@technomoron/api-server-base 2.0.0-beta.2 → 2.0.0-beta.21

package/dist/esm/index.js

@@ -1,22 +1,17 @@
 export { default as ApiServer } from './api-server-base.js';
 export { ApiError } from './api-server-base.js';
 export { ApiModule } from './api-module.js';
-export { nullAuthStorage, BaseAuthStorage } from './auth-api/storage.js';
+export { nullAuthAdapter, BaseAuthAdapter } from './auth-api/storage.js';
 export { nullAuthModule, BaseAuthModule } from './auth-api/module.js';
-export { AuthStorageAdapter } from './auth-api/compat-auth-storage.js';
+export { CompositeAuthAdapter } from './auth-api/compat-auth-storage.js';
 export { MemAuthStore } from './auth-api/mem-auth-store.js';
-export { SqlAuthStore } from './auth-api/sql-auth-store.js';
 export { default as AuthModule } from './auth-api/auth-module.js';
 export { UserStore } from './user/base.js';
 export { MemoryUserStore } from './user/memory.js';
-export { SequelizeUserStore } from './user/sequelize.js';
 export { TokenStore } from './token/base.js';
 export { MemoryTokenStore } from './token/memory.js';
-export { SequelizeTokenStore } from './token/sequelize.js';
 export { PasskeyService } from './passkey/service.js';
 export { PasskeyStore } from './passkey/base.js';
 export { MemoryPasskeyStore } from './passkey/memory.js';
-export { SequelizePasskeyStore } from './passkey/sequelize.js';
 export { OAuthStore } from './oauth/base.js';
 export { MemoryOAuthStore } from './oauth/memory.js';
-export { SequelizeOAuthStore } from './oauth/sequelize.js';

package/dist/esm/oauth/memory.d.ts

@@ -1,11 +1,15 @@
 import { OAuthStore, type AuthCode, type OAuthClient } from './base.js';
 export interface MemoryOAuthStoreOptions {
     bcryptRounds?: number;
+    maxClients?: number;
+    maxAuthCodes?: number;
 }
 export declare class MemoryOAuthStore extends OAuthStore {
     private readonly clients;
     private readonly codes;
     private readonly bcryptRounds;
+    private readonly maxClients?;
+    private readonly maxAuthCodes?;
     constructor(options?: MemoryOAuthStoreOptions);
     getClient(clientId: string): Promise<OAuthClient | null>;
     createClient(input: OAuthClient): Promise<OAuthClient>;
@@ -13,4 +17,6 @@ export declare class MemoryOAuthStore extends OAuthStore {
     createAuthCode(code: AuthCode): Promise<void>;
     consumeAuthCode(code: string): Promise<AuthCode | null>;
     close(): Promise<void>;
+    private enforceClientCapacity;
+    private enforceCodeCapacity;
 }

