@technomoron/api-server-base 2.0.0-beta.18 → 2.0.0-beta.19

package/dist/cjs/api-module.cjs

@@ -2,6 +2,15 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.ApiModule = void 0;
 class ApiModule {
+    get server() {
+        if (this._server === undefined) {
+            throw new Error('ApiModule.server is not set. Mount the module with ApiServer.api(...) before using it.');
+        }
+        return this._server;
+    }
+    set server(value) {
+        this._server = value;
+    }
     constructor(opts = {}) {
         this.mountpath = '';
         this.namespace = opts.namespace ?? this.constructor.defaultNamespace ?? '';

package/dist/cjs/api-module.d.ts

@@ -7,7 +7,7 @@ export interface ApiKey {
     uid: unknown;
 }
 export type ApiRoute = {
-    method: 'get' | 'post' | 'put' | 'delete';
+    method: 'get' | 'post' | 'put' | 'patch' | 'delete';
     path: string;
     handler: ApiHandler;
     auth: {
@@ -16,7 +16,9 @@ export type ApiRoute = {
     };
 };
 export declare class ApiModule<T = unknown> {
-    server: T;
+    private _server?;
+    get server(): T;
+    set server(value: T);
     namespace: string;
     mountpath: string;
     static defaultNamespace: string;

package/dist/cjs/api-server-base.cjs

@@ -20,6 +20,7 @@ const express_1 = __importDefault(require("express"));
 const multer_1 = __importDefault(require("multer"));
 const module_js_1 = require("./auth-api/module.js");
 const storage_js_1 = require("./auth-api/storage.js");
+const auth_cookie_options_js_1 = require("./auth-cookie-options.js");
 const base_js_1 = require("./token/base.js");
 class JwtHelperStore extends base_js_1.TokenStore {
     async save() {
@@ -77,6 +78,7 @@ function hydrateGetBody(req) {
         req.body = { ...query };
         return;
     }
+    // Keep explicit body fields authoritative when both query and body provide the same key.
     req.body = { ...query, ...body };
 }
 function normalizeIpAddress(candidate) {
@@ -337,6 +339,17 @@ function isApiErrorLike(candidate) {
     const maybeError = candidate;
     return typeof maybeError.code === 'number' && typeof maybeError.message === 'string';
 }
+function asHttpStatus(error) {
+    if (!error || typeof error !== 'object') {
+        return null;
+    }
+    const maybe = error;
+    const status = typeof maybe.status === 'number' ? maybe.status : maybe.statusCode;
+    if (typeof status === 'number' && status >= 400 && status <= 599) {
+        return status;
+    }
+    return null;
+}
 function fillConfig(config) {
     return {
         apiPort: config.apiPort ?? 3101,
@@ -369,7 +382,8 @@ function fillConfig(config) {
         apiVersion: config.apiVersion ?? '',
         minClientVersion: config.minClientVersion ?? '',
         tokenStore: config.tokenStore,
-        authStores: config.authStores
+        authStores: config.authStores,
+        onStartError: config.onStartError
     };
 }
 class ApiServer {
@@ -382,17 +396,23 @@ class ApiServer {
         return null;
     }
     set currReq(_value) {
+        if (this.config.devMode && !this.currReqDeprecationWarned) {
+            this.currReqDeprecationWarned = true;
+            console.warn('[api-server-base] ApiServer.currReq is deprecated and always null. Use req.apiReq or res.locals.apiReq.');
+        }
         void _value;
     }
     constructor(config = {}) {
         this.finalized = false;
         this.serverAuthAdapter = null;
         this.apiNotFoundHandler = null;
+        this.apiErrorHandlerInstalled = false;
         this.tokenStoreAdapter = null;
         this.userStoreAdapter = null;
         this.passkeyServiceAdapter = null;
         this.oauthStoreAdapter = null;
         this.canImpersonateAdapter = null;
+        this.currReqDeprecationWarned = false;
         this.config = fillConfig(config);
         this.apiBasePath = this.normalizeApiBasePath(this.config.apiBasePath);
         this.startedAt = Date.now();
@@ -439,6 +459,7 @@ class ApiServer {
         this.app.use(this.apiBasePath, this.apiRouter);
         // addSwaggerUi(this.app);
         this.installApiNotFoundHandler();
+        this.installApiErrorHandler();
     }
     assertNotFinalized(action) {
         if (this.finalized) {
@@ -468,6 +489,7 @@ class ApiServer {
     }
     finalize() {
         this.installApiNotFoundHandler();
+        this.installApiErrorHandler();
         this.finalized = true;
         return this;
     }
@@ -810,8 +832,12 @@ class ApiServer {
         const base = this.apiBasePath === '/' ? '' : this.apiBasePath;
         const resolved = rawPath.length > 0 ? rawPath : `${base}/swagger`;
         const path = resolved.startsWith('/') ? resolved : `/${resolved}`;
-        const spec = this.loadSwaggerSpec();
+        let specCache;
         this.app.get(path, (_req, res) => {
+            if (specCache === undefined) {
+                specCache = this.loadSwaggerSpec();
+            }
+            const spec = specCache;
             if (!spec) {
