@technomoron/apicore-server 1.0.0-beta.1

package/dist/cjs/auth-api/schemas.cjs

@@ -0,0 +1,171 @@
+"use strict";
+/**
+ * JSON Schema definitions for auth module routes.
+ * These are the runtime validation source-of-truth; TypeScript interfaces
+ * in auth-module.ts remain for handler-internal typing only.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oauthTokenBodySchema = exports.oauthAuthorizeBodySchema = exports.oauthStartBodySchema = exports.oauthProviderParamsSchema = exports.deleteImpersonationQuerySchema = exports.impersonateBodySchema = exports.passkeyCredentialParamsSchema = exports.passkeyVerifyBodySchema = exports.passkeyChallengeBodySchema = exports.whoamiBodySchema = exports.logoutBodySchema = exports.refreshBodySchema = exports.loginBodySchema = void 0;
+/* ------------------------------------------------------------------ */
+/*  Shared fragments                                                   */
+/* ------------------------------------------------------------------ */
+const tokenMetadataProperties = {
+    domain: { type: 'string' },
+    fingerprint: { type: 'string' },
+    label: { type: 'string' },
+    browser: { type: 'string' },
+    device: { type: 'string' },
+    ip: { type: 'string' },
+    os: { type: 'string' }
+};
+const keepSessionProperty = {
+    keepSession: { type: ['boolean', 'number', 'string'] }
+};
+function authIdentifierProperty(name) {
+    return { [name]: { type: ['string', 'number'] } };
+}
+/* ------------------------------------------------------------------ */
+/*  Auth route schemas                                                 */
+/* ------------------------------------------------------------------ */
+exports.loginBodySchema = {
+    type: 'object',
+    required: ['login', 'password'],
+    properties: {
+        login: { type: 'string', minLength: 1 },
+        password: { type: 'string', minLength: 1 },
+        ...tokenMetadataProperties,
+        ...keepSessionProperty
+    },
+    additionalProperties: true
+};
+exports.refreshBodySchema = {
+    type: 'object',
+    properties: {
+        refreshToken: { type: 'string' },
+        domain: { type: 'string' },
+        fingerprint: { type: 'string' },
+        label: { type: 'string' },
+        ...keepSessionProperty
+    },
+    additionalProperties: false
+};
+exports.logoutBodySchema = {
+    type: 'object',
+    properties: {
+        token: { type: 'string' },
+        refreshToken: { type: 'string' }
+    },
+    additionalProperties: false
+};
+exports.whoamiBodySchema = {
+    type: 'object',
+    properties: {
+        refreshToken: { type: 'string' },
+        refresh: { type: 'boolean' }
+    },
+    additionalProperties: false
+};
+/* ------------------------------------------------------------------ */
+/*  Passkey schemas                                                    */
+/* ------------------------------------------------------------------ */
+exports.passkeyChallengeBodySchema = {
+    type: 'object',
+    required: ['action'],
+    properties: {
+        action: { type: 'string', enum: ['register', 'authenticate'] },
+        login: { type: 'string' },
+        ...authIdentifierProperty('userId')
+    },
+    additionalProperties: false
+};
+exports.passkeyVerifyBodySchema = {
+    type: 'object',
+    required: ['expectedChallenge', 'response'],
+    properties: {
+        expectedChallenge: { type: 'string' },
+        response: { type: 'object' },
+        login: { type: 'string' },
+        ...authIdentifierProperty('userId'),
+        userAgent: { type: 'string' },
+        ...tokenMetadataProperties,
+        ...keepSessionProperty
+    },
+    additionalProperties: true
+};
+exports.passkeyCredentialParamsSchema = {
+    type: 'object',
+    required: ['credentialId'],
+    properties: {
+        credentialId: { type: 'string', minLength: 1 }
+    }
+};
+/* ------------------------------------------------------------------ */
+/*  Impersonation schemas                                              */
+/* ------------------------------------------------------------------ */
+exports.impersonateBodySchema = {
+    type: 'object',
+    properties: {
+        ...authIdentifierProperty('userId'),
+        login: { type: 'string' },
+        ...tokenMetadataProperties,
+        ...keepSessionProperty,
+        clientId: { type: 'string' },
+        scope: {},
+        loginType: { type: 'string' }
+    },
+    additionalProperties: true
+};
+exports.deleteImpersonationQuerySchema = {
+    type: 'object',
+    additionalProperties: true
+};
+/* ------------------------------------------------------------------ */
+/*  OAuth schemas                                                      */
+/* ------------------------------------------------------------------ */
+exports.oauthProviderParamsSchema = {
+    type: 'object',
+    required: ['provider'],
+    properties: {
+        provider: { type: 'string', minLength: 1 }
+    }
+};
+exports.oauthStartBodySchema = {
+    type: 'object',
+    properties: {
+        redirectUri: { type: 'string' },
+        scope: {},
+        state: { type: 'string' },
+        extras: { type: 'object' }
+    },
+    additionalProperties: true
+};
+exports.oauthAuthorizeBodySchema = {
+    type: 'object',
+    required: ['clientId', 'redirectUri'],
+    properties: {
+        clientId: { type: 'string', minLength: 1 },
+        redirectUri: { type: 'string', minLength: 1 },
+        scope: {},
+        state: { type: 'string' },
+        codeChallenge: { type: 'string' },
+        codeChallengeMethod: { type: 'string' },
+        login: { type: 'string' },
+        password: { type: 'string' }
+    },
+    additionalProperties: false
+};
+exports.oauthTokenBodySchema = {
+    type: 'object',
+    required: ['grant_type'],
+    properties: {
+        grant_type: { type: 'string', enum: ['authorization_code', 'refresh_token'] },
+        code: { type: 'string' },
+        redirect_uri: { type: 'string' },
+        code_verifier: { type: 'string' },
+        client_id: { type: 'string' },
+        client_secret: { type: 'string' },
+        refresh_token: { type: 'string' },
+        scope: { type: 'string' }
+    },
+    additionalProperties: false
+};

