@technomoron/apicore-server 1.0.0-beta.1

package/dist/cjs/passkey/service.cjs

@@ -0,0 +1,413 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PasskeyService = void 0;
+const server_1 = require("@simplewebauthn/server");
+const helpers_1 = require("@simplewebauthn/server/helpers");
+const ALLOWED_TRANSPORTS = [
+    'ble',
+    'cable',
+    'hybrid',
+    'internal',
+    'nfc',
+    'smart-card',
+    'usb'
+];
+function sanitizeTransports(input) {
+    if (!Array.isArray(input)) {
+        return undefined;
+    }
+    const filtered = input
+        .map((value) => String(value))
+        .filter((value) => ALLOWED_TRANSPORTS.includes(value));
+    return filtered.length > 0 ? filtered : undefined;
+}
+function toOptionalString(value) {
+    if (typeof value !== 'string') {
+        return undefined;
+    }
+    const trimmed = value.trim();
+    return trimmed.length > 0 ? trimmed : undefined;
+}
+function toBase64Url(buffer) {
+    return helpers_1.isoBase64URL.fromBuffer(new Uint8Array(buffer));
+}
+function fromBase64Url(value) {
+    return Buffer.from(helpers_1.isoBase64URL.toBuffer(value));
+}
+function toBuffer(value) {
+    if (Buffer.isBuffer(value)) {
+        return value;
+    }
+    const view = value instanceof Uint8Array ? value : new Uint8Array(value);
+    return Buffer.from(view);
+}
+function toBufferOrNull(value) {
+    if (!value) {
+        return null;
+    }
+    if (Buffer.isBuffer(value)) {
+        return value;
+    }
+    if (value instanceof ArrayBuffer || value instanceof Uint8Array) {
+        return toBuffer(value);
+    }
+    if (typeof value === 'string') {
+        try {
+            return fromBase64Url(value);
+        }
+        catch {
+            return null;
+        }
+    }
+    return null;
+}
+async function spkiToCosePublicKey(spki) {
+    try {
+        const subtle = (globalThis.crypto?.subtle ??
+            (await Promise.resolve().then(() => __importStar(require('crypto')))).webcrypto?.subtle);
+        if (!subtle) {
+            return null;
+        }
+        const spkiView = new Uint8Array(spki);
+        const ecCurves = [
+            { namedCurve: 'P-256', crv: 1, alg: -7, rawLength: 65 },
+            { namedCurve: 'P-384', crv: 2, alg: -35, rawLength: 97 },
+            { namedCurve: 'P-521', crv: 3, alg: -36, rawLength: 133 }
+        ];
+        for (const curve of ecCurves) {
+            try {
+                const key = await subtle.importKey('spki', spkiView, { name: 'ECDSA', namedCurve: curve.namedCurve }, true, ['verify']);
+                const raw = Buffer.from(await subtle.exportKey('raw', key));
+                if (raw.length !== curve.rawLength || raw[0] !== 0x04) {
+                    continue;
+                }
+                const coordLength = (raw.length - 1) / 2;
+                const x = raw.slice(1, 1 + coordLength);
+                const y = raw.slice(1 + coordLength);
+                const coseMap = new Map([
+                    [1, 2], // kty: EC2
+                    [3, curve.alg],
+                    [-1, curve.crv],
+                    [-2, x],
+                    [-3, y]
+                ]);
+                return Buffer.from(helpers_1.isoCBOR.encode(coseMap));
+            }
+            catch {
+                // try next algorithm
+            }
+        }
+        try {
+            const edKey = await subtle.importKey('spki', spkiView, { name: 'Ed25519' }, true, ['verify']);
+            const raw = Buffer.from(await subtle.exportKey('raw', edKey));
+            if (raw.length !== 32) {
+                return null;
+            }
+            const coseMap = new Map([
+                [1, 1], // kty: OKP
+                [3, -8], // alg: EdDSA
+                [-1, 6], // crv: Ed25519
+                [-2, raw]
+            ]);
+            return Buffer.from(helpers_1.isoCBOR.encode(coseMap));
+        }
+        catch {
+            return null;
+        }
+    }
+    catch {
+        return null;
+    }
+}
+class PasskeyService {
+    constructor(config, adapter, logger = console) {
+        this.config = config;
+        this.adapter = adapter;
+        this.logger = logger;
+    }
+    async listUserCredentials(userId) {
+        return this.adapter.listUserCredentials(userId);
+    }
+    async deleteCredential(credentialId, userId) {
+        if (userId !== undefined) {
+            const credentials = await this.adapter.listUserCredentials(userId);
+            const target = Buffer.isBuffer(credentialId) ? credentialId : Buffer.from(String(credentialId), 'base64');
+            const owns = credentials.some((c) => {
+                const stored = Buffer.isBuffer(c.credentialId)
+                    ? c.credentialId
+                    : Buffer.from(String(c.credentialId), 'base64');
+                return stored.equals(target);
+            });
+            if (!owns)
+                return false;
+        }
+        return this.adapter.deleteCredential(credentialId);
+    }
+    async createChallenge(params) {
+        await this.adapter.cleanupChallenges?.(new Date());
+        if (params.action === 'register') {
+            return this.createRegistrationChallenge(params);
+        }
+        if (params.action === 'authenticate') {
+            return this.createAuthenticationChallenge(params);
+        }
+        throw new Error(`Unsupported passkey action: ${String(params.action)}`);
+    }
