@technomoron/api-server-base 2.0.0-beta.18 → 2.0.0-beta.19

package/dist/cjs/auth-cookie-options.js

@@ -0,0 +1,57 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildAuthCookieOptions = buildAuthCookieOptions;
+function firstHeaderValue(value) {
+    if (typeof value === 'string') {
+        return value;
+    }
+    if (Array.isArray(value)) {
+        return value[0] ?? '';
+    }
+    return '';
+}
+function resolveOriginHostname(origin) {
+    try {
+        const url = new URL(origin);
+        const hostname = url.hostname.trim().toLowerCase();
+        return hostname.length > 0 ? hostname : null;
+    }
+    catch {
+        return null;
+    }
+}
+function isLocalhostOrigin(origin) {
+    const hostname = resolveOriginHostname(origin);
+    if (!hostname) {
+        return false;
+    }
+    return hostname === 'localhost' || hostname.endsWith('.localhost');
+}
+function buildAuthCookieOptions(config, req) {
+    const forwardedProto = firstHeaderValue(req.headers['x-forwarded-proto']).split(',')[0].trim().toLowerCase();
+    const isHttps = forwardedProto === 'https' || req.protocol === 'https';
+    const origin = firstHeaderValue(req.headers.origin ?? req.headers.referer);
+    const secure = config.cookieSecure === true ? true : config.cookieSecure === false ? false : /* auto */ Boolean(isHttps);
+    let sameSite = config.cookieSameSite ?? 'lax';
+    if (sameSite !== 'lax' && sameSite !== 'strict' && sameSite !== 'none') {
+        sameSite = 'lax';
+    }
+    let resolvedSecure = secure;
+    if (sameSite === 'none' && resolvedSecure !== true) {
+        // Modern browsers reject SameSite=None cookies unless Secure is set.
+        resolvedSecure = true;
+    }
+    const options = {
+        httpOnly: config.cookieHttpOnly ?? true,
+        secure: resolvedSecure,
+        sameSite,
+        domain: config.cookieDomain || undefined,
+        path: config.cookiePath || '/',
+        maxAge: undefined
+    };
+    if (config.devMode && isLocalhostOrigin(origin)) {
+        // Domain cookies do not work on localhost; avoid breaking local development when cookieDomain is set.
+        options.domain = undefined;
+    }
+    return options;
+}

package/dist/cjs/oauth/memory.js

@@ -5,6 +5,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.MemoryOAuthStore = void 0;
 const bcryptjs_1 = __importDefault(require("bcryptjs"));
+const user_id_js_1 = require("../auth-api/user-id.js");
 const base_js_1 = require("./base.js");
 function cloneClient(client) {
     if (!client) {
@@ -29,15 +30,7 @@ function cloneCode(code) {
         metadata: code.metadata ? { ...code.metadata } : undefined
     };
 }
-function normalizeUserId(identifier) {
-    if (typeof identifier === 'number' && Number.isFinite(identifier)) {
-        return identifier;
-    }
-    if (typeof identifier === 'string' && /^\d+$/.test(identifier)) {
-        return Number(identifier);
-    }
-    throw new Error(`Unable to normalise user identifier: ${identifier}`);
-}
+const normalizeUserId = user_id_js_1.normalizeNumericUserId;
 class MemoryOAuthStore extends base_js_1.OAuthStore {
     constructor(options = {}) {
         super();

