@technomoron/api-server-base 2.0.0-beta.19 → 2.0.0-beta.20

package/dist/esm/token/sequelize.js

@@ -1,21 +1,9 @@
 import { DataTypes, Model, Op } from 'sequelize';
 import { normalizeStringUserId } from '../auth-api/user-id.js';
-import { DIALECTS_SUPPORTING_UNSIGNED, applyTablePrefix } from '../sequelize-utils.js';
+import { applyTablePrefix, decodeStringArray, encodeStringArray, integerIdType, tableOptions } from '../sequelize-utils.js';
 import { TokenStore } from './base.js';
 class TokenModel extends Model {
 }
-function tokenTableOptions(sequelize, tablePrefix) {
-    const opts = {
-        sequelize,
-        tableName: applyTablePrefix(tablePrefix, 'jwttokens'),
-        timestamps: false
-    };
-    if (DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())) {
-        opts.charset = 'utf8mb4';
-        opts.collate = 'utf8mb4_unicode_ci';
-    }
-    return opts;
-}
 function initTokenModel(sequelize, options = {}) {
     const tableName = applyTablePrefix(options.tablePrefix, 'jwttokens');
     const usePrefixedIndexNames = tableName !== 'jwttokens';
@@ -23,9 +11,7 @@ function initTokenModel(sequelize, options = {}) {
     const refreshIndexName = usePrefixedIndexNames ? `${tableName}_refresh_unique` : 'jwt_refresh_unique';
     TokenModel.init({
         token_id: {
-            type: DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())
-                ? DataTypes.INTEGER.UNSIGNED
-                : DataTypes.INTEGER,
+            type: integerIdType(sequelize),
             autoIncrement: true,
             allowNull: false,
             primaryKey: true
@@ -122,7 +108,7 @@ function initTokenModel(sequelize, options = {}) {
             defaultValue: '[]'
         }
     }, {
-        ...tokenTableOptions(sequelize, options.tablePrefix),
+        ...tableOptions(sequelize, 'jwttokens', options.tablePrefix, { timestamps: false }),
         indexes: [
             { name: accessIndexName, unique: true, fields: ['access'] },
             { name: refreshIndexName, unique: true, fields: ['refresh'] }
@@ -161,43 +147,50 @@ export class SequelizeTokenStore extends TokenStore {
         const lastSeenAt = normalized.lastSeenAt ?? issuedAt;
         const sessionCookie = normalized.sessionCookie ?? false;
         const removalWhere = { user_id: resolvedUserId };
-        if (normalized.domain !== undefined && record.domain !== undefined) {
+        if (record.domain !== undefined) {
             removalWhere.domain = domain;
         }
-        if (normalized.fingerprint !== undefined && record.fingerprint !== undefined) {
+        if (record.fingerprint !== undefined) {
             removalWhere.fingerprint = fingerprint;
         }
         if (normalized.clientId) {
             removalWhere.client_id = normalized.clientId;
         }
-        await this.Tokens.destroy({ where: removalWhere });
-        // Access/refresh columns are unique. Remove stale collisions before insert to avoid
-        // transient uniqueness failures during retries/rotation edge-cases.
-        await this.Tokens.destroy({
-            where: {
-                [Op.or]: [{ access: normalized.accessToken ?? '' }, { refresh: normalized.refreshToken }]
-            }
-        });
-        await this.Tokens.create({
-            user_id: resolvedUserId,
-            real_user_id: resolvedRealUserId,
-            access: normalized.accessToken ?? '',
-            refresh: normalized.refreshToken,
-            expires: normalized.expires,
-            issued_at: issuedAt,
-            last_seen_at: lastSeenAt,
-            domain,
-            fingerprint,
-            label,
-            browser,
-            device,
-            ip,
-            os,
-            client_id: normalized.clientId ?? null,
-            scope: this.encodeScope(normalized.scope),
-            login_type: loginType,
-            refresh_ttl_seconds: refreshTtlSeconds,
-            session_cookie: sessionCookie
+        const sequelize = this.Tokens.sequelize;
+        if (!sequelize) {
+            throw new Error('Token model is not bound to a Sequelize instance');
+        }
+        await sequelize.transaction(async (transaction) => {
+            await this.Tokens.destroy({ where: removalWhere, transaction });
+            // Access/refresh columns are unique. Remove stale collisions before insert to avoid
