@technomoron/api-server-base 2.0.0-beta.2 → 2.0.0-beta.4

package/dist/cjs/index.cjs

@@ -3,7 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.SequelizeOAuthStore = exports.MemoryOAuthStore = exports.OAuthStore = exports.SequelizePasskeyStore = exports.MemoryPasskeyStore = exports.PasskeyStore = exports.PasskeyService = exports.SequelizeTokenStore = exports.MemoryTokenStore = exports.TokenStore = exports.SequelizeUserStore = exports.MemoryUserStore = exports.UserStore = exports.AuthModule = exports.SqlAuthStore = exports.MemAuthStore = exports.AuthStorageAdapter = exports.BaseAuthModule = exports.nullAuthModule = exports.BaseAuthStorage = exports.nullAuthStorage = exports.ApiModule = exports.ApiError = exports.ApiServer = void 0;
+exports.SequelizeOAuthStore = exports.MemoryOAuthStore = exports.OAuthStore = exports.SequelizePasskeyStore = exports.MemoryPasskeyStore = exports.PasskeyStore = exports.PasskeyService = exports.SequelizeTokenStore = exports.MemoryTokenStore = exports.TokenStore = exports.SequelizeUserStore = exports.MemoryUserStore = exports.UserStore = exports.AuthModule = exports.SqlAuthStore = exports.MemAuthStore = exports.CompositeAuthAdapter = exports.BaseAuthModule = exports.nullAuthModule = exports.BaseAuthAdapter = exports.nullAuthAdapter = exports.ApiModule = exports.ApiError = exports.ApiServer = void 0;
 var api_server_base_js_1 = require("./api-server-base.cjs");
 Object.defineProperty(exports, "ApiServer", { enumerable: true, get: function () { return __importDefault(api_server_base_js_1).default; } });
 var api_server_base_js_2 = require("./api-server-base.cjs");
@@ -11,13 +11,13 @@ Object.defineProperty(exports, "ApiError", { enumerable: true, get: function ()
 var api_module_js_1 = require("./api-module.cjs");
 Object.defineProperty(exports, "ApiModule", { enumerable: true, get: function () { return api_module_js_1.ApiModule; } });
 var storage_js_1 = require("./auth-api/storage.js");
-Object.defineProperty(exports, "nullAuthStorage", { enumerable: true, get: function () { return storage_js_1.nullAuthStorage; } });
-Object.defineProperty(exports, "BaseAuthStorage", { enumerable: true, get: function () { return storage_js_1.BaseAuthStorage; } });
+Object.defineProperty(exports, "nullAuthAdapter", { enumerable: true, get: function () { return storage_js_1.nullAuthAdapter; } });
+Object.defineProperty(exports, "BaseAuthAdapter", { enumerable: true, get: function () { return storage_js_1.BaseAuthAdapter; } });
 var module_js_1 = require("./auth-api/module.js");
 Object.defineProperty(exports, "nullAuthModule", { enumerable: true, get: function () { return module_js_1.nullAuthModule; } });
 Object.defineProperty(exports, "BaseAuthModule", { enumerable: true, get: function () { return module_js_1.BaseAuthModule; } });
 var compat_auth_storage_js_1 = require("./auth-api/compat-auth-storage.js");
-Object.defineProperty(exports, "AuthStorageAdapter", { enumerable: true, get: function () { return compat_auth_storage_js_1.AuthStorageAdapter; } });
+Object.defineProperty(exports, "CompositeAuthAdapter", { enumerable: true, get: function () { return compat_auth_storage_js_1.CompositeAuthAdapter; } });
 var mem_auth_store_js_1 = require("./auth-api/mem-auth-store.js");
 Object.defineProperty(exports, "MemAuthStore", { enumerable: true, get: function () { return mem_auth_store_js_1.MemAuthStore; } });
 var sql_auth_store_js_1 = require("./auth-api/sql-auth-store.js");

