@technomoron/api-server-base 2.0.0-beta.21 → 2.0.0-beta.23

package/dist/esm/{auth-api → server/src/auth-api}/auth-module.d.ts

@@ -10,7 +10,7 @@ interface CanImpersonateContext<UserEntity> {
     targetUser: UserEntity;
     effectiveUserId: AuthIdentifier;
 }
-type AuthRateLimitEndpoint = 'login' | 'passkey-challenge' | 'oauth-token';
+type AuthRateLimitEndpoint = 'login' | 'passkey-challenge' | 'oauth-token' | 'oauth-authorize';
 interface AuthModuleOptions<UserEntity> {
     namespace?: string;
     defaultDomain?: string;

package/dist/esm/{auth-api → server/src/auth-api}/auth-module.js

@@ -3,9 +3,14 @@ import { isoBase64URL } from '@simplewebauthn/server/helpers';
 import { ApiError } from '../api-server-base.js';
 import { buildAuthCookieOptions } from '../auth-cookie-options.js';
 import { BaseAuthModule } from './module.js';
+import { loginBodySchema, refreshBodySchema, logoutBodySchema, whoamiBodySchema, passkeyChallengeBodySchema, passkeyVerifyBodySchema, passkeyCredentialParamsSchema, impersonateBodySchema, deleteImpersonationQuerySchema, oauthProviderParamsSchema, oauthStartBodySchema, oauthAuthorizeBodySchema, oauthTokenBodySchema } from './schemas.js';
 import { BaseAuthAdapter } from './storage.js';
 function isAuthIdentifier(value) {
-    return typeof value === 'string' || typeof value === 'number';
+    if (typeof value === 'string')
+        return value.length > 0;
+    if (typeof value === 'number')
+        return Number.isFinite(value);
+    return false;
 }
 function toStringOrNull(value) {
     if (typeof value === 'string') {
@@ -42,7 +47,7 @@ class AuthModule extends BaseAuthModule {
         this.defaultDomain = options.defaultDomain;
         this.canImpersonateHook = options.canImpersonate;
         this.rateLimitHook = options.rateLimit;
-        this.allowInsecurePkcePlain = options.allowInsecurePkcePlain ?? true;
+        this.allowInsecurePkcePlain = options.allowInsecurePkcePlain ?? false;
     }
     get storage() {
         return this.server.getAuthStorage();
@@ -58,16 +63,17 @@ class AuthModule extends BaseAuthModule {
                 targetUser,
                 effectiveUserId
             });
-            if (allowed) {
+            if (allowed === true)
                 return true;
-            }
+            if (allowed === false)
+                return false;
         }
         const storageWithHook = this.storage;
         if (typeof storageWithHook.canImpersonate === 'function') {
             const allowed = await storageWithHook.canImpersonate({ realUserId, effectiveUserId });
             return !!allowed;
         }
-        return realUserId === effectiveUserId;
+        return String(realUserId) === String(effectiveUserId);
     }
     async ensureImpersonationAllowed(apiReq, realUser, targetUser) {
         const permitted = await this.canImpersonate(apiReq, realUser, targetUser);
@@ -255,6 +261,9 @@ class AuthModule extends BaseAuthModule {
         const accessMaxAge = Math.max(1, conf.accessExpiry) * 1000;
         const refreshSeconds = Math.max(1, preferences.refreshTtlSeconds ?? conf.refreshExpiry);
         const refreshMaxAge = refreshSeconds * 1000;
+        // When sessionCookie is true we omit maxAge so the browser deletes the
+        // cookie on close.  The server-side JWT still has its own expiry, which
+        // limits exposure if the browser crashes without running its cleanup.