package/dist/esm/oauth/memory.js

@@ -1,4 +1,5 @@
 import bcrypt from 'bcryptjs';
+import { normalizeComparableUserId } from '../auth-api/user-id.js';
 import { OAuthStore } from './base.js';
 function cloneClient(client) {
     if (!client) {
@@ -6,7 +7,7 @@ function cloneClient(client) {
     }
     return {
         clientId: client.clientId,
-        clientSecret: client.clientSecret,
+        hasSecret: Boolean(client.clientSecret),
         name: client.name,
         redirectUris: [...client.redirectUris],
         scope: client.scope ? [...client.scope] : undefined,
@@ -17,26 +18,28 @@ function cloneClient(client) {
 function cloneCode(code) {
     return {
         ...code,
+        userId: normalizeComparableUserId(code.userId),
         scope: code.scope ? [...code.scope] : undefined,
         expiresAt: new Date(code.expiresAt),
         metadata: code.metadata ? { ...code.metadata } : undefined
     };
 }
-function normalizeUserId(identifier) {
-    if (typeof identifier === 'number' && Number.isFinite(identifier)) {
-        return identifier;
-    }
-    if (typeof identifier === 'string' && /^\d+$/.test(identifier)) {
-        return Number(identifier);
-    }
-    throw new Error(`Unable to normalise user identifier: ${identifier}`);
-}
 export class MemoryOAuthStore extends OAuthStore {
     constructor(options = {}) {
         super();
         this.clients = new Map();
         this.codes = new Map();
         this.bcryptRounds = options.bcryptRounds ?? 12;
+        this.maxClients =
+            typeof options.maxClients === 'number' && Number.isFinite(options.maxClients) && options.maxClients > 0
+                ? Math.floor(options.maxClients)
+                : undefined;
+        this.maxAuthCodes =
+            typeof options.maxAuthCodes === 'number' &&
+                Number.isFinite(options.maxAuthCodes) &&
+                options.maxAuthCodes > 0
+                ? Math.floor(options.maxAuthCodes)
+                : undefined;
     }
     async getClient(clientId) {
         return cloneClient(this.clients.get(clientId));
@@ -53,6 +56,7 @@ export class MemoryOAuthStore extends OAuthStore {
             firstParty: input.firstParty
         };
         this.clients.set(stored.clientId, stored);
+        this.enforceClientCapacity();
         return cloneClient(stored);
     }
     async verifyClientSecret(clientId, secret) {
@@ -71,22 +75,51 @@ export class MemoryOAuthStore extends OAuthStore {
     async createAuthCode(code) {
         const record = {
             ...code,
-            userId: normalizeUserId(code.userId),
+            userId: normalizeComparableUserId(code.userId),
             scope: code.scope ? [...code.scope] : undefined,
             expiresAt: code.expiresAt,
             metadata: code.metadata ? { ...code.metadata } : undefined
         };
         this.codes.set(record.code, record);
+        this.enforceCodeCapacity();
     }
     async consumeAuthCode(code) {
         const record = this.codes.get(code);
         if (!record) {
             return null;
         }
+        if (record.expiresAt.getTime() <= Date.now()) {
+            this.codes.delete(code);
+            return null;
+        }
         this.codes.delete(code);
         return cloneCode(record);
     }
     async close() {
         return;
     }
+    enforceClientCapacity() {
+        if (!this.maxClients) {
+            return;
+        }
+        while (this.clients.size > this.maxClients) {
+            const oldest = this.clients.keys().next().value;
+            if (!oldest) {
+                return;
+            }
+            this.clients.delete(oldest);
+        }
+    }
+    enforceCodeCapacity() {
+        if (!this.maxAuthCodes) {
+            return;
+        }
+        while (this.codes.size > this.maxAuthCodes) {
+            const oldest = this.codes.keys().next().value;
+            if (!oldest) {
+                return;
+            }
+            this.codes.delete(oldest);
+        }
+    }
 }

package/dist/esm/oauth/models.d.ts

@@ -1,4 +1,5 @@
 import { Model, type Optional, type Sequelize } from 'sequelize';
+export { integerIdType, tableOptions } from '../sequelize-utils.js';
 export interface OAuthClientAttributes {
     client_id: string;
     client_secret: string;
@@ -18,7 +19,9 @@ export declare class OAuthClientModel extends Model<OAuthClientAttributes, OAuth
     metadata: string | null;
     first_party: boolean;
 }
-export declare function initOAuthClientModel(sequelize: Sequelize): typeof OAuthClientModel;
+export declare function initOAuthClientModel(sequelize: Sequelize, options?: {
+    tablePrefix?: string;
+}): typeof OAuthClientModel;
 export interface OAuthCodeAttributes {
     code: string;
     client_id: string;
@@ -42,4 +45,6 @@ export declare class OAuthCodeModel extends Model<OAuthCodeAttributes, OAuthCode
     expires: Date;
     metadata: string | null;
 }
-export declare function initOAuthCodeModel(sequelize: Sequelize): typeof OAuthCodeModel;
+export declare function initOAuthCodeModel(sequelize: Sequelize, options?: {
+    tablePrefix?: string;
+}): typeof OAuthCodeModel;

