@technomoron/api-server-base 2.0.0-beta.2 → 2.0.0-beta.21

package/dist/esm/auth-api/auth-module.js

@@ -1,6 +1,9 @@
-import { createHash } from 'node:crypto';
+import { createHash, randomUUID } from 'node:crypto';
+import { isoBase64URL } from '@simplewebauthn/server/helpers';
 import { ApiError } from '../api-server-base.js';
+import { buildAuthCookieOptions } from '../auth-cookie-options.js';
 import { BaseAuthModule } from './module.js';
+import { BaseAuthAdapter } from './storage.js';
 function isAuthIdentifier(value) {
     return typeof value === 'string' || typeof value === 'number';
 }
@@ -28,10 +31,18 @@ function sha256Base64Url(value) {
     return base64UrlEncode(hash);
 }
 class AuthModule extends BaseAuthModule {
+    get server() {
+        return super.server;
+    }
+    set server(value) {
+        super.server = value;
+    }
     constructor(options = {}) {
         super({ namespace: options.namespace ?? AuthModule.defaultNamespace });
         this.defaultDomain = options.defaultDomain;
         this.canImpersonateHook = options.canImpersonate;
+        this.rateLimitHook = options.rateLimit;
+        this.allowInsecurePkcePlain = options.allowInsecurePkcePlain ?? true;
     }
     get storage() {
         return this.server.getAuthStorage();
@@ -72,9 +83,21 @@ class AuthModule extends BaseAuthModule {
     }
     buildTokenMetadata(metadata = {}) {
         const scope = metadata.scope;
+        const domain = metadata.domain ?? this.defaultDomain ?? '';
+        let fingerprint = metadata.fingerprint ?? metadata.clientId ?? '';
+        if (typeof fingerprint === 'string') {
+            fingerprint = fingerprint.trim();
+        }
+        else {
+            fingerprint = '';
+        }
+        // Avoid every client sharing the empty-string fingerprint which collapses sessions into one bucket.
+        if (!fingerprint) {
+            fingerprint = `srv-${randomUUID()}`;
+        }
         return {
-            domain: metadata.domain ?? this.defaultDomain ?? '',
-            fingerprint: metadata.fingerprint ?? metadata.clientId ?? '',
+            domain,
+            fingerprint,
             label: metadata.label ?? (Array.isArray(scope) ? scope.join(' ') : typeof scope === 'string' ? scope : ''),
             clientId: metadata.clientId,
             ruid: metadata.ruid,
@@ -132,6 +155,9 @@ class AuthModule extends BaseAuthModule {
             return candidate ? {} : { sessionCookie: true, refreshTtlSeconds: this.sessionRefreshTtlSeconds() };
         }
         if (typeof candidate === 'number') {
+            if (candidate === 0) {
+                return { sessionCookie: true, refreshTtlSeconds: this.sessionRefreshTtlSeconds() };
+            }
             const ttl = this.normalizeRefreshTtlSeconds(candidate);
             return ttl ? { sessionCookie: false, refreshTtlSeconds: ttl } : {};
         }
@@ -181,30 +207,46 @@ class AuthModule extends BaseAuthModule {
         }
         return prefs;
     }
-    cookieOptions(apiReq) {
-        const conf = this.server.config;
-        const forwarded = apiReq.req.headers['x-forwarded-proto'];
-        const referer = apiReq.req.headers['origin'] ?? apiReq.req.headers['referer'];
-        const origin = typeof referer === 'string' ? referer : '';
-        const isHttps = forwarded === 'https' || apiReq.req.protocol === 'https';
-        const isLocalhost = origin.includes('localhost');
-        const options = {
-            httpOnly: true,
-            secure: true,
-            sameSite: 'strict',
-            domain: conf.cookieDomain || undefined,
-            path: '/',
-            maxAge: undefined
-        };
-        if (conf.devMode) {
-            options.secure = isHttps;
-            options.httpOnly = false;
-            options.sameSite = 'lax';
-            if (isLocalhost) {
-                options.domain = undefined;
+    validateCredentialId(apiReq) {
+        const paramId = toStringOrNull(apiReq.req.params?.credentialId);
+        const bodyId = toStringOrNull(apiReq.req.body?.credentialId);
+        const credentialId = paramId ?? bodyId;
+        if (!credentialId) {
+            throw new ApiError({ code: 400, message: 'credentialId is required' });
+        }
+        try {
