@technomoron/api-server-base 2.0.0-beta.17 → 2.0.0-beta.19

package/dist/cjs/api-server-base.d.ts

@@ -100,7 +100,21 @@ export interface ApiServerConf {
     swaggerPath?: string;
     accessSecret: string;
     refreshSecret: string;
+    /** Cookie domain for auth cookies. Prefer leaving empty for localhost/development. */
     cookieDomain: string;
+    /** Cookie path for auth cookies. */
+    cookiePath?: string;
+    /** Cookie SameSite attribute for auth cookies. */
+    cookieSameSite?: 'lax' | 'strict' | 'none';
+    /**
+     * Cookie Secure attribute for auth cookies.
+     * - true: always secure
+     * - false: never secure
+     * - 'auto': secure when request is HTTPS (or forwarded as HTTPS)
+     */
+    cookieSecure?: boolean | 'auto';
+    /** Cookie HttpOnly attribute for auth cookies. */
+    cookieHttpOnly?: boolean;
     accessCookie: string;
     refreshCookie: string;
     accessExpiry: number;
@@ -115,24 +129,38 @@ export interface ApiServerConf {
     minClientVersion: string;
     tokenStore?: TokenStore;
     authStores?: ApiServerAuthStores;
+    onStartError?: (error: Error) => void;
 }
 export declare class ApiServer {
     app: Application;
-    currReq: ApiRequest | null;
     readonly config: ApiServerConf;
     readonly startedAt: number;
     private readonly apiBasePath;
+    private readonly apiRouter;
+    private finalized;
     private storageAdapter;
     private moduleAdapter;
     private serverAuthAdapter;
     private apiNotFoundHandler;
+    private apiErrorHandlerInstalled;
     private tokenStoreAdapter;
     private userStoreAdapter;
     private passkeyServiceAdapter;
     private oauthStoreAdapter;
     private canImpersonateAdapter;
     private readonly jwtHelper;
+    private currReqDeprecationWarned;
+    /**
+     * @deprecated ApiServer does not track a global "current request". This value is always null.
+     * Use the per-request ApiRequest passed to handlers, or `req.apiReq` / `res.locals.apiReq`
+     * when mounting raw Express endpoints.
+     */
+    get currReq(): ApiRequest | null;
+    set currReq(_value: ApiRequest | null);
     constructor(config?: Partial<ApiServerConf>);
+    private assertNotFinalized;
+    private toApiRouterPath;
+    finalize(): this;
     authStorage<UserRow, SafeUser>(storage: AuthAdapter<UserRow, SafeUser>): this;
     /**
      * @deprecated Use {@link ApiServer.authStorage} instead.
@@ -200,9 +228,10 @@ export declare class ApiServer {
     private installSwaggerHandler;
     private normalizeApiBasePath;
     private installApiNotFoundHandler;
-    private ensureApiNotFoundOrdering;
+    private installApiErrorHandler;
     private describeMissingEndpoint;
     start(): this;
+    private internalServerErrorMessage;
     private verifyJWT;
     private jwtCookieOptions;
     private setAccessCookie;

package/dist/cjs/auth-api/auth-module.d.ts

@@ -10,10 +10,16 @@ interface CanImpersonateContext<UserEntity> {
     targetUser: UserEntity;
     effectiveUserId: AuthIdentifier;
 }
+type AuthRateLimitEndpoint = 'login' | 'passkey-challenge' | 'oauth-token';
 interface AuthModuleOptions<UserEntity> {
     namespace?: string;
     defaultDomain?: string;
     canImpersonate?: (context: CanImpersonateContext<UserEntity>) => Promise<boolean> | boolean;
+    rateLimit?: (context: {
+        apiReq: ApiRequest;
+        endpoint: AuthRateLimitEndpoint;
+    }) => Promise<void> | void;
+    allowInsecurePkcePlain?: boolean;
 }
 type TokenMetadata = Partial<Token> & {
     sessionCookie?: boolean;
@@ -42,9 +48,12 @@ type AuthCapableServer<PublicUser> = ApiServer & {
 };
 export default class AuthModule<UserEntity, PublicUser> extends BaseAuthModule<UserEntity> implements AuthProviderModule<UserEntity> {
     static defaultNamespace: string;
-    server: AuthCapableServer<PublicUser>;
+    get server(): AuthCapableServer<PublicUser>;
+    set server(value: AuthCapableServer<PublicUser>);
     private readonly defaultDomain?;
     private readonly canImpersonateHook?;
+    private readonly rateLimitHook?;
+    private readonly allowInsecurePkcePlain;
     constructor(options?: AuthModuleOptions<UserEntity>);
     protected get storage(): AuthAdapter<UserEntity, PublicUser>;
     protected canImpersonate(apiReq: ApiRequest, realUser: UserEntity, targetUser: UserEntity): Promise<boolean>;
@@ -100,6 +109,8 @@ export default class AuthModule<UserEntity, PublicUser> extends BaseAuthModule<U
     private hasOAuthStore;
     private storageImplements;
     private storageImplementsAll;
+    private applyRateLimit;
+    private resolvePkceChallengeMethod;
     defineRoutes(): ApiRoute[];
 }
 export {};

