@technomoron/api-server-base 2.0.0-beta.22 → 2.0.0-beta.23

package/dist/{cjs → esm/server/src}/passkey/service.d.ts

@@ -8,7 +8,7 @@ export declare class PasskeyService {
     private readonly logger;
     constructor(config: PasskeyServiceConfig, adapter: PasskeyStorageAdapter, logger?: Logger);
     listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
-    deleteCredential(credentialId: Buffer | string): Promise<boolean>;
+    deleteCredential(credentialId: Buffer | string, userId?: AuthIdentifier): Promise<boolean>;
     createChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
     verifyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
     private createRegistrationChallenge;

package/dist/esm/{passkey → server/src/passkey}/service.js

@@ -125,7 +125,19 @@ export class PasskeyService {
     async listUserCredentials(userId) {
         return this.adapter.listUserCredentials(userId);
     }
-    async deleteCredential(credentialId) {
+    async deleteCredential(credentialId, userId) {
+        if (userId !== undefined) {
+            const credentials = await this.adapter.listUserCredentials(userId);
+            const target = Buffer.isBuffer(credentialId) ? credentialId : Buffer.from(String(credentialId), 'base64');
+            const owns = credentials.some((c) => {
+                const stored = Buffer.isBuffer(c.credentialId)
+                    ? c.credentialId
+                    : Buffer.from(String(c.credentialId), 'base64');
+                return stored.equals(target);
+            });
+            if (!owns)
+                return false;
+        }
         return this.adapter.deleteCredential(credentialId);
     }
     async createChallenge(params) {
@@ -251,7 +263,9 @@ export class PasskeyService {
         const attestationResponse = params.response.response;
         const credentialIdPrimary = toBufferOrNull(registrationInfo.credentialID);
         const credentialIdFallback = toBufferOrNull(params.response.id);
-        const credentialId = credentialIdPrimary && credentialIdPrimary.length > 0 ? credentialIdPrimary : credentialIdFallback;
+        const credentialId = credentialIdPrimary && credentialIdPrimary.length > 0
+            ? credentialIdPrimary
+            : (credentialIdFallback ?? Buffer.alloc(0));
         const publicKeyPrimary = toBufferOrNull(registrationInfo.credentialPublicKey);
         let publicKeyFallback = toBufferOrNull(attestationResponse?.publicKey);
         if ((!publicKeyPrimary || publicKeyPrimary.length === 0) && attestationResponse?.attestationObject) {
@@ -294,7 +308,7 @@ export class PasskeyService {
             publicKey: storedPublicKey,
             counter: registrationInfo.counter ?? 0,
             transports: sanitizeTransports(params.response.transports),
-            backedUp: registrationInfo.credentialDeviceType === 'multiDevice',
+            backedUp: registrationInfo.credentialBackedUp ?? registrationInfo.credentialDeviceType === 'multiDevice',
             deviceType: registrationInfo.credentialDeviceType,
             label: toOptionalString(params.label),
             createdDomain: toOptionalString(params.domain),

package/dist/esm/{sequelize-utils.js → server/src/sequelize-utils.js}

@@ -39,10 +39,9 @@ export function decodeStringArray(raw) {
         }
     }
     catch {
-        // ignore malformed values
+        // Malformed JSON — return empty rather than guessing via whitespace split.
+        // A whitespace-split fallback could silently grant unintended permissions
+        // if a scope/role column contains a corrupted value like "admin user".
     }
-    return raw
-        .split(/\s+/)
-        .map((entry) => entry.trim())
-        .filter((entry) => entry.length > 0);
+    return [];
 }