+            isoBase64URL.toBuffer(credentialId);
+        }
+        catch {
+            throw new ApiError({ code: 400, message: 'Invalid credentialId' });
+        }
+        return credentialId;
+    }
+    normalizeCredentialId(value) {
+        if (Buffer.isBuffer(value)) {
+            return value;
+        }
+        try {
+            return Buffer.from(isoBase64URL.toBuffer(value));
+        }
+        catch {
+            try {
+                return Buffer.from(value, 'base64');
+            }
+            catch {
+                return Buffer.from(value);
             }
         }
-        return options;
+    }
+    toIsoDate(value) {
+        if (!value) {
+            return undefined;
+        }
+        const date = value instanceof Date ? value : new Date(value);
+        return Number.isNaN(date.getTime()) ? undefined : date.toISOString();
+    }
+    cookieOptions(apiReq) {
+        return buildAuthCookieOptions(this.server.config, apiReq.req);
     }
     setJwtCookies(apiReq, tokens, preferences = {}) {
         const conf = this.server.config;
@@ -231,7 +273,10 @@ class AuthModule extends BaseAuthModule {
     async issueTokens(apiReq, user, metadata = {}) {
         const conf = this.server.config;
         const enrichedMetadata = this.enrichTokenMetadata(apiReq, metadata);
-        const payload = this.buildTokenPayload(user, enrichedMetadata);
+        const payload = {
+            ...this.buildTokenPayload(user, enrichedMetadata),
+            jti: randomUUID()
+        };
         const access = this.server.jwtSign(payload, conf.accessSecret, conf.accessExpiry);
         if (!access.success || !access.token) {
             throw new ApiError({ code: 500, message: access.error ?? 'Unable to sign access token' });
@@ -401,23 +446,16 @@ class AuthModule extends BaseAuthModule {
         return undefined;
     }
     async postLogin(apiReq) {
+        await this.applyRateLimit(apiReq, 'login');
         this.assertAuthReady();
         const { login, password, ...metadata } = this.parseLoginBody(apiReq);
         const user = await this.storage.getUser(login);
-        if (!user) {
-            throw new ApiError({
-                code: 400,
-                message: 'Invalid credentials',
-                errors: { login: 'Unknown user' }
-            });
-        }
-        const hash = this.storage.getUserPasswordHash(user);
-        const verified = await this.storage.verifyPassword(password, hash);
-        if (!verified) {
+        const hash = user ? this.storage.getUserPasswordHash(user) : '';
+        const verified = user ? await this.storage.verifyPassword(password, hash) : false;
+        if (!user || !verified) {
             throw new ApiError({
                 code: 400,
-                message: 'Invalid credentials',
-                errors: { password: 'Wrong password' }
+                message: 'Invalid credentials'
             });
         }
         const pair = await this.issueTokens(apiReq, user, metadata);
@@ -459,6 +497,7 @@ class AuthModule extends BaseAuthModule {
             refreshTtlSeconds: sessionPrefs.refreshTtlSeconds ?? stored.refreshTtlSeconds,
             sessionCookie: sessionPrefs.sessionCookie ?? stored.sessionCookie
         };
+        await this.storage.deleteToken({ refreshToken: providedToken });
         const pair = await this.issueTokens(apiReq, user, metadata);
         const publicUser = this.storage.filterUser(user);
         return [200, { ...pair, user: publicUser }];
@@ -498,10 +537,39 @@ class AuthModule extends BaseAuthModule {
                 apiReq.req.cookies[conf.accessCookie].trim().length > 0);
         const shouldRefresh = Boolean(body.refresh) || !hasAccessToken;
         if (shouldRefresh) {
-            const access = this.server.jwtSign(this.buildTokenPayload(user, stored), conf.accessSecret, conf.accessExpiry);
+            const updateToken = this.storage.updateToken;
+            if (typeof updateToken !== 'function' || !this.storageImplements('updateToken')) {
+                throw new ApiError({ code: 501, message: 'Token update storage is not configured' });
+            }
+            // Sign a new access token without embedding stored token secrets into the JWT payload.