package/dist/cjs/index.d.ts

@@ -2,14 +2,14 @@ export { default as ApiServer } from './api-server-base.js';
 export { ApiError } from './api-server-base.js';
 export { ApiModule } from './api-module.js';
 export type { ApiErrorParams, ApiHandler, ApiKey, ApiServerConf, ApiRequest, ApiRoute, ApiAuthType, ApiAuthClass, ApiTokenData, ExtendedReq } from './api-server-base.js';
-export type { AuthIdentifier, AuthStorage } from './auth-api/types.js';
+export type { AuthIdentifier } from './auth-api/types.js';
 export type { Token, TokenPair, TokenStatus } from './token/types.js';
 export type { JwtSignResult, JwtVerifyResult, JwtDecodeResult } from './token/base.js';
 export type { OAuthClient, AuthCodeData, AuthCodeRequest } from './oauth/types.js';
 export type { AuthProviderModule } from './auth-api/module.js';
-export { nullAuthStorage, BaseAuthStorage } from './auth-api/storage.js';
+export { nullAuthAdapter, BaseAuthAdapter } from './auth-api/storage.js';
 export { nullAuthModule, BaseAuthModule } from './auth-api/module.js';
-export { AuthStorageAdapter } from './auth-api/compat-auth-storage.js';
+export { CompositeAuthAdapter } from './auth-api/compat-auth-storage.js';
 export { MemAuthStore } from './auth-api/mem-auth-store.js';
 export { SqlAuthStore } from './auth-api/sql-auth-store.js';
 export { default as AuthModule } from './auth-api/auth-module.js';

package/dist/cjs/passkey/base.d.ts

@@ -6,6 +6,7 @@ export declare abstract class PasskeyStore implements PasskeyStorageAdapter {
         login?: string;
     }): Promise<PasskeyUserDescriptor | null>;
     abstract listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    abstract deleteCredential(credentialId: Buffer | string): Promise<boolean>;
     abstract findCredentialById(credentialId: Buffer): Promise<StoredPasskeyCredential | null>;
     abstract saveCredential(record: StoredPasskeyCredential): Promise<void>;
     abstract updateCredentialCounter(credentialId: Buffer, counter: number): Promise<void>;

package/dist/cjs/passkey/memory.d.ts

@@ -17,6 +17,7 @@ export declare class MemoryPasskeyStore extends PasskeyStore {
         login?: string;
     }): Promise<PasskeyUserDescriptor | null>;
     listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deleteCredential(credentialId: Buffer | string): Promise<boolean>;
     findCredentialById(credentialId: Buffer): Promise<StoredPasskeyCredential | null>;
     saveCredential(record: StoredPasskeyCredential): Promise<void>;
     updateCredentialCounter(credentialId: Buffer, counter: number): Promise<void>;

package/dist/cjs/passkey/memory.js

@@ -37,6 +37,10 @@ class MemoryPasskeyStore extends base_js_1.PasskeyStore {
             .filter((record) => normalizeUserId(record.userId) === normalizedUserId)
             .map((record) => cloneCredential(record));
     }
+    async deleteCredential(credentialId) {
+        const key = encodeCredentialId(credentialId);
+        return this.credentials.delete(key);
+    }
     async findCredentialById(credentialId) {
         const record = this.credentials.get(encodeCredentialId(credentialId));
         return record ? cloneCredential(record) : null;

package/dist/cjs/passkey/sequelize.d.ts

@@ -44,6 +44,7 @@ export declare class SequelizePasskeyStore extends PasskeyStore {
         login?: string;
     }): Promise<PasskeyUserDescriptor | null>;
     listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deleteCredential(credentialId: Buffer | string): Promise<boolean>;
     findCredentialById(credentialId: Buffer): Promise<StoredPasskeyCredential | null>;
     saveCredential(record: StoredPasskeyCredential): Promise<void>;
     updateCredentialCounter(credentialId: Buffer, counter: number): Promise<void>;

