@technomoron/api-server-base 2.0.0-beta.19 → 2.0.0-beta.20

package/dist/cjs/token/sequelize.js

@@ -7,18 +7,6 @@ const sequelize_utils_js_1 = require("../sequelize-utils.js");
 const base_js_1 = require("./base.js");
 class TokenModel extends sequelize_1.Model {
 }
-function tokenTableOptions(sequelize, tablePrefix) {
-    const opts = {
-        sequelize,
-        tableName: (0, sequelize_utils_js_1.applyTablePrefix)(tablePrefix, 'jwttokens'),
-        timestamps: false
-    };
-    if (sequelize_utils_js_1.DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())) {
-        opts.charset = 'utf8mb4';
-        opts.collate = 'utf8mb4_unicode_ci';
-    }
-    return opts;
-}
 function initTokenModel(sequelize, options = {}) {
     const tableName = (0, sequelize_utils_js_1.applyTablePrefix)(options.tablePrefix, 'jwttokens');
     const usePrefixedIndexNames = tableName !== 'jwttokens';
@@ -26,9 +14,7 @@ function initTokenModel(sequelize, options = {}) {
     const refreshIndexName = usePrefixedIndexNames ? `${tableName}_refresh_unique` : 'jwt_refresh_unique';
     TokenModel.init({
         token_id: {
-            type: sequelize_utils_js_1.DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())
-                ? sequelize_1.DataTypes.INTEGER.UNSIGNED
-                : sequelize_1.DataTypes.INTEGER,
+            type: (0, sequelize_utils_js_1.integerIdType)(sequelize),
             autoIncrement: true,
             allowNull: false,
             primaryKey: true
@@ -125,7 +111,7 @@ function initTokenModel(sequelize, options = {}) {
             defaultValue: '[]'
         }
     }, {
-        ...tokenTableOptions(sequelize, options.tablePrefix),
+        ...(0, sequelize_utils_js_1.tableOptions)(sequelize, 'jwttokens', options.tablePrefix, { timestamps: false }),
         indexes: [
             { name: accessIndexName, unique: true, fields: ['access'] },
             { name: refreshIndexName, unique: true, fields: ['refresh'] }
@@ -164,43 +150,50 @@ class SequelizeTokenStore extends base_js_1.TokenStore {
         const lastSeenAt = normalized.lastSeenAt ?? issuedAt;
         const sessionCookie = normalized.sessionCookie ?? false;
         const removalWhere = { user_id: resolvedUserId };
-        if (normalized.domain !== undefined && record.domain !== undefined) {
+        if (record.domain !== undefined) {
             removalWhere.domain = domain;
         }
-        if (normalized.fingerprint !== undefined && record.fingerprint !== undefined) {
+        if (record.fingerprint !== undefined) {
             removalWhere.fingerprint = fingerprint;
         }
         if (normalized.clientId) {
             removalWhere.client_id = normalized.clientId;
         }
-        await this.Tokens.destroy({ where: removalWhere });
-        // Access/refresh columns are unique. Remove stale collisions before insert to avoid
-        // transient uniqueness failures during retries/rotation edge-cases.
-        await this.Tokens.destroy({
-            where: {
-                [sequelize_1.Op.or]: [{ access: normalized.accessToken ?? '' }, { refresh: normalized.refreshToken }]
-            }
-        });
-        await this.Tokens.create({
-            user_id: resolvedUserId,
-            real_user_id: resolvedRealUserId,
-            access: normalized.accessToken ?? '',
-            refresh: normalized.refreshToken,
-            expires: normalized.expires,
-            issued_at: issuedAt,
-            last_seen_at: lastSeenAt,
-            domain,
-            fingerprint,
-            label,
-            browser,
-            device,
-            ip,
-            os,
-            client_id: normalized.clientId ?? null,
-            scope: this.encodeScope(normalized.scope),
-            login_type: loginType,
-            refresh_ttl_seconds: refreshTtlSeconds,
-            session_cookie: sessionCookie
+        const sequelize = this.Tokens.sequelize;
+        if (!sequelize) {
+            throw new Error('Token model is not bound to a Sequelize instance');
+        }
+        await sequelize.transaction(async (transaction) => {
+            await this.Tokens.destroy({ where: removalWhere, transaction });
+            // Access/refresh columns are unique. Remove stale collisions before insert to avoid
