@technomoron/api-server-base 2.0.0-beta.2 → 2.0.0-beta.4

package/dist/cjs/api-server-base.cjs

@@ -370,7 +370,7 @@ class ApiServer {
         this.config = fillConfig(config);
         this.apiBasePath = this.normalizeApiBasePath(this.config.apiBasePath);
         this.startedAt = Date.now();
-        this.storageAdapter = storage_js_1.nullAuthStorage;
+        this.storageAdapter = storage_js_1.nullAuthAdapter;
         this.moduleAdapter = module_js_1.nullAuthModule;
         this.jwtHelper = new JwtHelperStore();
         this.tokenStoreAdapter = this.config.tokenStore ?? null;
@@ -454,7 +454,7 @@ class ApiServer {
         }
         return this.oauthStoreAdapter;
     }
-    // AuthStorage-compatible helpers (used by AuthModule)
+    // AuthAdapter-compatible helpers (used by AuthModule)
     async getUser(identifier) {
         return this.userStoreAdapter ? this.userStoreAdapter.findUser(identifier) : null;
     }

package/dist/cjs/api-server-base.d.ts

@@ -9,7 +9,7 @@ import { ApiModule } from './api-module.js';
 import { TokenStore, type JwtDecodeResult, type JwtSignResult, type JwtVerifyResult } from './token/base.js';
 import type { ApiAuthClass, ApiKey } from './api-module.js';
 import type { AuthProviderModule } from './auth-api/module.js';
-import type { AuthStorage, AuthIdentifier } from './auth-api/types.js';
+import type { AuthAdapter, AuthIdentifier } from './auth-api/types.js';
 import type { OAuthStore } from './oauth/base.js';
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from './oauth/types.js';
 import type { PasskeyService } from './passkey/service.js';
@@ -122,17 +122,17 @@ export declare class ApiServer {
     private canImpersonateAdapter;
     private readonly jwtHelper;
     constructor(config?: Partial<ApiServerConf>);
-    authStorage<UserRow, SafeUser>(storage: AuthStorage<UserRow, SafeUser>): this;
+    authStorage<UserRow, SafeUser>(storage: AuthAdapter<UserRow, SafeUser>): this;
     /**
      * @deprecated Use {@link ApiServer.authStorage} instead.
      */
-    useAuthStorage<UserRow, SafeUser>(storage: AuthStorage<UserRow, SafeUser>): this;
+    useAuthStorage<UserRow, SafeUser>(storage: AuthAdapter<UserRow, SafeUser>): this;
     authModule<UserRow>(module: AuthProviderModule<UserRow>): this;
     /**
      * @deprecated Use {@link ApiServer.authModule} instead.
      */
     useAuthModule<UserRow>(module: AuthProviderModule<UserRow>): this;
-    getAuthStorage(): AuthStorage<any, any>;
+    getAuthStorage(): AuthAdapter<any, any>;
     getAuthModule(): AuthProviderModule<any>;
     setTokenStore(store: TokenStore): this;
     getTokenStore(): TokenStore | null;

