@technomoron/api-server-base 2.0.0-beta.19 → 2.0.0-beta.20

package/dist/cjs/passkey/sequelize.js

@@ -3,150 +3,11 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.SequelizePasskeyStore = void 0;
 const sequelize_1 = require("sequelize");
 const user_id_js_1 = require("../auth-api/user-id.js");
-const sequelize_utils_js_1 = require("../sequelize-utils.js");
 const base_js_1 = require("./base.js");
-function integerIdType(sequelize) {
-    return sequelize_utils_js_1.DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? sequelize_1.DataTypes.INTEGER.UNSIGNED : sequelize_1.DataTypes.INTEGER;
-}
+const models_js_1 = require("./models.js");
 function encodeCredentialId(value) {
     return Buffer.isBuffer(value) ? value.toString('base64') : value;
 }
-function normalizeUserId(identifier) {
-    return (0, user_id_js_1.normalizeNumericUserId)(identifier);
-}
-class PasskeyCredentialModel extends sequelize_1.Model {
-}
-class PasskeyChallengeModel extends sequelize_1.Model {
-}
-function initPasskeyCredentialModel(sequelize, options = {}) {
-    const idType = integerIdType(sequelize);
-    return PasskeyCredentialModel.init({
-        credentialId: {
-            field: 'credential_id',
-            type: sequelize_1.DataTypes.STRING(768),
-            primaryKey: true,
-            allowNull: false,
-            get() {
-                const raw = this.getDataValue('credentialId');
-                if (!raw) {
-                    return raw;
-                }
-                if (Buffer.isBuffer(raw)) {
-                    return raw;
-                }
-                return Buffer.from(raw, 'base64');
-            },
-            set(value) {
-                const encoded = typeof value === 'string' ? value : value.toString('base64');
-                this.setDataValue('credentialId', encoded);
-            }
-        },
-        userId: {
-            field: 'user_id',
-            type: idType,
-            allowNull: false
-        },
-        publicKey: {
-            field: 'public_key',
-            type: sequelize_1.DataTypes.BLOB,
-            allowNull: false
-        },
-        counter: {
-            type: sequelize_1.DataTypes.INTEGER,
-            allowNull: false,
-            defaultValue: 0
-        },
-        transports: {
-            type: sequelize_1.DataTypes.JSON,
-            allowNull: true
-        },
-        backedUp: {
-            field: 'backed_up',
-            type: sequelize_1.DataTypes.BOOLEAN,
-            allowNull: false,
-            defaultValue: false
-        },
-        deviceType: {
-            field: 'device_type',
-            type: sequelize_1.DataTypes.STRING(32),
-            allowNull: false,
-            defaultValue: 'multiDevice'
-        },
-        label: {
-            type: sequelize_1.DataTypes.STRING(120),
-            allowNull: true
-        },
-        createdDomain: {
-            field: 'created_domain',
-            type: sequelize_1.DataTypes.STRING(255),
-            allowNull: true
-        },
-        createdUserAgent: {
-            field: 'created_user_agent',
-            type: sequelize_1.DataTypes.TEXT,
-            allowNull: true
-        },
-        createdBrowser: {
-            field: 'created_browser',
-            type: sequelize_1.DataTypes.STRING(120),
-            allowNull: true
-        },
-        createdOs: {
-            field: 'created_os',
-            type: sequelize_1.DataTypes.STRING(120),
-            allowNull: true
-        },
-        createdDevice: {
-            field: 'created_device',
-            type: sequelize_1.DataTypes.STRING(120),
-            allowNull: true
-        },
-        createdIp: {
-            field: 'created_ip',
-            type: sequelize_1.DataTypes.STRING(45),
-            allowNull: true
-        }
-    }, {
-        sequelize,
-        tableName: (0, sequelize_utils_js_1.applyTablePrefix)(options.tablePrefix, 'passkey_credentials'),
-        timestamps: true,
-        underscored: true
-    });
-}
-function initPasskeyChallengeModel(sequelize, options = {}) {