package/dist/cjs/passkey/sequelize.js

@@ -147,9 +147,16 @@ class SequelizePasskeyStore extends base_js_1.PasskeyStore {
             counter: model.counter,
             transports: (model.transports ?? undefined),
             backedUp: model.backedUp,
-            deviceType: model.deviceType
+            deviceType: model.deviceType,
+            createdAt: model.createdAt ?? undefined,
+            updatedAt: model.updatedAt ?? undefined
         }));
     }
+    async deleteCredential(credentialId) {
+        const encoded = Buffer.isBuffer(credentialId) ? credentialId.toString('base64') : credentialId;
+        const deleted = await this.credentials.destroy({ where: { credentialId: encoded } });
+        return deleted > 0;
+    }
     async findCredentialById(credentialId) {
         const model = await this.credentials.findByPk(encodeCredentialId(credentialId));
         if (!model) {
@@ -162,7 +169,9 @@ class SequelizePasskeyStore extends base_js_1.PasskeyStore {
             counter: model.counter,
             transports: (model.transports ?? undefined),
             backedUp: model.backedUp,
-            deviceType: model.deviceType
+            deviceType: model.deviceType,
+            createdAt: model.createdAt ?? undefined,
+            updatedAt: model.updatedAt ?? undefined
         };
     }
     async saveCredential(record) {

package/dist/cjs/passkey/service.d.ts

@@ -1,11 +1,14 @@
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyStorageAdapter, PasskeyVerificationParams, PasskeyVerificationResult, PasskeyServiceConfig } from './types.js';
-export type { CredentialDeviceType, PasskeyChallenge, PasskeyChallengeParams, PasskeyChallengeRecord, PasskeyChallengeMetadata, PasskeyUserDescriptor, PasskeyVerificationParams, PasskeyVerificationResult, PasskeyServiceConfig, PasskeyStorageAdapter } from './types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyStorageAdapter, PasskeyVerificationParams, PasskeyVerificationResult, PasskeyServiceConfig, StoredPasskeyCredential } from './types.js';
+import type { AuthIdentifier } from '../auth-api/types.js';
+export type { CredentialDeviceType, PasskeyChallenge, PasskeyChallengeParams, PasskeyChallengeRecord, PasskeyChallengeMetadata, PasskeyUserDescriptor, PasskeyVerificationParams, PasskeyVerificationResult, PasskeyServiceConfig, PasskeyStorageAdapter, StoredPasskeyCredential } from './types.js';
 type Logger = Pick<typeof console, 'error' | 'warn'>;
 export declare class PasskeyService {
     private readonly config;
     private readonly adapter;
     private readonly logger;
     constructor(config: PasskeyServiceConfig, adapter: PasskeyStorageAdapter, logger?: Logger);
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deleteCredential(credentialId: Buffer | string): Promise<boolean>;
     createChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
     private createRegistrationChallenge;

package/dist/cjs/passkey/service.js

@@ -40,6 +40,12 @@ class PasskeyService {
         this.adapter = adapter;
         this.logger = logger;
     }
+    async listUserCredentials(userId) {
+        return this.adapter.listUserCredentials(userId);
+    }
+    async deleteCredential(credentialId) {
+        return this.adapter.deleteCredential(credentialId);
+    }
     async createChallenge(params) {
         await this.adapter.cleanupChallenges?.(new Date());
         const metadata = {

package/dist/cjs/passkey/types.d.ts

@@ -36,6 +36,8 @@ export interface StoredPasskeyCredential {
     transports?: AuthenticatorTransportFuture[];
     backedUp: boolean;
     deviceType: CredentialDeviceType;
+    createdAt?: Date;
+    updatedAt?: Date;
 }
 export interface PasskeyStorageAdapter {
     resolveUser(params: {
@@ -43,6 +45,7 @@ export interface PasskeyStorageAdapter {
         login?: string;
     }): Promise<PasskeyUserDescriptor | null>;
     listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deleteCredential(credentialId: Buffer | string): Promise<boolean>;
     findCredentialById(credentialId: Buffer): Promise<StoredPasskeyCredential | null>;
     saveCredential(record: StoredPasskeyCredential): Promise<void>;
     updateCredentialCounter(credentialId: Buffer, counter: number): Promise<void>;

