@technomoron/api-server-base 2.0.0-beta.19 → 2.0.0-beta.20

package/dist/esm/auth-api/sql-auth-store.js

@@ -5,6 +5,7 @@ import { normalizeTablePrefix } from '../sequelize-utils.js';
 import { SequelizeTokenStore } from '../token/sequelize.js';
 import { SequelizeUserStore } from '../user/sequelize.js';
 import { CompositeAuthAdapter } from './compat-auth-storage.js';
+import { toOptionalStringId } from './user-id.js';
 function resolveTablePrefix(...prefixes) {
     for (const prefix of prefixes) {
         const normalized = normalizeTablePrefix(prefix);
@@ -103,6 +104,7 @@ export class SqlAuthStore {
             }
         }
         finally {
+            // Prevent double-close errors when the same Sequelize instance is shared with other code.
             this.sequelize.close = async () => { };
         }
     }
@@ -127,16 +129,16 @@ export class SqlAuthStore {
     async getToken(query, opts) {
         const normalized = {
             ...query,
-            userId: query.userId !== undefined && query.userId !== null ? String(query.userId) : undefined,
-            ruid: query.ruid !== undefined && query.ruid !== null ? String(query.ruid) : undefined
+            userId: toOptionalStringId(query.userId),
+            ruid: toOptionalStringId(query.ruid)
         };
         return this.adapter.getToken(normalized, opts);
     }
     async deleteToken(query) {
         const normalized = {
             ...query,
-            userId: query.userId !== undefined && query.userId !== null ? String(query.userId) : undefined,
-            ruid: query.ruid !== undefined && query.ruid !== null ? String(query.ruid) : undefined
+            userId: toOptionalStringId(query.userId),
+            ruid: toOptionalStringId(query.ruid)
         };
         return this.adapter.deleteToken(normalized);
     }

package/dist/esm/auth-api/user-id.d.ts

@@ -2,3 +2,4 @@ import type { AuthIdentifier } from './types.js';
 export declare function normalizeComparableUserId(identifier: AuthIdentifier): string;
 export declare function normalizeNumericUserId(identifier: AuthIdentifier): number;
 export declare function normalizeStringUserId(identifier: AuthIdentifier): string;
+export declare function toOptionalStringId(value: AuthIdentifier | undefined | null): string | undefined;

package/dist/esm/auth-api/user-id.js

@@ -24,3 +24,9 @@ export function normalizeNumericUserId(identifier) {
 export function normalizeStringUserId(identifier) {
     return normalizeComparableUserId(identifier);
 }
+export function toOptionalStringId(value) {
+    if (value === undefined || value === null) {
+        return undefined;
+    }
+    return String(value);
+}

package/dist/esm/auth-cookie-options.js

@@ -28,7 +28,16 @@ export function buildAuthCookieOptions(config, req) {
     const forwardedProto = firstHeaderValue(req.headers['x-forwarded-proto']).split(',')[0].trim().toLowerCase();
     const isHttps = forwardedProto === 'https' || req.protocol === 'https';
     const origin = firstHeaderValue(req.headers.origin ?? req.headers.referer);
-    const secure = config.cookieSecure === true ? true : config.cookieSecure === false ? false : /* auto */ Boolean(isHttps);
+    let secure;
+    if (config.cookieSecure === true) {
+        secure = true;
+    }
+    else if (config.cookieSecure === false) {
+        secure = false;
+    }
+    else {
+        secure = isHttps;
+    }
     let sameSite = config.cookieSameSite ?? 'lax';
     if (sameSite !== 'lax' && sameSite !== 'strict' && sameSite !== 'none') {
         sameSite = 'lax';