         const accessOptions = sessionCookie ? options : { ...options, maxAge: accessMaxAge };
         const refreshOptions = sessionCookie ? options : { ...options, maxAge: refreshMaxAge };
         if (tokens.accessToken) {
@@ -344,19 +353,10 @@ class AuthModule extends BaseAuthModule {
     }
     parseLoginBody(apiReq) {
         const body = (apiReq.req.body ?? {});
-        const login = toStringOrNull(body.login);
-        const password = toStringOrNull(body.password);
+        // login and password are guaranteed present and non-empty by JSON Schema
+        const login = body.login;
+        const password = body.password;
         const sessionPrefs = this.resolveSessionPreferences(body.keepSession);
-        if (!login || !password) {
-            const errors = {};
-            if (!login) {
-                errors.login = 'Login is required';
-            }
-            if (!password) {
-                errors.password = 'Password is required';
-            }
-            throw new ApiError({ code: 400, message: 'Missing credentials', errors });
-        }
         return {
             login,
             password,
@@ -451,7 +451,9 @@ class AuthModule extends BaseAuthModule {
         const { login, password, ...metadata } = this.parseLoginBody(apiReq);
         const user = await this.storage.getUser(login);
         const hash = user ? this.storage.getUserPasswordHash(user) : '';
-        const verified = user ? await this.storage.verifyPassword(password, hash) : false;
+        // Reject users with no password hash (e.g. OAuth/passkey-only accounts) before
+        // calling verifyPassword, since bcrypt behaviour on an empty hash is undefined.
+        const verified = user && hash ? await this.storage.verifyPassword(password, hash) : false;
         if (!user || !verified) {
             throw new ApiError({
                 code: 400,
@@ -482,6 +484,13 @@ class AuthModule extends BaseAuthModule {
                 message: verify.error ?? 'Unable to verify refresh token'
             });
         }
+        // Delete the token immediately after verification to narrow the TOCTOU window.
+        // This must happen before the slower getUserOrThrow call.
+        const deleted = await this.storage.deleteToken({ refreshToken: providedToken });
+        if (deleted === 0) {
+            // Another concurrent request already consumed this refresh token.
+            throw new ApiError({ code: 401, message: 'Invalid refresh token' });
+        }
         const user = await this.getUserOrThrow(stored.userId ?? verify.data.uid, 'User not found');
         const metadata = {
             domain: stored.domain,
@@ -497,7 +506,6 @@ class AuthModule extends BaseAuthModule {
             refreshTtlSeconds: sessionPrefs.refreshTtlSeconds ?? stored.refreshTtlSeconds,
             sessionCookie: sessionPrefs.sessionCookie ?? stored.sessionCookie
         };
-        await this.storage.deleteToken({ refreshToken: providedToken });
         const pair = await this.issueTokens(apiReq, user, metadata);
         const publicUser = this.storage.filterUser(user);
         return [200, { ...pair, user: publicUser }];
@@ -537,8 +545,7 @@ class AuthModule extends BaseAuthModule {
                 apiReq.req.cookies[conf.accessCookie].trim().length > 0);
         const shouldRefresh = Boolean(body.refresh) || !hasAccessToken;
         if (shouldRefresh) {
-            const updateToken = this.storage.updateToken;
-            if (typeof updateToken !== 'function' || !this.storageImplements('updateToken')) {
+            if (typeof this.storage.updateToken !== 'function' || !this.storageImplements('updateToken')) {
                 throw new ApiError({ code: 501, message: 'Token update storage is not configured' });
             }
             // Sign a new access token without embedding stored token secrets into the JWT payload.
@@ -562,7 +569,7 @@ class AuthModule extends BaseAuthModule {
             if (!access.success || !access.token) {
                 throw new ApiError({ code: 500, message: access.error ?? 'Unable to sign access token' });
             }
-            const updated = await updateToken.call(this.storage, {
+            const updated = await this.storage.updateToken({
                 refreshToken,
                 accessToken: access.token,
                 lastSeenAt: new Date()
@@ -608,12 +615,10 @@ class AuthModule extends BaseAuthModule {
             throw new ApiError({ code: 501, message: 'Passkey support is not configured' });
         }
         const body = (apiReq.req.body ?? {});
-        const action = toStringOrNull(body.action);
-        if (action !== 'register' && action !== 'authenticate') {
-            throw new ApiError({ code: 400, message: 'Passkey action must be "register" or "authenticate"' });
-        }
+        // action is guaranteed to be 'register' | 'authenticate' by JSON Schema
+        const action = body.action;
         const params = {
-            action,
+            action: action,
             login: toStringOrNull(body.login) ?? undefined,
             userId: isAuthIdentifier(body.userId) ? body.userId : undefined
         };
@@ -626,11 +631,9 @@ class AuthModule extends BaseAuthModule {
         }
         const body = (apiReq.req.body ?? {});
         const sessionPrefs = this.resolveSessionPreferences(body.keepSession);
-        const expectedChallenge = toStringOrNull(body.expectedChallenge);
+        // expectedChallenge (string) and response (object) are guaranteed by JSON Schema
+        const expectedChallenge = body.expectedChallenge;
         const response = body.response;
-        if (!expectedChallenge || typeof response !== 'object' || response === null) {
-            throw new ApiError({ code: 400, message: 'Malformed passkey verification payload' });
-        }
         const rawMetadata = {
             domain: toStringOrNull(body.domain) ?? undefined,
             fingerprint: toStringOrNull(body.fingerprint) ?? undefined,
@@ -740,6 +743,15 @@ class AuthModule extends BaseAuthModule {
     }
     async deleteImpersonation(apiReq) {
         this.assertAuthReady();
+        if (!apiReq.isImpersonating()) {
+            throw new ApiError({ code: 400, message: 'Not currently impersonating' });
+        }
+        // Revoke the active impersonation refresh token before issuing new real-user tokens
+        // so that a captured impersonation token cannot be reused after impersonation ends.