package/dist/cjs/auth-api/auth-module.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const node_crypto_1 = require("node:crypto");
 const helpers_1 = require("@simplewebauthn/server/helpers");
 const api_server_base_js_1 = require("../api-server-base.js");
+const auth_cookie_options_js_1 = require("../auth-cookie-options.js");
 const module_js_1 = require("./module.js");
 const storage_js_1 = require("./storage.js");
 function isAuthIdentifier(value) {
@@ -32,10 +33,18 @@ function sha256Base64Url(value) {
     return base64UrlEncode(hash);
 }
 class AuthModule extends module_js_1.BaseAuthModule {
+    get server() {
+        return super.server;
+    }
+    set server(value) {
+        super.server = value;
+    }
     constructor(options = {}) {
         super({ namespace: options.namespace ?? AuthModule.defaultNamespace });
         this.defaultDomain = options.defaultDomain;
         this.canImpersonateHook = options.canImpersonate;
+        this.rateLimitHook = options.rateLimit;
+        this.allowInsecurePkcePlain = options.allowInsecurePkcePlain ?? true;
     }
     get storage() {
         return this.server.getAuthStorage();
@@ -236,29 +245,7 @@ class AuthModule extends module_js_1.BaseAuthModule {
         return Number.isNaN(date.getTime()) ? undefined : date.toISOString();
     }
     cookieOptions(apiReq) {
-        const conf = this.server.config;
-        const forwarded = apiReq.req.headers['x-forwarded-proto'];
-        const referer = apiReq.req.headers['origin'] ?? apiReq.req.headers['referer'];
-        const origin = typeof referer === 'string' ? referer : '';
-        const isHttps = forwarded === 'https' || apiReq.req.protocol === 'https';
-        const isLocalhost = origin.includes('localhost');
-        const options = {
-            httpOnly: true,
-            secure: true,
-            sameSite: 'strict',
-            domain: conf.cookieDomain || undefined,
-            path: '/',
-            maxAge: undefined
-        };
-        if (conf.devMode) {
-            options.secure = isHttps;
-            options.httpOnly = false;
-            options.sameSite = 'lax';
-            if (isLocalhost) {
-                options.domain = undefined;
-            }
-        }
-        return options;
+        return (0, auth_cookie_options_js_1.buildAuthCookieOptions)(this.server.config, apiReq.req);
     }
     setJwtCookies(apiReq, tokens, preferences = {}) {
         const conf = this.server.config;
@@ -285,7 +272,10 @@ class AuthModule extends module_js_1.BaseAuthModule {
     async issueTokens(apiReq, user, metadata = {}) {
         const conf = this.server.config;
         const enrichedMetadata = this.enrichTokenMetadata(apiReq, metadata);
-        const payload = this.buildTokenPayload(user, enrichedMetadata);
+        const payload = {
+            ...this.buildTokenPayload(user, enrichedMetadata),
+            jti: (0, node_crypto_1.randomUUID)()
+        };
         const access = this.server.jwtSign(payload, conf.accessSecret, conf.accessExpiry);
         if (!access.success || !access.token) {
             throw new api_server_base_js_1.ApiError({ code: 500, message: access.error ?? 'Unable to sign access token' });
@@ -455,6 +445,7 @@ class AuthModule extends module_js_1.BaseAuthModule {
         return undefined;
     }
     async postLogin(apiReq) {
+        await this.applyRateLimit(apiReq, 'login');
         this.assertAuthReady();
         const { login, password, ...metadata } = this.parseLoginBody(apiReq);
         const user = await this.storage.getUser(login);
@@ -552,10 +543,39 @@ class AuthModule extends module_js_1.BaseAuthModule {
                 apiReq.req.cookies[conf.accessCookie].trim().length > 0);
         const shouldRefresh = Boolean(body.refresh) || !hasAccessToken;
         if (shouldRefresh) {