package/dist/{cjs → esm/server/src}/token/base.d.ts

@@ -17,20 +17,27 @@ export interface JwtDecodeResult<T> {
     data?: T;
     error?: string;
 }
+/** Base contract for token/session persistence backends plus shared JWT helpers. */
 export declare abstract class TokenStore {
+    /** Create/persist a token record. */
     abstract save(record: Token): Promise<void>;
+    /** Read a token record by partial query. */
     abstract get(query: Partial<Token>, opts?: {
         includeExpired?: boolean;
     }): Promise<Token | null>;
+    /** Delete token records matching a partial query. */
     abstract delete(query: Partial<Token>): Promise<number>;
+    /** Update a token identified by refresh token. */
     abstract update(update: Partial<Token> & {
         refreshToken: string;
     }): Promise<boolean>;
+    /** List tokens for a specific user. */
     abstract list(userId: string | number, opts?: {
         limit?: number;
         offset?: number;
         includeExpired?: boolean;
     }): Promise<Token[]>;
+    /** Close underlying resources. */
     abstract close(): Promise<void>;
     normalizeToken(token: Partial<Token>): Token;
     jwtSign(payload: JwtSignPayload, secret: string, expiresInSeconds: number, options?: SignOptions): JwtSignResult;

package/dist/esm/{token → server/src/token}/base.js

@@ -36,6 +36,9 @@ function normalizeTokenInternal(input) {
     const userId = String(input.userId);
     const ruid = input.ruid === undefined || input.ruid === null ? undefined : String(input.ruid);
     const expires = input.expires ? new Date(input.expires) : new Date(Date.now() + 30 * 24 * 60 * 60 * 1000);
+    if (Number.isNaN(expires.getTime())) {
+        throw new Error(`Invalid token expiry value: ${String(input.expires)}`);
+    }
     const issuedAt = input.issuedAt ? new Date(input.issuedAt) : new Date();
     const lastSeenAt = input.lastSeenAt ? new Date(input.lastSeenAt) : issuedAt;
     const scope = normalizeScope(input.scope);
@@ -65,6 +68,7 @@ function normalizeTokenInternal(input) {
         sessionCookie
     };
 }
+/** Base contract for token/session persistence backends plus shared JWT helpers. */
 export class TokenStore {
     // Instance helpers
     normalizeToken(token) {

package/dist/esm/{token → server/src/token}/memory.js

@@ -15,16 +15,16 @@ function cloneToken(record) {
     };
 }
 function matchesQuery(record, query, includeExpired) {
-    if (query.refreshToken && record.refreshToken !== query.refreshToken) {
+    if (query.refreshToken !== undefined && record.refreshToken !== query.refreshToken) {
         return false;
     }
-    if (query.accessToken && record.accessToken !== query.accessToken) {
+    if (query.accessToken !== undefined && record.accessToken !== query.accessToken) {
         return false;
     }
     if (query.userId !== undefined && comparableUserId(record.userId) !== comparableUserId(query.userId)) {
         return false;
     }
-    if (query.clientId && record.clientId !== query.clientId) {
+    if (query.clientId !== undefined && record.clientId !== query.clientId) {
         return false;
     }
     if (query.domain !== undefined && (record.domain ?? '') !== (query.domain ?? '')) {
@@ -36,11 +36,14 @@ function matchesQuery(record, query, includeExpired) {
     if (query.loginType !== undefined && record.loginType !== (query.loginType ?? undefined)) {
         return false;
     }
-    if (query.label && record.label !== query.label) {
+    if (query.label !== undefined && record.label !== query.label) {
         return false;
     }
-    if (!includeExpired && (record.expires ?? new Date(0)).getTime() < Date.now()) {
-        return false;
+    if (!includeExpired) {
+        const expiresTime = record.expires ? record.expires.getTime() : Infinity;
+        if (expiresTime < Date.now()) {
+            return false;
+        }
     }
     return true;
 }
@@ -163,16 +166,14 @@ export class MemoryTokenStore extends TokenStore {
         const merged = { ...token };
         const maybeAssign = (key) => {
             const value = params[key];
-            if (value !== undefined) {
+            if (value !== undefined && value !== null) {
                 merged[key] = value;
             }
         };
-        if (params.accessToken !== undefined && params.accessToken !== null) {
-            merged.accessToken = params.accessToken;
-        }
-        if (params.expires !== undefined && params.expires !== null) {
-            merged.expires = params.expires;
-        }
+        maybeAssign('accessToken');
+        maybeAssign('expires');
+        maybeAssign('issuedAt');
+        maybeAssign('lastSeenAt');
         maybeAssign('scope');
         maybeAssign('label');
         maybeAssign('domain');
@@ -183,12 +184,6 @@ export class MemoryTokenStore extends TokenStore {
         maybeAssign('os');
         maybeAssign('refreshTtlSeconds');
         maybeAssign('loginType');
-        if (params.issuedAt !== undefined && params.issuedAt !== null) {
-            merged.issuedAt = params.issuedAt;
-        }
-        if (params.lastSeenAt !== undefined && params.lastSeenAt !== null) {
-            merged.lastSeenAt = params.lastSeenAt;
-        }
         maybeAssign('sessionCookie');
         const normalized = this.normalizeToken(merged);
         const previousUserId = token.userId;