+            // transient uniqueness failures during retries/rotation edge-cases.
+            await this.Tokens.destroy({
+                where: {
+                    [Op.or]: [{ access: normalized.accessToken ?? '' }, { refresh: normalized.refreshToken }]
+                },
+                transaction
+            });
+            await this.Tokens.create({
+                user_id: resolvedUserId,
+                real_user_id: resolvedRealUserId,
+                access: normalized.accessToken ?? '',
+                refresh: normalized.refreshToken,
+                expires: normalized.expires,
+                issued_at: issuedAt,
+                last_seen_at: lastSeenAt,
+                domain,
+                fingerprint,
+                label,
+                browser,
+                device,
+                ip,
+                os,
+                client_id: normalized.clientId ?? null,
+                scope: this.encodeScope(normalized.scope),
+                login_type: loginType,
+                refresh_ttl_seconds: refreshTtlSeconds,
+                session_cookie: sessionCookie
+            }, { transaction });
         });
     }
     async get(query, opts) {
@@ -266,11 +259,11 @@ export class SequelizeTokenStore extends TokenStore {
             where.client_id = params.clientId;
         }
         const updates = {};
-        if (params.accessToken !== undefined) {
-            updates.access = params.accessToken ?? null;
+        if (params.accessToken !== undefined && params.accessToken !== null) {
+            updates.access = params.accessToken;
         }
-        if (params.expires !== undefined) {
-            updates.expires = params.expires ?? null;
+        if (params.expires !== undefined && params.expires !== null) {
+            updates.expires = params.expires;
         }
         if (params.scope !== undefined) {
             updates.scope = this.encodeScope(params.scope);
@@ -308,11 +301,11 @@ export class SequelizeTokenStore extends TokenStore {
         if (params.sessionCookie !== undefined) {
             updates.session_cookie = params.sessionCookie;
         }
-        if (params.issuedAt !== undefined) {
-            updates.issued_at = params.issuedAt ?? null;
+        if (params.issuedAt !== undefined && params.issuedAt !== null) {
+            updates.issued_at = params.issuedAt;
         }
-        if (params.lastSeenAt !== undefined) {
-            updates.last_seen_at = params.lastSeenAt ?? null;
+        if (params.lastSeenAt !== undefined && params.lastSeenAt !== null) {
+            updates.last_seen_at = params.lastSeenAt;
         }
         if (Object.keys(updates).length === 0) {
             return false;
@@ -349,41 +342,17 @@ export class SequelizeTokenStore extends TokenStore {
         }
         return value;
     }
-    encodeStringArray(values) {
-        return JSON.stringify(values ?? []);
-    }
-    decodeStringArray(raw) {
-        if (!raw) {
-            return [];
-        }
-        try {
-            const parsed = JSON.parse(raw);
-            if (Array.isArray(parsed)) {
-                return parsed.filter((entry) => typeof entry === 'string' && entry.length > 0);
-            }
-        }
-        catch {
-            // ignore malformed values
-        }
-        return raw
-            .split(/\s+/)
-            .map((entry) => entry.trim())
-            .filter((entry) => entry.length > 0);
-    }
     encodeScope(scope) {
         if (!scope || (Array.isArray(scope) && scope.length === 0)) {
             return '[]';
         }
         if (Array.isArray(scope)) {
-            return this.encodeStringArray(scope);
+            return encodeStringArray(scope);
         }
-        return this.encodeStringArray(scope.split(/\s+/).filter((entry) => entry.length > 0));
-    }
-    decodeScope(raw) {
-        return this.decodeStringArray(raw);
+        return encodeStringArray(scope.split(/\s+/).filter((entry) => entry.length > 0));
     }
     toTokenRecord(model) {
-        const scope = this.decodeScope(model.scope);
+        const scope = decodeStringArray(model.scope);
         const normalized = this.normalizeToken({
             userId: model.user_id,
             refreshToken: model.refresh,

