@technomoron/api-server-base 2.0.0-beta.21 → 2.0.0-beta.23

package/dist/cjs/{auth-api/auth-module.js → server/src/auth-api/auth-module.cjs}

@@ -2,12 +2,17 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 const node_crypto_1 = require("node:crypto");
 const helpers_1 = require("@simplewebauthn/server/helpers");
-const api_server_base_js_1 = require("../api-server-base.js");
-const auth_cookie_options_js_1 = require("../auth-cookie-options.js");
-const module_js_1 = require("./module.js");
-const storage_js_1 = require("./storage.js");
+const api_server_base_js_1 = require("../api-server-base.cjs");
+const auth_cookie_options_js_1 = require("../auth-cookie-options.cjs");
+const module_js_1 = require("./module.cjs");
+const schemas_js_1 = require("./schemas.cjs");
+const storage_js_1 = require("./storage.cjs");
 function isAuthIdentifier(value) {
-    return typeof value === 'string' || typeof value === 'number';
+    if (typeof value === 'string')
+        return value.length > 0;
+    if (typeof value === 'number')
+        return Number.isFinite(value);
+    return false;
 }
 function toStringOrNull(value) {
     if (typeof value === 'string') {
@@ -44,7 +49,7 @@ class AuthModule extends module_js_1.BaseAuthModule {
         this.defaultDomain = options.defaultDomain;
         this.canImpersonateHook = options.canImpersonate;
         this.rateLimitHook = options.rateLimit;
-        this.allowInsecurePkcePlain = options.allowInsecurePkcePlain ?? true;
+        this.allowInsecurePkcePlain = options.allowInsecurePkcePlain ?? false;
     }
     get storage() {
         return this.server.getAuthStorage();
@@ -60,16 +65,17 @@ class AuthModule extends module_js_1.BaseAuthModule {
                 targetUser,
                 effectiveUserId
             });
-            if (allowed) {
+            if (allowed === true)
                 return true;
-            }
+            if (allowed === false)
+                return false;
         }
         const storageWithHook = this.storage;
         if (typeof storageWithHook.canImpersonate === 'function') {
             const allowed = await storageWithHook.canImpersonate({ realUserId, effectiveUserId });
             return !!allowed;
         }
-        return realUserId === effectiveUserId;
+        return String(realUserId) === String(effectiveUserId);
     }
     async ensureImpersonationAllowed(apiReq, realUser, targetUser) {
         const permitted = await this.canImpersonate(apiReq, realUser, targetUser);
@@ -257,6 +263,9 @@ class AuthModule extends module_js_1.BaseAuthModule {
         const accessMaxAge = Math.max(1, conf.accessExpiry) * 1000;
         const refreshSeconds = Math.max(1, preferences.refreshTtlSeconds ?? conf.refreshExpiry);
         const refreshMaxAge = refreshSeconds * 1000;
+        // When sessionCookie is true we omit maxAge so the browser deletes the
+        // cookie on close.  The server-side JWT still has its own expiry, which
+        // limits exposure if the browser crashes without running its cleanup.
         const accessOptions = sessionCookie ? options : { ...options, maxAge: accessMaxAge };
         const refreshOptions = sessionCookie ? options : { ...options, maxAge: refreshMaxAge };
         if (tokens.accessToken) {
@@ -346,19 +355,10 @@ class AuthModule extends module_js_1.BaseAuthModule {
     }
     parseLoginBody(apiReq) {
         const body = (apiReq.req.body ?? {});
-        const login = toStringOrNull(body.login);
-        const password = toStringOrNull(body.password);
+        // login and password are guaranteed present and non-empty by JSON Schema
+        const login = body.login;
+        const password = body.password;
         const sessionPrefs = this.resolveSessionPreferences(body.keepSession);
-        if (!login || !password) {
-            const errors = {};
-            if (!login) {
-                errors.login = 'Login is required';
-            }
-            if (!password) {
-                errors.password = 'Password is required';
-            }
-            throw new api_server_base_js_1.ApiError({ code: 400, message: 'Missing credentials', errors });
-        }
         return {
             login,
             password,
@@ -453,7 +453,9 @@ class AuthModule extends module_js_1.BaseAuthModule {
         const { login, password, ...metadata } = this.parseLoginBody(apiReq);
         const user = await this.storage.getUser(login);
         const hash = user ? this.storage.getUserPasswordHash(user) : '';
-        const verified = user ? await this.storage.verifyPassword(password, hash) : false;
+        // Reject users with no password hash (e.g. OAuth/passkey-only accounts) before
+        // calling verifyPassword, since bcrypt behaviour on an empty hash is undefined.
