@technomoron/api-server-base 2.0.0-beta.18 → 2.0.0-beta.19

package/dist/cjs/user/sequelize.js

@@ -3,29 +3,19 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.SequelizeUserStore = exports.AuthUserModel = void 0;
 exports.initAuthUserModel = initAuthUserModel;
 const sequelize_1 = require("sequelize");
+const user_id_js_1 = require("../auth-api/user-id.js");
+const sequelize_utils_js_1 = require("../sequelize-utils.js");
 const base_js_1 = require("./base.js");
-const DIALECTS_SUPPORTING_UNSIGNED = new Set(['mysql', 'mariadb']);
-function normalizeTablePrefix(prefix) {
-    if (!prefix) {
-        return undefined;
-    }
-    const trimmed = prefix.trim();
-    return trimmed.length > 0 ? trimmed : undefined;
-}
-function applyTablePrefix(prefix, tableName) {
-    const normalized = normalizeTablePrefix(prefix);
-    return normalized ? `${normalized}${tableName}` : tableName;
-}
 function integerIdType(sequelize) {
-    return DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? sequelize_1.DataTypes.INTEGER.UNSIGNED : sequelize_1.DataTypes.INTEGER;
+    return sequelize_utils_js_1.DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? sequelize_1.DataTypes.INTEGER.UNSIGNED : sequelize_1.DataTypes.INTEGER;
 }
 function userTableOptions(sequelize, tablePrefix) {
     const opts = {
         sequelize,
-        tableName: applyTablePrefix(tablePrefix, 'users'),
+        tableName: (0, sequelize_utils_js_1.applyTablePrefix)(tablePrefix, 'users'),
         timestamps: false
     };
-    if (DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())) {
+    if (sequelize_utils_js_1.DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())) {
         opts.charset = 'utf8mb4';
         opts.collate = 'utf8mb4_unicode_ci';
     }
@@ -183,13 +173,7 @@ class SequelizeUserStore extends base_js_1.UserStore {
         };
     }
     normalizeUserId(identifier) {
-        if (typeof identifier === 'number' && Number.isFinite(identifier)) {
-            return identifier;
-        }
-        if (typeof identifier === 'string' && /^\d+$/.test(identifier)) {
-            return Number(identifier);
-        }
-        throw new Error(`Unable to normalise user identifier: ${identifier}`);
+        return (0, user_id_js_1.normalizeNumericUserId)(identifier);
     }
 }
 exports.SequelizeUserStore = SequelizeUserStore;

package/dist/esm/api-module.d.ts

@@ -7,7 +7,7 @@ export interface ApiKey {
     uid: unknown;
 }
 export type ApiRoute = {
-    method: 'get' | 'post' | 'put' | 'delete';
+    method: 'get' | 'post' | 'put' | 'patch' | 'delete';
     path: string;
     handler: ApiHandler;
     auth: {
@@ -16,7 +16,9 @@ export type ApiRoute = {
     };
 };
 export declare class ApiModule<T = unknown> {
-    server: T;
+    private _server?;
+    get server(): T;
+    set server(value: T);
     namespace: string;
     mountpath: string;
     static defaultNamespace: string;

package/dist/esm/api-module.js

@@ -1,4 +1,13 @@
 export class ApiModule {
+    get server() {
+        if (this._server === undefined) {
+            throw new Error('ApiModule.server is not set. Mount the module with ApiServer.api(...) before using it.');
+        }
+        return this._server;
+    }
+    set server(value) {
+        this._server = value;
+    }
     constructor(opts = {}) {
         this.mountpath = '';
         this.namespace = opts.namespace ?? this.constructor.defaultNamespace ?? '';

