@technomoron/api-server-base 2.0.0-beta.17 → 2.0.0-beta.19

package/dist/esm/auth-api/auth-module.js

@@ -1,6 +1,7 @@
 import { createHash, randomUUID } from 'node:crypto';
 import { isoBase64URL } from '@simplewebauthn/server/helpers';
 import { ApiError } from '../api-server-base.js';
+import { buildAuthCookieOptions } from '../auth-cookie-options.js';
 import { BaseAuthModule } from './module.js';
 import { BaseAuthAdapter } from './storage.js';
 function isAuthIdentifier(value) {
@@ -30,10 +31,18 @@ function sha256Base64Url(value) {
     return base64UrlEncode(hash);
 }
 class AuthModule extends BaseAuthModule {
+    get server() {
+        return super.server;
+    }
+    set server(value) {
+        super.server = value;
+    }
     constructor(options = {}) {
         super({ namespace: options.namespace ?? AuthModule.defaultNamespace });
         this.defaultDomain = options.defaultDomain;
         this.canImpersonateHook = options.canImpersonate;
+        this.rateLimitHook = options.rateLimit;
+        this.allowInsecurePkcePlain = options.allowInsecurePkcePlain ?? true;
     }
     get storage() {
         return this.server.getAuthStorage();
@@ -234,29 +243,7 @@ class AuthModule extends BaseAuthModule {
         return Number.isNaN(date.getTime()) ? undefined : date.toISOString();
     }
     cookieOptions(apiReq) {
-        const conf = this.server.config;
-        const forwarded = apiReq.req.headers['x-forwarded-proto'];
-        const referer = apiReq.req.headers['origin'] ?? apiReq.req.headers['referer'];
-        const origin = typeof referer === 'string' ? referer : '';
-        const isHttps = forwarded === 'https' || apiReq.req.protocol === 'https';
-        const isLocalhost = origin.includes('localhost');
-        const options = {
-            httpOnly: true,
-            secure: true,
-            sameSite: 'strict',
-            domain: conf.cookieDomain || undefined,
-            path: '/',
-            maxAge: undefined
-        };
-        if (conf.devMode) {
-            options.secure = isHttps;
-            options.httpOnly = false;
-            options.sameSite = 'lax';
-            if (isLocalhost) {
-                options.domain = undefined;
-            }
-        }
-        return options;
+        return buildAuthCookieOptions(this.server.config, apiReq.req);
     }
     setJwtCookies(apiReq, tokens, preferences = {}) {
         const conf = this.server.config;
@@ -283,7 +270,10 @@ class AuthModule extends BaseAuthModule {
     async issueTokens(apiReq, user, metadata = {}) {
         const conf = this.server.config;
         const enrichedMetadata = this.enrichTokenMetadata(apiReq, metadata);
-        const payload = this.buildTokenPayload(user, enrichedMetadata);
+        const payload = {
+            ...this.buildTokenPayload(user, enrichedMetadata),
+            jti: randomUUID()
+        };
         const access = this.server.jwtSign(payload, conf.accessSecret, conf.accessExpiry);
         if (!access.success || !access.token) {
             throw new ApiError({ code: 500, message: access.error ?? 'Unable to sign access token' });
@@ -453,6 +443,7 @@ class AuthModule extends BaseAuthModule {
         return undefined;
     }
     async postLogin(apiReq) {
+        await this.applyRateLimit(apiReq, 'login');
         this.assertAuthReady();
         const { login, password, ...metadata } = this.parseLoginBody(apiReq);
         const user = await this.storage.getUser(login);
@@ -550,10 +541,39 @@ class AuthModule extends BaseAuthModule {
                 apiReq.req.cookies[conf.accessCookie].trim().length > 0);
         const shouldRefresh = Boolean(body.refresh) || !hasAccessToken;
         if (shouldRefresh) {
-            const access = this.server.jwtSign(this.buildTokenPayload(user, stored), conf.accessSecret, conf.accessExpiry);
+            const updateToken = this.storage.updateToken;
+            if (typeof updateToken !== 'function' || !this.storageImplements('updateToken')) {
+                throw new ApiError({ code: 501, message: 'Token update storage is not configured' });
+            }
+            // Sign a new access token without embedding stored token secrets into the JWT payload.
+            const metadata = {
+                ruid: stored.ruid,
+                domain: stored.domain,
+                fingerprint: stored.fingerprint,
+                label: stored.label,
+                clientId: stored.clientId,
+                scope: stored.scope,
+                browser: stored.browser,
+                device: stored.device,
+                ip: stored.ip,
+                os: stored.os,
+                loginType: stored.loginType,
+                refreshTtlSeconds: this.normalizeRefreshTtlSeconds(stored.refreshTtlSeconds),
+                sessionCookie: stored.sessionCookie
+            };
+            const enrichedMetadata = this.enrichTokenMetadata(apiReq, metadata);
+            const access = this.server.jwtSign(this.buildTokenPayload(user, enrichedMetadata), conf.accessSecret, conf.accessExpiry);
             if (!access.success || !access.token) {
                 throw new ApiError({ code: 500, message: access.error ?? 'Unable to sign access token' });
             }
+            const updated = await updateToken.call(this.storage, {
+                refreshToken,
+                accessToken: access.token,
+                lastSeenAt: new Date()
+            });
+            if (!updated) {
+                throw new ApiError({ code: 500, message: 'Unable to persist refreshed access token' });