+        const verified = user && hash ? await this.storage.verifyPassword(password, hash) : false;
         if (!user || !verified) {
             throw new api_server_base_js_1.ApiError({
                 code: 400,
@@ -484,6 +486,13 @@ class AuthModule extends module_js_1.BaseAuthModule {
                 message: verify.error ?? 'Unable to verify refresh token'
             });
         }
+        // Delete the token immediately after verification to narrow the TOCTOU window.
+        // This must happen before the slower getUserOrThrow call.
+        const deleted = await this.storage.deleteToken({ refreshToken: providedToken });
+        if (deleted === 0) {
+            // Another concurrent request already consumed this refresh token.
+            throw new api_server_base_js_1.ApiError({ code: 401, message: 'Invalid refresh token' });
+        }
         const user = await this.getUserOrThrow(stored.userId ?? verify.data.uid, 'User not found');
         const metadata = {
             domain: stored.domain,
@@ -499,7 +508,6 @@ class AuthModule extends module_js_1.BaseAuthModule {
             refreshTtlSeconds: sessionPrefs.refreshTtlSeconds ?? stored.refreshTtlSeconds,
             sessionCookie: sessionPrefs.sessionCookie ?? stored.sessionCookie
         };
-        await this.storage.deleteToken({ refreshToken: providedToken });
         const pair = await this.issueTokens(apiReq, user, metadata);
         const publicUser = this.storage.filterUser(user);
         return [200, { ...pair, user: publicUser }];
@@ -539,8 +547,7 @@ class AuthModule extends module_js_1.BaseAuthModule {
                 apiReq.req.cookies[conf.accessCookie].trim().length > 0);
         const shouldRefresh = Boolean(body.refresh) || !hasAccessToken;
         if (shouldRefresh) {
-            const updateToken = this.storage.updateToken;
-            if (typeof updateToken !== 'function' || !this.storageImplements('updateToken')) {
+            if (typeof this.storage.updateToken !== 'function' || !this.storageImplements('updateToken')) {
                 throw new api_server_base_js_1.ApiError({ code: 501, message: 'Token update storage is not configured' });
             }
             // Sign a new access token without embedding stored token secrets into the JWT payload.
