@technomoron/api-server-base 2.0.0-beta.2 → 2.0.0-beta.20

package/dist/cjs/auth-api/compat-auth-storage.d.ts

@@ -1,9 +1,9 @@
 import { PasskeyService } from '../passkey/service.js';
-import type { AuthIdentifier, AuthStorage } from './types.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
 import type { OAuthStore } from '../oauth/base.js';
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
 import type { PasskeyStore } from '../passkey/base.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, StoredPasskeyCredential, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
 import type { TokenStore } from '../token/base.js';
 import type { Token } from '../token/types.js';
 import type { UserStore } from '../user/base.js';
@@ -11,7 +11,7 @@ interface PasskeyAdapterOptions {
     store: PasskeyStore;
     config: PasskeyServiceConfig;
 }
-export interface AuthStorageAdapterOptions<UserRow, PublicUser> {
+export interface AuthAdapterOptions<UserRow, PublicUser> {
     userStore: UserStore<UserRow, PublicUser>;
     tokenStore: TokenStore;
     passkeys?: PasskeyAdapterOptions | PasskeyService;
@@ -21,13 +21,13 @@ export interface AuthStorageAdapterOptions<UserRow, PublicUser> {
         effectiveUserId: AuthIdentifier;
     }) => boolean | Promise<boolean>;
 }
-export declare class AuthStorageAdapter<UserRow, PublicUser> implements AuthStorage<UserRow, PublicUser> {
+export declare class CompositeAuthAdapter<UserRow, PublicUser> implements AuthAdapter<UserRow, PublicUser> {
     private readonly userStore;
     private readonly tokenStore;
     private readonly oauthStore?;
     private readonly passkeyService?;
     private readonly canImpersonateFn?;
-    constructor(options: AuthStorageAdapterOptions<UserRow, PublicUser>);
+    constructor(options: AuthAdapterOptions<UserRow, PublicUser>);
     getUser(identifier: AuthIdentifier): Promise<UserRow | null>;
     getUserPasswordHash(user: UserRow): string;
     getUserId(user: UserRow): AuthIdentifier;
@@ -43,6 +43,8 @@ export declare class AuthStorageAdapter<UserRow, PublicUser> implements AuthStor
     }): Promise<boolean>;
     createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
     getClient(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;

package/dist/cjs/auth-api/compat-auth-storage.js

@@ -1,9 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuthStorageAdapter = void 0;
+exports.CompositeAuthAdapter = void 0;
 const node_crypto_1 = require("node:crypto");
 const service_js_1 = require("../passkey/service.js");
-class AuthStorageAdapter {
+class CompositeAuthAdapter {
     constructor(options) {
         this.userStore = options.userStore;
         this.tokenStore = options.tokenStore;
@@ -55,6 +55,18 @@ class AuthStorageAdapter {
         }
         return this.passkeyService.verifyResponse(params);
     }
+    async listUserCredentials(userId) {
+        if (!this.passkeyService) {
+            throw new Error('Passkey storage is not configured');
+        }
+        return this.passkeyService.listUserCredentials(userId);
+    }
+    async deletePasskeyCredential(credentialId) {
+        if (!this.passkeyService) {
+            throw new Error('Passkey storage is not configured');
+        }
+        return this.passkeyService.deleteCredential(credentialId);
+    }
     async getClient(clientId) {
         if (!this.oauthStore) {
             return null;
@@ -113,4 +125,4 @@ class AuthStorageAdapter {
         return params.realUserId === params.effectiveUserId;
     }
 }
-exports.AuthStorageAdapter = AuthStorageAdapter;
+exports.CompositeAuthAdapter = CompositeAuthAdapter;