package/dist/esm/oauth/models.js

@@ -1,22 +1,9 @@
 import { DataTypes, Model } from 'sequelize';
-const DIALECTS_SUPPORTING_UNSIGNED = new Set(['mysql', 'mariadb']);
-function integerIdType(sequelize) {
-    return DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? DataTypes.INTEGER.UNSIGNED : DataTypes.INTEGER;
-}
-function tableOptions(sequelize, tableName, extra) {
-    const opts = { sequelize, tableName };
-    if (extra) {
-        Object.assign(opts, extra);
-    }
-    if (DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())) {
-        opts.charset = 'utf8mb4';
-        opts.collate = 'utf8mb4_unicode_ci';
-    }
-    return opts;
-}
+import { integerIdType, tableOptions } from '../sequelize-utils.js';
+export { integerIdType, tableOptions } from '../sequelize-utils.js';
 export class OAuthClientModel extends Model {
 }
-export function initOAuthClientModel(sequelize) {
+export function initOAuthClientModel(sequelize, options = {}) {
     OAuthClientModel.init({
         client_id: { type: DataTypes.STRING(128), allowNull: false, primaryKey: true },
         client_secret: { type: DataTypes.STRING(255), allowNull: false, defaultValue: '' },
@@ -26,13 +13,13 @@ export function initOAuthClientModel(sequelize) {
         metadata: { type: DataTypes.TEXT, allowNull: true, defaultValue: null },
         first_party: { type: DataTypes.BOOLEAN, allowNull: false, defaultValue: false }
     }, {
-        ...tableOptions(sequelize, 'oauth_clients', { timestamps: false })
+        ...tableOptions(sequelize, 'oauth_clients', options.tablePrefix, { timestamps: false })
     });
     return OAuthClientModel;
 }
 export class OAuthCodeModel extends Model {
 }
-export function initOAuthCodeModel(sequelize) {
+export function initOAuthCodeModel(sequelize, options = {}) {
     const idType = integerIdType(sequelize);
     OAuthCodeModel.init({
         code: { type: DataTypes.STRING(128), allowNull: false, primaryKey: true },
@@ -45,7 +32,7 @@ export function initOAuthCodeModel(sequelize) {
         expires: { type: DataTypes.DATE, allowNull: false },
         metadata: { type: DataTypes.TEXT, allowNull: true, defaultValue: null }
     }, {
-        ...tableOptions(sequelize, 'oauth_codes', { timestamps: false })
+        ...tableOptions(sequelize, 'oauth_codes', options.tablePrefix, { timestamps: false })
     });
     return OAuthCodeModel;
 }

package/dist/esm/oauth/sequelize.d.ts

@@ -1,57 +1,19 @@
-import { Model, type Optional, type Sequelize } from 'sequelize';
 import { OAuthStore, type AuthCode, type OAuthClient } from './base.js';
-export interface OAuthClientAttributes {
-    client_id: string;
-    client_secret: string;
-    name: string | null;
-    redirect_uris: string;
-    scope: string;
-    metadata: string | null;
-    first_party: boolean;
-}
-export type OAuthClientCreationAttributes = Optional<OAuthClientAttributes, 'client_secret' | 'name' | 'scope' | 'metadata' | 'first_party'>;
-export declare class OAuthClientModel extends Model<OAuthClientAttributes, OAuthClientCreationAttributes> implements OAuthClientAttributes {
-    client_id: string;
-    client_secret: string;
-    name: string | null;
-    redirect_uris: string;
-    scope: string;
-    metadata: string | null;
-    first_party: boolean;
-}
-export declare function initOAuthClientModel(sequelize: Sequelize): typeof OAuthClientModel;
-export interface OAuthCodeAttributes {
-    code: string;
-    client_id: string;
-    user_id: number;
-    redirect_uri: string;
-    scope: string;
-    code_challenge: string | null;
-    code_challenge_method: 'plain' | 'S256' | null;
-    expires: Date;
-    metadata: string | null;
-}
-export type OAuthCodeCreationAttributes = Optional<OAuthCodeAttributes, 'code_challenge' | 'code_challenge_method' | 'metadata'>;
-export declare class OAuthCodeModel extends Model<OAuthCodeAttributes, OAuthCodeCreationAttributes> implements OAuthCodeAttributes {
-    code: string;
-    client_id: string;
-    user_id: number;
-    redirect_uri: string;
-    scope: string;
-    code_challenge: string | null;
-    code_challenge_method: 'plain' | 'S256' | null;
-    expires: Date;
-    metadata: string | null;
-}
-export declare function initOAuthCodeModel(sequelize: Sequelize): typeof OAuthCodeModel;
+import { OAuthClientModel, OAuthCodeModel } from './models.js';
 export interface SequelizeOAuthStoreOptions {
-    sequelize: Sequelize;
+    sequelize: import('sequelize').Sequelize;
+    tablePrefix?: string;
     clientModel?: typeof OAuthClientModel;
     codeModel?: typeof OAuthCodeModel;
-    clientModelFactory?: (sequelize: Sequelize) => typeof OAuthClientModel;
-    codeModelFactory?: (sequelize: Sequelize) => typeof OAuthCodeModel;
+    clientModelFactory?: (sequelize: import('sequelize').Sequelize, options?: {
+        tablePrefix?: string;
+    }) => typeof OAuthClientModel;
+    codeModelFactory?: (sequelize: import('sequelize').Sequelize, options?: {
+        tablePrefix?: string;
+    }) => typeof OAuthCodeModel;
     bcryptRounds?: number;
 }
+export { OAuthClientModel, OAuthCodeModel, initOAuthClientModel, initOAuthCodeModel, type OAuthClientAttributes, type OAuthClientCreationAttributes, type OAuthCodeAttributes, type OAuthCodeCreationAttributes } from './models.js';
 export declare class SequelizeOAuthStore extends OAuthStore {
     private readonly clients;
     private readonly codes;