                 res.status(500).json({
                     success: false,
@@ -855,6 +881,13 @@ class ApiServer {
         };
         this.app.use(this.apiBasePath, this.apiNotFoundHandler);
     }
+    installApiErrorHandler() {
+        if (this.apiErrorHandlerInstalled) {
+            return;
+        }
+        this.apiErrorHandlerInstalled = true;
+        this.app.use(this.apiBasePath, this.expressErrorHandler());
+    }
     describeMissingEndpoint(req) {
         const method = typeof req.method === 'string' ? req.method.toUpperCase() : 'GET';
         const target = req.originalUrl || req.url || this.apiBasePath;
@@ -889,10 +922,17 @@ class ApiServer {
             }
             const err = new Error(message);
             err.cause = error;
+            if (typeof this.config.onStartError === 'function') {
+                this.config.onStartError(err);
+                return;
+            }
             throw err;
         });
         return this;
     }
+    internalServerErrorMessage(error) {
+        return this.config.debug ? this.guessExceptionText(error) : 'Internal server error';
+    }
     async verifyJWT(token) {
         if (!this.config.accessSecret) {
             return { tokenData: undefined, error: 'JWT authentication disabled; no jwtSecret set', expired: false };
@@ -907,39 +947,7 @@ class ApiServer {
         return { tokenData: result.data, error: undefined, expired: false };
     }
     jwtCookieOptions(apiReq) {
-        const conf = this.config;
-        const forwarded = apiReq.req.headers['x-forwarded-proto'];
-        const referer = apiReq.req.headers['origin'] ?? apiReq.req.headers['referer'];
-        const origin = typeof referer === 'string' ? referer : '';
-        const forwardedProto = (typeof forwarded === 'string' ? forwarded : Array.isArray(forwarded) ? (forwarded[0] ?? '') : '')
-            .split(',')[0]
-            .trim()
-            .toLowerCase();
-        const isHttps = forwardedProto === 'https' || apiReq.req.protocol === 'https';
-        const isLocalhost = origin.includes('localhost');
-        const secure = conf.cookieSecure === true ? true : conf.cookieSecure === false ? false : /* auto */ Boolean(isHttps);
-        let sameSite = conf.cookieSameSite ?? 'lax';
-        if (sameSite !== 'lax' && sameSite !== 'strict' && sameSite !== 'none') {
-            sameSite = 'lax';
-        }
-        let resolvedSecure = secure;
-        if (sameSite === 'none' && resolvedSecure !== true) {
-            // Modern browsers reject SameSite=None cookies unless Secure is set.
-            resolvedSecure = true;
-        }
-        const options = {
-            httpOnly: conf.cookieHttpOnly ?? true,
-            secure: resolvedSecure,
-            sameSite,
-            domain: conf.cookieDomain || undefined,
-            path: conf.cookiePath || '/',
-            maxAge: undefined
-        };
-        if (conf.devMode && isLocalhost) {
-            // Domain cookies do not work on localhost; avoid breaking local development when cookieDomain is set.
-            options.domain = undefined;
-        }
-        return options;
+        return (0, auth_cookie_options_js_1.buildAuthCookieOptions)(this.config, apiReq.req);
     }
     setAccessCookie(apiReq, accessToken, sessionCookie) {
         const conf = this.config;
@@ -1285,10 +1293,21 @@ class ApiServer {
                 res.status(apiError.code).json(errorPayload);
                 return;
             }
+            const status = asHttpStatus(error);
+            if (status) {
+                res.status(status).json({
+                    success: false,
+                    code: status,
+                    message: status === 400 ? 'Invalid request payload' : this.internalServerErrorMessage(error),
+                    data: null,
+                    errors: {}
+                });
+                return;
+            }
             const errorPayload = {
                 success: false,
                 code: 500,
-                message: this.guessExceptionText(error),
+                message: this.internalServerErrorMessage(error),
                 data: null,
                 errors: {}
             };
@@ -1348,7 +1367,7 @@ class ApiServer {
                     const errorPayload = {
                         success: false,
                         code: 500,
-                        message: this.guessExceptionText(error),
+                        message: this.internalServerErrorMessage(error),
                         data: null,
                         errors: {}
                     };
@@ -1389,6 +1408,9 @@ class ApiServer {
                 case 'put':
                     router.put(r.path, handler);
                     break;
+                case 'patch':
+                    router.patch(r.path, handler);
+                    break;
                 case 'delete':
                     router.delete(r.path, handler);
                     break;