+            // transient uniqueness failures during retries/rotation edge-cases.
+            await this.Tokens.destroy({
+                where: {
+                    [sequelize_1.Op.or]: [{ access: normalized.accessToken ?? '' }, { refresh: normalized.refreshToken }]
+                },
+                transaction
+            });
+            await this.Tokens.create({
+                user_id: resolvedUserId,
+                real_user_id: resolvedRealUserId,
+                access: normalized.accessToken ?? '',
+                refresh: normalized.refreshToken,
+                expires: normalized.expires,
+                issued_at: issuedAt,
+                last_seen_at: lastSeenAt,
+                domain,
+                fingerprint,
+                label,
+                browser,
+                device,
+                ip,
+                os,
+                client_id: normalized.clientId ?? null,
+                scope: this.encodeScope(normalized.scope),
+                login_type: loginType,
+                refresh_ttl_seconds: refreshTtlSeconds,
+                session_cookie: sessionCookie
+            }, { transaction });
         });
     }
     async get(query, opts) {
@@ -269,11 +262,11 @@ class SequelizeTokenStore extends base_js_1.TokenStore {
             where.client_id = params.clientId;
         }
         const updates = {};
-        if (params.accessToken !== undefined) {
-            updates.access = params.accessToken ?? null;
+        if (params.accessToken !== undefined && params.accessToken !== null) {
+            updates.access = params.accessToken;
         }
-        if (params.expires !== undefined) {
-            updates.expires = params.expires ?? null;
+        if (params.expires !== undefined && params.expires !== null) {
+            updates.expires = params.expires;
         }
         if (params.scope !== undefined) {
             updates.scope = this.encodeScope(params.scope);
@@ -311,11 +304,11 @@ class SequelizeTokenStore extends base_js_1.TokenStore {
         if (params.sessionCookie !== undefined) {
             updates.session_cookie = params.sessionCookie;
         }
-        if (params.issuedAt !== undefined) {
-            updates.issued_at = params.issuedAt ?? null;
+        if (params.issuedAt !== undefined && params.issuedAt !== null) {
+            updates.issued_at = params.issuedAt;
         }
-        if (params.lastSeenAt !== undefined) {
-            updates.last_seen_at = params.lastSeenAt ?? null;
+        if (params.lastSeenAt !== undefined && params.lastSeenAt !== null) {
+            updates.last_seen_at = params.lastSeenAt;
         }
         if (Object.keys(updates).length === 0) {
             return false;
@@ -352,41 +345,17 @@ class SequelizeTokenStore extends base_js_1.TokenStore {
         }
         return value;
     }
-    encodeStringArray(values) {
-        return JSON.stringify(values ?? []);
-    }
-    decodeStringArray(raw) {
-        if (!raw) {
-            return [];
-        }
-        try {
-            const parsed = JSON.parse(raw);
-            if (Array.isArray(parsed)) {
-                return parsed.filter((entry) => typeof entry === 'string' && entry.length > 0);
-            }
-        }
-        catch {
-            // ignore malformed values
-        }
-        return raw
-            .split(/\s+/)
-            .map((entry) => entry.trim())
-            .filter((entry) => entry.length > 0);
-    }
     encodeScope(scope) {
         if (!scope || (Array.isArray(scope) && scope.length === 0)) {
             return '[]';
         }
         if (Array.isArray(scope)) {
-            return this.encodeStringArray(scope);
+            return (0, sequelize_utils_js_1.encodeStringArray)(scope);
         }
-        return this.encodeStringArray(scope.split(/\s+/).filter((entry) => entry.length > 0));
-    }
-    decodeScope(raw) {
-        return this.decodeStringArray(raw);
+        return (0, sequelize_utils_js_1.encodeStringArray)(scope.split(/\s+/).filter((entry) => entry.length > 0));
     }
     toTokenRecord(model) {
-        const scope = this.decodeScope(model.scope);
+        const scope = (0, sequelize_utils_js_1.decodeStringArray)(model.scope);
         const normalized = this.normalizeToken({
             userId: model.user_id,
             refreshToken: model.refresh,

