@technomoron/api-server-base 2.0.0-beta.2 → 2.0.0-beta.20

package/dist/esm/auth-api/compat-auth-storage.d.ts

@@ -1,9 +1,9 @@
 import { PasskeyService } from '../passkey/service.js';
-import type { AuthIdentifier, AuthStorage } from './types.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
 import type { OAuthStore } from '../oauth/base.js';
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
 import type { PasskeyStore } from '../passkey/base.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, StoredPasskeyCredential, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
 import type { TokenStore } from '../token/base.js';
 import type { Token } from '../token/types.js';
 import type { UserStore } from '../user/base.js';
@@ -11,7 +11,7 @@ interface PasskeyAdapterOptions {
     store: PasskeyStore;
     config: PasskeyServiceConfig;
 }
-export interface AuthStorageAdapterOptions<UserRow, PublicUser> {
+export interface AuthAdapterOptions<UserRow, PublicUser> {
     userStore: UserStore<UserRow, PublicUser>;
     tokenStore: TokenStore;
     passkeys?: PasskeyAdapterOptions | PasskeyService;
@@ -21,13 +21,13 @@ export interface AuthStorageAdapterOptions<UserRow, PublicUser> {
         effectiveUserId: AuthIdentifier;
     }) => boolean | Promise<boolean>;
 }
-export declare class AuthStorageAdapter<UserRow, PublicUser> implements AuthStorage<UserRow, PublicUser> {
+export declare class CompositeAuthAdapter<UserRow, PublicUser> implements AuthAdapter<UserRow, PublicUser> {
     private readonly userStore;
     private readonly tokenStore;
     private readonly oauthStore?;
     private readonly passkeyService?;
     private readonly canImpersonateFn?;
-    constructor(options: AuthStorageAdapterOptions<UserRow, PublicUser>);
+    constructor(options: AuthAdapterOptions<UserRow, PublicUser>);
     getUser(identifier: AuthIdentifier): Promise<UserRow | null>;
     getUserPasswordHash(user: UserRow): string;
     getUserId(user: UserRow): AuthIdentifier;
@@ -43,6 +43,8 @@ export declare class AuthStorageAdapter<UserRow, PublicUser> implements AuthStor
     }): Promise<boolean>;
     createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
     getClient(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;

package/dist/esm/auth-api/compat-auth-storage.js

@@ -1,6 +1,6 @@
 import { randomUUID } from 'node:crypto';
 import { PasskeyService } from '../passkey/service.js';
-export class AuthStorageAdapter {
+export class CompositeAuthAdapter {
     constructor(options) {
         this.userStore = options.userStore;
         this.tokenStore = options.tokenStore;
@@ -52,6 +52,18 @@ export class AuthStorageAdapter {
         }
         return this.passkeyService.verifyResponse(params);
     }
+    async listUserCredentials(userId) {
+        if (!this.passkeyService) {
+            throw new Error('Passkey storage is not configured');
+        }
+        return this.passkeyService.listUserCredentials(userId);
+    }
+    async deletePasskeyCredential(credentialId) {
+        if (!this.passkeyService) {
+            throw new Error('Passkey storage is not configured');
+        }
+        return this.passkeyService.deleteCredential(credentialId);
+    }
     async getClient(clientId) {
         if (!this.oauthStore) {
             return null;

