@technomoron/apicore-server 1.0.0-beta.1

package/dist/esm/upload/tus-module.js

@@ -0,0 +1,266 @@
+import { ApiError, ApiModule } from '../apicore-server.js';
+import { MemoryTusUploadStore, TusUploadExceedsLengthError, TusUploadOffsetError } from './memory.js';
+const TUS_VERSION = '1.0.0';
+function parseNonNegativeInt(raw, headerName) {
+    const value = Array.isArray(raw) ? raw[0] : raw;
+    const parsed = Number.parseInt(String(value ?? ''), 10);
+    if (!Number.isFinite(parsed) || parsed < 0) {
+        throw new ApiError({ code: 400, message: `Missing or invalid ${headerName} header` });
+    }
+    return parsed;
+}
+function parseUploadLength(raw) {
+    return parseNonNegativeInt(raw, 'Upload-Length');
+}
+function parseOffset(raw) {
+    return parseNonNegativeInt(raw, 'Upload-Offset');
+}
+function decodeMetadata(raw) {
+    const source = Array.isArray(raw) ? raw[0] : raw;
+    const input = String(source ?? '').trim();
+    if (!input) {
+        return {};
+    }
+    const out = {};
+    for (const pair of input.split(',')) {
+        const trimmed = pair.trim();
+        if (!trimmed) {
+            continue;
+        }
+        const [key, encoded = ''] = trimmed.split(' ');
+        if (!key) {
+            continue;
+        }
+        try {
+            out[key] = Buffer.from(encoded, 'base64').toString('utf8');
+        }
+        catch {
+            out[key] = '';
+        }
+    }
+    return out;
+}
+async function readChunk(request, maxBytes) {
+    if (Buffer.isBuffer(request.body)) {
+        return request.body;
+    }
+    if (typeof request.body === 'string') {
+        return Buffer.from(request.body);
+    }
+    // Fastify only sets request.body when the Content-Type parser fires.
+    // Fall back to reading the raw stream, but enforce the same size cap to
+    // prevent bodyLimit from being bypassed by omitting the Content-Type header.
+    const parts = [];
+    let total = 0;
+    for await (const chunk of request.raw) {
+        const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(String(chunk));
+        total += buf.length;
+        if (total > maxBytes) {
+            throw new ApiError({ code: 413, message: 'Upload chunk exceeds maximum chunk size' });
+        }
+        parts.push(buf);
+    }
+    return Buffer.concat(parts);
+}
+function setTusHeaders(reply, supportsTermination = false) {
+    reply.header('Tus-Resumable', TUS_VERSION);
+    reply.header('Tus-Version', TUS_VERSION);
+    reply.header('Tus-Extension', supportsTermination ? 'creation,termination' : 'creation');
+}
+function toLocation(basePath, uploadId) {
+    const normalized = basePath.endsWith('/') ? basePath.slice(0, -1) : basePath;
+    return `${normalized}/${uploadId}`;
+}
+export class TusUploadModule extends ApiModule {
+    constructor(options = {}) {
+        super({ namespace: '' });
+        const rawPath = options.basePath?.trim() || '/api/v1/upload';
+        this.basePath = rawPath.startsWith('/') ? rawPath : `/${rawPath}`;
+        this.chunkMaxBytes = options.chunkMaxBytes ?? 64 * 1024 * 1024;
+        this.uploadMaxBytes = options.uploadMaxBytes ?? 10 * 1024 * 1024 * 1024; // 10 GiB
+        this.store = options.store ?? new MemoryTusUploadStore();
+        this.auth = options.auth;
+        this.onUploadComplete = options.onUploadComplete;
+    }
+    onMount() {
+        this.installTusRoutes();
+    }
+    /**
+     * Authenticate the request if an auth config was provided.
+     * Returns false and sends a 401/403 response if auth fails, so the caller
+     * can bail out early with `if (!await this.checkAuth(request, reply)) return`.
+     */
+    async checkAuth(request, reply) {
+        if (!this.auth) {
+            return null;
+        }
+        try {
+            const apiReq = await this.server.resolveRequest(request, reply, this.auth);
+            return apiReq.tokenData?.uid != null ? String(apiReq.tokenData.uid) : null;
+        }
+        catch (error) {
+            const code = error instanceof ApiError ? error.code : 401;
+            const message = error instanceof ApiError ? error.message : 'Unauthorized';
+            reply.code(code).send({ success: false, code, message, data: null, errors: {} });
+            return false;
+        }
+    }
+    authFailed(result) {
+        // When auth is configured and checkAuth catches an error, it returns
+        // `false as unknown as string` after sending a response.  We distinguish
+        // that from a legitimate `null` (no auth configured / no uid in token)
+        // by checking the exact `false` sentinel.
+        return result === false;
+    }
+    verifyOwnership(upload, authUserId, reply) {
+        if (upload.userId && authUserId && upload.userId !== authUserId) {
+            reply
+                .code(403)
+                .send({ success: false, code: 403, message: 'Upload belongs to another user', data: null, errors: {} });
+            return false;
+        }
+        return true;
+    }
+    installTusRoutes() {
+        const app = this.server.fastify;
+        const hasTermination = typeof this.store.deleteUpload === 'function';
+        try {
+            app.addContentTypeParser('application/offset+octet-stream', { parseAs: 'buffer' }, (_req, body, done) => {
+                done(null, body);
+            });
+        }
+        catch (error) {
+            // Parser may already be present when mounting multiple upload modules.
+            const message = error instanceof Error ? error.message : '';
+            if (!message.includes('already registered') && !message.includes('already exists')) {
+                throw error;
+            }
+        }
