@technomoron/api-server-base 2.0.0-beta.2 → 2.0.0-beta.20

package/dist/cjs/index.cjs

@@ -3,7 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.SequelizeOAuthStore = exports.MemoryOAuthStore = exports.OAuthStore = exports.SequelizePasskeyStore = exports.MemoryPasskeyStore = exports.PasskeyStore = exports.PasskeyService = exports.SequelizeTokenStore = exports.MemoryTokenStore = exports.TokenStore = exports.SequelizeUserStore = exports.MemoryUserStore = exports.UserStore = exports.AuthModule = exports.SqlAuthStore = exports.MemAuthStore = exports.AuthStorageAdapter = exports.BaseAuthModule = exports.nullAuthModule = exports.BaseAuthStorage = exports.nullAuthStorage = exports.ApiModule = exports.ApiError = exports.ApiServer = void 0;
+exports.MemoryOAuthStore = exports.OAuthStore = exports.MemoryPasskeyStore = exports.PasskeyStore = exports.PasskeyService = exports.MemoryTokenStore = exports.TokenStore = exports.MemoryUserStore = exports.UserStore = exports.AuthModule = exports.MemAuthStore = exports.CompositeAuthAdapter = exports.BaseAuthModule = exports.nullAuthModule = exports.BaseAuthAdapter = exports.nullAuthAdapter = exports.ApiModule = exports.ApiError = exports.ApiServer = void 0;
 var api_server_base_js_1 = require("./api-server-base.cjs");
 Object.defineProperty(exports, "ApiServer", { enumerable: true, get: function () { return __importDefault(api_server_base_js_1).default; } });
 var api_server_base_js_2 = require("./api-server-base.cjs");
@@ -11,42 +11,32 @@ Object.defineProperty(exports, "ApiError", { enumerable: true, get: function ()
 var api_module_js_1 = require("./api-module.cjs");
 Object.defineProperty(exports, "ApiModule", { enumerable: true, get: function () { return api_module_js_1.ApiModule; } });
 var storage_js_1 = require("./auth-api/storage.js");
-Object.defineProperty(exports, "nullAuthStorage", { enumerable: true, get: function () { return storage_js_1.nullAuthStorage; } });
-Object.defineProperty(exports, "BaseAuthStorage", { enumerable: true, get: function () { return storage_js_1.BaseAuthStorage; } });
+Object.defineProperty(exports, "nullAuthAdapter", { enumerable: true, get: function () { return storage_js_1.nullAuthAdapter; } });
+Object.defineProperty(exports, "BaseAuthAdapter", { enumerable: true, get: function () { return storage_js_1.BaseAuthAdapter; } });
 var module_js_1 = require("./auth-api/module.js");
 Object.defineProperty(exports, "nullAuthModule", { enumerable: true, get: function () { return module_js_1.nullAuthModule; } });
 Object.defineProperty(exports, "BaseAuthModule", { enumerable: true, get: function () { return module_js_1.BaseAuthModule; } });
 var compat_auth_storage_js_1 = require("./auth-api/compat-auth-storage.js");
-Object.defineProperty(exports, "AuthStorageAdapter", { enumerable: true, get: function () { return compat_auth_storage_js_1.AuthStorageAdapter; } });
+Object.defineProperty(exports, "CompositeAuthAdapter", { enumerable: true, get: function () { return compat_auth_storage_js_1.CompositeAuthAdapter; } });
 var mem_auth_store_js_1 = require("./auth-api/mem-auth-store.js");
 Object.defineProperty(exports, "MemAuthStore", { enumerable: true, get: function () { return mem_auth_store_js_1.MemAuthStore; } });
-var sql_auth_store_js_1 = require("./auth-api/sql-auth-store.js");
-Object.defineProperty(exports, "SqlAuthStore", { enumerable: true, get: function () { return sql_auth_store_js_1.SqlAuthStore; } });
 var auth_module_js_1 = require("./auth-api/auth-module.js");
 Object.defineProperty(exports, "AuthModule", { enumerable: true, get: function () { return __importDefault(auth_module_js_1).default; } });
 var base_js_1 = require("./user/base.js");
 Object.defineProperty(exports, "UserStore", { enumerable: true, get: function () { return base_js_1.UserStore; } });
 var memory_js_1 = require("./user/memory.js");
 Object.defineProperty(exports, "MemoryUserStore", { enumerable: true, get: function () { return memory_js_1.MemoryUserStore; } });
-var sequelize_js_1 = require("./user/sequelize.js");
-Object.defineProperty(exports, "SequelizeUserStore", { enumerable: true, get: function () { return sequelize_js_1.SequelizeUserStore; } });
 var base_js_2 = require("./token/base.js");
 Object.defineProperty(exports, "TokenStore", { enumerable: true, get: function () { return base_js_2.TokenStore; } });
 var memory_js_2 = require("./token/memory.js");
 Object.defineProperty(exports, "MemoryTokenStore", { enumerable: true, get: function () { return memory_js_2.MemoryTokenStore; } });
-var sequelize_js_2 = require("./token/sequelize.js");
-Object.defineProperty(exports, "SequelizeTokenStore", { enumerable: true, get: function () { return sequelize_js_2.SequelizeTokenStore; } });
 var service_js_1 = require("./passkey/service.js");
 Object.defineProperty(exports, "PasskeyService", { enumerable: true, get: function () { return service_js_1.PasskeyService; } });
 var base_js_3 = require("./passkey/base.js");
 Object.defineProperty(exports, "PasskeyStore", { enumerable: true, get: function () { return base_js_3.PasskeyStore; } });
 var memory_js_3 = require("./passkey/memory.js");
 Object.defineProperty(exports, "MemoryPasskeyStore", { enumerable: true, get: function () { return memory_js_3.MemoryPasskeyStore; } });
-var sequelize_js_3 = require("./passkey/sequelize.js");
-Object.defineProperty(exports, "SequelizePasskeyStore", { enumerable: true, get: function () { return sequelize_js_3.SequelizePasskeyStore; } });
 var base_js_4 = require("./oauth/base.js");
 Object.defineProperty(exports, "OAuthStore", { enumerable: true, get: function () { return base_js_4.OAuthStore; } });
 var memory_js_4 = require("./oauth/memory.js");
 Object.defineProperty(exports, "MemoryOAuthStore", { enumerable: true, get: function () { return memory_js_4.MemoryOAuthStore; } });
-var sequelize_js_4 = require("./oauth/sequelize.js");
-Object.defineProperty(exports, "SequelizeOAuthStore", { enumerable: true, get: function () { return sequelize_js_4.SequelizeOAuthStore; } });