package/dist/esm/{token → server/src/token}/sequelize.js

@@ -164,12 +164,20 @@ export class SequelizeTokenStore extends TokenStore {
             await this.Tokens.destroy({ where: removalWhere, transaction });
             // Access/refresh columns are unique. Remove stale collisions before insert to avoid
             // transient uniqueness failures during retries/rotation edge-cases.
-            await this.Tokens.destroy({
-                where: {
-                    [Op.or]: [{ access: normalized.accessToken ?? '' }, { refresh: normalized.refreshToken }]
-                },
-                transaction
-            });
+            // Only include non-empty token values to prevent matching unrelated rows.
+            const collisionConditions = [];
+            if (normalized.accessToken) {
+                collisionConditions.push({ access: normalized.accessToken });
+            }
+            if (normalized.refreshToken) {
+                collisionConditions.push({ refresh: normalized.refreshToken });
+            }
+            if (collisionConditions.length > 0) {
+                await this.Tokens.destroy({
+                    where: { [Op.or]: collisionConditions },
+                    transaction
+                });
+            }
             await this.Tokens.create({
                 user_id: resolvedUserId,
                 real_user_id: resolvedRealUserId,
@@ -310,8 +318,14 @@ export class SequelizeTokenStore extends TokenStore {
         if (Object.keys(updates).length === 0) {
             return false;
         }
-        const [updated] = await this.Tokens.update(updates, { where });
-        return updated > 0;
+        const sequelize = this.Tokens.sequelize;
+        if (!sequelize) {
+            throw new Error('Token model is not bound to a Sequelize instance');
+        }
+        return sequelize.transaction(async (transaction) => {
+            const [updated] = await this.Tokens.update(updates, { where, transaction });
+            return updated > 0;
+        });
     }
     async list(userId, opts = {}) {
         const where = { user_id: this.normalizeUserId(userId) };

package/dist/esm/server/src/upload/memory.d.ts

@@ -0,0 +1,17 @@
+import type { TusAppendInput, TusCreateUploadInput, TusUploadRecord, TusUploadStore } from './types.js';
+export declare class TusUploadOffsetError extends Error {
+    readonly currentOffset: number;
+    constructor(currentOffset: number);
+}
+export declare class TusUploadExceedsLengthError extends Error {
+    constructor();
+}
+export declare class MemoryTusUploadStore implements TusUploadStore {
+    private readonly uploads;
+    private readonly chunks;
+    createUpload(input: TusCreateUploadInput): Promise<TusUploadRecord>;
+    getUpload(uploadId: string): Promise<TusUploadRecord | null>;
+    appendUpload(input: TusAppendInput): Promise<TusUploadRecord>;
+    deleteUpload(uploadId: string): Promise<boolean>;
+    readUpload(uploadId: string): Buffer | null;
+}