+        app.options(this.basePath, async (_request, reply) => {
+            setTusHeaders(reply, hasTermination);
+            reply.code(204).send();
+        });
+        app.post(this.basePath, async (request, reply) => {
+            const authUserId = await this.checkAuth(request, reply);
+            if (this.authFailed(authUserId))
+                return;
+            setTusHeaders(reply, hasTermination);
+            const length = parseUploadLength(request.headers['upload-length']);
+            if (length <= 0) {
+                reply.code(400).send({
+                    success: false,
+                    code: 400,
+                    message: 'Upload-Length must be greater than zero',
+                    data: null,
+                    errors: {}
+                });
+                return;
+            }
+            if (length > this.uploadMaxBytes) {
+                reply.code(413).send({
+                    success: false,
+                    code: 413,
+                    message: `Upload-Length exceeds the maximum allowed size of ${this.uploadMaxBytes} bytes`,
+                    data: null,
+                    errors: {}
+                });
+                return;
+            }
+            const metadata = decodeMetadata(request.headers['upload-metadata']);
+            const created = await this.store.createUpload({ length, metadata, userId: authUserId ?? undefined });
+            reply.header('Location', toLocation(this.basePath, created.id));
+            reply.header('Upload-Offset', String(created.offset));
+            reply.code(201).send();
+        });
+        app.head(`${this.basePath}/:uploadId`, async (request, reply) => {
+            const authUserId = await this.checkAuth(request, reply);
+            if (this.authFailed(authUserId))
+                return;
+            setTusHeaders(reply, hasTermination);
+            const uploadId = String(request.params.uploadId ?? '');
+            const upload = await this.store.getUpload(uploadId);
+            if (!upload) {
+                reply.code(404).send();
+                return;
+            }
+            if (!this.verifyOwnership(upload, authUserId, reply))
+                return;
+            reply.header('Upload-Offset', String(upload.offset));
+            reply.header('Upload-Length', String(upload.length));
+            reply.code(200).send();
+        });
+        app.patch(`${this.basePath}/:uploadId`, { bodyLimit: this.chunkMaxBytes }, async (request, reply) => {
+            const authUserId = await this.checkAuth(request, reply);
+            if (this.authFailed(authUserId))
+                return;
+            setTusHeaders(reply, hasTermination);
+            const uploadId = String(request.params.uploadId ?? '');
+            const upload = await this.store.getUpload(uploadId);
+            if (!upload) {
+                reply.code(404).send();
+                return;
+            }
+            if (!this.verifyOwnership(upload, authUserId, reply))
+                return;
+            const offset = parseOffset(request.headers['upload-offset']);
+            if (offset !== upload.offset) {
+                reply.header('Upload-Offset', String(upload.offset));
+                reply.code(409).send();
+                return;
+            }
+            const chunk = await readChunk(request, this.chunkMaxBytes);
+            try {
+                const updated = await this.store.appendUpload({ uploadId, offset, chunk });
+                reply.header('Upload-Offset', String(updated.offset));
+                if (updated.completedAt && this.onUploadComplete) {
+                    try {
+                        await this.onUploadComplete(updated);
+                    }
+                    catch (completionError) {
+                        console.error('[TusUploadModule] onUploadComplete callback failed', completionError);
+                    }
+                }
+                reply.code(204).send();
+            }
+            catch (error) {
+                if (error instanceof TusUploadOffsetError) {
+                    reply.header('Upload-Offset', String(error.currentOffset));
+                    reply.code(409).send();
+                    return;
+                }
+                if (error instanceof TusUploadExceedsLengthError) {
+                    reply.code(413).send({
+                        success: false,
+                        code: 413,
+                        message: 'Upload chunk exceeds declared upload length',
+                        data: null,
+                        errors: {}
+                    });
+                    return;
+                }
+                throw error;
+            }
+        });
+        app.delete(`${this.basePath}/:uploadId`, async (request, reply) => {
+            const authUserId = await this.checkAuth(request, reply);
+            if (this.authFailed(authUserId))
+                return;
+            setTusHeaders(reply, hasTermination);
+            const uploadId = String(request.params.uploadId ?? '');
+            if (!this.store.deleteUpload) {
+                reply.header('Allow', 'OPTIONS, POST, HEAD, PATCH');
+                reply.code(405).send();
+                return;
+            }
+            const upload = await this.store.getUpload(uploadId);
+            if (!upload) {
+                reply.code(404).send();
+                return;
+            }
+            if (!this.verifyOwnership(upload, authUserId, reply))
+                return;
+            const deleted = await this.store.deleteUpload(uploadId);
+            reply.code(deleted ? 204 : 404).send();
+        });
+    }
+}

