@technomoron/api-server-base 2.0.0-beta.21 → 2.0.0-beta.23

package/dist/cjs/server/src/limiter/fixed-window.cjs

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FixedWindowRateLimiter = void 0;
+class FixedWindowRateLimiter {
+    constructor(maxKeys = 10000) {
+        this.maxKeys = maxKeys;
+        this.buckets = new Map();
+    }
+    check(key, max, windowMs) {
+        if (!key || max <= 0 || windowMs <= 0) {
+            return { allowed: true, retryAfterSec: 0 };
+        }
+        const now = Date.now();
+        const bucket = this.buckets.get(key);
+        if (!bucket || now - bucket.windowStartMs >= windowMs) {
+            this.buckets.delete(key);
+            this.buckets.set(key, { windowStartMs: now, count: 1 });
+            this.prune();
+            return { allowed: true, retryAfterSec: 0 };
+        }
+        bucket.count += 1;
+        // Refresh insertion order to keep active entries at the end for pruning.
+        this.buckets.delete(key);
+        this.buckets.set(key, bucket);
+        if (bucket.count <= max) {
+            return { allowed: true, retryAfterSec: 0 };
+        }
+        const retryAfterSec = Math.max(1, Math.ceil((bucket.windowStartMs + windowMs - now) / 1000));
+        return { allowed: false, retryAfterSec };
+    }
+    prune() {
+        while (this.buckets.size > this.maxKeys) {
+            const oldest = this.buckets.keys().next().value;
+            if (!oldest) {
+                break;
+            }
+            this.buckets.delete(oldest);
+        }
+    }
+}
+exports.FixedWindowRateLimiter = FixedWindowRateLimiter;

package/dist/cjs/server/src/limiter/fixed-window.d.ts

@@ -0,0 +1,11 @@
+export type RateLimitDecision = {
+    allowed: boolean;
+    retryAfterSec: number;
+};
+export declare class FixedWindowRateLimiter {
+    private readonly maxKeys;
+    private readonly buckets;
+    constructor(maxKeys?: number);
+    check(key: string, max: number, windowMs: number): RateLimitDecision;
+    private prune;
+}

package/dist/cjs/{oauth/base.js → server/src/oauth/base.cjs}

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.OAuthStore = void 0;
+/** Base contract for OAuth client/auth-code persistence backends. */
 class OAuthStore {
 }
 exports.OAuthStore = OAuthStore;

package/dist/cjs/{oauth → server/src/oauth}/base.d.ts

@@ -1,10 +1,17 @@
 import type { AuthCode, OAuthClient } from './types.js';
+/** Base contract for OAuth client/auth-code persistence backends. */
 export declare abstract class OAuthStore {
+    /** Fetch an OAuth client by id. */
     abstract getClient(clientId: string): Promise<OAuthClient | null>;
+    /** Create an OAuth client. */
     abstract createClient(input: OAuthClient): Promise<OAuthClient>;
+    /** Verify an OAuth client secret. */
     abstract verifyClientSecret(clientId: string, secret: string | null): Promise<boolean>;
+    /** Persist an authorization code. */
     abstract createAuthCode(code: AuthCode): Promise<void>;
-    abstract consumeAuthCode(code: string): Promise<AuthCode | null>;
+    /** Consume an authorization code once. When clientId is provided, only consume if it matches. */
+    abstract consumeAuthCode(code: string, clientId?: string): Promise<AuthCode | null>;
+    /** Close underlying resources. */
     abstract close(): Promise<void>;
 }
 export type { OAuthClient, AuthCode } from './types.js';

