@technomoron/api-server-base 2.0.0-beta.2 → 2.0.0-beta.21

package/dist/esm/passkey/service.js

@@ -1,5 +1,5 @@
 import { generateAuthenticationOptions, generateRegistrationOptions, verifyAuthenticationResponse, verifyRegistrationResponse } from '@simplewebauthn/server';
-import { isoBase64URL } from '@simplewebauthn/server/helpers';
+import { isoBase64URL, isoCBOR, decodeAttestationObject, parseAuthenticatorData } from '@simplewebauthn/server/helpers';
 const ALLOWED_TRANSPORTS = [
     'ble',
     'cable',
@@ -18,6 +18,13 @@ function sanitizeTransports(input) {
         .filter((value) => ALLOWED_TRANSPORTS.includes(value));
     return filtered.length > 0 ? filtered : undefined;
 }
+function toOptionalString(value) {
+    if (typeof value !== 'string') {
+        return undefined;
+    }
+    const trimmed = value.trim();
+    return trimmed.length > 0 ? trimmed : undefined;
+}
 function toBase64Url(buffer) {
     return isoBase64URL.fromBuffer(new Uint8Array(buffer));
 }
@@ -31,30 +38,112 @@ function toBuffer(value) {
     const view = value instanceof Uint8Array ? value : new Uint8Array(value);
     return Buffer.from(view);
 }
+function toBufferOrNull(value) {
+    if (!value) {
+        return null;
+    }
+    if (Buffer.isBuffer(value)) {
+        return value;
+    }
+    if (value instanceof ArrayBuffer || value instanceof Uint8Array) {
+        return toBuffer(value);
+    }
+    if (typeof value === 'string') {
+        try {
+            return fromBase64Url(value);
+        }
+        catch {
+            return null;
+        }
+    }
+    return null;
+}
+async function spkiToCosePublicKey(spki) {
+    try {
+        const subtle = (globalThis.crypto?.subtle ??
+            (await import('crypto')).webcrypto?.subtle);
+        if (!subtle) {
+            return null;
+        }
+        const spkiView = new Uint8Array(spki);
+        const ecCurves = [
+            { namedCurve: 'P-256', crv: 1, alg: -7, rawLength: 65 },
+            { namedCurve: 'P-384', crv: 2, alg: -35, rawLength: 97 },
+            { namedCurve: 'P-521', crv: 3, alg: -36, rawLength: 133 }
+        ];
+        for (const curve of ecCurves) {
+            try {
+                const key = await subtle.importKey('spki', spkiView, { name: 'ECDSA', namedCurve: curve.namedCurve }, true, ['verify']);
+                const raw = Buffer.from(await subtle.exportKey('raw', key));
+                if (raw.length !== curve.rawLength || raw[0] !== 0x04) {
+                    continue;
+                }
+                const coordLength = (raw.length - 1) / 2;
+                const x = raw.slice(1, 1 + coordLength);
+                const y = raw.slice(1 + coordLength);
+                const coseMap = new Map([
+                    [1, 2], // kty: EC2
+                    [3, curve.alg],
+                    [-1, curve.crv],
+                    [-2, x],
+                    [-3, y]
+                ]);
+                return Buffer.from(isoCBOR.encode(coseMap));
+            }
+            catch {
+                // try next algorithm
+            }
+        }
+        try {
+            const edKey = await subtle.importKey('spki', spkiView, { name: 'Ed25519' }, true, ['verify']);
+            const raw = Buffer.from(await subtle.exportKey('raw', edKey));
+            if (raw.length !== 32) {
+                return null;
+            }
+            const coseMap = new Map([
+                [1, 1], // kty: OKP
+                [3, -8], // alg: EdDSA
+                [-1, 6], // crv: Ed25519
+                [-2, raw]
+            ]);
+            return Buffer.from(isoCBOR.encode(coseMap));
+        }
+        catch {
+            return null;
+        }
+    }
+    catch {
+        return null;
+    }
+}
 export class PasskeyService {
     constructor(config, adapter, logger = console) {
         this.config = config;
         this.adapter = adapter;
         this.logger = logger;
     }
+    async listUserCredentials(userId) {
+        return this.adapter.listUserCredentials(userId);
+    }
+    async deleteCredential(credentialId) {
+        return this.adapter.deleteCredential(credentialId);
+    }
     async createChallenge(params) {
         await this.adapter.cleanupChallenges?.(new Date());
-        const metadata = {
-            domain: typeof params.domain === 'string' ? params.domain : undefined,
-            fingerprint: typeof params.fingerprint === 'string' ? params.fingerprint : undefined,
-            label: typeof params.label === 'string' ? params.label : undefined,
-            userAgent: typeof params.userAgent === 'string' ? params.userAgent : undefined