package/dist/esm/oauth/memory.d.ts

@@ -1,11 +1,15 @@
 import { OAuthStore, type AuthCode, type OAuthClient } from './base.js';
 export interface MemoryOAuthStoreOptions {
     bcryptRounds?: number;
+    maxClients?: number;
+    maxAuthCodes?: number;
 }
 export declare class MemoryOAuthStore extends OAuthStore {
     private readonly clients;
     private readonly codes;
     private readonly bcryptRounds;
+    private readonly maxClients?;
+    private readonly maxAuthCodes?;
     constructor(options?: MemoryOAuthStoreOptions);
     getClient(clientId: string): Promise<OAuthClient | null>;
     createClient(input: OAuthClient): Promise<OAuthClient>;
@@ -13,4 +17,6 @@ export declare class MemoryOAuthStore extends OAuthStore {
     createAuthCode(code: AuthCode): Promise<void>;
     consumeAuthCode(code: string): Promise<AuthCode | null>;
     close(): Promise<void>;
+    private enforceClientCapacity;
+    private enforceCodeCapacity;
 }

package/dist/esm/oauth/memory.js

@@ -1,5 +1,5 @@
 import bcrypt from 'bcryptjs';
-import { normalizeNumericUserId } from '../auth-api/user-id.js';
+import { normalizeComparableUserId } from '../auth-api/user-id.js';
 import { OAuthStore } from './base.js';
 function cloneClient(client) {
     if (!client) {
@@ -7,8 +7,7 @@ function cloneClient(client) {
     }
     return {
         clientId: client.clientId,
-        // clientSecret is stored hashed; do not return the hash.
-        clientSecret: client.clientSecret ? '__stored__' : undefined,
+        hasSecret: Boolean(client.clientSecret),
         name: client.name,
         redirectUris: [...client.redirectUris],
         scope: client.scope ? [...client.scope] : undefined,
@@ -19,18 +18,28 @@ function cloneClient(client) {
 function cloneCode(code) {
     return {
         ...code,
+        userId: normalizeComparableUserId(code.userId),
         scope: code.scope ? [...code.scope] : undefined,
         expiresAt: new Date(code.expiresAt),
         metadata: code.metadata ? { ...code.metadata } : undefined
     };
 }
-const normalizeUserId = normalizeNumericUserId;
 export class MemoryOAuthStore extends OAuthStore {
     constructor(options = {}) {
         super();
         this.clients = new Map();
         this.codes = new Map();
         this.bcryptRounds = options.bcryptRounds ?? 12;
+        this.maxClients =
+            typeof options.maxClients === 'number' && Number.isFinite(options.maxClients) && options.maxClients > 0
+                ? Math.floor(options.maxClients)
+                : undefined;
+        this.maxAuthCodes =
+            typeof options.maxAuthCodes === 'number' &&
+                Number.isFinite(options.maxAuthCodes) &&
+                options.maxAuthCodes > 0
+                ? Math.floor(options.maxAuthCodes)
+                : undefined;
     }
     async getClient(clientId) {
         return cloneClient(this.clients.get(clientId));
@@ -47,6 +56,7 @@ export class MemoryOAuthStore extends OAuthStore {
             firstParty: input.firstParty
         };
         this.clients.set(stored.clientId, stored);
+        this.enforceClientCapacity();
         return cloneClient(stored);
     }
     async verifyClientSecret(clientId, secret) {
@@ -65,22 +75,51 @@ export class MemoryOAuthStore extends OAuthStore {
     async createAuthCode(code) {
         const record = {
             ...code,
-            userId: normalizeUserId(code.userId),
+            userId: normalizeComparableUserId(code.userId),
             scope: code.scope ? [...code.scope] : undefined,
             expiresAt: code.expiresAt,
             metadata: code.metadata ? { ...code.metadata } : undefined
         };
         this.codes.set(record.code, record);
+        this.enforceCodeCapacity();
     }
     async consumeAuthCode(code) {
         const record = this.codes.get(code);
         if (!record) {
             return null;
         }
+        if (record.expiresAt.getTime() <= Date.now()) {
+            this.codes.delete(code);
+            return null;
+        }
         this.codes.delete(code);
         return cloneCode(record);
     }
     async close() {
         return;
     }
+    enforceClientCapacity() {
+        if (!this.maxClients) {
+            return;
+        }
+        while (this.clients.size > this.maxClients) {
+            const oldest = this.clients.keys().next().value;
+            if (!oldest) {
+                return;
+            }
+            this.clients.delete(oldest);
+        }
+    }
+    enforceCodeCapacity() {
+        if (!this.maxAuthCodes) {
+            return;
+        }
+        while (this.codes.size > this.maxAuthCodes) {
+            const oldest = this.codes.keys().next().value;
+            if (!oldest) {
+                return;
+            }
+            this.codes.delete(oldest);
+        }
+    }
 }