+    async verifyResponse(params) {
+        await this.adapter.cleanupChallenges?.(new Date());
+        const existing = this.adapter.getChallenge ? await this.adapter.getChallenge(params.expectedChallenge) : null;
+        if (existing && existing.expiresAt.getTime() <= Date.now()) {
+            return { verified: false };
+        }
+        const record = await this.adapter.consumeChallenge(params.expectedChallenge);
+        if (!record) {
+            return { verified: false };
+        }
+        if (record.expiresAt.getTime() <= Date.now()) {
+            return { verified: false };
+        }
+        try {
+            if (record.action === 'register') {
+                return this.verifyRegistration(params, record);
+            }
+            if (record.action === 'authenticate') {
+                return this.verifyAuthentication(params, record);
+            }
+        }
+        catch (error) {
+            this.logger.error?.('Passkey verification failed', error);
+        }
+        return { verified: false };
+    }
+    async createRegistrationChallenge(params) {
+        const user = await this.requireUser({ userId: params.userId, login: params.login });
+        const existing = await this.adapter.listUserCredentials(user.id);
+        const excludeCredentials = existing.map((credential) => {
+            const transports = credential.transports;
+            return transports && transports.length > 0
+                ? { id: toBase64Url(credential.credentialId), transports }
+                : { id: toBase64Url(credential.credentialId) };
+        });
+        const options = await (0, server_1.generateRegistrationOptions)({
+            rpName: this.config.rpName,
+            rpID: this.config.rpId,
+            userID: Buffer.from(String(user.id)),
+            userName: user.login,
+            userDisplayName: user.displayName,
+            excludeCredentials
+        });
+        const expiresAt = this.createExpiry();
+        await this.adapter.saveChallenge({
+            challenge: options.challenge,
+            action: 'register',
+            userId: user.id,
+            login: user.login,
+            expiresAt
+        });
+        return {
+            challenge: options.challenge,
+            expiresAt: expiresAt.toISOString(),
+            userId: user.id,
+            publicKey: options
+        };
+    }
+    async createAuthenticationChallenge(params) {
+        const user = await this.requireUser({ userId: params.userId, login: params.login });
+        const credentials = await this.adapter.listUserCredentials(user.id);
+        const allowCredentials = credentials.map((credential) => {
+            const transports = sanitizeTransports(credential.transports);
+            return transports && transports.length > 0
+                ? { type: 'public-key', id: toBase64Url(credential.credentialId), transports }
+                : { type: 'public-key', id: toBase64Url(credential.credentialId) };
+        });
+        const options = await (0, server_1.generateAuthenticationOptions)({
+            allowCredentials,
+            userVerification: this.config.userVerification,
+            rpID: this.config.rpId
+        });
+        const expiresAt = this.createExpiry();
+        await this.adapter.saveChallenge({
+            challenge: options.challenge,
+            action: 'authenticate',
+            userId: user.id,
+            login: user.login,
+            expiresAt
+        });
+        return {
+            challenge: options.challenge,
+            expiresAt: expiresAt.toISOString(),
+            userId: user.id,
+            publicKey: options
+        };
+    }
+    async verifyRegistration(params, record) {
+        const parsed = typeof params.response === 'object' && params.response ? { ...params.response } : {};
+        const response = {
+            ...parsed,
+            id: String(parsed.id ?? ''),
+            rawId: String(parsed.rawId ?? '')
+        };
+        const user = await this.requireUser({ userId: record.userId, login: record.login });
+        const result = await (0, server_1.verifyRegistrationResponse)({
+            response,
+            expectedChallenge: record.challenge,
+            expectedOrigin: this.config.origins,
+            expectedRPID: this.config.rpId,
+            requireUserVerification: this.requireUserVerification()
+        });
+        if (!result.verified || !result.registrationInfo) {
+            if (!result.verified) {
+                const err = result.error ?? result;
+                this.logger.error?.('Passkey registration verification failed', err);
+            }
+            return { verified: false };
+        }
+        const registrationInfo = result.registrationInfo;
+        const attestationResponse = params.response.response;
+        const credentialIdPrimary = toBufferOrNull(registrationInfo.credentialID);
+        const credentialIdFallback = toBufferOrNull(params.response.id);
+        const credentialId = credentialIdPrimary && credentialIdPrimary.length > 0
+            ? credentialIdPrimary
+            : (credentialIdFallback ?? Buffer.alloc(0));
+        const publicKeyPrimary = toBufferOrNull(registrationInfo.credentialPublicKey);
+        let publicKeyFallback = toBufferOrNull(attestationResponse?.publicKey);
+        if ((!publicKeyPrimary || publicKeyPrimary.length === 0) && attestationResponse?.attestationObject) {