package/dist/esm/auth-api/mem-auth-store.d.ts

@@ -2,11 +2,11 @@ import { MemoryOAuthStore } from '../oauth/memory.js';
 import { MemoryPasskeyStore } from '../passkey/memory.js';
 import { TokenStore } from '../token/base.js';
 import { MemoryUserStore } from '../user/memory.js';
-import type { AuthIdentifier, AuthStorage } from './types.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
 import type { MemoryOAuthStoreOptions } from '../oauth/memory.js';
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
 import type { MemoryPasskeyStoreOptions } from '../passkey/memory.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyUserDescriptor, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyUserDescriptor, StoredPasskeyCredential, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
 import type { Token } from '../token/types.js';
 import type { MemoryUserAttributes, MemoryPublicUser, MemoryUserStoreOptions } from '../user/memory.js';
 interface PasskeyOptions extends Partial<PasskeyServiceConfig> {
@@ -24,7 +24,7 @@ export interface MemAuthStoreParams<UserAttributes extends MemoryUserAttributes
     }) => boolean | Promise<boolean>;
     tokenStore?: TokenStore;
 }
-export declare class MemAuthStore<UserAttributes extends MemoryUserAttributes = MemoryUserAttributes, PublicUserShape extends MemoryPublicUser<UserAttributes> = MemoryPublicUser<UserAttributes>> implements AuthStorage<UserAttributes, PublicUserShape> {
+export declare class MemAuthStore<UserAttributes extends MemoryUserAttributes = MemoryUserAttributes, PublicUserShape extends MemoryPublicUser<UserAttributes> = MemoryPublicUser<UserAttributes>> implements AuthAdapter<UserAttributes, PublicUserShape> {
     readonly userStore: MemoryUserStore<UserAttributes, PublicUserShape>;
     readonly tokenStore: TokenStore;
     readonly passkeyStore?: MemoryPasskeyStore;
@@ -54,6 +54,8 @@ export declare class MemAuthStore<UserAttributes extends MemoryUserAttributes =
     }): Promise<boolean>;
     createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
     getClient(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;

package/dist/esm/auth-api/mem-auth-store.js

@@ -1,30 +1,10 @@
 import { MemoryOAuthStore } from '../oauth/memory.js';
+import { normalizePasskeyConfig } from '../passkey/config.js';
 import { MemoryPasskeyStore } from '../passkey/memory.js';
 import { MemoryTokenStore } from '../token/memory.js';
 import { MemoryUserStore } from '../user/memory.js';
-import { AuthStorageAdapter } from './compat-auth-storage.js';
-const DEFAULT_PASSKEY_CONFIG = {
-    rpId: 'localhost',
-    rpName: 'API Server',
-    origins: ['http://localhost:5173'],
-    timeoutMs: 5 * 60 * 1000,
-    userVerification: 'preferred'
-};
-function isOriginString(origin) {
-    return typeof origin === 'string' && origin.trim().length > 0;
-}
-function normalizePasskeyConfig(config = {}) {
-    const candidateOrigins = Array.isArray(config.origins) && config.origins.length > 0 ? config.origins.filter(isOriginString) : null;
-    return {
-        rpId: config.rpId?.trim() || DEFAULT_PASSKEY_CONFIG.rpId,
-        rpName: config.rpName?.trim() || DEFAULT_PASSKEY_CONFIG.rpName,
-        origins: candidateOrigins ? candidateOrigins.map((origin) => origin.trim()) : DEFAULT_PASSKEY_CONFIG.origins,
-        timeoutMs: typeof config.timeoutMs === 'number' && config.timeoutMs > 0
-            ? config.timeoutMs
-            : DEFAULT_PASSKEY_CONFIG.timeoutMs,
-        userVerification: config.userVerification ?? DEFAULT_PASSKEY_CONFIG.userVerification
-    };
-}
+import { CompositeAuthAdapter } from './compat-auth-storage.js';
+import { toOptionalStringId } from './user-id.js';
 export class MemAuthStore {
     constructor(params = {}) {
         this.userStore = new MemoryUserStore({
@@ -56,7 +36,7 @@ export class MemAuthStore {
             passkeyStore = new MemoryPasskeyStore({ resolveUser });
             this.passkeyStore = passkeyStore;
         }
-        this.adapter = new AuthStorageAdapter({
+        this.adapter = new CompositeAuthAdapter({
             userStore: this.userStore,
             tokenStore: this.tokenStore,
             passkeys: passkeyStore && passkeyConfig ? { store: passkeyStore, config: passkeyConfig } : undefined,
@@ -91,16 +71,16 @@ export class MemAuthStore {
     async getToken(query, opts) {
         const normalized = {
             ...query,
-            userId: query.userId !== undefined && query.userId !== null ? String(query.userId) : undefined,
-            ruid: query.ruid !== undefined && query.ruid !== null ? String(query.ruid) : undefined
+            userId: toOptionalStringId(query.userId),
+            ruid: toOptionalStringId(query.ruid)
         };
         return this.adapter.getToken(normalized, opts);
     }
     async deleteToken(query) {
         const normalized = {
             ...query,
-            userId: query.userId !== undefined && query.userId !== null ? String(query.userId) : undefined,
-            ruid: query.ruid !== undefined && query.ruid !== null ? String(query.ruid) : undefined
+            userId: toOptionalStringId(query.userId),
+            ruid: toOptionalStringId(query.ruid)
         };
         return this.adapter.deleteToken(normalized);
     }
@@ -113,6 +93,12 @@ export class MemAuthStore {
     async verifyPasskeyResponse(params) {
         return this.adapter.verifyPasskeyResponse(params);
     }
+    async listUserCredentials(userId) {
+        return this.adapter.listUserCredentials(userId);
+    }
+    async deletePasskeyCredential(credentialId) {
+        return this.adapter.deletePasskeyCredential(credentialId);
+    }
     async getClient(clientId) {
         return this.adapter.getClient(clientId);
     }