package/dist/esm/api-server-base.d.ts

@@ -129,6 +129,7 @@ export interface ApiServerConf {
     minClientVersion: string;
     tokenStore?: TokenStore;
     authStores?: ApiServerAuthStores;
+    onStartError?: (error: Error) => void;
 }
 export declare class ApiServer {
     app: Application;
@@ -141,12 +142,14 @@ export declare class ApiServer {
     private moduleAdapter;
     private serverAuthAdapter;
     private apiNotFoundHandler;
+    private apiErrorHandlerInstalled;
     private tokenStoreAdapter;
     private userStoreAdapter;
     private passkeyServiceAdapter;
     private oauthStoreAdapter;
     private canImpersonateAdapter;
     private readonly jwtHelper;
+    private currReqDeprecationWarned;
     /**
      * @deprecated ApiServer does not track a global "current request". This value is always null.
      * Use the per-request ApiRequest passed to handlers, or `req.apiReq` / `res.locals.apiReq`
@@ -225,8 +228,10 @@ export declare class ApiServer {
     private installSwaggerHandler;
     private normalizeApiBasePath;
     private installApiNotFoundHandler;
+    private installApiErrorHandler;
     private describeMissingEndpoint;
     start(): this;
+    private internalServerErrorMessage;
     private verifyJWT;
     private jwtCookieOptions;
     private setAccessCookie;