@@ -564,7 +571,7 @@ class AuthModule extends module_js_1.BaseAuthModule {
             if (!access.success || !access.token) {
                 throw new api_server_base_js_1.ApiError({ code: 500, message: access.error ?? 'Unable to sign access token' });
             }
-            const updated = await updateToken.call(this.storage, {
+            const updated = await this.storage.updateToken({
                 refreshToken,
                 accessToken: access.token,
                 lastSeenAt: new Date()
@@ -610,12 +617,10 @@ class AuthModule extends module_js_1.BaseAuthModule {
             throw new api_server_base_js_1.ApiError({ code: 501, message: 'Passkey support is not configured' });
         }
         const body = (apiReq.req.body ?? {});
-        const action = toStringOrNull(body.action);
-        if (action !== 'register' && action !== 'authenticate') {
-            throw new api_server_base_js_1.ApiError({ code: 400, message: 'Passkey action must be "register" or "authenticate"' });
-        }
+        // action is guaranteed to be 'register' | 'authenticate' by JSON Schema
+        const action = body.action;
         const params = {
-            action,
+            action: action,
             login: toStringOrNull(body.login) ?? undefined,
             userId: isAuthIdentifier(body.userId) ? body.userId : undefined
         };
@@ -628,11 +633,9 @@ class AuthModule extends module_js_1.BaseAuthModule {
         }
         const body = (apiReq.req.body ?? {});
         const sessionPrefs = this.resolveSessionPreferences(body.keepSession);
-        const expectedChallenge = toStringOrNull(body.expectedChallenge);
+        // expectedChallenge (string) and response (object) are guaranteed by JSON Schema
+        const expectedChallenge = body.expectedChallenge;
         const response = body.response;
-        if (!expectedChallenge || typeof response !== 'object' || response === null) {
-            throw new api_server_base_js_1.ApiError({ code: 400, message: 'Malformed passkey verification payload' });
-        }
         const rawMetadata = {
             domain: toStringOrNull(body.domain) ?? undefined,
             fingerprint: toStringOrNull(body.fingerprint) ?? undefined,
@@ -742,6 +745,15 @@ class AuthModule extends module_js_1.BaseAuthModule {
     }
     async deleteImpersonation(apiReq) {
         this.assertAuthReady();
+        if (!apiReq.isImpersonating()) {
+            throw new api_server_base_js_1.ApiError({ code: 400, message: 'Not currently impersonating' });
+        }
+        // Revoke the active impersonation refresh token before issuing new real-user tokens
+        // so that a captured impersonation token cannot be reused after impersonation ends.
+        const impersonationRefreshToken = this.extractRefreshToken(apiReq, {});
+        if (impersonationRefreshToken) {
+            await this.storage.deleteToken({ refreshToken: impersonationRefreshToken });
+        }
         const actor = await this.resolveActorContext(apiReq);
         const query = (apiReq.req.query ?? {});
         const metadata = this.buildImpersonationMetadata(query);
@@ -778,9 +790,7 @@ class AuthModule extends module_js_1.BaseAuthModule {
                 ? apiReq.req.body.extras
                 : undefined
         };
-        if (!params.provider) {
-            throw new api_server_base_js_1.ApiError({ code: 400, message: 'OAuth provider is required' });
-        }
+        // provider is guaranteed present and non-empty by params schema
         const result = await this.server.initiateOAuth(params);
         return [200, result];
     }
@@ -793,9 +803,6 @@ class AuthModule extends module_js_1.BaseAuthModule {
             query: apiReq.req.query,
             body: (apiReq.req.body ?? {})
         };
-        if (!params.provider) {
-            throw new api_server_base_js_1.ApiError({ code: 400, message: 'OAuth provider is required' });
-        }
         const result = await this.server.completeOAuth(params);
         if (result.tokens?.accessToken && result.tokens.refreshToken) {
             this.setJwtCookies(apiReq, {
@@ -809,20 +816,16 @@ class AuthModule extends module_js_1.BaseAuthModule {
         if (typeof this.storage.getClient !== 'function' || typeof this.storage.createAuthCode !== 'function') {