package/dist/cjs/oauth/models.js

@@ -4,27 +4,16 @@ exports.OAuthCodeModel = exports.OAuthClientModel = void 0;
 exports.initOAuthClientModel = initOAuthClientModel;
 exports.initOAuthCodeModel = initOAuthCodeModel;
 const sequelize_1 = require("sequelize");
-const DIALECTS_SUPPORTING_UNSIGNED = new Set(['mysql', 'mariadb']);
-function normalizeTablePrefix(prefix) {
-    if (!prefix) {
-        return undefined;
-    }
-    const trimmed = prefix.trim();
-    return trimmed.length > 0 ? trimmed : undefined;
-}
-function applyTablePrefix(prefix, tableName) {
-    const normalized = normalizeTablePrefix(prefix);
-    return normalized ? `${normalized}${tableName}` : tableName;
-}
+const sequelize_utils_js_1 = require("../sequelize-utils.js");
 function integerIdType(sequelize) {
-    return DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? sequelize_1.DataTypes.INTEGER.UNSIGNED : sequelize_1.DataTypes.INTEGER;
+    return sequelize_utils_js_1.DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? sequelize_1.DataTypes.INTEGER.UNSIGNED : sequelize_1.DataTypes.INTEGER;
 }
 function tableOptions(sequelize, tableName, tablePrefix, extra) {
-    const opts = { sequelize, tableName: applyTablePrefix(tablePrefix, tableName) };
+    const opts = { sequelize, tableName: (0, sequelize_utils_js_1.applyTablePrefix)(tablePrefix, tableName) };
     if (extra) {
         Object.assign(opts, extra);
     }
-    if (DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())) {
+    if (sequelize_utils_js_1.DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())) {
         opts.charset = 'utf8mb4';
         opts.collate = 'utf8mb4_unicode_ci';
     }

package/dist/cjs/oauth/sequelize.js

@@ -8,28 +8,18 @@ exports.initOAuthClientModel = initOAuthClientModel;
 exports.initOAuthCodeModel = initOAuthCodeModel;
 const bcryptjs_1 = __importDefault(require("bcryptjs"));
 const sequelize_1 = require("sequelize");
+const user_id_js_1 = require("../auth-api/user-id.js");
+const sequelize_utils_js_1 = require("../sequelize-utils.js");
 const base_js_1 = require("./base.js");
-const DIALECTS_SUPPORTING_UNSIGNED = new Set(['mysql', 'mariadb']);
-function normalizeTablePrefix(prefix) {
-    if (!prefix) {
-        return undefined;
-    }
-    const trimmed = prefix.trim();
-    return trimmed.length > 0 ? trimmed : undefined;
-}
-function applyTablePrefix(prefix, tableName) {
-    const normalized = normalizeTablePrefix(prefix);
-    return normalized ? `${normalized}${tableName}` : tableName;
-}
 function integerIdType(sequelize) {
-    return DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? sequelize_1.DataTypes.INTEGER.UNSIGNED : sequelize_1.DataTypes.INTEGER;
+    return sequelize_utils_js_1.DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? sequelize_1.DataTypes.INTEGER.UNSIGNED : sequelize_1.DataTypes.INTEGER;
 }
 function tableOptions(sequelize, tableName, tablePrefix, extra) {
-    const opts = { sequelize, tableName: applyTablePrefix(tablePrefix, tableName) };
+    const opts = { sequelize, tableName: (0, sequelize_utils_js_1.applyTablePrefix)(tablePrefix, tableName) };
     if (extra) {
         Object.assign(opts, extra);
     }
-    if (DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())) {
+    if (sequelize_utils_js_1.DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())) {
         opts.charset = 'utf8mb4';
         opts.collate = 'utf8mb4_unicode_ci';
     }
@@ -111,13 +101,7 @@ function parseMetadata(raw) {
     return undefined;
 }
 function normalizeUserId(identifier) {
-    if (typeof identifier === 'number' && Number.isFinite(identifier)) {
-        return identifier;
-    }
-    if (typeof identifier === 'string' && /^\d+$/.test(identifier)) {
-        return Number(identifier);
-    }
-    throw new Error(`Unable to normalise user identifier: ${identifier}`);
+    return (0, user_id_js_1.normalizeNumericUserId)(identifier);
 }
 class SequelizeOAuthStore extends base_js_1.OAuthStore {
     constructor(options) {

package/dist/cjs/passkey/config.d.ts

@@ -0,0 +1,2 @@
+import type { PasskeyServiceConfig } from './types.js';
+export declare function normalizePasskeyConfig(config?: Partial<PasskeyServiceConfig>): PasskeyServiceConfig;