package/dist/cjs/index.d.ts

@@ -1,32 +1,27 @@
 export { default as ApiServer } from './api-server-base.js';
 export { ApiError } from './api-server-base.js';
 export { ApiModule } from './api-module.js';
-export type { ApiErrorParams, ApiHandler, ApiKey, ApiServerConf, ApiRequest, ApiRoute, ApiAuthType, ApiAuthClass, ApiTokenData, ExtendedReq } from './api-server-base.js';
-export type { AuthIdentifier, AuthStorage } from './auth-api/types.js';
+export type { ApiErrorParams, ApiHandler, ApiKey, ApiServerConf, ApiRequest, ApiRoute, ApiAuthType, ApiAuthClass, ApiTokenData, ExtendedReq, ExpressApiRequest, ExpressApiLocals } from './api-server-base.js';
+export type { AuthIdentifier } from './auth-api/types.js';
 export type { Token, TokenPair, TokenStatus } from './token/types.js';
 export type { JwtSignResult, JwtVerifyResult, JwtDecodeResult } from './token/base.js';
 export type { OAuthClient, AuthCodeData, AuthCodeRequest } from './oauth/types.js';
 export type { AuthProviderModule } from './auth-api/module.js';
-export { nullAuthStorage, BaseAuthStorage } from './auth-api/storage.js';
+export { nullAuthAdapter, BaseAuthAdapter } from './auth-api/storage.js';
 export { nullAuthModule, BaseAuthModule } from './auth-api/module.js';
-export { AuthStorageAdapter } from './auth-api/compat-auth-storage.js';
+export { CompositeAuthAdapter } from './auth-api/compat-auth-storage.js';
 export { MemAuthStore } from './auth-api/mem-auth-store.js';
-export { SqlAuthStore } from './auth-api/sql-auth-store.js';
 export { default as AuthModule } from './auth-api/auth-module.js';
 export type { OAuthStartParams, OAuthStartResult, OAuthCallbackParams, OAuthCallbackResult } from './oauth/types.js';
 export type { BcryptHasherOptions, CreateUserInput, UpdateUserInput, PublicUserMapper } from './user/types.js';
 export { UserStore } from './user/base.js';
 export { MemoryUserStore } from './user/memory.js';
-export { SequelizeUserStore } from './user/sequelize.js';
 export type { MemoryUserAttributes, MemoryUserStoreOptions } from './user/memory.js';
 export { TokenStore } from './token/base.js';
 export { MemoryTokenStore } from './token/memory.js';
-export { SequelizeTokenStore } from './token/sequelize.js';
 export { PasskeyService } from './passkey/service.js';
 export { PasskeyStore } from './passkey/base.js';
 export { MemoryPasskeyStore } from './passkey/memory.js';
-export { SequelizePasskeyStore } from './passkey/sequelize.js';
 export type { PasskeyServiceConfig, PasskeyChallengeRecord, PasskeyUserDescriptor, StoredPasskeyCredential, PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult } from './passkey/types.js';
 export { OAuthStore } from './oauth/base.js';
 export { MemoryOAuthStore } from './oauth/memory.js';
-export { SequelizeOAuthStore } from './oauth/sequelize.js';

