@technomoron/api-server-base 2.0.0-beta.2 → 2.0.0-beta.20

package/dist/esm/passkey/memory.js

@@ -1,20 +1,13 @@
+import { normalizeComparableUserId } from '../auth-api/user-id.js';
 import { PasskeyStore } from './base.js';
 function encodeCredentialId(value) {
     return Buffer.isBuffer(value) ? value.toString('base64') : value;
 }
-function normalizeUserId(identifier) {
-    if (typeof identifier === 'number' && Number.isFinite(identifier)) {
-        return identifier;
-    }
-    if (typeof identifier === 'string' && /^\d+$/.test(identifier)) {
-        return Number(identifier);
-    }
-    return identifier;
-}
 function cloneCredential(record) {
     return {
         ...record,
         credentialId: Buffer.isBuffer(record.credentialId) ? Buffer.from(record.credentialId) : record.credentialId,
+        publicKey: Buffer.from(record.publicKey),
         transports: record.transports ? [...record.transports] : undefined
     };
 }
@@ -24,16 +17,32 @@ export class MemoryPasskeyStore extends PasskeyStore {
         this.credentials = new Map();
         this.challenges = new Map();
         this.resolveUserFn = options.resolveUser;
+        this.maxCredentials =
+            typeof options.maxCredentials === 'number' &&
+                Number.isFinite(options.maxCredentials) &&
+                options.maxCredentials > 0
+                ? Math.floor(options.maxCredentials)
+                : undefined;
+        this.maxChallenges =
+            typeof options.maxChallenges === 'number' &&
+                Number.isFinite(options.maxChallenges) &&
+                options.maxChallenges > 0
+                ? Math.floor(options.maxChallenges)
+                : undefined;
     }
     async resolveUser(params) {
         return this.resolveUserFn(params);
     }
     async listUserCredentials(userId) {
-        const normalizedUserId = normalizeUserId(userId);
+        const normalizedUserId = normalizeComparableUserId(userId);
         return [...this.credentials.values()]
-            .filter((record) => normalizeUserId(record.userId) === normalizedUserId)
+            .filter((record) => normalizeComparableUserId(record.userId) === normalizedUserId)
             .map((record) => cloneCredential(record));
     }
+    async deleteCredential(credentialId) {
+        const key = encodeCredentialId(credentialId);
+        return this.credentials.delete(key);
+    }
     async findCredentialById(credentialId) {
         const record = this.credentials.get(encodeCredentialId(credentialId));
         return record ? cloneCredential(record) : null;
@@ -41,10 +50,11 @@ export class MemoryPasskeyStore extends PasskeyStore {
     async saveCredential(record) {
         this.credentials.set(encodeCredentialId(record.credentialId), {
             ...record,
-            userId: normalizeUserId(record.userId),
+            userId: normalizeComparableUserId(record.userId),
             credentialId: Buffer.isBuffer(record.credentialId) ? Buffer.from(record.credentialId) : record.credentialId,
             transports: record.transports ? [...record.transports] : undefined
         });
+        this.enforceCredentialCapacity();
     }
     async updateCredentialCounter(credentialId, counter) {
         const key = encodeCredentialId(credentialId);
@@ -55,10 +65,17 @@ export class MemoryPasskeyStore extends PasskeyStore {
     }
     async saveChallenge(record) {
         this.challenges.set(record.challenge, {
-            ...record,
-            userId: record.userId !== undefined ? normalizeUserId(record.userId) : undefined,
-            metadata: record.metadata ? { ...record.metadata } : {}
+            challenge: record.challenge,
+            action: record.action,
+            userId: record.userId !== undefined ? normalizeComparableUserId(record.userId) : undefined,
+            login: record.login ?? undefined,
+            expiresAt: record.expiresAt
         });
+        this.enforceChallengeCapacity();
+    }
+    async getChallenge(challenge) {
+        const record = this.challenges.get(challenge);
+        return record ? { ...record } : null;
     }
     async consumeChallenge(challenge) {
         const record = this.challenges.get(challenge);
@@ -66,7 +83,7 @@ export class MemoryPasskeyStore extends PasskeyStore {
             return null;
         }
         this.challenges.delete(challenge);
-        return { ...record, metadata: record.metadata ? { ...record.metadata } : {} };
+        return { ...record };
     }
     async cleanupChallenges(now) {
         for (const [challenge, record] of this.challenges.entries()) {
@@ -75,4 +92,28 @@ export class MemoryPasskeyStore extends PasskeyStore {
             }
         }
     }
+    enforceCredentialCapacity() {
+        if (!this.maxCredentials) {
+            return;
+        }
+        while (this.credentials.size > this.maxCredentials) {
+            const oldest = this.credentials.keys().next().value;
+            if (!oldest) {
+                return;
+            }
+            this.credentials.delete(oldest);
+        }
+    }
+    enforceChallengeCapacity() {
+        if (!this.maxChallenges) {
+            return;
+        }
+        while (this.challenges.size > this.maxChallenges) {
+            const oldest = this.challenges.keys().next().value;
+            if (!oldest) {
+                return;
+            }
+            this.challenges.delete(oldest);
+        }
+    }
 }