package/dist/cjs/passkey/config.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.normalizePasskeyConfig = normalizePasskeyConfig;
+const DEFAULT_PASSKEY_CONFIG = {
+    rpId: 'localhost',
+    rpName: 'API Server',
+    origins: ['http://localhost:5173'],
+    timeoutMs: 5 * 60 * 1000,
+    userVerification: 'preferred'
+};
+function isOriginString(origin) {
+    return typeof origin === 'string' && origin.trim().length > 0;
+}
+function normalizePasskeyConfig(config = {}) {
+    const candidateOrigins = Array.isArray(config.origins) && config.origins.length > 0 ? config.origins.filter(isOriginString) : null;
+    return {
+        rpId: config.rpId?.trim() || DEFAULT_PASSKEY_CONFIG.rpId,
+        rpName: config.rpName?.trim() || DEFAULT_PASSKEY_CONFIG.rpName,
+        origins: candidateOrigins ? candidateOrigins.map((origin) => origin.trim()) : DEFAULT_PASSKEY_CONFIG.origins,
+        timeoutMs: typeof config.timeoutMs === 'number' && config.timeoutMs > 0
+            ? config.timeoutMs
+            : DEFAULT_PASSKEY_CONFIG.timeoutMs,
+        userVerification: config.userVerification ?? DEFAULT_PASSKEY_CONFIG.userVerification,
+        debug: Boolean(config.debug)
+    };
+}

package/dist/cjs/passkey/memory.js

@@ -1,19 +1,12 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.MemoryPasskeyStore = void 0;
+const user_id_js_1 = require("../auth-api/user-id.js");
 const base_js_1 = require("./base.js");
 function encodeCredentialId(value) {
     return Buffer.isBuffer(value) ? value.toString('base64') : value;
 }
-function normalizeUserId(identifier) {
-    if (typeof identifier === 'number' && Number.isFinite(identifier)) {
-        return identifier;
-    }
-    if (typeof identifier === 'string' && /^\d+$/.test(identifier)) {
-        return Number(identifier);
-    }
-    return identifier;
-}
+const normalizeUserId = user_id_js_1.normalizeComparableUserId;
 function cloneCredential(record) {
     return {
         ...record,

package/dist/cjs/passkey/models.js

@@ -4,20 +4,9 @@ exports.PasskeyChallengeModel = exports.PasskeyCredentialModel = void 0;
 exports.initPasskeyCredentialModel = initPasskeyCredentialModel;
 exports.initPasskeyChallengeModel = initPasskeyChallengeModel;
 const sequelize_1 = require("sequelize");
-const DIALECTS_SUPPORTING_UNSIGNED = new Set(['mysql', 'mariadb']);
-function normalizeTablePrefix(prefix) {
-    if (!prefix) {
-        return undefined;
-    }
-    const trimmed = prefix.trim();
-    return trimmed.length > 0 ? trimmed : undefined;
-}
-function applyTablePrefix(prefix, tableName) {
-    const normalized = normalizeTablePrefix(prefix);
-    return normalized ? `${normalized}${tableName}` : tableName;
-}
+const sequelize_utils_js_1 = require("../sequelize-utils.js");
 function integerIdType(sequelize) {
-    return DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? sequelize_1.DataTypes.INTEGER.UNSIGNED : sequelize_1.DataTypes.INTEGER;
+    return sequelize_utils_js_1.DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? sequelize_1.DataTypes.INTEGER.UNSIGNED : sequelize_1.DataTypes.INTEGER;
 }
 class PasskeyCredentialModel extends sequelize_1.Model {
 }
@@ -115,7 +104,7 @@ function initPasskeyCredentialModel(sequelize, options = {}) {
         }
     }, {
         sequelize,
-        tableName: applyTablePrefix(options.tablePrefix, 'passkey_credentials'),
+        tableName: (0, sequelize_utils_js_1.applyTablePrefix)(options.tablePrefix, 'passkey_credentials'),
         timestamps: true,
         underscored: true
     });
@@ -148,7 +137,7 @@ function initPasskeyChallengeModel(sequelize, options = {}) {
         }
     }, {
         sequelize,
-        tableName: applyTablePrefix(options.tablePrefix, 'passkey_challenges'),
+        tableName: (0, sequelize_utils_js_1.applyTablePrefix)(options.tablePrefix, 'passkey_challenges'),
         timestamps: true,
         underscored: true,
         indexes: [{ fields: ['expires_at'] }, { fields: ['user_id'] }]