package/dist/cjs/token/types.d.ts

@@ -23,7 +23,7 @@ export interface Token {
     device?: string;
     ip?: string;
     os?: string;
-    scope?: string | string[];
+    scope?: string[];
     loginType?: string;
     refreshTtlSeconds?: number;
     sessionCookie?: boolean;

package/dist/cjs/user/base.d.ts

@@ -9,6 +9,7 @@ export declare abstract class UserStore<User, PublicUser> {
         bcryptRounds?: number;
         bcryptPepper?: string;
     });
+    private applyPepper;
     protected hashPassword(plain: string): Promise<string>;
     verifyPassword(plain: string, hashed: string): Promise<boolean>;
     protected normalizeUserInput(input: Partial<CreateUserInput>): CreateUserInput;

package/dist/cjs/user/base.js

@@ -4,6 +4,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.UserStore = void 0;
+const node_crypto_1 = require("node:crypto");
 const bcryptjs_1 = __importDefault(require("bcryptjs"));
 class UserStore {
     constructor(opts = {}) {
@@ -15,12 +16,18 @@ class UserStore {
         this.bcryptPepper =
             typeof opts.bcryptPepper === 'string' && opts.bcryptPepper.length > 0 ? opts.bcryptPepper : undefined;
     }
+    applyPepper(plain) {
+        if (!this.bcryptPepper) {
+            return plain;
+        }
+        return (0, node_crypto_1.createHmac)('sha256', this.bcryptPepper).update(plain).digest('hex');
+    }
     async hashPassword(plain) {
-        const candidate = this.bcryptPepper ? `${plain}${this.bcryptPepper}` : plain;
+        const candidate = this.applyPepper(plain);
         return bcryptjs_1.default.hash(candidate, this.bcryptRounds);
     }
     async verifyPassword(plain, hashed) {
-        const candidate = this.bcryptPepper ? `${plain}${this.bcryptPepper}` : plain;
+        const candidate = this.applyPepper(plain);
         return bcryptjs_1.default.compare(candidate, hashed);
     }
     normalizeUserInput(input) {
@@ -35,8 +42,8 @@ class UserStore {
     toPublic(user) {
         const mapped = this.toPublicUser(user);
         if (mapped && typeof mapped === 'object') {
-            const { password: _password, ...rest } = mapped;
-            void _password;
+            const rest = { ...mapped };
+            delete rest.password;
             return rest;
         }
         return mapped;

package/dist/cjs/user/memory.d.ts

@@ -14,12 +14,14 @@ export interface MemoryUserStoreOptions<UserAttributes extends MemoryUserAttribu
     toPublic?: PublicUserMapper<UserAttributes, PublicUserShape>;
     userIdFactory?: () => number;
     startingUserId?: number;
+    maxUsers?: number;
 }
 export declare class MemoryUserStore<UserAttributes extends MemoryUserAttributes = MemoryUserAttributes, PublicUserShape extends Omit<UserAttributes, 'password'> = Omit<UserAttributes, 'password'>> extends UserStore<UserAttributes, PublicUserShape> {
     private readonly usersById;
     private readonly loginToId;
     private readonly emailToId;
     private readonly userIdFactory;
+    private readonly maxUsers?;
     private nextUserId;
     constructor(options?: MemoryUserStoreOptions<UserAttributes, PublicUserShape>);
     findUser(identifier: AuthIdentifier | string): Promise<UserAttributes | null>;