+            }
             const cookiePrefs = this.mergeSessionPreferences({
                 sessionCookie: stored.sessionCookie,
                 refreshTtlSeconds: this.normalizeRefreshTtlSeconds(stored.refreshTtlSeconds)
@@ -587,6 +607,7 @@ class AuthModule extends BaseAuthModule {
         ];
     }
     async postPasskeyChallenge(apiReq) {
+        await this.applyRateLimit(apiReq, 'passkey-challenge');
         if (typeof this.storage.createPasskeyChallenge !== 'function') {
             throw new ApiError({ code: 501, message: 'Passkey support is not configured' });
         }
@@ -724,7 +745,8 @@ class AuthModule extends BaseAuthModule {
     async deleteImpersonation(apiReq) {
         this.assertAuthReady();
         const actor = await this.resolveActorContext(apiReq);
-        const metadata = this.buildImpersonationMetadata((apiReq.req.body ?? {}));
+        const query = (apiReq.req.query ?? {});
+        const metadata = this.buildImpersonationMetadata(query);
         metadata.loginType = metadata.loginType ?? 'impersonation-end';
         const tokens = await this.issueTokens(apiReq, actor.user, metadata);
         const publicUser = this.storage.filterUser(actor.user);
@@ -796,6 +818,7 @@ class AuthModule extends BaseAuthModule {
         const state = toStringOrNull(body.state) ?? undefined;
         const codeChallenge = toStringOrNull(body.codeChallenge) ?? undefined;
         const codeChallengeMethod = toStringOrNull(body.codeChallengeMethod) ?? undefined;
+        const resolvedCodeChallengeMethod = this.resolvePkceChallengeMethod(codeChallengeMethod);
         if (!clientId) {
             throw new ApiError({ code: 400, message: 'clientId is required' });
         }
@@ -815,7 +838,7 @@ class AuthModule extends BaseAuthModule {
             redirectUri,
             scope: resolvedScope,
             codeChallenge,
-            codeChallengeMethod: codeChallengeMethod === 'S256' ? 'S256' : codeChallengeMethod === 'plain' ? 'plain' : undefined,
+            codeChallengeMethod: resolvedCodeChallengeMethod,
             expiresInSeconds: 300
         });
         const redirect = new URL(redirectUri);
@@ -826,6 +849,7 @@ class AuthModule extends BaseAuthModule {
         return [200, { code: codeRecord.code, redirectUri: redirect.toString(), state }];
     }
     async postOAuthToken(apiReq) {
+        await this.applyRateLimit(apiReq, 'oauth-token');
         if (typeof this.storage.getClient !== 'function' || typeof this.storage.consumeAuthCode !== 'function') {
             throw new ApiError({ code: 501, message: 'OAuth token storage is not configured' });
         }
@@ -879,6 +903,9 @@ class AuthModule extends BaseAuthModule {
                 }
             }
             else if (record.codeChallengeMethod === 'plain') {
+                if (!this.allowInsecurePkcePlain) {
+                    throw new ApiError({ code: 400, message: 'PKCE plain is not permitted' });
+                }
                 if (codeVerifier !== record.codeChallenge) {
                     throw new ApiError({ code: 400, message: 'code_verifier does not match challenge' });
                 }
@@ -999,14 +1026,11 @@ class AuthModule extends BaseAuthModule {
             if (!secretProvided) {
                 throw new ApiError({ code: 400, message: 'Client authentication is required' });
             }
-            let valid = false;
-            if (this.storage.verifyClientSecret) {
-                const verifySecret = this.storage.verifyClientSecret.bind(this.storage);
-                valid = await verifySecret(client, clientSecret);
-            }
-            else {
-                valid = client.clientSecret === clientSecret;
+            const verifySecret = this.storage.verifyClientSecret;
+            if (typeof verifySecret !== 'function' || !this.storageImplements('verifyClientSecret')) {
+                throw new ApiError({ code: 501, message: 'OAuth client secret verification is not configured' });
             }
+            const valid = await verifySecret.call(this.storage, client, clientSecret);
             if (!valid) {
                 throw new ApiError({ code: 401, message: 'Invalid client credentials' });
             }
@@ -1082,6 +1106,24 @@ class AuthModule extends BaseAuthModule {
     storageImplementsAll(keys) {
         return keys.every((key) => this.storageImplements(key));
     }
+    async applyRateLimit(apiReq, endpoint) {
+        if (!this.rateLimitHook) {
+            return;
+        }
+        await this.rateLimitHook({ apiReq, endpoint });
+    }
+    resolvePkceChallengeMethod(value) {
+        if (value === 'S256') {
+            return 'S256';
+        }
+        if (value === 'plain') {
+            if (!this.allowInsecurePkcePlain) {
+                throw new ApiError({ code: 400, message: 'PKCE plain is not permitted' });
+            }
+            return 'plain';
+        }
+        return undefined;
+    }
     defineRoutes() {
         const routes = [];
         const coreAuthSupported = this.storageImplementsAll([
@@ -1154,7 +1196,7 @@ class AuthModule extends BaseAuthModule {
                     auth: { type: 'strict', req: 'any' }
                 }, {
                     method: 'delete',
-                    path: '/v1/passkeys/:credentialId?',
+                    path: '/v1/passkeys/:credentialId',
                     handler: (req) => this.deletePasskey(req),
                     auth: { type: 'strict', req: 'any' }
                 });