package/dist/cjs/passkey/sequelize.js

@@ -2,33 +2,17 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.SequelizePasskeyStore = void 0;
 const sequelize_1 = require("sequelize");
+const user_id_js_1 = require("../auth-api/user-id.js");
+const sequelize_utils_js_1 = require("../sequelize-utils.js");
 const base_js_1 = require("./base.js");
-const DIALECTS_SUPPORTING_UNSIGNED = new Set(['mysql', 'mariadb']);
-function normalizeTablePrefix(prefix) {
-    if (!prefix) {
-        return undefined;
-    }
-    const trimmed = prefix.trim();
-    return trimmed.length > 0 ? trimmed : undefined;
-}
-function applyTablePrefix(prefix, tableName) {
-    const normalized = normalizeTablePrefix(prefix);
-    return normalized ? `${normalized}${tableName}` : tableName;
-}
 function integerIdType(sequelize) {
-    return DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? sequelize_1.DataTypes.INTEGER.UNSIGNED : sequelize_1.DataTypes.INTEGER;
+    return sequelize_utils_js_1.DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? sequelize_1.DataTypes.INTEGER.UNSIGNED : sequelize_1.DataTypes.INTEGER;
 }
 function encodeCredentialId(value) {
     return Buffer.isBuffer(value) ? value.toString('base64') : value;
 }
 function normalizeUserId(identifier) {
-    if (typeof identifier === 'number' && Number.isFinite(identifier)) {
-        return identifier;
-    }
-    if (typeof identifier === 'string' && /^\d+$/.test(identifier)) {
-        return Number(identifier);
-    }
-    throw new Error(`Unable to normalise user identifier: ${identifier}`);
+    return (0, user_id_js_1.normalizeNumericUserId)(identifier);
 }
 class PasskeyCredentialModel extends sequelize_1.Model {
 }
@@ -124,7 +108,7 @@ function initPasskeyCredentialModel(sequelize, options = {}) {
         }
     }, {
         sequelize,
-        tableName: applyTablePrefix(options.tablePrefix, 'passkey_credentials'),
+        tableName: (0, sequelize_utils_js_1.applyTablePrefix)(options.tablePrefix, 'passkey_credentials'),
         timestamps: true,
         underscored: true
     });
@@ -157,7 +141,7 @@ function initPasskeyChallengeModel(sequelize, options = {}) {
         }
     }, {
         sequelize,
-        tableName: applyTablePrefix(options.tablePrefix, 'passkey_challenges'),
+        tableName: (0, sequelize_utils_js_1.applyTablePrefix)(options.tablePrefix, 'passkey_challenges'),
         timestamps: true,
         underscored: true,
         indexes: [{ fields: ['expires_at'] }, { fields: ['user_id'] }]

package/dist/cjs/sequelize-utils.d.ts

@@ -0,0 +1,3 @@
+export declare const DIALECTS_SUPPORTING_UNSIGNED: Set<string>;
+export declare function normalizeTablePrefix(prefix?: string): string | undefined;
+export declare function applyTablePrefix(prefix: string | undefined, tableName: string): string;

package/dist/cjs/sequelize-utils.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DIALECTS_SUPPORTING_UNSIGNED = void 0;
+exports.normalizeTablePrefix = normalizeTablePrefix;
+exports.applyTablePrefix = applyTablePrefix;
+exports.DIALECTS_SUPPORTING_UNSIGNED = new Set(['mysql', 'mariadb']);
+function normalizeTablePrefix(prefix) {
+    if (!prefix) {
+        return undefined;
+    }
+    const trimmed = prefix.trim();
+    return trimmed.length > 0 ? trimmed : undefined;
+}
+function applyTablePrefix(prefix, tableName) {
+    const normalized = normalizeTablePrefix(prefix);
+    return normalized ? `${normalized}${tableName}` : tableName;
+}

package/dist/cjs/token/memory.d.ts

@@ -2,6 +2,10 @@ import { TokenStore } from './base.js';
 import type { Token } from './types.js';
 export declare class MemoryTokenStore extends TokenStore {
     private readonly tokens;
+    private readonly tokensByUser;
+    private indexToken;
+    private unindexToken;
+    private removeByRefreshToken;
     save(record: Token): Promise<void>;
     get(query: Partial<Token>, opts?: {
         includeExpired?: boolean;