+            const metadata = {
+                ruid: stored.ruid,
+                domain: stored.domain,
+                fingerprint: stored.fingerprint,
+                label: stored.label,
+                clientId: stored.clientId,
+                scope: stored.scope,
+                browser: stored.browser,
+                device: stored.device,
+                ip: stored.ip,
+                os: stored.os,
+                loginType: stored.loginType,
+                refreshTtlSeconds: this.normalizeRefreshTtlSeconds(stored.refreshTtlSeconds),
+                sessionCookie: stored.sessionCookie
+            };
+            const enrichedMetadata = this.enrichTokenMetadata(apiReq, metadata);
+            const access = this.server.jwtSign(this.buildTokenPayload(user, enrichedMetadata), conf.accessSecret, conf.accessExpiry);
             if (!access.success || !access.token) {
                 throw new ApiError({ code: 500, message: access.error ?? 'Unable to sign access token' });
             }
+            const updated = await updateToken.call(this.storage, {
+                refreshToken,
+                accessToken: access.token,
+                lastSeenAt: new Date()
+            });
+            if (!updated) {
+                throw new ApiError({ code: 500, message: 'Unable to persist refreshed access token' });
+            }
             const cookiePrefs = this.mergeSessionPreferences({
                 sessionCookie: stored.sessionCookie,
                 refreshTtlSeconds: this.normalizeRefreshTtlSeconds(stored.refreshTtlSeconds)
@@ -511,9 +579,31 @@ class AuthModule extends BaseAuthModule {
                 : cookiePrefs.refreshTtlSeconds;
             this.setJwtCookies(apiReq, { accessToken: access.token, refreshToken }, { sessionCookie: cookiePrefs.sessionCookie ?? false, refreshTtlSeconds: refreshTtlForCookie });
         }
-        return [200, this.storage.filterUser(user)];
+        const tokenClaims = verify.data;
+        const effectiveUserId = this.storage.getUserId(user);
+        const effectiveId = String(effectiveUserId);
+        const rawRealId = stored.ruid ?? tokenClaims.ruid;
+        const normalizedRealId = rawRealId === undefined || rawRealId === null ? null : String(rawRealId).trim() || null;
+        const isImpersonating = normalizedRealId !== null && normalizedRealId !== effectiveId;
+        let realUser;
+        let realUserId;
+        if (isImpersonating && normalizedRealId !== null) {
+            const realUserEntity = await this.getUserOrThrow(normalizedRealId, 'Real user not found');
+            realUser = this.storage.filterUser(realUserEntity);
+            realUserId = this.storage.getUserId(realUserEntity);
+        }
+        return [
+            200,
+            {
+                user: this.storage.filterUser(user),
+                isImpersonating,
+                realUser,
+                realUserId
+            }
+        ];
     }
     async postPasskeyChallenge(apiReq) {
+        await this.applyRateLimit(apiReq, 'passkey-challenge');
         if (typeof this.storage.createPasskeyChallenge !== 'function') {
             throw new ApiError({ code: 501, message: 'Passkey support is not configured' });
         }
@@ -525,15 +615,7 @@ class AuthModule extends BaseAuthModule {
         const params = {
             action,
             login: toStringOrNull(body.login) ?? undefined,
-            userId: isAuthIdentifier(body.userId) ? body.userId : undefined,
-            userAgent: toStringOrNull(body.userAgent) ?? undefined,
-            domain: toStringOrNull(body.domain) ?? undefined,
-            fingerprint: toStringOrNull(body.fingerprint) ?? undefined,
-            label: toStringOrNull(body.label) ?? undefined,
-            browser: toStringOrNull(body.browser) ?? undefined,
-            device: toStringOrNull(body.device) ?? undefined,
-            ip: toStringOrNull(body.ip) ?? undefined,
-            os: toStringOrNull(body.os) ?? undefined
+            userId: isAuthIdentifier(body.userId) ? body.userId : undefined
         };
         const challenge = await this.storage.createPasskeyChallenge(params);
         return [200, challenge];
@@ -549,18 +631,25 @@ class AuthModule extends BaseAuthModule {
         if (!expectedChallenge || typeof response !== 'object' || response === null) {