package/dist/cjs/auth-api/auth-module.d.ts

@@ -1,6 +1,6 @@
 import { type ApiRequest, type ApiRoute, type ApiServer } from '../api-server-base.js';
 import { BaseAuthModule, type AuthProviderModule } from './module.js';
-import type { AuthIdentifier, AuthStorage } from './types.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
 import type { OAuthCallbackParams, OAuthCallbackResult, OAuthStartParams, OAuthStartResult } from '../oauth/types.js';
 import type { TokenPair, Token } from '../token/types.js';
 interface CanImpersonateContext<UserEntity> {
@@ -46,7 +46,7 @@ export default class AuthModule<UserEntity, PublicUser> extends BaseAuthModule<U
     private readonly defaultDomain?;
     private readonly canImpersonateHook?;
     constructor(options?: AuthModuleOptions<UserEntity>);
-    protected get storage(): AuthStorage<UserEntity, PublicUser>;
+    protected get storage(): AuthAdapter<UserEntity, PublicUser>;
     protected canImpersonate(apiReq: ApiRequest, realUser: UserEntity, targetUser: UserEntity): Promise<boolean>;
     protected ensureImpersonationAllowed(apiReq: ApiRequest, realUser: UserEntity, targetUser: UserEntity): Promise<void>;
     protected buildTokenPayload(user: UserEntity, metadata?: TokenMetadata): TokenClaims;
@@ -57,6 +57,9 @@ export default class AuthModule<UserEntity, PublicUser> extends BaseAuthModule<U
     private resolveSessionPreferences;
     private mergeSessionPreferences;
     private sessionPrefsFromRecord;
+    private validateCredentialId;
+    private normalizeCredentialId;
+    private toIsoDate;
     private cookieOptions;
     private setJwtCookies;
     issueTokens(apiReq: ApiRequest, user: UserEntity, metadata?: TokenIssueOptions): Promise<TokenPair>;
@@ -76,6 +79,8 @@ export default class AuthModule<UserEntity, PublicUser> extends BaseAuthModule<U
     private postWhoAmI;
     private postPasskeyChallenge;
     private postPasskeyVerify;
+    private getPasskeys;
+    private deletePasskey;
     private postImpersonation;
     private deleteImpersonation;
     private getUserFromPasskey;
@@ -91,6 +96,10 @@ export default class AuthModule<UserEntity, PublicUser> extends BaseAuthModule<U
     private resolveClientAuthentication;
     private assertRedirectUriAllowed;
     private resolveUserForOAuth;
+    private hasPasskeyService;
+    private hasOAuthStore;
+    private storageImplements;
+    private storageImplementsAll;
     defineRoutes(): ApiRoute[];
 }
 export {};