package/dist/esm/auth-api/module.d.ts

@@ -8,7 +8,7 @@ export interface AuthProviderModule<UserRow = unknown> {
         expires?: Date;
     }): Promise<TokenPair>;
 }
-export declare abstract class BaseAuthModule<UserRow = unknown> extends ApiModule<any> implements AuthProviderModule<UserRow> {
+export declare abstract class BaseAuthModule<UserRow = unknown> extends ApiModule implements AuthProviderModule<UserRow> {
     readonly moduleType: "auth";
     protected constructor(opts: {
         namespace: string;

package/dist/esm/auth-api/sql-auth-store.d.ts

@@ -3,21 +3,31 @@ import { SequelizeOAuthStore, type SequelizeOAuthStoreOptions } from '../oauth/s
 import { SequelizePasskeyStore } from '../passkey/sequelize.js';
 import { type SequelizeTokenStoreOptions } from '../token/sequelize.js';
 import { SequelizeUserStore, type AuthUserAttributes, GenericUserModel, GenericUserModelStatic } from '../user/sequelize.js';
-import type { AuthIdentifier, AuthStorage } from './types.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyUserDescriptor, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyUserDescriptor, StoredPasskeyCredential, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
 import type { TokenStore } from '../token/base.js';
 import type { Token } from '../token/types.js';
 interface PasskeyOptions extends Partial<PasskeyServiceConfig> {
     enabled?: boolean;
 }
+export interface SqlAuthStoreTablePrefixes {
+    user?: string;
+    token?: string;
+    passkey?: string;
+    oauth?: string;
+}
 export interface SqlAuthStoreParams<UserAttributes extends AuthUserAttributes = AuthUserAttributes, PublicUserShape extends Omit<UserAttributes, 'password'> = Omit<UserAttributes, 'password'>> {
     sequelize: Sequelize;
     syncOptions?: SyncOptions;
     bcryptRounds?: number;
     passwordPepper?: string;
+    tablePrefix?: string;
+    tablePrefixes?: SqlAuthStoreTablePrefixes;
     userModel?: GenericUserModelStatic;
-    userModelFactory?: (sequelize: Sequelize) => GenericUserModelStatic;
+    userModelFactory?: (sequelize: Sequelize, options?: {
+        tablePrefix?: string;
+    }) => GenericUserModelStatic;
     userRecordMapper?: (model: GenericUserModel) => UserAttributes;
     publicUserMapper?: (user: UserAttributes) => PublicUserShape;
     passkeyUserMapper?: (user: UserAttributes) => PasskeyUserDescriptor;
@@ -30,7 +40,7 @@ export interface SqlAuthStoreParams<UserAttributes extends AuthUserAttributes =
     tokenStoreOptions?: Omit<SequelizeTokenStoreOptions, 'sequelize'>;
     oauthStoreOptions?: Omit<SequelizeOAuthStoreOptions, 'sequelize'>;
 }
-export declare class SqlAuthStore<UserAttributes extends AuthUserAttributes = AuthUserAttributes, PublicUserShape extends Omit<UserAttributes, 'password'> = Omit<UserAttributes, 'password'>> implements AuthStorage<UserAttributes, PublicUserShape> {
+export declare class SqlAuthStore<UserAttributes extends AuthUserAttributes = AuthUserAttributes, PublicUserShape extends Omit<UserAttributes, 'password'> = Omit<UserAttributes, 'password'>> implements AuthAdapter<UserAttributes, PublicUserShape> {
     readonly userStore: SequelizeUserStore<UserAttributes, PublicUserShape>;
     readonly tokenStore: TokenStore;
     readonly passkeyStore?: SequelizePasskeyStore;
@@ -63,6 +73,8 @@ export declare class SqlAuthStore<UserAttributes extends AuthUserAttributes = Au
     }): Promise<boolean>;
     createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
     getClient(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;