package/dist/esm/auth-api/mem-auth-store.js

@@ -1,30 +1,9 @@
 import { MemoryOAuthStore } from '../oauth/memory.js';
+import { normalizePasskeyConfig } from '../passkey/config.js';
 import { MemoryPasskeyStore } from '../passkey/memory.js';
 import { MemoryTokenStore } from '../token/memory.js';
 import { MemoryUserStore } from '../user/memory.js';
 import { CompositeAuthAdapter } from './compat-auth-storage.js';
-const DEFAULT_PASSKEY_CONFIG = {
-    rpId: 'localhost',
-    rpName: 'API Server',
-    origins: ['http://localhost:5173'],
-    timeoutMs: 5 * 60 * 1000,
-    userVerification: 'preferred'
-};
-function isOriginString(origin) {
-    return typeof origin === 'string' && origin.trim().length > 0;
-}
-function normalizePasskeyConfig(config = {}) {
-    const candidateOrigins = Array.isArray(config.origins) && config.origins.length > 0 ? config.origins.filter(isOriginString) : null;
-    return {
-        rpId: config.rpId?.trim() || DEFAULT_PASSKEY_CONFIG.rpId,
-        rpName: config.rpName?.trim() || DEFAULT_PASSKEY_CONFIG.rpName,
-        origins: candidateOrigins ? candidateOrigins.map((origin) => origin.trim()) : DEFAULT_PASSKEY_CONFIG.origins,
-        timeoutMs: typeof config.timeoutMs === 'number' && config.timeoutMs > 0
-            ? config.timeoutMs
-            : DEFAULT_PASSKEY_CONFIG.timeoutMs,
-        userVerification: config.userVerification ?? DEFAULT_PASSKEY_CONFIG.userVerification
-    };
-}
 export class MemAuthStore {
     constructor(params = {}) {
         this.userStore = new MemoryUserStore({