package/dist/esm/oauth/sequelize.js

@@ -1,73 +1,10 @@
 import bcrypt from 'bcryptjs';
-import { DataTypes, Model } from 'sequelize';
+import { Transaction } from 'sequelize';
+import { normalizeNumericUserId } from '../auth-api/user-id.js';
+import { decodeStringArray, encodeStringArray } from '../sequelize-utils.js';
 import { OAuthStore } from './base.js';
-const DIALECTS_SUPPORTING_UNSIGNED = new Set(['mysql', 'mariadb']);
-function integerIdType(sequelize) {
-    return DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? DataTypes.INTEGER.UNSIGNED : DataTypes.INTEGER;
-}
-function tableOptions(sequelize, tableName, extra) {
-    const opts = { sequelize, tableName };
-    if (extra) {
-        Object.assign(opts, extra);
-    }
-    if (DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())) {
-        opts.charset = 'utf8mb4';
-        opts.collate = 'utf8mb4_unicode_ci';
-    }
-    return opts;
-}
-export class OAuthClientModel extends Model {
-}
-export function initOAuthClientModel(sequelize) {
-    OAuthClientModel.init({
-        client_id: { type: DataTypes.STRING(128), allowNull: false, primaryKey: true },
-        client_secret: { type: DataTypes.STRING(255), allowNull: false, defaultValue: '' },
-        name: { type: DataTypes.STRING(128), allowNull: true, defaultValue: null },
-        redirect_uris: { type: DataTypes.TEXT, allowNull: false, defaultValue: '[]' },
-        scope: { type: DataTypes.TEXT, allowNull: false, defaultValue: '[]' },
-        metadata: { type: DataTypes.TEXT, allowNull: true, defaultValue: null },
-        first_party: { type: DataTypes.BOOLEAN, allowNull: false, defaultValue: false }
-    }, tableOptions(sequelize, 'oauth_clients', { timestamps: false }));
-    return OAuthClientModel;
-}
-export class OAuthCodeModel extends Model {
-}
-export function initOAuthCodeModel(sequelize) {
-    const idType = integerIdType(sequelize);
-    OAuthCodeModel.init({
-        code: { type: DataTypes.STRING(128), allowNull: false, primaryKey: true },
-        client_id: { type: DataTypes.STRING(128), allowNull: false },
-        user_id: { type: idType, allowNull: false },
-        redirect_uri: { type: DataTypes.TEXT, allowNull: false },
-        scope: { type: DataTypes.TEXT, allowNull: false, defaultValue: '[]' },
-        code_challenge: { type: DataTypes.STRING(255), allowNull: true, defaultValue: null },
-        code_challenge_method: { type: DataTypes.STRING(10), allowNull: true, defaultValue: null },
-        expires: { type: DataTypes.DATE, allowNull: false },
-        metadata: { type: DataTypes.TEXT, allowNull: true, defaultValue: null }
-    }, tableOptions(sequelize, 'oauth_codes', { timestamps: false }));
-    return OAuthCodeModel;
-}
-function encodeStringArray(values) {
-    return JSON.stringify(values ?? []);
-}
-function decodeStringArray(raw) {
-    if (!raw) {
-        return [];
-    }
-    try {
-        const parsed = JSON.parse(raw);
-        if (Array.isArray(parsed)) {
-            return parsed.filter((entry) => typeof entry === 'string' && entry.length > 0);
-        }
-    }
-    catch {
-        // ignore malformed values
-    }
-    return raw
-        .split(/\s+/)
-        .map((entry) => entry.trim())
-        .filter((entry) => entry.length > 0);
-}
+import { initOAuthClientModel, initOAuthCodeModel } from './models.js';
+export { OAuthClientModel, OAuthCodeModel, initOAuthClientModel, initOAuthCodeModel } from './models.js';
 function serializeMetadata(metadata) {
     if (!metadata) {
         return null;
@@ -89,23 +26,22 @@ function parseMetadata(raw) {
     }
     return undefined;
 }