package/dist/cjs/auth-api/mem-auth-store.d.ts

@@ -2,11 +2,11 @@ import { MemoryOAuthStore } from '../oauth/memory.js';
 import { MemoryPasskeyStore } from '../passkey/memory.js';
 import { TokenStore } from '../token/base.js';
 import { MemoryUserStore } from '../user/memory.js';
-import type { AuthIdentifier, AuthStorage } from './types.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
 import type { MemoryOAuthStoreOptions } from '../oauth/memory.js';
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
 import type { MemoryPasskeyStoreOptions } from '../passkey/memory.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyUserDescriptor, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyUserDescriptor, StoredPasskeyCredential, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
 import type { Token } from '../token/types.js';
 import type { MemoryUserAttributes, MemoryPublicUser, MemoryUserStoreOptions } from '../user/memory.js';
 interface PasskeyOptions extends Partial<PasskeyServiceConfig> {
@@ -24,7 +24,7 @@ export interface MemAuthStoreParams<UserAttributes extends MemoryUserAttributes
     }) => boolean | Promise<boolean>;
     tokenStore?: TokenStore;
 }
-export declare class MemAuthStore<UserAttributes extends MemoryUserAttributes = MemoryUserAttributes, PublicUserShape extends MemoryPublicUser<UserAttributes> = MemoryPublicUser<UserAttributes>> implements AuthStorage<UserAttributes, PublicUserShape> {
+export declare class MemAuthStore<UserAttributes extends MemoryUserAttributes = MemoryUserAttributes, PublicUserShape extends MemoryPublicUser<UserAttributes> = MemoryPublicUser<UserAttributes>> implements AuthAdapter<UserAttributes, PublicUserShape> {
     readonly userStore: MemoryUserStore<UserAttributes, PublicUserShape>;
     readonly tokenStore: TokenStore;
     readonly passkeyStore?: MemoryPasskeyStore;
@@ -54,6 +54,8 @@ export declare class MemAuthStore<UserAttributes extends MemoryUserAttributes =
     }): Promise<boolean>;
     createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
     getClient(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;

package/dist/cjs/auth-api/mem-auth-store.js

@@ -2,32 +2,12 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.MemAuthStore = void 0;
 const memory_js_1 = require("../oauth/memory.js");
+const config_js_1 = require("../passkey/config.js");
 const memory_js_2 = require("../passkey/memory.js");
 const memory_js_3 = require("../token/memory.js");
 const memory_js_4 = require("../user/memory.js");
 const compat_auth_storage_js_1 = require("./compat-auth-storage.js");
-const DEFAULT_PASSKEY_CONFIG = {
-    rpId: 'localhost',
-    rpName: 'API Server',
-    origins: ['http://localhost:5173'],
-    timeoutMs: 5 * 60 * 1000,
-    userVerification: 'preferred'
-};
-function isOriginString(origin) {
-    return typeof origin === 'string' && origin.trim().length > 0;
-}
-function normalizePasskeyConfig(config = {}) {
-    const candidateOrigins = Array.isArray(config.origins) && config.origins.length > 0 ? config.origins.filter(isOriginString) : null;
-    return {
-        rpId: config.rpId?.trim() || DEFAULT_PASSKEY_CONFIG.rpId,
-        rpName: config.rpName?.trim() || DEFAULT_PASSKEY_CONFIG.rpName,
-        origins: candidateOrigins ? candidateOrigins.map((origin) => origin.trim()) : DEFAULT_PASSKEY_CONFIG.origins,
-        timeoutMs: typeof config.timeoutMs === 'number' && config.timeoutMs > 0
-            ? config.timeoutMs
-            : DEFAULT_PASSKEY_CONFIG.timeoutMs,
-        userVerification: config.userVerification ?? DEFAULT_PASSKEY_CONFIG.userVerification
-    };
-}
+const user_id_js_1 = require("./user-id.js");
 class MemAuthStore {
     constructor(params = {}) {
         this.userStore = new memory_js_4.MemoryUserStore({
@@ -42,7 +22,7 @@ class MemAuthStore {
         let passkeyStore;
         let passkeyConfig;
         if (params.passkeys !== false) {
-            passkeyConfig = normalizePasskeyConfig(params.passkeys ?? {});
+            passkeyConfig = (0, config_js_1.normalizePasskeyConfig)(params.passkeys ?? {});
             const resolveUser = async (lookup) => {
                 const found = await this.userStore.findUser(lookup.userId ?? lookup.login ?? '');
                 if (!found) {
@@ -59,7 +39,7 @@ class MemAuthStore {
             passkeyStore = new memory_js_2.MemoryPasskeyStore({ resolveUser });
             this.passkeyStore = passkeyStore;
         }
-        this.adapter = new compat_auth_storage_js_1.AuthStorageAdapter({
+        this.adapter = new compat_auth_storage_js_1.CompositeAuthAdapter({
             userStore: this.userStore,
             tokenStore: this.tokenStore,
             passkeys: passkeyStore && passkeyConfig ? { store: passkeyStore, config: passkeyConfig } : undefined,
@@ -94,16 +74,16 @@ class MemAuthStore {
     async getToken(query, opts) {
         const normalized = {
             ...query,
-            userId: query.userId !== undefined && query.userId !== null ? String(query.userId) : undefined,
-            ruid: query.ruid !== undefined && query.ruid !== null ? String(query.ruid) : undefined
+            userId: (0, user_id_js_1.toOptionalStringId)(query.userId),
+            ruid: (0, user_id_js_1.toOptionalStringId)(query.ruid)
         };
         return this.adapter.getToken(normalized, opts);
     }
     async deleteToken(query) {
         const normalized = {
             ...query,
-            userId: query.userId !== undefined && query.userId !== null ? String(query.userId) : undefined,
-            ruid: query.ruid !== undefined && query.ruid !== null ? String(query.ruid) : undefined
+            userId: (0, user_id_js_1.toOptionalStringId)(query.userId),
+            ruid: (0, user_id_js_1.toOptionalStringId)(query.ruid)
         };
         return this.adapter.deleteToken(normalized);
     }
@@ -116,6 +96,12 @@ class MemAuthStore {
     async verifyPasskeyResponse(params) {
         return this.adapter.verifyPasskeyResponse(params);
     }
+    async listUserCredentials(userId) {
+        return this.adapter.listUserCredentials(userId);
+    }
+    async deletePasskeyCredential(credentialId) {
+        return this.adapter.deletePasskeyCredential(credentialId);
+    }
     async getClient(clientId) {
         return this.adapter.getClient(clientId);
     }