package/dist/esm/server/src/upload/memory.js

@@ -0,0 +1,86 @@
+import { randomUUID } from 'node:crypto';
+function cloneRecord(record) {
+    return {
+        ...record,
+        metadata: { ...record.metadata },
+        createdAt: new Date(record.createdAt),
+        updatedAt: new Date(record.updatedAt),
+        ...(record.completedAt ? { completedAt: new Date(record.completedAt) } : {})
+    };
+}
+export class TusUploadOffsetError extends Error {
+    constructor(currentOffset) {
+        super('Upload offset does not match current offset');
+        this.currentOffset = currentOffset;
+    }
+}
+export class TusUploadExceedsLengthError extends Error {
+    constructor() {
+        super('Upload exceeds declared length');
+    }
+}
+export class MemoryTusUploadStore {
+    constructor() {
+        this.uploads = new Map();
+        this.chunks = new Map();
+    }
+    async createUpload(input) {
+        const id = input.id?.trim() || randomUUID();
+        if (this.uploads.has(id)) {
+            throw new Error(`Upload ${id} already exists`);
+        }
+        const now = new Date();
+        const record = {
+            id,
+            length: Math.max(0, Math.floor(input.length)),
+            offset: 0,
+            metadata: { ...input.metadata },
+            ...(input.userId ? { userId: input.userId } : {}),
+            createdAt: now,
+            updatedAt: now
+        };
+        this.uploads.set(id, record);
+        this.chunks.set(id, []);
+        return cloneRecord(record);
+    }
+    async getUpload(uploadId) {
+        const found = this.uploads.get(uploadId);
+        return found ? cloneRecord(found) : null;
+    }
+    async appendUpload(input) {
+        const current = this.uploads.get(input.uploadId);
+        if (!current) {
+            throw new Error('Upload not found');
+        }
+        if (input.offset !== current.offset) {
+            throw new TusUploadOffsetError(current.offset);
+        }
+        const nextOffset = current.offset + input.chunk.length;
+        if (nextOffset > current.length) {
+            throw new TusUploadExceedsLengthError();
+        }
+        const now = new Date();
+        const updated = {
+            ...current,
+            offset: nextOffset,
+            updatedAt: now,
+            ...(nextOffset === current.length ? { completedAt: now } : {})
+        };
+        this.uploads.set(input.uploadId, updated);
+        if (input.chunk.length > 0) {
+            this.chunks.get(input.uploadId)?.push(Buffer.from(input.chunk));
+        }
+        return cloneRecord(updated);
+    }
+    async deleteUpload(uploadId) {
+        this.chunks.delete(uploadId);
+        return this.uploads.delete(uploadId);
+    }
+    readUpload(uploadId) {
+        const chunks = this.chunks.get(uploadId);
+        if (!chunks) {
+            return null;
+        }
+        return Buffer.concat(chunks);
+    }
+}

package/dist/esm/server/src/upload/tus-module.d.ts

@@ -0,0 +1,38 @@
+import { ApiModule, type ApiAuthClass, type ApiAuthType, type ApiServer } from '../api-server-base.js';
+import type { TusUploadRecord, TusUploadStore } from './types.js';
+export interface TusUploadModuleOptions {
+    basePath?: string;
+    store?: TusUploadStore;
+    chunkMaxBytes?: number;
+    /** Maximum allowed value for Upload-Length. Defaults to 10 GiB. */
+    uploadMaxBytes?: number;
+    /**
+     * Authentication requirement for all TUS routes.
+     * When omitted, routes are public (no authentication enforced).
+     * Use `{ type: 'yes', req: 'any' }` to require a valid session.
+     */
+    auth?: {
+        type: ApiAuthType;
+        req?: ApiAuthClass;
+    };
+    onUploadComplete?: (upload: TusUploadRecord) => Promise<void> | void;
+}
+export declare class TusUploadModule extends ApiModule<ApiServer> {
+    private readonly basePath;
+    private readonly chunkMaxBytes;
+    private readonly uploadMaxBytes;
+    private readonly store;
+    private readonly auth?;
+    private readonly onUploadComplete?;
+    constructor(options?: TusUploadModuleOptions);
+    onMount(): void;
+    /**
+     * Authenticate the request if an auth config was provided.
+     * Returns false and sends a 401/403 response if auth fails, so the caller
+     * can bail out early with `if (!await this.checkAuth(request, reply)) return`.
+     */
+    private checkAuth;
+    private authFailed;
+    private verifyOwnership;
+    private installTusRoutes;
+}