package/dist/esm/auth-api/sql-auth-store.js

@@ -1,22 +1,10 @@
 import { SequelizeOAuthStore } from '../oauth/sequelize.js';
+import { normalizePasskeyConfig } from '../passkey/config.js';
 import { SequelizePasskeyStore } from '../passkey/sequelize.js';
+import { normalizeTablePrefix } from '../sequelize-utils.js';
 import { SequelizeTokenStore } from '../token/sequelize.js';
 import { SequelizeUserStore } from '../user/sequelize.js';
 import { CompositeAuthAdapter } from './compat-auth-storage.js';
-const DEFAULT_PASSKEY_CONFIG = {
-    rpId: 'localhost',
-    rpName: 'API Server',
-    origins: ['http://localhost:5173'],
-    timeoutMs: 5 * 60 * 1000,
-    userVerification: 'preferred'
-};
-function normalizeTablePrefix(prefix) {
-    if (!prefix) {
-        return undefined;
-    }
-    const trimmed = prefix.trim();
-    return trimmed.length > 0 ? trimmed : undefined;
-}
 function resolveTablePrefix(...prefixes) {
     for (const prefix of prefixes) {
         const normalized = normalizeTablePrefix(prefix);
@@ -26,21 +14,6 @@ function resolveTablePrefix(...prefixes) {
     }
     return undefined;
 }
-function isOriginString(origin) {
-    return typeof origin === 'string' && origin.trim().length > 0;
-}
-function normalizePasskeyConfig(config = {}) {
-    const candidateOrigins = Array.isArray(config.origins) && config.origins.length > 0 ? config.origins.filter(isOriginString) : null;
-    return {
-        rpId: config.rpId?.trim() || DEFAULT_PASSKEY_CONFIG.rpId,
-        rpName: config.rpName?.trim() || DEFAULT_PASSKEY_CONFIG.rpName,
-        origins: candidateOrigins ? candidateOrigins.map((origin) => origin.trim()) : DEFAULT_PASSKEY_CONFIG.origins,
-        timeoutMs: typeof config.timeoutMs === 'number' && config.timeoutMs > 0
-            ? config.timeoutMs
-            : DEFAULT_PASSKEY_CONFIG.timeoutMs,
-        userVerification: config.userVerification ?? DEFAULT_PASSKEY_CONFIG.userVerification
-    };
-}
 export class SqlAuthStore {
     constructor(params) {
         this.closed = false;

package/dist/esm/auth-api/user-id.d.ts

@@ -0,0 +1,4 @@
+import type { AuthIdentifier } from './types.js';
+export declare function normalizeComparableUserId(identifier: AuthIdentifier): string;
+export declare function normalizeNumericUserId(identifier: AuthIdentifier): number;
+export declare function normalizeStringUserId(identifier: AuthIdentifier): string;