-            const access = this.server.jwtSign(this.buildTokenPayload(user, stored), conf.accessSecret, conf.accessExpiry);
+            const updateToken = this.storage.updateToken;
+            if (typeof updateToken !== 'function' || !this.storageImplements('updateToken')) {
+                throw new api_server_base_js_1.ApiError({ code: 501, message: 'Token update storage is not configured' });
+            }
+            // Sign a new access token without embedding stored token secrets into the JWT payload.
+            const metadata = {
+                ruid: stored.ruid,
+                domain: stored.domain,
+                fingerprint: stored.fingerprint,
+                label: stored.label,
+                clientId: stored.clientId,
+                scope: stored.scope,
+                browser: stored.browser,
+                device: stored.device,
+                ip: stored.ip,
+                os: stored.os,
+                loginType: stored.loginType,
+                refreshTtlSeconds: this.normalizeRefreshTtlSeconds(stored.refreshTtlSeconds),
+                sessionCookie: stored.sessionCookie
+            };
+            const enrichedMetadata = this.enrichTokenMetadata(apiReq, metadata);
+            const access = this.server.jwtSign(this.buildTokenPayload(user, enrichedMetadata), conf.accessSecret, conf.accessExpiry);
             if (!access.success || !access.token) {
                 throw new api_server_base_js_1.ApiError({ code: 500, message: access.error ?? 'Unable to sign access token' });
             }
+            const updated = await updateToken.call(this.storage, {
+                refreshToken,
+                accessToken: access.token,
+                lastSeenAt: new Date()
+            });
+            if (!updated) {
+                throw new api_server_base_js_1.ApiError({ code: 500, message: 'Unable to persist refreshed access token' });
+            }
             const cookiePrefs = this.mergeSessionPreferences({
                 sessionCookie: stored.sessionCookie,
                 refreshTtlSeconds: this.normalizeRefreshTtlSeconds(stored.refreshTtlSeconds)
@@ -589,6 +609,7 @@ class AuthModule extends module_js_1.BaseAuthModule {
         ];
     }
     async postPasskeyChallenge(apiReq) {
+        await this.applyRateLimit(apiReq, 'passkey-challenge');
         if (typeof this.storage.createPasskeyChallenge !== 'function') {
             throw new api_server_base_js_1.ApiError({ code: 501, message: 'Passkey support is not configured' });
         }
@@ -726,7 +747,8 @@ class AuthModule extends module_js_1.BaseAuthModule {
     async deleteImpersonation(apiReq) {
         this.assertAuthReady();
         const actor = await this.resolveActorContext(apiReq);
-        const metadata = this.buildImpersonationMetadata((apiReq.req.body ?? {}));
+        const query = (apiReq.req.query ?? {});
+        const metadata = this.buildImpersonationMetadata(query);
         metadata.loginType = metadata.loginType ?? 'impersonation-end';
         const tokens = await this.issueTokens(apiReq, actor.user, metadata);
         const publicUser = this.storage.filterUser(actor.user);
@@ -798,6 +820,7 @@ class AuthModule extends module_js_1.BaseAuthModule {
         const state = toStringOrNull(body.state) ?? undefined;
         const codeChallenge = toStringOrNull(body.codeChallenge) ?? undefined;
         const codeChallengeMethod = toStringOrNull(body.codeChallengeMethod) ?? undefined;
+        const resolvedCodeChallengeMethod = this.resolvePkceChallengeMethod(codeChallengeMethod);
         if (!clientId) {
             throw new api_server_base_js_1.ApiError({ code: 400, message: 'clientId is required' });
         }
@@ -817,7 +840,7 @@ class AuthModule extends module_js_1.BaseAuthModule {
             redirectUri,
             scope: resolvedScope,
             codeChallenge,