package/dist/cjs/auth-api/module.d.ts

@@ -8,7 +8,7 @@ export interface AuthProviderModule<UserRow = unknown> {
         expires?: Date;
     }): Promise<TokenPair>;
 }
-export declare abstract class BaseAuthModule<UserRow = unknown> extends ApiModule<any> implements AuthProviderModule<UserRow> {
+export declare abstract class BaseAuthModule<UserRow = unknown> extends ApiModule implements AuthProviderModule<UserRow> {
     readonly moduleType: "auth";
     protected constructor(opts: {
         namespace: string;

package/dist/cjs/auth-api/sql-auth-store.d.ts

@@ -3,21 +3,31 @@ import { SequelizeOAuthStore, type SequelizeOAuthStoreOptions } from '../oauth/s
 import { SequelizePasskeyStore } from '../passkey/sequelize.js';
 import { type SequelizeTokenStoreOptions } from '../token/sequelize.js';
 import { SequelizeUserStore, type AuthUserAttributes, GenericUserModel, GenericUserModelStatic } from '../user/sequelize.js';
-import type { AuthIdentifier, AuthStorage } from './types.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyUserDescriptor, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyUserDescriptor, StoredPasskeyCredential, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
 import type { TokenStore } from '../token/base.js';
 import type { Token } from '../token/types.js';
 interface PasskeyOptions extends Partial<PasskeyServiceConfig> {
     enabled?: boolean;
 }
+export interface SqlAuthStoreTablePrefixes {
+    user?: string;
+    token?: string;
+    passkey?: string;
+    oauth?: string;
+}
 export interface SqlAuthStoreParams<UserAttributes extends AuthUserAttributes = AuthUserAttributes, PublicUserShape extends Omit<UserAttributes, 'password'> = Omit<UserAttributes, 'password'>> {
     sequelize: Sequelize;
     syncOptions?: SyncOptions;
     bcryptRounds?: number;
     passwordPepper?: string;
+    tablePrefix?: string;
+    tablePrefixes?: SqlAuthStoreTablePrefixes;
     userModel?: GenericUserModelStatic;
-    userModelFactory?: (sequelize: Sequelize) => GenericUserModelStatic;
+    userModelFactory?: (sequelize: Sequelize, options?: {
+        tablePrefix?: string;
+    }) => GenericUserModelStatic;
     userRecordMapper?: (model: GenericUserModel) => UserAttributes;
     publicUserMapper?: (user: UserAttributes) => PublicUserShape;
     passkeyUserMapper?: (user: UserAttributes) => PasskeyUserDescriptor;
@@ -30,7 +40,7 @@ export interface SqlAuthStoreParams<UserAttributes extends AuthUserAttributes =
     tokenStoreOptions?: Omit<SequelizeTokenStoreOptions, 'sequelize'>;
     oauthStoreOptions?: Omit<SequelizeOAuthStoreOptions, 'sequelize'>;
 }
-export declare class SqlAuthStore<UserAttributes extends AuthUserAttributes = AuthUserAttributes, PublicUserShape extends Omit<UserAttributes, 'password'> = Omit<UserAttributes, 'password'>> implements AuthStorage<UserAttributes, PublicUserShape> {
+export declare class SqlAuthStore<UserAttributes extends AuthUserAttributes = AuthUserAttributes, PublicUserShape extends Omit<UserAttributes, 'password'> = Omit<UserAttributes, 'password'>> implements AuthAdapter<UserAttributes, PublicUserShape> {
     readonly userStore: SequelizeUserStore<UserAttributes, PublicUserShape>;
     readonly tokenStore: TokenStore;
     readonly passkeyStore?: SequelizePasskeyStore;
@@ -63,6 +73,8 @@ export declare class SqlAuthStore<UserAttributes extends AuthUserAttributes = Au
     }): Promise<boolean>;
     createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
     getClient(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;