package/dist/esm/oauth/models.d.ts

@@ -1,4 +1,5 @@
 import { Model, type Optional, type Sequelize } from 'sequelize';
+export { integerIdType, tableOptions } from '../sequelize-utils.js';
 export interface OAuthClientAttributes {
     client_id: string;
     client_secret: string;

package/dist/esm/oauth/models.js

@@ -1,19 +1,6 @@
 import { DataTypes, Model } from 'sequelize';
-import { DIALECTS_SUPPORTING_UNSIGNED, applyTablePrefix } from '../sequelize-utils.js';
-function integerIdType(sequelize) {
-    return DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? DataTypes.INTEGER.UNSIGNED : DataTypes.INTEGER;
-}
-function tableOptions(sequelize, tableName, tablePrefix, extra) {
-    const opts = { sequelize, tableName: applyTablePrefix(tablePrefix, tableName) };
-    if (extra) {
-        Object.assign(opts, extra);
-    }
-    if (DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())) {
-        opts.charset = 'utf8mb4';
-        opts.collate = 'utf8mb4_unicode_ci';
-    }
-    return opts;
-}
+import { integerIdType, tableOptions } from '../sequelize-utils.js';
+export { integerIdType, tableOptions } from '../sequelize-utils.js';
 export class OAuthClientModel extends Model {
 }
 export function initOAuthClientModel(sequelize, options = {}) {

package/dist/esm/oauth/sequelize.d.ts

@@ -1,66 +1,19 @@
-import { Model, type Optional, type Sequelize } from 'sequelize';
 import { OAuthStore, type AuthCode, type OAuthClient } from './base.js';
-export interface OAuthClientAttributes {
-    client_id: string;
-    client_secret: string;
-    name: string | null;
-    redirect_uris: string;
-    scope: string;
-    metadata: string | null;
-    first_party: boolean;
-}
-export type OAuthClientCreationAttributes = Optional<OAuthClientAttributes, 'client_secret' | 'name' | 'scope' | 'metadata' | 'first_party'>;
-export declare class OAuthClientModel extends Model<OAuthClientAttributes, OAuthClientCreationAttributes> implements OAuthClientAttributes {
-    client_id: string;
-    client_secret: string;
-    name: string | null;
-    redirect_uris: string;
-    scope: string;
-    metadata: string | null;
-    first_party: boolean;
-}
-export declare function initOAuthClientModel(sequelize: Sequelize, options?: {
-    tablePrefix?: string;
-}): typeof OAuthClientModel;
-export interface OAuthCodeAttributes {
-    code: string;
-    client_id: string;
-    user_id: number;
-    redirect_uri: string;
-    scope: string;
-    code_challenge: string | null;
-    code_challenge_method: 'plain' | 'S256' | null;
-    expires: Date;
-    metadata: string | null;
-}
-export type OAuthCodeCreationAttributes = Optional<OAuthCodeAttributes, 'code_challenge' | 'code_challenge_method' | 'metadata'>;
-export declare class OAuthCodeModel extends Model<OAuthCodeAttributes, OAuthCodeCreationAttributes> implements OAuthCodeAttributes {
-    code: string;
-    client_id: string;
-    user_id: number;
-    redirect_uri: string;
-    scope: string;
-    code_challenge: string | null;
-    code_challenge_method: 'plain' | 'S256' | null;
-    expires: Date;
-    metadata: string | null;
-}
-export declare function initOAuthCodeModel(sequelize: Sequelize, options?: {
-    tablePrefix?: string;
-}): typeof OAuthCodeModel;
+import { OAuthClientModel, OAuthCodeModel } from './models.js';
 export interface SequelizeOAuthStoreOptions {
-    sequelize: Sequelize;
+    sequelize: import('sequelize').Sequelize;
     tablePrefix?: string;
     clientModel?: typeof OAuthClientModel;
     codeModel?: typeof OAuthCodeModel;
-    clientModelFactory?: (sequelize: Sequelize, options?: {
+    clientModelFactory?: (sequelize: import('sequelize').Sequelize, options?: {
         tablePrefix?: string;
     }) => typeof OAuthClientModel;
-    codeModelFactory?: (sequelize: Sequelize, options?: {
+    codeModelFactory?: (sequelize: import('sequelize').Sequelize, options?: {
         tablePrefix?: string;
     }) => typeof OAuthCodeModel;
     bcryptRounds?: number;
 }
+export { OAuthClientModel, OAuthCodeModel, initOAuthClientModel, initOAuthCodeModel, type OAuthClientAttributes, type OAuthClientCreationAttributes, type OAuthCodeAttributes, type OAuthCodeCreationAttributes } from './models.js';
 export declare class SequelizeOAuthStore extends OAuthStore {
     private readonly clients;
     private readonly codes;