package/dist/cjs/auth-api/auth-module.js

@@ -1,8 +1,10 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 const node_crypto_1 = require("node:crypto");
+const helpers_1 = require("@simplewebauthn/server/helpers");
 const api_server_base_js_1 = require("../api-server-base.js");
 const module_js_1 = require("./module.js");
+const storage_js_1 = require("./storage.js");
 function isAuthIdentifier(value) {
     return typeof value === 'string' || typeof value === 'number';
 }
@@ -183,6 +185,44 @@ class AuthModule extends module_js_1.BaseAuthModule {
         }
         return prefs;
     }
+    validateCredentialId(apiReq) {
+        const paramId = toStringOrNull(apiReq.req.params?.credentialId);
+        const bodyId = toStringOrNull(apiReq.req.body?.credentialId);
+        const credentialId = paramId ?? bodyId;
+        if (!credentialId) {
+            throw new api_server_base_js_1.ApiError({ code: 400, message: 'credentialId is required' });
+        }
+        try {
+            helpers_1.isoBase64URL.toBuffer(credentialId);
+        }
+        catch {
+            throw new api_server_base_js_1.ApiError({ code: 400, message: 'Invalid credentialId' });
+        }
+        return credentialId;
+    }
+    normalizeCredentialId(value) {
+        if (Buffer.isBuffer(value)) {
+            return value;
+        }
+        try {
+            return Buffer.from(helpers_1.isoBase64URL.toBuffer(value));
+        }
+        catch {
+            try {
+                return Buffer.from(value, 'base64');
+            }
+            catch {
+                return Buffer.from(value);
+            }
+        }
+    }
+    toIsoDate(value) {
+        if (!value) {
+            return undefined;
+        }
+        const date = value instanceof Date ? value : new Date(value);
+        return Number.isNaN(date.getTime()) ? undefined : date.toISOString();
+    }
     cookieOptions(apiReq) {
         const conf = this.server.config;
         const forwarded = apiReq.req.headers['x-forwarded-proto'];
@@ -598,6 +638,44 @@ class AuthModule extends module_js_1.BaseAuthModule {
         const publicUser = this.storage.filterUser(user);
         return [200, { ...tokens, user: publicUser }];
     }
+    async getPasskeys(apiReq) {
+        if (typeof this.storage.listUserCredentials !== 'function') {
+            throw new api_server_base_js_1.ApiError({ code: 501, message: 'Passkey credential listing is not configured' });
+        }
+        const { userId } = await this.resolveActorContext(apiReq);
+        const credentials = await this.storage.listUserCredentials(userId);
+        const safeCredentials = credentials.map((credential) => {
+            const bufferId = this.normalizeCredentialId(credential.credentialId);
+            return {
+                id: helpers_1.isoBase64URL.fromBuffer(new Uint8Array(bufferId)),
+                transports: credential.transports,
+                backedUp: credential.backedUp,
+                deviceType: credential.deviceType,
+                createdAt: this.toIsoDate(credential.createdAt),
+                updatedAt: this.toIsoDate(credential.updatedAt)
+            };
+        });
+        return [200, { credentials: safeCredentials }];
+    }
+    async deletePasskey(apiReq) {
+        if (typeof this.storage.listUserCredentials !== 'function' ||
+            typeof this.storage.deletePasskeyCredential !== 'function') {
+            throw new api_server_base_js_1.ApiError({ code: 501, message: 'Passkey credential management is not configured' });
+        }
+        const { userId } = await this.resolveActorContext(apiReq);
+        const credentialId = this.validateCredentialId(apiReq);
+        const bufferId = Buffer.from(helpers_1.isoBase64URL.toBuffer(credentialId));
+        const credentials = await this.storage.listUserCredentials(userId);
+        const owns = credentials.some((credential) => {
+            const candidateId = this.normalizeCredentialId(credential.credentialId);
+            return helpers_1.isoBase64URL.fromBuffer(new Uint8Array(candidateId)) === credentialId;
+        });
+        if (!owns) {
+            throw new api_server_base_js_1.ApiError({ code: 404, message: 'Passkey not found' });
+        }
+        const deleted = await this.storage.deletePasskeyCredential(bufferId);
+        return [200, { deleted }];
+    }
     async postImpersonation(apiReq) {
         this.assertAuthReady();
         const { targetIdentifier, metadata } = this.parseImpersonationRequest(apiReq);
@@ -941,47 +1019,91 @@ class AuthModule extends module_js_1.BaseAuthModule {
         }
         throw new api_server_base_js_1.ApiError({ code: 401, message: 'Authorization requires user authentication' });
     }
+    hasPasskeyService() {
+        const storageAny = this.storage;
+        if (storageAny.passkeyService || storageAny.passkeyStore) {
+            return true;
+        }
+        if (storageAny.adapter?.passkeyService || storageAny.adapter?.passkeyStore) {
+            return true;
+        }
+        const serverAny = this.server;
+        return !!serverAny.passkeyServiceAdapter;
+    }
+    hasOAuthStore() {
+        const storageAny = this.storage;
+        if (storageAny.oauthStore) {
+            return true;
+        }
+        if (storageAny.adapter?.oauthStore) {
+            return true;
+        }
+        const serverAny = this.server;
+        return !!serverAny.oauthStoreAdapter;
+    }
+    storageImplements(key) {
+        const candidate = this.storage[key];
+        if (typeof candidate !== 'function') {
+            return false;
+        }
+        const baseImpl = storage_js_1.BaseAuthAdapter.prototype[key];
+        return candidate !== baseImpl;
+    }
+    storageImplementsAll(keys) {
+        return keys.every((key) => this.storageImplements(key));
+    }
     defineRoutes() {
-        const routes = [
-            {
-                method: 'post',
-                path: '/v1/login',
-                handler: (req) => this.postLogin(req),
-                auth: { type: 'none', req: 'any' }
-            },
-            {
-                method: 'post',
-                path: '/v1/refresh',
-                handler: (req) => this.postRefresh(req),
-                auth: { type: 'none', req: 'any' }
-            },
-            {
-                method: 'post',
-                path: '/v1/logout',
-                handler: (req) => this.postLogout(req),
-                auth: { type: 'maybe', req: 'any' }
-            },
-            {
-                method: 'post',
-                path: '/v1/whoami',
-                handler: (req) => this.postWhoAmI(req),
-                auth: { type: 'maybe', req: 'any' }
-            },
-            {
-                method: 'post',
-                path: '/v1/impersonations',
-                handler: (req) => this.postImpersonation(req),
-                auth: { type: 'strict', req: 'any' }
-            },
-            {
-                method: 'delete',
-                path: '/v1/impersonations',
-                handler: (req) => this.deleteImpersonation(req),
-                auth: { type: 'strict', req: 'any' }
-            }
-        ];
-        const storage = this.storage;
-        const passkeysSupported = typeof storage.createPasskeyChallenge === 'function' && typeof storage.verifyPasskeyResponse === 'function';
+        const routes = [];
+        const coreAuthSupported = this.storageImplementsAll([
+            'getUser',
+            'getUserPasswordHash',
+            'getUserId',
+            'verifyPassword',
+            'filterUser',
+            'storeToken',
+            'getToken',
+            'deleteToken'
+        ]);
+        if (!coreAuthSupported) {
+            return routes;
+        }
+        routes.push({
+            method: 'post',
+            path: '/v1/login',
+            handler: (req) => this.postLogin(req),
+            auth: { type: 'none', req: 'any' }
+        }, {
+            method: 'post',
+            path: '/v1/refresh',
+            handler: (req) => this.postRefresh(req),
+            auth: { type: 'none', req: 'any' }
+        }, {
+            method: 'post',
+            path: '/v1/logout',
+            handler: (req) => this.postLogout(req),
+            auth: { type: 'maybe', req: 'any' }
+        }, {
+            method: 'post',
+            path: '/v1/whoami',
+            handler: (req) => this.postWhoAmI(req),
+            auth: { type: 'maybe', req: 'any' }
+        }, {
+            method: 'post',
+            path: '/v1/impersonations',
+            handler: (req) => this.postImpersonation(req),
+            auth: { type: 'strict', req: 'any' }
+        }, {
+            method: 'delete',
+            path: '/v1/impersonations',
+            handler: (req) => this.deleteImpersonation(req),
+            auth: { type: 'strict', req: 'any' }
+        });
+        const passkeysSupported = this.hasPasskeyService() &&
+            this.storageImplements('createPasskeyChallenge') &&
+            this.storageImplements('verifyPasskeyResponse');
+        const passkeyCredentialsSupported = passkeysSupported &&
+            this.storageImplements('listUserCredentials') &&
+            this.storageImplements('deletePasskeyCredential');
         if (passkeysSupported) {
             routes.push({
                 method: 'post',
@@ -994,6 +1116,19 @@ class AuthModule extends module_js_1.BaseAuthModule {
                 handler: (req) => this.postPasskeyVerify(req),
                 auth: { type: 'none', req: 'any' }
             });
+            if (passkeyCredentialsSupported) {
+                routes.push({
+                    method: 'get',
+                    path: '/v1/passkeys',
+                    handler: (req) => this.getPasskeys(req),
+                    auth: { type: 'strict', req: 'any' }
+                }, {
+                    method: 'delete',
+                    path: '/v1/passkeys/:credentialId?',
+                    handler: (req) => this.deletePasskey(req),
+                    auth: { type: 'strict', req: 'any' }
+                });
+            }
         }
         const externalOAuthSupported = typeof this.server.initiateOAuth === 'function' && typeof this.server.completeOAuth === 'function';
         if (externalOAuthSupported) {
@@ -1009,9 +1144,10 @@ class AuthModule extends module_js_1.BaseAuthModule {
                 auth: { type: 'none', req: 'any' }
             });
         }
-        const oauthStorageSupported = typeof storage.getClient === 'function' &&
-            typeof storage.createAuthCode === 'function' &&
-            typeof storage.consumeAuthCode === 'function';
+        const oauthStorageSupported = this.hasOAuthStore() &&
+            this.storageImplements('getClient') &&
+            this.storageImplements('createAuthCode') &&
+            this.storageImplements('consumeAuthCode');
         if (oauthStorageSupported) {
             routes.push({
                 method: 'post',