package/dist/cjs/auth-api/sql-auth-store.js

@@ -2,31 +2,21 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.SqlAuthStore = void 0;
 const sequelize_js_1 = require("../oauth/sequelize.js");
+const config_js_1 = require("../passkey/config.js");
 const sequelize_js_2 = require("../passkey/sequelize.js");
+const sequelize_utils_js_1 = require("../sequelize-utils.js");
 const sequelize_js_3 = require("../token/sequelize.js");
 const sequelize_js_4 = require("../user/sequelize.js");
 const compat_auth_storage_js_1 = require("./compat-auth-storage.js");
-const DEFAULT_PASSKEY_CONFIG = {
-    rpId: 'localhost',
-    rpName: 'API Server',
-    origins: ['http://localhost:5173'],
-    timeoutMs: 5 * 60 * 1000,
-    userVerification: 'preferred'
-};
-function isOriginString(origin) {
-    return typeof origin === 'string' && origin.trim().length > 0;
-}
-function normalizePasskeyConfig(config = {}) {
-    const candidateOrigins = Array.isArray(config.origins) && config.origins.length > 0 ? config.origins.filter(isOriginString) : null;
-    return {
-        rpId: config.rpId?.trim() || DEFAULT_PASSKEY_CONFIG.rpId,
-        rpName: config.rpName?.trim() || DEFAULT_PASSKEY_CONFIG.rpName,
-        origins: candidateOrigins ? candidateOrigins.map((origin) => origin.trim()) : DEFAULT_PASSKEY_CONFIG.origins,
-        timeoutMs: typeof config.timeoutMs === 'number' && config.timeoutMs > 0
-            ? config.timeoutMs
-            : DEFAULT_PASSKEY_CONFIG.timeoutMs,
-        userVerification: config.userVerification ?? DEFAULT_PASSKEY_CONFIG.userVerification
-    };
+const user_id_js_1 = require("./user-id.js");
+function resolveTablePrefix(...prefixes) {
+    for (const prefix of prefixes) {
+        const normalized = (0, sequelize_utils_js_1.normalizeTablePrefix)(prefix);
+        if (normalized) {
+            return normalized;
+        }
+    }
+    return undefined;
 }
 class SqlAuthStore {
     constructor(params) {
@@ -36,6 +26,8 @@ class SqlAuthStore {
         }
         this.sequelize = params.sequelize;
         this.syncOptions = params.syncOptions;
+        const moduleTablePrefixes = params.tablePrefixes ?? {};
+        const userTablePrefix = resolveTablePrefix(moduleTablePrefixes.user, params.tablePrefix);
         this.userStore = new sequelize_js_4.SequelizeUserStore({
             sequelize: this.sequelize,
             userModel: params.userModel,
@@ -43,19 +35,29 @@ class SqlAuthStore {
             recordMapper: params.userRecordMapper,
             toPublic: params.publicUserMapper,
             bcryptRounds: params.bcryptRounds,
-            bcryptPepper: params.passwordPepper
+            bcryptPepper: params.passwordPepper,
+            tablePrefix: userTablePrefix
         });
+        const tokenTablePrefix = resolveTablePrefix(params.tokenStoreOptions?.tablePrefix, moduleTablePrefixes.token, params.tablePrefix);
         this.tokenStore =
-            params.tokenStore ?? new sequelize_js_3.SequelizeTokenStore({ sequelize: this.sequelize, ...params.tokenStoreOptions });
+            params.tokenStore ??
+                new sequelize_js_3.SequelizeTokenStore({
+                    sequelize: this.sequelize,
+                    ...params.tokenStoreOptions,
+                    tablePrefix: tokenTablePrefix
+                });
+        const oauthTablePrefix = resolveTablePrefix(params.oauthStoreOptions?.tablePrefix, moduleTablePrefixes.oauth, params.tablePrefix);