package/dist/cjs/{oauth/memory.js → server/src/oauth/memory.cjs}

@@ -5,8 +5,8 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.MemoryOAuthStore = void 0;
 const bcryptjs_1 = __importDefault(require("bcryptjs"));
-const user_id_js_1 = require("../auth-api/user-id.js");
-const base_js_1 = require("./base.js");
+const user_id_js_1 = require("../auth-api/user-id.cjs");
+const base_js_1 = require("./base.cjs");
 function cloneClient(client) {
     if (!client) {
         return null;
@@ -17,7 +17,7 @@ function cloneClient(client) {
         name: client.name,
         redirectUris: [...client.redirectUris],
         scope: client.scope ? [...client.scope] : undefined,
-        metadata: client.metadata ? { ...client.metadata } : undefined,
+        metadata: client.metadata ? JSON.parse(JSON.stringify(client.metadata)) : undefined,
         firstParty: client.firstParty
     };
 }
@@ -89,11 +89,14 @@ class MemoryOAuthStore extends base_js_1.OAuthStore {
         this.codes.set(record.code, record);
         this.enforceCodeCapacity();
     }
-    async consumeAuthCode(code) {
+    async consumeAuthCode(code, clientId) {
         const record = this.codes.get(code);
         if (!record) {
             return null;
         }
+        if (clientId && record.clientId !== clientId) {
+            return null;
+        }
         if (record.expiresAt.getTime() <= Date.now()) {
             this.codes.delete(code);
             return null;

package/dist/{esm → cjs/server/src}/oauth/memory.d.ts

@@ -15,7 +15,7 @@ export declare class MemoryOAuthStore extends OAuthStore {
     createClient(input: OAuthClient): Promise<OAuthClient>;
     verifyClientSecret(clientId: string, secret: string | null): Promise<boolean>;
     createAuthCode(code: AuthCode): Promise<void>;
-    consumeAuthCode(code: string): Promise<AuthCode | null>;
+    consumeAuthCode(code: string, clientId?: string): Promise<AuthCode | null>;
     close(): Promise<void>;
     private enforceClientCapacity;
     private enforceCodeCapacity;

package/dist/cjs/{oauth/models.js → server/src/oauth/models.cjs}

@@ -4,8 +4,8 @@ exports.OAuthCodeModel = exports.OAuthClientModel = exports.tableOptions = expor
 exports.initOAuthClientModel = initOAuthClientModel;
 exports.initOAuthCodeModel = initOAuthCodeModel;
 const sequelize_1 = require("sequelize");
-const sequelize_utils_js_1 = require("../sequelize-utils.js");
-var sequelize_utils_js_2 = require("../sequelize-utils.js");
+const sequelize_utils_js_1 = require("../sequelize-utils.cjs");
+var sequelize_utils_js_2 = require("../sequelize-utils.cjs");
 Object.defineProperty(exports, "integerIdType", { enumerable: true, get: function () { return sequelize_utils_js_2.integerIdType; } });
 Object.defineProperty(exports, "tableOptions", { enumerable: true, get: function () { return sequelize_utils_js_2.tableOptions; } });
 class OAuthClientModel extends sequelize_1.Model {

package/dist/cjs/{oauth/sequelize.js → server/src/oauth/sequelize.cjs}

@@ -6,11 +6,11 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.SequelizeOAuthStore = exports.initOAuthCodeModel = exports.initOAuthClientModel = exports.OAuthCodeModel = exports.OAuthClientModel = void 0;
 const bcryptjs_1 = __importDefault(require("bcryptjs"));
 const sequelize_1 = require("sequelize");
-const user_id_js_1 = require("../auth-api/user-id.js");
-const sequelize_utils_js_1 = require("../sequelize-utils.js");
-const base_js_1 = require("./base.js");
-const models_js_1 = require("./models.js");
-var models_js_2 = require("./models.js");
+const user_id_js_1 = require("../auth-api/user-id.cjs");
+const sequelize_utils_js_1 = require("../sequelize-utils.cjs");
+const base_js_1 = require("./base.cjs");
+const models_js_1 = require("./models.cjs");
+var models_js_2 = require("./models.cjs");
 Object.defineProperty(exports, "OAuthClientModel", { enumerable: true, get: function () { return models_js_2.OAuthClientModel; } });
 Object.defineProperty(exports, "OAuthCodeModel", { enumerable: true, get: function () { return models_js_2.OAuthCodeModel; } });
 Object.defineProperty(exports, "initOAuthClientModel", { enumerable: true, get: function () { return models_js_2.initOAuthClientModel; } });
@@ -107,13 +107,17 @@ class SequelizeOAuthStore extends base_js_1.OAuthStore {
             metadata: serializeMetadata(code.metadata)
         });
     }
-    async consumeAuthCode(code) {
+    async consumeAuthCode(code, clientId) {
         const sequelize = this.codes.sequelize;
         if (!sequelize) {
             throw new Error('Code model is not bound to a Sequelize instance');
         }
         return sequelize.transaction({ isolationLevel: sequelize_1.Transaction.ISOLATION_LEVELS.READ_COMMITTED }, async (transaction) => {
-            const model = await this.codes.findByPk(code, { transaction, lock: true });
+            const where = { code };
+            if (clientId) {
+                where.client_id = clientId;
+            }
+            const model = await this.codes.findOne({ where, transaction, lock: true });
             if (!model) {
                 return null;
             }