package/dist/cjs/token/memory.js

@@ -9,12 +9,12 @@ function comparableUserId(value) {
     return String(value);
 }
 function cloneToken(record) {
-    // this.normalizeToken is not available in static context; caller passes through instance.
-    // cloning handled via store instance methods.
-    const normalized = record;
     return {
-        ...normalized,
-        scope: normalized.scope ? [...normalized.scope] : undefined
+        ...record,
+        scope: record.scope ? [...record.scope] : undefined,
+        expires: record.expires ? new Date(record.expires) : undefined,
+        issuedAt: record.issuedAt ? new Date(record.issuedAt) : undefined,
+        lastSeenAt: record.lastSeenAt ? new Date(record.lastSeenAt) : undefined
     };
 }
 function matchesQuery(record, query, includeExpired) {
@@ -50,15 +50,57 @@ function matchesQuery(record, query, includeExpired) {
 class MemoryTokenStore extends base_js_1.TokenStore {
     constructor() {
         super(...arguments);
-        this.tokens = [];
+        this.tokens = new Map();
+        this.tokensByUser = new Map();
+    }
+    indexToken(token) {
+        const userId = comparableUserId(token.userId);
+        if (!userId) {
+            return;
+        }
+        let userTokens = this.tokensByUser.get(userId);
+        if (!userTokens) {
+            userTokens = new Set();
+            this.tokensByUser.set(userId, userTokens);
+        }
+        userTokens.add(token.refreshToken);
+    }
+    unindexToken(token) {
+        const userId = comparableUserId(token.userId);
+        if (!userId) {
+            return;
+        }
+        const userTokens = this.tokensByUser.get(userId);
+        if (!userTokens) {
+            return;
+        }
+        userTokens.delete(token.refreshToken);
+        if (userTokens.size === 0) {
+            this.tokensByUser.delete(userId);
+        }
+    }
+    removeByRefreshToken(refreshToken) {
+        const existing = this.tokens.get(refreshToken);
+        if (!existing) {
+            return;
+        }
+        this.unindexToken(existing);
+        this.tokens.delete(refreshToken);
     }
     async save(record) {
         const stored = this.normalizeToken(record);
         const normalizedUserId = comparableUserId(stored.userId);
+        if (!normalizedUserId) {
+            throw new Error('userId is required');
+        }
         const domainProvided = record.domain !== undefined;
         const fingerprintProvided = record.fingerprint !== undefined;
-        for (let index = this.tokens.length - 1; index >= 0; index -= 1) {
-            const existing = this.tokens[index];
+        const userRefreshTokens = [...(this.tokensByUser.get(normalizedUserId) ?? [])];
+        for (const refreshToken of userRefreshTokens) {
+            const existing = this.tokens.get(refreshToken);
+            if (!existing) {
+                continue;
+            }
             if (comparableUserId(existing.userId) !== normalizedUserId) {
                 continue;
             }
@@ -71,44 +113,51 @@ class MemoryTokenStore extends base_js_1.TokenStore {
             if (fingerprintProvided && existing.fingerprint !== stored.fingerprint) {
                 continue;
             }
-            this.tokens.splice(index, 1);
+            this.removeByRefreshToken(existing.refreshToken);
         }
-        this.tokens.push(stored);
+        this.removeByRefreshToken(stored.refreshToken);
+        this.tokens.set(stored.refreshToken, stored);
+        this.indexToken(stored);
     }
     async get(query, opts) {
         if (!query.refreshToken && !query.accessToken && query.userId === undefined) {
             throw new Error('At least one token lookup field must be provided');
         }
         const includeExpired = opts?.includeExpired ?? false;