+        const impersonationRefreshToken = this.extractRefreshToken(apiReq, {});
+        if (impersonationRefreshToken) {
+            await this.storage.deleteToken({ refreshToken: impersonationRefreshToken });
+        }
         const actor = await this.resolveActorContext(apiReq);
         const query = (apiReq.req.query ?? {});
         const metadata = this.buildImpersonationMetadata(query);
@@ -776,9 +788,7 @@ class AuthModule extends BaseAuthModule {
                 ? apiReq.req.body.extras
                 : undefined
         };
-        if (!params.provider) {
-            throw new ApiError({ code: 400, message: 'OAuth provider is required' });
-        }
+        // provider is guaranteed present and non-empty by params schema
         const result = await this.server.initiateOAuth(params);
         return [200, result];
     }
@@ -791,9 +801,6 @@ class AuthModule extends BaseAuthModule {
             query: apiReq.req.query,
             body: (apiReq.req.body ?? {})
         };
-        if (!params.provider) {
-            throw new ApiError({ code: 400, message: 'OAuth provider is required' });
-        }
         const result = await this.server.completeOAuth(params);
         if (result.tokens?.accessToken && result.tokens.refreshToken) {
             this.setJwtCookies(apiReq, {
@@ -807,20 +814,16 @@ class AuthModule extends BaseAuthModule {
         if (typeof this.storage.getClient !== 'function' || typeof this.storage.createAuthCode !== 'function') {
             throw new ApiError({ code: 501, message: 'OAuth authorization storage is not configured' });
         }
+        await this.applyRateLimit(apiReq, 'oauth-authorize');
         const body = (apiReq.req.body ?? {});
-        const clientId = toStringOrNull(body.clientId);
-        const redirectUri = toStringOrNull(body.redirectUri);
+        // clientId and redirectUri are guaranteed present and non-empty by JSON Schema
+        const clientId = body.clientId;
+        const redirectUri = body.redirectUri;
         const scope = toScopeArray(body.scope) ?? [];
         const state = toStringOrNull(body.state) ?? undefined;
         const codeChallenge = toStringOrNull(body.codeChallenge) ?? undefined;
         const codeChallengeMethod = toStringOrNull(body.codeChallengeMethod) ?? undefined;
         const resolvedCodeChallengeMethod = this.resolvePkceChallengeMethod(codeChallengeMethod);
-        if (!clientId) {
-            throw new ApiError({ code: 400, message: 'clientId is required' });
-        }
-        if (!redirectUri) {
-            throw new ApiError({ code: 400, message: 'redirectUri is required' });
-        }
         const client = await this.storage.getClient(clientId);
         if (!client) {
             throw new ApiError({ code: 400, message: 'Unknown client_id' });
@@ -850,10 +853,8 @@ class AuthModule extends BaseAuthModule {
             throw new ApiError({ code: 501, message: 'OAuth token storage is not configured' });
         }
         const body = (apiReq.req.body ?? {});
-        const grantType = toStringOrNull(body.grant_type);
-        if (!grantType) {
-            throw new ApiError({ code: 400, message: 'grant_type is required' });
-        }
+        // grant_type is guaranteed to be 'authorization_code' | 'refresh_token' by JSON Schema
+        const grantType = body.grant_type;
         const { client, clientSecretProvided } = await this.resolveClientAuthentication(apiReq, body);
         switch (grantType) {
             case 'authorization_code':
@@ -907,7 +908,7 @@ class AuthModule extends BaseAuthModule {
                 }
             }
         }
-        else if (!clientSecretProvided && (client.hasSecret ?? Boolean(client.clientSecret))) {
+        else if (!clientSecretProvided && (client.hasSecret ?? false)) {
             throw new ApiError({ code: 400, message: 'Client authentication required when no PKCE challenge present' });
         }
         const user = await this.getUserOrThrow(record.userId, 'User not found');
@@ -941,8 +942,12 @@ class AuthModule extends BaseAuthModule {
         if (stored.clientId && stored.clientId !== client.clientId) {
             throw new ApiError({ code: 400, message: 'Refresh token issued to another client' });
         }
+        // Delete the token immediately after verification to narrow the TOCTOU window.