package/dist/{esm → cjs/server/src}/oauth/sequelize.d.ts

@@ -23,7 +23,7 @@ export declare class SequelizeOAuthStore extends OAuthStore {
     createClient(input: OAuthClient): Promise<OAuthClient>;
     verifyClientSecret(clientId: string, clientSecret: string | null): Promise<boolean>;
     createAuthCode(code: AuthCode): Promise<void>;
-    consumeAuthCode(code: string): Promise<AuthCode | null>;
+    consumeAuthCode(code: string, clientId?: string): Promise<AuthCode | null>;
     close(): Promise<void>;
     private toOAuthClient;
     private toAuthCode;

package/dist/cjs/{passkey/base.js → server/src/passkey/base.cjs}

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.PasskeyStore = void 0;
+/** Base contract for passkey credential/challenge persistence backends. */
 class PasskeyStore {
 }
 exports.PasskeyStore = PasskeyStore;

package/dist/{esm → cjs/server/src}/passkey/base.d.ts

@@ -1,17 +1,28 @@
 import type { PasskeyChallengeRecord, PasskeyStorageAdapter, PasskeyUserDescriptor, StoredPasskeyCredential } from './types.js';
 import type { AuthIdentifier } from '../auth-api/types.js';
+/** Base contract for passkey credential/challenge persistence backends. */
 export declare abstract class PasskeyStore implements PasskeyStorageAdapter {
+    /** Resolve a passkey user descriptor by id/login. */
     abstract resolveUser(params: {
         userId?: AuthIdentifier;
         login?: string;
     }): Promise<PasskeyUserDescriptor | null>;
+    /** List passkey credentials for a user. */
     abstract listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    /** Delete a credential by binary/base64url id. */
     abstract deleteCredential(credentialId: Buffer | string): Promise<boolean>;
+    /** Find a credential by binary id. */
     abstract findCredentialById(credentialId: Buffer): Promise<StoredPasskeyCredential | null>;
+    /** Save a credential record. */
     abstract saveCredential(record: StoredPasskeyCredential): Promise<void>;
+    /** Update signature counter for a credential. */
     abstract updateCredentialCounter(credentialId: Buffer, counter: number): Promise<void>;
+    /** Save a challenge record. */
     abstract saveChallenge(record: PasskeyChallengeRecord): Promise<void>;
+    /** Read a challenge without consuming it. */
     abstract getChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
+    /** Consume and return a challenge. */
     abstract consumeChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
+    /** Cleanup expired challenges. */
     abstract cleanupChallenges(now: Date): Promise<void>;
 }

package/dist/cjs/{passkey/memory.js → server/src/passkey/memory.cjs}

@@ -1,8 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.MemoryPasskeyStore = void 0;
-const user_id_js_1 = require("../auth-api/user-id.js");
-const base_js_1 = require("./base.js");
+const user_id_js_1 = require("../auth-api/user-id.cjs");
+const base_js_1 = require("./base.cjs");
 function encodeCredentialId(value) {
     return Buffer.isBuffer(value) ? value.toString('base64') : value;
 }

package/dist/cjs/{passkey/models.js → server/src/passkey/models.cjs}

@@ -4,7 +4,7 @@ exports.PasskeyChallengeModel = exports.PasskeyCredentialModel = void 0;
 exports.initPasskeyCredentialModel = initPasskeyCredentialModel;
 exports.initPasskeyChallengeModel = initPasskeyChallengeModel;
 const sequelize_1 = require("sequelize");
-const sequelize_utils_js_1 = require("../sequelize-utils.js");
+const sequelize_utils_js_1 = require("../sequelize-utils.cjs");
 class PasskeyCredentialModel extends sequelize_1.Model {
 }
 exports.PasskeyCredentialModel = PasskeyCredentialModel;