package/dist/esm/token/types.d.ts

@@ -23,7 +23,7 @@ export interface Token {
     device?: string;
     ip?: string;
     os?: string;
-    scope?: string | string[];
+    scope?: string[];
     loginType?: string;
     refreshTtlSeconds?: number;
     sessionCookie?: boolean;

package/dist/esm/user/base.d.ts

@@ -9,6 +9,7 @@ export declare abstract class UserStore<User, PublicUser> {
         bcryptRounds?: number;
         bcryptPepper?: string;
     });
+    private applyPepper;
     protected hashPassword(plain: string): Promise<string>;
     verifyPassword(plain: string, hashed: string): Promise<boolean>;
     protected normalizeUserInput(input: Partial<CreateUserInput>): CreateUserInput;

package/dist/esm/user/base.js

@@ -1,3 +1,4 @@
+import { createHmac } from 'node:crypto';
 import bcrypt from 'bcryptjs';
 export class UserStore {
     constructor(opts = {}) {
@@ -9,12 +10,18 @@ export class UserStore {
         this.bcryptPepper =
             typeof opts.bcryptPepper === 'string' && opts.bcryptPepper.length > 0 ? opts.bcryptPepper : undefined;
     }
+    applyPepper(plain) {
+        if (!this.bcryptPepper) {
+            return plain;
+        }
+        return createHmac('sha256', this.bcryptPepper).update(plain).digest('hex');
+    }
     async hashPassword(plain) {
-        const candidate = this.bcryptPepper ? `${plain}${this.bcryptPepper}` : plain;
+        const candidate = this.applyPepper(plain);
         return bcrypt.hash(candidate, this.bcryptRounds);
     }
     async verifyPassword(plain, hashed) {
-        const candidate = this.bcryptPepper ? `${plain}${this.bcryptPepper}` : plain;
+        const candidate = this.applyPepper(plain);
         return bcrypt.compare(candidate, hashed);
     }
     normalizeUserInput(input) {
@@ -29,8 +36,8 @@ export class UserStore {
     toPublic(user) {
         const mapped = this.toPublicUser(user);
         if (mapped && typeof mapped === 'object') {
-            const { password: _password, ...rest } = mapped;
-            void _password;
+            const rest = { ...mapped };
+            delete rest.password;
             return rest;
         }
         return mapped;

package/dist/esm/user/memory.d.ts

@@ -14,12 +14,14 @@ export interface MemoryUserStoreOptions<UserAttributes extends MemoryUserAttribu
     toPublic?: PublicUserMapper<UserAttributes, PublicUserShape>;
     userIdFactory?: () => number;
     startingUserId?: number;
+    maxUsers?: number;
 }
 export declare class MemoryUserStore<UserAttributes extends MemoryUserAttributes = MemoryUserAttributes, PublicUserShape extends Omit<UserAttributes, 'password'> = Omit<UserAttributes, 'password'>> extends UserStore<UserAttributes, PublicUserShape> {
     private readonly usersById;
     private readonly loginToId;
     private readonly emailToId;
     private readonly userIdFactory;
+    private readonly maxUsers?;
     private nextUserId;
     constructor(options?: MemoryUserStoreOptions<UserAttributes, PublicUserShape>);
     findUser(identifier: AuthIdentifier | string): Promise<UserAttributes | null>;

package/dist/esm/user/memory.js

@@ -3,7 +3,6 @@ import { UserStore } from './base.js';
 function cloneUser(user) {
     return { ...user };
 }
-const normalizeUserId = normalizeNumericUserId;
 export class MemoryUserStore extends UserStore {
     constructor(options = {}) {
         super({
@@ -15,6 +14,10 @@ export class MemoryUserStore extends UserStore {
         this.loginToId = new Map();
         this.emailToId = new Map();
         this.nextUserId = Number.isFinite(options.startingUserId) ? Number(options.startingUserId) : 1;
+        this.maxUsers =
+            typeof options.maxUsers === 'number' && Number.isFinite(options.maxUsers) && options.maxUsers > 0
+                ? Math.floor(options.maxUsers)
+                : undefined;
         this.userIdFactory =
             options.userIdFactory ??
                 (() => {
@@ -49,7 +52,7 @@ export class MemoryUserStore extends UserStore {
     }
     async findById(id) {
         try {
-            const numeric = normalizeUserId(id);
+            const numeric = normalizeNumericUserId(id);
             const user = this.usersById.get(numeric);
             return user ? cloneUser(user) : null;
         }
@@ -67,6 +70,9 @@ export class MemoryUserStore extends UserStore {
         if (this.usersById.has(userId)) {
             throw new Error(`User ${userId} already exists`);
         }
+        if (this.maxUsers !== undefined && this.usersById.size >= this.maxUsers) {
+            throw new Error('MemoryUserStore maxUsers limit reached');
+        }
         if (this.loginToId.has(normalizedInput.login)) {
             throw new Error(`User with login ${normalizedInput.login} already exists`);
         }