package/dist/esm/api-server-base.d.ts

@@ -9,7 +9,7 @@ import { ApiModule } from './api-module.js';
 import { TokenStore, type JwtDecodeResult, type JwtSignResult, type JwtVerifyResult } from './token/base.js';
 import type { ApiAuthClass, ApiKey } from './api-module.js';
 import type { AuthProviderModule } from './auth-api/module.js';
-import type { AuthStorage, AuthIdentifier } from './auth-api/types.js';
+import type { AuthAdapter, AuthIdentifier } from './auth-api/types.js';
 import type { OAuthStore } from './oauth/base.js';
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from './oauth/types.js';
 import type { PasskeyService } from './passkey/service.js';
@@ -122,17 +122,17 @@ export declare class ApiServer {
     private canImpersonateAdapter;
     private readonly jwtHelper;
     constructor(config?: Partial<ApiServerConf>);
-    authStorage<UserRow, SafeUser>(storage: AuthStorage<UserRow, SafeUser>): this;
+    authStorage<UserRow, SafeUser>(storage: AuthAdapter<UserRow, SafeUser>): this;
     /**
      * @deprecated Use {@link ApiServer.authStorage} instead.
      */
-    useAuthStorage<UserRow, SafeUser>(storage: AuthStorage<UserRow, SafeUser>): this;
+    useAuthStorage<UserRow, SafeUser>(storage: AuthAdapter<UserRow, SafeUser>): this;
     authModule<UserRow>(module: AuthProviderModule<UserRow>): this;
     /**
      * @deprecated Use {@link ApiServer.authModule} instead.
      */
     useAuthModule<UserRow>(module: AuthProviderModule<UserRow>): this;
-    getAuthStorage(): AuthStorage<any, any>;
+    getAuthStorage(): AuthAdapter<any, any>;
     getAuthModule(): AuthProviderModule<any>;
     setTokenStore(store: TokenStore): this;
     getTokenStore(): TokenStore | null;

package/dist/esm/api-server-base.js

@@ -10,7 +10,7 @@ import cors from 'cors';
 import express from 'express';
 import multer from 'multer';
 import { nullAuthModule } from './auth-api/module.js';
-import { nullAuthStorage } from './auth-api/storage.js';
+import { nullAuthAdapter } from './auth-api/storage.js';
 import { TokenStore } from './token/base.js';
 class JwtHelperStore extends TokenStore {
     async save() {
@@ -362,7 +362,7 @@ export class ApiServer {
         this.config = fillConfig(config);
         this.apiBasePath = this.normalizeApiBasePath(this.config.apiBasePath);
         this.startedAt = Date.now();
-        this.storageAdapter = nullAuthStorage;
+        this.storageAdapter = nullAuthAdapter;
         this.moduleAdapter = nullAuthModule;
         this.jwtHelper = new JwtHelperStore();
         this.tokenStoreAdapter = this.config.tokenStore ?? null;
@@ -446,7 +446,7 @@ export class ApiServer {
         }
         return this.oauthStoreAdapter;
     }
-    // AuthStorage-compatible helpers (used by AuthModule)
+    // AuthAdapter-compatible helpers (used by AuthModule)
     async getUser(identifier) {
         return this.userStoreAdapter ? this.userStoreAdapter.findUser(identifier) : null;
     }

package/dist/esm/auth-api/auth-module.d.ts

@@ -1,6 +1,6 @@
 import { type ApiRequest, type ApiRoute, type ApiServer } from '../api-server-base.js';
 import { BaseAuthModule, type AuthProviderModule } from './module.js';
-import type { AuthIdentifier, AuthStorage } from './types.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
 import type { OAuthCallbackParams, OAuthCallbackResult, OAuthStartParams, OAuthStartResult } from '../oauth/types.js';
 import type { TokenPair, Token } from '../token/types.js';
 interface CanImpersonateContext<UserEntity> {
@@ -46,7 +46,7 @@ export default class AuthModule<UserEntity, PublicUser> extends BaseAuthModule<U
     private readonly defaultDomain?;
     private readonly canImpersonateHook?;
     constructor(options?: AuthModuleOptions<UserEntity>);
-    protected get storage(): AuthStorage<UserEntity, PublicUser>;
+    protected get storage(): AuthAdapter<UserEntity, PublicUser>;
     protected canImpersonate(apiReq: ApiRequest, realUser: UserEntity, targetUser: UserEntity): Promise<boolean>;
     protected ensureImpersonationAllowed(apiReq: ApiRequest, realUser: UserEntity, targetUser: UserEntity): Promise<void>;
     protected buildTokenPayload(user: UserEntity, metadata?: TokenMetadata): TokenClaims;
@@ -57,6 +57,9 @@ export default class AuthModule<UserEntity, PublicUser> extends BaseAuthModule<U
     private resolveSessionPreferences;
     private mergeSessionPreferences;
     private sessionPrefsFromRecord;
+    private validateCredentialId;
+    private normalizeCredentialId;
+    private toIsoDate;
     private cookieOptions;
     private setJwtCookies;
     issueTokens(apiReq: ApiRequest, user: UserEntity, metadata?: TokenIssueOptions): Promise<TokenPair>;
@@ -76,6 +79,8 @@ export default class AuthModule<UserEntity, PublicUser> extends BaseAuthModule<U
     private postWhoAmI;
     private postPasskeyChallenge;
     private postPasskeyVerify;
+    private getPasskeys;
+    private deletePasskey;
     private postImpersonation;
     private deleteImpersonation;
     private getUserFromPasskey;
@@ -91,6 +96,10 @@ export default class AuthModule<UserEntity, PublicUser> extends BaseAuthModule<U
     private resolveClientAuthentication;
     private assertRedirectUriAllowed;
     private resolveUserForOAuth;
+    private hasPasskeyService;
+    private hasOAuthStore;
+    private storageImplements;
+    private storageImplementsAll;
     defineRoutes(): ApiRoute[];
 }
 export {};