package/dist/cjs/oauth/memory.d.ts

@@ -1,11 +1,15 @@
 import { OAuthStore, type AuthCode, type OAuthClient } from './base.js';
 export interface MemoryOAuthStoreOptions {
     bcryptRounds?: number;
+    maxClients?: number;
+    maxAuthCodes?: number;
 }
 export declare class MemoryOAuthStore extends OAuthStore {
     private readonly clients;
     private readonly codes;
     private readonly bcryptRounds;
+    private readonly maxClients?;
+    private readonly maxAuthCodes?;
     constructor(options?: MemoryOAuthStoreOptions);
     getClient(clientId: string): Promise<OAuthClient | null>;
     createClient(input: OAuthClient): Promise<OAuthClient>;
@@ -13,4 +17,6 @@ export declare class MemoryOAuthStore extends OAuthStore {
     createAuthCode(code: AuthCode): Promise<void>;
     consumeAuthCode(code: string): Promise<AuthCode | null>;
     close(): Promise<void>;
+    private enforceClientCapacity;
+    private enforceCodeCapacity;
 }

package/dist/cjs/oauth/memory.js

@@ -5,6 +5,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.MemoryOAuthStore = void 0;
 const bcryptjs_1 = __importDefault(require("bcryptjs"));
+const user_id_js_1 = require("../auth-api/user-id.js");
 const base_js_1 = require("./base.js");
 function cloneClient(client) {
     if (!client) {
@@ -12,7 +13,7 @@ function cloneClient(client) {
     }
     return {
         clientId: client.clientId,
-        clientSecret: client.clientSecret,
+        hasSecret: Boolean(client.clientSecret),
         name: client.name,
         redirectUris: [...client.redirectUris],
         scope: client.scope ? [...client.scope] : undefined,
@@ -23,26 +24,28 @@ function cloneClient(client) {
 function cloneCode(code) {
     return {
         ...code,
+        userId: (0, user_id_js_1.normalizeComparableUserId)(code.userId),
         scope: code.scope ? [...code.scope] : undefined,
         expiresAt: new Date(code.expiresAt),
         metadata: code.metadata ? { ...code.metadata } : undefined
     };
 }
-function normalizeUserId(identifier) {
-    if (typeof identifier === 'number' && Number.isFinite(identifier)) {
-        return identifier;
-    }
-    if (typeof identifier === 'string' && /^\d+$/.test(identifier)) {
-        return Number(identifier);
-    }
-    throw new Error(`Unable to normalise user identifier: ${identifier}`);
-}
 class MemoryOAuthStore extends base_js_1.OAuthStore {
     constructor(options = {}) {
         super();
         this.clients = new Map();
         this.codes = new Map();
         this.bcryptRounds = options.bcryptRounds ?? 12;
+        this.maxClients =
+            typeof options.maxClients === 'number' && Number.isFinite(options.maxClients) && options.maxClients > 0
+                ? Math.floor(options.maxClients)
+                : undefined;
+        this.maxAuthCodes =
+            typeof options.maxAuthCodes === 'number' &&
+                Number.isFinite(options.maxAuthCodes) &&
+                options.maxAuthCodes > 0
+                ? Math.floor(options.maxAuthCodes)
+                : undefined;
     }
     async getClient(clientId) {
         return cloneClient(this.clients.get(clientId));
@@ -59,6 +62,7 @@ class MemoryOAuthStore extends base_js_1.OAuthStore {
             firstParty: input.firstParty
         };
         this.clients.set(stored.clientId, stored);
+        this.enforceClientCapacity();
         return cloneClient(stored);
     }
     async verifyClientSecret(clientId, secret) {
@@ -77,23 +81,52 @@ class MemoryOAuthStore extends base_js_1.OAuthStore {
     async createAuthCode(code) {
         const record = {
             ...code,
-            userId: normalizeUserId(code.userId),
+            userId: (0, user_id_js_1.normalizeComparableUserId)(code.userId),
             scope: code.scope ? [...code.scope] : undefined,
             expiresAt: code.expiresAt,
             metadata: code.metadata ? { ...code.metadata } : undefined
         };
         this.codes.set(record.code, record);
+        this.enforceCodeCapacity();
     }
     async consumeAuthCode(code) {
         const record = this.codes.get(code);
         if (!record) {
             return null;
         }
+        if (record.expiresAt.getTime() <= Date.now()) {
+            this.codes.delete(code);
+            return null;
+        }
         this.codes.delete(code);
         return cloneCode(record);
     }
     async close() {
         return;
     }
+    enforceClientCapacity() {
+        if (!this.maxClients) {
+            return;
+        }
+        while (this.clients.size > this.maxClients) {
+            const oldest = this.clients.keys().next().value;
+            if (!oldest) {
+                return;
+            }
+            this.clients.delete(oldest);
+        }
+    }
+    enforceCodeCapacity() {
+        if (!this.maxAuthCodes) {
+            return;
+        }
+        while (this.codes.size > this.maxAuthCodes) {
+            const oldest = this.codes.keys().next().value;
+            if (!oldest) {
+                return;
+            }
+            this.codes.delete(oldest);
+        }
+    }
 }
 exports.MemoryOAuthStore = MemoryOAuthStore;