package/dist/esm/passkey/models.d.ts

@@ -1,5 +1,4 @@
 import { Model, type InferAttributes, type InferCreationAttributes, type ModelStatic, type Sequelize } from 'sequelize';
-import type { PasskeyChallengeMetadata } from './service.js';
 export declare class PasskeyCredentialModel extends Model<InferAttributes<PasskeyCredentialModel>, InferCreationAttributes<PasskeyCredentialModel>> {
     credentialId: Buffer;
     userId: number;
@@ -8,6 +7,13 @@ export declare class PasskeyCredentialModel extends Model<InferAttributes<Passke
     transports: string[] | null;
     backedUp: boolean;
     deviceType: string;
+    label: string | null;
+    createdDomain: string | null;
+    createdUserAgent: string | null;
+    createdBrowser: string | null;
+    createdOs: string | null;
+    createdDevice: string | null;
+    createdIp: string | null;
     createdAt?: Date;
     updatedAt?: Date;
 }
@@ -16,10 +22,13 @@ export declare class PasskeyChallengeModel extends Model<InferAttributes<Passkey
     action: 'register' | 'authenticate';
     userId: number | null;
     login: string | null;
-    metadata: PasskeyChallengeMetadata | null;
     expiresAt: Date;
     createdAt?: Date;
     updatedAt?: Date;
 }
-export declare function initPasskeyCredentialModel(sequelize: Sequelize): ModelStatic<PasskeyCredentialModel>;
-export declare function initPasskeyChallengeModel(sequelize: Sequelize): ModelStatic<PasskeyChallengeModel>;
+export declare function initPasskeyCredentialModel(sequelize: Sequelize, options?: {
+    tablePrefix?: string;
+}): ModelStatic<PasskeyCredentialModel>;
+export declare function initPasskeyChallengeModel(sequelize: Sequelize, options?: {
+    tablePrefix?: string;
+}): ModelStatic<PasskeyChallengeModel>;