package/dist/esm/auth-api/auth-module.js

@@ -1,6 +1,8 @@
 import { createHash } from 'node:crypto';
+import { isoBase64URL } from '@simplewebauthn/server/helpers';
 import { ApiError } from '../api-server-base.js';
 import { BaseAuthModule } from './module.js';
+import { BaseAuthAdapter } from './storage.js';
 function isAuthIdentifier(value) {
     return typeof value === 'string' || typeof value === 'number';
 }
@@ -181,6 +183,44 @@ class AuthModule extends BaseAuthModule {
         }
         return prefs;
     }
+    validateCredentialId(apiReq) {
+        const paramId = toStringOrNull(apiReq.req.params?.credentialId);
+        const bodyId = toStringOrNull(apiReq.req.body?.credentialId);
+        const credentialId = paramId ?? bodyId;
+        if (!credentialId) {
+            throw new ApiError({ code: 400, message: 'credentialId is required' });
+        }
+        try {
+            isoBase64URL.toBuffer(credentialId);
+        }
+        catch {
+            throw new ApiError({ code: 400, message: 'Invalid credentialId' });
+        }
+        return credentialId;
+    }
+    normalizeCredentialId(value) {
+        if (Buffer.isBuffer(value)) {
+            return value;
+        }
+        try {
+            return Buffer.from(isoBase64URL.toBuffer(value));
+        }
+        catch {
+            try {
+                return Buffer.from(value, 'base64');
+            }
+            catch {
+                return Buffer.from(value);
+            }
+        }
+    }
+    toIsoDate(value) {
+        if (!value) {
+            return undefined;
+        }
+        const date = value instanceof Date ? value : new Date(value);
+        return Number.isNaN(date.getTime()) ? undefined : date.toISOString();
+    }
     cookieOptions(apiReq) {
         const conf = this.server.config;
         const forwarded = apiReq.req.headers['x-forwarded-proto'];
@@ -596,6 +636,44 @@ class AuthModule extends BaseAuthModule {
         const publicUser = this.storage.filterUser(user);
         return [200, { ...tokens, user: publicUser }];
     }
+    async getPasskeys(apiReq) {
+        if (typeof this.storage.listUserCredentials !== 'function') {
+            throw new ApiError({ code: 501, message: 'Passkey credential listing is not configured' });
+        }
+        const { userId } = await this.resolveActorContext(apiReq);
+        const credentials = await this.storage.listUserCredentials(userId);
+        const safeCredentials = credentials.map((credential) => {
+            const bufferId = this.normalizeCredentialId(credential.credentialId);
+            return {
+                id: isoBase64URL.fromBuffer(new Uint8Array(bufferId)),
+                transports: credential.transports,
+                backedUp: credential.backedUp,
+                deviceType: credential.deviceType,
+                createdAt: this.toIsoDate(credential.createdAt),
+                updatedAt: this.toIsoDate(credential.updatedAt)
+            };
+        });
+        return [200, { credentials: safeCredentials }];
+    }
+    async deletePasskey(apiReq) {
+        if (typeof this.storage.listUserCredentials !== 'function' ||
+            typeof this.storage.deletePasskeyCredential !== 'function') {
+            throw new ApiError({ code: 501, message: 'Passkey credential management is not configured' });
+        }
+        const { userId } = await this.resolveActorContext(apiReq);
+        const credentialId = this.validateCredentialId(apiReq);
+        const bufferId = Buffer.from(isoBase64URL.toBuffer(credentialId));
+        const credentials = await this.storage.listUserCredentials(userId);
+        const owns = credentials.some((credential) => {
+            const candidateId = this.normalizeCredentialId(credential.credentialId);
+            return isoBase64URL.fromBuffer(new Uint8Array(candidateId)) === credentialId;
+        });
+        if (!owns) {
+            throw new ApiError({ code: 404, message: 'Passkey not found' });
+        }
+        const deleted = await this.storage.deletePasskeyCredential(bufferId);
+        return [200, { deleted }];
+    }
     async postImpersonation(apiReq) {
         this.assertAuthReady();
         const { targetIdentifier, metadata } = this.parseImpersonationRequest(apiReq);
@@ -939,47 +1017,91 @@ class AuthModule extends BaseAuthModule {
         }
         throw new ApiError({ code: 401, message: 'Authorization requires user authentication' });
     }
+    hasPasskeyService() {
+        const storageAny = this.storage;
+        if (storageAny.passkeyService || storageAny.passkeyStore) {
+            return true;
+        }
+        if (storageAny.adapter?.passkeyService || storageAny.adapter?.passkeyStore) {
+            return true;
+        }
+        const serverAny = this.server;
+        return !!serverAny.passkeyServiceAdapter;
+    }
+    hasOAuthStore() {
+        const storageAny = this.storage;
+        if (storageAny.oauthStore) {
+            return true;
+        }
+        if (storageAny.adapter?.oauthStore) {
+            return true;
+        }
+        const serverAny = this.server;
+        return !!serverAny.oauthStoreAdapter;
+    }
+    storageImplements(key) {
+        const candidate = this.storage[key];
+        if (typeof candidate !== 'function') {
+            return false;
+        }