-    const idType = integerIdType(sequelize);
-    return PasskeyChallengeModel.init({
-        challenge: {
-            type: sequelize_1.DataTypes.STRING(255),
-            primaryKey: true,
-            allowNull: false
-        },
-        action: {
-            type: sequelize_1.DataTypes.STRING(16),
-            allowNull: false
-        },
-        userId: {
-            field: 'user_id',
-            type: idType,
-            allowNull: true
-        },
-        login: {
-            type: sequelize_1.DataTypes.STRING(128),
-            allowNull: true
-        },
-        expiresAt: {
-            field: 'expires_at',
-            type: sequelize_1.DataTypes.DATE,
-            allowNull: false
-        }
-    }, {
-        sequelize,
-        tableName: (0, sequelize_utils_js_1.applyTablePrefix)(options.tablePrefix, 'passkey_challenges'),
-        timestamps: true,
-        underscored: true,
-        indexes: [{ fields: ['expires_at'] }, { fields: ['user_id'] }]
-    });
-}
 class SequelizePasskeyStore extends base_js_1.PasskeyStore {
     constructor(options) {
         super();
@@ -156,12 +17,12 @@ class SequelizePasskeyStore extends base_js_1.PasskeyStore {
         this.resolveUserFn = options.resolveUser;
         this.credentials =
             options.credentialModel ??
-                (options.credentialModelFactory ?? initPasskeyCredentialModel)(options.sequelize, {
+                (options.credentialModelFactory ?? models_js_1.initPasskeyCredentialModel)(options.sequelize, {
                     tablePrefix: options.tablePrefix
                 });
         this.challenges =
             options.challengeModel ??
-                (options.challengeModelFactory ?? initPasskeyChallengeModel)(options.sequelize, {
+                (options.challengeModelFactory ?? models_js_1.initPasskeyChallengeModel)(options.sequelize, {
                     tablePrefix: options.tablePrefix
                 });
     }
@@ -169,25 +30,8 @@ class SequelizePasskeyStore extends base_js_1.PasskeyStore {
         return this.resolveUserFn(params);
     }
     async listUserCredentials(userId) {
-        const models = await this.credentials.findAll({ where: { userId: normalizeUserId(userId) } });
-        return models.map((model) => ({
-            userId: model.userId,
-            credentialId: model.credentialId,
-            publicKey: model.publicKey,
-            counter: model.counter,
-            transports: (model.transports ?? undefined),
-            backedUp: model.backedUp,
-            deviceType: model.deviceType,
-            label: model.label ?? undefined,
-            createdDomain: model.createdDomain ?? undefined,
-            createdUserAgent: model.createdUserAgent ?? undefined,
-            createdBrowser: model.createdBrowser ?? undefined,
-            createdOs: model.createdOs ?? undefined,
-            createdDevice: model.createdDevice ?? undefined,
-            createdIp: model.createdIp ?? undefined,
-            createdAt: model.createdAt ?? undefined,
-            updatedAt: model.updatedAt ?? undefined
-        }));
+        const models = await this.credentials.findAll({ where: { userId: (0, user_id_js_1.normalizeNumericUserId)(userId) } });
+        return models.map((model) => this.toStoredCredential(model));
     }
     async deleteCredential(credentialId) {
         const encoded = Buffer.isBuffer(credentialId) ? credentialId.toString('base64') : credentialId;
@@ -196,32 +40,12 @@ class SequelizePasskeyStore extends base_js_1.PasskeyStore {
     }
     async findCredentialById(credentialId) {
         const model = await this.credentials.findByPk(encodeCredentialId(credentialId));
-        if (!model) {
-            return null;
-        }
-        return {
-            userId: model.userId,
-            credentialId: model.credentialId,
-            publicKey: model.publicKey,
-            counter: model.counter,
-            transports: (model.transports ?? undefined),
-            backedUp: model.backedUp,