             throw new api_server_base_js_1.ApiError({ code: 501, message: 'OAuth authorization storage is not configured' });
         }
+        await this.applyRateLimit(apiReq, 'oauth-authorize');
         const body = (apiReq.req.body ?? {});
-        const clientId = toStringOrNull(body.clientId);
-        const redirectUri = toStringOrNull(body.redirectUri);
+        // clientId and redirectUri are guaranteed present and non-empty by JSON Schema
+        const clientId = body.clientId;
+        const redirectUri = body.redirectUri;
         const scope = toScopeArray(body.scope) ?? [];
         const state = toStringOrNull(body.state) ?? undefined;
         const codeChallenge = toStringOrNull(body.codeChallenge) ?? undefined;
         const codeChallengeMethod = toStringOrNull(body.codeChallengeMethod) ?? undefined;
         const resolvedCodeChallengeMethod = this.resolvePkceChallengeMethod(codeChallengeMethod);
-        if (!clientId) {
-            throw new api_server_base_js_1.ApiError({ code: 400, message: 'clientId is required' });
-        }
-        if (!redirectUri) {
-            throw new api_server_base_js_1.ApiError({ code: 400, message: 'redirectUri is required' });
-        }
         const client = await this.storage.getClient(clientId);
         if (!client) {
             throw new api_server_base_js_1.ApiError({ code: 400, message: 'Unknown client_id' });
@@ -852,10 +855,8 @@ class AuthModule extends module_js_1.BaseAuthModule {
             throw new api_server_base_js_1.ApiError({ code: 501, message: 'OAuth token storage is not configured' });
         }
         const body = (apiReq.req.body ?? {});
-        const grantType = toStringOrNull(body.grant_type);
-        if (!grantType) {
-            throw new api_server_base_js_1.ApiError({ code: 400, message: 'grant_type is required' });
-        }
+        // grant_type is guaranteed to be 'authorization_code' | 'refresh_token' by JSON Schema
+        const grantType = body.grant_type;
         const { client, clientSecretProvided } = await this.resolveClientAuthentication(apiReq, body);
         switch (grantType) {
             case 'authorization_code':
@@ -909,7 +910,7 @@ class AuthModule extends module_js_1.BaseAuthModule {
                 }
             }
         }
-        else if (!clientSecretProvided && (client.hasSecret ?? Boolean(client.clientSecret))) {
+        else if (!clientSecretProvided && (client.hasSecret ?? false)) {
             throw new api_server_base_js_1.ApiError({ code: 400, message: 'Client authentication required when no PKCE challenge present' });
         }
         const user = await this.getUserOrThrow(record.userId, 'User not found');
@@ -943,8 +944,12 @@ class AuthModule extends module_js_1.BaseAuthModule {
         if (stored.clientId && stored.clientId !== client.clientId) {
             throw new api_server_base_js_1.ApiError({ code: 400, message: 'Refresh token issued to another client' });
         }
+        // Delete the token immediately after verification to narrow the TOCTOU window.
+        const deleted = await this.storage.deleteToken({ refreshToken });
+        if (deleted === 0) {
+            throw new api_server_base_js_1.ApiError({ code: 401, message: 'Invalid refresh token' });
+        }
         const user = await this.getUserOrThrow(stored.userId ?? verify.data.uid, 'User not found');
-        await this.storage.deleteToken({ refreshToken });
         const tokens = await this.issueTokens(apiReq, user, {
             clientId: client.clientId,
             scope: stored.scope,
@@ -1016,7 +1021,7 @@ class AuthModule extends module_js_1.BaseAuthModule {
         if (!client) {
             throw new api_server_base_js_1.ApiError({ code: 400, message: 'Unknown client_id' });
         }
-        const requiresSecret = client.hasSecret ?? Boolean(client.clientSecret);
+        const requiresSecret = client.hasSecret ?? false;
         if (requiresSecret) {
             if (!secretProvided) {
                 throw new api_server_base_js_1.ApiError({ code: 400, message: 'Client authentication is required' });
@@ -1034,7 +1039,7 @@ class AuthModule extends module_js_1.BaseAuthModule {
     }
     assertRedirectUriAllowed(client, redirectUri) {