package/dist/cjs/oauth/models.d.ts

@@ -1,4 +1,5 @@
 import { Model, type Optional, type Sequelize } from 'sequelize';
+export { integerIdType, tableOptions } from '../sequelize-utils.js';
 export interface OAuthClientAttributes {
     client_id: string;
     client_secret: string;
@@ -18,7 +19,9 @@ export declare class OAuthClientModel extends Model<OAuthClientAttributes, OAuth
     metadata: string | null;
     first_party: boolean;
 }
-export declare function initOAuthClientModel(sequelize: Sequelize): typeof OAuthClientModel;
+export declare function initOAuthClientModel(sequelize: Sequelize, options?: {
+    tablePrefix?: string;
+}): typeof OAuthClientModel;
 export interface OAuthCodeAttributes {
     code: string;
     client_id: string;
@@ -42,4 +45,6 @@ export declare class OAuthCodeModel extends Model<OAuthCodeAttributes, OAuthCode
     expires: Date;
     metadata: string | null;
 }
-export declare function initOAuthCodeModel(sequelize: Sequelize): typeof OAuthCodeModel;
+export declare function initOAuthCodeModel(sequelize: Sequelize, options?: {
+    tablePrefix?: string;
+}): typeof OAuthCodeModel;

package/dist/cjs/oauth/models.js

@@ -1,28 +1,17 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.OAuthCodeModel = exports.OAuthClientModel = void 0;
+exports.OAuthCodeModel = exports.OAuthClientModel = exports.tableOptions = exports.integerIdType = void 0;
 exports.initOAuthClientModel = initOAuthClientModel;
 exports.initOAuthCodeModel = initOAuthCodeModel;
 const sequelize_1 = require("sequelize");
-const DIALECTS_SUPPORTING_UNSIGNED = new Set(['mysql', 'mariadb']);
-function integerIdType(sequelize) {
-    return DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? sequelize_1.DataTypes.INTEGER.UNSIGNED : sequelize_1.DataTypes.INTEGER;
-}
-function tableOptions(sequelize, tableName, extra) {
-    const opts = { sequelize, tableName };
-    if (extra) {
-        Object.assign(opts, extra);
-    }
-    if (DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())) {
-        opts.charset = 'utf8mb4';
-        opts.collate = 'utf8mb4_unicode_ci';
-    }
-    return opts;
-}
+const sequelize_utils_js_1 = require("../sequelize-utils.js");
+var sequelize_utils_js_2 = require("../sequelize-utils.js");
+Object.defineProperty(exports, "integerIdType", { enumerable: true, get: function () { return sequelize_utils_js_2.integerIdType; } });
+Object.defineProperty(exports, "tableOptions", { enumerable: true, get: function () { return sequelize_utils_js_2.tableOptions; } });
 class OAuthClientModel extends sequelize_1.Model {
 }
 exports.OAuthClientModel = OAuthClientModel;
-function initOAuthClientModel(sequelize) {
+function initOAuthClientModel(sequelize, options = {}) {
     OAuthClientModel.init({
         client_id: { type: sequelize_1.DataTypes.STRING(128), allowNull: false, primaryKey: true },
         client_secret: { type: sequelize_1.DataTypes.STRING(255), allowNull: false, defaultValue: '' },
@@ -32,15 +21,15 @@ function initOAuthClientModel(sequelize) {
         metadata: { type: sequelize_1.DataTypes.TEXT, allowNull: true, defaultValue: null },
         first_party: { type: sequelize_1.DataTypes.BOOLEAN, allowNull: false, defaultValue: false }
     }, {
-        ...tableOptions(sequelize, 'oauth_clients', { timestamps: false })
+        ...(0, sequelize_utils_js_1.tableOptions)(sequelize, 'oauth_clients', options.tablePrefix, { timestamps: false })
     });
     return OAuthClientModel;
 }
 class OAuthCodeModel extends sequelize_1.Model {
 }
 exports.OAuthCodeModel = OAuthCodeModel;
-function initOAuthCodeModel(sequelize) {
-    const idType = integerIdType(sequelize);
+function initOAuthCodeModel(sequelize, options = {}) {