package/dist/esm/server/src/upload/tus-module.js

@@ -0,0 +1,266 @@
+import { ApiError, ApiModule } from '../api-server-base.js';
+import { MemoryTusUploadStore, TusUploadExceedsLengthError, TusUploadOffsetError } from './memory.js';
+const TUS_VERSION = '1.0.0';
+function parseNonNegativeInt(raw, headerName) {
+    const value = Array.isArray(raw) ? raw[0] : raw;
+    const parsed = Number.parseInt(String(value ?? ''), 10);
+    if (!Number.isFinite(parsed) || parsed < 0) {
+        throw new ApiError({ code: 400, message: `Missing or invalid ${headerName} header` });
+    }
+    return parsed;
+}
+function parseUploadLength(raw) {
+    return parseNonNegativeInt(raw, 'Upload-Length');
+}
+function parseOffset(raw) {
+    return parseNonNegativeInt(raw, 'Upload-Offset');
+}
+function decodeMetadata(raw) {
+    const source = Array.isArray(raw) ? raw[0] : raw;
+    const input = String(source ?? '').trim();
+    if (!input) {
+        return {};
+    }
+    const out = {};
+    for (const pair of input.split(',')) {
+        const trimmed = pair.trim();
+        if (!trimmed) {
+            continue;
+        }
+        const [key, encoded = ''] = trimmed.split(' ');
+        if (!key) {
+            continue;
+        }
+        try {
+            out[key] = Buffer.from(encoded, 'base64').toString('utf8');
+        }
+        catch {
+            out[key] = '';
+        }
+    }
+    return out;
+}
+async function readChunk(request, maxBytes) {
+    if (Buffer.isBuffer(request.body)) {
+        return request.body;
+    }
+    if (typeof request.body === 'string') {
+        return Buffer.from(request.body);
+    }
+    // Fastify only sets request.body when the Content-Type parser fires.
+    // Fall back to reading the raw stream, but enforce the same size cap to
+    // prevent bodyLimit from being bypassed by omitting the Content-Type header.
+    const parts = [];
+    let total = 0;
+    for await (const chunk of request.raw) {
+        const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(String(chunk));
+        total += buf.length;
+        if (total > maxBytes) {
+            throw new ApiError({ code: 413, message: 'Upload chunk exceeds maximum chunk size' });
+        }
+        parts.push(buf);
+    }
+    return Buffer.concat(parts);
+}
+function setTusHeaders(reply, supportsTermination = false) {
+    reply.header('Tus-Resumable', TUS_VERSION);
+    reply.header('Tus-Version', TUS_VERSION);
+    reply.header('Tus-Extension', supportsTermination ? 'creation,termination' : 'creation');
+}
+function toLocation(basePath, uploadId) {
+    const normalized = basePath.endsWith('/') ? basePath.slice(0, -1) : basePath;
+    return `${normalized}/${uploadId}`;
+}
+export class TusUploadModule extends ApiModule {
+    constructor(options = {}) {
+        super({ namespace: '' });
+        const rawPath = options.basePath?.trim() || '/api/v1/upload';
+        this.basePath = rawPath.startsWith('/') ? rawPath : `/${rawPath}`;
+        this.chunkMaxBytes = options.chunkMaxBytes ?? 64 * 1024 * 1024;
+        this.uploadMaxBytes = options.uploadMaxBytes ?? 10 * 1024 * 1024 * 1024; // 10 GiB
+        this.store = options.store ?? new MemoryTusUploadStore();
+        this.auth = options.auth;
+        this.onUploadComplete = options.onUploadComplete;
+    }
+    onMount() {
+        this.installTusRoutes();
+    }
+    /**
+     * Authenticate the request if an auth config was provided.
+     * Returns false and sends a 401/403 response if auth fails, so the caller
+     * can bail out early with `if (!await this.checkAuth(request, reply)) return`.
+     */
+    async checkAuth(request, reply) {
+        if (!this.auth) {
+            return null;
+        }
+        try {
+            const apiReq = await this.server.resolveRequest(request, reply, this.auth);
+            return apiReq.tokenData?.uid != null ? String(apiReq.tokenData.uid) : null;
+        }
+        catch (error) {