             throw new ApiError({ code: 400, message: 'Malformed passkey verification payload' });
         }
-        const params = {
-            expectedChallenge,
-            response: response,
-            login: toStringOrNull(body.login) ?? undefined,
-            userId: isAuthIdentifier(body.userId) ? body.userId : undefined,
+        const rawMetadata = {
             domain: toStringOrNull(body.domain) ?? undefined,
             fingerprint: toStringOrNull(body.fingerprint) ?? undefined,
             label: toStringOrNull(body.label) ?? undefined,
             browser: toStringOrNull(body.browser) ?? undefined,
             device: toStringOrNull(body.device) ?? undefined,
             ip: toStringOrNull(body.ip) ?? undefined,
-            os: toStringOrNull(body.os) ?? undefined,
+            os: toStringOrNull(body.os) ?? undefined
+        };
+        const clientInfo = apiReq.getClientInfo();
+        const userAgent = toStringOrNull(body.userAgent) ?? (clientInfo.ua ? clientInfo.ua : null);
+        const requestMetadata = this.enrichTokenMetadata(apiReq, rawMetadata);
+        const params = {
+            expectedChallenge,
+            response: response,
+            login: toStringOrNull(body.login) ?? undefined,
+            userId: isAuthIdentifier(body.userId) ? body.userId : undefined,
+            userAgent: userAgent ?? undefined,
+            ...requestMetadata,
             ...sessionPrefs
         };
         const result = await this.storage.verifyPasskeyResponse(params);
@@ -596,6 +685,44 @@ class AuthModule extends BaseAuthModule {
         const publicUser = this.storage.filterUser(user);
         return [200, { ...tokens, user: publicUser }];
     }
+    async getPasskeys(apiReq) {
+        if (typeof this.storage.listUserCredentials !== 'function') {
+            throw new ApiError({ code: 501, message: 'Passkey credential listing is not configured' });
+        }
+        const { userId } = await this.resolveActorContext(apiReq);
+        const credentials = await this.storage.listUserCredentials(userId);
+        const safeCredentials = credentials.map((credential) => {
+            const bufferId = this.normalizeCredentialId(credential.credentialId);
+            return {
+                id: isoBase64URL.fromBuffer(new Uint8Array(bufferId)),
+                transports: credential.transports,
+                backedUp: credential.backedUp,
+                deviceType: credential.deviceType,
+                createdAt: this.toIsoDate(credential.createdAt),
+                updatedAt: this.toIsoDate(credential.updatedAt)
+            };
+        });
+        return [200, { credentials: safeCredentials }];
+    }
+    async deletePasskey(apiReq) {
+        if (typeof this.storage.listUserCredentials !== 'function' ||
+            typeof this.storage.deletePasskeyCredential !== 'function') {
+            throw new ApiError({ code: 501, message: 'Passkey credential management is not configured' });
+        }
+        const { userId } = await this.resolveActorContext(apiReq);
+        const credentialId = this.validateCredentialId(apiReq);
+        const bufferId = Buffer.from(isoBase64URL.toBuffer(credentialId));
+        const credentials = await this.storage.listUserCredentials(userId);
+        const owns = credentials.some((credential) => {
+            const candidateId = this.normalizeCredentialId(credential.credentialId);
+            return isoBase64URL.fromBuffer(new Uint8Array(candidateId)) === credentialId;
+        });
+        if (!owns) {
+            throw new ApiError({ code: 404, message: 'Passkey not found' });
+        }
+        const deleted = await this.storage.deletePasskeyCredential(bufferId);
+        return [200, { deleted }];
+    }
     async postImpersonation(apiReq) {
         this.assertAuthReady();
         const { targetIdentifier, metadata } = this.parseImpersonationRequest(apiReq);
@@ -614,7 +741,8 @@ class AuthModule extends BaseAuthModule {
     async deleteImpersonation(apiReq) {
         this.assertAuthReady();
         const actor = await this.resolveActorContext(apiReq);
-        const metadata = this.buildImpersonationMetadata((apiReq.req.body ?? {}));
+        const query = (apiReq.req.query ?? {});
+        const metadata = this.buildImpersonationMetadata(query);