package/dist/cjs/auth-api/schemas.d.ts

@@ -0,0 +1,21 @@
+/**
+ * JSON Schema definitions for auth module routes.
+ * These are the runtime validation source-of-truth; TypeScript interfaces
+ * in auth-module.ts remain for handler-internal typing only.
+ */
+/** Loose JSON Schema object type used for Fastify route schema definitions. */
+type JsonSchema = Record<string, unknown>;
+export declare const loginBodySchema: JsonSchema;
+export declare const refreshBodySchema: JsonSchema;
+export declare const logoutBodySchema: JsonSchema;
+export declare const whoamiBodySchema: JsonSchema;
+export declare const passkeyChallengeBodySchema: JsonSchema;
+export declare const passkeyVerifyBodySchema: JsonSchema;
+export declare const passkeyCredentialParamsSchema: JsonSchema;
+export declare const impersonateBodySchema: JsonSchema;
+export declare const deleteImpersonationQuerySchema: JsonSchema;
+export declare const oauthProviderParamsSchema: JsonSchema;
+export declare const oauthStartBodySchema: JsonSchema;
+export declare const oauthAuthorizeBodySchema: JsonSchema;
+export declare const oauthTokenBodySchema: JsonSchema;
+export {};

package/dist/cjs/auth-api/sql-auth-store.cjs

@@ -0,0 +1,179 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SqlAuthStore = void 0;
+const sequelize_js_1 = require("../oauth/sequelize.cjs");
+const config_js_1 = require("../passkey/config.cjs");
+const sequelize_js_2 = require("../passkey/sequelize.cjs");
+const sequelize_utils_js_1 = require("../sequelize-utils.cjs");
+const sequelize_js_3 = require("../token/sequelize.cjs");
+const sequelize_js_4 = require("../user/sequelize.cjs");
+const compat_auth_storage_js_1 = require("./compat-auth-storage.cjs");
+const user_id_js_1 = require("./user-id.cjs");
+function resolveTablePrefix(...prefixes) {
+    for (const prefix of prefixes) {
+        const normalized = (0, sequelize_utils_js_1.normalizeTablePrefix)(prefix);
+        if (normalized) {
+            return normalized;
+        }
+    }
+    return undefined;
+}
+class SqlAuthStore {
+    constructor(params) {
+        this.closed = false;
+        if (!params?.sequelize) {
+            throw new Error('SqlAuthStore requires an initialised Sequelize instance');
+        }
+        this.sequelize = params.sequelize;
+        this.syncOptions = params.syncOptions;
+        const moduleTablePrefixes = params.tablePrefixes ?? {};
+        const userTablePrefix = resolveTablePrefix(moduleTablePrefixes.user, params.tablePrefix);
+        this.userStore = new sequelize_js_4.SequelizeUserStore({
+            sequelize: this.sequelize,
+            userModel: params.userModel,
+            userModelFactory: params.userModelFactory,
+            recordMapper: params.userRecordMapper,
+            toPublic: params.publicUserMapper,
+            bcryptRounds: params.bcryptRounds,
+            bcryptPepper: params.passwordPepper,
+            tablePrefix: userTablePrefix
+        });
+        const tokenTablePrefix = resolveTablePrefix(params.tokenStoreOptions?.tablePrefix, moduleTablePrefixes.token, params.tablePrefix);
+        this.tokenStore =
+            params.tokenStore ??
+                new sequelize_js_3.SequelizeTokenStore({
+                    sequelize: this.sequelize,
+                    ...params.tokenStoreOptions,
+                    tablePrefix: tokenTablePrefix
+                });
+        const oauthTablePrefix = resolveTablePrefix(params.oauthStoreOptions?.tablePrefix, moduleTablePrefixes.oauth, params.tablePrefix);
+        this.oauthStore = new sequelize_js_1.SequelizeOAuthStore({
+            sequelize: this.sequelize,
+            ...params.oauthStoreOptions,
+            tablePrefix: oauthTablePrefix,
+            bcryptRounds: params.bcryptRounds
+        });
+        let passkeyStore;
+        let passkeyConfig;
+        if (params.passkeys !== false) {
+            const passkeyTablePrefix = resolveTablePrefix(moduleTablePrefixes.passkey, params.tablePrefix);
+            passkeyConfig = (0, config_js_1.normalizePasskeyConfig)(params.passkeys ?? {});
+            const resolveUser = async (lookup) => {
+                const found = await this.userStore.findUser(lookup.userId ?? lookup.login ?? '');