package/dist/esm/upload/types.d.ts

@@ -0,0 +1,28 @@
+export type TusMetadata = Record<string, string>;
+export interface TusUploadRecord {
+    id: string;
+    length: number;
+    offset: number;
+    metadata: TusMetadata;
+    userId?: string;
+    createdAt: Date;
+    updatedAt: Date;
+    completedAt?: Date;
+}
+export interface TusCreateUploadInput {
+    id?: string;
+    length: number;
+    metadata: TusMetadata;
+    userId?: string;
+}
+export interface TusAppendInput {
+    uploadId: string;
+    offset: number;
+    chunk: Buffer;
+}
+export interface TusUploadStore {
+    createUpload(input: TusCreateUploadInput): Promise<TusUploadRecord>;
+    getUpload(uploadId: string): Promise<TusUploadRecord | null>;
+    appendUpload(input: TusAppendInput): Promise<TusUploadRecord>;
+    deleteUpload?(uploadId: string): Promise<boolean>;
+}

package/dist/esm/upload/types.js

@@ -0,0 +1 @@
+export {};

package/dist/esm/user/base.d.ts

@@ -0,0 +1,36 @@
+import type { CreateUserInput, PublicUserMapper, UpdateUserInput } from './types.js';
+import type { AuthIdentifier } from '../auth-api/types.js';
+/** Base contract for user persistence backends. */
+export declare abstract class UserStore<User, PublicUser> {
+    protected readonly toPublicUser: PublicUserMapper<User, PublicUser>;
+    private readonly bcryptRounds;
+    private readonly bcryptPepper?;
+    constructor(opts?: {
+        toPublic?: PublicUserMapper<User, PublicUser>;
+        bcryptRounds?: number;
+        bcryptPepper?: string;
+    });
+    private applyPepper;
+    protected hashPassword(plain: string): Promise<string>;
+    verifyPassword(plain: string, hashed: string): Promise<boolean>;
+    protected normalizeUserInput(input: Partial<CreateUserInput>): CreateUserInput;
+    /** Find a user by id/login/email identifier. */
+    abstract findUser(identifier: AuthIdentifier | string): Promise<User | null>;
+    /** Find a user by primary id only. */
+    abstract findById(id: AuthIdentifier): Promise<User | null>;
+    /** Find a user by login or email value. */
+    abstract findByLoginOrEmail(loginOrEmail: string): Promise<User | null>;
+    /** Create a new user record. */
+    abstract createUser(input: CreateUserInput): Promise<User>;
+    abstract upsertUser(input: CreateUserInput): Promise<User>;
+    /** Update selected user fields. */
+    abstract updateUser(id: AuthIdentifier, patch: UpdateUserInput): Promise<User>;
+    /** Persist a password hash for the given user id. */
+    abstract setPasswordHash(id: AuthIdentifier, hash: string): Promise<void>;
+    /** Extract the password hash from a user record. */
+    abstract getPasswordHash(user: User): string | null;
+    /** Extract the stable user identifier from a user record. */
+    abstract getUserId(user: User): AuthIdentifier;
+    toPublic(user: User): PublicUser;
+}
+export type { CreateUserInput, UpdateUserInput, PublicUserMapper } from './types.js';

package/dist/esm/user/base.js

@@ -0,0 +1,46 @@
+import { createHmac } from 'node:crypto';
+import bcrypt from 'bcryptjs';
+/** Base contract for user persistence backends. */
+export class UserStore {
+    constructor(opts = {}) {
+        this.toPublicUser = opts.toPublic ?? ((u) => u);
+        const rounds = typeof opts.bcryptRounds === 'number' && Number.isFinite(opts.bcryptRounds)
+            ? Math.max(4, Math.floor(opts.bcryptRounds))
+            : 12;
+        this.bcryptRounds = rounds;
+        this.bcryptPepper =
+            typeof opts.bcryptPepper === 'string' && opts.bcryptPepper.length > 0 ? opts.bcryptPepper : undefined;
+    }
+    applyPepper(plain) {
+        if (!this.bcryptPepper) {
+            return plain;
+        }
+        return createHmac('sha256', this.bcryptPepper).update(plain).digest('hex');
+    }
+    async hashPassword(plain) {
+        const candidate = this.applyPepper(plain);
+        return bcrypt.hash(candidate, this.bcryptRounds);
+    }
+    async verifyPassword(plain, hashed) {
+        const candidate = this.applyPepper(plain);
+        return bcrypt.compare(candidate, hashed);
+    }
+    normalizeUserInput(input) {
+        const login = typeof input.login === 'string' ? input.login.trim() : '';
+        const email = typeof input.email === 'string' ? input.email.trim() : '';
+        if (!login || !email) {
+            throw new Error('login and email are required');
+        }
+        const password = typeof input.password === 'string' ? input.password : undefined;
+        return { ...input, login, email, password };
+    }
+    toPublic(user) {
+        const mapped = this.toPublicUser(user);
+        if (mapped && typeof mapped === 'object') {
+            const rest = { ...mapped };
+            delete rest.password;
+            return rest;
+        }
+        return mapped;
+    }
+}