         metadata.loginType = metadata.loginType ?? 'impersonation-end';
         const tokens = await this.issueTokens(apiReq, actor.user, metadata);
         const publicUser = this.storage.filterUser(actor.user);
@@ -686,6 +814,7 @@ class AuthModule extends BaseAuthModule {
         const state = toStringOrNull(body.state) ?? undefined;
         const codeChallenge = toStringOrNull(body.codeChallenge) ?? undefined;
         const codeChallengeMethod = toStringOrNull(body.codeChallengeMethod) ?? undefined;
+        const resolvedCodeChallengeMethod = this.resolvePkceChallengeMethod(codeChallengeMethod);
         if (!clientId) {
             throw new ApiError({ code: 400, message: 'clientId is required' });
         }
@@ -705,7 +834,7 @@ class AuthModule extends BaseAuthModule {
             redirectUri,
             scope: resolvedScope,
             codeChallenge,
-            codeChallengeMethod: codeChallengeMethod === 'S256' ? 'S256' : codeChallengeMethod === 'plain' ? 'plain' : undefined,
+            codeChallengeMethod: resolvedCodeChallengeMethod,
             expiresInSeconds: 300
         });
         const redirect = new URL(redirectUri);
@@ -716,6 +845,7 @@ class AuthModule extends BaseAuthModule {
         return [200, { code: codeRecord.code, redirectUri: redirect.toString(), state }];
     }
     async postOAuthToken(apiReq) {
+        await this.applyRateLimit(apiReq, 'oauth-token');
         if (typeof this.storage.getClient !== 'function' || typeof this.storage.consumeAuthCode !== 'function') {
             throw new ApiError({ code: 501, message: 'OAuth token storage is not configured' });
         }
@@ -769,12 +899,15 @@ class AuthModule extends BaseAuthModule {
                 }
             }
             else if (record.codeChallengeMethod === 'plain') {
+                if (!this.allowInsecurePkcePlain) {
+                    throw new ApiError({ code: 400, message: 'PKCE plain is not permitted' });
+                }
                 if (codeVerifier !== record.codeChallenge) {
                     throw new ApiError({ code: 400, message: 'code_verifier does not match challenge' });
                 }
             }
         }
-        else if (!clientSecretProvided && client.clientSecret) {
+        else if (!clientSecretProvided && (client.hasSecret ?? Boolean(client.clientSecret))) {
             throw new ApiError({ code: 400, message: 'Client authentication required when no PKCE challenge present' });
         }
         const user = await this.getUserOrThrow(record.userId, 'User not found');
@@ -809,6 +942,7 @@ class AuthModule extends BaseAuthModule {
             throw new ApiError({ code: 400, message: 'Refresh token issued to another client' });
         }
         const user = await this.getUserOrThrow(stored.userId ?? verify.data.uid, 'User not found');
+        await this.storage.deleteToken({ refreshToken });
         const tokens = await this.issueTokens(apiReq, user, {
             clientId: client.clientId,
             scope: stored.scope,
@@ -817,11 +951,7 @@ class AuthModule extends BaseAuthModule {
             loginType: stored.loginType ?? 'oauth'
         });
         this.clearOAuthCookies(apiReq);
-        const scope = Array.isArray(stored.scope)
-            ? stored.scope
-            : typeof stored.scope === 'string'
-                ? stored.scope.split(/\s+/).filter((entry) => entry.length > 0)
-                : [];
+        const scope = Array.isArray(stored.scope) ? stored.scope : [];
         return [200, this.buildTokenResponse(tokens, client, scope)];
     }
     clearOAuthCookies(apiReq) {
@@ -884,19 +1014,16 @@ class AuthModule extends BaseAuthModule {
         if (!client) {
             throw new ApiError({ code: 400, message: 'Unknown client_id' });
         }
-        const requiresSecret = !!client.clientSecret;
+        const requiresSecret = client.hasSecret ?? Boolean(client.clientSecret);
         if (requiresSecret) {
             if (!secretProvided) {
                 throw new ApiError({ code: 400, message: 'Client authentication is required' });
             }
-            let valid = false;
-            if (this.storage.verifyClientSecret) {
-                const verifySecret = this.storage.verifyClientSecret.bind(this.storage);
-                valid = await verifySecret(client, clientSecret);