+        const deleted = await this.storage.deleteToken({ refreshToken });
+        if (deleted === 0) {
+            throw new ApiError({ code: 401, message: 'Invalid refresh token' });
+        }
         const user = await this.getUserOrThrow(stored.userId ?? verify.data.uid, 'User not found');
-        await this.storage.deleteToken({ refreshToken });
         const tokens = await this.issueTokens(apiReq, user, {
             clientId: client.clientId,
             scope: stored.scope,
@@ -1014,7 +1019,7 @@ class AuthModule extends BaseAuthModule {
         if (!client) {
             throw new ApiError({ code: 400, message: 'Unknown client_id' });
         }
-        const requiresSecret = client.hasSecret ?? Boolean(client.clientSecret);
+        const requiresSecret = client.hasSecret ?? false;
         if (requiresSecret) {
             if (!secretProvided) {
                 throw new ApiError({ code: 400, message: 'Client authentication is required' });
@@ -1032,7 +1037,7 @@ class AuthModule extends BaseAuthModule {
     }
     assertRedirectUriAllowed(client, redirectUri) {
         if (client.redirectUris.length === 0) {
-            return;
+            throw new ApiError({ code: 400, message: 'Client has no registered redirect URIs' });
         }
         if (!client.redirectUris.includes(redirectUri)) {
             throw new ApiError({ code: 400, message: 'redirect_uri not registered for client' });
@@ -1041,9 +1046,13 @@ class AuthModule extends BaseAuthModule {
     async resolveUserForOAuth(apiReq, body) {
         const refreshToken = this.extractRefreshToken(apiReq, body);
         if (refreshToken) {
+            const verify = this.server.jwtVerify(refreshToken, this.server.config.refreshSecret);
+            if (!verify.success || !verify.data) {
+                throw new ApiError({ code: 401, message: 'Invalid or expired refresh token' });
+            }
             const stored = await this.storage.getToken({ refreshToken });
             if (stored) {
-                return this.getUserOrThrow(stored.userId, 'User not found for authorization');
+                return this.getUserOrThrow(stored.userId ?? verify.data.uid, 'User not found for authorization');
             }
         }
         const login = toStringOrNull(body.login);
@@ -1051,7 +1060,7 @@ class AuthModule extends BaseAuthModule {
         if (login && password) {
             const user = await this.storage.getUser(login);
             const hash = user ? this.storage.getUserPasswordHash(user) : '';
-            const verified = user ? await this.storage.verifyPassword(password, hash) : false;
+            const verified = user && hash ? await this.storage.verifyPassword(password, hash) : false;
             if (!user || !verified) {
                 throw new ApiError({ code: 400, message: 'Invalid credentials' });
             }
@@ -1067,8 +1076,7 @@ class AuthModule extends BaseAuthModule {
         if (storageHints.adapter?.passkeyService || storageHints.adapter?.passkeyStore) {
             return true;
         }
-        const serverHints = this.server;
-        return !!serverHints.passkeyServiceAdapter;
+        return false;
     }
     hasOAuthStore() {
         const storageHints = this.storage;
@@ -1078,8 +1086,7 @@ class AuthModule extends BaseAuthModule {
         if (storageHints.adapter?.oauthStore) {
             return true;
         }
-        const serverHints = this.server;
-        return !!serverHints.oauthStoreAdapter;
+        return false;
     }
     storageImplements(key) {
         const candidate = this.storage[key];
@@ -1129,32 +1136,38 @@ class AuthModule extends BaseAuthModule {
             method: 'post',
             path: '/v1/login',
             handler: (req) => this.postLogin(req),
-            auth: { type: 'none', req: 'any' }
+            auth: { type: 'none', req: 'any' },
+            schema: { body: loginBodySchema }
         }, {
             method: 'post',
             path: '/v1/refresh',
             handler: (req) => this.postRefresh(req),
-            auth: { type: 'none', req: 'any' }
+            auth: { type: 'none', req: 'any' },
+            schema: { body: refreshBodySchema }
         }, {
             method: 'post',
             path: '/v1/logout',
             handler: (req) => this.postLogout(req),
-            auth: { type: 'maybe', req: 'any' }
+            auth: { type: 'maybe', req: 'any' },
+            schema: { body: logoutBodySchema }
         }, {
             method: 'post',
             path: '/v1/whoami',
             handler: (req) => this.postWhoAmI(req),
-            auth: { type: 'maybe', req: 'any' }