         if (client.redirectUris.length === 0) {
-            return;
+            throw new api_server_base_js_1.ApiError({ code: 400, message: 'Client has no registered redirect URIs' });
         }
         if (!client.redirectUris.includes(redirectUri)) {
             throw new api_server_base_js_1.ApiError({ code: 400, message: 'redirect_uri not registered for client' });
@@ -1043,9 +1048,13 @@ class AuthModule extends module_js_1.BaseAuthModule {
     async resolveUserForOAuth(apiReq, body) {
         const refreshToken = this.extractRefreshToken(apiReq, body);
         if (refreshToken) {
+            const verify = this.server.jwtVerify(refreshToken, this.server.config.refreshSecret);
+            if (!verify.success || !verify.data) {
+                throw new api_server_base_js_1.ApiError({ code: 401, message: 'Invalid or expired refresh token' });
+            }
             const stored = await this.storage.getToken({ refreshToken });
             if (stored) {
-                return this.getUserOrThrow(stored.userId, 'User not found for authorization');
+                return this.getUserOrThrow(stored.userId ?? verify.data.uid, 'User not found for authorization');
             }
         }
         const login = toStringOrNull(body.login);
@@ -1053,7 +1062,7 @@ class AuthModule extends module_js_1.BaseAuthModule {
         if (login && password) {
             const user = await this.storage.getUser(login);
             const hash = user ? this.storage.getUserPasswordHash(user) : '';
-            const verified = user ? await this.storage.verifyPassword(password, hash) : false;
+            const verified = user && hash ? await this.storage.verifyPassword(password, hash) : false;
             if (!user || !verified) {
                 throw new api_server_base_js_1.ApiError({ code: 400, message: 'Invalid credentials' });
             }
@@ -1069,8 +1078,7 @@ class AuthModule extends module_js_1.BaseAuthModule {
         if (storageHints.adapter?.passkeyService || storageHints.adapter?.passkeyStore) {
             return true;
         }
-        const serverHints = this.server;
-        return !!serverHints.passkeyServiceAdapter;
+        return false;
     }
     hasOAuthStore() {
         const storageHints = this.storage;
@@ -1080,8 +1088,7 @@ class AuthModule extends module_js_1.BaseAuthModule {
         if (storageHints.adapter?.oauthStore) {
             return true;
         }
-        const serverHints = this.server;
-        return !!serverHints.oauthStoreAdapter;
+        return false;
     }
     storageImplements(key) {
         const candidate = this.storage[key];
@@ -1131,32 +1138,38 @@ class AuthModule extends module_js_1.BaseAuthModule {
             method: 'post',
             path: '/v1/login',
             handler: (req) => this.postLogin(req),
-            auth: { type: 'none', req: 'any' }
+            auth: { type: 'none', req: 'any' },
+            schema: { body: schemas_js_1.loginBodySchema }
         }, {
             method: 'post',
             path: '/v1/refresh',
             handler: (req) => this.postRefresh(req),
-            auth: { type: 'none', req: 'any' }
+            auth: { type: 'none', req: 'any' },
+            schema: { body: schemas_js_1.refreshBodySchema }
         }, {
             method: 'post',
             path: '/v1/logout',
             handler: (req) => this.postLogout(req),
-            auth: { type: 'maybe', req: 'any' }
+            auth: { type: 'maybe', req: 'any' },
+            schema: { body: schemas_js_1.logoutBodySchema }
         }, {
             method: 'post',
             path: '/v1/whoami',
             handler: (req) => this.postWhoAmI(req),
-            auth: { type: 'maybe', req: 'any' }
+            auth: { type: 'maybe', req: 'any' },
+            schema: { body: schemas_js_1.whoamiBodySchema }
         }, {
             method: 'post',
             path: '/v1/impersonations',
             handler: (req) => this.postImpersonation(req),
-            auth: { type: 'strict', req: 'any' }
+            auth: { type: 'strict', req: 'any' },
+            schema: { body: schemas_js_1.impersonateBodySchema }
         }, {
             method: 'delete',
             path: '/v1/impersonations',