package/dist/esm/api-server-base.js

@@ -14,6 +14,7 @@ import express from 'express';
 import multer from 'multer';
 import { nullAuthModule } from './auth-api/module.js';
 import { nullAuthAdapter } from './auth-api/storage.js';
+import { buildAuthCookieOptions } from './auth-cookie-options.js';
 import { TokenStore } from './token/base.js';
 class JwtHelperStore extends TokenStore {
     async save() {
@@ -70,6 +71,7 @@ function hydrateGetBody(req) {
         req.body = { ...query };
         return;
     }
+    // Keep explicit body fields authoritative when both query and body provide the same key.
     req.body = { ...query, ...body };
 }
 function normalizeIpAddress(candidate) {
@@ -329,6 +331,17 @@ function isApiErrorLike(candidate) {
     const maybeError = candidate;
     return typeof maybeError.code === 'number' && typeof maybeError.message === 'string';
 }
+function asHttpStatus(error) {
+    if (!error || typeof error !== 'object') {
+        return null;
+    }
+    const maybe = error;
+    const status = typeof maybe.status === 'number' ? maybe.status : maybe.statusCode;
+    if (typeof status === 'number' && status >= 400 && status <= 599) {
+        return status;
+    }
+    return null;
+}
 function fillConfig(config) {
     return {
         apiPort: config.apiPort ?? 3101,
@@ -361,7 +374,8 @@ function fillConfig(config) {
         apiVersion: config.apiVersion ?? '',
         minClientVersion: config.minClientVersion ?? '',
         tokenStore: config.tokenStore,
-        authStores: config.authStores
+        authStores: config.authStores,
+        onStartError: config.onStartError
     };
 }
 export class ApiServer {
@@ -374,17 +388,23 @@ export class ApiServer {
         return null;
     }
     set currReq(_value) {
+        if (this.config.devMode && !this.currReqDeprecationWarned) {
+            this.currReqDeprecationWarned = true;
+            console.warn('[api-server-base] ApiServer.currReq is deprecated and always null. Use req.apiReq or res.locals.apiReq.');
+        }
         void _value;
     }
     constructor(config = {}) {
         this.finalized = false;
         this.serverAuthAdapter = null;
         this.apiNotFoundHandler = null;
+        this.apiErrorHandlerInstalled = false;
         this.tokenStoreAdapter = null;
         this.userStoreAdapter = null;
         this.passkeyServiceAdapter = null;
         this.oauthStoreAdapter = null;
         this.canImpersonateAdapter = null;
+        this.currReqDeprecationWarned = false;
         this.config = fillConfig(config);
         this.apiBasePath = this.normalizeApiBasePath(this.config.apiBasePath);
         this.startedAt = Date.now();
@@ -431,6 +451,7 @@ export class ApiServer {
         this.app.use(this.apiBasePath, this.apiRouter);
         // addSwaggerUi(this.app);
         this.installApiNotFoundHandler();
+        this.installApiErrorHandler();
     }
     assertNotFinalized(action) {
         if (this.finalized) {
@@ -460,6 +481,7 @@ export class ApiServer {
     }
     finalize() {
         this.installApiNotFoundHandler();
+        this.installApiErrorHandler();
         this.finalized = true;
         return this;
     }
@@ -802,8 +824,12 @@ export class ApiServer {
         const base = this.apiBasePath === '/' ? '' : this.apiBasePath;
         const resolved = rawPath.length > 0 ? rawPath : `${base}/swagger`;
         const path = resolved.startsWith('/') ? resolved : `/${resolved}`;
-        const spec = this.loadSwaggerSpec();
+        let specCache;
         this.app.get(path, (_req, res) => {
+            if (specCache === undefined) {
+                specCache = this.loadSwaggerSpec();
+            }
+            const spec = specCache;
             if (!spec) {
                 res.status(500).json({
                     success: false,
@@ -847,6 +873,13 @@ export class ApiServer {
         };
         this.app.use(this.apiBasePath, this.apiNotFoundHandler);
     }
+    installApiErrorHandler() {
+        if (this.apiErrorHandlerInstalled) {
+            return;
+        }
+        this.apiErrorHandlerInstalled = true;
+        this.app.use(this.apiBasePath, this.expressErrorHandler());
+    }
     describeMissingEndpoint(req) {
         const method = typeof req.method === 'string' ? req.method.toUpperCase() : 'GET';
         const target = req.originalUrl || req.url || this.apiBasePath;
@@ -881,10 +914,17 @@ export class ApiServer {
             }
             const err = new Error(message);
             err.cause = error;
+            if (typeof this.config.onStartError === 'function') {
+                this.config.onStartError(err);
+                return;
+            }
             throw err;
         });
         return this;
     }
+    internalServerErrorMessage(error) {
+        return this.config.debug ? this.guessExceptionText(error) : 'Internal server error';
+    }
     async verifyJWT(token) {
         if (!this.config.accessSecret) {
             return { tokenData: undefined, error: 'JWT authentication disabled; no jwtSecret set', expired: false };
@@ -899,39 +939,7 @@ export class ApiServer {
         return { tokenData: result.data, error: undefined, expired: false };
     }
     jwtCookieOptions(apiReq) {
-        const conf = this.config;
-        const forwarded = apiReq.req.headers['x-forwarded-proto'];
-        const referer = apiReq.req.headers['origin'] ?? apiReq.req.headers['referer'];
-        const origin = typeof referer === 'string' ? referer : '';
-        const forwardedProto = (typeof forwarded === 'string' ? forwarded : Array.isArray(forwarded) ? (forwarded[0] ?? '') : '')
-            .split(',')[0]
-            .trim()
-            .toLowerCase();
-        const isHttps = forwardedProto === 'https' || apiReq.req.protocol === 'https';
-        const isLocalhost = origin.includes('localhost');
-        const secure = conf.cookieSecure === true ? true : conf.cookieSecure === false ? false : /* auto */ Boolean(isHttps);
-        let sameSite = conf.cookieSameSite ?? 'lax';
-        if (sameSite !== 'lax' && sameSite !== 'strict' && sameSite !== 'none') {
-            sameSite = 'lax';
-        }
-        let resolvedSecure = secure;
-        if (sameSite === 'none' && resolvedSecure !== true) {
-            // Modern browsers reject SameSite=None cookies unless Secure is set.
-            resolvedSecure = true;
-        }
-        const options = {
-            httpOnly: conf.cookieHttpOnly ?? true,
-            secure: resolvedSecure,
-            sameSite,
-            domain: conf.cookieDomain || undefined,
-            path: conf.cookiePath || '/',
-            maxAge: undefined
-        };
-        if (conf.devMode && isLocalhost) {
-            // Domain cookies do not work on localhost; avoid breaking local development when cookieDomain is set.
-            options.domain = undefined;
-        }
-        return options;
+        return buildAuthCookieOptions(this.config, apiReq.req);
     }
     setAccessCookie(apiReq, accessToken, sessionCookie) {
         const conf = this.config;
@@ -1277,10 +1285,21 @@ export class ApiServer {
                 res.status(apiError.code).json(errorPayload);
                 return;
             }
+            const status = asHttpStatus(error);
+            if (status) {
+                res.status(status).json({
+                    success: false,
+                    code: status,
+                    message: status === 400 ? 'Invalid request payload' : this.internalServerErrorMessage(error),
+                    data: null,
+                    errors: {}
+                });
+                return;
+            }
             const errorPayload = {
                 success: false,
                 code: 500,
-                message: this.guessExceptionText(error),
+                message: this.internalServerErrorMessage(error),
                 data: null,
                 errors: {}
             };
@@ -1340,7 +1359,7 @@ export class ApiServer {
                     const errorPayload = {
                         success: false,
                         code: 500,
-                        message: this.guessExceptionText(error),
+                        message: this.internalServerErrorMessage(error),
                         data: null,
                         errors: {}
                     };
@@ -1381,6 +1400,9 @@ export class ApiServer {
                 case 'put':
                     router.put(r.path, handler);
                     break;
+                case 'patch':
+                    router.patch(r.path, handler);
+                    break;
                 case 'delete':
                     router.delete(r.path, handler);
                     break;

