@technomoron/api-server-base 2.0.0-beta.19 → 2.0.0-beta.20

package/dist/cjs/oauth/sequelize.js

@@ -3,82 +3,18 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.SequelizeOAuthStore = exports.OAuthCodeModel = exports.OAuthClientModel = void 0;
-exports.initOAuthClientModel = initOAuthClientModel;
-exports.initOAuthCodeModel = initOAuthCodeModel;
+exports.SequelizeOAuthStore = exports.initOAuthCodeModel = exports.initOAuthClientModel = exports.OAuthCodeModel = exports.OAuthClientModel = void 0;
 const bcryptjs_1 = __importDefault(require("bcryptjs"));
 const sequelize_1 = require("sequelize");
 const user_id_js_1 = require("../auth-api/user-id.js");
 const sequelize_utils_js_1 = require("../sequelize-utils.js");
 const base_js_1 = require("./base.js");
-function integerIdType(sequelize) {
-    return sequelize_utils_js_1.DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? sequelize_1.DataTypes.INTEGER.UNSIGNED : sequelize_1.DataTypes.INTEGER;
-}
-function tableOptions(sequelize, tableName, tablePrefix, extra) {
-    const opts = { sequelize, tableName: (0, sequelize_utils_js_1.applyTablePrefix)(tablePrefix, tableName) };
-    if (extra) {
-        Object.assign(opts, extra);
-    }
-    if (sequelize_utils_js_1.DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())) {
-        opts.charset = 'utf8mb4';
-        opts.collate = 'utf8mb4_unicode_ci';
-    }
-    return opts;
-}
-class OAuthClientModel extends sequelize_1.Model {
-}
-exports.OAuthClientModel = OAuthClientModel;
-function initOAuthClientModel(sequelize, options = {}) {
-    OAuthClientModel.init({
-        client_id: { type: sequelize_1.DataTypes.STRING(128), allowNull: false, primaryKey: true },
-        client_secret: { type: sequelize_1.DataTypes.STRING(255), allowNull: false, defaultValue: '' },
-        name: { type: sequelize_1.DataTypes.STRING(128), allowNull: true, defaultValue: null },
-        redirect_uris: { type: sequelize_1.DataTypes.TEXT, allowNull: false, defaultValue: '[]' },
-        scope: { type: sequelize_1.DataTypes.TEXT, allowNull: false, defaultValue: '[]' },
-        metadata: { type: sequelize_1.DataTypes.TEXT, allowNull: true, defaultValue: null },
-        first_party: { type: sequelize_1.DataTypes.BOOLEAN, allowNull: false, defaultValue: false }
-    }, tableOptions(sequelize, 'oauth_clients', options.tablePrefix, { timestamps: false }));
-    return OAuthClientModel;
-}
-class OAuthCodeModel extends sequelize_1.Model {
-}
-exports.OAuthCodeModel = OAuthCodeModel;
-function initOAuthCodeModel(sequelize, options = {}) {
-    const idType = integerIdType(sequelize);
-    OAuthCodeModel.init({
-        code: { type: sequelize_1.DataTypes.STRING(128), allowNull: false, primaryKey: true },
-        client_id: { type: sequelize_1.DataTypes.STRING(128), allowNull: false },
-        user_id: { type: idType, allowNull: false },
-        redirect_uri: { type: sequelize_1.DataTypes.TEXT, allowNull: false },
-        scope: { type: sequelize_1.DataTypes.TEXT, allowNull: false, defaultValue: '[]' },
-        code_challenge: { type: sequelize_1.DataTypes.STRING(255), allowNull: true, defaultValue: null },
-        code_challenge_method: { type: sequelize_1.DataTypes.STRING(10), allowNull: true, defaultValue: null },
-        expires: { type: sequelize_1.DataTypes.DATE, allowNull: false },
-        metadata: { type: sequelize_1.DataTypes.TEXT, allowNull: true, defaultValue: null }
-    }, tableOptions(sequelize, 'oauth_codes', options.tablePrefix, { timestamps: false }));
-    return OAuthCodeModel;
-}
-function encodeStringArray(values) {
-    return JSON.stringify(values ?? []);
-}
-function decodeStringArray(raw) {
-    if (!raw) {
-        return [];
-    }
-    try {
-        const parsed = JSON.parse(raw);
-        if (Array.isArray(parsed)) {
-            return parsed.filter((entry) => typeof entry === 'string' && entry.length > 0);
-        }
-    }
-    catch {
-        // ignore malformed values
-    }
-    return raw
-        .split(/\s+/)
-        .map((entry) => entry.trim())
-        .filter((entry) => entry.length > 0);
-}
+const models_js_1 = require("./models.js");
+var models_js_2 = require("./models.js");
+Object.defineProperty(exports, "OAuthClientModel", { enumerable: true, get: function () { return models_js_2.OAuthClientModel; } });
+Object.defineProperty(exports, "OAuthCodeModel", { enumerable: true, get: function () { return models_js_2.OAuthCodeModel; } });
+Object.defineProperty(exports, "initOAuthClientModel", { enumerable: true, get: function () { return models_js_2.initOAuthClientModel; } });
+Object.defineProperty(exports, "initOAuthCodeModel", { enumerable: true, get: function () { return models_js_2.initOAuthCodeModel; } });
 function serializeMetadata(metadata) {
     if (!metadata) {
         return null;
@@ -100,9 +36,6 @@ function parseMetadata(raw) {
     }
     return undefined;
 }
-function normalizeUserId(identifier) {
-    return (0, user_id_js_1.normalizeNumericUserId)(identifier);
-}
 class SequelizeOAuthStore extends base_js_1.OAuthStore {
     constructor(options) {
         super();
@@ -111,12 +44,12 @@ class SequelizeOAuthStore extends base_js_1.OAuthStore {
         }
         this.clients =
             options.clientModel ??