package/dist/cjs/{passkey/sequelize.js → server/src/passkey/sequelize.cjs}

@@ -2,9 +2,9 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.SequelizePasskeyStore = void 0;
 const sequelize_1 = require("sequelize");
-const user_id_js_1 = require("../auth-api/user-id.js");
-const base_js_1 = require("./base.js");
-const models_js_1 = require("./models.js");
+const user_id_js_1 = require("../auth-api/user-id.cjs");
+const base_js_1 = require("./base.cjs");
+const models_js_1 = require("./models.cjs");
 function encodeCredentialId(value) {
     return Buffer.isBuffer(value) ? value.toString('base64') : value;
 }

package/dist/cjs/{passkey/service.js → server/src/passkey/service.cjs}

@@ -161,7 +161,19 @@ class PasskeyService {
     async listUserCredentials(userId) {
         return this.adapter.listUserCredentials(userId);
     }
-    async deleteCredential(credentialId) {
+    async deleteCredential(credentialId, userId) {
+        if (userId !== undefined) {
+            const credentials = await this.adapter.listUserCredentials(userId);
+            const target = Buffer.isBuffer(credentialId) ? credentialId : Buffer.from(String(credentialId), 'base64');
+            const owns = credentials.some((c) => {
+                const stored = Buffer.isBuffer(c.credentialId)
+                    ? c.credentialId
+                    : Buffer.from(String(c.credentialId), 'base64');
+                return stored.equals(target);
+            });
+            if (!owns)
+                return false;
+        }
         return this.adapter.deleteCredential(credentialId);
     }
     async createChallenge(params) {
@@ -287,7 +299,9 @@ class PasskeyService {
         const attestationResponse = params.response.response;
         const credentialIdPrimary = toBufferOrNull(registrationInfo.credentialID);
         const credentialIdFallback = toBufferOrNull(params.response.id);
-        const credentialId = credentialIdPrimary && credentialIdPrimary.length > 0 ? credentialIdPrimary : credentialIdFallback;
+        const credentialId = credentialIdPrimary && credentialIdPrimary.length > 0
+            ? credentialIdPrimary
+            : (credentialIdFallback ?? Buffer.alloc(0));
         const publicKeyPrimary = toBufferOrNull(registrationInfo.credentialPublicKey);
         let publicKeyFallback = toBufferOrNull(attestationResponse?.publicKey);
         if ((!publicKeyPrimary || publicKeyPrimary.length === 0) && attestationResponse?.attestationObject) {
@@ -330,7 +344,7 @@ class PasskeyService {
             publicKey: storedPublicKey,
             counter: registrationInfo.counter ?? 0,
             transports: sanitizeTransports(params.response.transports),
-            backedUp: registrationInfo.credentialDeviceType === 'multiDevice',
+            backedUp: registrationInfo.credentialBackedUp ?? registrationInfo.credentialDeviceType === 'multiDevice',
             deviceType: registrationInfo.credentialDeviceType,
             label: toOptionalString(params.label),
             createdDomain: toOptionalString(params.domain),

package/dist/{esm → cjs/server/src}/passkey/service.d.ts

@@ -8,7 +8,7 @@ export declare class PasskeyService {
     private readonly logger;
     constructor(config: PasskeyServiceConfig, adapter: PasskeyStorageAdapter, logger?: Logger);
     listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
-    deleteCredential(credentialId: Buffer | string): Promise<boolean>;
+    deleteCredential(credentialId: Buffer | string, userId?: AuthIdentifier): Promise<boolean>;
     createChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
     private createRegistrationChallenge;

package/dist/cjs/{sequelize-utils.js → server/src/sequelize-utils.cjs}

@@ -48,10 +48,9 @@ function decodeStringArray(raw) {
         }
     }
     catch {
-        // ignore malformed values
+        // Malformed JSON — return empty rather than guessing via whitespace split.
+        // A whitespace-split fallback could silently grant unintended permissions
+        // if a scope/role column contains a corrupted value like "admin user".
     }
-    return raw
-        .split(/\s+/)
-        .map((entry) => entry.trim())
-        .filter((entry) => entry.length > 0);
+    return [];
 }