package/dist/esm/auth-api/sql-auth-store.js

@@ -1,29 +1,19 @@
 import { SequelizeOAuthStore } from '../oauth/sequelize.js';
+import { normalizePasskeyConfig } from '../passkey/config.js';
 import { SequelizePasskeyStore } from '../passkey/sequelize.js';
+import { normalizeTablePrefix } from '../sequelize-utils.js';
 import { SequelizeTokenStore } from '../token/sequelize.js';
 import { SequelizeUserStore } from '../user/sequelize.js';
-import { AuthStorageAdapter } from './compat-auth-storage.js';
-const DEFAULT_PASSKEY_CONFIG = {
-    rpId: 'localhost',
-    rpName: 'API Server',
-    origins: ['http://localhost:5173'],
-    timeoutMs: 5 * 60 * 1000,
-    userVerification: 'preferred'
-};
-function isOriginString(origin) {
-    return typeof origin === 'string' && origin.trim().length > 0;
-}
-function normalizePasskeyConfig(config = {}) {
-    const candidateOrigins = Array.isArray(config.origins) && config.origins.length > 0 ? config.origins.filter(isOriginString) : null;
-    return {
-        rpId: config.rpId?.trim() || DEFAULT_PASSKEY_CONFIG.rpId,
-        rpName: config.rpName?.trim() || DEFAULT_PASSKEY_CONFIG.rpName,
-        origins: candidateOrigins ? candidateOrigins.map((origin) => origin.trim()) : DEFAULT_PASSKEY_CONFIG.origins,
-        timeoutMs: typeof config.timeoutMs === 'number' && config.timeoutMs > 0
-            ? config.timeoutMs
-            : DEFAULT_PASSKEY_CONFIG.timeoutMs,
-        userVerification: config.userVerification ?? DEFAULT_PASSKEY_CONFIG.userVerification
-    };
+import { CompositeAuthAdapter } from './compat-auth-storage.js';
+import { toOptionalStringId } from './user-id.js';
+function resolveTablePrefix(...prefixes) {
+    for (const prefix of prefixes) {
+        const normalized = normalizeTablePrefix(prefix);
+        if (normalized) {
+            return normalized;
+        }
+    }
+    return undefined;
 }
 export class SqlAuthStore {
     constructor(params) {
@@ -33,6 +23,8 @@ export class SqlAuthStore {
         }
         this.sequelize = params.sequelize;
         this.syncOptions = params.syncOptions;
+        const moduleTablePrefixes = params.tablePrefixes ?? {};
+        const userTablePrefix = resolveTablePrefix(moduleTablePrefixes.user, params.tablePrefix);
         this.userStore = new SequelizeUserStore({
             sequelize: this.sequelize,
             userModel: params.userModel,
@@ -40,18 +32,28 @@ export class SqlAuthStore {
             recordMapper: params.userRecordMapper,
             toPublic: params.publicUserMapper,
             bcryptRounds: params.bcryptRounds,
-            bcryptPepper: params.passwordPepper
+            bcryptPepper: params.passwordPepper,
+            tablePrefix: userTablePrefix
         });
+        const tokenTablePrefix = resolveTablePrefix(params.tokenStoreOptions?.tablePrefix, moduleTablePrefixes.token, params.tablePrefix);
         this.tokenStore =
-            params.tokenStore ?? new SequelizeTokenStore({ sequelize: this.sequelize, ...params.tokenStoreOptions });
+            params.tokenStore ??
+                new SequelizeTokenStore({
+                    sequelize: this.sequelize,
+                    ...params.tokenStoreOptions,
+                    tablePrefix: tokenTablePrefix
+                });