package/dist/esm/passkey/models.js

@@ -1,13 +1,10 @@
 import { DataTypes, Model } from 'sequelize';
-const DIALECTS_SUPPORTING_UNSIGNED = new Set(['mysql', 'mariadb']);
-function integerIdType(sequelize) {
-    return DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? DataTypes.INTEGER.UNSIGNED : DataTypes.INTEGER;
-}
+import { applyTablePrefix, integerIdType } from '../sequelize-utils.js';
 export class PasskeyCredentialModel extends Model {
 }
 export class PasskeyChallengeModel extends Model {
 }
-export function initPasskeyCredentialModel(sequelize) {
+export function initPasskeyCredentialModel(sequelize, options = {}) {
     const idType = integerIdType(sequelize);
     return PasskeyCredentialModel.init({
         credentialId: {
@@ -60,15 +57,49 @@ export function initPasskeyCredentialModel(sequelize) {
             type: DataTypes.STRING(32),
             allowNull: false,
             defaultValue: 'multiDevice'
+        },
+        label: {
+            type: DataTypes.STRING(120),
+            allowNull: true
+        },
+        createdDomain: {
+            field: 'created_domain',
+            type: DataTypes.STRING(255),
+            allowNull: true
+        },
+        createdUserAgent: {
+            field: 'created_user_agent',
+            type: DataTypes.TEXT,
+            allowNull: true
+        },
+        createdBrowser: {
+            field: 'created_browser',
+            type: DataTypes.STRING(120),
+            allowNull: true
+        },
+        createdOs: {
+            field: 'created_os',
+            type: DataTypes.STRING(120),
+            allowNull: true
+        },
+        createdDevice: {
+            field: 'created_device',
+            type: DataTypes.STRING(120),
+            allowNull: true
+        },
+        createdIp: {
+            field: 'created_ip',
+            type: DataTypes.STRING(45),
+            allowNull: true
         }
     }, {
         sequelize,
-        tableName: 'passkey_credentials',
+        tableName: applyTablePrefix(options.tablePrefix, 'passkey_credentials'),
         timestamps: true,
         underscored: true
     });
 }
-export function initPasskeyChallengeModel(sequelize) {
+export function initPasskeyChallengeModel(sequelize, options = {}) {
     const idType = integerIdType(sequelize);
     return PasskeyChallengeModel.init({
         challenge: {
@@ -89,10 +120,6 @@ export function initPasskeyChallengeModel(sequelize) {
             type: DataTypes.STRING(128),
             allowNull: true
         },
-        metadata: {
-            type: DataTypes.JSON,
-            allowNull: true
-        },
         expiresAt: {
             field: 'expires_at',
             type: DataTypes.DATE,
@@ -100,7 +127,7 @@ export function initPasskeyChallengeModel(sequelize) {
         }
     }, {
         sequelize,
-        tableName: 'passkey_challenges',
+        tableName: applyTablePrefix(options.tablePrefix, 'passkey_challenges'),
         timestamps: true,
         underscored: true,
         indexes: [{ fields: ['expires_at'] }, { fields: ['user_id'] }]

package/dist/esm/passkey/sequelize.d.ts

@@ -1,34 +1,19 @@
-import { Model, type InferAttributes, type InferCreationAttributes, type ModelStatic, type Sequelize } from 'sequelize';
+import { type ModelStatic, type Sequelize } from 'sequelize';
 import { PasskeyStore } from './base.js';
+import { PasskeyChallengeModel, PasskeyCredentialModel } from './models.js';
 import type { PasskeyChallengeRecord, PasskeyUserDescriptor, StoredPasskeyCredential } from './types.js';
 import type { AuthIdentifier } from '../auth-api/types.js';
-declare class PasskeyCredentialModel extends Model<InferAttributes<PasskeyCredentialModel>, InferCreationAttributes<PasskeyCredentialModel>> {
-    credentialId: Buffer;
-    userId: number;
-    publicKey: Buffer;
-    counter: number;
-    transports: string[] | null;
-    backedUp: boolean;
-    deviceType: string;
-    createdAt?: Date;
-    updatedAt?: Date;
-}
-declare class PasskeyChallengeModel extends Model<InferAttributes<PasskeyChallengeModel>, InferCreationAttributes<PasskeyChallengeModel>> {
-    challenge: string;
-    action: 'register' | 'authenticate';
-    userId: number | null;
-    login: string | null;
-    metadata: Record<string, unknown> | null;
-    expiresAt: Date;
-    createdAt?: Date;
-    updatedAt?: Date;
-}
 export interface SequelizePasskeyStoreOptions {
     sequelize: Sequelize;
+    tablePrefix?: string;
     credentialModel?: ModelStatic<PasskeyCredentialModel>;
     challengeModel?: ModelStatic<PasskeyChallengeModel>;
-    credentialModelFactory?: (sequelize: Sequelize) => ModelStatic<PasskeyCredentialModel>;
-    challengeModelFactory?: (sequelize: Sequelize) => ModelStatic<PasskeyChallengeModel>;
+    credentialModelFactory?: (sequelize: Sequelize, options?: {
+        tablePrefix?: string;
+    }) => ModelStatic<PasskeyCredentialModel>;
+    challengeModelFactory?: (sequelize: Sequelize, options?: {
+        tablePrefix?: string;
+    }) => ModelStatic<PasskeyChallengeModel>;
     resolveUser: (params: {
         userId?: AuthIdentifier;
         login?: string;
@@ -44,11 +29,14 @@ export declare class SequelizePasskeyStore extends PasskeyStore {
         login?: string;
     }): Promise<PasskeyUserDescriptor | null>;
     listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deleteCredential(credentialId: Buffer | string): Promise<boolean>;
     findCredentialById(credentialId: Buffer): Promise<StoredPasskeyCredential | null>;
     saveCredential(record: StoredPasskeyCredential): Promise<void>;
     updateCredentialCounter(credentialId: Buffer, counter: number): Promise<void>;
     saveChallenge(record: PasskeyChallengeRecord): Promise<void>;
+    getChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
     consumeChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
     cleanupChallenges(now: Date): Promise<void>;
+    private toChallengeRecord;
+    private toStoredCredential;
 }
-export {};