-                (options.clientModelFactory ?? initOAuthClientModel)(options.sequelize, {
+                (options.clientModelFactory ?? models_js_1.initOAuthClientModel)(options.sequelize, {
                     tablePrefix: options.tablePrefix
                 });
         this.codes =
             options.codeModel ??
-                (options.codeModelFactory ?? initOAuthCodeModel)(options.sequelize, {
+                (options.codeModelFactory ?? models_js_1.initOAuthCodeModel)(options.sequelize, {
                     tablePrefix: options.tablePrefix
                 });
         this.bcryptRounds = options.bcryptRounds ?? 12;
@@ -130,15 +63,15 @@ class SequelizeOAuthStore extends base_js_1.OAuthStore {
         const hashedSecret = input.clientSecret !== undefined && input.clientSecret !== null
             ? await bcryptjs_1.default.hash(input.clientSecret, this.bcryptRounds)
             : (existing?.client_secret ?? '');
-        const redirectUris = input.redirectUris ?? (existing ? decodeStringArray(existing.redirect_uris) : undefined);
-        const scope = input.scope ?? (existing ? decodeStringArray(existing.scope) : undefined);
+        const redirectUris = input.redirectUris ?? (existing ? (0, sequelize_utils_js_1.decodeStringArray)(existing.redirect_uris) : undefined);
+        const scope = input.scope ?? (existing ? (0, sequelize_utils_js_1.decodeStringArray)(existing.scope) : undefined);
         const metadata = input.metadata ?? (existing ? parseMetadata(existing.metadata) : undefined);
         await this.clients.upsert({
             client_id: input.clientId,
             client_secret: hashedSecret,
             name: input.name ?? existing?.name ?? null,
-            redirect_uris: encodeStringArray(redirectUris),
-            scope: encodeStringArray(scope),
+            redirect_uris: (0, sequelize_utils_js_1.encodeStringArray)(redirectUris),
+            scope: (0, sequelize_utils_js_1.encodeStringArray)(scope),
             metadata: serializeMetadata(metadata),
             first_party: input.firstParty ?? existing?.first_party ?? false
         });
@@ -165,9 +98,9 @@ class SequelizeOAuthStore extends base_js_1.OAuthStore {
         await this.codes.create({
             code: code.code,
             client_id: code.clientId,
-            user_id: normalizeUserId(code.userId),
+            user_id: (0, user_id_js_1.normalizeNumericUserId)(code.userId),
             redirect_uri: code.redirectUri ?? '',
-            scope: encodeStringArray(code.scope),
+            scope: (0, sequelize_utils_js_1.encodeStringArray)(code.scope),
             code_challenge: code.codeChallenge ?? null,
             code_challenge_method: code.codeChallengeMethod ?? null,
             expires: code.expiresAt,
@@ -175,12 +108,21 @@ class SequelizeOAuthStore extends base_js_1.OAuthStore {
         });
     }
     async consumeAuthCode(code) {
-        const model = await this.codes.findByPk(code);
-        if (!model) {
-            return null;
+        const sequelize = this.codes.sequelize;
+        if (!sequelize) {
+            throw new Error('Code model is not bound to a Sequelize instance');
         }
-        await model.destroy();
-        return this.toAuthCode(model);
+        return sequelize.transaction({ isolationLevel: sequelize_1.Transaction.ISOLATION_LEVELS.READ_COMMITTED }, async (transaction) => {
+            const model = await this.codes.findByPk(code, { transaction, lock: true });
+            if (!model) {
+                return null;
+            }
+            await model.destroy({ transaction });
+            if (model.expires.getTime() <= Date.now()) {
+                return null;
+            }
+            return this.toAuthCode(model);
+        });
     }
     async close() {
         return;
@@ -188,11 +130,10 @@ class SequelizeOAuthStore extends base_js_1.OAuthStore {
     toOAuthClient(model) {
         return {
             clientId: model.client_id,
-            // client_secret is stored hashed; do not return the hash.
-            clientSecret: model.client_secret ? '__stored__' : undefined,
+            hasSecret: Boolean(model.client_secret),
             name: model.name ?? undefined,
-            redirectUris: decodeStringArray(model.redirect_uris),
-            scope: decodeStringArray(model.scope),
+            redirectUris: (0, sequelize_utils_js_1.decodeStringArray)(model.redirect_uris),
+            scope: (0, sequelize_utils_js_1.decodeStringArray)(model.scope),
             metadata: parseMetadata(model.metadata),
             firstParty: model.first_party ?? false
         };
@@ -201,9 +142,9 @@ class SequelizeOAuthStore extends base_js_1.OAuthStore {
         return {
             code: model.code,
             clientId: model.client_id,
-            userId: model.user_id,
+            userId: String(model.user_id),
             redirectUri: model.redirect_uri,
-            scope: decodeStringArray(model.scope),
+            scope: (0, sequelize_utils_js_1.decodeStringArray)(model.scope),
             codeChallenge: model.code_challenge ?? undefined,
             codeChallengeMethod: model.code_challenge_method ?? undefined,
             expiresAt: model.expires,