package/dist/esm/user/memory.d.ts

@@ -0,0 +1,37 @@
+import { UserStore } from './base.js';
+import type { CreateUserInput, PublicUserMapper, UpdateUserInput } from './types.js';
+import type { AuthIdentifier } from '../auth-api/types.js';
+export interface MemoryUserAttributes extends Record<string, unknown> {
+    user_id: number;
+    login: string;
+    email: string;
+    password: string;
+}
+export type MemoryPublicUser<UserAttributes extends MemoryUserAttributes = MemoryUserAttributes> = Omit<UserAttributes, 'password'>;
+export interface MemoryUserStoreOptions<UserAttributes extends MemoryUserAttributes = MemoryUserAttributes, PublicUserShape extends Omit<UserAttributes, 'password'> = Omit<UserAttributes, 'password'>> {
+    bcryptRounds?: number;
+    bcryptPepper?: string;
+    toPublic?: PublicUserMapper<UserAttributes, PublicUserShape>;
+    userIdFactory?: () => number;
+    startingUserId?: number;
+    maxUsers?: number;
+}
+export declare class MemoryUserStore<UserAttributes extends MemoryUserAttributes = MemoryUserAttributes, PublicUserShape extends Omit<UserAttributes, 'password'> = Omit<UserAttributes, 'password'>> extends UserStore<UserAttributes, PublicUserShape> {
+    private readonly usersById;
+    private readonly loginToId;
+    private readonly emailToId;
+    private readonly userIdFactory;
+    private readonly maxUsers?;
+    private nextUserId;
+    constructor(options?: MemoryUserStoreOptions<UserAttributes, PublicUserShape>);
+    findUser(identifier: AuthIdentifier | string): Promise<UserAttributes | null>;
+    findById(id: AuthIdentifier): Promise<UserAttributes | null>;
+    findByLoginOrEmail(loginOrEmail: string): Promise<UserAttributes | null>;
+    createUser(input: CreateUserInput): Promise<UserAttributes>;
+    upsertUser(input: CreateUserInput): Promise<UserAttributes>;
+    updateUser(id: AuthIdentifier, patch: UpdateUserInput): Promise<UserAttributes>;
+    setPasswordHash(id: AuthIdentifier, hash: string): Promise<void>;
+    getPasswordHash(user: UserAttributes): string | null;
+    getUserId(user: UserAttributes): AuthIdentifier;
+    private persistUser;
+}