-            }
-            else {
-                valid = client.clientSecret === clientSecret;
+            const verifySecret = this.storage.verifyClientSecret;
+            if (typeof verifySecret !== 'function' || !this.storageImplements('verifyClientSecret')) {
+                throw new ApiError({ code: 501, message: 'OAuth client secret verification is not configured' });
             }
+            const valid = await verifySecret.call(this.storage, client, clientSecret);
             if (!valid) {
                 throw new ApiError({ code: 401, message: 'Invalid client credentials' });
             }
@@ -923,63 +1050,118 @@ class AuthModule extends BaseAuthModule {
         const password = toStringOrNull(body.password);
         if (login && password) {
             const user = await this.storage.getUser(login);
-            if (!user) {
-                throw new ApiError({ code: 400, message: 'Invalid credentials', errors: { login: 'Unknown user' } });
-            }
-            const hash = this.storage.getUserPasswordHash(user);
-            const verified = await this.storage.verifyPassword(password, hash);
-            if (!verified) {
-                throw new ApiError({
-                    code: 400,
-                    message: 'Invalid credentials',
-                    errors: { password: 'Wrong password' }
-                });
+            const hash = user ? this.storage.getUserPasswordHash(user) : '';
+            const verified = user ? await this.storage.verifyPassword(password, hash) : false;
+            if (!user || !verified) {
+                throw new ApiError({ code: 400, message: 'Invalid credentials' });
             }
             return user;
         }
         throw new ApiError({ code: 401, message: 'Authorization requires user authentication' });
     }
-    defineRoutes() {
-        const routes = [
-            {
-                method: 'post',
-                path: '/v1/login',
-                handler: (req) => this.postLogin(req),
-                auth: { type: 'none', req: 'any' }
-            },
-            {
-                method: 'post',
-                path: '/v1/refresh',
-                handler: (req) => this.postRefresh(req),
-                auth: { type: 'none', req: 'any' }
-            },
-            {
-                method: 'post',
-                path: '/v1/logout',
-                handler: (req) => this.postLogout(req),
-                auth: { type: 'maybe', req: 'any' }
-            },
-            {
-                method: 'post',
-                path: '/v1/whoami',
-                handler: (req) => this.postWhoAmI(req),
-                auth: { type: 'maybe', req: 'any' }
-            },
-            {
-                method: 'post',
-                path: '/v1/impersonations',
-                handler: (req) => this.postImpersonation(req),
-                auth: { type: 'strict', req: 'any' }
-            },
-            {
-                method: 'delete',
-                path: '/v1/impersonations',
-                handler: (req) => this.deleteImpersonation(req),
-                auth: { type: 'strict', req: 'any' }
+    hasPasskeyService() {
+        const storageHints = this.storage;
+        if (storageHints.passkeyService || storageHints.passkeyStore) {
+            return true;
+        }
+        if (storageHints.adapter?.passkeyService || storageHints.adapter?.passkeyStore) {
+            return true;
+        }
+        const serverHints = this.server;
+        return !!serverHints.passkeyServiceAdapter;
+    }
+    hasOAuthStore() {
+        const storageHints = this.storage;
+        if (storageHints.oauthStore) {
+            return true;
+        }
+        if (storageHints.adapter?.oauthStore) {
+            return true;
+        }
+        const serverHints = this.server;
+        return !!serverHints.oauthStoreAdapter;
+    }
+    storageImplements(key) {
+        const candidate = this.storage[key];
+        if (typeof candidate !== 'function') {
+            return false;
+        }
+        const baseImpl = BaseAuthAdapter.prototype[key];
+        return candidate !== baseImpl;
+    }
+    storageImplementsAll(keys) {
+        return keys.every((key) => this.storageImplements(key));
+    }
+    async applyRateLimit(apiReq, endpoint) {