package/dist/cjs/oauth/types.d.ts

@@ -2,6 +2,7 @@ import type { AuthIdentifier } from '../auth-api/types.js';
 export interface OAuthClient {
     clientId: string;
     clientSecret?: string;
+    hasSecret?: boolean;
     firstParty?: boolean;
     metadata?: Record<string, unknown>;
     name?: string;

package/dist/cjs/passkey/base.d.ts

@@ -11,6 +11,7 @@ export declare abstract class PasskeyStore implements PasskeyStorageAdapter {
     abstract saveCredential(record: StoredPasskeyCredential): Promise<void>;
     abstract updateCredentialCounter(credentialId: Buffer, counter: number): Promise<void>;
     abstract saveChallenge(record: PasskeyChallengeRecord): Promise<void>;
+    abstract getChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
     abstract consumeChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
     abstract cleanupChallenges(now: Date): Promise<void>;
 }

package/dist/cjs/passkey/memory.d.ts

@@ -6,11 +6,15 @@ export interface MemoryPasskeyStoreOptions {
         userId?: AuthIdentifier;
         login?: string;
     }) => Promise<PasskeyUserDescriptor | null>;
+    maxCredentials?: number;
+    maxChallenges?: number;
 }
 export declare class MemoryPasskeyStore extends PasskeyStore {
     private readonly resolveUserFn;
     private readonly credentials;
     private readonly challenges;
+    private readonly maxCredentials?;
+    private readonly maxChallenges?;
     constructor(options: MemoryPasskeyStoreOptions);
     resolveUser(params: {
         userId?: AuthIdentifier;
@@ -22,6 +26,9 @@ export declare class MemoryPasskeyStore extends PasskeyStore {
     saveCredential(record: StoredPasskeyCredential): Promise<void>;
     updateCredentialCounter(credentialId: Buffer, counter: number): Promise<void>;
     saveChallenge(record: PasskeyChallengeRecord): Promise<void>;
+    getChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
     consumeChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
     cleanupChallenges(now: Date): Promise<void>;
+    private enforceCredentialCapacity;
+    private enforceChallengeCapacity;
 }