package/dist/esm/oauth/sequelize.js

@@ -1,74 +1,10 @@
 import bcrypt from 'bcryptjs';
-import { DataTypes, Model } from 'sequelize';
+import { Transaction } from 'sequelize';
 import { normalizeNumericUserId } from '../auth-api/user-id.js';
-import { DIALECTS_SUPPORTING_UNSIGNED, applyTablePrefix } from '../sequelize-utils.js';
+import { decodeStringArray, encodeStringArray } from '../sequelize-utils.js';
 import { OAuthStore } from './base.js';
-function integerIdType(sequelize) {
-    return DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? DataTypes.INTEGER.UNSIGNED : DataTypes.INTEGER;
-}
-function tableOptions(sequelize, tableName, tablePrefix, extra) {
-    const opts = { sequelize, tableName: applyTablePrefix(tablePrefix, tableName) };
-    if (extra) {
-        Object.assign(opts, extra);
-    }
-    if (DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())) {
-        opts.charset = 'utf8mb4';
-        opts.collate = 'utf8mb4_unicode_ci';
-    }
-    return opts;
-}
-export class OAuthClientModel extends Model {
-}
-export function initOAuthClientModel(sequelize, options = {}) {
-    OAuthClientModel.init({
-        client_id: { type: DataTypes.STRING(128), allowNull: false, primaryKey: true },
-        client_secret: { type: DataTypes.STRING(255), allowNull: false, defaultValue: '' },
-        name: { type: DataTypes.STRING(128), allowNull: true, defaultValue: null },
-        redirect_uris: { type: DataTypes.TEXT, allowNull: false, defaultValue: '[]' },
-        scope: { type: DataTypes.TEXT, allowNull: false, defaultValue: '[]' },
-        metadata: { type: DataTypes.TEXT, allowNull: true, defaultValue: null },
-        first_party: { type: DataTypes.BOOLEAN, allowNull: false, defaultValue: false }
-    }, tableOptions(sequelize, 'oauth_clients', options.tablePrefix, { timestamps: false }));
-    return OAuthClientModel;
-}
-export class OAuthCodeModel extends Model {
-}
-export function initOAuthCodeModel(sequelize, options = {}) {
-    const idType = integerIdType(sequelize);
-    OAuthCodeModel.init({
-        code: { type: DataTypes.STRING(128), allowNull: false, primaryKey: true },
-        client_id: { type: DataTypes.STRING(128), allowNull: false },
-        user_id: { type: idType, allowNull: false },
-        redirect_uri: { type: DataTypes.TEXT, allowNull: false },
-        scope: { type: DataTypes.TEXT, allowNull: false, defaultValue: '[]' },
-        code_challenge: { type: DataTypes.STRING(255), allowNull: true, defaultValue: null },
-        code_challenge_method: { type: DataTypes.STRING(10), allowNull: true, defaultValue: null },
-        expires: { type: DataTypes.DATE, allowNull: false },
-        metadata: { type: DataTypes.TEXT, allowNull: true, defaultValue: null }
-    }, tableOptions(sequelize, 'oauth_codes', options.tablePrefix, { timestamps: false }));
-    return OAuthCodeModel;
-}
-function encodeStringArray(values) {
-    return JSON.stringify(values ?? []);
-}
-function decodeStringArray(raw) {
-    if (!raw) {
-        return [];
-    }
-    try {
-        const parsed = JSON.parse(raw);
-        if (Array.isArray(parsed)) {
-            return parsed.filter((entry) => typeof entry === 'string' && entry.length > 0);
-        }
-    }
-    catch {
-        // ignore malformed values
-    }
-    return raw
-        .split(/\s+/)
-        .map((entry) => entry.trim())
-        .filter((entry) => entry.length > 0);
-}
+import { initOAuthClientModel, initOAuthCodeModel } from './models.js';
+export { OAuthClientModel, OAuthCodeModel, initOAuthClientModel, initOAuthCodeModel } from './models.js';
 function serializeMetadata(metadata) {