package/dist/esm/auth-api/auth-module.d.ts

@@ -10,10 +10,16 @@ interface CanImpersonateContext<UserEntity> {
     targetUser: UserEntity;
     effectiveUserId: AuthIdentifier;
 }
+type AuthRateLimitEndpoint = 'login' | 'passkey-challenge' | 'oauth-token';
 interface AuthModuleOptions<UserEntity> {
     namespace?: string;
     defaultDomain?: string;
     canImpersonate?: (context: CanImpersonateContext<UserEntity>) => Promise<boolean> | boolean;
+    rateLimit?: (context: {
+        apiReq: ApiRequest;
+        endpoint: AuthRateLimitEndpoint;
+    }) => Promise<void> | void;
+    allowInsecurePkcePlain?: boolean;
 }
 type TokenMetadata = Partial<Token> & {
     sessionCookie?: boolean;
@@ -42,9 +48,12 @@ type AuthCapableServer<PublicUser> = ApiServer & {
 };
 export default class AuthModule<UserEntity, PublicUser> extends BaseAuthModule<UserEntity> implements AuthProviderModule<UserEntity> {
     static defaultNamespace: string;
-    server: AuthCapableServer<PublicUser>;
+    get server(): AuthCapableServer<PublicUser>;
+    set server(value: AuthCapableServer<PublicUser>);
     private readonly defaultDomain?;
     private readonly canImpersonateHook?;
+    private readonly rateLimitHook?;
+    private readonly allowInsecurePkcePlain;
     constructor(options?: AuthModuleOptions<UserEntity>);
     protected get storage(): AuthAdapter<UserEntity, PublicUser>;
     protected canImpersonate(apiReq: ApiRequest, realUser: UserEntity, targetUser: UserEntity): Promise<boolean>;
@@ -100,6 +109,8 @@ export default class AuthModule<UserEntity, PublicUser> extends BaseAuthModule<U
     private hasOAuthStore;
     private storageImplements;
     private storageImplementsAll;
+    private applyRateLimit;
+    private resolvePkceChallengeMethod;
     defineRoutes(): ApiRoute[];
 }
 export {};