-function normalizeUserId(identifier) {
-    if (typeof identifier === 'number' && Number.isFinite(identifier)) {
-        return identifier;
-    }
-    if (typeof identifier === 'string' && /^\d+$/.test(identifier)) {
-        return Number(identifier);
-    }
-    throw new Error(`Unable to normalise user identifier: ${identifier}`);
-}
 export class SequelizeOAuthStore extends OAuthStore {
     constructor(options) {
         super();
         if (!options?.sequelize) {
             throw new Error('SequelizeOAuthStore requires an initialised Sequelize instance');
         }
-        this.clients = options.clientModel ?? (options.clientModelFactory ?? initOAuthClientModel)(options.sequelize);
-        this.codes = options.codeModel ?? (options.codeModelFactory ?? initOAuthCodeModel)(options.sequelize);
+        this.clients =
+            options.clientModel ??
+                (options.clientModelFactory ?? initOAuthClientModel)(options.sequelize, {
+                    tablePrefix: options.tablePrefix
+                });
+        this.codes =
+            options.codeModel ??
+                (options.codeModelFactory ?? initOAuthCodeModel)(options.sequelize, {
+                    tablePrefix: options.tablePrefix
+                });
         this.bcryptRounds = options.bcryptRounds ?? 12;
     }
     async getClient(clientId) {
@@ -152,7 +88,7 @@ export class SequelizeOAuthStore extends OAuthStore {
         await this.codes.create({
             code: code.code,
             client_id: code.clientId,
-            user_id: normalizeUserId(code.userId),
+            user_id: normalizeNumericUserId(code.userId),
             redirect_uri: code.redirectUri ?? '',
             scope: encodeStringArray(code.scope),
             code_challenge: code.codeChallenge ?? null,
@@ -162,12 +98,21 @@ export class SequelizeOAuthStore extends OAuthStore {
         });
     }
     async consumeAuthCode(code) {
-        const model = await this.codes.findByPk(code);
-        if (!model) {
-            return null;
+        const sequelize = this.codes.sequelize;
+        if (!sequelize) {
+            throw new Error('Code model is not bound to a Sequelize instance');
         }
-        await model.destroy();
-        return this.toAuthCode(model);
+        return sequelize.transaction({ isolationLevel: Transaction.ISOLATION_LEVELS.READ_COMMITTED }, async (transaction) => {
+            const model = await this.codes.findByPk(code, { transaction, lock: true });
+            if (!model) {
+                return null;
+            }
+            await model.destroy({ transaction });
+            if (model.expires.getTime() <= Date.now()) {
+                return null;
+            }
+            return this.toAuthCode(model);
+        });
     }
     async close() {
         return;
@@ -175,7 +120,7 @@ export class SequelizeOAuthStore extends OAuthStore {
     toOAuthClient(model) {
         return {
             clientId: model.client_id,
-            clientSecret: model.client_secret,
+            hasSecret: Boolean(model.client_secret),
             name: model.name ?? undefined,
             redirectUris: decodeStringArray(model.redirect_uris),
             scope: decodeStringArray(model.scope),
@@ -187,7 +132,7 @@ export class SequelizeOAuthStore extends OAuthStore {
         return {
             code: model.code,
             clientId: model.client_id,
-            userId: model.user_id,
+            userId: String(model.user_id),
             redirectUri: model.redirect_uri,
             scope: decodeStringArray(model.scope),
             codeChallenge: model.code_challenge ?? undefined,