-        const record = this.tokens.find((token) => matchesQuery(token, query, includeExpired));
-        return record ? cloneToken(record) : null;
+        if (query.refreshToken) {
+            const record = this.tokens.get(query.refreshToken);
+            return record && matchesQuery(record, query, includeExpired) ? cloneToken(record) : null;
+        }
+        for (const token of this.tokens.values()) {
+            if (matchesQuery(token, query, includeExpired)) {
+                return cloneToken(token);
+            }
+        }
+        return null;
     }
     async delete(query) {
         if (!query.refreshToken && !query.accessToken && query.userId === undefined && !query.clientId) {
             return 0;
         }
         let removed = 0;
-        for (let index = this.tokens.length - 1; index >= 0; index -= 1) {
-            if (matchesQuery(this.tokens[index], query, true)) {
-                this.tokens.splice(index, 1);
+        const refreshTokens = [...this.tokens.keys()];
+        for (const refreshToken of refreshTokens) {
+            const token = this.tokens.get(refreshToken);
+            if (token && matchesQuery(token, query, true)) {
+                this.removeByRefreshToken(refreshToken);
                 removed += 1;
             }
         }
         return removed;
     }
     async update(params) {
-        const token = this.tokens.find((record) => {
-            if (record.refreshToken !== params.refreshToken) {
-                return false;
-            }
-            if (params.clientId && record.clientId !== params.clientId) {
-                return false;
-            }
-            return true;
-        });
+        const token = this.tokens.get(params.refreshToken);
         if (!token) {
             return false;
         }
+        if (params.clientId && token.clientId !== params.clientId) {
+            return false;
+        }
         const merged = { ...token };
         const maybeAssign = (key) => {
             const value = params[key];
@@ -132,12 +181,28 @@ class MemoryTokenStore extends base_js_1.TokenStore {
         maybeAssign('lastSeenAt');
         maybeAssign('sessionCookie');
         const normalized = this.normalizeToken(merged);
+        const previousUserId = token.userId;
+        const previousRefreshToken = token.refreshToken;
+        const userChanged = comparableUserId(previousUserId) !== comparableUserId(normalized.userId);
         Object.assign(token, normalized);
+        if (userChanged || previousRefreshToken !== token.refreshToken) {
+            this.unindexToken({ ...token, userId: previousUserId, refreshToken: previousRefreshToken });
+            this.indexToken(token);
+            if (previousRefreshToken !== token.refreshToken) {
+                this.tokens.delete(previousRefreshToken);
+                this.tokens.set(token.refreshToken, token);
+            }
+        }
         return true;
     }
     async list(userId, opts = {}) {
         const includeExpired = opts.includeExpired ?? false;
-        const filtered = this.tokens.filter((token) => matchesQuery(token, { userId: comparableUserId(userId) }, includeExpired));
+        const normalizedUserId = comparableUserId(userId);
+        const userRefreshTokens = normalizedUserId ? [...(this.tokensByUser.get(normalizedUserId) ?? [])] : [];
+        const filtered = userRefreshTokens
+            .map((refreshToken) => this.tokens.get(refreshToken))
+            .filter((token) => Boolean(token))
+            .filter((token) => matchesQuery(token, { userId: normalizedUserId }, includeExpired));
         const offset = opts.offset ?? 0;
         const limit = opts.limit ?? filtered.length;
         return filtered.slice(offset, offset + limit).map(cloneToken);