             handler: (req) => this.deleteImpersonation(req),
-            auth: { type: 'strict', req: 'any' }
+            auth: { type: 'strict', req: 'any' },
+            schema: { querystring: schemas_js_1.deleteImpersonationQuerySchema }
         });
         const passkeysSupported = this.hasPasskeyService() &&
             this.storageImplements('createPasskeyChallenge') &&
@@ -1169,12 +1182,14 @@ class AuthModule extends module_js_1.BaseAuthModule {
                 method: 'post',
                 path: '/v1/passkeys/challenge',
                 handler: (req) => this.postPasskeyChallenge(req),
-                auth: { type: 'none', req: 'any' }
+                auth: { type: 'none', req: 'any' },
+                schema: { body: schemas_js_1.passkeyChallengeBodySchema }
             }, {
                 method: 'post',
                 path: '/v1/passkeys/verify',
                 handler: (req) => this.postPasskeyVerify(req),
-                auth: { type: 'none', req: 'any' }
+                auth: { type: 'none', req: 'any' },
+                schema: { body: schemas_js_1.passkeyVerifyBodySchema }
             });
             if (passkeyCredentialsSupported) {
                 routes.push({
@@ -1186,7 +1201,8 @@ class AuthModule extends module_js_1.BaseAuthModule {
                     method: 'delete',
                     path: '/v1/passkeys/:credentialId',
                     handler: (req) => this.deletePasskey(req),
-                    auth: { type: 'strict', req: 'any' }
+                    auth: { type: 'strict', req: 'any' },
+                    schema: { params: schemas_js_1.passkeyCredentialParamsSchema }
                 });
             }
         }
@@ -1196,12 +1212,14 @@ class AuthModule extends module_js_1.BaseAuthModule {
                 method: 'post',
                 path: '/v1/oauth2/:provider/start',
                 handler: (req) => this.postOAuthStart(req),
-                auth: { type: 'none', req: 'any' }
+                auth: { type: 'none', req: 'any' },
+                schema: { body: schemas_js_1.oauthStartBodySchema, params: schemas_js_1.oauthProviderParamsSchema }
             }, {
                 method: 'post',
                 path: '/v1/oauth2/:provider/callback',
                 handler: (req) => this.postOAuthCallback(req),
-                auth: { type: 'none', req: 'any' }
+                auth: { type: 'none', req: 'any' },
+                schema: { params: schemas_js_1.oauthProviderParamsSchema }
             });
         }
         const oauthStorageSupported = this.hasOAuthStore() &&
@@ -1213,12 +1231,14 @@ class AuthModule extends module_js_1.BaseAuthModule {
                 method: 'post',
                 path: '/v1/oauth2/authorize',
                 handler: (req) => this.postOAuthAuthorize(req),
-                auth: { type: 'maybe', req: 'any' }
+                auth: { type: 'maybe', req: 'any' },
+                schema: { body: schemas_js_1.oauthAuthorizeBodySchema }
             }, {
                 method: 'post',
                 path: '/v1/oauth2/token',
                 handler: (req) => this.postOAuthToken(req),
-                auth: { type: 'none', req: 'any' }
+                auth: { type: 'none', req: 'any' },
+                schema: { body: schemas_js_1.oauthTokenBodySchema }
             });
         }
         return routes;

package/dist/cjs/{auth-api → server/src/auth-api}/auth-module.d.ts

@@ -10,7 +10,7 @@ interface CanImpersonateContext<UserEntity> {
     targetUser: UserEntity;
     effectiveUserId: AuthIdentifier;
 }
-type AuthRateLimitEndpoint = 'login' | 'passkey-challenge' | 'oauth-token';
+type AuthRateLimitEndpoint = 'login' | 'passkey-challenge' | 'oauth-token' | 'oauth-authorize';
 interface AuthModuleOptions<UserEntity> {
     namespace?: string;
     defaultDomain?: string;

package/dist/cjs/{auth-api/compat-auth-storage.js → server/src/auth-api/compat-auth-storage.cjs}

@@ -2,7 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.CompositeAuthAdapter = void 0;
 const node_crypto_1 = require("node:crypto");
-const service_js_1 = require("../passkey/service.js");
+const service_js_1 = require("../passkey/service.cjs");
 class CompositeAuthAdapter {
     constructor(options) {
         this.userStore = options.userStore;