package/dist/cjs/{token/base.js → server/src/token/base.cjs}

@@ -42,6 +42,9 @@ function normalizeTokenInternal(input) {
     const userId = String(input.userId);
     const ruid = input.ruid === undefined || input.ruid === null ? undefined : String(input.ruid);
     const expires = input.expires ? new Date(input.expires) : new Date(Date.now() + 30 * 24 * 60 * 60 * 1000);
+    if (Number.isNaN(expires.getTime())) {
+        throw new Error(`Invalid token expiry value: ${String(input.expires)}`);
+    }
     const issuedAt = input.issuedAt ? new Date(input.issuedAt) : new Date();
     const lastSeenAt = input.lastSeenAt ? new Date(input.lastSeenAt) : issuedAt;
     const scope = normalizeScope(input.scope);
@@ -71,6 +74,7 @@ function normalizeTokenInternal(input) {
         sessionCookie
     };
 }
+/** Base contract for token/session persistence backends plus shared JWT helpers. */
 class TokenStore {
     // Instance helpers
     normalizeToken(token) {

package/dist/{esm → cjs/server/src}/token/base.d.ts

@@ -17,20 +17,27 @@ export interface JwtDecodeResult<T> {
     data?: T;
     error?: string;
 }
+/** Base contract for token/session persistence backends plus shared JWT helpers. */
 export declare abstract class TokenStore {
+    /** Create/persist a token record. */
     abstract save(record: Token): Promise<void>;
+    /** Read a token record by partial query. */
     abstract get(query: Partial<Token>, opts?: {
         includeExpired?: boolean;
     }): Promise<Token | null>;
+    /** Delete token records matching a partial query. */
     abstract delete(query: Partial<Token>): Promise<number>;
+    /** Update a token identified by refresh token. */
     abstract update(update: Partial<Token> & {
         refreshToken: string;
     }): Promise<boolean>;
+    /** List tokens for a specific user. */
     abstract list(userId: string | number, opts?: {
         limit?: number;
         offset?: number;
         includeExpired?: boolean;
     }): Promise<Token[]>;
+    /** Close underlying resources. */
     abstract close(): Promise<void>;
     normalizeToken(token: Partial<Token>): Token;
     jwtSign(payload: JwtSignPayload, secret: string, expiresInSeconds: number, options?: SignOptions): JwtSignResult;