package/dist/cjs/user/memory.js

@@ -6,7 +6,6 @@ const base_js_1 = require("./base.js");
 function cloneUser(user) {
     return { ...user };
 }
-const normalizeUserId = user_id_js_1.normalizeNumericUserId;
 class MemoryUserStore extends base_js_1.UserStore {
     constructor(options = {}) {
         super({
@@ -18,6 +17,10 @@ class MemoryUserStore extends base_js_1.UserStore {
         this.loginToId = new Map();
         this.emailToId = new Map();
         this.nextUserId = Number.isFinite(options.startingUserId) ? Number(options.startingUserId) : 1;
+        this.maxUsers =
+            typeof options.maxUsers === 'number' && Number.isFinite(options.maxUsers) && options.maxUsers > 0
+                ? Math.floor(options.maxUsers)
+                : undefined;
         this.userIdFactory =
             options.userIdFactory ??
                 (() => {
@@ -52,7 +55,7 @@ class MemoryUserStore extends base_js_1.UserStore {
     }
     async findById(id) {
         try {
-            const numeric = normalizeUserId(id);
+            const numeric = (0, user_id_js_1.normalizeNumericUserId)(id);
             const user = this.usersById.get(numeric);
             return user ? cloneUser(user) : null;
         }
@@ -70,6 +73,9 @@ class MemoryUserStore extends base_js_1.UserStore {
         if (this.usersById.has(userId)) {
             throw new Error(`User ${userId} already exists`);
         }
+        if (this.maxUsers !== undefined && this.usersById.size >= this.maxUsers) {
+            throw new Error('MemoryUserStore maxUsers limit reached');
+        }
         if (this.loginToId.has(normalizedInput.login)) {
             throw new Error(`User with login ${normalizedInput.login} already exists`);
         }

package/dist/cjs/user/sequelize.js

@@ -6,26 +6,11 @@ const sequelize_1 = require("sequelize");
 const user_id_js_1 = require("../auth-api/user-id.js");
 const sequelize_utils_js_1 = require("../sequelize-utils.js");
 const base_js_1 = require("./base.js");
-function integerIdType(sequelize) {
-    return sequelize_utils_js_1.DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? sequelize_1.DataTypes.INTEGER.UNSIGNED : sequelize_1.DataTypes.INTEGER;
-}
-function userTableOptions(sequelize, tablePrefix) {
-    const opts = {
-        sequelize,
-        tableName: (0, sequelize_utils_js_1.applyTablePrefix)(tablePrefix, 'users'),
-        timestamps: false
-    };
-    if (sequelize_utils_js_1.DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())) {
-        opts.charset = 'utf8mb4';
-        opts.collate = 'utf8mb4_unicode_ci';
-    }
-    return opts;
-}
 class AuthUserModel extends sequelize_1.Model {
 }
 exports.AuthUserModel = AuthUserModel;
 function initAuthUserModel(sequelize, options = {}) {
-    const idType = integerIdType(sequelize);
+    const idType = (0, sequelize_utils_js_1.integerIdType)(sequelize);
     AuthUserModel.init({
         user_id: {
             type: idType,
@@ -48,7 +33,7 @@ function initAuthUserModel(sequelize, options = {}) {
             allowNull: false
         }
     }, {
-        ...userTableOptions(sequelize, options.tablePrefix)
+        ...(0, sequelize_utils_js_1.tableOptions)(sequelize, 'users', options.tablePrefix, { timestamps: false })
     });
     return AuthUserModel;
 }
@@ -115,11 +100,16 @@ class SequelizeUserStore extends base_js_1.UserStore {
         if (providedId !== undefined && providedId !== null && Number.isFinite(providedId)) {
             defaults.user_id = Number(providedId);
         }
-        const [model] = await this.Users.findOrCreate({
-            where: { login: rest.login },
-            defaults: defaults
-        });
-        return this.toUserRecord(model);
+        try {
+            const model = await this.Users.create(defaults);
+            return this.toUserRecord(model);
+        }
+        catch (error) {
+            if (error instanceof sequelize_1.UniqueConstraintError) {
+                throw new Error(`User with login ${rest.login} or email ${rest.email} already exists`);
+            }
+            throw error;
+        }
     }
     async upsertUser(input) {
         const normalized = this.normalizeUserInput(input);