-            deviceType: model.deviceType,
-            label: model.label ?? undefined,
-            createdDomain: model.createdDomain ?? undefined,
-            createdUserAgent: model.createdUserAgent ?? undefined,
-            createdBrowser: model.createdBrowser ?? undefined,
-            createdOs: model.createdOs ?? undefined,
-            createdDevice: model.createdDevice ?? undefined,
-            createdIp: model.createdIp ?? undefined,
-            createdAt: model.createdAt ?? undefined,
-            updatedAt: model.updatedAt ?? undefined
-        };
+        return model ? this.toStoredCredential(model) : null;
     }
     async saveCredential(record) {
         await this.credentials.upsert({
             credentialId: record.credentialId,
-            userId: normalizeUserId(record.userId),
+            userId: (0, user_id_js_1.normalizeNumericUserId)(record.userId),
             publicKey: record.publicKey,
             counter: record.counter,
             transports: record.transports ?? null,
@@ -243,27 +67,60 @@ class SequelizePasskeyStore extends base_js_1.PasskeyStore {
         await this.challenges.upsert({
             challenge: record.challenge,
             action: record.action,
-            userId: record.userId !== undefined ? normalizeUserId(record.userId) : null,
+            userId: record.userId !== undefined ? (0, user_id_js_1.normalizeNumericUserId)(record.userId) : null,
             login: record.login ?? null,
             expiresAt: record.expiresAt
         });
     }
-    async consumeChallenge(challenge) {
+    async getChallenge(challenge) {
         const model = await this.challenges.findByPk(challenge);
-        if (!model) {
-            return null;
+        return model ? this.toChallengeRecord(model) : null;
+    }
+    async consumeChallenge(challenge) {
+        const sequelize = this.challenges.sequelize;
+        if (!sequelize) {
+            throw new Error('Challenge model is not bound to a Sequelize instance');
         }
-        await model.destroy();
+        return sequelize.transaction({ isolationLevel: sequelize_1.Transaction.ISOLATION_LEVELS.READ_COMMITTED }, async (transaction) => {
+            const model = await this.challenges.findByPk(challenge, { transaction, lock: true });
+            if (!model) {
+                return null;
+            }
+            await model.destroy({ transaction });
+            return this.toChallengeRecord(model);
+        });
+    }
+    async cleanupChallenges(now) {
+        await this.challenges.destroy({ where: { expiresAt: { [sequelize_1.Op.lte]: now } } });
+    }
+    toChallengeRecord(model) {
         return {
             challenge: model.challenge,
             action: model.action,
-            userId: model.userId ?? undefined,
+            userId: model.userId !== null ? String(model.userId) : undefined,
             login: model.login ?? undefined,
             expiresAt: model.expiresAt
         };
     }
-    async cleanupChallenges(now) {
-        await this.challenges.destroy({ where: { expiresAt: { [sequelize_1.Op.lte]: now } } });
+    toStoredCredential(model) {
+        return {
+            userId: String(model.userId),
+            credentialId: model.credentialId,
+            publicKey: model.publicKey,
+            counter: model.counter,
+            transports: (model.transports ?? undefined),
+            backedUp: model.backedUp,
+            deviceType: model.deviceType,
+            label: model.label ?? undefined,
+            createdDomain: model.createdDomain ?? undefined,
+            createdUserAgent: model.createdUserAgent ?? undefined,
+            createdBrowser: model.createdBrowser ?? undefined,
+            createdOs: model.createdOs ?? undefined,
+            createdDevice: model.createdDevice ?? undefined,
+            createdIp: model.createdIp ?? undefined,
+            createdAt: model.createdAt ?? undefined,
+            updatedAt: model.updatedAt ?? undefined
+        };
     }
 }
 exports.SequelizePasskeyStore = SequelizePasskeyStore;