-            codeChallengeMethod: codeChallengeMethod === 'S256' ? 'S256' : codeChallengeMethod === 'plain' ? 'plain' : undefined,
+            codeChallengeMethod: resolvedCodeChallengeMethod,
             expiresInSeconds: 300
         });
         const redirect = new URL(redirectUri);
@@ -828,6 +851,7 @@ class AuthModule extends module_js_1.BaseAuthModule {
         return [200, { code: codeRecord.code, redirectUri: redirect.toString(), state }];
     }
     async postOAuthToken(apiReq) {
+        await this.applyRateLimit(apiReq, 'oauth-token');
         if (typeof this.storage.getClient !== 'function' || typeof this.storage.consumeAuthCode !== 'function') {
             throw new api_server_base_js_1.ApiError({ code: 501, message: 'OAuth token storage is not configured' });
         }
@@ -881,6 +905,9 @@ class AuthModule extends module_js_1.BaseAuthModule {
                 }
             }
             else if (record.codeChallengeMethod === 'plain') {
+                if (!this.allowInsecurePkcePlain) {
+                    throw new api_server_base_js_1.ApiError({ code: 400, message: 'PKCE plain is not permitted' });
+                }
                 if (codeVerifier !== record.codeChallenge) {
                     throw new api_server_base_js_1.ApiError({ code: 400, message: 'code_verifier does not match challenge' });
                 }
@@ -1001,14 +1028,11 @@ class AuthModule extends module_js_1.BaseAuthModule {
             if (!secretProvided) {
                 throw new api_server_base_js_1.ApiError({ code: 400, message: 'Client authentication is required' });
             }
-            let valid = false;
-            if (this.storage.verifyClientSecret) {
-                const verifySecret = this.storage.verifyClientSecret.bind(this.storage);
-                valid = await verifySecret(client, clientSecret);
-            }
-            else {
-                valid = client.clientSecret === clientSecret;
+            const verifySecret = this.storage.verifyClientSecret;
+            if (typeof verifySecret !== 'function' || !this.storageImplements('verifyClientSecret')) {
+                throw new api_server_base_js_1.ApiError({ code: 501, message: 'OAuth client secret verification is not configured' });
             }
+            const valid = await verifySecret.call(this.storage, client, clientSecret);
             if (!valid) {
                 throw new api_server_base_js_1.ApiError({ code: 401, message: 'Invalid client credentials' });
             }
@@ -1084,6 +1108,24 @@ class AuthModule extends module_js_1.BaseAuthModule {
     storageImplementsAll(keys) {
         return keys.every((key) => this.storageImplements(key));
     }
+    async applyRateLimit(apiReq, endpoint) {
+        if (!this.rateLimitHook) {
+            return;
+        }
+        await this.rateLimitHook({ apiReq, endpoint });
+    }
+    resolvePkceChallengeMethod(value) {
+        if (value === 'S256') {
+            return 'S256';
+        }
+        if (value === 'plain') {
+            if (!this.allowInsecurePkcePlain) {
+                throw new api_server_base_js_1.ApiError({ code: 400, message: 'PKCE plain is not permitted' });
+            }
+            return 'plain';
+        }
+        return undefined;
+    }
     defineRoutes() {
         const routes = [];
         const coreAuthSupported = this.storageImplementsAll([
@@ -1156,7 +1198,7 @@ class AuthModule extends module_js_1.BaseAuthModule {
                     auth: { type: 'strict', req: 'any' }
                 }, {
                     method: 'delete',
-                    path: '/v1/passkeys/:credentialId?',
+                    path: '/v1/passkeys/:credentialId',
                     handler: (req) => this.deletePasskey(req),
                     auth: { type: 'strict', req: 'any' }
                 });