package/dist/cjs/{token/memory.js → server/src/token/memory.cjs}

@@ -1,7 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.MemoryTokenStore = void 0;
-const base_js_1 = require("./base.js");
+const base_js_1 = require("./base.cjs");
 function comparableUserId(value) {
     if (value === undefined) {
         return undefined;
@@ -18,16 +18,16 @@ function cloneToken(record) {
     };
 }
 function matchesQuery(record, query, includeExpired) {
-    if (query.refreshToken && record.refreshToken !== query.refreshToken) {
+    if (query.refreshToken !== undefined && record.refreshToken !== query.refreshToken) {
         return false;
     }
-    if (query.accessToken && record.accessToken !== query.accessToken) {
+    if (query.accessToken !== undefined && record.accessToken !== query.accessToken) {
         return false;
     }
     if (query.userId !== undefined && comparableUserId(record.userId) !== comparableUserId(query.userId)) {
         return false;
     }
-    if (query.clientId && record.clientId !== query.clientId) {
+    if (query.clientId !== undefined && record.clientId !== query.clientId) {
         return false;
     }
     if (query.domain !== undefined && (record.domain ?? '') !== (query.domain ?? '')) {
@@ -39,11 +39,14 @@ function matchesQuery(record, query, includeExpired) {
     if (query.loginType !== undefined && record.loginType !== (query.loginType ?? undefined)) {
         return false;
     }
-    if (query.label && record.label !== query.label) {
+    if (query.label !== undefined && record.label !== query.label) {
         return false;
     }
-    if (!includeExpired && (record.expires ?? new Date(0)).getTime() < Date.now()) {
-        return false;
+    if (!includeExpired) {
+        const expiresTime = record.expires ? record.expires.getTime() : Infinity;
+        if (expiresTime < Date.now()) {
+            return false;
+        }
     }
     return true;
 }
@@ -166,16 +169,14 @@ class MemoryTokenStore extends base_js_1.TokenStore {
         const merged = { ...token };
         const maybeAssign = (key) => {
             const value = params[key];
-            if (value !== undefined) {
+            if (value !== undefined && value !== null) {
                 merged[key] = value;
             }
         };
-        if (params.accessToken !== undefined && params.accessToken !== null) {
-            merged.accessToken = params.accessToken;
-        }
-        if (params.expires !== undefined && params.expires !== null) {
-            merged.expires = params.expires;
-        }
+        maybeAssign('accessToken');
+        maybeAssign('expires');
+        maybeAssign('issuedAt');
+        maybeAssign('lastSeenAt');
         maybeAssign('scope');
         maybeAssign('label');
         maybeAssign('domain');
@@ -186,12 +187,6 @@ class MemoryTokenStore extends base_js_1.TokenStore {
         maybeAssign('os');
         maybeAssign('refreshTtlSeconds');
         maybeAssign('loginType');
-        if (params.issuedAt !== undefined && params.issuedAt !== null) {
-            merged.issuedAt = params.issuedAt;
-        }
-        if (params.lastSeenAt !== undefined && params.lastSeenAt !== null) {
-            merged.lastSeenAt = params.lastSeenAt;
-        }
         maybeAssign('sessionCookie');
         const normalized = this.normalizeToken(merged);
         const previousUserId = token.userId;

package/dist/cjs/{token/sequelize.js → server/src/token/sequelize.cjs}

@@ -2,9 +2,9 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.SequelizeTokenStore = void 0;
 const sequelize_1 = require("sequelize");
-const user_id_js_1 = require("../auth-api/user-id.js");
-const sequelize_utils_js_1 = require("../sequelize-utils.js");
-const base_js_1 = require("./base.js");
+const user_id_js_1 = require("../auth-api/user-id.cjs");
+const sequelize_utils_js_1 = require("../sequelize-utils.cjs");
+const base_js_1 = require("./base.cjs");
 class TokenModel extends sequelize_1.Model {
 }
 function initTokenModel(sequelize, options = {}) {
@@ -167,12 +167,20 @@ class SequelizeTokenStore extends base_js_1.TokenStore {
             await this.Tokens.destroy({ where: removalWhere, transaction });
             // Access/refresh columns are unique. Remove stale collisions before insert to avoid
             // transient uniqueness failures during retries/rotation edge-cases.
-            await this.Tokens.destroy({
-                where: {
-                    [sequelize_1.Op.or]: [{ access: normalized.accessToken ?? '' }, { refresh: normalized.refreshToken }]
-                },
-                transaction
-            });
+            // Only include non-empty token values to prevent matching unrelated rows.
+            const collisionConditions = [];
+            if (normalized.accessToken) {
+                collisionConditions.push({ access: normalized.accessToken });
+            }
+            if (normalized.refreshToken) {
+                collisionConditions.push({ refresh: normalized.refreshToken });
+            }
+            if (collisionConditions.length > 0) {
+                await this.Tokens.destroy({
+                    where: { [sequelize_1.Op.or]: collisionConditions },
+                    transaction
+                });
+            }
             await this.Tokens.create({
                 user_id: resolvedUserId,
                 real_user_id: resolvedRealUserId,
@@ -313,8 +321,14 @@ class SequelizeTokenStore extends base_js_1.TokenStore {
         if (Object.keys(updates).length === 0) {
             return false;
         }
-        const [updated] = await this.Tokens.update(updates, { where });
-        return updated > 0;
+        const sequelize = this.Tokens.sequelize;
+        if (!sequelize) {
+            throw new Error('Token model is not bound to a Sequelize instance');
+        }
+        return sequelize.transaction(async (transaction) => {
+            const [updated] = await this.Tokens.update(updates, { where, transaction });
+            return updated > 0;
+        });
     }
     async list(userId, opts = {}) {
         const where = { user_id: this.normalizeUserId(userId) };