+        const oauthTablePrefix = resolveTablePrefix(params.oauthStoreOptions?.tablePrefix, moduleTablePrefixes.oauth, params.tablePrefix);
         this.oauthStore = new SequelizeOAuthStore({
             sequelize: this.sequelize,
             ...params.oauthStoreOptions,
+            tablePrefix: oauthTablePrefix,
             bcryptRounds: params.bcryptRounds
         });
         let passkeyStore;
         let passkeyConfig;
         if (params.passkeys !== false) {
+            const passkeyTablePrefix = resolveTablePrefix(moduleTablePrefixes.passkey, params.tablePrefix);
             passkeyConfig = normalizePasskeyConfig(params.passkeys ?? {});
             const resolveUser = async (lookup) => {
                 const found = await this.userStore.findUser(lookup.userId ?? lookup.login ?? '');
@@ -66,10 +68,14 @@ export class SqlAuthStore {
                     }));
                 return mapper(found);
             };
-            passkeyStore = new SequelizePasskeyStore({ sequelize: this.sequelize, resolveUser });
+            passkeyStore = new SequelizePasskeyStore({
+                sequelize: this.sequelize,
+                resolveUser,
+                tablePrefix: passkeyTablePrefix
+            });
             this.passkeyStore = passkeyStore;
         }
-        this.adapter = new AuthStorageAdapter({
+        this.adapter = new CompositeAuthAdapter({
             userStore: this.userStore,
             tokenStore: this.tokenStore,
             passkeys: passkeyStore && passkeyConfig ? { store: passkeyStore, config: passkeyConfig } : undefined,
@@ -98,6 +104,7 @@ export class SqlAuthStore {
             }
         }
         finally {
+            // Prevent double-close errors when the same Sequelize instance is shared with other code.
             this.sequelize.close = async () => { };
         }
     }
@@ -122,16 +129,16 @@ export class SqlAuthStore {
     async getToken(query, opts) {
         const normalized = {
             ...query,
-            userId: query.userId !== undefined && query.userId !== null ? String(query.userId) : undefined,
-            ruid: query.ruid !== undefined && query.ruid !== null ? String(query.ruid) : undefined
+            userId: toOptionalStringId(query.userId),
+            ruid: toOptionalStringId(query.ruid)
         };
         return this.adapter.getToken(normalized, opts);
     }
     async deleteToken(query) {
         const normalized = {
             ...query,
-            userId: query.userId !== undefined && query.userId !== null ? String(query.userId) : undefined,
-            ruid: query.ruid !== undefined && query.ruid !== null ? String(query.ruid) : undefined
+            userId: toOptionalStringId(query.userId),
+            ruid: toOptionalStringId(query.ruid)
         };
         return this.adapter.deleteToken(normalized);
     }
@@ -144,6 +151,12 @@ export class SqlAuthStore {
     async verifyPasskeyResponse(params) {
         return this.adapter.verifyPasskeyResponse(params);
     }
+    async listUserCredentials(userId) {
+        return this.adapter.listUserCredentials(userId);
+    }
+    async deletePasskeyCredential(credentialId) {
+        return this.adapter.deletePasskeyCredential(credentialId);
+    }
     async getClient(clientId) {
         return this.adapter.getClient(clientId);
     }