package/dist/cjs/api-server-base.d.ts

@@ -129,6 +129,7 @@ export interface ApiServerConf {
     minClientVersion: string;
     tokenStore?: TokenStore;
     authStores?: ApiServerAuthStores;
+    onStartError?: (error: Error) => void;
 }
 export declare class ApiServer {
     app: Application;
@@ -141,12 +142,14 @@ export declare class ApiServer {
     private moduleAdapter;
     private serverAuthAdapter;
     private apiNotFoundHandler;
+    private apiErrorHandlerInstalled;
     private tokenStoreAdapter;
     private userStoreAdapter;
     private passkeyServiceAdapter;
     private oauthStoreAdapter;
     private canImpersonateAdapter;
     private readonly jwtHelper;
+    private currReqDeprecationWarned;
     /**
      * @deprecated ApiServer does not track a global "current request". This value is always null.
      * Use the per-request ApiRequest passed to handlers, or `req.apiReq` / `res.locals.apiReq`
@@ -225,8 +228,10 @@ export declare class ApiServer {
     private installSwaggerHandler;
     private normalizeApiBasePath;
     private installApiNotFoundHandler;
+    private installApiErrorHandler;
     private describeMissingEndpoint;
     start(): this;
+    private internalServerErrorMessage;
     private verifyJWT;
     private jwtCookieOptions;
     private setAccessCookie;

package/dist/cjs/auth-api/auth-module.d.ts

@@ -10,10 +10,16 @@ interface CanImpersonateContext<UserEntity> {
     targetUser: UserEntity;
     effectiveUserId: AuthIdentifier;
 }
+type AuthRateLimitEndpoint = 'login' | 'passkey-challenge' | 'oauth-token';
 interface AuthModuleOptions<UserEntity> {
     namespace?: string;
     defaultDomain?: string;
     canImpersonate?: (context: CanImpersonateContext<UserEntity>) => Promise<boolean> | boolean;
+    rateLimit?: (context: {
+        apiReq: ApiRequest;
+        endpoint: AuthRateLimitEndpoint;
+    }) => Promise<void> | void;
+    allowInsecurePkcePlain?: boolean;
 }
 type TokenMetadata = Partial<Token> & {
     sessionCookie?: boolean;
@@ -42,9 +48,12 @@ type AuthCapableServer<PublicUser> = ApiServer & {
 };
 export default class AuthModule<UserEntity, PublicUser> extends BaseAuthModule<UserEntity> implements AuthProviderModule<UserEntity> {
     static defaultNamespace: string;
-    server: AuthCapableServer<PublicUser>;
+    get server(): AuthCapableServer<PublicUser>;
+    set server(value: AuthCapableServer<PublicUser>);
     private readonly defaultDomain?;
     private readonly canImpersonateHook?;
+    private readonly rateLimitHook?;
+    private readonly allowInsecurePkcePlain;
     constructor(options?: AuthModuleOptions<UserEntity>);
     protected get storage(): AuthAdapter<UserEntity, PublicUser>;
     protected canImpersonate(apiReq: ApiRequest, realUser: UserEntity, targetUser: UserEntity): Promise<boolean>;
@@ -100,6 +109,8 @@ export default class AuthModule<UserEntity, PublicUser> extends BaseAuthModule<U
     private hasOAuthStore;
     private storageImplements;
     private storageImplementsAll;
+    private applyRateLimit;
+    private resolvePkceChallengeMethod;
     defineRoutes(): ApiRoute[];
 }
 export {};