package/dist/esm/api-server-base.js

@@ -5,7 +5,7 @@
  * LICENSE file in the root directory of this source tree.
  */
 import { randomUUID } from 'node:crypto';
-import fs from 'node:fs';
+import { access, readFile } from 'node:fs/promises';
 import { createRequire } from 'node:module';
 import path from 'node:path';
 import cookieParser from 'cookie-parser';
@@ -14,6 +14,7 @@ import express from 'express';
 import multer from 'multer';
 import { nullAuthModule } from './auth-api/module.js';
 import { nullAuthAdapter } from './auth-api/storage.js';
+import { toOptionalStringId } from './auth-api/user-id.js';
 import { buildAuthCookieOptions } from './auth-cookie-options.js';
 import { TokenStore } from './token/base.js';
 class JwtHelperStore extends TokenStore {
@@ -267,7 +268,9 @@ function collectClientIpChain(req) {
     }
     const realIp = req.headers['x-real-ip'];
     if (Array.isArray(realIp)) {
-        realIp.forEach((value) => pushNormalized(normalizeIpAddress(value)));
+        for (const value of realIp) {
+            pushNormalized(normalizeIpAddress(value));
+        }
     }
     else if (typeof realIp === 'string') {
         pushNormalized(normalizeIpAddress(realIp));
@@ -421,6 +424,10 @@ export class ApiServer {
             this.canImpersonateAdapter = canImpersonate ?? null;
             this.storageAdapter = this.getServerAuthAdapter();
         }
+        if ((this.config.authApi || this.config.authStores) &&
+            (!this.config.accessSecret || !this.config.refreshSecret)) {
+            console.warn('[api-server-base] Auth is enabled but accessSecret and/or refreshSecret are empty. JWT signing will fail at runtime.');
+        }
         this.app = express();
         // Mount API modules and any custom endpoints under `apiBasePath` on this router so we can keep
         // the API 404 handler ordered last without relying on Express internals.
@@ -608,8 +615,8 @@ export class ApiServer {
     async getToken(query, opts) {
         const normalized = {
             ...query,
-            userId: query.userId !== undefined && query.userId !== null ? String(query.userId) : undefined,
-            ruid: query.ruid !== undefined && query.ruid !== null ? String(query.ruid) : undefined
+            userId: toOptionalStringId(query.userId),
+            ruid: toOptionalStringId(query.ruid)
         };
         if (this.tokenStoreAdapter) {
             return this.tokenStoreAdapter.get(normalized, opts);
@@ -623,8 +630,8 @@ export class ApiServer {
     async deleteToken(query) {
         const normalized = {
             ...query,
-            userId: query.userId !== undefined && query.userId !== null ? String(query.userId) : undefined,
-            ruid: query.ruid !== undefined && query.ruid !== null ? String(query.ruid) : undefined
+            userId: toOptionalStringId(query.userId),
+            ruid: toOptionalStringId(query.ruid)
         };
         if (this.tokenStoreAdapter) {
             return this.tokenStoreAdapter.delete(normalized);
@@ -787,7 +794,7 @@ export class ApiServer {
             res.status(200).json({ success: true, code: 200, message: 'Success', data: payload, errors: {} });
         });
     }
-    loadSwaggerSpec() {
+    async loadSwaggerSpec() {
         const candidates = [path.resolve(process.cwd(), 'docs/swagger/openapi.json')];
         if (typeof __dirname === 'string') {
             candidates.push(path.resolve(__dirname, '../../docs/swagger/openapi.json'));