+            auth: { type: 'maybe', req: 'any' },
+            schema: { body: whoamiBodySchema }
         }, {
             method: 'post',
             path: '/v1/impersonations',
             handler: (req) => this.postImpersonation(req),
-            auth: { type: 'strict', req: 'any' }
+            auth: { type: 'strict', req: 'any' },
+            schema: { body: impersonateBodySchema }
         }, {
             method: 'delete',
             path: '/v1/impersonations',
             handler: (req) => this.deleteImpersonation(req),
-            auth: { type: 'strict', req: 'any' }
+            auth: { type: 'strict', req: 'any' },
+            schema: { querystring: deleteImpersonationQuerySchema }
         });
         const passkeysSupported = this.hasPasskeyService() &&
             this.storageImplements('createPasskeyChallenge') &&
@@ -1167,12 +1180,14 @@ class AuthModule extends BaseAuthModule {
                 method: 'post',
                 path: '/v1/passkeys/challenge',
                 handler: (req) => this.postPasskeyChallenge(req),
-                auth: { type: 'none', req: 'any' }
+                auth: { type: 'none', req: 'any' },
+                schema: { body: passkeyChallengeBodySchema }
             }, {
                 method: 'post',
                 path: '/v1/passkeys/verify',
                 handler: (req) => this.postPasskeyVerify(req),
-                auth: { type: 'none', req: 'any' }
+                auth: { type: 'none', req: 'any' },
+                schema: { body: passkeyVerifyBodySchema }
             });
             if (passkeyCredentialsSupported) {
                 routes.push({
@@ -1184,7 +1199,8 @@ class AuthModule extends BaseAuthModule {
                     method: 'delete',
                     path: '/v1/passkeys/:credentialId',
                     handler: (req) => this.deletePasskey(req),
-                    auth: { type: 'strict', req: 'any' }
+                    auth: { type: 'strict', req: 'any' },
+                    schema: { params: passkeyCredentialParamsSchema }
                 });
             }
         }
@@ -1194,12 +1210,14 @@ class AuthModule extends BaseAuthModule {
                 method: 'post',
                 path: '/v1/oauth2/:provider/start',
                 handler: (req) => this.postOAuthStart(req),
-                auth: { type: 'none', req: 'any' }
+                auth: { type: 'none', req: 'any' },
+                schema: { body: oauthStartBodySchema, params: oauthProviderParamsSchema }
             }, {
                 method: 'post',
                 path: '/v1/oauth2/:provider/callback',
                 handler: (req) => this.postOAuthCallback(req),
-                auth: { type: 'none', req: 'any' }
+                auth: { type: 'none', req: 'any' },
+                schema: { params: oauthProviderParamsSchema }
             });
         }
         const oauthStorageSupported = this.hasOAuthStore() &&
@@ -1211,12 +1229,14 @@ class AuthModule extends BaseAuthModule {
                 method: 'post',
                 path: '/v1/oauth2/authorize',
                 handler: (req) => this.postOAuthAuthorize(req),
-                auth: { type: 'maybe', req: 'any' }
+                auth: { type: 'maybe', req: 'any' },
+                schema: { body: oauthAuthorizeBodySchema }
             }, {
                 method: 'post',
                 path: '/v1/oauth2/token',
                 handler: (req) => this.postOAuthToken(req),
-                auth: { type: 'none', req: 'any' }
+                auth: { type: 'none', req: 'any' },
+                schema: { body: oauthTokenBodySchema }
             });
         }
         return routes;

package/dist/esm/{auth-api → server/src/auth-api}/compat-auth-storage.js

@@ -109,8 +109,8 @@ export class CompositeAuthAdapter {
         if (!this.oauthStore) {
             return null;
         }
-        const consumed = await this.oauthStore.consumeAuthCode(code);
-        if (!consumed || consumed.clientId !== clientId) {
+        const consumed = await this.oauthStore.consumeAuthCode(code, clientId);
+        if (!consumed) {
             return null;
         }
         return consumed;
@@ -119,6 +119,6 @@ export class CompositeAuthAdapter {
         if (this.canImpersonateFn) {
             return !!(await this.canImpersonateFn(params));
         }
-        return params.realUserId === params.effectiveUserId;
+        return String(params.realUserId) === String(params.effectiveUserId);
     }
 }

package/dist/esm/server/src/auth-api/schemas.d.ts

@@ -0,0 +1,21 @@
+/**
+ * JSON Schema definitions for auth module routes.