package/dist/cjs/auth-api/compat-auth-storage.d.ts

@@ -1,9 +1,9 @@
 import { PasskeyService } from '../passkey/service.js';
-import type { AuthIdentifier, AuthStorage } from './types.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
 import type { OAuthStore } from '../oauth/base.js';
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
 import type { PasskeyStore } from '../passkey/base.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, StoredPasskeyCredential, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
 import type { TokenStore } from '../token/base.js';
 import type { Token } from '../token/types.js';
 import type { UserStore } from '../user/base.js';
@@ -11,7 +11,7 @@ interface PasskeyAdapterOptions {
     store: PasskeyStore;
     config: PasskeyServiceConfig;
 }
-export interface AuthStorageAdapterOptions<UserRow, PublicUser> {
+export interface AuthAdapterOptions<UserRow, PublicUser> {
     userStore: UserStore<UserRow, PublicUser>;
     tokenStore: TokenStore;
     passkeys?: PasskeyAdapterOptions | PasskeyService;
@@ -21,13 +21,13 @@ export interface AuthStorageAdapterOptions<UserRow, PublicUser> {
         effectiveUserId: AuthIdentifier;
     }) => boolean | Promise<boolean>;
 }
-export declare class AuthStorageAdapter<UserRow, PublicUser> implements AuthStorage<UserRow, PublicUser> {
+export declare class CompositeAuthAdapter<UserRow, PublicUser> implements AuthAdapter<UserRow, PublicUser> {
     private readonly userStore;
     private readonly tokenStore;
     private readonly oauthStore?;
     private readonly passkeyService?;
     private readonly canImpersonateFn?;
-    constructor(options: AuthStorageAdapterOptions<UserRow, PublicUser>);
+    constructor(options: AuthAdapterOptions<UserRow, PublicUser>);
     getUser(identifier: AuthIdentifier): Promise<UserRow | null>;
     getUserPasswordHash(user: UserRow): string;
     getUserId(user: UserRow): AuthIdentifier;
@@ -43,6 +43,8 @@ export declare class AuthStorageAdapter<UserRow, PublicUser> implements AuthStor
     }): Promise<boolean>;
     createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
     getClient(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;