+            try {
+                const attestationObject = String(attestationResponse.attestationObject);
+                const attObj = (0, helpers_1.decodeAttestationObject)(helpers_1.isoBase64URL.toBuffer(attestationObject));
+                const parsedAuth = (0, helpers_1.parseAuthenticatorData)(attObj.get('authData'));
+                publicKeyFallback = toBufferOrNull(parsedAuth.credentialPublicKey) ?? publicKeyFallback;
+            }
+            catch (error) {
+                this.logger.warn?.('Passkey registration: failed to parse attestationObject', error);
+            }
+        }
+        const publicKey = publicKeyPrimary && publicKeyPrimary.length > 0 ? publicKeyPrimary : publicKeyFallback;
+        if (this.config.debug && this.logger?.warn) {
+            const pkPrimaryHex = publicKeyPrimary ? publicKeyPrimary.slice(0, 4).toString('hex') : 'null';
+            const pkFallbackHex = publicKeyFallback ? publicKeyFallback.slice(0, 4).toString('hex') : 'null';
+            this.logger.warn(`Passkey registration: pkPrimary len=${publicKeyPrimary?.length ?? 0} head=${pkPrimaryHex}, pkFallback len=${publicKeyFallback?.length ?? 0} head=${pkFallbackHex}`);
+        }
+        if (!credentialId || credentialId.length === 0) {
+            return { verified: false, message: 'Missing credential id in registration response' };
+        }
+        if (!publicKey || publicKey.length === 0) {
+            return { verified: false, message: 'Missing public key in registration response' };
+        }
+        let storedPublicKey = Buffer.isBuffer(publicKey) ? publicKey : toBuffer(publicKey);
+        // If fallback is an SPKI key (DER, starts with 0x30) convert to COSE so verification succeeds.
+        if (storedPublicKey[0] === 0x30) {
+            const converted = await spkiToCosePublicKey(storedPublicKey);
+            if (converted) {
+                storedPublicKey = converted;
+            }
+            else {
+                this.logger.warn?.('Passkey registration: failed to convert SPKI public key to COSE');
+            }
+        }
+        await this.adapter.saveCredential({
+            userId: user.id,
+            credentialId,
+            publicKey: storedPublicKey,
+            counter: registrationInfo.counter ?? 0,
+            transports: sanitizeTransports(params.response.transports),
+            backedUp: registrationInfo.credentialBackedUp ?? registrationInfo.credentialDeviceType === 'multiDevice',
+            deviceType: registrationInfo.credentialDeviceType,
+            label: toOptionalString(params.label),
+            createdDomain: toOptionalString(params.domain),
+            createdUserAgent: toOptionalString(params.userAgent),
+            createdBrowser: toOptionalString(params.browser),
+            createdOs: toOptionalString(params.os),
+            createdDevice: toOptionalString(params.device),
+            createdIp: toOptionalString(params.ip)
+        });
+        return { verified: true, userId: user.id, login: user.login };
+    }
+    async verifyAuthentication(params, record) {
+        const parsed = typeof params.response === 'object' && params.response ? { ...params.response } : {};
+        const response = {
+            ...parsed,
+            id: String(parsed.id ?? ''),
+            rawId: String(parsed.rawId ?? '')
+        };
+        const credential = await this.adapter.findCredentialById(fromBase64Url(response.id));
+        if (!credential) {
+            return { verified: false };
+        }
+        const user = await this.requireUser({ userId: credential.userId, login: record.login });
+        const storedAuthData = {
+            id: toBase64Url(credential.credentialId),
+            publicKey: new Uint8Array(toBuffer(credential.publicKey)),
+            counter: credential.counter,
+            transports: credential.transports ?? undefined
+            // simplewebauthn accepts either Uint8Array or Buffer; ensure Buffer
+            // see https://github.com/MasterKale/SimpleWebAuthn/blob/master/packages/server/src/authentication/verifyAuthenticationResponse.ts
+        };
+        const result = await (0, server_1.verifyAuthenticationResponse)({
+            response,
+            expectedChallenge: record.challenge,
+            expectedOrigin: this.config.origins,
+            expectedRPID: this.config.rpId,
+            credential: storedAuthData,
+            requireUserVerification: this.requireUserVerification()
+        });
+        if (!result.verified) {
+            const err = result.error ?? result;
+            this.logger.error?.('Passkey authentication verification failed', err);
+            return { verified: false };
+        }
+        await this.adapter.updateCredentialCounter(credential.credentialId, result.authenticationInfo.newCounter);
+        return {
+            verified: true,
+            userId: user.id,
+            login: user.login
+        };
+    }
+    async requireUser(params) {
+        const user = await this.adapter.resolveUser(params);
+        if (!user) {
+            throw new Error('User not found');
+        }
+        return user;
+    }
+    createExpiry() {
+        return new Date(Date.now() + this.config.timeoutMs);
+    }
+    requireUserVerification() {
+        return this.config.userVerification !== 'discouraged';
+    }
+}
+exports.PasskeyService = PasskeyService;