@@ -112,8 +112,8 @@ class CompositeAuthAdapter {
         if (!this.oauthStore) {
             return null;
         }
-        const consumed = await this.oauthStore.consumeAuthCode(code);
-        if (!consumed || consumed.clientId !== clientId) {
+        const consumed = await this.oauthStore.consumeAuthCode(code, clientId);
+        if (!consumed) {
             return null;
         }
         return consumed;
@@ -122,7 +122,7 @@ class CompositeAuthAdapter {
         if (this.canImpersonateFn) {
             return !!(await this.canImpersonateFn(params));
         }
-        return params.realUserId === params.effectiveUserId;
+        return String(params.realUserId) === String(params.effectiveUserId);
     }
 }
 exports.CompositeAuthAdapter = CompositeAuthAdapter;

package/dist/cjs/{auth-api/mem-auth-store.js → server/src/auth-api/mem-auth-store.cjs}

@@ -1,13 +1,13 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.MemAuthStore = void 0;
-const memory_js_1 = require("../oauth/memory.js");
-const config_js_1 = require("../passkey/config.js");
-const memory_js_2 = require("../passkey/memory.js");
-const memory_js_3 = require("../token/memory.js");
-const memory_js_4 = require("../user/memory.js");
-const compat_auth_storage_js_1 = require("./compat-auth-storage.js");
-const user_id_js_1 = require("./user-id.js");
+const memory_js_1 = require("../oauth/memory.cjs");
+const config_js_1 = require("../passkey/config.cjs");
+const memory_js_2 = require("../passkey/memory.cjs");
+const memory_js_3 = require("../token/memory.cjs");
+const memory_js_4 = require("../user/memory.cjs");
+const compat_auth_storage_js_1 = require("./compat-auth-storage.cjs");
+const user_id_js_1 = require("./user-id.cjs");
 class MemAuthStore {
     constructor(params = {}) {
         this.userStore = new memory_js_4.MemoryUserStore({

package/dist/cjs/{auth-api/module.js → server/src/auth-api/module.cjs}

@@ -1,7 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.nullAuthModule = exports.BaseAuthModule = void 0;
-const api_module_js_1 = require("../api-module.js");
+const api_module_js_1 = require("../api-module.cjs");
 // Handy base that you can extend when wiring a real auth module. Subclasses
 // must supply a namespace via the constructor and implement token issuance.
 class BaseAuthModule extends api_module_js_1.ApiModule {

package/dist/cjs/server/src/auth-api/schemas.cjs

@@ -0,0 +1,171 @@
+"use strict";
+/**
+ * JSON Schema definitions for auth module routes.
+ * These are the runtime validation source-of-truth; TypeScript interfaces
+ * in auth-module.ts remain for handler-internal typing only.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oauthTokenBodySchema = exports.oauthAuthorizeBodySchema = exports.oauthStartBodySchema = exports.oauthProviderParamsSchema = exports.deleteImpersonationQuerySchema = exports.impersonateBodySchema = exports.passkeyCredentialParamsSchema = exports.passkeyVerifyBodySchema = exports.passkeyChallengeBodySchema = exports.whoamiBodySchema = exports.logoutBodySchema = exports.refreshBodySchema = exports.loginBodySchema = void 0;
+/* ------------------------------------------------------------------ */
+/*  Shared fragments                                                   */
+/* ------------------------------------------------------------------ */
+const tokenMetadataProperties = {
+    domain: { type: 'string' },
+    fingerprint: { type: 'string' },
+    label: { type: 'string' },
+    browser: { type: 'string' },
+    device: { type: 'string' },
+    ip: { type: 'string' },
+    os: { type: 'string' }
+};
+const keepSessionProperty = {
+    keepSession: { type: ['boolean', 'number', 'string'] }
+};
+function authIdentifierProperty(name) {
+    return { [name]: { type: ['string', 'number'] } };
+}
+/* ------------------------------------------------------------------ */
+/*  Auth route schemas                                                 */
+/* ------------------------------------------------------------------ */
+exports.loginBodySchema = {
+    type: 'object',
+    required: ['login', 'password'],
+    properties: {
+        login: { type: 'string', minLength: 1 },
+        password: { type: 'string', minLength: 1 },
+        ...tokenMetadataProperties,