+    const idType = (0, sequelize_utils_js_1.integerIdType)(sequelize);
     OAuthCodeModel.init({
         code: { type: sequelize_1.DataTypes.STRING(128), allowNull: false, primaryKey: true },
         client_id: { type: sequelize_1.DataTypes.STRING(128), allowNull: false },
@@ -52,7 +41,7 @@ function initOAuthCodeModel(sequelize) {
         expires: { type: sequelize_1.DataTypes.DATE, allowNull: false },
         metadata: { type: sequelize_1.DataTypes.TEXT, allowNull: true, defaultValue: null }
     }, {
-        ...tableOptions(sequelize, 'oauth_codes', { timestamps: false })
+        ...(0, sequelize_utils_js_1.tableOptions)(sequelize, 'oauth_codes', options.tablePrefix, { timestamps: false })
     });
     return OAuthCodeModel;
 }

package/dist/cjs/oauth/sequelize.d.ts

@@ -1,57 +1,19 @@
-import { Model, type Optional, type Sequelize } from 'sequelize';
 import { OAuthStore, type AuthCode, type OAuthClient } from './base.js';
-export interface OAuthClientAttributes {
-    client_id: string;
-    client_secret: string;
-    name: string | null;
-    redirect_uris: string;
-    scope: string;
-    metadata: string | null;
-    first_party: boolean;
-}
-export type OAuthClientCreationAttributes = Optional<OAuthClientAttributes, 'client_secret' | 'name' | 'scope' | 'metadata' | 'first_party'>;
-export declare class OAuthClientModel extends Model<OAuthClientAttributes, OAuthClientCreationAttributes> implements OAuthClientAttributes {
-    client_id: string;
-    client_secret: string;
-    name: string | null;
-    redirect_uris: string;
-    scope: string;
-    metadata: string | null;
-    first_party: boolean;
-}
-export declare function initOAuthClientModel(sequelize: Sequelize): typeof OAuthClientModel;
-export interface OAuthCodeAttributes {
-    code: string;
-    client_id: string;
-    user_id: number;
-    redirect_uri: string;
-    scope: string;
-    code_challenge: string | null;
-    code_challenge_method: 'plain' | 'S256' | null;
-    expires: Date;
-    metadata: string | null;
-}
-export type OAuthCodeCreationAttributes = Optional<OAuthCodeAttributes, 'code_challenge' | 'code_challenge_method' | 'metadata'>;
-export declare class OAuthCodeModel extends Model<OAuthCodeAttributes, OAuthCodeCreationAttributes> implements OAuthCodeAttributes {
-    code: string;
-    client_id: string;
-    user_id: number;
-    redirect_uri: string;
-    scope: string;
-    code_challenge: string | null;
-    code_challenge_method: 'plain' | 'S256' | null;
-    expires: Date;
-    metadata: string | null;
-}
-export declare function initOAuthCodeModel(sequelize: Sequelize): typeof OAuthCodeModel;
+import { OAuthClientModel, OAuthCodeModel } from './models.js';
 export interface SequelizeOAuthStoreOptions {
-    sequelize: Sequelize;
+    sequelize: import('sequelize').Sequelize;
+    tablePrefix?: string;
     clientModel?: typeof OAuthClientModel;
     codeModel?: typeof OAuthCodeModel;
-    clientModelFactory?: (sequelize: Sequelize) => typeof OAuthClientModel;
-    codeModelFactory?: (sequelize: Sequelize) => typeof OAuthCodeModel;
+    clientModelFactory?: (sequelize: import('sequelize').Sequelize, options?: {
+        tablePrefix?: string;
+    }) => typeof OAuthClientModel;
+    codeModelFactory?: (sequelize: import('sequelize').Sequelize, options?: {
+        tablePrefix?: string;
+    }) => typeof OAuthCodeModel;
     bcryptRounds?: number;
 }
+export { OAuthClientModel, OAuthCodeModel, initOAuthClientModel, initOAuthCodeModel, type OAuthClientAttributes, type OAuthClientCreationAttributes, type OAuthCodeAttributes, type OAuthCodeCreationAttributes } from './models.js';
 export declare class SequelizeOAuthStore extends OAuthStore {
     private readonly clients;
     private readonly codes;