package/dist/cjs/passkey/service.d.ts

@@ -17,4 +17,5 @@ export declare class PasskeyService {
     private verifyAuthentication;
     private requireUser;
     private createExpiry;
+    private requireUserVerification;
 }

package/dist/cjs/passkey/service.js

@@ -102,21 +102,51 @@ async function spkiToCosePublicKey(spki) {
             return null;
         }
         const spkiView = new Uint8Array(spki);
-        const key = await subtle.importKey('spki', spkiView, { name: 'ECDSA', namedCurve: 'P-256' }, true, ['verify']);
-        const raw = Buffer.from(await subtle.exportKey('raw', key));
-        if (raw.length !== 65 || raw[0] !== 0x04) {
+        const ecCurves = [
+            { namedCurve: 'P-256', crv: 1, alg: -7, rawLength: 65 },
+            { namedCurve: 'P-384', crv: 2, alg: -35, rawLength: 97 },
+            { namedCurve: 'P-521', crv: 3, alg: -36, rawLength: 133 }
+        ];
+        for (const curve of ecCurves) {
+            try {
+                const key = await subtle.importKey('spki', spkiView, { name: 'ECDSA', namedCurve: curve.namedCurve }, true, ['verify']);
+                const raw = Buffer.from(await subtle.exportKey('raw', key));
+                if (raw.length !== curve.rawLength || raw[0] !== 0x04) {
+                    continue;
+                }
+                const coordLength = (raw.length - 1) / 2;
+                const x = raw.slice(1, 1 + coordLength);
+                const y = raw.slice(1 + coordLength);
+                const coseMap = new Map([
+                    [1, 2], // kty: EC2
+                    [3, curve.alg],
+                    [-1, curve.crv],
+                    [-2, x],
+                    [-3, y]
+                ]);
+                return Buffer.from(helpers_1.isoCBOR.encode(coseMap));
+            }
+            catch {
+                // try next algorithm
+            }
+        }
+        try {
+            const edKey = await subtle.importKey('spki', spkiView, { name: 'Ed25519' }, true, ['verify']);
+            const raw = Buffer.from(await subtle.exportKey('raw', edKey));
+            if (raw.length !== 32) {
+                return null;
+            }
+            const coseMap = new Map([
+                [1, 1], // kty: OKP
+                [3, -8], // alg: EdDSA
+                [-1, 6], // crv: Ed25519
+                [-2, raw]
+            ]);
+            return Buffer.from(helpers_1.isoCBOR.encode(coseMap));
+        }
+        catch {
             return null;
         }
-        const x = raw.slice(1, 33);
-        const y = raw.slice(33, 65);
-        const coseMap = new Map([
-            [1, 2], // kty: EC2
-            [3, -7], // alg: ES256
-            [-1, 1], // crv: P-256
-            [-2, x],
-            [-3, y]
-        ]);
-        return Buffer.from(helpers_1.isoCBOR.encode(coseMap));
     }
     catch {
         return null;
@@ -146,6 +176,10 @@ class PasskeyService {
     }
     async verifyResponse(params) {
         await this.adapter.cleanupChallenges?.(new Date());
+        const existing = this.adapter.getChallenge ? await this.adapter.getChallenge(params.expectedChallenge) : null;
+        if (existing && existing.expiresAt.getTime() <= Date.now()) {
+            return { verified: false };
+        }
         const record = await this.adapter.consumeChallenge(params.expectedChallenge);
         if (!record) {
             return { verified: false };
@@ -240,7 +274,7 @@ class PasskeyService {
             expectedChallenge: record.challenge,
             expectedOrigin: this.config.origins,
             expectedRPID: this.config.rpId,
-            requireUserVerification: true
+            requireUserVerification: this.requireUserVerification()
         });
         if (!result.verified || !result.registrationInfo) {
             if (!result.verified) {
@@ -334,7 +368,7 @@ class PasskeyService {
             expectedOrigin: this.config.origins,
             expectedRPID: this.config.rpId,
             credential: storedAuthData,
-            requireUserVerification: true
+            requireUserVerification: this.requireUserVerification()
         });
         if (!result.verified) {
             const err = result.error ?? result;
@@ -358,5 +392,8 @@ class PasskeyService {
     createExpiry() {
         return new Date(Date.now() + this.config.timeoutMs);
     }
+    requireUserVerification() {
+        return this.config.userVerification !== 'discouraged';
+    }
 }
 exports.PasskeyService = PasskeyService;

package/dist/cjs/passkey/types.d.ts

@@ -55,6 +55,7 @@ export interface PasskeyStorageAdapter {
     saveCredential(record: StoredPasskeyCredential): Promise<void>;
     updateCredentialCounter(credentialId: Buffer, counter: number): Promise<void>;
     saveChallenge(record: PasskeyChallengeRecord): Promise<void>;
+    getChallenge?(challenge: string): Promise<PasskeyChallengeRecord | null>;
     consumeChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
     cleanupChallenges?(now: Date): Promise<void>;
 }