package/dist/cjs/auth-api/auth-module.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const node_crypto_1 = require("node:crypto");
 const helpers_1 = require("@simplewebauthn/server/helpers");
 const api_server_base_js_1 = require("../api-server-base.js");
+const auth_cookie_options_js_1 = require("../auth-cookie-options.js");
 const module_js_1 = require("./module.js");
 const storage_js_1 = require("./storage.js");
 function isAuthIdentifier(value) {
@@ -32,10 +33,18 @@ function sha256Base64Url(value) {
     return base64UrlEncode(hash);
 }
 class AuthModule extends module_js_1.BaseAuthModule {
+    get server() {
+        return super.server;
+    }
+    set server(value) {
+        super.server = value;
+    }
     constructor(options = {}) {
         super({ namespace: options.namespace ?? AuthModule.defaultNamespace });
         this.defaultDomain = options.defaultDomain;
         this.canImpersonateHook = options.canImpersonate;
+        this.rateLimitHook = options.rateLimit;
+        this.allowInsecurePkcePlain = options.allowInsecurePkcePlain ?? true;
     }
     get storage() {
         return this.server.getAuthStorage();
@@ -236,37 +245,7 @@ class AuthModule extends module_js_1.BaseAuthModule {
         return Number.isNaN(date.getTime()) ? undefined : date.toISOString();
     }
     cookieOptions(apiReq) {
-        const conf = this.server.config;
-        const forwarded = apiReq.req.headers['x-forwarded-proto'];
-        const referer = apiReq.req.headers['origin'] ?? apiReq.req.headers['referer'];
-        const origin = typeof referer === 'string' ? referer : '';
-        const forwardedProto = (typeof forwarded === 'string' ? forwarded : Array.isArray(forwarded) ? (forwarded[0] ?? '') : '')
-            .split(',')[0]
-            .trim()
-            .toLowerCase();
-        const isHttps = forwardedProto === 'https' || apiReq.req.protocol === 'https';
-        const isLocalhost = origin.includes('localhost');
-        const secure = conf.cookieSecure === true ? true : conf.cookieSecure === false ? false : /* auto */ Boolean(isHttps);
-        let sameSite = conf.cookieSameSite ?? 'lax';
-        if (sameSite !== 'lax' && sameSite !== 'strict' && sameSite !== 'none') {
-            sameSite = 'lax';
-        }
-        let resolvedSecure = secure;
-        if (sameSite === 'none' && resolvedSecure !== true) {
-            resolvedSecure = true;
-        }
-        const options = {
-            httpOnly: conf.cookieHttpOnly ?? true,
-            secure: resolvedSecure,
-            sameSite,
-            domain: conf.cookieDomain || undefined,
-            path: conf.cookiePath || '/',
-            maxAge: undefined
-        };
-        if (conf.devMode && isLocalhost) {
-            options.domain = undefined;
-        }
-        return options;
+        return (0, auth_cookie_options_js_1.buildAuthCookieOptions)(this.server.config, apiReq.req);
     }
     setJwtCookies(apiReq, tokens, preferences = {}) {
         const conf = this.server.config;
@@ -293,7 +272,10 @@ class AuthModule extends module_js_1.BaseAuthModule {
     async issueTokens(apiReq, user, metadata = {}) {
         const conf = this.server.config;
         const enrichedMetadata = this.enrichTokenMetadata(apiReq, metadata);
-        const payload = this.buildTokenPayload(user, enrichedMetadata);
+        const payload = {
+            ...this.buildTokenPayload(user, enrichedMetadata),
+            jti: (0, node_crypto_1.randomUUID)()
+        };
         const access = this.server.jwtSign(payload, conf.accessSecret, conf.accessExpiry);
         if (!access.success || !access.token) {
             throw new api_server_base_js_1.ApiError({ code: 500, message: access.error ?? 'Unable to sign access token' });
@@ -463,6 +445,7 @@ class AuthModule extends module_js_1.BaseAuthModule {
         return undefined;
     }
     async postLogin(apiReq) {
+        await this.applyRateLimit(apiReq, 'login');
         this.assertAuthReady();
         const { login, password, ...metadata } = this.parseLoginBody(apiReq);