package/dist/esm/auth-api/user-id.js

@@ -0,0 +1,26 @@
+export function normalizeComparableUserId(identifier) {
+    if (typeof identifier === 'number' && Number.isFinite(identifier)) {
+        return String(identifier);
+    }
+    if (typeof identifier === 'string') {
+        const trimmed = identifier.trim();
+        if (trimmed.length === 0) {
+            throw new Error(`Unable to normalise user identifier: ${identifier}`);
+        }
+        if (/^\d+$/.test(trimmed)) {
+            return String(Number(trimmed));
+        }
+        return trimmed;
+    }
+    throw new Error(`Unable to normalise user identifier: ${identifier}`);
+}
+export function normalizeNumericUserId(identifier) {
+    const normalized = normalizeComparableUserId(identifier);
+    if (/^\d+$/.test(normalized)) {
+        return Number(normalized);
+    }
+    throw new Error(`Unable to normalise user identifier: ${identifier}`);
+}
+export function normalizeStringUserId(identifier) {
+    return normalizeComparableUserId(identifier);
+}

package/dist/esm/auth-cookie-options.d.ts

@@ -0,0 +1,11 @@
+import type { Request } from 'express';
+import type { CookieOptions } from 'express-serve-static-core';
+export interface AuthCookieConfig {
+    cookieSecure?: boolean | 'auto';
+    cookieSameSite?: 'lax' | 'strict' | 'none';
+    cookieHttpOnly?: boolean;
+    cookieDomain?: string;
+    cookiePath?: string;
+    devMode?: boolean;
+}
+export declare function buildAuthCookieOptions(config: AuthCookieConfig, req: Pick<Request, 'headers' | 'protocol'>): CookieOptions;

package/dist/esm/auth-cookie-options.js

@@ -0,0 +1,54 @@
+function firstHeaderValue(value) {
+    if (typeof value === 'string') {
+        return value;
+    }
+    if (Array.isArray(value)) {
+        return value[0] ?? '';
+    }
+    return '';
+}
+function resolveOriginHostname(origin) {
+    try {
+        const url = new URL(origin);
+        const hostname = url.hostname.trim().toLowerCase();
+        return hostname.length > 0 ? hostname : null;
+    }
+    catch {
+        return null;
+    }
+}
+function isLocalhostOrigin(origin) {
+    const hostname = resolveOriginHostname(origin);
+    if (!hostname) {
+        return false;
+    }
+    return hostname === 'localhost' || hostname.endsWith('.localhost');
+}
+export function buildAuthCookieOptions(config, req) {
+    const forwardedProto = firstHeaderValue(req.headers['x-forwarded-proto']).split(',')[0].trim().toLowerCase();
+    const isHttps = forwardedProto === 'https' || req.protocol === 'https';
+    const origin = firstHeaderValue(req.headers.origin ?? req.headers.referer);
+    const secure = config.cookieSecure === true ? true : config.cookieSecure === false ? false : /* auto */ Boolean(isHttps);
+    let sameSite = config.cookieSameSite ?? 'lax';
+    if (sameSite !== 'lax' && sameSite !== 'strict' && sameSite !== 'none') {
+        sameSite = 'lax';
+    }
+    let resolvedSecure = secure;
+    if (sameSite === 'none' && resolvedSecure !== true) {
+        // Modern browsers reject SameSite=None cookies unless Secure is set.
+        resolvedSecure = true;
+    }
+    const options = {
+        httpOnly: config.cookieHttpOnly ?? true,
+        secure: resolvedSecure,
+        sameSite,
+        domain: config.cookieDomain || undefined,
+        path: config.cookiePath || '/',
+        maxAge: undefined
+    };
+    if (config.devMode && isLocalhostOrigin(origin)) {
+        // Domain cookies do not work on localhost; avoid breaking local development when cookieDomain is set.
+        options.domain = undefined;
+    }
+    return options;
+}