package/dist/cjs/auth-api/mem-auth-store.js

@@ -2,32 +2,11 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.MemAuthStore = void 0;
 const memory_js_1 = require("../oauth/memory.js");
+const config_js_1 = require("../passkey/config.js");
 const memory_js_2 = require("../passkey/memory.js");
 const memory_js_3 = require("../token/memory.js");
 const memory_js_4 = require("../user/memory.js");
 const compat_auth_storage_js_1 = require("./compat-auth-storage.js");
-const DEFAULT_PASSKEY_CONFIG = {
-    rpId: 'localhost',
-    rpName: 'API Server',
-    origins: ['http://localhost:5173'],
-    timeoutMs: 5 * 60 * 1000,
-    userVerification: 'preferred'
-};
-function isOriginString(origin) {
-    return typeof origin === 'string' && origin.trim().length > 0;
-}
-function normalizePasskeyConfig(config = {}) {
-    const candidateOrigins = Array.isArray(config.origins) && config.origins.length > 0 ? config.origins.filter(isOriginString) : null;
-    return {
-        rpId: config.rpId?.trim() || DEFAULT_PASSKEY_CONFIG.rpId,
-        rpName: config.rpName?.trim() || DEFAULT_PASSKEY_CONFIG.rpName,
-        origins: candidateOrigins ? candidateOrigins.map((origin) => origin.trim()) : DEFAULT_PASSKEY_CONFIG.origins,
-        timeoutMs: typeof config.timeoutMs === 'number' && config.timeoutMs > 0
-            ? config.timeoutMs
-            : DEFAULT_PASSKEY_CONFIG.timeoutMs,
-        userVerification: config.userVerification ?? DEFAULT_PASSKEY_CONFIG.userVerification
-    };
-}
 class MemAuthStore {
     constructor(params = {}) {
         this.userStore = new memory_js_4.MemoryUserStore({
@@ -42,7 +21,7 @@ class MemAuthStore {
         let passkeyStore;
         let passkeyConfig;
         if (params.passkeys !== false) {
-            passkeyConfig = normalizePasskeyConfig(params.passkeys ?? {});
+            passkeyConfig = (0, config_js_1.normalizePasskeyConfig)(params.passkeys ?? {});
             const resolveUser = async (lookup) => {
                 const found = await this.userStore.findUser(lookup.userId ?? lookup.login ?? '');
                 if (!found) {

package/dist/cjs/auth-api/sql-auth-store.js

@@ -2,48 +2,21 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.SqlAuthStore = void 0;
 const sequelize_js_1 = require("../oauth/sequelize.js");
+const config_js_1 = require("../passkey/config.js");
 const sequelize_js_2 = require("../passkey/sequelize.js");
+const sequelize_utils_js_1 = require("../sequelize-utils.js");
 const sequelize_js_3 = require("../token/sequelize.js");
 const sequelize_js_4 = require("../user/sequelize.js");
 const compat_auth_storage_js_1 = require("./compat-auth-storage.js");
-const DEFAULT_PASSKEY_CONFIG = {
-    rpId: 'localhost',
-    rpName: 'API Server',
-    origins: ['http://localhost:5173'],
-    timeoutMs: 5 * 60 * 1000,
-    userVerification: 'preferred'
-};
-function normalizeTablePrefix(prefix) {
-    if (!prefix) {
-        return undefined;
-    }
-    const trimmed = prefix.trim();
-    return trimmed.length > 0 ? trimmed : undefined;
-}
 function resolveTablePrefix(...prefixes) {
     for (const prefix of prefixes) {
-        const normalized = normalizeTablePrefix(prefix);
+        const normalized = (0, sequelize_utils_js_1.normalizeTablePrefix)(prefix);
         if (normalized) {
             return normalized;
         }
     }
     return undefined;
 }
-function isOriginString(origin) {
-    return typeof origin === 'string' && origin.trim().length > 0;
-}
-function normalizePasskeyConfig(config = {}) {
-    const candidateOrigins = Array.isArray(config.origins) && config.origins.length > 0 ? config.origins.filter(isOriginString) : null;
-    return {
-        rpId: config.rpId?.trim() || DEFAULT_PASSKEY_CONFIG.rpId,
-        rpName: config.rpName?.trim() || DEFAULT_PASSKEY_CONFIG.rpName,
-        origins: candidateOrigins ? candidateOrigins.map((origin) => origin.trim()) : DEFAULT_PASSKEY_CONFIG.origins,
-        timeoutMs: typeof config.timeoutMs === 'number' && config.timeoutMs > 0
-            ? config.timeoutMs
-            : DEFAULT_PASSKEY_CONFIG.timeoutMs,
-        userVerification: config.userVerification ?? DEFAULT_PASSKEY_CONFIG.userVerification
-    };
-}
 class SqlAuthStore {
     constructor(params) {
         this.closed = false;
@@ -83,7 +56,7 @@ class SqlAuthStore {
         let passkeyConfig;
         if (params.passkeys !== false) {
             const passkeyTablePrefix = resolveTablePrefix(moduleTablePrefixes.passkey, params.tablePrefix);
-            passkeyConfig = normalizePasskeyConfig(params.passkeys ?? {});
+            passkeyConfig = (0, config_js_1.normalizePasskeyConfig)(params.passkeys ?? {});
             const resolveUser = async (lookup) => {
                 const found = await this.userStore.findUser(lookup.userId ?? lookup.login ?? '');
                 if (!found) {