+                if (!found) {
+                    return null;
+                }
+                const mapper = params.passkeyUserMapper ??
+                    ((user) => ({
+                        id: (this.userStore.getUserId(user) ?? user['user_id']),
+                        login: user.login ?? String(this.userStore.getUserId(user)),
+                        displayName: user.login ?? String(this.userStore.getUserId(user))
+                    }));
+                return mapper(found);
+            };
+            passkeyStore = new sequelize_js_2.SequelizePasskeyStore({
+                sequelize: this.sequelize,
+                resolveUser,
+                tablePrefix: passkeyTablePrefix
+            });
+            this.passkeyStore = passkeyStore;
+        }
+        this.adapter = new compat_auth_storage_js_1.CompositeAuthAdapter({
+            userStore: this.userStore,
+            tokenStore: this.tokenStore,
+            passkeys: passkeyStore && passkeyConfig ? { store: passkeyStore, config: passkeyConfig } : undefined,
+            oauthStore: this.oauthStore,
+            canImpersonate: params.canImpersonate
+        });
+    }
+    async initialise(withSync = false) {
+        await this.sequelize.authenticate();
+        if (withSync) {
+            await this.sequelize.sync(this.syncOptions);
+        }
+    }
+    async close() {
+        if (this.closed) {
+            return;
+        }
+        this.closed = true;
+        try {
+            await this.sequelize.close();
+        }
+        catch (error) {
+            const message = error?.message ?? '';
+            if (!/closed/i.test(message)) {
+                throw error;
+            }
+        }
+        finally {
+            // Prevent double-close errors when the same Sequelize instance is shared with other code.
+            this.sequelize.close = async () => { };
+        }
+    }
+    async getUser(identifier) {
+        return this.adapter.getUser(identifier);
+    }
+    getUserPasswordHash(user) {
+        return this.adapter.getUserPasswordHash(user);
+    }
+    getUserId(user) {
+        return this.adapter.getUserId(user);
+    }
+    filterUser(user) {
+        return this.adapter.filterUser(user);
+    }
+    async verifyPassword(password, hash) {
+        return this.adapter.verifyPassword(password, hash);
+    }
+    async storeToken(data) {
+        return this.adapter.storeToken(data);
+    }
+    async getToken(query, opts) {
+        const normalized = {
+            ...query,
+            userId: (0, user_id_js_1.toOptionalStringId)(query.userId),
+            ruid: (0, user_id_js_1.toOptionalStringId)(query.ruid)
+        };
+        return this.adapter.getToken(normalized, opts);
+    }
+    async deleteToken(query) {
+        const normalized = {
+            ...query,
+            userId: (0, user_id_js_1.toOptionalStringId)(query.userId),
+            ruid: (0, user_id_js_1.toOptionalStringId)(query.ruid)
+        };
+        return this.adapter.deleteToken(normalized);
+    }
+    async updateToken(updates) {
+        return this.adapter.updateToken(updates);
+    }
+    async createPasskeyChallenge(params) {
+        return this.adapter.createPasskeyChallenge(params);
+    }
+    async verifyPasskeyResponse(params) {
+        return this.adapter.verifyPasskeyResponse(params);
+    }
+    async listUserCredentials(userId) {
+        return this.adapter.listUserCredentials(userId);
+    }
+    async deletePasskeyCredential(credentialId) {
+        return this.adapter.deletePasskeyCredential(credentialId);
+    }
+    async getClient(clientId) {
+        return this.adapter.getClient(clientId);
+    }
+    async verifyClientSecret(client, clientSecret) {
+        return this.adapter.verifyClientSecret(client, clientSecret);
+    }
+    async createAuthCode(request) {
+        return this.adapter.createAuthCode(request);
+    }
+    async consumeAuthCode(code, clientId) {
+        return this.adapter.consumeAuthCode(code, clientId);
+    }
+    async canImpersonate(params) {
+        return this.adapter.canImpersonate(params);
+    }
+}
+exports.SqlAuthStore = SqlAuthStore;