package/dist/esm/oauth/memory.js

@@ -1,4 +1,5 @@
 import bcrypt from 'bcryptjs';
+import { normalizeNumericUserId } from '../auth-api/user-id.js';
 import { OAuthStore } from './base.js';
 function cloneClient(client) {
     if (!client) {
@@ -6,7 +7,8 @@ function cloneClient(client) {
     }
     return {
         clientId: client.clientId,
-        clientSecret: client.clientSecret,
+        // clientSecret is stored hashed; do not return the hash.
+        clientSecret: client.clientSecret ? '__stored__' : undefined,
         name: client.name,
         redirectUris: [...client.redirectUris],
         scope: client.scope ? [...client.scope] : undefined,
@@ -22,15 +24,7 @@ function cloneCode(code) {
         metadata: code.metadata ? { ...code.metadata } : undefined
     };
 }
-function normalizeUserId(identifier) {
-    if (typeof identifier === 'number' && Number.isFinite(identifier)) {
-        return identifier;
-    }
-    if (typeof identifier === 'string' && /^\d+$/.test(identifier)) {
-        return Number(identifier);
-    }
-    throw new Error(`Unable to normalise user identifier: ${identifier}`);
-}
+const normalizeUserId = normalizeNumericUserId;
 export class MemoryOAuthStore extends OAuthStore {
     constructor(options = {}) {
         super();

package/dist/esm/oauth/models.js

@@ -1,16 +1,5 @@
 import { DataTypes, Model } from 'sequelize';
-const DIALECTS_SUPPORTING_UNSIGNED = new Set(['mysql', 'mariadb']);
-function normalizeTablePrefix(prefix) {
-    if (!prefix) {
-        return undefined;
-    }
-    const trimmed = prefix.trim();
-    return trimmed.length > 0 ? trimmed : undefined;
-}
-function applyTablePrefix(prefix, tableName) {
-    const normalized = normalizeTablePrefix(prefix);
-    return normalized ? `${normalized}${tableName}` : tableName;
-}
+import { DIALECTS_SUPPORTING_UNSIGNED, applyTablePrefix } from '../sequelize-utils.js';
 function integerIdType(sequelize) {
     return DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? DataTypes.INTEGER.UNSIGNED : DataTypes.INTEGER;
 }

package/dist/esm/oauth/sequelize.js

@@ -1,18 +1,8 @@
 import bcrypt from 'bcryptjs';
 import { DataTypes, Model } from 'sequelize';
+import { normalizeNumericUserId } from '../auth-api/user-id.js';
+import { DIALECTS_SUPPORTING_UNSIGNED, applyTablePrefix } from '../sequelize-utils.js';
 import { OAuthStore } from './base.js';
-const DIALECTS_SUPPORTING_UNSIGNED = new Set(['mysql', 'mariadb']);
-function normalizeTablePrefix(prefix) {
-    if (!prefix) {
-        return undefined;
-    }
-    const trimmed = prefix.trim();
-    return trimmed.length > 0 ? trimmed : undefined;
-}
-function applyTablePrefix(prefix, tableName) {
-    const normalized = normalizeTablePrefix(prefix);
-    return normalized ? `${normalized}${tableName}` : tableName;
-}
 function integerIdType(sequelize) {
     return DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? DataTypes.INTEGER.UNSIGNED : DataTypes.INTEGER;
 }
@@ -101,13 +91,7 @@ function parseMetadata(raw) {
     return undefined;
 }
 function normalizeUserId(identifier) {
-    if (typeof identifier === 'number' && Number.isFinite(identifier)) {
-        return identifier;
-    }
-    if (typeof identifier === 'string' && /^\d+$/.test(identifier)) {
-        return Number(identifier);
-    }
-    throw new Error(`Unable to normalise user identifier: ${identifier}`);
+    return normalizeNumericUserId(identifier);
 }
 export class SequelizeOAuthStore extends OAuthStore {
     constructor(options) {
@@ -194,7 +178,8 @@ export class SequelizeOAuthStore extends OAuthStore {
     toOAuthClient(model) {
         return {
             clientId: model.client_id,
-            clientSecret: model.client_secret,
+            // client_secret is stored hashed; do not return the hash.
+            clientSecret: model.client_secret ? '__stored__' : undefined,
             name: model.name ?? undefined,
             redirectUris: decodeStringArray(model.redirect_uris),
             scope: decodeStringArray(model.scope),

