an OAuth client by identifier
     async getClient(clientId) {
         void clientId;
@@ -85,4 +95,4 @@ export class BaseAuthStorage {
         return false;
     }
 }
-export const nullAuthStorage = new BaseAuthStorage();
+export const nullAuthAdapter = new BaseAuthAdapter();

package/dist/esm/auth-api/types.d.ts

@@ -1,8 +1,9 @@
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult, StoredPasskeyCredential } from '../passkey/types.js';
 import type { Token } from '../token/types.js';
 export type AuthIdentifier = string | number;
-export interface AuthStorage<UserRow, SafeUser> {
+/** @internal */
+export interface AuthAdapter<UserRow, SafeUser> {
     getUser(identifier: AuthIdentifier): Promise<UserRow | null>;
     getUserPasswordHash(user: UserRow): string;
     getUserId(user: UserRow): AuthIdentifier;
@@ -18,6 +19,8 @@ export interface AuthStorage<UserRow, SafeUser> {
     }): Promise<boolean>;
     createPasskeyChallenge?(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse?(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials?(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential?(credentialId: Buffer | string): Promise<boolean>;
     getClient?(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret?(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode?(request: AuthCodeRequest): Promise<AuthCodeData>;
@@ -27,3 +30,5 @@ export interface AuthStorage<UserRow, SafeUser> {
         effectiveUserId: AuthIdentifier;
     }): Promise<boolean>;
 }
+/** @internal */
+export type AuthStorage<UserRow, SafeUser> = AuthAdapter<UserRow, SafeUser>;

package/dist/esm/index.d.ts

@@ -1,15 +1,15 @@
 export { default as ApiServer } from './api-server-base.js';
 export { ApiError } from './api-server-base.js';
 export { ApiModule } from './api-module.js';
-export type { ApiErrorParams, ApiHandler, ApiKey, ApiServerConf, ApiRequest, ApiRoute, ApiAuthType, ApiAuthClass, ApiTokenData, ExtendedReq } from './api-server-base.js';
-export type { AuthIdentifier, AuthStorage } from './auth-api/types.js';
+export type { ApiErrorParams, ApiHandler, ApiKey, ApiServerConf, ApiRequest, ApiRoute, ApiAuthType, ApiAuthClass, ApiTokenData, ExtendedReq, ExpressApiRequest, ExpressApiLocals } from './api-server-base.js';
+export type { AuthIdentifier } from './auth-api/types.js';
 export type { Token, TokenPair, TokenStatus } from './token/types.js';
 export type { JwtSignResult, JwtVerifyResult, JwtDecodeResult } from './token/base.js';
 export type { OAuthClient, AuthCodeData, AuthCodeRequest } from './oauth/types.js';
 export type { AuthProviderModule } from './auth-api/module.js';
-export { nullAuthStorage, BaseAuthStorage } from './auth-api/storage.js';
+export { nullAuthAdapter, BaseAuthAdapter } from './auth-api/storage.js';
 export { nullAuthModule, BaseAuthModule } from './auth-api/module.js';
-export { AuthStorageAdapter } from './auth-api/compat-auth-storage.js';
+export { CompositeAuthAdapter } from './auth-api/compat-auth-storage.js';
 export { MemAuthStore } from './auth-api/mem-auth-store.js';
 export { SqlAuthStore } from './auth-api/sql-auth-store.js';
 export { default as AuthModule } from './auth-api/auth-module.js';

package/dist/esm/index.js

@@ -1,9 +1,9 @@
 export { default as ApiServer } from './api-server-base.js';
 export { ApiError } from './api-server-base.js';
 export { ApiModule } from './api-module.js';
-export { nullAuthStorage, BaseAuthStorage } from './auth-api/storage.js';
+export { nullAuthAdapter, BaseAuthAdapter } from './auth-api/storage.js';
 export { nullAuthModule, BaseAuthModule } from './auth-api/module.js';
-export { AuthStorageAdapter } from './auth-api/compat-auth-storage.js';
+export { CompositeAuthAdapter } from './auth-api/compat-auth-storage.js';
 export { MemAuthStore } from './auth-api/mem-auth-store.js';
 export { SqlAuthStore } from './auth-api/sql-auth-store.js';
 export { default as AuthModule } from './auth-api/auth-module.js';

package/dist/esm/oauth/sequelize.js

@@ -116,7 +116,7 @@ export class SequelizeOAuthStore extends OAuthStore {
         const existing = await this.clients.findByPk(input.clientId);
         const hashedSecret = input.clientSecret !== undefined && input.clientSecret !== null
             ? await bcrypt.hash(input.clientSecret, this.bcryptRounds)
-            : existing?.client_secret ?? '';
+            : (existing?.client_secret ?? '');
         const redirectUris = input.redirectUris ?? (existing ? decodeStringArray(existing.redirect_uris) : undefined);
         const scope = input.scope ?? (existing ? decodeStringArray(existing.scope) : undefined);
         const metadata = input.metadata ?? (existing ? parseMetadata(existing.metadata) : undefined);