package/dist/esm/user/memory.js

@@ -0,0 +1,190 @@
+import { normalizeNumericUserId } from '../auth-api/user-id.js';
+import { UserStore } from './base.js';
+function cloneUser(user) {
+    return { ...user };
+}
+export class MemoryUserStore extends UserStore {
+    constructor(options = {}) {
+        super({
+            toPublic: options.toPublic,
+            bcryptRounds: options.bcryptRounds,
+            bcryptPepper: options.bcryptPepper
+        });
+        this.usersById = new Map();
+        this.loginToId = new Map();
+        this.emailToId = new Map();
+        this.nextUserId = Number.isFinite(options.startingUserId) ? Number(options.startingUserId) : 1;
+        this.maxUsers =
+            typeof options.maxUsers === 'number' && Number.isFinite(options.maxUsers) && options.maxUsers > 0
+                ? Math.floor(options.maxUsers)
+                : undefined;
+        this.userIdFactory =
+            options.userIdFactory ??
+                (() => {
+                    const id = this.nextUserId;
+                    this.nextUserId += 1;
+                    return id;
+                });
+    }
+    async findUser(identifier) {
+        if (typeof identifier === 'number') {
+            const user = this.usersById.get(identifier);
+            return user ? cloneUser(user) : null;
+        }
+        if (typeof identifier === 'string') {
+            const numeric = /^\d+$/.test(identifier) ? Number(identifier) : null;
+            if (numeric !== null) {
+                const user = this.usersById.get(numeric);
+                if (user) {
+                    return cloneUser(user);
+                }
+            }
+            const loginId = this.loginToId.get(identifier);
+            if (loginId !== undefined) {
+                const loginUser = this.usersById.get(loginId);
+                if (loginUser)
+                    return cloneUser(loginUser);
+            }
+            const emailId = this.emailToId.get(identifier);
+            if (emailId !== undefined) {
+                const emailUser = this.usersById.get(emailId);
+                if (emailUser)
+                    return cloneUser(emailUser);
+            }
+        }
+        return null;
+    }
+    async findById(id) {
+        try {
+            const numeric = normalizeNumericUserId(id);
+            const user = this.usersById.get(numeric);
+            return user ? cloneUser(user) : null;
+        }
+        catch {
+            return null;
+        }
+    }
+    async findByLoginOrEmail(loginOrEmail) {
+        const loginId = this.loginToId.get(loginOrEmail);
+        if (loginId !== undefined) {
+            const loginUser = this.usersById.get(loginId);
+            if (loginUser)
+                return cloneUser(loginUser);
+        }
+        const emailId = this.emailToId.get(loginOrEmail);
+        if (emailId !== undefined) {
+            const emailUser = this.usersById.get(emailId);
+            if (emailUser)
+                return cloneUser(emailUser);
+        }
+        return null;
+    }
+    async createUser(input) {
+        const normalizedInput = this.normalizeUserInput(input);
+        const providedId = input.user_id;
+        const userId = typeof providedId === 'number' && Number.isFinite(providedId) ? providedId : this.userIdFactory();
+        if (this.usersById.has(userId)) {
+            throw new Error(`User ${userId} already exists`);
+        }
+        if (this.maxUsers !== undefined && this.usersById.size >= this.maxUsers) {
+            throw new Error('MemoryUserStore maxUsers limit reached');
+        }
+        if (this.loginToId.has(normalizedInput.login)) {
+            throw new Error(`User with login ${normalizedInput.login} already exists`);