package/dist/esm/passkey/config.d.ts

@@ -0,0 +1,2 @@
+import type { PasskeyServiceConfig } from './types.js';
+export declare function normalizePasskeyConfig(config?: Partial<PasskeyServiceConfig>): PasskeyServiceConfig;

package/dist/esm/passkey/config.js

@@ -0,0 +1,23 @@
+const DEFAULT_PASSKEY_CONFIG = {
+    rpId: 'localhost',
+    rpName: 'API Server',
+    origins: ['http://localhost:5173'],
+    timeoutMs: 5 * 60 * 1000,
+    userVerification: 'preferred'
+};
+function isOriginString(origin) {
+    return typeof origin === 'string' && origin.trim().length > 0;
+}
+export function normalizePasskeyConfig(config = {}) {
+    const candidateOrigins = Array.isArray(config.origins) && config.origins.length > 0 ? config.origins.filter(isOriginString) : null;
+    return {
+        rpId: config.rpId?.trim() || DEFAULT_PASSKEY_CONFIG.rpId,
+        rpName: config.rpName?.trim() || DEFAULT_PASSKEY_CONFIG.rpName,
+        origins: candidateOrigins ? candidateOrigins.map((origin) => origin.trim()) : DEFAULT_PASSKEY_CONFIG.origins,
+        timeoutMs: typeof config.timeoutMs === 'number' && config.timeoutMs > 0
+            ? config.timeoutMs
+            : DEFAULT_PASSKEY_CONFIG.timeoutMs,
+        userVerification: config.userVerification ?? DEFAULT_PASSKEY_CONFIG.userVerification,
+        debug: Boolean(config.debug)
+    };
+}

package/dist/esm/passkey/memory.js

@@ -1,16 +1,9 @@
+import { normalizeComparableUserId } from '../auth-api/user-id.js';
 import { PasskeyStore } from './base.js';
 function encodeCredentialId(value) {
     return Buffer.isBuffer(value) ? value.toString('base64') : value;
 }
-function normalizeUserId(identifier) {
-    if (typeof identifier === 'number' && Number.isFinite(identifier)) {
-        return identifier;
-    }
-    if (typeof identifier === 'string' && /^\d+$/.test(identifier)) {
-        return Number(identifier);
-    }
-    return identifier;
-}
+const normalizeUserId = normalizeComparableUserId;
 function cloneCredential(record) {
     return {
         ...record,

package/dist/esm/passkey/models.js

@@ -1,16 +1,5 @@
 import { DataTypes, Model } from 'sequelize';
-const DIALECTS_SUPPORTING_UNSIGNED = new Set(['mysql', 'mariadb']);
-function normalizeTablePrefix(prefix) {
-    if (!prefix) {
-        return undefined;
-    }
-    const trimmed = prefix.trim();
-    return trimmed.length > 0 ? trimmed : undefined;
-}
-function applyTablePrefix(prefix, tableName) {
-    const normalized = normalizeTablePrefix(prefix);
-    return normalized ? `${normalized}${tableName}` : tableName;
-}
+import { DIALECTS_SUPPORTING_UNSIGNED, applyTablePrefix } from '../sequelize-utils.js';
 function integerIdType(sequelize) {
     return DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? DataTypes.INTEGER.UNSIGNED : DataTypes.INTEGER;
 }