     if (!metadata) {
         return null;
@@ -90,9 +26,6 @@ function parseMetadata(raw) {
     }
     return undefined;
 }
-function normalizeUserId(identifier) {
-    return normalizeNumericUserId(identifier);
-}
 export class SequelizeOAuthStore extends OAuthStore {
     constructor(options) {
         super();
@@ -155,7 +88,7 @@ export class SequelizeOAuthStore extends OAuthStore {
         await this.codes.create({
             code: code.code,
             client_id: code.clientId,
-            user_id: normalizeUserId(code.userId),
+            user_id: normalizeNumericUserId(code.userId),
             redirect_uri: code.redirectUri ?? '',
             scope: encodeStringArray(code.scope),
             code_challenge: code.codeChallenge ?? null,
@@ -165,12 +98,21 @@ export class SequelizeOAuthStore extends OAuthStore {
         });
     }
     async consumeAuthCode(code) {
-        const model = await this.codes.findByPk(code);
-        if (!model) {
-            return null;
+        const sequelize = this.codes.sequelize;
+        if (!sequelize) {
+            throw new Error('Code model is not bound to a Sequelize instance');
         }
-        await model.destroy();
-        return this.toAuthCode(model);
+        return sequelize.transaction({ isolationLevel: Transaction.ISOLATION_LEVELS.READ_COMMITTED }, async (transaction) => {
+            const model = await this.codes.findByPk(code, { transaction, lock: true });
+            if (!model) {
+                return null;
+            }
+            await model.destroy({ transaction });
+            if (model.expires.getTime() <= Date.now()) {
+                return null;
+            }
+            return this.toAuthCode(model);
+        });
     }
     async close() {
         return;
@@ -178,8 +120,7 @@ export class SequelizeOAuthStore extends OAuthStore {
     toOAuthClient(model) {
         return {
             clientId: model.client_id,
-            // client_secret is stored hashed; do not return the hash.
-            clientSecret: model.client_secret ? '__stored__' : undefined,
+            hasSecret: Boolean(model.client_secret),
             name: model.name ?? undefined,
             redirectUris: decodeStringArray(model.redirect_uris),
             scope: decodeStringArray(model.scope),
@@ -191,7 +132,7 @@ export class SequelizeOAuthStore extends OAuthStore {
         return {
             code: model.code,
             clientId: model.client_id,
-            userId: model.user_id,
+            userId: String(model.user_id),
             redirectUri: model.redirect_uri,
             scope: decodeStringArray(model.scope),
             codeChallenge: model.code_challenge ?? undefined,

package/dist/esm/oauth/types.d.ts

@@ -2,6 +2,7 @@ import type { AuthIdentifier } from '../auth-api/types.js';
 export interface OAuthClient {
     clientId: string;
     clientSecret?: string;
+    hasSecret?: boolean;
     firstParty?: boolean;
     metadata?: Record<string, unknown>;
     name?: string;

package/dist/esm/passkey/base.d.ts

@@ -11,6 +11,7 @@ export declare abstract class PasskeyStore implements PasskeyStorageAdapter {
     abstract saveCredential(record: StoredPasskeyCredential): Promise<void>;
     abstract updateCredentialCounter(credentialId: Buffer, counter: number): Promise<void>;
     abstract saveChallenge(record: PasskeyChallengeRecord): Promise<void>;
+    abstract getChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
     abstract consumeChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
     abstract cleanupChallenges(now: Date): Promise<void>;
 }