package/dist/cjs/passkey/memory.js

@@ -6,11 +6,11 @@ const base_js_1 = require("./base.js");
 function encodeCredentialId(value) {
     return Buffer.isBuffer(value) ? value.toString('base64') : value;
 }
-const normalizeUserId = user_id_js_1.normalizeComparableUserId;
 function cloneCredential(record) {
     return {
         ...record,
         credentialId: Buffer.isBuffer(record.credentialId) ? Buffer.from(record.credentialId) : record.credentialId,
+        publicKey: Buffer.from(record.publicKey),
         transports: record.transports ? [...record.transports] : undefined
     };
 }
@@ -20,14 +20,26 @@ class MemoryPasskeyStore extends base_js_1.PasskeyStore {
         this.credentials = new Map();
         this.challenges = new Map();
         this.resolveUserFn = options.resolveUser;
+        this.maxCredentials =
+            typeof options.maxCredentials === 'number' &&
+                Number.isFinite(options.maxCredentials) &&
+                options.maxCredentials > 0
+                ? Math.floor(options.maxCredentials)
+                : undefined;
+        this.maxChallenges =
+            typeof options.maxChallenges === 'number' &&
+                Number.isFinite(options.maxChallenges) &&
+                options.maxChallenges > 0
+                ? Math.floor(options.maxChallenges)
+                : undefined;
     }
     async resolveUser(params) {
         return this.resolveUserFn(params);
     }
     async listUserCredentials(userId) {
-        const normalizedUserId = normalizeUserId(userId);
+        const normalizedUserId = (0, user_id_js_1.normalizeComparableUserId)(userId);
         return [...this.credentials.values()]
-            .filter((record) => normalizeUserId(record.userId) === normalizedUserId)
+            .filter((record) => (0, user_id_js_1.normalizeComparableUserId)(record.userId) === normalizedUserId)
             .map((record) => cloneCredential(record));
     }
     async deleteCredential(credentialId) {
@@ -41,10 +53,11 @@ class MemoryPasskeyStore extends base_js_1.PasskeyStore {
     async saveCredential(record) {
         this.credentials.set(encodeCredentialId(record.credentialId), {
             ...record,
-            userId: normalizeUserId(record.userId),
+            userId: (0, user_id_js_1.normalizeComparableUserId)(record.userId),
             credentialId: Buffer.isBuffer(record.credentialId) ? Buffer.from(record.credentialId) : record.credentialId,
             transports: record.transports ? [...record.transports] : undefined
         });
+        this.enforceCredentialCapacity();
     }
     async updateCredentialCounter(credentialId, counter) {
         const key = encodeCredentialId(credentialId);
@@ -57,10 +70,15 @@ class MemoryPasskeyStore extends base_js_1.PasskeyStore {
         this.challenges.set(record.challenge, {
             challenge: record.challenge,
             action: record.action,
-            userId: record.userId !== undefined ? normalizeUserId(record.userId) : undefined,
+            userId: record.userId !== undefined ? (0, user_id_js_1.normalizeComparableUserId)(record.userId) : undefined,
             login: record.login ?? undefined,
             expiresAt: record.expiresAt
         });
+        this.enforceChallengeCapacity();
+    }
+    async getChallenge(challenge) {
+        const record = this.challenges.get(challenge);
+        return record ? { ...record } : null;
     }
     async consumeChallenge(challenge) {
         const record = this.challenges.get(challenge);
@@ -77,5 +95,29 @@ class MemoryPasskeyStore extends base_js_1.PasskeyStore {
             }
         }
     }
+    enforceCredentialCapacity() {
+        if (!this.maxCredentials) {
+            return;
+        }
+        while (this.credentials.size > this.maxCredentials) {
+            const oldest = this.credentials.keys().next().value;
+            if (!oldest) {
+                return;
+            }
+            this.credentials.delete(oldest);
+        }
+    }
+    enforceChallengeCapacity() {
+        if (!this.maxChallenges) {
+            return;
+        }
+        while (this.challenges.size > this.maxChallenges) {
+            const oldest = this.challenges.keys().next().value;
+            if (!oldest) {
+                return;
+            }
+            this.challenges.delete(oldest);
+        }
+    }
 }
 exports.MemoryPasskeyStore = MemoryPasskeyStore;