-        };
         if (params.action === 'register') {
-            return this.createRegistrationChallenge(params, metadata);
+            return this.createRegistrationChallenge(params);
         }
         if (params.action === 'authenticate') {
-            return this.createAuthenticationChallenge(params, metadata);
+            return this.createAuthenticationChallenge(params);
         }
         throw new Error(`Unsupported passkey action: ${String(params.action)}`);
     }
     async verifyResponse(params) {
         await this.adapter.cleanupChallenges?.(new Date());
+        const existing = this.adapter.getChallenge ? await this.adapter.getChallenge(params.expectedChallenge) : null;
+        if (existing && existing.expiresAt.getTime() <= Date.now()) {
+            return { verified: false };
+        }
         const record = await this.adapter.consumeChallenge(params.expectedChallenge);
         if (!record) {
             return { verified: false };
@@ -75,7 +164,7 @@ export class PasskeyService {
         }
         return { verified: false };
     }
-    async createRegistrationChallenge(params, metadata) {
+    async createRegistrationChallenge(params) {
         const user = await this.requireUser({ userId: params.userId, login: params.login });
         const existing = await this.adapter.listUserCredentials(user.id);
         const excludeCredentials = existing.map((credential) => {
@@ -98,16 +187,16 @@ export class PasskeyService {
             action: 'register',
             userId: user.id,
             login: user.login,
-            expiresAt,
-            metadata
+            expiresAt
         });
         return {
             challenge: options.challenge,
             expiresAt: expiresAt.toISOString(),
-            userId: user.id
+            userId: user.id,
+            publicKey: options
         };
     }
-    async createAuthenticationChallenge(params, metadata) {
+    async createAuthenticationChallenge(params) {
         const user = await this.requireUser({ userId: params.userId, login: params.login });
         const credentials = await this.adapter.listUserCredentials(user.id);
         const allowCredentials = credentials.map((credential) => {
@@ -127,13 +216,13 @@ export class PasskeyService {
             action: 'authenticate',
             userId: user.id,
             login: user.login,
-            expiresAt,
-            metadata
+            expiresAt
         });
         return {
             challenge: options.challenge,
             expiresAt: expiresAt.toISOString(),
-            userId: user.id
+            userId: user.id,
+            publicKey: options
         };
     }
     async verifyRegistration(params, record) {
@@ -149,20 +238,71 @@ export class PasskeyService {
             expectedChallenge: record.challenge,
             expectedOrigin: this.config.origins,
             expectedRPID: this.config.rpId,
-            requireUserVerification: true
+            requireUserVerification: this.requireUserVerification()
         });
         if (!result.verified || !result.registrationInfo) {
+            if (!result.verified) {
+                const err = result.error ?? result;
+                this.logger.error?.('Passkey registration verification failed', err);
+            }
             return { verified: false };
         }
         const registrationInfo = result.registrationInfo;
+        const attestationResponse = params.response.response;
+        const credentialIdPrimary = toBufferOrNull(registrationInfo.credentialID);
+        const credentialIdFallback = toBufferOrNull(params.response.id);
+        const credentialId = credentialIdPrimary && credentialIdPrimary.length > 0 ? credentialIdPrimary : credentialIdFallback;
+        const publicKeyPrimary = toBufferOrNull(registrationInfo.credentialPublicKey);
+        let publicKeyFallback = toBufferOrNull(attestationResponse?.publicKey);
+        if ((!publicKeyPrimary || publicKeyPrimary.length === 0) && attestationResponse?.attestationObject) {
+            try {
+                const attestationObject = String(attestationResponse.attestationObject);
+                const attObj = decodeAttestationObject(isoBase64URL.toBuffer(attestationObject));
+                const parsedAuth = parseAuthenticatorData(attObj.get('authData'));
+                publicKeyFallback = toBufferOrNull(parsedAuth.credentialPublicKey) ?? publicKeyFallback;
+            }
+            catch (error) {
+                this.logger.warn?.('Passkey registration: failed to parse attestationObject', error);