         this.oauthStore = new sequelize_js_1.SequelizeOAuthStore({
             sequelize: this.sequelize,
             ...params.oauthStoreOptions,
+            tablePrefix: oauthTablePrefix,
             bcryptRounds: params.bcryptRounds
         });
         let passkeyStore;
         let passkeyConfig;
         if (params.passkeys !== false) {
-            passkeyConfig = normalizePasskeyConfig(params.passkeys ?? {});
+            const passkeyTablePrefix = resolveTablePrefix(moduleTablePrefixes.passkey, params.tablePrefix);
+            passkeyConfig = (0, config_js_1.normalizePasskeyConfig)(params.passkeys ?? {});
             const resolveUser = async (lookup) => {
                 const found = await this.userStore.findUser(lookup.userId ?? lookup.login ?? '');
                 if (!found) {
@@ -69,10 +71,14 @@ class SqlAuthStore {
                     }));
                 return mapper(found);
             };
-            passkeyStore = new sequelize_js_2.SequelizePasskeyStore({ sequelize: this.sequelize, resolveUser });
+            passkeyStore = new sequelize_js_2.SequelizePasskeyStore({
+                sequelize: this.sequelize,
+                resolveUser,
+                tablePrefix: passkeyTablePrefix
+            });
             this.passkeyStore = passkeyStore;
         }
-        this.adapter = new compat_auth_storage_js_1.AuthStorageAdapter({
+        this.adapter = new compat_auth_storage_js_1.CompositeAuthAdapter({
             userStore: this.userStore,
             tokenStore: this.tokenStore,
             passkeys: passkeyStore && passkeyConfig ? { store: passkeyStore, config: passkeyConfig } : undefined,
@@ -101,6 +107,7 @@ class SqlAuthStore {
             }
         }
         finally {
+            // Prevent double-close errors when the same Sequelize instance is shared with other code.
             this.sequelize.close = async () => { };
         }
     }
@@ -125,16 +132,16 @@ class SqlAuthStore {
     async getToken(query, opts) {
         const normalized = {
             ...query,
-            userId: query.userId !== undefined && query.userId !== null ? String(query.userId) : undefined,
-            ruid: query.ruid !== undefined && query.ruid !== null ? String(query.ruid) : undefined
+            userId: (0, user_id_js_1.toOptionalStringId)(query.userId),
+            ruid: (0, user_id_js_1.toOptionalStringId)(query.ruid)
         };
         return this.adapter.getToken(normalized, opts);
     }
     async deleteToken(query) {
         const normalized = {
             ...query,
-            userId: query.userId !== undefined && query.userId !== null ? String(query.userId) : undefined,
-            ruid: query.ruid !== undefined && query.ruid !== null ? String(query.ruid) : undefined
+            userId: (0, user_id_js_1.toOptionalStringId)(query.userId),
+            ruid: (0, user_id_js_1.toOptionalStringId)(query.ruid)
         };
         return this.adapter.deleteToken(normalized);
     }
@@ -147,6 +154,12 @@ class SqlAuthStore {
     async verifyPasskeyResponse(params) {
         return this.adapter.verifyPasskeyResponse(params);
     }
+    async listUserCredentials(userId) {
+        return this.adapter.listUserCredentials(userId);
+    }
+    async deletePasskeyCredential(credentialId) {
+        return this.adapter.deletePasskeyCredential(credentialId);
+    }
     async getClient(clientId) {
         return this.adapter.getClient(clientId);
     }