package/dist/cjs/passkey/service.d.ts

@@ -0,0 +1,21 @@
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyStorageAdapter, PasskeyVerificationParams, PasskeyVerificationResult, PasskeyServiceConfig, StoredPasskeyCredential } from './types.js';
+import type { AuthIdentifier } from '../auth-api/types.js';
+export type { CredentialDeviceType, PasskeyChallenge, PasskeyChallengeParams, PasskeyChallengeRecord, PasskeyUserDescriptor, PasskeyVerificationParams, PasskeyVerificationResult, PasskeyServiceConfig, PasskeyStorageAdapter, StoredPasskeyCredential } from './types.js';
+type Logger = Pick<typeof console, 'error' | 'warn'>;
+export declare class PasskeyService {
+    private readonly config;
+    private readonly adapter;
+    private readonly logger;
+    constructor(config: PasskeyServiceConfig, adapter: PasskeyStorageAdapter, logger?: Logger);
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deleteCredential(credentialId: Buffer | string, userId?: AuthIdentifier): Promise<boolean>;
+    createChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
+    verifyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    private createRegistrationChallenge;
+    private createAuthenticationChallenge;
+    private verifyRegistration;
+    private verifyAuthentication;
+    private requireUser;
+    private createExpiry;
+    private requireUserVerification;
+}

package/dist/cjs/passkey/types.cjs

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cjs/passkey/types.d.ts

@@ -0,0 +1,84 @@
+import type { AuthIdentifier } from '../auth-api/types.js';
+import type { Token, TokenPair } from '../token/types.js';
+import type { AuthenticatorTransportFuture } from '@simplewebauthn/server';
+export type CredentialDeviceType = 'singleDevice' | 'multiDevice';
+export interface PasskeyServiceConfig {
+    rpId: string;
+    rpName: string;
+    origins: string[];
+    timeoutMs: number;
+    userVerification?: 'preferred' | 'required' | 'discouraged';
+    /**
+     * When enabled, PasskeyService emits additional diagnostic logs during registration/authentication.
+     * Defaults to false.
+     */
+    debug?: boolean;
+}
+export interface PasskeyChallengeRecord {
+    challenge: string;
+    action: 'register' | 'authenticate';
+    userId?: AuthIdentifier;
+    login?: string;
+    expiresAt: Date;
+}
+export interface PasskeyUserDescriptor {
+    id: AuthIdentifier;
+    login: string;
+    displayName: string;
+}
+export interface StoredPasskeyCredential {
+    userId: AuthIdentifier;
+    credentialId: Buffer;
+    publicKey: Buffer;
+    counter: number;
+    transports?: AuthenticatorTransportFuture[];
+    backedUp: boolean;
+    deviceType: CredentialDeviceType;
+    label?: string;
+    createdDomain?: string;
+    createdUserAgent?: string;
+    createdBrowser?: string;
+    createdOs?: string;
+    createdDevice?: string;
+    createdIp?: string;
+    createdAt?: Date;
+    updatedAt?: Date;
+}
+export interface PasskeyStorageAdapter {
+    resolveUser(params: {
+        userId?: AuthIdentifier;
+        login?: string;
+    }): Promise<PasskeyUserDescriptor | null>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deleteCredential(credentialId: Buffer | string): Promise<boolean>;
+    findCredentialById(credentialId: Buffer): Promise<StoredPasskeyCredential | null>;
+    saveCredential(record: StoredPasskeyCredential): Promise<void>;
+    updateCredentialCounter(credentialId: Buffer, counter: number): Promise<void>;
+    saveChallenge(record: PasskeyChallengeRecord): Promise<void>;
+    getChallenge?(challenge: string): Promise<PasskeyChallengeRecord | null>;
+    consumeChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
+    cleanupChallenges?(now: Date): Promise<void>;
+}
+export interface PasskeyChallengeParams {
+    action: 'register' | 'authenticate';
+    login?: string;
+    userId?: AuthIdentifier;
+}
+export interface PasskeyChallenge extends Record<string, unknown> {
+    challenge: string;
+    expiresAt?: string | number | Date;
+    userId?: AuthIdentifier;
+}
+export interface PasskeyVerificationParams extends Partial<Omit<Token, 'userId'>> {
+    expectedChallenge: string;
+    login?: string;
+    response: Record<string, unknown>;
+    userId?: AuthIdentifier;
+    userAgent?: string;
+}
+export interface PasskeyVerificationResult extends Record<string, unknown> {
+    login?: string;
+    tokens?: TokenPair;
+    userId?: AuthIdentifier;
+    verified: boolean;
+}