package/dist/esm/passkey/sequelize.js

@@ -1,124 +1,10 @@
-import { DataTypes, Model, Op } from 'sequelize';
+import { Op, Transaction } from 'sequelize';
+import { normalizeNumericUserId } from '../auth-api/user-id.js';
 import { PasskeyStore } from './base.js';
-const DIALECTS_SUPPORTING_UNSIGNED = new Set(['mysql', 'mariadb']);
-function integerIdType(sequelize) {
-    return DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? DataTypes.INTEGER.UNSIGNED : DataTypes.INTEGER;
-}
+import { initPasskeyChallengeModel, initPasskeyCredentialModel } from './models.js';
 function encodeCredentialId(value) {
     return Buffer.isBuffer(value) ? value.toString('base64') : value;
 }
-function normalizeUserId(identifier) {
-    if (typeof identifier === 'number' && Number.isFinite(identifier)) {
-        return identifier;
-    }
-    if (typeof identifier === 'string' && /^\d+$/.test(identifier)) {
-        return Number(identifier);
-    }
-    throw new Error(`Unable to normalise user identifier: ${identifier}`);
-}
-class PasskeyCredentialModel extends Model {
-}
-class PasskeyChallengeModel extends Model {
-}
-function initPasskeyCredentialModel(sequelize) {
-    const idType = integerIdType(sequelize);
-    return PasskeyCredentialModel.init({
-        credentialId: {
-            field: 'credential_id',
-            type: DataTypes.STRING(768),
-            primaryKey: true,
-            allowNull: false,
-            get() {
-                const raw = this.getDataValue('credentialId');
-                if (!raw) {
-                    return raw;
-                }
-                if (Buffer.isBuffer(raw)) {
-                    return raw;
-                }
-                return Buffer.from(raw, 'base64');
-            },
-            set(value) {
-                const encoded = typeof value === 'string' ? value : value.toString('base64');
-                this.setDataValue('credentialId', encoded);
-            }
-        },
-        userId: {
-            field: 'user_id',
-            type: idType,
-            allowNull: false
-        },
-        publicKey: {
-            field: 'public_key',
-            type: DataTypes.BLOB,
-            allowNull: false
-        },
-        counter: {
-            type: DataTypes.INTEGER,
-            allowNull: false,
-            defaultValue: 0
-        },
-        transports: {
-            type: DataTypes.JSON,
-            allowNull: true
-        },
-        backedUp: {
-            field: 'backed_up',
-            type: DataTypes.BOOLEAN,
-            allowNull: false,
-            defaultValue: false
-        },
-        deviceType: {
-            field: 'device_type',
-            type: DataTypes.STRING(32),
-            allowNull: false,
-            defaultValue: 'multiDevice'
-        }
-    }, {
-        sequelize,
-        tableName: 'passkey_credentials',
-        timestamps: true,
-        underscored: true
-    });
-}
-function initPasskeyChallengeModel(sequelize) {
-    const idType = integerIdType(sequelize);
-    return PasskeyChallengeModel.init({
-        challenge: {
-            type: DataTypes.STRING(255),
-            primaryKey: true,
-            allowNull: false
-        },
-        action: {
-            type: DataTypes.STRING(16),
-            allowNull: false
-        },
-        userId: {
-            field: 'user_id',
-            type: idType,
-            allowNull: true
-        },
-        login: {
-            type: DataTypes.STRING(128),
-            allowNull: true
-        },
-        metadata: {
-            type: DataTypes.JSON,
-            allowNull: true
-        },
-        expiresAt: {
-            field: 'expires_at',
-            type: DataTypes.DATE,
-            allowNull: false
-        }
-    }, {
-        sequelize,
-        tableName: 'passkey_challenges',
-        timestamps: true,
-        underscored: true,
-        indexes: [{ fields: ['expires_at'] }, { fields: ['user_id'] }]
-    });
-}
 export class SequelizePasskeyStore extends PasskeyStore {
     constructor(options) {
         super();
@@ -128,49 +14,47 @@ export class SequelizePasskeyStore extends PasskeyStore {
         this.resolveUserFn = options.resolveUser;
         this.credentials =
             options.credentialModel ??
-                (options.credentialModelFactory ?? initPasskeyCredentialModel)(options.sequelize);
+                (options.credentialModelFactory ?? initPasskeyCredentialModel)(options.sequelize, {
+                    tablePrefix: options.tablePrefix
+                });
         this.challenges =
-            options.challengeModel ?? (options.challengeModelFactory ?? initPasskeyChallengeModel)(options.sequelize);
+            options.challengeModel ??
+                (options.challengeModelFactory ?? initPasskeyChallengeModel)(options.sequelize, {
+                    tablePrefix: options.tablePrefix
+                });
     }
     async resolveUser(params) {
         return this.resolveUserFn(params);
     }
     async listUserCredentials(userId) {
-        const models = await this.credentials.findAll({ where: { userId: normalizeUserId(userId) } });
-        return models.map((model) => ({
-            userId: model.userId,
-            credentialId: model.credentialId,