package/dist/esm/auth-api/auth-module.js

@@ -1,6 +1,7 @@
 import { createHash, randomUUID } from 'node:crypto';
 import { isoBase64URL } from '@simplewebauthn/server/helpers';
 import { ApiError } from '../api-server-base.js';
+import { buildAuthCookieOptions } from '../auth-cookie-options.js';
 import { BaseAuthModule } from './module.js';
 import { BaseAuthAdapter } from './storage.js';
 function isAuthIdentifier(value) {
@@ -30,10 +31,18 @@ function sha256Base64Url(value) {
     return base64UrlEncode(hash);
 }
 class AuthModule extends BaseAuthModule {
+    get server() {
+        return super.server;
+    }
+    set server(value) {
+        super.server = value;
+    }
     constructor(options = {}) {
         super({ namespace: options.namespace ?? AuthModule.defaultNamespace });
         this.defaultDomain = options.defaultDomain;
         this.canImpersonateHook = options.canImpersonate;
+        this.rateLimitHook = options.rateLimit;
+        this.allowInsecurePkcePlain = options.allowInsecurePkcePlain ?? true;
     }
     get storage() {
         return this.server.getAuthStorage();
@@ -234,37 +243,7 @@ class AuthModule extends BaseAuthModule {
         return Number.isNaN(date.getTime()) ? undefined : date.toISOString();
     }
     cookieOptions(apiReq) {
-        const conf = this.server.config;
-        const forwarded = apiReq.req.headers['x-forwarded-proto'];
-        const referer = apiReq.req.headers['origin'] ?? apiReq.req.headers['referer'];
-        const origin = typeof referer === 'string' ? referer : '';
-        const forwardedProto = (typeof forwarded === 'string' ? forwarded : Array.isArray(forwarded) ? (forwarded[0] ?? '') : '')
-            .split(',')[0]
-            .trim()
-            .toLowerCase();
-        const isHttps = forwardedProto === 'https' || apiReq.req.protocol === 'https';
-        const isLocalhost = origin.includes('localhost');
-        const secure = conf.cookieSecure === true ? true : conf.cookieSecure === false ? false : /* auto */ Boolean(isHttps);
-        let sameSite = conf.cookieSameSite ?? 'lax';
-        if (sameSite !== 'lax' && sameSite !== 'strict' && sameSite !== 'none') {
-            sameSite = 'lax';
-        }
-        let resolvedSecure = secure;
-        if (sameSite === 'none' && resolvedSecure !== true) {
-            resolvedSecure = true;
-        }
-        const options = {
-            httpOnly: conf.cookieHttpOnly ?? true,
-            secure: resolvedSecure,
-            sameSite,
-            domain: conf.cookieDomain || undefined,
-            path: conf.cookiePath || '/',
-            maxAge: undefined
-        };
-        if (conf.devMode && isLocalhost) {
-            options.domain = undefined;
-        }
-        return options;
+        return buildAuthCookieOptions(this.server.config, apiReq.req);
     }
     setJwtCookies(apiReq, tokens, preferences = {}) {
         const conf = this.server.config;
@@ -291,7 +270,10 @@ class AuthModule extends BaseAuthModule {
     async issueTokens(apiReq, user, metadata = {}) {
         const conf = this.server.config;
         const enrichedMetadata = this.enrichTokenMetadata(apiReq, metadata);
-        const payload = this.buildTokenPayload(user, enrichedMetadata);
+        const payload = {
+            ...this.buildTokenPayload(user, enrichedMetadata),
+            jti: randomUUID()
+        };
         const access = this.server.jwtSign(payload, conf.accessSecret, conf.accessExpiry);
         if (!access.success || !access.token) {
             throw new ApiError({ code: 500, message: access.error ?? 'Unable to sign access token' });
@@ -461,6 +443,7 @@ class AuthModule extends BaseAuthModule {
         return undefined;
     }
     async postLogin(apiReq) {
+        await this.applyRateLimit(apiReq, 'login');
         this.assertAuthReady();
         const { login, password, ...metadata } = this.parseLoginBody(apiReq);
         const user = await this.storage.getUser(login);
@@ -624,6 +607,7 @@ class AuthModule extends BaseAuthModule {
         ];
     }
     async postPasskeyChallenge(apiReq) {
+        await this.applyRateLimit(apiReq, 'passkey-challenge');
         if (typeof this.storage.createPasskeyChallenge !== 'function') {
             throw new ApiError({ code: 501, message: 'Passkey support is not configured' });
         }
@@ -761,7 +745,8 @@ class AuthModule extends BaseAuthModule {
     async deleteImpersonation(apiReq) {
         this.assertAuthReady();
         const actor = await this.resolveActorContext(apiReq);
-        const metadata = this.buildImpersonationMetadata((apiReq.req.body ?? {}));
+        const query = (apiReq.req.query ?? {});
+        const metadata = this.buildImpersonationMetadata(query);
         metadata.loginType = metadata.loginType ?? 'impersonation-end';
         const tokens = await this.issueTokens(apiReq, actor.user, metadata);
         const publicUser = this.storage.filterUser(actor.user);
@@ -833,6 +818,7 @@ class AuthModule extends BaseAuthModule {
         const state = toStringOrNull(body.state) ?? undefined;
         const codeChallenge = toStringOrNull(body.codeChallenge) ?? undefined;
         const codeChallengeMethod = toStringOrNull(body.codeChallengeMethod) ?? undefined;
+        const resolvedCodeChallengeMethod = this.resolvePkceChallengeMethod(codeChallengeMethod);
         if (!clientId) {
             throw new ApiError({ code: 400, message: 'clientId is required' });
         }
@@ -852,7 +838,7 @@ class AuthModule extends BaseAuthModule {
             redirectUri,
             scope: resolvedScope,
             codeChallenge,
-            codeChallengeMethod: codeChallengeMethod === 'S256' ? 'S256' : codeChallengeMethod === 'plain' ? 'plain' : undefined,
+            codeChallengeMethod: resolvedCodeChallengeMethod,
             expiresInSeconds: 300
         });
         const redirect = new URL(redirectUri);
@@ -863,6 +849,7 @@ class AuthModule extends BaseAuthModule {
         return [200, { code: codeRecord.code, redirectUri: redirect.toString(), state }];
     }
     async postOAuthToken(apiReq) {
+        await this.applyRateLimit(apiReq, 'oauth-token');
         if (typeof this.storage.getClient !== 'function' || typeof this.storage.consumeAuthCode !== 'function') {
             throw new ApiError({ code: 501, message: 'OAuth token storage is not configured' });
         }
@@ -916,6 +903,9 @@ class AuthModule extends BaseAuthModule {
                 }
             }
             else if (record.codeChallengeMethod === 'plain') {
+                if (!this.allowInsecurePkcePlain) {
+                    throw new ApiError({ code: 400, message: 'PKCE plain is not permitted' });
+                }
                 if (codeVerifier !== record.codeChallenge) {
                     throw new ApiError({ code: 400, message: 'code_verifier does not match challenge' });
                 }
@@ -1116,6 +1106,24 @@ class AuthModule extends BaseAuthModule {
     storageImplementsAll(keys) {
         return keys.every((key) => this.storageImplements(key));
     }
+    async applyRateLimit(apiReq, endpoint) {
+        if (!this.rateLimitHook) {
+            return;
+        }
+        await this.rateLimitHook({ apiReq, endpoint });
+    }
+    resolvePkceChallengeMethod(value) {
+        if (value === 'S256') {
+            return 'S256';
+        }
+        if (value === 'plain') {
+            if (!this.allowInsecurePkcePlain) {
+                throw new ApiError({ code: 400, message: 'PKCE plain is not permitted' });
+            }
+            return 'plain';
+        }
+        return undefined;
+    }
     defineRoutes() {
         const routes = [];
         const coreAuthSupported = this.storageImplementsAll([