package/dist/cjs/sequelize-utils.d.ts

@@ -1,3 +1,8 @@
+import { DataTypes, type InitOptions, type Model, type Sequelize } from 'sequelize';
 export declare const DIALECTS_SUPPORTING_UNSIGNED: Set<string>;
+export declare function integerIdType(sequelize: Sequelize): DataTypes.IntegerDataTypeConstructor;
+export declare function tableOptions<ModelType extends Model>(sequelize: Sequelize, tableName: string, tablePrefix?: string, extra?: Partial<InitOptions<ModelType>>): InitOptions<ModelType>;
 export declare function normalizeTablePrefix(prefix?: string): string | undefined;
 export declare function applyTablePrefix(prefix: string | undefined, tableName: string): string;
+export declare function encodeStringArray(values: string[] | undefined): string;
+export declare function decodeStringArray(raw: string | null | undefined): string[];

package/dist/cjs/sequelize-utils.js

@@ -1,9 +1,28 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.DIALECTS_SUPPORTING_UNSIGNED = void 0;
+exports.integerIdType = integerIdType;
+exports.tableOptions = tableOptions;
 exports.normalizeTablePrefix = normalizeTablePrefix;
 exports.applyTablePrefix = applyTablePrefix;
+exports.encodeStringArray = encodeStringArray;
+exports.decodeStringArray = decodeStringArray;
+const sequelize_1 = require("sequelize");
 exports.DIALECTS_SUPPORTING_UNSIGNED = new Set(['mysql', 'mariadb']);
+function integerIdType(sequelize) {
+    return exports.DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? sequelize_1.DataTypes.INTEGER.UNSIGNED : sequelize_1.DataTypes.INTEGER;
+}
+function tableOptions(sequelize, tableName, tablePrefix, extra) {
+    const opts = { sequelize, tableName: applyTablePrefix(tablePrefix, tableName) };
+    if (extra) {
+        Object.assign(opts, extra);
+    }
+    if (exports.DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())) {
+        opts.charset = 'utf8mb4';
+        opts.collate = 'utf8mb4_unicode_ci';
+    }
+    return opts;
+}
 function normalizeTablePrefix(prefix) {
     if (!prefix) {
         return undefined;
@@ -15,3 +34,24 @@ function applyTablePrefix(prefix, tableName) {
     const normalized = normalizeTablePrefix(prefix);
     return normalized ? `${normalized}${tableName}` : tableName;
 }
+function encodeStringArray(values) {
+    return JSON.stringify(values ?? []);
+}
+function decodeStringArray(raw) {
+    if (!raw) {
+        return [];
+    }
+    try {
+        const parsed = JSON.parse(raw);
+        if (Array.isArray(parsed)) {
+            return parsed.filter((entry) => typeof entry === 'string' && entry.length > 0);
+        }
+    }
+    catch {
+        // ignore malformed values
+    }
+    return raw
+        .split(/\s+/)
+        .map((entry) => entry.trim())
+        .filter((entry) => entry.length > 0);
+}

package/dist/cjs/token/base.js

@@ -49,10 +49,10 @@ function normalizeTokenInternal(input) {
     const status = input.status === 'revoked' ? 'revoked' : expires.getTime() < Date.now() ? 'expired' : 'active';
     const sessionCookie = typeof input.sessionCookie === 'boolean' ? input.sessionCookie : false;
     return {
-        ...input,
         accessToken: input.accessToken,
         refreshToken: input.refreshToken,
         userId,
+        clientId: typeof input.clientId === 'string' && input.clientId.length > 0 ? input.clientId : undefined,
         domain: typeof input.domain === 'string' ? input.domain : '',
         fingerprint: typeof input.fingerprint === 'string' ? input.fingerprint : '',
         label: typeof input.label === 'string' ? input.label : '',
@@ -76,6 +76,8 @@ class TokenStore {
     normalizeToken(token) {
         return normalizeTokenInternal(token);
     }
+    // JWT helpers live on TokenStore so every adapter automatically exposes
+    // signing/verification without additional wiring.
     jwtSign(payload, secret, expiresInSeconds, options) {
         const opts = { ...(options ?? {}), expiresIn: expiresInSeconds };
         try {