+            }
+        }
+        const publicKey = publicKeyPrimary && publicKeyPrimary.length > 0 ? publicKeyPrimary : publicKeyFallback;
+        if (this.config.debug && this.logger?.warn) {
+            const pkPrimaryHex = publicKeyPrimary ? publicKeyPrimary.slice(0, 4).toString('hex') : 'null';
+            const pkFallbackHex = publicKeyFallback ? publicKeyFallback.slice(0, 4).toString('hex') : 'null';
+            this.logger.warn(`Passkey registration: pkPrimary len=${publicKeyPrimary?.length ?? 0} head=${pkPrimaryHex}, pkFallback len=${publicKeyFallback?.length ?? 0} head=${pkFallbackHex}`);
+        }
+        if (!credentialId || credentialId.length === 0) {
+            return { verified: false, message: 'Missing credential id in registration response' };
+        }
+        if (!publicKey || publicKey.length === 0) {
+            return { verified: false, message: 'Missing public key in registration response' };
+        }
+        let storedPublicKey = Buffer.isBuffer(publicKey) ? publicKey : toBuffer(publicKey);
+        // If fallback is an SPKI key (DER, starts with 0x30) convert to COSE so verification succeeds.
+        if (storedPublicKey[0] === 0x30) {
+            const converted = await spkiToCosePublicKey(storedPublicKey);
+            if (converted) {
+                storedPublicKey = converted;
+            }
+            else {
+                this.logger.warn?.('Passkey registration: failed to convert SPKI public key to COSE');
+            }
+        }
         await this.adapter.saveCredential({
             userId: user.id,
-            credentialId: toBuffer(registrationInfo.credentialID),
-            publicKey: toBuffer(registrationInfo.credentialPublicKey),
-            counter: registrationInfo.counter,
+            credentialId,
+            publicKey: storedPublicKey,
+            counter: registrationInfo.counter ?? 0,
             transports: sanitizeTransports(params.response.transports),
             backedUp: registrationInfo.credentialDeviceType === 'multiDevice',
-            deviceType: registrationInfo.credentialDeviceType
+            deviceType: registrationInfo.credentialDeviceType,
+            label: toOptionalString(params.label),
+            createdDomain: toOptionalString(params.domain),
+            createdUserAgent: toOptionalString(params.userAgent),
+            createdBrowser: toOptionalString(params.browser),
+            createdOs: toOptionalString(params.os),
+            createdDevice: toOptionalString(params.device),
+            createdIp: toOptionalString(params.ip)
         });
         return { verified: true, userId: user.id, login: user.login };
     }
@@ -179,22 +319,24 @@ export class PasskeyService {
         }
         const user = await this.requireUser({ userId: credential.userId, login: record.login });
         const storedAuthData = {
-            credentialID: credential.credentialId,
+            id: toBase64Url(credential.credentialId),
+            publicKey: new Uint8Array(toBuffer(credential.publicKey)),
             counter: credential.counter,
-            credentialBackedUp: credential.backedUp,
-            credentialDeviceType: credential.deviceType,
-            credentialPublicKey: credential.publicKey,
             transports: credential.transports ?? undefined
+            // simplewebauthn accepts either Uint8Array or Buffer; ensure Buffer
+            // see https://github.com/MasterKale/SimpleWebAuthn/blob/master/packages/server/src/authentication/verifyAuthenticationResponse.ts
         };
         const result = await verifyAuthenticationResponse({
             response,
             expectedChallenge: record.challenge,
             expectedOrigin: this.config.origins,
             expectedRPID: this.config.rpId,
-            authenticator: storedAuthData,
-            requireUserVerification: true
+            credential: storedAuthData,
+            requireUserVerification: this.requireUserVerification()
         });
         if (!result.verified) {
+            const err = result.error ?? result;
+            this.logger.error?.('Passkey authentication verification failed', err);
             return { verified: false };
         }
         await this.adapter.updateCredentialCounter(credential.credentialId, result.authenticationInfo.newCounter);
@@ -214,4 +356,7 @@ export class PasskeyService {
     createExpiry() {
         return new Date(Date.now() + this.config.timeoutMs);
     }
+    requireUserVerification() {
+        return this.config.userVerification !== 'discouraged';
+    }
 }