package/dist/cjs/auth-api/sql-auth-store.d.ts

@@ -0,0 +1,87 @@
+import { Sequelize, type SyncOptions } from 'sequelize';
+import { SequelizeOAuthStore, type SequelizeOAuthStoreOptions } from '../oauth/sequelize.js';
+import { SequelizePasskeyStore } from '../passkey/sequelize.js';
+import { type SequelizeTokenStoreOptions } from '../token/sequelize.js';
+import { SequelizeUserStore, type AuthUserAttributes, GenericUserModel, GenericUserModelStatic } from '../user/sequelize.js';
+import type { AuthAdapter, AuthIdentifier } from './types.js';
+import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyServiceConfig, PasskeyUserDescriptor, StoredPasskeyCredential, PasskeyVerificationParams, PasskeyVerificationResult } from '../passkey/types.js';
+import type { TokenStore } from '../token/base.js';
+import type { Token } from '../token/types.js';
+interface PasskeyOptions extends Partial<PasskeyServiceConfig> {
+    enabled?: boolean;
+}
+export interface SqlAuthStoreTablePrefixes {
+    user?: string;
+    token?: string;
+    passkey?: string;
+    oauth?: string;
+}
+export interface SqlAuthStoreParams<UserAttributes extends AuthUserAttributes = AuthUserAttributes, PublicUserShape extends Omit<UserAttributes, 'password'> = Omit<UserAttributes, 'password'>> {
+    sequelize: Sequelize;
+    syncOptions?: SyncOptions;
+    bcryptRounds?: number;
+    passwordPepper?: string;
+    tablePrefix?: string;
+    tablePrefixes?: SqlAuthStoreTablePrefixes;
+    userModel?: GenericUserModelStatic;
+    userModelFactory?: (sequelize: Sequelize, options?: {
+        tablePrefix?: string;
+    }) => GenericUserModelStatic;
+    userRecordMapper?: (model: GenericUserModel) => UserAttributes;
+    publicUserMapper?: (user: UserAttributes) => PublicUserShape;
+    passkeyUserMapper?: (user: UserAttributes) => PasskeyUserDescriptor;
+    passkeys?: false | PasskeyOptions;
+    canImpersonate?: (params: {
+        realUserId: AuthIdentifier;
+        effectiveUserId: AuthIdentifier;
+    }) => boolean | Promise<boolean>;
+    tokenStore?: TokenStore;
+    tokenStoreOptions?: Omit<SequelizeTokenStoreOptions, 'sequelize'>;
+    oauthStoreOptions?: Omit<SequelizeOAuthStoreOptions, 'sequelize'>;
+}
+export declare class SqlAuthStore<UserAttributes extends AuthUserAttributes = AuthUserAttributes, PublicUserShape extends Omit<UserAttributes, 'password'> = Omit<UserAttributes, 'password'>> implements AuthAdapter<UserAttributes, PublicUserShape> {
+    readonly userStore: SequelizeUserStore<UserAttributes, PublicUserShape>;
+    readonly tokenStore: TokenStore;
+    readonly passkeyStore?: SequelizePasskeyStore;
+    readonly oauthStore: SequelizeOAuthStore;
+    private readonly adapter;
+    private readonly sequelize;
+    private closed;
+    private readonly syncOptions?;
+    constructor(params: SqlAuthStoreParams<UserAttributes, PublicUserShape>);
+    initialise(withSync?: boolean): Promise<void>;
+    close(): Promise<void>;
+    getUser(identifier: AuthIdentifier): Promise<UserAttributes | null>;
+    getUserPasswordHash(user: UserAttributes): string;
+    getUserId(user: UserAttributes): AuthIdentifier;
+    filterUser(user: UserAttributes): PublicUserShape;
+    verifyPassword(password: string, hash: string): Promise<boolean>;
+    storeToken(data: Token): Promise<void>;
+    getToken(query: Partial<Token> & {
+        userId?: AuthIdentifier;
+        ruid?: AuthIdentifier;
+    }, opts?: {
+        includeExpired?: boolean;
+    }): Promise<Token | null>;
+    deleteToken(query: Partial<Token> & {
+        userId?: AuthIdentifier;
+        ruid?: AuthIdentifier;
+    }): Promise<number>;
+    updateToken(updates: Partial<Token> & {
+        refreshToken: string;
+    }): Promise<boolean>;
+    createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
+    verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