package/dist/cjs/auth-api/compat-auth-storage.js

@@ -1,9 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuthStorageAdapter = void 0;
+exports.CompositeAuthAdapter = void 0;
 const node_crypto_1 = require("node:crypto");
 const service_js_1 = require("../passkey/service.js");
-class AuthStorageAdapter {
+class CompositeAuthAdapter {
     constructor(options) {
         this.userStore = options.userStore;
         this.tokenStore = options.tokenStore;
@@ -55,6 +55,18 @@ class AuthStorageAdapter {
         }
         return this.passkeyService.verifyResponse(params);
     }
+    async listUserCredentials(userId) {
+        if (!this.passkeyService) {
+            throw new Error('Passkey storage is not configured');
+        }
+        return this.passkeyService.listUserCredentials(userId);
+    }
+    async deletePasskeyCredential(credentialId) {
+        if (!this.passkeyService) {
+            throw new Error('Passkey storage is not configured');
+        }
+        return this.passkeyService.deleteCredential(credentialId);
+    }
     async getClient(clientId) {
         if (!this.oauthStore) {
             return null;
@@ -113,4 +125,4 @@ class AuthStorageAdapter {
         return params.realUserId === params.effectiveUserId;
     }
 }
-exports.AuthStorageAdapter = AuthStorageAdapter;
+exports.CompositeAuthAdapter = CompositeAuthAdapter;

package/dist/cjs/auth-api/mem-auth-store.d.ts

@@ -2,11 +2,11 @@ import { MemoryOAuthStore } from '../oauth/memory.js';
 import { MemoryPasskeyStore } from '../passkey/memory.js';
 import { TokenStore } from '../token/base.js';
 import { MemoryUserStore } from '../user/memory.js';
-import type { AuthIdentifier, AuthStorage } from './types.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
 import type { MemoryOAuthStoreOptions } from '../oauth/memory.js';
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
 import type { MemoryPasskeyStoreOptions } from '../passkey/memory.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyUserDescriptor, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyUserDescriptor, StoredPasskeyCredential, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
 import type { Token } from '../token/types.js';
 import type { MemoryUserAttributes, MemoryPublicUser, MemoryUserStoreOptions } from '../user/memory.js';
 interface PasskeyOptions extends Partial<PasskeyServiceConfig> {
@@ -24,7 +24,7 @@ export interface MemAuthStoreParams<UserAttributes extends MemoryUserAttributes
     }) => boolean | Promise<boolean>;
     tokenStore?: TokenStore;
 }
-export declare class MemAuthStore<UserAttributes extends MemoryUserAttributes = MemoryUserAttributes, PublicUserShape extends MemoryPublicUser<UserAttributes> = MemoryPublicUser<UserAttributes>> implements AuthStorage<UserAttributes, PublicUserShape> {
+export declare class MemAuthStore<UserAttributes extends MemoryUserAttributes = MemoryUserAttributes, PublicUserShape extends MemoryPublicUser<UserAttributes> = MemoryPublicUser<UserAttributes>> implements AuthAdapter<UserAttributes, PublicUserShape> {
     readonly userStore: MemoryUserStore<UserAttributes, PublicUserShape>;
     readonly tokenStore: TokenStore;
     readonly passkeyStore?: MemoryPasskeyStore;
@@ -54,6 +54,8 @@ export declare class MemAuthStore<UserAttributes extends MemoryUserAttributes =
     }): Promise<boolean>;
     createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
     getClient(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;