+            const code = error instanceof ApiError ? error.code : 401;
+            const message = error instanceof ApiError ? error.message : 'Unauthorized';
+            reply.code(code).send({ success: false, code, message, data: null, errors: {} });
+            return false;
+        }
+    }
+    authFailed(result) {
+        // When auth is configured and checkAuth catches an error, it returns
+        // `false as unknown as string` after sending a response.  We distinguish
+        // that from a legitimate `null` (no auth configured / no uid in token)
+        // by checking the exact `false` sentinel.
+        return result === false;
+    }
+    verifyOwnership(upload, authUserId, reply) {
+        if (upload.userId && authUserId && upload.userId !== authUserId) {
+            reply
+                .code(403)
+                .send({ success: false, code: 403, message: 'Upload belongs to another user', data: null, errors: {} });
+            return false;
+        }
+        return true;
+    }
+    installTusRoutes() {
+        const app = this.server.fastify;
+        const hasTermination = typeof this.store.deleteUpload === 'function';
+        try {
+            app.addContentTypeParser('application/offset+octet-stream', { parseAs: 'buffer' }, (_req, body, done) => {
+                done(null, body);
+            });
+        }
+        catch (error) {
+            // Parser may already be present when mounting multiple upload modules.
+            const message = error instanceof Error ? error.message : '';
+            if (!message.includes('already registered') && !message.includes('already exists')) {
+                throw error;
+            }
+        }
+        app.options(this.basePath, async (_request, reply) => {
+            setTusHeaders(reply, hasTermination);
+            reply.code(204).send();
+        });
+        app.post(this.basePath, async (request, reply) => {
+            const authUserId = await this.checkAuth(request, reply);
+            if (this.authFailed(authUserId))
+                return;
+            setTusHeaders(reply, hasTermination);
+            const length = parseUploadLength(request.headers['upload-length']);
+            if (length <= 0) {
+                reply.code(400).send({
+                    success: false,
+                    code: 400,
+                    message: 'Upload-Length must be greater than zero',
+                    data: null,
+                    errors: {}
+                });
+                return;
+            }
+            if (length > this.uploadMaxBytes) {
+                reply.code(413).send({
+                    success: false,
+                    code: 413,
+                    message: `Upload-Length exceeds the maximum allowed size of ${this.uploadMaxBytes} bytes`,
+                    data: null,
+                    errors: {}
+                });
+                return;
+            }
+            const metadata = decodeMetadata(request.headers['upload-metadata']);
+            const created = await this.store.createUpload({ length, metadata, userId: authUserId ?? undefined });
+            reply.header('Location', toLocation(this.basePath, created.id));
+            reply.header('Upload-Offset', String(created.offset));
+            reply.code(201).send();
+        });
+        app.head(`${this.basePath}/:uploadId`, async (request, reply) => {
+            const authUserId = await this.checkAuth(request, reply);
+            if (this.authFailed(authUserId))
+                return;
+            setTusHeaders(reply, hasTermination);
+            const uploadId = String(request.params.uploadId ?? '');
+            const upload = await this.store.getUpload(uploadId);
+            if (!upload) {
+                reply.code(404).send();
+                return;
+            }
+            if (!this.verifyOwnership(upload, authUserId, reply))
+                return;
+            reply.header('Upload-Offset', String(upload.offset));