+    getClient(clientId: string): Promise<OAuthClient | null>;
+    verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
+    createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;
+    consumeAuthCode(code: string, clientId: string): Promise<AuthCodeData | null>;
+    canImpersonate(params: {
+        realUserId: AuthIdentifier;
+        effectiveUserId: AuthIdentifier;
+    }): Promise<boolean>;
+}
+export {};

package/dist/cjs/auth-api/storage.cjs

@@ -0,0 +1,102 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.nullAuthAdapter = exports.BaseAuthAdapter = void 0;
+// Handy base you can extend when wiring a real auth adapter. Every method
+// throws by default so unimplemented hooks fail loudly.
+class BaseAuthAdapter {
+    // Override to load a user record by identifier
+    async getUser(identifier) {
+        void identifier;
+        return null;
+    }
+    // Override to return the stored password hash for the user
+    getUserPasswordHash(user) {
+        void user;
+        throw new Error('Auth storage not configured');
+    }
+    // Override to expose the canonical user identifier
+    getUserId(user) {
+        void user;
+        throw new Error('Auth storage not configured');
+    }
+    // Override to strip sensitive fields from the user record
+    filterUser(user) {
+        return user;
+    }
+    // Override to validate a raw password against the stored hash
+    async verifyPassword(password, hash) {
+        void password;
+        void hash;
+        throw new Error('Auth storage not configured');
+    }
+    // Override to persist newly issued tokens
+    async storeToken(data) {
+        void data;
+        throw new Error('Auth storage not configured');
+    }
+    // Override to look up a stored token by query
+    async getToken(query, opts) {
+        void query;
+        void opts;
+        return null;
+    }
+    // Override to remove stored tokens that match the query
+    async deleteToken(query) {
+        void query;
+        return 0;
+    }
+    // Override to update metadata for an existing refresh token
+    async updateToken(updates) {
+        void updates;
+        return false;
+    }
+    // Override to create a new passkey challenge record
+    async createPasskeyChallenge(params) {
+        void params;
+        throw new Error('Auth storage not configured');
+    }
+    // Override to verify an incoming WebAuthn response
+    async verifyPasskeyResponse(params) {
+        void params;
+        throw new Error('Auth storage not configured');
+    }
+    // Override to list passkey credentials for a user
+    async listUserCredentials(userId) {
+        void userId;
+        throw new Error('Auth storage not configured');
+    }
+    // Override to delete a passkey credential
+    async deletePasskeyCredential(credentialId) {
+        void credentialId;
+        throw new Error('Auth storage not configured');
+    }
+    // Override to fetch an OAuth client by identifier
+    async getClient(clientId) {
+        void clientId;
+        return null;
+    }
+    // Override to compare a provided client secret against storage
+    async verifyClientSecret(client, clientSecret) {
+        void client;
+        void clientSecret;
+        throw new Error('Auth storage not configured');
+    }
+    // Override to create a new authorization code entry
+    async createAuthCode(request) {
+        void request;
+        throw new Error('Auth storage not configured');
+    }
+    // Override to consume and invalidate an authorization code
+    async consumeAuthCode(code, clientId) {
+        void code;
+        void clientId;
+        return null;
+    }
+    // Override to decide if a real user may impersonate another user
+    async canImpersonate(params) {
+        void params;
+        return false;
+    }
+}
+exports.BaseAuthAdapter = BaseAuthAdapter;
+exports.nullAuthAdapter = new BaseAuthAdapter();