package/dist/cjs/auth-api/storage.d.ts

@@ -1,8 +1,8 @@
-import type { AuthIdentifier, AuthStorage } from './types.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult, StoredPasskeyCredential } from '../passkey/types.js';
 import type { Token } from '../token/types.js';
-export declare class BaseAuthStorage<UserRow = unknown, SafeUser = unknown> implements AuthStorage<UserRow, SafeUser> {
+export declare class BaseAuthAdapter<UserRow = unknown, SafeUser = unknown> implements AuthAdapter<UserRow, SafeUser> {
     getUser(identifier: AuthIdentifier): Promise<UserRow | null>;
     getUserPasswordHash(user: UserRow): string;
     getUserId(user: UserRow): AuthIdentifier;
@@ -24,6 +24,8 @@ export declare class BaseAuthStorage<UserRow = unknown, SafeUser = unknown> impl
     }): Promise<boolean>;
     createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
     getClient(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;
@@ -33,4 +35,4 @@ export declare class BaseAuthStorage<UserRow = unknown, SafeUser = unknown> impl
         effectiveUserId: AuthIdentifier;
     }): Promise<boolean>;
 }
-export declare const nullAuthStorage: AuthStorage<unknown, unknown>;
+export declare const nullAuthAdapter: AuthAdapter<unknown, unknown>;

package/dist/cjs/auth-api/storage.js

@@ -1,9 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.nullAuthStorage = exports.BaseAuthStorage = void 0;
-// Handy base you can extend when wiring a real storage adapter. Every method
+exports.nullAuthAdapter = exports.BaseAuthAdapter = void 0;
+// Handy base you can extend when wiring a real auth adapter. Every method
 // throws by default so unimplemented hooks fail loudly.
-class BaseAuthStorage {
+class BaseAuthAdapter {
     // Override to load a user record by identifier
     async getUser(identifier) {
         void identifier;
@@ -60,6 +60,16 @@ class BaseAuthStorage {
         void params;
         throw new Error('Auth storage not configured');
     }
+    // Override to list passkey credentials for a user
+    async listUserCredentials(userId) {
+        void userId;
+        throw new Error('Auth storage not configured');
+    }
+    // Override to delete a passkey credential
+    async deletePasskeyCredential(credentialId) {
+        void credentialId;
+        throw new Error('Auth storage not configured');
+    }
     // Override to fetch an OAuth client by identifier
     async getClient(clientId) {
         void clientId;
@@ -88,5 +98,5 @@ class BaseAuthStorage {
         return false;
     }
 }
-exports.BaseAuthStorage = BaseAuthStorage;
-exports.nullAuthStorage = new BaseAuthStorage();
+exports.BaseAuthAdapter = BaseAuthAdapter;
+exports.nullAuthAdapter = new BaseAuthAdapter();

package/dist/cjs/auth-api/types.d.ts

@@ -1,8 +1,9 @@
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult, StoredPasskeyCredential } from '../passkey/types.js';
 import type { Token } from '../token/types.js';
 export type AuthIdentifier = string | number;
-export interface AuthStorage<UserRow, SafeUser> {
+/** @internal */
+export interface AuthAdapter<UserRow, SafeUser> {
     getUser(identifier: AuthIdentifier): Promise<UserRow | null>;
     getUserPasswordHash(user: UserRow): string;
     getUserId(user: UserRow): AuthIdentifier;
@@ -18,6 +19,8 @@ export interface AuthStorage<UserRow, SafeUser> {
     }): Promise<boolean>;
     createPasskeyChallenge?(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse?(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials?(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential?(credentialId: Buffer | string): Promise<boolean>;
     getClient?(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret?(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode?(request: AuthCodeRequest): Promise<AuthCodeData>;
@@ -27,3 +30,5 @@ export interface AuthStorage<UserRow, SafeUser> {
         effectiveUserId: AuthIdentifier;
     }): Promise<boolean>;
 }
+/** @internal */
+export type AuthStorage<UserRow, SafeUser> = AuthAdapter<UserRow, SafeUser>;

package/dist/cjs/auth-api/user-id.d.ts

@@ -0,0 +1,5 @@
+import type { AuthIdentifier } from './types.js';
+export declare function normalizeComparableUserId(identifier: AuthIdentifier): string;
+export declare function normalizeNumericUserId(identifier: AuthIdentifier): number;
+export declare function normalizeStringUserId(identifier: AuthIdentifier): string;
+export declare function toOptionalStringId(value: AuthIdentifier | undefined | null): string | undefined;