+        }
+        if (this.emailToId.has(normalizedInput.email)) {
+            throw new Error(`User with email ${normalizedInput.email} already exists`);
+        }
+        const passwordHash = normalizedInput.password ? await this.hashPassword(normalizedInput.password) : '';
+        const record = {
+            ...normalizedInput,
+            user_id: userId,
+            password: passwordHash
+        };
+        this.persistUser(record);
+        if (typeof providedId === 'number' && Number.isFinite(providedId)) {
+            this.nextUserId = Math.max(this.nextUserId, providedId + 1);
+        }
+        return cloneUser(record);
+    }
+    async upsertUser(input) {
+        const normalizedInput = this.normalizeUserInput(input);
+        const providedId = input.user_id;
+        if (providedId !== undefined) {
+            const existing = this.usersById.get(providedId);
+            if (!existing) {
+                throw new Error(`User ${providedId} not found`);
+            }
+            const updates = {
+                ...existing,
+                ...normalizedInput
+            };
+            if (updates.login !== existing.login) {
+                const loginOwner = this.loginToId.get(updates.login);
+                if (loginOwner !== undefined && loginOwner !== existing.user_id) {
+                    throw new Error(`User with login ${updates.login} already exists`);
+                }
+            }
+            if (updates.email !== existing.email) {
+                const emailOwner = this.emailToId.get(updates.email);
+                if (emailOwner !== undefined && emailOwner !== existing.user_id) {
+                    throw new Error(`User with email ${updates.email} already exists`);
+                }
+            }
+            if (normalizedInput.password && normalizedInput.password.length > 0) {
+                updates.password = await this.hashPassword(normalizedInput.password);
+            }
+            else {
+                updates.password = existing.password;
+            }
+            this.persistUser(updates);
+            return cloneUser(updates);
+        }
+        return this.createUser(input);
+    }
+    async updateUser(id, patch) {
+        const user = await this.findById(id);
+        if (!user) {
+            throw new Error(`User ${String(id)} not found`);
+        }
+        const updates = { ...user, ...patch };
+        if (patch.password && patch.password.length > 0) {
+            updates.password = await this.hashPassword(patch.password);
+        }
+        else {
+            updates.password = user.password;
+        }
+        this.persistUser(updates);
+        return cloneUser(updates);
+    }
+    async setPasswordHash(id, hash) {
+        const user = await this.findById(id);
+        if (!user) {
+            throw new Error(`User ${String(id)} not found`);
+        }
+        const updates = { ...user, password: hash };
+        this.persistUser(updates);
+    }
+    getPasswordHash(user) {
+        return user.password;
+    }
+    getUserId(user) {
+        return user.user_id;
+    }
+    persistUser(user) {
+        const snapshot = { ...user };
+        this.usersById.set(user.user_id, snapshot);
+        for (const [login, id] of [...this.loginToId.entries()]) {
+            if (id === user.user_id && login !== user.login) {
+                this.loginToId.delete(login);
+            }
+        }
+        for (const [email, id] of [...this.emailToId.entries()]) {
+            if (id === user.user_id && email !== user.email) {
+                this.emailToId.delete(email);
+            }
+        }
+        this.loginToId.set(user.login, user.user_id);
+        this.emailToId.set(user.email, user.user_id);
+    }
+}