package/dist/esm/auth-api/storage.d.ts

@@ -1,8 +1,8 @@
-import type { AuthIdentifier, AuthStorage } from './types.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult, StoredPasskeyCredential } from '../passkey/types.js';
 import type { Token } from '../token/types.js';
-export declare class BaseAuthStorage<UserRow = unknown, SafeUser = unknown> implements AuthStorage<UserRow, SafeUser> {
+export declare class BaseAuthAdapter<UserRow = unknown, SafeUser = unknown> implements AuthAdapter<UserRow, SafeUser> {
     getUser(identifier: AuthIdentifier): Promise<UserRow | null>;
     getUserPasswordHash(user: UserRow): string;
     getUserId(user: UserRow): AuthIdentifier;
@@ -24,6 +24,8 @@ export declare class BaseAuthStorage<UserRow = unknown, SafeUser = unknown> impl
     }): Promise<boolean>;
     createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
     getClient(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;
@@ -33,4 +35,4 @@ export declare class BaseAuthStorage<UserRow = unknown, SafeUser = unknown> impl
         effectiveUserId: AuthIdentifier;
     }): Promise<boolean>;
 }
-export declare const nullAuthStorage: AuthStorage<unknown, unknown>;
+export declare const nullAuthAdapter: AuthAdapter<unknown, unknown>;

package/dist/esm/auth-api/storage.js

@@ -1,6 +1,6 @@
-// Handy base you can extend when wiring a real storage adapter. Every method
+// Handy base you can extend when wiring a real auth adapter. Every method
 // throws by default so unimplemented hooks fail loudly.
-export class BaseAuthStorage {
+export class BaseAuthAdapter {
     // Override to load a user record by identifier
     async getUser(identifier) {
         void identifier;
@@ -57,6 +57,16 @@ export class BaseAuthStorage {
         void params;
         throw new Error('Auth storage not configured');
     }
+    // Override to list passkey credentials for a user
+    async listUserCredentials(userId) {
+        void userId;
+        throw new Error('Auth storage not configured');
+    }
+    // Override to delete a passkey credential
+    async deletePasskeyCredential(credentialId) {
+        void credentialId;
+        throw new Error('Auth storage not configured');
+    }
     // Override to fetch an OAuth client by identifier
     async getClient(clientId) {
         void clientId;
@@ -85,4 +95,4 @@ export class BaseAuthStorage {
         return false;
     }
 }
-export const nullAuthStorage = new BaseAuthStorage();
+export const nullAuthAdapter = new BaseAuthAdapter();

package/dist/esm/auth-api/types.d.ts

@@ -1,8 +1,9 @@
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult, StoredPasskeyCredential } from '../passkey/types.js';
 import type { Token } from '../token/types.js';
 export type AuthIdentifier = string | number;
-export interface AuthStorage<UserRow, SafeUser> {
+/** @internal */
+export interface AuthAdapter<UserRow, SafeUser> {
     getUser(identifier: AuthIdentifier): Promise<UserRow | null>;
     getUserPasswordHash(user: UserRow): string;
     getUserId(user: UserRow): AuthIdentifier;
@@ -18,6 +19,8 @@ export interface AuthStorage<UserRow, SafeUser> {
     }): Promise<boolean>;
     createPasskeyChallenge?(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse?(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials?(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential?(credentialId: Buffer | string): Promise<boolean>;
     getClient?(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret?(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode?(request: AuthCodeRequest): Promise<AuthCodeData>;
@@ -27,3 +30,5 @@ export interface AuthStorage<UserRow, SafeUser> {
         effectiveUserId: AuthIdentifier;
     }): Promise<boolean>;
 }
+/** @internal */
+export type AuthStorage<UserRow, SafeUser> = AuthAdapter<UserRow, SafeUser>;