-            publicKey: model.publicKey,
-            counter: model.counter,
-            transports: (model.transports ?? undefined),
-            backedUp: model.backedUp,
-            deviceType: model.deviceType
-        }));
+        const models = await this.credentials.findAll({ where: { userId: normalizeNumericUserId(userId) } });
+        return models.map((model) => this.toStoredCredential(model));
+    }
+    async deleteCredential(credentialId) {
+        const encoded = Buffer.isBuffer(credentialId) ? credentialId.toString('base64') : credentialId;
+        const deleted = await this.credentials.destroy({ where: { credentialId: encoded } });
+        return deleted > 0;
     }
     async findCredentialById(credentialId) {
         const model = await this.credentials.findByPk(encodeCredentialId(credentialId));
-        if (!model) {
-            return null;
-        }
-        return {
-            userId: model.userId,
-            credentialId: model.credentialId,
-            publicKey: model.publicKey,
-            counter: model.counter,
-            transports: (model.transports ?? undefined),
-            backedUp: model.backedUp,
-            deviceType: model.deviceType
-        };
+        return model ? this.toStoredCredential(model) : null;
     }
     async saveCredential(record) {
         await this.credentials.upsert({
             credentialId: record.credentialId,
-            userId: normalizeUserId(record.userId),
+            userId: normalizeNumericUserId(record.userId),
             publicKey: record.publicKey,
             counter: record.counter,
             transports: record.transports ?? null,
             backedUp: record.backedUp,
-            deviceType: record.deviceType
+            deviceType: record.deviceType,
+            label: record.label ?? null,
+            createdDomain: record.createdDomain ?? null,
+            createdUserAgent: record.createdUserAgent ?? null,
+            createdBrowser: record.createdBrowser ?? null,
+            createdOs: record.createdOs ?? null,
+            createdDevice: record.createdDevice ?? null,
+            createdIp: record.createdIp ?? null
         });
     }
     async updateCredentialCounter(credentialId, counter) {
@@ -180,28 +64,59 @@ export class SequelizePasskeyStore extends PasskeyStore {
         await this.challenges.upsert({
             challenge: record.challenge,
             action: record.action,
-            userId: record.userId !== undefined ? normalizeUserId(record.userId) : null,
+            userId: record.userId !== undefined ? normalizeNumericUserId(record.userId) : null,
             login: record.login ?? null,
-            metadata: (record.metadata ?? {}),
             expiresAt: record.expiresAt
         });
     }
-    async consumeChallenge(challenge) {
+    async getChallenge(challenge) {
         const model = await this.challenges.findByPk(challenge);
-        if (!model) {
-            return null;
+        return model ? this.toChallengeRecord(model) : null;
+    }
+    async consumeChallenge(challenge) {
+        const sequelize = this.challenges.sequelize;
+        if (!sequelize) {
+            throw new Error('Challenge model is not bound to a Sequelize instance');
         }
-        await model.destroy();
+        return sequelize.transaction({ isolationLevel: Transaction.ISOLATION_LEVELS.READ_COMMITTED }, async (transaction) => {
+            const model = await this.challenges.findByPk(challenge, { transaction, lock: true });
+            if (!model) {
+                return null;
+            }
+            await model.destroy({ transaction });
+            return this.toChallengeRecord(model);
+        });
+    }
+    async cleanupChallenges(now) {
+        await this.challenges.destroy({ where: { expiresAt: { [Op.lte]: now } } });
+    }
+    toChallengeRecord(model) {
         return {
             challenge: model.challenge,
             action: model.action,
-            userId: model.userId ?? undefined,
+            userId: model.userId !== null ? String(model.userId) : undefined,
             login: model.login ?? undefined,
-            expiresAt: model.expiresAt,
-            metadata: model.metadata ?? {}
+            expiresAt: model.expiresAt
         };
     }
-    async cleanupChallenges(now) {
-        await this.challenges.destroy({ where: { expiresAt: { [Op.lte]: now } } });
+    toStoredCredential(model) {
+        return {
+            userId: String(model.userId),
+            credentialId: model.credentialId,
+            publicKey: model.publicKey,
+            counter: model.counter,
+            transports: (model.transports ?? undefined),
+            backedUp: model.backedUp,
+            deviceType: model.deviceType,
+            label: model.label ?? undefined,
+            createdDomain: model.createdDomain ?? undefined,
+            createdUserAgent: model.createdUserAgent ?? undefined,
+            createdBrowser: model.createdBrowser ?? undefined,
+            createdOs: model.createdOs ?? undefined,
+            createdDevice: model.createdDevice ?? undefined,
+            createdIp: model.createdIp ?? undefined,
+            createdAt: model.createdAt ?? undefined,
+            updatedAt: model.updatedAt ?? undefined
+        };
     }
 }