package/dist/cjs/oauth/sequelize.js

@@ -3,81 +3,18 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.SequelizeOAuthStore = exports.OAuthCodeModel = exports.OAuthClientModel = void 0;
-exports.initOAuthClientModel = initOAuthClientModel;
-exports.initOAuthCodeModel = initOAuthCodeModel;
+exports.SequelizeOAuthStore = exports.initOAuthCodeModel = exports.initOAuthClientModel = exports.OAuthCodeModel = exports.OAuthClientModel = void 0;
 const bcryptjs_1 = __importDefault(require("bcryptjs"));
 const sequelize_1 = require("sequelize");
+const user_id_js_1 = require("../auth-api/user-id.js");
+const sequelize_utils_js_1 = require("../sequelize-utils.js");
 const base_js_1 = require("./base.js");
-const DIALECTS_SUPPORTING_UNSIGNED = new Set(['mysql', 'mariadb']);
-function integerIdType(sequelize) {
-    return DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? sequelize_1.DataTypes.INTEGER.UNSIGNED : sequelize_1.DataTypes.INTEGER;
-}
-function tableOptions(sequelize, tableName, extra) {
-    const opts = { sequelize, tableName };
-    if (extra) {
-        Object.assign(opts, extra);
-    }
-    if (DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())) {
-        opts.charset = 'utf8mb4';
-        opts.collate = 'utf8mb4_unicode_ci';
-    }
-    return opts;
-}
-class OAuthClientModel extends sequelize_1.Model {
-}
-exports.OAuthClientModel = OAuthClientModel;
-function initOAuthClientModel(sequelize) {
-    OAuthClientModel.init({
-        client_id: { type: sequelize_1.DataTypes.STRING(128), allowNull: false, primaryKey: true },
-        client_secret: { type: sequelize_1.DataTypes.STRING(255), allowNull: false, defaultValue: '' },
-        name: { type: sequelize_1.DataTypes.STRING(128), allowNull: true, defaultValue: null },
-        redirect_uris: { type: sequelize_1.DataTypes.TEXT, allowNull: false, defaultValue: '[]' },
-        scope: { type: sequelize_1.DataTypes.TEXT, allowNull: false, defaultValue: '[]' },
-        metadata: { type: sequelize_1.DataTypes.TEXT, allowNull: true, defaultValue: null },
-        first_party: { type: sequelize_1.DataTypes.BOOLEAN, allowNull: false, defaultValue: false }
-    }, tableOptions(sequelize, 'oauth_clients', { timestamps: false }));
-    return OAuthClientModel;
-}
-class OAuthCodeModel extends sequelize_1.Model {
-}
-exports.OAuthCodeModel = OAuthCodeModel;
-function initOAuthCodeModel(sequelize) {
-    const idType = integerIdType(sequelize);
-    OAuthCodeModel.init({
-        code: { type: sequelize_1.DataTypes.STRING(128), allowNull: false, primaryKey: true },
-        client_id: { type: sequelize_1.DataTypes.STRING(128), allowNull: false },
-        user_id: { type: idType, allowNull: false },
-        redirect_uri: { type: sequelize_1.DataTypes.TEXT, allowNull: false },
-        scope: { type: sequelize_1.DataTypes.TEXT, allowNull: false, defaultValue: '[]' },
-        code_challenge: { type: sequelize_1.DataTypes.STRING(255), allowNull: true, defaultValue: null },
-        code_challenge_method: { type: sequelize_1.DataTypes.STRING(10), allowNull: true, defaultValue: null },
-        expires: { type: sequelize_1.DataTypes.DATE, allowNull: false },
-        metadata: { type: sequelize_1.DataTypes.TEXT, allowNull: true, defaultValue: null }
-    }, tableOptions(sequelize, 'oauth_codes', { timestamps: false }));
-    return OAuthCodeModel;
-}
-function encodeStringArray(values) {
-    return JSON.stringify(values ?? []);
-}
-function decodeStringArray(raw) {
-    if (!raw) {
-        return [];
-    }
-    try {
-        const parsed = JSON.parse(raw);
-        if (Array.isArray(parsed)) {
-            return parsed.filter((entry) => typeof entry === 'string' && entry.length > 0);
-        }
-    }
-    catch {
-        // ignore malformed values
-    }
-    return raw
-        .split(/\s+/)
-        .map((entry) => entry.trim())
-        .filter((entry) => entry.length > 0);
-}
+const models_js_1 = require("./models.js");
+var models_js_2 = require("./models.js");
+Object.defineProperty(exports, "OAuthClientModel", { enumerable: true, get: function () { return models_js_2.OAuthClientModel; } });
+Object.defineProperty(exports, "OAuthCodeModel", { enumerable: true, get: function () { return models_js_2.OAuthCodeModel; } });
+Object.defineProperty(exports, "initOAuthClientModel", { enumerable: true, get: function () { return models_js_2.initOAuthClientModel; } });
+Object.defineProperty(exports, "initOAuthCodeModel", { enumerable: true, get: function () { return models_js_2.initOAuthCodeModel; } });
 function serializeMetadata(metadata) {
     if (!metadata) {
         return null;
@@ -99,23 +36,22 @@ function parseMetadata(raw) {
     }
     return undefined;
 }
-function normalizeUserId(identifier) {
-    if (typeof identifier === 'number' && Number.isFinite(identifier)) {
-        return identifier;
-    }
-    if (typeof identifier === 'string' && /^\d+$/.test(identifier)) {
-        return Number(identifier);
-    }
-    throw new Error(`Unable to normalise user identifier: ${identifier}`);
-}
 class SequelizeOAuthStore extends base_js_1.OAuthStore {
     constructor(options) {
         super();
         if (!options?.sequelize) {
             throw new Error('SequelizeOAuthStore requires an initialised Sequelize instance');