         const user = await this.storage.getUser(login);
@@ -626,6 +609,7 @@ class AuthModule extends module_js_1.BaseAuthModule {
         ];
     }
     async postPasskeyChallenge(apiReq) {
+        await this.applyRateLimit(apiReq, 'passkey-challenge');
         if (typeof this.storage.createPasskeyChallenge !== 'function') {
             throw new api_server_base_js_1.ApiError({ code: 501, message: 'Passkey support is not configured' });
         }
@@ -763,7 +747,8 @@ class AuthModule extends module_js_1.BaseAuthModule {
     async deleteImpersonation(apiReq) {
         this.assertAuthReady();
         const actor = await this.resolveActorContext(apiReq);
-        const metadata = this.buildImpersonationMetadata((apiReq.req.body ?? {}));
+        const query = (apiReq.req.query ?? {});
+        const metadata = this.buildImpersonationMetadata(query);
         metadata.loginType = metadata.loginType ?? 'impersonation-end';
         const tokens = await this.issueTokens(apiReq, actor.user, metadata);
         const publicUser = this.storage.filterUser(actor.user);
@@ -835,6 +820,7 @@ class AuthModule extends module_js_1.BaseAuthModule {
         const state = toStringOrNull(body.state) ?? undefined;
         const codeChallenge = toStringOrNull(body.codeChallenge) ?? undefined;
         const codeChallengeMethod = toStringOrNull(body.codeChallengeMethod) ?? undefined;
+        const resolvedCodeChallengeMethod = this.resolvePkceChallengeMethod(codeChallengeMethod);
         if (!clientId) {
             throw new api_server_base_js_1.ApiError({ code: 400, message: 'clientId is required' });
         }
@@ -854,7 +840,7 @@ class AuthModule extends module_js_1.BaseAuthModule {
             redirectUri,
             scope: resolvedScope,
             codeChallenge,
-            codeChallengeMethod: codeChallengeMethod === 'S256' ? 'S256' : codeChallengeMethod === 'plain' ? 'plain' : undefined,
+            codeChallengeMethod: resolvedCodeChallengeMethod,
             expiresInSeconds: 300
         });
         const redirect = new URL(redirectUri);
@@ -865,6 +851,7 @@ class AuthModule extends module_js_1.BaseAuthModule {
         return [200, { code: codeRecord.code, redirectUri: redirect.toString(), state }];
     }
     async postOAuthToken(apiReq) {
+        await this.applyRateLimit(apiReq, 'oauth-token');
         if (typeof this.storage.getClient !== 'function' || typeof this.storage.consumeAuthCode !== 'function') {
             throw new api_server_base_js_1.ApiError({ code: 501, message: 'OAuth token storage is not configured' });
         }
@@ -918,6 +905,9 @@ class AuthModule extends module_js_1.BaseAuthModule {
                 }
             }
             else if (record.codeChallengeMethod === 'plain') {
+                if (!this.allowInsecurePkcePlain) {
+                    throw new api_server_base_js_1.ApiError({ code: 400, message: 'PKCE plain is not permitted' });
+                }
                 if (codeVerifier !== record.codeChallenge) {
                     throw new api_server_base_js_1.ApiError({ code: 400, message: 'code_verifier does not match challenge' });
                 }
@@ -1118,6 +1108,24 @@ class AuthModule extends module_js_1.BaseAuthModule {
     storageImplementsAll(keys) {
         return keys.every((key) => this.storageImplements(key));
     }
+    async applyRateLimit(apiReq, endpoint) {
+        if (!this.rateLimitHook) {
+            return;
+        }
+        await this.rateLimitHook({ apiReq, endpoint });
+    }
+    resolvePkceChallengeMethod(value) {
+        if (value === 'S256') {
+            return 'S256';
+        }
+        if (value === 'plain') {
+            if (!this.allowInsecurePkcePlain) {
+                throw new api_server_base_js_1.ApiError({ code: 400, message: 'PKCE plain is not permitted' });
+            }
+            return 'plain';
+        }
+        return undefined;
+    }
     defineRoutes() {
         const routes = [];
         const coreAuthSupported = this.storageImplementsAll([