+ * These are the runtime validation source-of-truth; TypeScript interfaces
+ * in auth-module.ts remain for handler-internal typing only.
+ */
+/** Loose JSON Schema object type used for Fastify route schema definitions. */
+type JsonSchema = Record<string, unknown>;
+export declare const loginBodySchema: JsonSchema;
+export declare const refreshBodySchema: JsonSchema;
+export declare const logoutBodySchema: JsonSchema;
+export declare const whoamiBodySchema: JsonSchema;
+export declare const passkeyChallengeBodySchema: JsonSchema;
+export declare const passkeyVerifyBodySchema: JsonSchema;
+export declare const passkeyCredentialParamsSchema: JsonSchema;
+export declare const impersonateBodySchema: JsonSchema;
+export declare const deleteImpersonationQuerySchema: JsonSchema;
+export declare const oauthProviderParamsSchema: JsonSchema;
+export declare const oauthStartBodySchema: JsonSchema;
+export declare const oauthAuthorizeBodySchema: JsonSchema;
+export declare const oauthTokenBodySchema: JsonSchema;
+export {};

package/dist/esm/server/src/auth-api/schemas.js

@@ -0,0 +1,168 @@
+/**
+ * JSON Schema definitions for auth module routes.
+ * These are the runtime validation source-of-truth; TypeScript interfaces
+ * in auth-module.ts remain for handler-internal typing only.
+ */
+/* ------------------------------------------------------------------ */
+/*  Shared fragments                                                   */
+/* ------------------------------------------------------------------ */
+const tokenMetadataProperties = {
+    domain: { type: 'string' },
+    fingerprint: { type: 'string' },
+    label: { type: 'string' },
+    browser: { type: 'string' },
+    device: { type: 'string' },
+    ip: { type: 'string' },
+    os: { type: 'string' }
+};
+const keepSessionProperty = {
+    keepSession: { type: ['boolean', 'number', 'string'] }
+};
+function authIdentifierProperty(name) {
+    return { [name]: { type: ['string', 'number'] } };
+}
+/* ------------------------------------------------------------------ */
+/*  Auth route schemas                                                 */
+/* ------------------------------------------------------------------ */
+export const loginBodySchema = {
+    type: 'object',
+    required: ['login', 'password'],
+    properties: {
+        login: { type: 'string', minLength: 1 },
+        password: { type: 'string', minLength: 1 },
+        ...tokenMetadataProperties,
+        ...keepSessionProperty
+    },
+    additionalProperties: true
+};
+export const refreshBodySchema = {
+    type: 'object',
+    properties: {
+        refreshToken: { type: 'string' },
+        domain: { type: 'string' },
+        fingerprint: { type: 'string' },
+        label: { type: 'string' },
+        ...keepSessionProperty
+    },
+    additionalProperties: false
+};
+export const logoutBodySchema = {
+    type: 'object',
+    properties: {
+        token: { type: 'string' },
+        refreshToken: { type: 'string' }
+    },
+    additionalProperties: false
+};
+export const whoamiBodySchema = {
+    type: 'object',
+    properties: {
+        refreshToken: { type: 'string' },
+        refresh: { type: 'boolean' }
+    },
+    additionalProperties: false
+};
+/* ------------------------------------------------------------------ */
+/*  Passkey schemas                                                    */
+/* ------------------------------------------------------------------ */
+export const passkeyChallengeBodySchema = {
+    type: 'object',
+    required: ['action'],
+    properties: {
+        action: { type: 'string', enum: ['register', 'authenticate'] },
+        login: { type: 'string' },
+        ...authIdentifierProperty('userId')
+    },
+    additionalProperties: false
+};
+export const passkeyVerifyBodySchema = {
+    type: 'object',
+    required: ['expectedChallenge', 'response'],
+    properties: {
+        expectedChallenge: { type: 'string' },
+        response: { type: 'object' },
+        login: { type: 'string' },
+        ...authIdentifierProperty('userId'),