package/dist/esm/passkey/service.d.ts

@@ -1,11 +1,14 @@
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyStorageAdapter, PasskeyVerificationParams, PasskeyVerificationResult, PasskeyServiceConfig } from './types.js';
-export type { CredentialDeviceType, PasskeyChallenge, PasskeyChallengeParams, PasskeyChallengeRecord, PasskeyChallengeMetadata, PasskeyUserDescriptor, PasskeyVerificationParams, PasskeyVerificationResult, PasskeyServiceConfig, PasskeyStorageAdapter } from './types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyStorageAdapter, PasskeyVerificationParams, PasskeyVerificationResult, PasskeyServiceConfig, StoredPasskeyCredential } from './types.js';
+import type { AuthIdentifier } from '../auth-api/types.js';
+export type { CredentialDeviceType, PasskeyChallenge, PasskeyChallengeParams, PasskeyChallengeRecord, PasskeyUserDescriptor, PasskeyVerificationParams, PasskeyVerificationResult, PasskeyServiceConfig, PasskeyStorageAdapter, StoredPasskeyCredential } from './types.js';
 type Logger = Pick<typeof console, 'error' | 'warn'>;
 export declare class PasskeyService {
     private readonly config;
     private readonly adapter;
     private readonly logger;
     constructor(config: PasskeyServiceConfig, adapter: PasskeyStorageAdapter, logger?: Logger);
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deleteCredential(credentialId: Buffer | string): Promise<boolean>;
     createChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
     private createRegistrationChallenge;
@@ -14,4 +17,5 @@ export declare class PasskeyService {
     private verifyAuthentication;
     private requireUser;
     private createExpiry;
+    private requireUserVerification;
 }