@@ -802,11 +809,14 @@ export class ApiServer {
             // Ignore resolution failures; fall back to any existing candidate.
         }
         for (const candidate of candidates) {
-            if (!fs.existsSync(candidate)) {
+            try {
+                await access(candidate);
+            }
+            catch {
                 continue;
             }
             try {
-                const raw = fs.readFileSync(candidate, 'utf8');
+                const raw = await readFile(candidate, 'utf8');
                 return JSON.parse(raw);
             }
             catch {
@@ -824,12 +834,12 @@ export class ApiServer {
         const base = this.apiBasePath === '/' ? '' : this.apiBasePath;
         const resolved = rawPath.length > 0 ? rawPath : `${base}/swagger`;
         const path = resolved.startsWith('/') ? resolved : `/${resolved}`;
-        let specCache;
-        this.app.get(path, (_req, res) => {
-            if (specCache === undefined) {
-                specCache = this.loadSwaggerSpec();
+        let specPromise;
+        this.app.get(path, async (_req, res) => {
+            if (!specPromise) {
+                specPromise = this.loadSwaggerSpec();
             }
-            const spec = specCache;
+            const spec = await specPromise;
             if (!spec) {
                 res.status(500).json({
                     success: false,
@@ -1042,7 +1052,7 @@ export class ApiServer {
         let tokenData;
         let error;
         let expired = false;
-        if (!token || token === null) {
+        if (!token) {
             if (authType === 'maybe') {
                 if (!this.config.refreshMaybe) {
                     return null;
@@ -1195,9 +1205,6 @@ export class ApiServer {
         if (rawReal === null) {
             return effectiveUserId;
         }
-        if (typeof rawReal === 'number' && rawReal === 0) {
-            return effectiveUserId;
-        }
         return rawReal;
     }
     useExpress(pathOrHandler, ...handlers) {
@@ -1421,9 +1428,29 @@ export class ApiServer {
         console.log('URL:', url);
         console.log('Method:', req.method);
         console.log('Query Params:', req.query || {});
-        console.log('Body Params:', req.body || {});
-        console.log('Cookies:', req.cookies || {});
-        console.log('Headers:', req.headers);
+        const sensitiveBodyKeys = ['password', 'client_secret', 'clientSecret', 'secret'];
+        const body = req.body && typeof req.body === 'object' ? { ...req.body } : req.body;
+        if (body && typeof body === 'object') {
+            for (const key of sensitiveBodyKeys) {
+                if (key in body) {
+                    body[key] = '[REDACTED]';
+                }
+            }
+        }
+        console.log('Body Params:', body || {});
+        const cookies = req.cookies ? { ...req.cookies } : {};
+        const sensitiveCookieKeys = [this.config.accessCookie, this.config.refreshCookie];
+        for (const key of sensitiveCookieKeys) {
+            if (key in cookies) {
+                cookies[key] = '[REDACTED]';
+            }
+        }
+        console.log('Cookies:', cookies);
+        const headers = { ...req.headers };
+        if (headers.authorization) {
+            headers.authorization = '[REDACTED]';
+        }
+        console.log('Headers:', headers);
         console.log('------------------------');
     }
     formatDebugValue(value, maxLength = 50, seen = new WeakSet()) {