package/dist/esm/passkey/sequelize.js

@@ -1,17 +1,7 @@
 import { DataTypes, Model, Op } from 'sequelize';
+import { normalizeNumericUserId } from '../auth-api/user-id.js';
+import { DIALECTS_SUPPORTING_UNSIGNED, applyTablePrefix } from '../sequelize-utils.js';
 import { PasskeyStore } from './base.js';
-const DIALECTS_SUPPORTING_UNSIGNED = new Set(['mysql', 'mariadb']);
-function normalizeTablePrefix(prefix) {
-    if (!prefix) {
-        return undefined;
-    }
-    const trimmed = prefix.trim();
-    return trimmed.length > 0 ? trimmed : undefined;
-}
-function applyTablePrefix(prefix, tableName) {
-    const normalized = normalizeTablePrefix(prefix);
-    return normalized ? `${normalized}${tableName}` : tableName;
-}
 function integerIdType(sequelize) {
     return DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? DataTypes.INTEGER.UNSIGNED : DataTypes.INTEGER;
 }
@@ -19,13 +9,7 @@ function encodeCredentialId(value) {
     return Buffer.isBuffer(value) ? value.toString('base64') : value;
 }
 function normalizeUserId(identifier) {
-    if (typeof identifier === 'number' && Number.isFinite(identifier)) {
-        return identifier;
-    }
-    if (typeof identifier === 'string' && /^\d+$/.test(identifier)) {
-        return Number(identifier);
-    }
-    throw new Error(`Unable to normalise user identifier: ${identifier}`);
+    return normalizeNumericUserId(identifier);
 }
 class PasskeyCredentialModel extends Model {
 }

package/dist/esm/passkey/service.js

@@ -232,7 +232,7 @@ export class PasskeyService {
             }
         }
         const publicKey = publicKeyPrimary && publicKeyPrimary.length > 0 ? publicKeyPrimary : publicKeyFallback;
-        if (this.logger?.warn) {
+        if (this.config.debug && this.logger?.warn) {
             const pkPrimaryHex = publicKeyPrimary ? publicKeyPrimary.slice(0, 4).toString('hex') : 'null';
             const pkFallbackHex = publicKeyFallback ? publicKeyFallback.slice(0, 4).toString('hex') : 'null';
             this.logger.warn(`Passkey registration: pkPrimary len=${publicKeyPrimary?.length ?? 0} head=${pkPrimaryHex}, pkFallback len=${publicKeyFallback?.length ?? 0} head=${pkFallbackHex}`);

package/dist/esm/passkey/types.d.ts

@@ -8,6 +8,11 @@ export interface PasskeyServiceConfig {
     origins: string[];
     timeoutMs: number;
     userVerification?: 'preferred' | 'required' | 'discouraged';
+    /**
+     * When enabled, PasskeyService emits additional diagnostic logs during registration/authentication.
+     * Defaults to false.
+     */
+    debug?: boolean;
 }
 export interface PasskeyChallengeRecord {
     challenge: string;

package/dist/esm/sequelize-utils.d.ts

@@ -0,0 +1,3 @@
+export declare const DIALECTS_SUPPORTING_UNSIGNED: Set<string>;
+export declare function normalizeTablePrefix(prefix?: string): string | undefined;
+export declare function applyTablePrefix(prefix: string | undefined, tableName: string): string;

package/dist/esm/sequelize-utils.js

@@ -0,0 +1,12 @@
+export const DIALECTS_SUPPORTING_UNSIGNED = new Set(['mysql', 'mariadb']);
+export function normalizeTablePrefix(prefix) {
+    if (!prefix) {
+        return undefined;
+    }
+    const trimmed = prefix.trim();
+    return trimmed.length > 0 ? trimmed : undefined;
+}
+export function applyTablePrefix(prefix, tableName) {
+    const normalized = normalizeTablePrefix(prefix);
+    return normalized ? `${normalized}${tableName}` : tableName;
+}

package/dist/esm/token/memory.d.ts

@@ -2,6 +2,10 @@ import { TokenStore } from './base.js';
 import type { Token } from './types.js';
 export declare class MemoryTokenStore extends TokenStore {
     private readonly tokens;
+    private readonly tokensByUser;
+    private indexToken;
+    private unindexToken;
+    private removeByRefreshToken;
     save(record: Token): Promise<void>;
     get(query: Partial<Token>, opts?: {
         includeExpired?: boolean;