+        if (!this.rateLimitHook) {
+            return;
+        }
+        await this.rateLimitHook({ apiReq, endpoint });
+    }
+    resolvePkceChallengeMethod(value) {
+        if (value === 'S256') {
+            return 'S256';
+        }
+        if (value === 'plain') {
+            if (!this.allowInsecurePkcePlain) {
+                throw new ApiError({ code: 400, message: 'PKCE plain is not permitted' });
             }
-        ];
-        const storage = this.storage;
-        const passkeysSupported = typeof storage.createPasskeyChallenge === 'function' && typeof storage.verifyPasskeyResponse === 'function';
+            return 'plain';
+        }
+        return undefined;
+    }
+    defineRoutes() {
+        const routes = [];
+        const coreAuthSupported = this.storageImplementsAll([
+            'getUser',
+            'getUserPasswordHash',
+            'getUserId',
+            'verifyPassword',
+            'filterUser',
+            'storeToken',
+            'getToken',
+            'deleteToken'
+        ]);
+        if (!coreAuthSupported) {
+            return routes;
+        }
+        routes.push({
+            method: 'post',
+            path: '/v1/login',
+            handler: (req) => this.postLogin(req),
+            auth: { type: 'none', req: 'any' }
+        }, {
+            method: 'post',
+            path: '/v1/refresh',
+            handler: (req) => this.postRefresh(req),
+            auth: { type: 'none', req: 'any' }
+        }, {
+            method: 'post',
+            path: '/v1/logout',
+            handler: (req) => this.postLogout(req),
+            auth: { type: 'maybe', req: 'any' }
+        }, {
+            method: 'post',
+            path: '/v1/whoami',
+            handler: (req) => this.postWhoAmI(req),
+            auth: { type: 'maybe', req: 'any' }
+        }, {
+            method: 'post',
+            path: '/v1/impersonations',
+            handler: (req) => this.postImpersonation(req),
+            auth: { type: 'strict', req: 'any' }
+        }, {
+            method: 'delete',
+            path: '/v1/impersonations',
+            handler: (req) => this.deleteImpersonation(req),
+            auth: { type: 'strict', req: 'any' }
+        });
+        const passkeysSupported = this.hasPasskeyService() &&
+            this.storageImplements('createPasskeyChallenge') &&
+            this.storageImplements('verifyPasskeyResponse');
+        const passkeyCredentialsSupported = passkeysSupported &&
+            this.storageImplements('listUserCredentials') &&
+            this.storageImplements('deletePasskeyCredential');
         if (passkeysSupported) {
             routes.push({
                 method: 'post',
@@ -992,6 +1174,19 @@ class AuthModule extends BaseAuthModule {
                 handler: (req) => this.postPasskeyVerify(req),
                 auth: { type: 'none', req: 'any' }
             });
+            if (passkeyCredentialsSupported) {
+                routes.push({
+                    method: 'get',
+                    path: '/v1/passkeys',
+                    handler: (req) => this.getPasskeys(req),
+                    auth: { type: 'strict', req: 'any' }
+                }, {
+                    method: 'delete',
+                    path: '/v1/passkeys/:credentialId',
+                    handler: (req) => this.deletePasskey(req),
+                    auth: { type: 'strict', req: 'any' }
+                });
+            }
         }
         const externalOAuthSupported = typeof this.server.initiateOAuth === 'function' && typeof this.server.completeOAuth === 'function';
         if (externalOAuthSupported) {
@@ -1007,9 +1202,10 @@ class AuthModule extends BaseAuthModule {
                 auth: { type: 'none', req: 'any' }
             });
         }
-        const oauthStorageSupported = typeof storage.getClient === 'function' &&
-            typeof storage.createAuthCode === 'function' &&
-            typeof storage.consumeAuthCode === 'function';
+        const oauthStorageSupported = this.hasOAuthStore() &&
+            this.storageImplements('getClient') &&
+            this.storageImplements('createAuthCode') &&
+            this.storageImplements('consumeAuthCode');
         if (oauthStorageSupported) {
             routes.push({
                 method: 'post',