package/dist/esm/auth-api/auth-module.js

@@ -155,6 +155,9 @@ class AuthModule extends BaseAuthModule {
             return candidate ? {} : { sessionCookie: true, refreshTtlSeconds: this.sessionRefreshTtlSeconds() };
         }
         if (typeof candidate === 'number') {
+            if (candidate === 0) {
+                return { sessionCookie: true, refreshTtlSeconds: this.sessionRefreshTtlSeconds() };
+            }
             const ttl = this.normalizeRefreshTtlSeconds(candidate);
             return ttl ? { sessionCookie: false, refreshTtlSeconds: ttl } : {};
         }
@@ -447,20 +450,12 @@ class AuthModule extends BaseAuthModule {
         this.assertAuthReady();
         const { login, password, ...metadata } = this.parseLoginBody(apiReq);
         const user = await this.storage.getUser(login);
-        if (!user) {
+        const hash = user ? this.storage.getUserPasswordHash(user) : '';
+        const verified = user ? await this.storage.verifyPassword(password, hash) : false;
+        if (!user || !verified) {
             throw new ApiError({
                 code: 400,
-                message: 'Invalid credentials',
-                errors: { login: 'Unknown user' }
-            });
-        }
-        const hash = this.storage.getUserPasswordHash(user);
-        const verified = await this.storage.verifyPassword(password, hash);
-        if (!verified) {
-            throw new ApiError({
-                code: 400,
-                message: 'Invalid credentials',
-                errors: { password: 'Wrong password' }
+                message: 'Invalid credentials'
             });
         }
         const pair = await this.issueTokens(apiReq, user, metadata);
@@ -502,6 +497,7 @@ class AuthModule extends BaseAuthModule {
             refreshTtlSeconds: sessionPrefs.refreshTtlSeconds ?? stored.refreshTtlSeconds,
             sessionCookie: sessionPrefs.sessionCookie ?? stored.sessionCookie
         };
+        await this.storage.deleteToken({ refreshToken: providedToken });
         const pair = await this.issueTokens(apiReq, user, metadata);
         const publicUser = this.storage.filterUser(user);
         return [200, { ...pair, user: publicUser }];
@@ -911,7 +907,7 @@ class AuthModule extends BaseAuthModule {
                 }
             }
         }
-        else if (!clientSecretProvided && client.clientSecret) {
+        else if (!clientSecretProvided && (client.hasSecret ?? Boolean(client.clientSecret))) {
             throw new ApiError({ code: 400, message: 'Client authentication required when no PKCE challenge present' });
         }
         const user = await this.getUserOrThrow(record.userId, 'User not found');
@@ -946,6 +942,7 @@ class AuthModule extends BaseAuthModule {
             throw new ApiError({ code: 400, message: 'Refresh token issued to another client' });
         }
         const user = await this.getUserOrThrow(stored.userId ?? verify.data.uid, 'User not found');
+        await this.storage.deleteToken({ refreshToken });
         const tokens = await this.issueTokens(apiReq, user, {
             clientId: client.clientId,
             scope: stored.scope,
@@ -954,11 +951,7 @@ class AuthModule extends BaseAuthModule {
             loginType: stored.loginType ?? 'oauth'
         });
         this.clearOAuthCookies(apiReq);
-        const scope = Array.isArray(stored.scope)
-            ? stored.scope
-            : typeof stored.scope === 'string'
-                ? stored.scope.split(/\s+/).filter((entry) => entry.length > 0)
-                : [];
+        const scope = Array.isArray(stored.scope) ? stored.scope : [];
         return [200, this.buildTokenResponse(tokens, client, scope)];
     }
     clearOAuthCookies(apiReq) {
@@ -1021,7 +1014,7 @@ class AuthModule extends BaseAuthModule {
         if (!client) {
             throw new ApiError({ code: 400, message: 'Unknown client_id' });
         }
-        const requiresSecret = !!client.clientSecret;
+        const requiresSecret = client.hasSecret ?? Boolean(client.clientSecret);
         if (requiresSecret) {
             if (!secretProvided) {
                 throw new ApiError({ code: 400, message: 'Client authentication is required' });
@@ -1057,17 +1050,10 @@ class AuthModule extends BaseAuthModule {
         const password = toStringOrNull(body.password);
         if (login && password) {
             const user = await this.storage.getUser(login);
-            if (!user) {
-                throw new ApiError({ code: 400, message: 'Invalid credentials', errors: { login: 'Unknown user' } });
-            }
-            const hash = this.storage.getUserPasswordHash(user);
-            const verified = await this.storage.verifyPassword(password, hash);
-            if (!verified) {
-                throw new ApiError({
-                    code: 400,
-                    message: 'Invalid credentials',
-                    errors: { password: 'Wrong password' }
-                });
+            const hash = user ? this.storage.getUserPasswordHash(user) : '';
+            const verified = user ? await this.storage.verifyPassword(password, hash) : false;
+            if (!user || !verified) {
+                throw new ApiError({ code: 400, message: 'Invalid credentials' });
             }
             return user;
         }

package/dist/esm/auth-api/mem-auth-store.js

@@ -4,6 +4,7 @@ import { MemoryPasskeyStore } from '../passkey/memory.js';
 import { MemoryTokenStore } from '../token/memory.js';
 import { MemoryUserStore } from '../user/memory.js';
 import { CompositeAuthAdapter } from './compat-auth-storage.js';
+import { toOptionalStringId } from './user-id.js';
 export class MemAuthStore {
     constructor(params = {}) {
         this.userStore = new MemoryUserStore({
@@ -70,16 +71,16 @@ export class MemAuthStore {
     async getToken(query, opts) {
         const normalized = {
             ...query,
-            userId: query.userId !== undefined && query.userId !== null ? String(query.userId) : undefined,
-            ruid: query.ruid !== undefined && query.ruid !== null ? String(query.ruid) : undefined
+            userId: toOptionalStringId(query.userId),
+            ruid: toOptionalStringId(query.ruid)
         };
         return this.adapter.getToken(normalized, opts);
     }
     async deleteToken(query) {
         const normalized = {
             ...query,
-            userId: query.userId !== undefined && query.userId !== null ? String(query.userId) : undefined,
-            ruid: query.ruid !== undefined && query.ruid !== null ? String(query.ruid) : undefined
+            userId: toOptionalStringId(query.userId),
+            ruid: toOptionalStringId(query.ruid)
         };
         return this.adapter.deleteToken(normalized);
     }