+        const baseImpl = BaseAuthAdapter.prototype[key];
+        return candidate !== baseImpl;
+    }
+    storageImplementsAll(keys) {
+        return keys.every((key) => this.storageImplements(key));
+    }
     defineRoutes() {
-        const routes = [
-            {
-                method: 'post',
-                path: '/v1/login',
-                handler: (req) => this.postLogin(req),
-                auth: { type: 'none', req: 'any' }
-            },
-            {
-                method: 'post',
-                path: '/v1/refresh',
-                handler: (req) => this.postRefresh(req),
-                auth: { type: 'none', req: 'any' }
-            },
-            {
-                method: 'post',
-                path: '/v1/logout',
-                handler: (req) => this.postLogout(req),
-                auth: { type: 'maybe', req: 'any' }
-            },
-            {
-                method: 'post',
-                path: '/v1/whoami',
-                handler: (req) => this.postWhoAmI(req),
-                auth: { type: 'maybe', req: 'any' }
-            },
-            {
-                method: 'post',
-                path: '/v1/impersonations',
-                handler: (req) => this.postImpersonation(req),
-                auth: { type: 'strict', req: 'any' }
-            },
-            {
-                method: 'delete',
-                path: '/v1/impersonations',
-                handler: (req) => this.deleteImpersonation(req),
-                auth: { type: 'strict', req: 'any' }
-            }
-        ];
-        const storage = this.storage;
-        const passkeysSupported = typeof storage.createPasskeyChallenge === 'function' && typeof storage.verifyPasskeyResponse === 'function';
+        const routes = [];
+        const coreAuthSupported = this.storageImplementsAll([
+            'getUser',
+            'getUserPasswordHash',
+            'getUserId',
+            'verifyPassword',
+            'filterUser',
+            'storeToken',
+            'getToken',
+            'deleteToken'
+        ]);
+        if (!coreAuthSupported) {
+            return routes;
+        }
+        routes.push({
+            method: 'post',
+            path: '/v1/login',
+            handler: (req) => this.postLogin(req),
+            auth: { type: 'none', req: 'any' }
+        }, {
+            method: 'post',
+            path: '/v1/refresh',
+            handler: (req) => this.postRefresh(req),
+            auth: { type: 'none', req: 'any' }
+        }, {
+            method: 'post',
+            path: '/v1/logout',
+            handler: (req) => this.postLogout(req),
+            auth: { type: 'maybe', req: 'any' }
+        }, {
+            method: 'post',
+            path: '/v1/whoami',
+            handler: (req) => this.postWhoAmI(req),
+            auth: { type: 'maybe', req: 'any' }
+        }, {
+            method: 'post',
+            path: '/v1/impersonations',
+            handler: (req) => this.postImpersonation(req),
+            auth: { type: 'strict', req: 'any' }
+        }, {
+            method: 'delete',
+            path: '/v1/impersonations',
+            handler: (req) => this.deleteImpersonation(req),
+            auth: { type: 'strict', req: 'any' }
+        });
+        const passkeysSupported = this.hasPasskeyService() &&
+            this.storageImplements('createPasskeyChallenge') &&
+            this.storageImplements('verifyPasskeyResponse');
+        const passkeyCredentialsSupported = passkeysSupported &&
+            this.storageImplements('listUserCredentials') &&
+            this.storageImplements('deletePasskeyCredential');
         if (passkeysSupported) {
             routes.push({
                 method: 'post',
@@ -992,6 +1114,19 @@ class AuthModule extends BaseAuthModule {
                 handler: (req) => this.postPasskeyVerify(req),
                 auth: { type: 'none', req: 'any' }
             });
+            if (passkeyCredentialsSupported) {
+                routes.push({
+                    method: 'get',
+                    path: '/v1/passkeys',
+                    handler: (req) => this.getPasskeys(req),
+                    auth: { type: 'strict', req: 'any' }
+                }, {
+                    method: 'delete',
+                    path: '/v1/passkeys/:credentialId?',
+                    handler: (req) => this.deletePasskey(req),
+                    auth: { type: 'strict', req: 'any' }
+                });
+            }
         }
         const externalOAuthSupported = typeof this.server.initiateOAuth === 'function' && typeof this.server.completeOAuth === 'function';
         if (externalOAuthSupported) {
@@ -1007,9 +1142,10 @@ class AuthModule extends BaseAuthModule {
                 auth: { type: 'none', req: 'any' }
             });
         }
-        const oauthStorageSupported = typeof storage.getClient === 'function' &&
-            typeof storage.createAuthCode === 'function' &&
-            typeof storage.consumeAuthCode === 'function';
+        const oauthStorageSupported = this.hasOAuthStore() &&
+            this.storageImplements('getClient') &&
+            this.storageImplements('createAuthCode') &&
+            this.storageImplements('consumeAuthCode');
         if (oauthStorageSupported) {
             routes.push({
                 method: 'post',