         }
-        this.clients = options.clientModel ?? (options.clientModelFactory ?? initOAuthClientModel)(options.sequelize);
-        this.codes = options.codeModel ?? (options.codeModelFactory ?? initOAuthCodeModel)(options.sequelize);
+        this.clients =
+            options.clientModel ??
+                (options.clientModelFactory ?? models_js_1.initOAuthClientModel)(options.sequelize, {
+                    tablePrefix: options.tablePrefix
+                });
+        this.codes =
+            options.codeModel ??
+                (options.codeModelFactory ?? models_js_1.initOAuthCodeModel)(options.sequelize, {
+                    tablePrefix: options.tablePrefix
+                });
         this.bcryptRounds = options.bcryptRounds ?? 12;
     }
     async getClient(clientId) {
@@ -127,15 +63,15 @@ class SequelizeOAuthStore extends base_js_1.OAuthStore {
         const hashedSecret = input.clientSecret !== undefined && input.clientSecret !== null
             ? await bcryptjs_1.default.hash(input.clientSecret, this.bcryptRounds)
             : (existing?.client_secret ?? '');
-        const redirectUris = input.redirectUris ?? (existing ? decodeStringArray(existing.redirect_uris) : undefined);
-        const scope = input.scope ?? (existing ? decodeStringArray(existing.scope) : undefined);
+        const redirectUris = input.redirectUris ?? (existing ? (0, sequelize_utils_js_1.decodeStringArray)(existing.redirect_uris) : undefined);
+        const scope = input.scope ?? (existing ? (0, sequelize_utils_js_1.decodeStringArray)(existing.scope) : undefined);
         const metadata = input.metadata ?? (existing ? parseMetadata(existing.metadata) : undefined);
         await this.clients.upsert({
             client_id: input.clientId,
             client_secret: hashedSecret,
             name: input.name ?? existing?.name ?? null,
-            redirect_uris: encodeStringArray(redirectUris),
-            scope: encodeStringArray(scope),
+            redirect_uris: (0, sequelize_utils_js_1.encodeStringArray)(redirectUris),
+            scope: (0, sequelize_utils_js_1.encodeStringArray)(scope),
             metadata: serializeMetadata(metadata),
             first_party: input.firstParty ?? existing?.first_party ?? false
         });
@@ -162,9 +98,9 @@ class SequelizeOAuthStore extends base_js_1.OAuthStore {
         await this.codes.create({
             code: code.code,
             client_id: code.clientId,
-            user_id: normalizeUserId(code.userId),
+            user_id: (0, user_id_js_1.normalizeNumericUserId)(code.userId),
             redirect_uri: code.redirectUri ?? '',
-            scope: encodeStringArray(code.scope),
+            scope: (0, sequelize_utils_js_1.encodeStringArray)(code.scope),
             code_challenge: code.codeChallenge ?? null,
             code_challenge_method: code.codeChallengeMethod ?? null,
             expires: code.expiresAt,
@@ -172,12 +108,21 @@ class SequelizeOAuthStore extends base_js_1.OAuthStore {
         });
     }
     async consumeAuthCode(code) {
-        const model = await this.codes.findByPk(code);
-        if (!model) {
-            return null;
+        const sequelize = this.codes.sequelize;
+        if (!sequelize) {
+            throw new Error('Code model is not bound to a Sequelize instance');
         }
-        await model.destroy();
-        return this.toAuthCode(model);
+        return sequelize.transaction({ isolationLevel: sequelize_1.Transaction.ISOLATION_LEVELS.READ_COMMITTED }, async (transaction) => {
+            const model = await this.codes.findByPk(code, { transaction, lock: true });
+            if (!model) {
+                return null;
+            }
+            await model.destroy({ transaction });
+            if (model.expires.getTime() <= Date.now()) {
+                return null;
+            }
+            return this.toAuthCode(model);
+        });
     }
     async close() {
         return;
@@ -185,10 +130,10 @@ class SequelizeOAuthStore extends base_js_1.OAuthStore {
     toOAuthClient(model) {
         return {
             clientId: model.client_id,
-            clientSecret: model.client_secret,
+            hasSecret: Boolean(model.client_secret),
             name: model.name ?? undefined,
-            redirectUris: decodeStringArray(model.redirect_uris),
-            scope: decodeStringArray(model.scope),
+            redirectUris: (0, sequelize_utils_js_1.decodeStringArray)(model.redirect_uris),
+            scope: (0, sequelize_utils_js_1.decodeStringArray)(model.scope),
             metadata: parseMetadata(model.metadata),
             firstParty: model.first_party ?? false
         };
@@ -197,9 +142,9 @@ class SequelizeOAuthStore extends base_js_1.OAuthStore {
         return {
             code: model.code,
             clientId: model.client_id,
-            userId: model.user_id,
+            userId: String(model.user_id),
             redirectUri: model.redirect_uri,
-            scope: decodeStringArray(model.scope),
+            scope: (0, sequelize_utils_js_1.decodeStringArray)(model.scope),
             codeChallenge: model.code_challenge ?? undefined,
             codeChallengeMethod: model.code_challenge_method ?? undefined,
             expiresAt: model.expires,