+        userAgent: { type: 'string' },
+        ...tokenMetadataProperties,
+        ...keepSessionProperty
+    },
+    additionalProperties: true
+};
+export const passkeyCredentialParamsSchema = {
+    type: 'object',
+    required: ['credentialId'],
+    properties: {
+        credentialId: { type: 'string', minLength: 1 }
+    }
+};
+/* ------------------------------------------------------------------ */
+/*  Impersonation schemas                                              */
+/* ------------------------------------------------------------------ */
+export const impersonateBodySchema = {
+    type: 'object',
+    properties: {
+        ...authIdentifierProperty('userId'),
+        login: { type: 'string' },
+        ...tokenMetadataProperties,
+        ...keepSessionProperty,
+        clientId: { type: 'string' },
+        scope: {},
+        loginType: { type: 'string' }
+    },
+    additionalProperties: true
+};
+export const deleteImpersonationQuerySchema = {
+    type: 'object',
+    additionalProperties: true
+};
+/* ------------------------------------------------------------------ */
+/*  OAuth schemas                                                      */
+/* ------------------------------------------------------------------ */
+export const oauthProviderParamsSchema = {
+    type: 'object',
+    required: ['provider'],
+    properties: {
+        provider: { type: 'string', minLength: 1 }
+    }
+};
+export const oauthStartBodySchema = {
+    type: 'object',
+    properties: {
+        redirectUri: { type: 'string' },
+        scope: {},
+        state: { type: 'string' },
+        extras: { type: 'object' }
+    },
+    additionalProperties: true
+};
+export const oauthAuthorizeBodySchema = {
+    type: 'object',
+    required: ['clientId', 'redirectUri'],
+    properties: {
+        clientId: { type: 'string', minLength: 1 },
+        redirectUri: { type: 'string', minLength: 1 },
+        scope: {},
+        state: { type: 'string' },
+        codeChallenge: { type: 'string' },
+        codeChallengeMethod: { type: 'string' },
+        login: { type: 'string' },
+        password: { type: 'string' }
+    },
+    additionalProperties: false
+};
+export const oauthTokenBodySchema = {
+    type: 'object',
+    required: ['grant_type'],
+    properties: {
+        grant_type: { type: 'string', enum: ['authorization_code', 'refresh_token'] },
+        code: { type: 'string' },
+        redirect_uri: { type: 'string' },
+        code_verifier: { type: 'string' },
+        client_id: { type: 'string' },
+        client_secret: { type: 'string' },
+        refresh_token: { type: 'string' },
+        scope: { type: 'string' }
+    },
+    additionalProperties: false
+};

package/dist/esm/{auth-api → server/src/auth-api}/user-id.js

@@ -8,7 +8,12 @@ export function normalizeComparableUserId(identifier) {
             throw new Error(`Unable to normalise user identifier: ${identifier}`);
         }
         if (/^\d+$/.test(trimmed)) {
-            return String(Number(trimmed));
+            const num = Number(trimmed);
+            // Avoid precision loss for large numeric strings
+            if (!Number.isSafeInteger(num)) {
+                return trimmed;
+            }
+            return String(num);
         }
         return trimmed;
     }
@@ -17,9 +22,13 @@ export function normalizeComparableUserId(identifier) {
 export function normalizeNumericUserId(identifier) {
     const normalized = normalizeComparableUserId(identifier);
     if (/^\d+$/.test(normalized)) {
-        return Number(normalized);
+        const num = Number(normalized);
+        if (!Number.isSafeInteger(num)) {
+            throw new Error(`Sequelize OAuth/Passkey store requires numeric user IDs within safe integer range: ${identifier}`);
+        }
+        return num;
     }
-    throw new Error(`Unable to normalise user identifier: ${identifier}`);
+    throw new Error(`Sequelize OAuth/Passkey store requires numeric user IDs: ${identifier}`);
 }
 export function normalizeStringUserId(identifier) {
     return normalizeComparableUserId(identifier);