package/dist/cjs/auth-api/user-id.d.ts

@@ -0,0 +1,4 @@
+import type { AuthIdentifier } from './types.js';
+export declare function normalizeComparableUserId(identifier: AuthIdentifier): string;
+export declare function normalizeNumericUserId(identifier: AuthIdentifier): number;
+export declare function normalizeStringUserId(identifier: AuthIdentifier): string;

package/dist/cjs/auth-api/user-id.js

@@ -0,0 +1,31 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.normalizeComparableUserId = normalizeComparableUserId;
+exports.normalizeNumericUserId = normalizeNumericUserId;
+exports.normalizeStringUserId = normalizeStringUserId;
+function normalizeComparableUserId(identifier) {
+    if (typeof identifier === 'number' && Number.isFinite(identifier)) {
+        return String(identifier);
+    }
+    if (typeof identifier === 'string') {
+        const trimmed = identifier.trim();
+        if (trimmed.length === 0) {
+            throw new Error(`Unable to normalise user identifier: ${identifier}`);
+        }
+        if (/^\d+$/.test(trimmed)) {
+            return String(Number(trimmed));
+        }
+        return trimmed;
+    }
+    throw new Error(`Unable to normalise user identifier: ${identifier}`);
+}
+function normalizeNumericUserId(identifier) {
+    const normalized = normalizeComparableUserId(identifier);
+    if (/^\d+$/.test(normalized)) {
+        return Number(normalized);
+    }
+    throw new Error(`Unable to normalise user identifier: ${identifier}`);
+}
+function normalizeStringUserId(identifier) {
+    return normalizeComparableUserId(identifier);
+}

package/dist/cjs/auth-cookie-options.d.ts

@@ -0,0 +1,11 @@
+import type { Request } from 'express';
+import type { CookieOptions } from 'express-serve-static-core';
+export interface AuthCookieConfig {
+    cookieSecure?: boolean | 'auto';
+    cookieSameSite?: 'lax' | 'strict' | 'none';
+    cookieHttpOnly?: boolean;
+    cookieDomain?: string;
+    cookiePath?: string;
+    devMode?: boolean;
+}
+export declare function buildAuthCookieOptions(config: AuthCookieConfig, req: Pick<Request, 'headers' | 'protocol'>): CookieOptions;

package/dist/cjs/auth-cookie-options.js

@@ -0,0 +1,57 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildAuthCookieOptions = buildAuthCookieOptions;
+function firstHeaderValue(value) {
+    if (typeof value === 'string') {
+        return value;
+    }
+    if (Array.isArray(value)) {
+        return value[0] ?? '';
+    }
+    return '';
+}
+function resolveOriginHostname(origin) {
+    try {
+        const url = new URL(origin);
+        const hostname = url.hostname.trim().toLowerCase();
+        return hostname.length > 0 ? hostname : null;
+    }
+    catch {
+        return null;
+    }
+}
+function isLocalhostOrigin(origin) {
+    const hostname = resolveOriginHostname(origin);
+    if (!hostname) {
+        return false;
+    }
+    return hostname === 'localhost' || hostname.endsWith('.localhost');
+}
+function buildAuthCookieOptions(config, req) {
+    const forwardedProto = firstHeaderValue(req.headers['x-forwarded-proto']).split(',')[0].trim().toLowerCase();
+    const isHttps = forwardedProto === 'https' || req.protocol === 'https';
+    const origin = firstHeaderValue(req.headers.origin ?? req.headers.referer);
+    const secure = config.cookieSecure === true ? true : config.cookieSecure === false ? false : /* auto */ Boolean(isHttps);
+    let sameSite = config.cookieSameSite ?? 'lax';
+    if (sameSite !== 'lax' && sameSite !== 'strict' && sameSite !== 'none') {
+        sameSite = 'lax';
+    }
+    let resolvedSecure = secure;
+    if (sameSite === 'none' && resolvedSecure !== true) {
+        // Modern browsers reject SameSite=None cookies unless Secure is set.
+        resolvedSecure = true;
+    }
+    const options = {
+        httpOnly: config.cookieHttpOnly ?? true,
+        secure: resolvedSecure,
+        sameSite,
+        domain: config.cookieDomain || undefined,
+        path: config.cookiePath || '/',
+        maxAge: undefined
+    };
+    if (config.devMode && isLocalhostOrigin(origin)) {
+        // Domain cookies do not work on localhost; avoid breaking local development when cookieDomain is set.
+        options.domain = undefined;
+    }
+    return options;
+}