package/dist/cjs/token/memory.d.ts

@@ -1,8 +1,13 @@
 import { TokenStore } from './base.js';
 import type { Token } from './types.js';
+export interface MemoryTokenStoreOptions {
+    maxTokens?: number;
+}
 export declare class MemoryTokenStore extends TokenStore {
     private readonly tokens;
     private readonly tokensByUser;
+    private readonly maxTokens?;
+    constructor(options?: MemoryTokenStoreOptions);
     private indexToken;
     private unindexToken;
     private removeByRefreshToken;
@@ -20,4 +25,5 @@ export declare class MemoryTokenStore extends TokenStore {
         includeExpired?: boolean;
     }): Promise<Token[]>;
     close(): Promise<void>;
+    private enforceCapacity;
 }

package/dist/cjs/token/memory.js

@@ -3,7 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.MemoryTokenStore = void 0;
 const base_js_1 = require("./base.js");
 function comparableUserId(value) {
-    if (value === undefined || value === null) {
+    if (value === undefined) {
         return undefined;
     }
     return String(value);
@@ -48,10 +48,14 @@ function matchesQuery(record, query, includeExpired) {
     return true;
 }
 class MemoryTokenStore extends base_js_1.TokenStore {
-    constructor() {
-        super(...arguments);
+    constructor(options = {}) {
+        super();
         this.tokens = new Map();
         this.tokensByUser = new Map();
+        this.maxTokens =
+            typeof options.maxTokens === 'number' && Number.isFinite(options.maxTokens) && options.maxTokens > 0
+                ? Math.floor(options.maxTokens)
+                : undefined;
     }
     indexToken(token) {
         const userId = comparableUserId(token.userId);
@@ -118,6 +122,7 @@ class MemoryTokenStore extends base_js_1.TokenStore {
         this.removeByRefreshToken(stored.refreshToken);
         this.tokens.set(stored.refreshToken, stored);
         this.indexToken(stored);
+        this.enforceCapacity();
     }
     async get(query, opts) {
         if (!query.refreshToken && !query.accessToken && query.userId === undefined) {
@@ -165,8 +170,12 @@ class MemoryTokenStore extends base_js_1.TokenStore {
                 merged[key] = value;
             }
         };
-        maybeAssign('accessToken');
-        maybeAssign('expires');
+        if (params.accessToken !== undefined && params.accessToken !== null) {
+            merged.accessToken = params.accessToken;
+        }
+        if (params.expires !== undefined && params.expires !== null) {
+            merged.expires = params.expires;
+        }
         maybeAssign('scope');
         maybeAssign('label');
         maybeAssign('domain');
@@ -177,8 +186,12 @@ class MemoryTokenStore extends base_js_1.TokenStore {
         maybeAssign('os');
         maybeAssign('refreshTtlSeconds');
         maybeAssign('loginType');
-        maybeAssign('issuedAt');
-        maybeAssign('lastSeenAt');
+        if (params.issuedAt !== undefined && params.issuedAt !== null) {
+            merged.issuedAt = params.issuedAt;
+        }
+        if (params.lastSeenAt !== undefined && params.lastSeenAt !== null) {
+            merged.lastSeenAt = params.lastSeenAt;
+        }
         maybeAssign('sessionCookie');
         const normalized = this.normalizeToken(merged);
         const previousUserId = token.userId;
@@ -210,5 +223,17 @@ class MemoryTokenStore extends base_js_1.TokenStore {
     async close() {
         return;
     }
+    enforceCapacity() {
+        if (!this.maxTokens) {
+            return;
+        }
+        while (this.tokens.size > this.maxTokens) {
+            const oldestRefresh = this.tokens.keys().next().value;
+            if (!oldestRefresh) {
+                return;
+            }
+            this.removeByRefreshToken(oldestRefresh);
+        }
+    }
 }
 exports.MemoryTokenStore = MemoryTokenStore;

package/dist/cjs/token/sequelize.d.ts

@@ -52,10 +52,7 @@ export declare class SequelizeTokenStore extends TokenStore {
     close(): Promise<void>;
     private normalizeUserId;
     private resolveRealUserId;
-    private encodeStringArray;
-    private decodeStringArray;
     private encodeScope;
-    private decodeScope;
     private toTokenRecord;
 }
 export {};