package/dist/cjs/token/sequelize.js

@@ -2,41 +2,31 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.SequelizeTokenStore = void 0;
 const sequelize_1 = require("sequelize");
+const user_id_js_1 = require("../auth-api/user-id.js");
+const sequelize_utils_js_1 = require("../sequelize-utils.js");
 const base_js_1 = require("./base.js");
-const DIALECTS_SUPPORTING_UNSIGNED = new Set(['mysql', 'mariadb']);
-function normalizeTablePrefix(prefix) {
-    if (!prefix) {
-        return undefined;
-    }
-    const trimmed = prefix.trim();
-    return trimmed.length > 0 ? trimmed : undefined;
-}
-function applyTablePrefix(prefix, tableName) {
-    const normalized = normalizeTablePrefix(prefix);
-    return normalized ? `${normalized}${tableName}` : tableName;
-}
 class TokenModel extends sequelize_1.Model {
 }
 function tokenTableOptions(sequelize, tablePrefix) {
     const opts = {
         sequelize,
-        tableName: applyTablePrefix(tablePrefix, 'jwttokens'),
+        tableName: (0, sequelize_utils_js_1.applyTablePrefix)(tablePrefix, 'jwttokens'),
         timestamps: false
     };
-    if (DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())) {
+    if (sequelize_utils_js_1.DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())) {
         opts.charset = 'utf8mb4';
         opts.collate = 'utf8mb4_unicode_ci';
     }
     return opts;
 }
 function initTokenModel(sequelize, options = {}) {
-    const tableName = applyTablePrefix(options.tablePrefix, 'jwttokens');
+    const tableName = (0, sequelize_utils_js_1.applyTablePrefix)(options.tablePrefix, 'jwttokens');
     const usePrefixedIndexNames = tableName !== 'jwttokens';
     const accessIndexName = usePrefixedIndexNames ? `${tableName}_access_unique` : 'jwt_access_unique';
     const refreshIndexName = usePrefixedIndexNames ? `${tableName}_refresh_unique` : 'jwt_refresh_unique';
     TokenModel.init({
         token_id: {
-            type: DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())
+            type: sequelize_utils_js_1.DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())
                 ? sequelize_1.DataTypes.INTEGER.UNSIGNED
                 : sequelize_1.DataTypes.INTEGER,
             autoIncrement: true,
@@ -67,11 +57,11 @@ function initTokenModel(sequelize, options = {}) {
             defaultValue: sequelize_1.DataTypes.NOW
         },
         access: {
-            type: sequelize_1.DataTypes.STRING(512),
+            type: sequelize_1.DataTypes.STRING(768),
             allowNull: false
         },
         refresh: {
-            type: sequelize_1.DataTypes.STRING(512),
+            type: sequelize_1.DataTypes.STRING(768),
             allowNull: false
         },
         domain: {
@@ -184,6 +174,13 @@ class SequelizeTokenStore extends base_js_1.TokenStore {
             removalWhere.client_id = normalized.clientId;
         }
         await this.Tokens.destroy({ where: removalWhere });
+        // Access/refresh columns are unique. Remove stale collisions before insert to avoid
+        // transient uniqueness failures during retries/rotation edge-cases.
+        await this.Tokens.destroy({
+            where: {
+                [sequelize_1.Op.or]: [{ access: normalized.accessToken ?? '' }, { refresh: normalized.refreshToken }]
+            }
+        });
         await this.Tokens.create({
             user_id: resolvedUserId,
             real_user_id: resolvedRealUserId,
@@ -343,10 +340,7 @@ class SequelizeTokenStore extends base_js_1.TokenStore {
         return;
     }
     normalizeUserId(identifier) {
-        if (identifier === undefined || identifier === null) {
-            throw new Error(`Unable to normalise user identifier: ${identifier}`);
-        }
-        return String(identifier);
+        return (0, user_id_js_1.normalizeStringUserId)(identifier);
     }
     resolveRealUserId(ruid) {
         if (ruid === undefined || ruid === null) {

package/dist/cjs/token/types.d.ts

@@ -9,7 +9,14 @@ export interface Token {
     status?: TokenStatus;
     ruid?: string;
     clientId?: string;
+    /**
+     * Optional session partition key. Token stores may use `domain` and `fingerprint`
+     * to replace previous sessions that match the same bucket.
+     */
     domain?: string;
+    /**
+     * Optional device/session fingerprint used together with `domain` for session bucketing.
+     */
     fingerprint?: string;
     label?: string;
     browser?: string;

package/dist/cjs/user/memory.js

@@ -1,19 +1,12 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.MemoryUserStore = void 0;
+const user_id_js_1 = require("../auth-api/user-id.js");
 const base_js_1 = require("./base.js");
 function cloneUser(user) {
     return { ...user };
 }
-function normalizeUserId(identifier) {
-    if (typeof identifier === 'number' && Number.isFinite(identifier)) {
-        return identifier;
-    }
-    if (typeof identifier === 'string' && /^\d+$/.test(identifier)) {
-        return Number(identifier);
-    }
-    throw new Error(`Unable to normalise user identifier: ${identifier}`);
-}
+const normalizeUserId = user_id_js_1.normalizeNumericUserId;
 class MemoryUserStore extends base_js_1.UserStore {
     constructor(options = {}) {
         super({