package/dist/esm/auth-api/mem-auth-store.js

@@ -1,31 +1,9 @@
 import { MemoryOAuthStore } from '../oauth/memory.js';
+import { normalizePasskeyConfig } from '../passkey/config.js';
 import { MemoryPasskeyStore } from '../passkey/memory.js';
 import { MemoryTokenStore } from '../token/memory.js';
 import { MemoryUserStore } from '../user/memory.js';
 import { CompositeAuthAdapter } from './compat-auth-storage.js';
-const DEFAULT_PASSKEY_CONFIG = {
-    rpId: 'localhost',
-    rpName: 'API Server',
-    origins: ['http://localhost:5173'],
-    timeoutMs: 5 * 60 * 1000,
-    userVerification: 'preferred'
-};
-function isOriginString(origin) {
-    return typeof origin === 'string' && origin.trim().length > 0;
-}
-function normalizePasskeyConfig(config = {}) {
-    const candidateOrigins = Array.isArray(config.origins) && config.origins.length > 0 ? config.origins.filter(isOriginString) : null;
-    return {
-        rpId: config.rpId?.trim() || DEFAULT_PASSKEY_CONFIG.rpId,
-        rpName: config.rpName?.trim() || DEFAULT_PASSKEY_CONFIG.rpName,
-        origins: candidateOrigins ? candidateOrigins.map((origin) => origin.trim()) : DEFAULT_PASSKEY_CONFIG.origins,
-        timeoutMs: typeof config.timeoutMs === 'number' && config.timeoutMs > 0
-            ? config.timeoutMs
-            : DEFAULT_PASSKEY_CONFIG.timeoutMs,
-        userVerification: config.userVerification ?? DEFAULT_PASSKEY_CONFIG.userVerification,
-        debug: Boolean(config.debug)
-    };
-}
 export class MemAuthStore {
     constructor(params = {}) {
         this.userStore = new MemoryUserStore({