package/dist/cjs/auth-api/user-id.js

@@ -0,0 +1,38 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.normalizeComparableUserId = normalizeComparableUserId;
+exports.normalizeNumericUserId = normalizeNumericUserId;
+exports.normalizeStringUserId = normalizeStringUserId;
+exports.toOptionalStringId = toOptionalStringId;
+function normalizeComparableUserId(identifier) {
+    if (typeof identifier === 'number' && Number.isFinite(identifier)) {
+        return String(identifier);
+    }
+    if (typeof identifier === 'string') {
+        const trimmed = identifier.trim();
+        if (trimmed.length === 0) {
+            throw new Error(`Unable to normalise user identifier: ${identifier}`);
+        }
+        if (/^\d+$/.test(trimmed)) {
+            return String(Number(trimmed));
+        }
+        return trimmed;
+    }
+    throw new Error(`Unable to normalise user identifier: ${identifier}`);
+}
+function normalizeNumericUserId(identifier) {
+    const normalized = normalizeComparableUserId(identifier);
+    if (/^\d+$/.test(normalized)) {
+        return Number(normalized);
+    }
+    throw new Error(`Unable to normalise user identifier: ${identifier}`);
+}
+function normalizeStringUserId(identifier) {
+    return normalizeComparableUserId(identifier);
+}
+function toOptionalStringId(value) {
+    if (value === undefined || value === null) {
+        return undefined;
+    }
+    return String(value);
+}

package/dist/cjs/auth-cookie-options.d.ts

@@ -0,0 +1,11 @@
+import type { Request } from 'express';
+import type { CookieOptions } from 'express-serve-static-core';
+export interface AuthCookieConfig {
+    cookieSecure?: boolean | 'auto';
+    cookieSameSite?: 'lax' | 'strict' | 'none';
+    cookieHttpOnly?: boolean;
+    cookieDomain?: string;
+    cookiePath?: string;
+    devMode?: boolean;
+}
+export declare function buildAuthCookieOptions(config: AuthCookieConfig, req: Pick<Request, 'headers' | 'protocol'>): CookieOptions;

package/dist/cjs/auth-cookie-options.js

@@ -0,0 +1,66 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildAuthCookieOptions = buildAuthCookieOptions;
+function firstHeaderValue(value) {
+    if (typeof value === 'string') {
+        return value;
+    }
+    if (Array.isArray(value)) {
+        return value[0] ?? '';
+    }
+    return '';
+}
+function resolveOriginHostname(origin) {
+    try {
+        const url = new URL(origin);
+        const hostname = url.hostname.trim().toLowerCase();
+        return hostname.length > 0 ? hostname : null;
+    }
+    catch {
+        return null;
+    }
+}
+function isLocalhostOrigin(origin) {
+    const hostname = resolveOriginHostname(origin);
+    if (!hostname) {
+        return false;
+    }
+    return hostname === 'localhost' || hostname.endsWith('.localhost');
+}
+function buildAuthCookieOptions(config, req) {
+    const forwardedProto = firstHeaderValue(req.headers['x-forwarded-proto']).split(',')[0].trim().toLowerCase();
+    const isHttps = forwardedProto === 'https' || req.protocol === 'https';
+    const origin = firstHeaderValue(req.headers.origin ?? req.headers.referer);
+    let secure;
+    if (config.cookieSecure === true) {
+        secure = true;
+    }
+    else if (config.cookieSecure === false) {
+        secure = false;
+    }
+    else {
+        secure = isHttps;
+    }
+    let sameSite = config.cookieSameSite ?? 'lax';
+    if (sameSite !== 'lax' && sameSite !== 'strict' && sameSite !== 'none') {
+        sameSite = 'lax';
+    }
+    let resolvedSecure = secure;
+    if (sameSite === 'none' && resolvedSecure !== true) {
+        // Modern browsers reject SameSite=None cookies unless Secure is set.
+        resolvedSecure = true;
+    }
+    const options = {
+        httpOnly: config.cookieHttpOnly ?? true,
+        secure: resolvedSecure,
+        sameSite,
+        domain: config.cookieDomain || undefined,
+        path: config.cookiePath || '/',
+        maxAge: undefined
+    };
+    if (config.devMode && isLocalhostOrigin(origin)) {
+        // Domain cookies do not work on localhost; avoid breaking local development when cookieDomain is set.
+        options.domain = undefined;
+    }
+    return options;
+}