package/dist/esm/auth-api/compat-auth-storage.d.ts

@@ -1,9 +1,9 @@
 import { PasskeyService } from '../passkey/service.js';
-import type { AuthIdentifier, AuthStorage } from './types.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
 import type { OAuthStore } from '../oauth/base.js';
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
 import type { PasskeyStore } from '../passkey/base.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, StoredPasskeyCredential, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
 import type { TokenStore } from '../token/base.js';
 import type { Token } from '../token/types.js';
 import type { UserStore } from '../user/base.js';
@@ -11,7 +11,7 @@ interface PasskeyAdapterOptions {
     store: PasskeyStore;
     config: PasskeyServiceConfig;
 }
-export interface AuthStorageAdapterOptions<UserRow, PublicUser> {
+export interface AuthAdapterOptions<UserRow, PublicUser> {
     userStore: UserStore<UserRow, PublicUser>;
     tokenStore: TokenStore;
     passkeys?: PasskeyAdapterOptions | PasskeyService;
@@ -21,13 +21,13 @@ export interface AuthStorageAdapterOptions<UserRow, PublicUser> {
         effectiveUserId: AuthIdentifier;
     }) => boolean | Promise<boolean>;
 }
-export declare class AuthStorageAdapter<UserRow, PublicUser> implements AuthStorage<UserRow, PublicUser> {
+export declare class CompositeAuthAdapter<UserRow, PublicUser> implements AuthAdapter<UserRow, PublicUser> {
     private readonly userStore;
     private readonly tokenStore;
     private readonly oauthStore?;
     private readonly passkeyService?;
     private readonly canImpersonateFn?;
-    constructor(options: AuthStorageAdapterOptions<UserRow, PublicUser>);
+    constructor(options: AuthAdapterOptions<UserRow, PublicUser>);
     getUser(identifier: AuthIdentifier): Promise<UserRow | null>;
     getUserPasswordHash(user: UserRow): string;
     getUserId(user: UserRow): AuthIdentifier;
@@ -43,6 +43,8 @@ export declare class AuthStorageAdapter<UserRow, PublicUser> implements AuthStor
     }): Promise<boolean>;
     createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
     getClient(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;