package/dist/cjs/auth-api/mem-auth-store.js

@@ -2,33 +2,11 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.MemAuthStore = void 0;
 const memory_js_1 = require("../oauth/memory.js");
+const config_js_1 = require("../passkey/config.js");
 const memory_js_2 = require("../passkey/memory.js");
 const memory_js_3 = require("../token/memory.js");
 const memory_js_4 = require("../user/memory.js");
 const compat_auth_storage_js_1 = require("./compat-auth-storage.js");
-const DEFAULT_PASSKEY_CONFIG = {
-    rpId: 'localhost',
-    rpName: 'API Server',
-    origins: ['http://localhost:5173'],
-    timeoutMs: 5 * 60 * 1000,
-    userVerification: 'preferred'
-};
-function isOriginString(origin) {
-    return typeof origin === 'string' && origin.trim().length > 0;
-}
-function normalizePasskeyConfig(config = {}) {
-    const candidateOrigins = Array.isArray(config.origins) && config.origins.length > 0 ? config.origins.filter(isOriginString) : null;
-    return {
-        rpId: config.rpId?.trim() || DEFAULT_PASSKEY_CONFIG.rpId,
-        rpName: config.rpName?.trim() || DEFAULT_PASSKEY_CONFIG.rpName,
-        origins: candidateOrigins ? candidateOrigins.map((origin) => origin.trim()) : DEFAULT_PASSKEY_CONFIG.origins,
-        timeoutMs: typeof config.timeoutMs === 'number' && config.timeoutMs > 0
-            ? config.timeoutMs
-            : DEFAULT_PASSKEY_CONFIG.timeoutMs,
-        userVerification: config.userVerification ?? DEFAULT_PASSKEY_CONFIG.userVerification,
-        debug: Boolean(config.debug)
-    };
-}
 class MemAuthStore {
     constructor(params = {}) {
         this.userStore = new memory_js_4.MemoryUserStore({
@@ -43,7 +21,7 @@ class MemAuthStore {
         let passkeyStore;
         let passkeyConfig;
         if (params.passkeys !== false) {
-            passkeyConfig = normalizePasskeyConfig(params.passkeys ?? {});
+            passkeyConfig = (0, config_js_1.normalizePasskeyConfig)(params.passkeys ?? {});
             const resolveUser = async (lookup) => {
                 const found = await this.userStore.findUser(lookup.userId ?? lookup.login ?? '');
                 if (!found) {