package/dist/cjs/oauth/memory.js

@@ -5,6 +5,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.MemoryOAuthStore = void 0;
 const bcryptjs_1 = __importDefault(require("bcryptjs"));
+const user_id_js_1 = require("../auth-api/user-id.js");
 const base_js_1 = require("./base.js");
 function cloneClient(client) {
     if (!client) {
@@ -12,7 +13,8 @@ function cloneClient(client) {
     }
     return {
         clientId: client.clientId,
-        clientSecret: client.clientSecret,
+        // clientSecret is stored hashed; do not return the hash.
+        clientSecret: client.clientSecret ? '__stored__' : undefined,
         name: client.name,
         redirectUris: [...client.redirectUris],
         scope: client.scope ? [...client.scope] : undefined,
@@ -28,15 +30,7 @@ function cloneCode(code) {
         metadata: code.metadata ? { ...code.metadata } : undefined
     };
 }
-function normalizeUserId(identifier) {
-    if (typeof identifier === 'number' && Number.isFinite(identifier)) {
-        return identifier;
-    }
-    if (typeof identifier === 'string' && /^\d+$/.test(identifier)) {
-        return Number(identifier);
-    }
-    throw new Error(`Unable to normalise user identifier: ${identifier}`);
-}
+const normalizeUserId = user_id_js_1.normalizeNumericUserId;
 class MemoryOAuthStore extends base_js_1.OAuthStore {
     constructor(options = {}) {
         super();

package/dist/cjs/oauth/models.js

@@ -4,27 +4,16 @@ exports.OAuthCodeModel = exports.OAuthClientModel = void 0;
 exports.initOAuthClientModel = initOAuthClientModel;
 exports.initOAuthCodeModel = initOAuthCodeModel;
 const sequelize_1 = require("sequelize");
-const DIALECTS_SUPPORTING_UNSIGNED = new Set(['mysql', 'mariadb']);
-function normalizeTablePrefix(prefix) {
-    if (!prefix) {
-        return undefined;
-    }
-    const trimmed = prefix.trim();
-    return trimmed.length > 0 ? trimmed : undefined;
-}
-function applyTablePrefix(prefix, tableName) {
-    const normalized = normalizeTablePrefix(prefix);
-    return normalized ? `${normalized}${tableName}` : tableName;
-}
+const sequelize_utils_js_1 = require("../sequelize-utils.js");
 function integerIdType(sequelize) {
-    return DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? sequelize_1.DataTypes.INTEGER.UNSIGNED : sequelize_1.DataTypes.INTEGER;
+    return sequelize_utils_js_1.DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? sequelize_1.DataTypes.INTEGER.UNSIGNED : sequelize_1.DataTypes.INTEGER;
 }
 function tableOptions(sequelize, tableName, tablePrefix, extra) {
-    const opts = { sequelize, tableName: applyTablePrefix(tablePrefix, tableName) };
+    const opts = { sequelize, tableName: (0, sequelize_utils_js_1.applyTablePrefix)(tablePrefix, tableName) };
     if (extra) {
         Object.assign(opts, extra);
     }
-    if (DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())) {
+    if (sequelize_utils_js_1.DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())) {
         opts.charset = 'utf8mb4';
         opts.collate = 'utf8mb4_unicode_ci';
     }