package/dist/esm/auth-api/compat-auth-storage.js

@@ -1,6 +1,6 @@
 import { randomUUID } from 'node:crypto';
 import { PasskeyService } from '../passkey/service.js';
-export class AuthStorageAdapter {
+export class CompositeAuthAdapter {
     constructor(options) {
         this.userStore = options.userStore;
         this.tokenStore = options.tokenStore;
@@ -52,6 +52,18 @@ export class AuthStorageAdapter {
         }
         return this.passkeyService.verifyResponse(params);
     }
+    async listUserCredentials(userId) {
+        if (!this.passkeyService) {
+            throw new Error('Passkey storage is not configured');
+        }
+        return this.passkeyService.listUserCredentials(userId);
+    }
+    async deletePasskeyCredential(credentialId) {
+        if (!this.passkeyService) {
+            throw new Error('Passkey storage is not configured');
+        }
+        return this.passkeyService.deleteCredential(credentialId);
+    }
     async getClient(clientId) {
         if (!this.oauthStore) {
             return null;

package/dist/esm/auth-api/mem-auth-store.d.ts

@@ -2,11 +2,11 @@ import { MemoryOAuthStore } from '../oauth/memory.js';
 import { MemoryPasskeyStore } from '../passkey/memory.js';
 import { TokenStore } from '../token/base.js';
 import { MemoryUserStore } from '../user/memory.js';
-import type { AuthIdentifier, AuthStorage } from './types.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
 import type { MemoryOAuthStoreOptions } from '../oauth/memory.js';
 import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
 import type { MemoryPasskeyStoreOptions } from '../passkey/memory.js';
-import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyUserDescriptor, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyUserDescriptor, StoredPasskeyCredential, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
 import type { Token } from '../token/types.js';
 import type { MemoryUserAttributes, MemoryPublicUser, MemoryUserStoreOptions } from '../user/memory.js';
 interface PasskeyOptions extends Partial<PasskeyServiceConfig> {
@@ -24,7 +24,7 @@ export interface MemAuthStoreParams<UserAttributes extends MemoryUserAttributes
     }) => boolean | Promise<boolean>;
     tokenStore?: TokenStore;
 }
-export declare class MemAuthStore<UserAttributes extends MemoryUserAttributes = MemoryUserAttributes, PublicUserShape extends MemoryPublicUser<UserAttributes> = MemoryPublicUser<UserAttributes>> implements AuthStorage<UserAttributes, PublicUserShape> {
+export declare class MemAuthStore<UserAttributes extends MemoryUserAttributes = MemoryUserAttributes, PublicUserShape extends MemoryPublicUser<UserAttributes> = MemoryPublicUser<UserAttributes>> implements AuthAdapter<UserAttributes, PublicUserShape> {
     readonly userStore: MemoryUserStore<UserAttributes, PublicUserShape>;
     readonly tokenStore: TokenStore;
     readonly passkeyStore?: MemoryPasskeyStore;
@@ -54,6 +54,8 @@ export declare class MemAuthStore<UserAttributes extends MemoryUserAttributes =
     }): Promise<boolean>;
     createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
     getClient(clientId: string): Promise<OAuthClient | null>;
     verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
     createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;