package/dist/cjs/auth-api/sql-auth-store.js

@@ -2,49 +2,21 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.SqlAuthStore = void 0;
 const sequelize_js_1 = require("../oauth/sequelize.js");
+const config_js_1 = require("../passkey/config.js");
 const sequelize_js_2 = require("../passkey/sequelize.js");
+const sequelize_utils_js_1 = require("../sequelize-utils.js");
 const sequelize_js_3 = require("../token/sequelize.js");
 const sequelize_js_4 = require("../user/sequelize.js");
 const compat_auth_storage_js_1 = require("./compat-auth-storage.js");
-const DEFAULT_PASSKEY_CONFIG = {
-    rpId: 'localhost',
-    rpName: 'API Server',
-    origins: ['http://localhost:5173'],
-    timeoutMs: 5 * 60 * 1000,
-    userVerification: 'preferred'
-};
-function normalizeTablePrefix(prefix) {
-    if (!prefix) {
-        return undefined;
-    }
-    const trimmed = prefix.trim();
-    return trimmed.length > 0 ? trimmed : undefined;
-}
 function resolveTablePrefix(...prefixes) {
     for (const prefix of prefixes) {
-        const normalized = normalizeTablePrefix(prefix);
+        const normalized = (0, sequelize_utils_js_1.normalizeTablePrefix)(prefix);
         if (normalized) {
             return normalized;
         }
     }
     return undefined;
 }
-function isOriginString(origin) {
-    return typeof origin === 'string' && origin.trim().length > 0;
-}
-function normalizePasskeyConfig(config = {}) {
-    const candidateOrigins = Array.isArray(config.origins) && config.origins.length > 0 ? config.origins.filter(isOriginString) : null;
-    return {
-        rpId: config.rpId?.trim() || DEFAULT_PASSKEY_CONFIG.rpId,
-        rpName: config.rpName?.trim() || DEFAULT_PASSKEY_CONFIG.rpName,
-        origins: candidateOrigins ? candidateOrigins.map((origin) => origin.trim()) : DEFAULT_PASSKEY_CONFIG.origins,
-        timeoutMs: typeof config.timeoutMs === 'number' && config.timeoutMs > 0
-            ? config.timeoutMs
-            : DEFAULT_PASSKEY_CONFIG.timeoutMs,
-        userVerification: config.userVerification ?? DEFAULT_PASSKEY_CONFIG.userVerification,
-        debug: Boolean(config.debug)
-    };
-}
 class SqlAuthStore {
     constructor(params) {
         this.closed = false;
@@ -84,7 +56,7 @@ class SqlAuthStore {
         let passkeyConfig;
         if (params.passkeys !== false) {
             const passkeyTablePrefix = resolveTablePrefix(moduleTablePrefixes.passkey, params.tablePrefix);
-            passkeyConfig = normalizePasskeyConfig(params.passkeys ?? {});
+            passkeyConfig = (0, config_js_1.normalizePasskeyConfig)(params.passkeys ?? {});
             const resolveUser = async (lookup) => {
                 const found = await this.userStore.findUser(lookup.userId ?? lookup.login ?? '');
                 if (!found) {

package/dist/cjs/auth-api/user-id.d.ts

@@ -0,0 +1,4 @@
+import type { AuthIdentifier } from './types.js';
+export declare function normalizeComparableUserId(identifier: AuthIdentifier): string;
+export declare function normalizeNumericUserId(identifier: AuthIdentifier): number;
+export declare function normalizeStringUserId(identifier: AuthIdentifier): string;

package/dist/cjs/auth-api/user-id.js

@@ -0,0 +1,31 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.normalizeComparableUserId = normalizeComparableUserId;
+exports.normalizeNumericUserId = normalizeNumericUserId;
+exports.normalizeStringUserId = normalizeStringUserId;
+function normalizeComparableUserId(identifier) {
+    if (typeof identifier === 'number' && Number.isFinite(identifier)) {
+        return String(identifier);
+    }
+    if (typeof identifier === 'string') {
+        const trimmed = identifier.trim();
+        if (trimmed.length === 0) {
+            throw new Error(`Unable to normalise user identifier: ${identifier}`);
+        }
+        if (/^\d+$/.test(trimmed)) {
+            return String(Number(trimmed));
+        }
+        return trimmed;
+    }
+    throw new Error(`Unable to normalise user identifier: ${identifier}`);
+}
+function normalizeNumericUserId(identifier) {
+    const normalized = normalizeComparableUserId(identifier);
+    if (/^\d+$/.test(normalized)) {
+        return Number(normalized);
+    }
+    throw new Error(`Unable to normalise user identifier: ${identifier}`);
+}
+function normalizeStringUserId(identifier) {
+    return normalizeComparableUserId(identifier);
+}

package/dist/cjs/auth-cookie-options.d.ts

@@ -0,0 +1,11 @@
+import type { Request } from 'express';
+import type { CookieOptions } from 'express-serve-static-core';
+export interface AuthCookieConfig {
+    cookieSecure?: boolean | 'auto';
+    cookieSameSite?: 'lax' | 'strict' | 'none';
+    cookieHttpOnly?: boolean;
+    cookieDomain?: string;
+    cookiePath?: string;
+    devMode?: boolean;
+}
+export declare function buildAuthCookieOptions(config: AuthCookieConfig, req: Pick<Request, 'headers' | 'protocol'>): CookieOptions;