package/dist/cjs/oauth/types.d.ts

@@ -2,6 +2,7 @@ import type { AuthIdentifier } from '../auth-api/types.js';
 export interface OAuthClient {
     clientId: string;
     clientSecret?: string;
+    hasSecret?: boolean;
     firstParty?: boolean;
     metadata?: Record<string, unknown>;
     name?: string;

package/dist/cjs/passkey/base.d.ts

@@ -6,10 +6,12 @@ export declare abstract class PasskeyStore implements PasskeyStorageAdapter {
         login?: string;
     }): Promise<PasskeyUserDescriptor | null>;
     abstract listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    abstract deleteCredential(credentialId: Buffer | string): Promise<boolean>;
     abstract findCredentialById(credentialId: Buffer): Promise<StoredPasskeyCredential | null>;
     abstract saveCredential(record: StoredPasskeyCredential): Promise<void>;
     abstract updateCredentialCounter(credentialId: Buffer, counter: number): Promise<void>;
     abstract saveChallenge(record: PasskeyChallengeRecord): Promise<void>;
+    abstract getChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
     abstract consumeChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
     abstract cleanupChallenges(now: Date): Promise<void>;
 }

package/dist/cjs/passkey/config.d.ts

@@ -0,0 +1,2 @@
+import type { PasskeyServiceConfig } from './types.js';
+export declare function normalizePasskeyConfig(config?: Partial<PasskeyServiceConfig>): PasskeyServiceConfig;