package/dist/esm/auth-api/user-id.d.ts

@@ -0,0 +1,5 @@
+import type { AuthIdentifier } from './types.js';
+export declare function normalizeComparableUserId(identifier: AuthIdentifier): string;
+export declare function normalizeNumericUserId(identifier: AuthIdentifier): number;
+export declare function normalizeStringUserId(identifier: AuthIdentifier): string;
+export declare function toOptionalStringId(value: AuthIdentifier | undefined | null): string | undefined;

package/dist/esm/auth-api/user-id.js

@@ -0,0 +1,32 @@
+export function normalizeComparableUserId(identifier) {
+    if (typeof identifier === 'number' && Number.isFinite(identifier)) {
+        return String(identifier);
+    }
+    if (typeof identifier === 'string') {
+        const trimmed = identifier.trim();
+        if (trimmed.length === 0) {
+            throw new Error(`Unable to normalise user identifier: ${identifier}`);
+        }
+        if (/^\d+$/.test(trimmed)) {
+            return String(Number(trimmed));
+        }
+        return trimmed;
+    }
+    throw new Error(`Unable to normalise user identifier: ${identifier}`);
+}
+export function normalizeNumericUserId(identifier) {
+    const normalized = normalizeComparableUserId(identifier);
+    if (/^\d+$/.test(normalized)) {
+        return Number(normalized);
+    }
+    throw new Error(`Unable to normalise user identifier: ${identifier}`);
+}
+export function normalizeStringUserId(identifier) {
+    return normalizeComparableUserId(identifier);
+}
+export function toOptionalStringId(value) {
+    if (value === undefined || value === null) {
+        return undefined;
+    }
+    return String(value);
+}

package/dist/esm/auth-cookie-options.d.ts

@@ -0,0 +1,11 @@
+import type { Request } from 'express';
+import type { CookieOptions } from 'express-serve-static-core';
+export interface AuthCookieConfig {
+    cookieSecure?: boolean | 'auto';
+    cookieSameSite?: 'lax' | 'strict' | 'none';
+    cookieHttpOnly?: boolean;
+    cookieDomain?: string;
+    cookiePath?: string;
+    devMode?: boolean;
+}
+export declare function buildAuthCookieOptions(config: AuthCookieConfig, req: Pick<Request, 'headers' | 'protocol'>): CookieOptions;

package/dist/esm/auth-cookie-options.js

@@ -0,0 +1,63 @@
+function firstHeaderValue(value) {
+    if (typeof value === 'string') {
+        return value;
+    }
+    if (Array.isArray(value)) {
+        return value[0] ?? '';
+    }
+    return '';
+}
+function resolveOriginHostname(origin) {
+    try {
+        const url = new URL(origin);
+        const hostname = url.hostname.trim().toLowerCase();
+        return hostname.length > 0 ? hostname : null;
+    }
+    catch {
+        return null;
+    }
+}
+function isLocalhostOrigin(origin) {
+    const hostname = resolveOriginHostname(origin);
+    if (!hostname) {
+        return false;
+    }
+    return hostname === 'localhost' || hostname.endsWith('.localhost');
+}
+export function buildAuthCookieOptions(config, req) {
+    const forwardedProto = firstHeaderValue(req.headers['x-forwarded-proto']).split(',')[0].trim().toLowerCase();
+    const isHttps = forwardedProto === 'https' || req.protocol === 'https';
+    const origin = firstHeaderValue(req.headers.origin ?? req.headers.referer);
+    let secure;
+    if (config.cookieSecure === true) {
+        secure = true;
+    }
+    else if (config.cookieSecure === false) {
+        secure = false;
+    }
+    else {
+        secure = isHttps;
+    }
+    let sameSite = config.cookieSameSite ?? 'lax';
+    if (sameSite !== 'lax' && sameSite !== 'strict' && sameSite !== 'none') {
+        sameSite = 'lax';
+    }
+    let resolvedSecure = secure;
+    if (sameSite === 'none' && resolvedSecure !== true) {
+        // Modern browsers reject SameSite=None cookies unless Secure is set.
+        resolvedSecure = true;
+    }
+    const options = {
+        httpOnly: config.cookieHttpOnly ?? true,
+        secure: resolvedSecure,
+        sameSite,
+        domain: config.cookieDomain || undefined,
+        path: config.cookiePath || '/',
+        maxAge: undefined
+    };
+    if (config.devMode && isLocalhostOrigin(origin)) {
+        // Domain cookies do not work on localhost; avoid breaking local development when cookieDomain is set.
+        options.domain = undefined;
+    }
+    return options;
+}