package/dist/esm/passkey/memory.d.ts

@@ -6,11 +6,15 @@ export interface MemoryPasskeyStoreOptions {
         userId?: AuthIdentifier;
         login?: string;
     }) => Promise<PasskeyUserDescriptor | null>;
+    maxCredentials?: number;
+    maxChallenges?: number;
 }
 export declare class MemoryPasskeyStore extends PasskeyStore {
     private readonly resolveUserFn;
     private readonly credentials;
     private readonly challenges;
+    private readonly maxCredentials?;
+    private readonly maxChallenges?;
     constructor(options: MemoryPasskeyStoreOptions);
     resolveUser(params: {
         userId?: AuthIdentifier;
@@ -22,6 +26,9 @@ export declare class MemoryPasskeyStore extends PasskeyStore {
     saveCredential(record: StoredPasskeyCredential): Promise<void>;
     updateCredentialCounter(credentialId: Buffer, counter: number): Promise<void>;
     saveChallenge(record: PasskeyChallengeRecord): Promise<void>;
+    getChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
     consumeChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
     cleanupChallenges(now: Date): Promise<void>;
+    private enforceCredentialCapacity;
+    private enforceChallengeCapacity;
 }

package/dist/esm/passkey/memory.js

@@ -3,11 +3,11 @@ import { PasskeyStore } from './base.js';
 function encodeCredentialId(value) {
     return Buffer.isBuffer(value) ? value.toString('base64') : value;
 }
-const normalizeUserId = normalizeComparableUserId;
 function cloneCredential(record) {
     return {
         ...record,
         credentialId: Buffer.isBuffer(record.credentialId) ? Buffer.from(record.credentialId) : record.credentialId,
+        publicKey: Buffer.from(record.publicKey),
         transports: record.transports ? [...record.transports] : undefined
     };
 }
@@ -17,14 +17,26 @@ export class MemoryPasskeyStore extends PasskeyStore {
         this.credentials = new Map();
         this.challenges = new Map();
         this.resolveUserFn = options.resolveUser;
+        this.maxCredentials =
+            typeof options.maxCredentials === 'number' &&
+                Number.isFinite(options.maxCredentials) &&
+                options.maxCredentials > 0
+                ? Math.floor(options.maxCredentials)
+                : undefined;
+        this.maxChallenges =
+            typeof options.maxChallenges === 'number' &&
+                Number.isFinite(options.maxChallenges) &&
+                options.maxChallenges > 0
+                ? Math.floor(options.maxChallenges)
+                : undefined;
     }
     async resolveUser(params) {
         return this.resolveUserFn(params);
     }
     async listUserCredentials(userId) {
-        const normalizedUserId = normalizeUserId(userId);
+        const normalizedUserId = normalizeComparableUserId(userId);
         return [...this.credentials.values()]
-            .filter((record) => normalizeUserId(record.userId) === normalizedUserId)
+            .filter((record) => normalizeComparableUserId(record.userId) === normalizedUserId)
             .map((record) => cloneCredential(record));
     }
     async deleteCredential(credentialId) {
@@ -38,10 +50,11 @@ export class MemoryPasskeyStore extends PasskeyStore {
     async saveCredential(record) {
         this.credentials.set(encodeCredentialId(record.credentialId), {
             ...record,
-            userId: normalizeUserId(record.userId),
+            userId: normalizeComparableUserId(record.userId),
             credentialId: Buffer.isBuffer(record.credentialId) ? Buffer.from(record.credentialId) : record.credentialId,
             transports: record.transports ? [...record.transports] : undefined
         });
+        this.enforceCredentialCapacity();
     }
     async updateCredentialCounter(credentialId, counter) {
         const key = encodeCredentialId(credentialId);
@@ -54,10 +67,15 @@ export class MemoryPasskeyStore extends PasskeyStore {
         this.challenges.set(record.challenge, {
             challenge: record.challenge,
             action: record.action,
-            userId: record.userId !== undefined ? normalizeUserId(record.userId) : undefined,
+            userId: record.userId !== undefined ? normalizeComparableUserId(record.userId) : undefined,
             login: record.login ?? undefined,
             expiresAt: record.expiresAt
         });
+        this.enforceChallengeCapacity();
+    }
+    async getChallenge(challenge) {
+        const record = this.challenges.get(challenge);
+        return record ? { ...record } : null;
     }
     async consumeChallenge(challenge) {
         const record = this.challenges.get(challenge);
@@ -74,4 +92,28 @@ export class MemoryPasskeyStore extends PasskeyStore {
             }
         }
     }
+    enforceCredentialCapacity() {
+        if (!this.maxCredentials) {
+            return;
+        }
+        while (this.credentials.size > this.maxCredentials) {
+            const oldest = this.credentials.keys().next().value;
+            if (!oldest) {
+                return;
+            }
+            this.credentials.delete(oldest);
+        }
+    }
+    enforceChallengeCapacity() {
+        if (!this.maxChallenges) {
+            return;
+        }
+        while (this.challenges.size > this.maxChallenges) {
+            const oldest = this.challenges.keys().next().value;
+            if (!oldest) {
+                return;
+            }
+            this.challenges.delete(oldest);
+        }
+    }
 }