package/dist/cjs/auth-api/mem-auth-store.js

@@ -59,7 +59,7 @@ class MemAuthStore {
             passkeyStore = new memory_js_2.MemoryPasskeyStore({ resolveUser });
             this.passkeyStore = passkeyStore;
         }
-        this.adapter = new compat_auth_storage_js_1.AuthStorageAdapter({
+        this.adapter = new compat_auth_storage_js_1.CompositeAuthAdapter({
             userStore: this.userStore,
             tokenStore: this.tokenStore,
             passkeys: passkeyStore && passkeyConfig ? { store: passkeyStore, config: passkeyConfig } : undefined,
@@ -116,6 +116,12 @@ class MemAuthStore {
     async verifyPasskeyResponse(params) {
         return this.adapter.verifyPasskeyResponse(params);
     }
+    async listUserCredentials(userId) {
+        return this.adapter.listUserCredentials(userId);
+    }
+    async deletePasskeyCredential(credentialId) {
+        return this.adapter.deletePasskeyCredential(credentialId);
+    }
     async getClient(clientId) {
         return this.adapter.getClient(clientId);
     }

package/dist/cjs/auth-api/sql-auth-store.d.ts

@@ -3,9 +3,9 @@ import { SequelizeOAuthStore, type SequelizeOAuthStoreOptions } from '../oauth/s
 import { SequelizePasskeyStore } from '../passkey/sequelize.js';
 import { type SequelizeTokenStoreOptions } from '../token/sequelize.js';
 import { SequelizeUserStore, type AuthUserAttributes, GenericUserModel, GenericUserModelStatic } from '../user/sequelize.js';
-import type { AuthIdentifier, AuthStorage } from './types.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyUserDescriptor, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyUserDescriptor, StoredPasskeyCredential, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
 import type { TokenStore } from '../token/base.js';
 import type { Token } from '../token/types.js';
 interface PasskeyOptions extends Partial<PasskeyServiceConfig> {
@@ -30,7 +30,7 @@ export interface SqlAuthStoreParams<UserAttributes extends AuthUserAttributes =
     tokenStoreOptions?: Omit<SequelizeTokenStoreOptions, 'sequelize'>;
     oauthStoreOptions?: Omit<SequelizeOAuthStoreOptions, 'sequelize'>;
 }
-export declare class SqlAuthStore<UserAttributes extends AuthUserAttributes = AuthUserAttributes, PublicUserShape extends Omit<UserAttributes, 'password'> = Omit<UserAttributes, 'password'>> implements AuthStorage<UserAttributes, PublicUserShape> {
+export declare class SqlAuthStore<UserAttributes extends AuthUserAttributes = AuthUserAttributes, PublicUserShape extends Omit<UserAttributes, 'password'> = Omit<UserAttributes, 'password'>> implements AuthAdapter<UserAttributes, PublicUserShape> {
     readonly userStore: SequelizeUserStore<UserAttributes, PublicUserShape>;
     readonly tokenStore: TokenStore;
     readonly passkeyStore?: SequelizePasskeyStore;
@@ -63,6 +63,8 @@ export declare class SqlAuthStore<UserAttributes extends AuthUserAttributes = Au
     }): Promise<boolean>;
     createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
     getClient(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;

package/dist/cjs/auth-api/sql-auth-store.js

@@ -72,7 +72,7 @@ class SqlAuthStore {
             passkeyStore = new sequelize_js_2.SequelizePasskeyStore({ sequelize: this.sequelize, resolveUser });
             this.passkeyStore = passkeyStore;
         }
-        this.adapter = new compat_auth_storage_js_1.AuthStorageAdapter({
+        this.adapter = new compat_auth_storage_js_1.CompositeAuthAdapter({
             userStore: this.userStore,
             tokenStore: this.tokenStore,
             passkeys: passkeyStore && passkeyConfig ? { store: passkeyStore, config: passkeyConfig } : undefined,
@@ -147,6 +147,12 @@ class SqlAuthStore {
     async verifyPasskeyResponse(params) {
         return this.adapter.verifyPasskeyResponse(params);
     }
+    async listUserCredentials(userId) {
+        return this.adapter.listUserCredentials(userId);
+    }
+    async deletePasskeyCredential(credentialId) {
+        return this.adapter.deletePasskeyCredential(credentialId);
+    }
     async getClient(clientId) {
         return this.adapter.getClient(clientId);
     }