+            reply.header('Upload-Length', String(upload.length));
+            reply.code(200).send();
+        });
+        app.patch(`${this.basePath}/:uploadId`, { bodyLimit: this.chunkMaxBytes }, async (request, reply) => {
+            const authUserId = await this.checkAuth(request, reply);
+            if (this.authFailed(authUserId))
+                return;
+            setTusHeaders(reply, hasTermination);
+            const uploadId = String(request.params.uploadId ?? '');
+            const upload = await this.store.getUpload(uploadId);
+            if (!upload) {
+                reply.code(404).send();
+                return;
+            }
+            if (!this.verifyOwnership(upload, authUserId, reply))
+                return;
+            const offset = parseOffset(request.headers['upload-offset']);
+            if (offset !== upload.offset) {
+                reply.header('Upload-Offset', String(upload.offset));
+                reply.code(409).send();
+                return;
+            }
+            const chunk = await readChunk(request, this.chunkMaxBytes);
+            try {
+                const updated = await this.store.appendUpload({ uploadId, offset, chunk });
+                reply.header('Upload-Offset', String(updated.offset));
+                if (updated.completedAt && this.onUploadComplete) {
+                    try {
+                        await this.onUploadComplete(updated);
+                    }
+                    catch (completionError) {
+                        console.error('[TusUploadModule] onUploadComplete callback failed', completionError);
+                    }
+                }
+                reply.code(204).send();
+            }
+            catch (error) {
+                if (error instanceof TusUploadOffsetError) {
+                    reply.header('Upload-Offset', String(error.currentOffset));
+                    reply.code(409).send();
+                    return;
+                }
+                if (error instanceof TusUploadExceedsLengthError) {
+                    reply.code(413).send({
+                        success: false,
+                        code: 413,
+                        message: 'Upload chunk exceeds declared upload length',
+                        data: null,
+                        errors: {}
+                    });
+                    return;
+                }
+                throw error;
+            }
+        });
+        app.delete(`${this.basePath}/:uploadId`, async (request, reply) => {
+            const authUserId = await this.checkAuth(request, reply);
+            if (this.authFailed(authUserId))
+                return;
+            setTusHeaders(reply, hasTermination);
+            const uploadId = String(request.params.uploadId ?? '');
+            if (!this.store.deleteUpload) {
+                reply.header('Allow', 'OPTIONS, POST, HEAD, PATCH');
+                reply.code(405).send();
+                return;
+            }
+            const upload = await this.store.getUpload(uploadId);
+            if (!upload) {
+                reply.code(404).send();
+                return;
+            }
+            if (!this.verifyOwnership(upload, authUserId, reply))
+                return;
+            const deleted = await this.store.deleteUpload(uploadId);
+            reply.code(deleted ? 204 : 404).send();
+        });
+    }
+}

package/dist/esm/server/src/upload/types.d.ts

@@ -0,0 +1,8 @@
+import type { TusAppendInput, TusCreateUploadInput, TusUploadRecord } from '#common';
+export type { TusAppendInput, TusCreateUploadInput, TusMetadata, TusUploadRecord } from '#common';
+export interface TusUploadStore {
+    createUpload(input: TusCreateUploadInput): Promise<TusUploadRecord>;
+    getUpload(uploadId: string): Promise<TusUploadRecord | null>;
+    appendUpload(input: TusAppendInput): Promise<TusUploadRecord>;
+    deleteUpload?(uploadId: string): Promise<boolean>;
+}