package/dist/esm/passkey/models.js

@@ -1,8 +1,5 @@
 import { DataTypes, Model } from 'sequelize';
-import { DIALECTS_SUPPORTING_UNSIGNED, applyTablePrefix } from '../sequelize-utils.js';
-function integerIdType(sequelize) {
-    return DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? DataTypes.INTEGER.UNSIGNED : DataTypes.INTEGER;
-}
+import { applyTablePrefix, integerIdType } from '../sequelize-utils.js';
 export class PasskeyCredentialModel extends Model {
 }
 export class PasskeyChallengeModel extends Model {

package/dist/esm/passkey/sequelize.d.ts

@@ -1,34 +1,8 @@
-import { Model, type InferAttributes, type InferCreationAttributes, type ModelStatic, type Sequelize } from 'sequelize';
+import { type ModelStatic, type Sequelize } from 'sequelize';
 import { PasskeyStore } from './base.js';
+import { PasskeyChallengeModel, PasskeyCredentialModel } from './models.js';
 import type { PasskeyChallengeRecord, PasskeyUserDescriptor, StoredPasskeyCredential } from './types.js';
 import type { AuthIdentifier } from '../auth-api/types.js';
-declare class PasskeyCredentialModel extends Model<InferAttributes<PasskeyCredentialModel>, InferCreationAttributes<PasskeyCredentialModel>> {
-    credentialId: Buffer;
-    userId: number;
-    publicKey: Buffer;
-    counter: number;
-    transports: string[] | null;
-    backedUp: boolean;
-    deviceType: string;
-    label: string | null;
-    createdDomain: string | null;
-    createdUserAgent: string | null;
-    createdBrowser: string | null;
-    createdOs: string | null;
-    createdDevice: string | null;
-    createdIp: string | null;
-    createdAt?: Date;
-    updatedAt?: Date;
-}
-declare class PasskeyChallengeModel extends Model<InferAttributes<PasskeyChallengeModel>, InferCreationAttributes<PasskeyChallengeModel>> {
-    challenge: string;
-    action: 'register' | 'authenticate';
-    userId: number | null;
-    login: string | null;
-    expiresAt: Date;
-    createdAt?: Date;
-    updatedAt?: Date;
-}
 export interface SequelizePasskeyStoreOptions {
     sequelize: Sequelize;
     tablePrefix?: string;
@@ -60,7 +34,9 @@ export declare class SequelizePasskeyStore extends PasskeyStore {
     saveCredential(record: StoredPasskeyCredential): Promise<void>;
     updateCredentialCounter(credentialId: Buffer, counter: number): Promise<void>;
     saveChallenge(record: PasskeyChallengeRecord): Promise<void>;
+    getChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
     consumeChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
     cleanupChallenges(now: Date): Promise<void>;
+    private toChallengeRecord;
+    private toStoredCredential;
 }
-export {};