package/dist/esm/user/sequelize.js

@@ -1,22 +1,7 @@
-import { DataTypes, Model, Op } from 'sequelize';
+import { DataTypes, Model, Op, UniqueConstraintError } from 'sequelize';
 import { normalizeNumericUserId } from '../auth-api/user-id.js';
-import { DIALECTS_SUPPORTING_UNSIGNED, applyTablePrefix } from '../sequelize-utils.js';
+import { integerIdType, tableOptions } from '../sequelize-utils.js';
 import { UserStore } from './base.js';
-function integerIdType(sequelize) {
-    return DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? DataTypes.INTEGER.UNSIGNED : DataTypes.INTEGER;
-}
-function userTableOptions(sequelize, tablePrefix) {
-    const opts = {
-        sequelize,
-        tableName: applyTablePrefix(tablePrefix, 'users'),
-        timestamps: false
-    };
-    if (DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())) {
-        opts.charset = 'utf8mb4';
-        opts.collate = 'utf8mb4_unicode_ci';
-    }
-    return opts;
-}
 export class AuthUserModel extends Model {
 }
 export function initAuthUserModel(sequelize, options = {}) {
@@ -43,7 +28,7 @@ export function initAuthUserModel(sequelize, options = {}) {
             allowNull: false
         }
     }, {
-        ...userTableOptions(sequelize, options.tablePrefix)
+        ...tableOptions(sequelize, 'users', options.tablePrefix, { timestamps: false })
     });
     return AuthUserModel;
 }
@@ -110,11 +95,16 @@ export class SequelizeUserStore extends UserStore {
         if (providedId !== undefined && providedId !== null && Number.isFinite(providedId)) {
             defaults.user_id = Number(providedId);
         }
-        const [model] = await this.Users.findOrCreate({
-            where: { login: rest.login },
-            defaults: defaults
-        });
-        return this.toUserRecord(model);
+        try {
+            const model = await this.Users.create(defaults);
+            return this.toUserRecord(model);
+        }
+        catch (error) {
+            if (error instanceof UniqueConstraintError) {
+                throw new Error(`User with login ${rest.login} or email ${rest.email} already exists`);
+            }
+            throw error;
+        }
     }
     async upsertUser(input) {
         const normalized = this.normalizeUserInput(input);

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@technomoron/api-server-base",
-	"version": "2.0.0-beta.19",
+	"version": "2.0.0-beta.20",
 	"description": "Api Server Skeleton / Base Class",
 	"type": "module",
 	"main": "./dist/cjs/index.cjs",
@@ -68,11 +68,7 @@
 	},
 	"dependencies": {
 		"@simplewebauthn/server": "^13.2.2",
-		"@types/cookie-parser": "^1.4.10",
-		"@types/cors": "^2.8.19",
 		"@types/express": "^5.0.6",
-		"@types/jsonwebtoken": "^9.0.10",
-		"@types/multer": "^2.0.0",
 		"bcryptjs": "^3.0.3",
 		"cookie-parser": "^1.4.7",
 		"cors": "^2.8.6",
@@ -81,7 +77,11 @@
 		"multer": "^2.0.2"
 	},
 	"devDependencies": {
+		"@types/cookie-parser": "^1.4.10",
+		"@types/cors": "^2.8.19",
 		"@types/express-serve-static-core": "^5.1.1",
+		"@types/jsonwebtoken": "^9.0.10",
+		"@types/multer": "^2.0.0",
 		"@types/supertest": "^6.0.3",
 		"@typescript-eslint/eslint-plugin": "^8.54.0",
 		"@typescript-eslint/parser": "^8.54.0",