package/dist/cjs/auth-api/storage.d.ts

@@ -1,8 +1,8 @@
-import type { AuthIdentifier, AuthStorage } from './types.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult, StoredPasskeyCredential } from '../passkey/types.js';
 import type { Token } from '../token/types.js';
-export declare class BaseAuthStorage<UserRow = unknown, SafeUser = unknown> implements AuthStorage<UserRow, SafeUser> {
+export declare class BaseAuthAdapter<UserRow = unknown, SafeUser = unknown> implements AuthAdapter<UserRow, SafeUser> {
     getUser(identifier: AuthIdentifier): Promise<UserRow | null>;
     getUserPasswordHash(user: UserRow): string;
     getUserId(user: UserRow): AuthIdentifier;
@@ -24,6 +24,8 @@ export declare class BaseAuthStorage<UserRow = unknown, SafeUser = unknown> impl
     }): Promise<boolean>;
     createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
     getClient(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;
@@ -33,4 +35,4 @@ export declare class BaseAuthStorage<UserRow = unknown, SafeUser = unknown> impl
         effectiveUserId: AuthIdentifier;
     }): Promise<boolean>;
 }
-export declare const nullAuthStorage: AuthStorage<unknown, unknown>;
+export declare const nullAuthAdapter: AuthAdapter<unknown, unknown>;

package/dist/cjs/auth-api/storage.js

@@ -1,9 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.nullAuthStorage = exports.BaseAuthStorage = void 0;
-// Handy base you can extend when wiring a real storage adapter. Every method
+exports.nullAuthAdapter = exports.BaseAuthAdapter = void 0;
+// Handy base you can extend when wiring a real auth adapter. Every method
 // throws by default so unimplemented hooks fail loudly.
-class BaseAuthStorage {
+class BaseAuthAdapter {
     // Override to load a user record by identifier
     async getUser(identifier) {
         void identifier;
@@ -60,6 +60,16 @@ class BaseAuthStorage {
         void params;
         throw new Error('Auth storage not configured');
     }
+    // Override to list passkey credentials for a user
+    async listUserCredentials(userId) {
+        void userId;
+        throw new Error('Auth storage not configured');
+    }
+    // Override to delete a passkey credential
+    async deletePasskeyCredential(credentialId) {
+        void credentialId;
+        throw new Error('Auth storage not configured');
+    }
     // Override to fetch an OAuth client by identifier
     async getClient(clientId) {
         void clientId;
@@ -88,5 +98,5 @@ class BaseAuthStorage {
         return false;
     }
 }
-exports.BaseAuthStorage = BaseAuthStorage;
-exports.nullAuthStorage = new BaseAuthStorage();
+exports.BaseAuthAdapter = BaseAuthAdapter;
+exports.nullAuthAdapter = new BaseAuthAdapter();

package/dist/cjs/auth-api/types.d.ts

@@ -1,8 +1,9 @@
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult, StoredPasskeyCredential } from '../passkey/types.js';
 import type { Token } from '../token/types.js';
 export type AuthIdentifier = string | number;
-export interface AuthStorage<UserRow, SafeUser> {
+/** @internal */
+export interface AuthAdapter<UserRow, SafeUser> {
     getUser(identifier: AuthIdentifier): Promise<UserRow | null>;
     getUserPasswordHash(user: UserRow): string;
     getUserId(user: UserRow): AuthIdentifier;
@@ -18,6 +19,8 @@ export interface AuthStorage<UserRow, SafeUser> {
     }): Promise<boolean>;
     createPasskeyChallenge?(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse?(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials?(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential?(credentialId: Buffer | string): Promise<boolean>;
     getClient?(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret?(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode?(request: AuthCodeRequest): Promise<AuthCodeData>;
@@ -27,3 +30,5 @@ export interface AuthStorage<UserRow, SafeUser> {
         effectiveUserId: AuthIdentifier;
     }): Promise<boolean>;
 }
+/** @internal */
+export type AuthStorage<UserRow, SafeUser> = AuthAdapter<UserRow, SafeUser>;