package/dist/esm/passkey/types.d.ts

@@ -8,12 +8,11 @@ export interface PasskeyServiceConfig {
     origins: string[];
     timeoutMs: number;
     userVerification?: 'preferred' | 'required' | 'discouraged';
-}
-export interface PasskeyChallengeMetadata {
-    domain?: string;
-    fingerprint?: string;
-    label?: string;
-    userAgent?: string;
+    /**
+     * When enabled, PasskeyService emits additional diagnostic logs during registration/authentication.
+     * Defaults to false.
+     */
+    debug?: boolean;
 }
 export interface PasskeyChallengeRecord {
     challenge: string;
@@ -21,7 +20,6 @@ export interface PasskeyChallengeRecord {
     userId?: AuthIdentifier;
     login?: string;
     expiresAt: Date;
-    metadata: PasskeyChallengeMetadata;
 }
 export interface PasskeyUserDescriptor {
     id: AuthIdentifier;
@@ -36,6 +34,15 @@ export interface StoredPasskeyCredential {
     transports?: AuthenticatorTransportFuture[];
     backedUp: boolean;
     deviceType: CredentialDeviceType;
+    label?: string;
+    createdDomain?: string;
+    createdUserAgent?: string;
+    createdBrowser?: string;
+    createdOs?: string;
+    createdDevice?: string;
+    createdIp?: string;
+    createdAt?: Date;
+    updatedAt?: Date;
 }
 export interface PasskeyStorageAdapter {
     resolveUser(params: {
@@ -43,17 +50,18 @@ export interface PasskeyStorageAdapter {
         login?: string;
     }): Promise<PasskeyUserDescriptor | null>;
     listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deleteCredential(credentialId: Buffer | string): Promise<boolean>;
     findCredentialById(credentialId: Buffer): Promise<StoredPasskeyCredential | null>;
     saveCredential(record: StoredPasskeyCredential): Promise<void>;
     updateCredentialCounter(credentialId: Buffer, counter: number): Promise<void>;
     saveChallenge(record: PasskeyChallengeRecord): Promise<void>;
+    getChallenge?(challenge: string): Promise<PasskeyChallengeRecord | null>;
     consumeChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
     cleanupChallenges?(now: Date): Promise<void>;
 }
-export interface PasskeyChallengeParams extends Partial<Omit<Token, 'userId'>> {
+export interface PasskeyChallengeParams {
     action: 'register' | 'authenticate';
     login?: string;
-    userAgent?: string;
     userId?: AuthIdentifier;
 }
 export interface PasskeyChallenge extends Record<string, unknown> {
@@ -66,6 +74,7 @@ export interface PasskeyVerificationParams extends Partial<Omit<Token, 'userId'>
     login?: string;
     response: Record<string, unknown>;
     userId?: AuthIdentifier;
+    userAgent?: string;
 }
 export interface PasskeyVerificationResult extends Record<string, unknown> {
     login?: string;

package/dist/esm/sequelize-utils.d.ts

@@ -0,0 +1,8 @@
+import { DataTypes, type InitOptions, type Model, type Sequelize } from 'sequelize';
+export declare const DIALECTS_SUPPORTING_UNSIGNED: Set<string>;
+export declare function integerIdType(sequelize: Sequelize): DataTypes.IntegerDataTypeConstructor;
+export declare function tableOptions<ModelType extends Model>(sequelize: Sequelize, tableName: string, tablePrefix?: string, extra?: Partial<InitOptions<ModelType>>): InitOptions<ModelType>;
+export declare function normalizeTablePrefix(prefix?: string): string | undefined;
+export declare function applyTablePrefix(prefix: string | undefined, tableName: string): string;
+export declare function encodeStringArray(values: string[] | undefined): string;
+export declare function decodeStringArray(raw: string | null | undefined): string[];