package/dist/cjs/server/src/upload/memory.cjs

@@ -0,0 +1,92 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MemoryTusUploadStore = exports.TusUploadExceedsLengthError = exports.TusUploadOffsetError = void 0;
+const node_crypto_1 = require("node:crypto");
+function cloneRecord(record) {
+    return {
+        ...record,
+        metadata: { ...record.metadata },
+        createdAt: new Date(record.createdAt),
+        updatedAt: new Date(record.updatedAt),
+        ...(record.completedAt ? { completedAt: new Date(record.completedAt) } : {})
+    };
+}
+class TusUploadOffsetError extends Error {
+    constructor(currentOffset) {
+        super('Upload offset does not match current offset');
+        this.currentOffset = currentOffset;
+    }
+}
+exports.TusUploadOffsetError = TusUploadOffsetError;
+class TusUploadExceedsLengthError extends Error {
+    constructor() {
+        super('Upload exceeds declared length');
+    }
+}
+exports.TusUploadExceedsLengthError = TusUploadExceedsLengthError;
+class MemoryTusUploadStore {
+    constructor() {
+        this.uploads = new Map();
+        this.chunks = new Map();
+    }
+    async createUpload(input) {
+        const id = input.id?.trim() || (0, node_crypto_1.randomUUID)();
+        if (this.uploads.has(id)) {
+            throw new Error(`Upload ${id} already exists`);
+        }
+        const now = new Date();
+        const record = {
+            id,
+            length: Math.max(0, Math.floor(input.length)),
+            offset: 0,
+            metadata: { ...input.metadata },
+            ...(input.userId ? { userId: input.userId } : {}),
+            createdAt: now,
+            updatedAt: now
+        };
+        this.uploads.set(id, record);
+        this.chunks.set(id, []);
+        return cloneRecord(record);
+    }
+    async getUpload(uploadId) {
+        const found = this.uploads.get(uploadId);
+        return found ? cloneRecord(found) : null;
+    }
+    async appendUpload(input) {
+        const current = this.uploads.get(input.uploadId);
+        if (!current) {
+            throw new Error('Upload not found');
+        }
+        if (input.offset !== current.offset) {
+            throw new TusUploadOffsetError(current.offset);
+        }
+        const nextOffset = current.offset + input.chunk.length;
+        if (nextOffset > current.length) {
+            throw new TusUploadExceedsLengthError();
+        }
+        const now = new Date();
+        const updated = {
+            ...current,
+            offset: nextOffset,
+            updatedAt: now,
+            ...(nextOffset === current.length ? { completedAt: now } : {})
+        };
+        this.uploads.set(input.uploadId, updated);
+        if (input.chunk.length > 0) {
+            this.chunks.get(input.uploadId)?.push(Buffer.from(input.chunk));
+        }
+        return cloneRecord(updated);
+    }
+    async deleteUpload(uploadId) {
+        this.chunks.delete(uploadId);
+        return this.uploads.delete(uploadId);
+    }
+    readUpload(uploadId) {
+        const chunks = this.chunks.get(uploadId);
+        if (!chunks) {
+            return null;
+        }
+        return Buffer.concat(chunks);
+    }
+}
+exports.MemoryTusUploadStore = MemoryTusUploadStore;

package/dist/cjs/server/src/upload/memory.d.ts

@@ -0,0 +1,17 @@
+import type { TusAppendInput, TusCreateUploadInput, TusUploadRecord, TusUploadStore } from './types.js';
+export declare class TusUploadOffsetError extends Error {
+    readonly currentOffset: number;
+    constructor(currentOffset: number);
+}
+export declare class TusUploadExceedsLengthError extends Error {
+    constructor();
+}
+export declare class MemoryTusUploadStore implements TusUploadStore {
+    private readonly uploads;
+    private readonly chunks;
+    createUpload(input: TusCreateUploadInput): Promise<TusUploadRecord>;
+    getUpload(uploadId: string): Promise<TusUploadRecord | null>;
+    appendUpload(input: TusAppendInput): Promise<TusUploadRecord>;
+    deleteUpload(uploadId: string): Promise<boolean>;
+    readUpload(uploadId: string): Buffer | null;
+}