+        ...keepSessionProperty
+    },
+    additionalProperties: true
+};
+exports.refreshBodySchema = {
+    type: 'object',
+    properties: {
+        refreshToken: { type: 'string' },
+        domain: { type: 'string' },
+        fingerprint: { type: 'string' },
+        label: { type: 'string' },
+        ...keepSessionProperty
+    },
+    additionalProperties: false
+};
+exports.logoutBodySchema = {
+    type: 'object',
+    properties: {
+        token: { type: 'string' },
+        refreshToken: { type: 'string' }
+    },
+    additionalProperties: false
+};
+exports.whoamiBodySchema = {
+    type: 'object',
+    properties: {
+        refreshToken: { type: 'string' },
+        refresh: { type: 'boolean' }
+    },
+    additionalProperties: false
+};
+/* ------------------------------------------------------------------ */
+/*  Passkey schemas                                                    */
+/* ------------------------------------------------------------------ */
+exports.passkeyChallengeBodySchema = {
+    type: 'object',
+    required: ['action'],
+    properties: {
+        action: { type: 'string', enum: ['register', 'authenticate'] },
+        login: { type: 'string' },
+        ...authIdentifierProperty('userId')
+    },
+    additionalProperties: false
+};
+exports.passkeyVerifyBodySchema = {
+    type: 'object',
+    required: ['expectedChallenge', 'response'],
+    properties: {
+        expectedChallenge: { type: 'string' },
+        response: { type: 'object' },
+        login: { type: 'string' },
+        ...authIdentifierProperty('userId'),
+        userAgent: { type: 'string' },
+        ...tokenMetadataProperties,
+        ...keepSessionProperty
+    },
+    additionalProperties: true
+};
+exports.passkeyCredentialParamsSchema = {
+    type: 'object',
+    required: ['credentialId'],
+    properties: {
+        credentialId: { type: 'string', minLength: 1 }
+    }
+};
+/* ------------------------------------------------------------------ */
+/*  Impersonation schemas                                              */
+/* ------------------------------------------------------------------ */
+exports.impersonateBodySchema = {
+    type: 'object',
+    properties: {
+        ...authIdentifierProperty('userId'),
+        login: { type: 'string' },
+        ...tokenMetadataProperties,
+        ...keepSessionProperty,
+        clientId: { type: 'string' },
+        scope: {},
+        loginType: { type: 'string' }
+    },
+    additionalProperties: true
+};
+exports.deleteImpersonationQuerySchema = {
+    type: 'object',
+    additionalProperties: true
+};
+/* ------------------------------------------------------------------ */
+/*  OAuth schemas                                                      */
+/* ------------------------------------------------------------------ */
+exports.oauthProviderParamsSchema = {
+    type: 'object',
+    required: ['provider'],
+    properties: {
+        provider: { type: 'string', minLength: 1 }
+    }
+};
+exports.oauthStartBodySchema = {
+    type: 'object',
+    properties: {
+        redirectUri: { type: 'string' },
+        scope: {},
+        state: { type: 'string' },
+        extras: { type: 'object' }
+    },
+    additionalProperties: true
+};
+exports.oauthAuthorizeBodySchema = {
+    type: 'object',
+    required: ['clientId', 'redirectUri'],
+    properties: {
+        clientId: { type: 'string', minLength: 1 },
+        redirectUri: { type: 'string', minLength: 1 },
+        scope: {},
+        state: { type: 'string' },
+        codeChallenge: { type: 'string' },
+        codeChallengeMethod: { type: 'string' },
+        login: { type: 'string' },
+        password: { type: 'string' }
+    },
+    additionalProperties: false
+};
+exports.oauthTokenBodySchema = {
+    type: 'object',
+    required: ['grant_type'],
+    properties: {
+        grant_type: { type: 'string', enum: ['authorization_code', 'refresh_token'] },
+        code: { type: 'string' },
+        redirect_uri: { type: 'string' },
+        code_verifier: { type: 'string' },
+        client_id: { type: 'string' },
+        client_secret: { type: 'string' },
+        refresh_token: { type: 'string' },
+        scope: { type: 'string' }
+    },
+    additionalProperties: false
+};