package/dist/esm/index.d.ts

@@ -1,32 +1,27 @@
 export { default as ApiServer } from './api-server-base.js';
 export { ApiError } from './api-server-base.js';
 export { ApiModule } from './api-module.js';
-export type { ApiErrorParams, ApiHandler, ApiKey, ApiServerConf, ApiRequest, ApiRoute, ApiAuthType, ApiAuthClass, ApiTokenData, ExtendedReq } from './api-server-base.js';
-export type { AuthIdentifier, AuthStorage } from './auth-api/types.js';
+export type { ApiErrorParams, ApiHandler, ApiKey, ApiServerConf, ApiRequest, ApiRoute, ApiAuthType, ApiAuthClass, ApiTokenData, ExtendedReq, ExpressApiRequest, ExpressApiLocals } from './api-server-base.js';
+export type { AuthIdentifier } from './auth-api/types.js';
 export type { Token, TokenPair, TokenStatus } from './token/types.js';
 export type { JwtSignResult, JwtVerifyResult, JwtDecodeResult } from './token/base.js';
 export type { OAuthClient, AuthCodeData, AuthCodeRequest } from './oauth/types.js';
 export type { AuthProviderModule } from './auth-api/module.js';
-export { nullAuthStorage, BaseAuthStorage } from './auth-api/storage.js';
+export { nullAuthAdapter, BaseAuthAdapter } from './auth-api/storage.js';
 export { nullAuthModule, BaseAuthModule } from './auth-api/module.js';
-export { AuthStorageAdapter } from './auth-api/compat-auth-storage.js';
+export { CompositeAuthAdapter } from './auth-api/compat-auth-storage.js';
 export { MemAuthStore } from './auth-api/mem-auth-store.js';
-export { SqlAuthStore } from './auth-api/sql-auth-store.js';
 export { default as AuthModule } from './auth-api/auth-module.js';
 export type { OAuthStartParams, OAuthStartResult, OAuthCallbackParams, OAuthCallbackResult } from './oauth/types.js';
 export type { BcryptHasherOptions, CreateUserInput, UpdateUserInput, PublicUserMapper } from './user/types.js';
 export { UserStore } from './user/base.js';
 export { MemoryUserStore } from './user/memory.js';
-export { SequelizeUserStore } from './user/sequelize.js';
 export type { MemoryUserAttributes, MemoryUserStoreOptions } from './user/memory.js';
 export { TokenStore } from './token/base.js';
 export { MemoryTokenStore } from './token/memory.js';
-export { SequelizeTokenStore } from './token/sequelize.js';
 export { PasskeyService } from './passkey/service.js';
 export { PasskeyStore } from './passkey/base.js';
 export { MemoryPasskeyStore } from './passkey/memory.js';
-export { SequelizePasskeyStore } from './passkey/sequelize.js';
 export type { PasskeyServiceConfig, PasskeyChallengeRecord, PasskeyUserDescriptor, StoredPasskeyCredential, PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult } from './passkey/types.js';
 export { OAuthStore } from './oauth/base.js';
 export { MemoryOAuthStore } from './oauth/memory.js';
-export { SequelizeOAuthStore } from './oauth/sequelize.js';