package/dist/esm/sequelize-utils.js

@@ -0,0 +1,48 @@
+import { DataTypes } from 'sequelize';
+export const DIALECTS_SUPPORTING_UNSIGNED = new Set(['mysql', 'mariadb']);
+export function integerIdType(sequelize) {
+    return DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? DataTypes.INTEGER.UNSIGNED : DataTypes.INTEGER;
+}
+export function tableOptions(sequelize, tableName, tablePrefix, extra) {
+    const opts = { sequelize, tableName: applyTablePrefix(tablePrefix, tableName) };
+    if (extra) {
+        Object.assign(opts, extra);
+    }
+    if (DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())) {
+        opts.charset = 'utf8mb4';
+        opts.collate = 'utf8mb4_unicode_ci';
+    }
+    return opts;
+}
+export function normalizeTablePrefix(prefix) {
+    if (!prefix) {
+        return undefined;
+    }
+    const trimmed = prefix.trim();
+    return trimmed.length > 0 ? trimmed : undefined;
+}
+export function applyTablePrefix(prefix, tableName) {
+    const normalized = normalizeTablePrefix(prefix);
+    return normalized ? `${normalized}${tableName}` : tableName;
+}
+export function encodeStringArray(values) {
+    return JSON.stringify(values ?? []);
+}
+export function decodeStringArray(raw) {
+    if (!raw) {
+        return [];
+    }
+    try {
+        const parsed = JSON.parse(raw);
+        if (Array.isArray(parsed)) {
+            return parsed.filter((entry) => typeof entry === 'string' && entry.length > 0);
+        }
+    }
+    catch {
+        // ignore malformed values
+    }
+    return raw
+        .split(/\s+/)
+        .map((entry) => entry.trim())
+        .filter((entry) => entry.length > 0);
+}

package/dist/esm/token/base.d.ts

@@ -5,6 +5,7 @@ export interface JwtSignResult {
     token?: string;
     error?: string;
 }
+export type JwtSignPayload = string | Buffer | Record<string, unknown>;
 export interface JwtVerifyResult<T> {
     success: boolean;
     data?: T;
@@ -32,7 +33,7 @@ export declare abstract class TokenStore {
     }): Promise<Token[]>;
     abstract close(): Promise<void>;
     normalizeToken(token: Partial<Token>): Token;
-    jwtSign(payload: any, secret: string, expiresInSeconds: number, options?: SignOptions): JwtSignResult;
+    jwtSign(payload: JwtSignPayload, secret: string, expiresInSeconds: number, options?: SignOptions): JwtSignResult;
     jwtVerify<T>(token: string, secret: string, options?: VerifyOptions): JwtVerifyResult<T>;
     jwtDecode<T>(token: string, options?: DecodeOptions): JwtDecodeResult<T>;
 }

package/dist/esm/token/base.js

@@ -43,10 +43,10 @@ function normalizeTokenInternal(input) {
     const status = input.status === 'revoked' ? 'revoked' : expires.getTime() < Date.now() ? 'expired' : 'active';
     const sessionCookie = typeof input.sessionCookie === 'boolean' ? input.sessionCookie : false;
     return {
-        ...input,
         accessToken: input.accessToken,
         refreshToken: input.refreshToken,
         userId,
+        clientId: typeof input.clientId === 'string' && input.clientId.length > 0 ? input.clientId : undefined,
         domain: typeof input.domain === 'string' ? input.domain : '',
         fingerprint: typeof input.fingerprint === 'string' ? input.fingerprint : '',
         label: typeof input.label === 'string' ? input.label : '',
@@ -70,6 +70,8 @@ export class TokenStore {
     normalizeToken(token) {
         return normalizeTokenInternal(token);
     }
+    // JWT helpers live on TokenStore so every adapter automatically exposes
+    // signing/verification without additional wiring.
     jwtSign(payload, secret, expiresInSeconds, options) {
         const opts = { ...(options ?? {}), expiresIn: expiresInSeconds };
         try {

package/dist/esm/token/memory.d.ts

@@ -1,7 +1,16 @@
 import { TokenStore } from './base.js';
 import type { Token } from './types.js';
+export interface MemoryTokenStoreOptions {
+    maxTokens?: number;
+}
 export declare class MemoryTokenStore extends TokenStore {
     private readonly tokens;
+    private readonly tokensByUser;
+    private readonly maxTokens?;
+    constructor(options?: MemoryTokenStoreOptions);
+    private indexToken;
+    private unindexToken;
+    private removeByRefreshToken;
     save(record: Token): Promise<void>;
     get(query: Partial<Token>, opts?: {
         includeExpired?: boolean;
@@ -16,4 +25,5 @@ export declare class MemoryTokenStore extends TokenStore {
         includeExpired?: boolean;
     }): Promise<Token[]>;
     close(): Promise<void>;
+    private enforceCapacity;
 }