package/dist/cjs/sequelize-utils.cjs

@@ -0,0 +1,56 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DIALECTS_SUPPORTING_UNSIGNED = void 0;
+exports.integerIdType = integerIdType;
+exports.tableOptions = tableOptions;
+exports.normalizeTablePrefix = normalizeTablePrefix;
+exports.applyTablePrefix = applyTablePrefix;
+exports.encodeStringArray = encodeStringArray;
+exports.decodeStringArray = decodeStringArray;
+const sequelize_1 = require("sequelize");
+exports.DIALECTS_SUPPORTING_UNSIGNED = new Set(['mysql', 'mariadb']);
+function integerIdType(sequelize) {
+    return exports.DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect()) ? sequelize_1.DataTypes.INTEGER.UNSIGNED : sequelize_1.DataTypes.INTEGER;
+}
+function tableOptions(sequelize, tableName, tablePrefix, extra) {
+    const opts = { sequelize, tableName: applyTablePrefix(tablePrefix, tableName) };
+    if (extra) {
+        Object.assign(opts, extra);
+    }
+    if (exports.DIALECTS_SUPPORTING_UNSIGNED.has(sequelize.getDialect())) {
+        opts.charset = 'utf8mb4';
+        opts.collate = 'utf8mb4_unicode_ci';
+    }
+    return opts;
+}
+function normalizeTablePrefix(prefix) {
+    if (!prefix) {
+        return undefined;
+    }
+    const trimmed = prefix.trim();
+    return trimmed.length > 0 ? trimmed : undefined;
+}
+function applyTablePrefix(prefix, tableName) {
+    const normalized = normalizeTablePrefix(prefix);
+    return normalized ? `${normalized}${tableName}` : tableName;
+}
+function encodeStringArray(values) {
+    return JSON.stringify(values ?? []);
+}
+function decodeStringArray(raw) {
+    if (!raw) {
+        return [];
+    }
+    try {
+        const parsed = JSON.parse(raw);
+        if (Array.isArray(parsed)) {
+            return parsed.filter((entry) => typeof entry === 'string' && entry.length > 0);
+        }
+    }
+    catch {
+        // Malformed JSON — return empty rather than guessing via whitespace split.
+        // A whitespace-split fallback could silently grant unintended permissions
+        // if a scope/role column contains a corrupted value like "admin user".
+    }
+    return [];
+}

package/dist/cjs/sequelize-utils.d.ts

@@ -0,0 +1,8 @@
+import { DataTypes, type InitOptions, type Model, type Sequelize } from 'sequelize';
+export declare const DIALECTS_SUPPORTING_UNSIGNED: Set<string>;
+export declare function integerIdType(sequelize: Sequelize): DataTypes.IntegerDataTypeConstructor;
+export declare function tableOptions<ModelType extends Model>(sequelize: Sequelize, tableName: string, tablePrefix?: string, extra?: Partial<InitOptions<ModelType>>): InitOptions<ModelType>;
+export declare function normalizeTablePrefix(prefix?: string): string | undefined;
+export declare function applyTablePrefix(prefix: string | undefined, tableName: string): string;
+export declare function encodeStringArray(values: string[] | undefined): string;
+export declare function decodeStringArray(raw: string | null | undefined): string[];