package/dist/cjs/passkey/models.js

@@ -5,9 +5,6 @@ exports.initPasskeyCredentialModel = initPasskeyCredentialModel;
 exports.initPasskeyChallengeModel = initPasskeyChallengeModel;
 const sequelize_1 = require("sequelize");
 const sequelize_utils_js_1 = require("../sequelize-utils.js");
-function integerIdType(sequelize) {
-    return sequelize_utils_js_1.DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? sequelize_1.DataTypes.INTEGER.UNSIGNED : sequelize_1.DataTypes.INTEGER;
-}
 class PasskeyCredentialModel extends sequelize_1.Model {
 }
 exports.PasskeyCredentialModel = PasskeyCredentialModel;
@@ -15,7 +12,7 @@ class PasskeyChallengeModel extends sequelize_1.Model {
 }
 exports.PasskeyChallengeModel = PasskeyChallengeModel;
 function initPasskeyCredentialModel(sequelize, options = {}) {
-    const idType = integerIdType(sequelize);
+    const idType = (0, sequelize_utils_js_1.integerIdType)(sequelize);
     return PasskeyCredentialModel.init({
         credentialId: {
             field: 'credential_id',
@@ -110,7 +107,7 @@ function initPasskeyCredentialModel(sequelize, options = {}) {
     });
 }
 function initPasskeyChallengeModel(sequelize, options = {}) {
-    const idType = integerIdType(sequelize);
+    const idType = (0, sequelize_utils_js_1.integerIdType)(sequelize);
     return PasskeyChallengeModel.init({
         challenge: {
             type: sequelize_1.DataTypes.STRING(255),

package/dist/cjs/passkey/sequelize.d.ts

@@ -1,34 +1,8 @@
-import { Model, type InferAttributes, type InferCreationAttributes, type ModelStatic, type Sequelize } from 'sequelize';
+import { type ModelStatic, type Sequelize } from 'sequelize';
 import { PasskeyStore } from './base.js';
+import { PasskeyChallengeModel, PasskeyCredentialModel } from './models.js';
 import type { PasskeyChallengeRecord, PasskeyUserDescriptor, StoredPasskeyCredential } from './types.js';
 import type { AuthIdentifier } from '../auth-api/types.js';
-declare class PasskeyCredentialModel extends Model<InferAttributes<PasskeyCredentialModel>, InferCreationAttributes<PasskeyCredentialModel>> {
-    credentialId: Buffer;
-    userId: number;
-    publicKey: Buffer;
-    counter: number;
-    transports: string[] | null;
-    backedUp: boolean;
-    deviceType: string;
-    label: string | null;
-    createdDomain: string | null;
-    createdUserAgent: string | null;
-    createdBrowser: string | null;
-    createdOs: string | null;
-    createdDevice: string | null;
-    createdIp: string | null;
-    createdAt?: Date;
-    updatedAt?: Date;
-}
-declare class PasskeyChallengeModel extends Model<InferAttributes<PasskeyChallengeModel>, InferCreationAttributes<PasskeyChallengeModel>> {
-    challenge: string;
-    action: 'register' | 'authenticate';
-    userId: number | null;
-    login: string | null;
-    expiresAt: Date;
-    createdAt?: Date;
-    updatedAt?: Date;
-}
 export interface SequelizePasskeyStoreOptions {
     sequelize: Sequelize;
     tablePrefix?: string;
@@ -60,7 +34,9 @@ export declare class SequelizePasskeyStore extends PasskeyStore {
     saveCredential(record: StoredPasskeyCredential): Promise<void>;
     updateCredentialCounter(credentialId: Buffer, counter: number): Promise<void>;
     saveChallenge(record: PasskeyChallengeRecord): Promise<void>;
+    getChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
     consumeChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
     cleanupChallenges(now: Date): Promise<void>;
+    private toChallengeRecord;
+    private toStoredCredential;
 }
-export {};