package/dist/esm/user/sequelize.d.ts

@@ -0,0 +1,46 @@
+import { CreationOptional, Model, type InferAttributes, type InferCreationAttributes, type ModelStatic, type Sequelize } from 'sequelize';
+import { UserStore } from './base.js';
+import type { CreateUserInput, PublicUserMapper, UpdateUserInput } from './types.js';
+import type { AuthIdentifier } from '../auth-api/types.js';
+export declare class AuthUserModel extends Model<InferAttributes<AuthUserModel>, InferCreationAttributes<AuthUserModel>> implements InferAttributes<AuthUserModel> {
+    user_id: CreationOptional<number>;
+    login: string;
+    email: string;
+    password: string;
+}
+export type AuthUserAttributes = InferAttributes<AuthUserModel>;
+export type AuthUserCreationAttributes = InferCreationAttributes<AuthUserModel>;
+export declare function initAuthUserModel(sequelize: Sequelize, options?: {
+    tablePrefix?: string;
+}): typeof AuthUserModel;
+export type GenericUserModel = Model<Record<string, unknown>, Record<string, unknown>>;
+export type GenericUserModelStatic = ModelStatic<GenericUserModel>;
+export interface SequelizeUserStoreOptions<UserAttributes extends AuthUserAttributes = AuthUserAttributes, PublicUserShape extends Omit<UserAttributes, 'password'> = Omit<UserAttributes, 'password'>> {
+    bcryptRounds?: number;
+    bcryptPepper?: string;
+    sequelize: Sequelize;
+    tablePrefix?: string;
+    userModel?: GenericUserModelStatic;
+    userModelFactory?: (sequelize: Sequelize, options?: {
+        tablePrefix?: string;
+    }) => GenericUserModelStatic;
+    recordMapper?: (model: GenericUserModel) => UserAttributes;
+    toPublic?: PublicUserMapper<UserAttributes, PublicUserShape>;
+}
+export declare class SequelizeUserStore<UserAttributes extends AuthUserAttributes = AuthUserAttributes, PublicUserShape extends Omit<UserAttributes, 'password'> = Omit<UserAttributes, 'password'>> extends UserStore<UserAttributes, PublicUserShape> {
+    readonly Users: GenericUserModelStatic;
+    private readonly recordMapper;
+    constructor(options: SequelizeUserStoreOptions<UserAttributes, PublicUserShape>);
+    findUser(identifier: AuthIdentifier | string): Promise<UserAttributes | null>;
+    findById(id: AuthIdentifier): Promise<UserAttributes | null>;
+    findByLoginOrEmail(loginOrEmail: string): Promise<UserAttributes | null>;
+    createUser(input: CreateUserInput): Promise<UserAttributes>;
+    upsertUser(input: CreateUserInput): Promise<UserAttributes>;
+    updateUser(id: AuthIdentifier, patch: UpdateUserInput): Promise<UserAttributes>;
+    setPasswordHash(id: AuthIdentifier, hash: string): Promise<void>;
+    getPasswordHash(user: UserAttributes): string | null;
+    getUserId(user: UserAttributes): AuthIdentifier;
+    protected toUserRecord(model: GenericUserModel): UserAttributes;
+    private static mapModelToUser;
+    private normalizeUserId;
+}