package/dist/esm/auth-api/sql-auth-store.js

@@ -1,22 +1,10 @@
 import { SequelizeOAuthStore } from '../oauth/sequelize.js';
+import { normalizePasskeyConfig } from '../passkey/config.js';
 import { SequelizePasskeyStore } from '../passkey/sequelize.js';
+import { normalizeTablePrefix } from '../sequelize-utils.js';
 import { SequelizeTokenStore } from '../token/sequelize.js';
 import { SequelizeUserStore } from '../user/sequelize.js';
 import { CompositeAuthAdapter } from './compat-auth-storage.js';
-const DEFAULT_PASSKEY_CONFIG = {
-    rpId: 'localhost',
-    rpName: 'API Server',
-    origins: ['http://localhost:5173'],
-    timeoutMs: 5 * 60 * 1000,
-    userVerification: 'preferred'
-};
-function normalizeTablePrefix(prefix) {
-    if (!prefix) {
-        return undefined;
-    }
-    const trimmed = prefix.trim();
-    return trimmed.length > 0 ? trimmed : undefined;
-}
 function resolveTablePrefix(...prefixes) {
     for (const prefix of prefixes) {
         const normalized = normalizeTablePrefix(prefix);
@@ -26,22 +14,6 @@ function resolveTablePrefix(...prefixes) {
     }
     return undefined;
 }
-function isOriginString(origin) {
-    return typeof origin === 'string' && origin.trim().length > 0;
-}
-function normalizePasskeyConfig(config = {}) {
-    const candidateOrigins = Array.isArray(config.origins) && config.origins.length > 0 ? config.origins.filter(isOriginString) : null;
-    return {
-        rpId: config.rpId?.trim() || DEFAULT_PASSKEY_CONFIG.rpId,
-        rpName: config.rpName?.trim() || DEFAULT_PASSKEY_CONFIG.rpName,
-        origins: candidateOrigins ? candidateOrigins.map((origin) => origin.trim()) : DEFAULT_PASSKEY_CONFIG.origins,
-        timeoutMs: typeof config.timeoutMs === 'number' && config.timeoutMs > 0
-            ? config.timeoutMs
-            : DEFAULT_PASSKEY_CONFIG.timeoutMs,
-        userVerification: config.userVerification ?? DEFAULT_PASSKEY_CONFIG.userVerification,
-        debug: Boolean(config.debug)
-    };
-}
 export class SqlAuthStore {
     constructor(params) {
         this.closed = false;

package/dist/esm/auth-api/user-id.d.ts

@@ -0,0 +1,4 @@
+import type { AuthIdentifier } from './types.js';
+export declare function normalizeComparableUserId(identifier: AuthIdentifier): string;
+export declare function normalizeNumericUserId(identifier: AuthIdentifier): number;
+export declare function normalizeStringUserId(identifier: AuthIdentifier): string;

package/dist/esm/auth-api/user-id.js

@@ -0,0 +1,26 @@
+export function normalizeComparableUserId(identifier) {
+    if (typeof identifier === 'number' && Number.isFinite(identifier)) {
+        return String(identifier);
+    }
+    if (typeof identifier === 'string') {
+        const trimmed = identifier.trim();
+        if (trimmed.length === 0) {
+            throw new Error(`Unable to normalise user identifier: ${identifier}`);
+        }
+        if (/^\d+$/.test(trimmed)) {
+            return String(Number(trimmed));
+        }
+        return trimmed;
+    }
+    throw new Error(`Unable to normalise user identifier: ${identifier}`);
+}
+export function normalizeNumericUserId(identifier) {
+    const normalized = normalizeComparableUserId(identifier);
+    if (/^\d+$/.test(normalized)) {
+        return Number(normalized);
+    }
+    throw new Error(`Unable to normalise user identifier: ${identifier}`);
+}
+export function normalizeStringUserId(identifier) {
+    return normalizeComparableUserId(identifier);
+}

package/dist/esm/auth-cookie-options.d.ts

@@ -0,0 +1,11 @@
+import type { Request } from 'express';
+import type { CookieOptions } from 'express-serve-static-core';
+export interface AuthCookieConfig {
+    cookieSecure?: boolean | 'auto';
+    cookieSameSite?: 'lax' | 'strict' | 'none';
+    cookieHttpOnly?: boolean;
+    cookieDomain?: string;
+    cookiePath?: string;
+    devMode?: boolean;
+}
+export declare function buildAuthCookieOptions(config: AuthCookieConfig, req: Pick<Request, 'headers' | 'protocol'>): CookieOptions;