package/dist/esm/oauth/types.d.ts

@@ -2,6 +2,7 @@ import type { AuthIdentifier } from '../auth-api/types.js';
 export interface OAuthClient {
     clientId: string;
     clientSecret?: string;
+    hasSecret?: boolean;
     firstParty?: boolean;
     metadata?: Record<string, unknown>;
     name?: string;

package/dist/esm/passkey/base.d.ts

@@ -6,10 +6,12 @@ export declare abstract class PasskeyStore implements PasskeyStorageAdapter {
         login?: string;
     }): Promise<PasskeyUserDescriptor | null>;
     abstract listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    abstract deleteCredential(credentialId: Buffer | string): Promise<boolean>;
     abstract findCredentialById(credentialId: Buffer): Promise<StoredPasskeyCredential | null>;
     abstract saveCredential(record: StoredPasskeyCredential): Promise<void>;
     abstract updateCredentialCounter(credentialId: Buffer, counter: number): Promise<void>;
     abstract saveChallenge(record: PasskeyChallengeRecord): Promise<void>;
+    abstract getChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
     abstract consumeChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
     abstract cleanupChallenges(now: Date): Promise<void>;
 }

package/dist/esm/passkey/config.d.ts

@@ -0,0 +1,2 @@
+import type { PasskeyServiceConfig } from './types.js';
+export declare function normalizePasskeyConfig(config?: Partial<PasskeyServiceConfig>): PasskeyServiceConfig;

package/dist/esm/passkey/config.js

@@ -0,0 +1,23 @@
+const DEFAULT_PASSKEY_CONFIG = {
+    rpId: 'localhost',
+    rpName: 'API Server',
+    origins: ['http://localhost:5173'],
+    timeoutMs: 5 * 60 * 1000,
+    userVerification: 'preferred'
+};
+function isOriginString(origin) {
+    return typeof origin === 'string' && origin.trim().length > 0;
+}
+export function normalizePasskeyConfig(config = {}) {
+    const candidateOrigins = Array.isArray(config.origins) && config.origins.length > 0 ? config.origins.filter(isOriginString) : null;
+    return {
+        rpId: config.rpId?.trim() || DEFAULT_PASSKEY_CONFIG.rpId,
+        rpName: config.rpName?.trim() || DEFAULT_PASSKEY_CONFIG.rpName,
+        origins: candidateOrigins ? candidateOrigins.map((origin) => origin.trim()) : DEFAULT_PASSKEY_CONFIG.origins,
+        timeoutMs: typeof config.timeoutMs === 'number' && config.timeoutMs > 0
+            ? config.timeoutMs
+            : DEFAULT_PASSKEY_CONFIG.timeoutMs,
+        userVerification: config.userVerification ?? DEFAULT_PASSKEY_CONFIG.userVerification,
+        debug: Boolean(config.debug)
+    };
+}

package/dist/esm/passkey/memory.d.ts

@@ -6,21 +6,29 @@ export interface MemoryPasskeyStoreOptions {
         userId?: AuthIdentifier;
         login?: string;
     }) => Promise<PasskeyUserDescriptor | null>;
+    maxCredentials?: number;
+    maxChallenges?: number;
 }
 export declare class MemoryPasskeyStore extends PasskeyStore {
     private readonly resolveUserFn;
     private readonly credentials;
     private readonly challenges;
+    private readonly maxCredentials?;
+    private readonly maxChallenges?;
     constructor(options: MemoryPasskeyStoreOptions);
     resolveUser(params: {
         userId?: AuthIdentifier;
         login?: string;
     }): Promise<PasskeyUserDescriptor | null>;
     listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deleteCredential(credentialId: Buffer | string): Promise<boolean>;
     findCredentialById(credentialId: Buffer): Promise<StoredPasskeyCredential | null>;
     saveCredential(record: StoredPasskeyCredential): Promise<void>;
     updateCredentialCounter(credentialId: Buffer, counter: number): Promise<void>;
     saveChallenge(record: PasskeyChallengeRecord): Promise<void>;
+    getChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
     consumeChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
     cleanupChallenges(now: Date): Promise<void>;
+    private enforceCredentialCapacity;
+    private enforceChallengeCapacity;
 }