package/dist/cjs/auth-api/storage.d.ts

@@ -0,0 +1,38 @@
+import type { AuthAdapter, AuthIdentifier } from './types.js';
+import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult, StoredPasskeyCredential } from '../passkey/types.js';
+import type { Token } from '../token/types.js';
+export declare class BaseAuthAdapter<UserRow = unknown, SafeUser = unknown> implements AuthAdapter<UserRow, SafeUser> {
+    getUser(identifier: AuthIdentifier): Promise<UserRow | null>;
+    getUserPasswordHash(user: UserRow): string;
+    getUserId(user: UserRow): AuthIdentifier;
+    filterUser(user: UserRow): SafeUser;
+    verifyPassword(password: string, hash: string): Promise<boolean>;
+    storeToken(data: Token): Promise<void>;
+    getToken(query: Partial<Omit<Token, 'userId' | 'ruid'>> & {
+        userId?: string | number;
+        ruid?: string | number;
+    }, opts?: {
+        includeExpired?: boolean;
+    }): Promise<Token | null>;
+    deleteToken(query: Partial<Omit<Token, 'userId' | 'ruid'>> & {
+        userId?: string | number;
+        ruid?: string | number;
+    }): Promise<number>;
+    updateToken(updates: Partial<Token> & {
+        refreshToken: string;
+    }): Promise<boolean>;
+    createPasskeyChallenge(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
+    verifyPasskeyResponse(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential(credentialId: Buffer | string): Promise<boolean>;
+    getClient(clientId: string): Promise<OAuthClient | null>;
+    verifyClientSecret(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
+    createAuthCode(request: AuthCodeRequest): Promise<AuthCodeData>;
+    consumeAuthCode(code: string, clientId: string): Promise<AuthCodeData | null>;
+    canImpersonate(params: {
+        realUserId: AuthIdentifier;
+        effectiveUserId: AuthIdentifier;
+    }): Promise<boolean>;
+}
+export declare const nullAuthAdapter: AuthAdapter<unknown, unknown>;

package/dist/cjs/auth-api/types.cjs

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cjs/auth-api/types.d.ts

@@ -0,0 +1,34 @@
+import type { AuthCodeData, AuthCodeRequest, OAuthClient } from '../oauth/types.js';
+import type { PasskeyChallenge, PasskeyChallengeParams, PasskeyVerificationParams, PasskeyVerificationResult, StoredPasskeyCredential } from '../passkey/types.js';
+import type { Token } from '../token/types.js';
+export type AuthIdentifier = string | number;
+/** @internal */
+export interface AuthAdapter<UserRow, SafeUser> {
+    getUser(identifier: AuthIdentifier): Promise<UserRow | null>;
+    getUserPasswordHash(user: UserRow): string;
+    getUserId(user: UserRow): AuthIdentifier;
+    filterUser(user: UserRow): SafeUser;
+    verifyPassword(password: string, hash: string): Promise<boolean>;
+    storeToken(data: Token): Promise<void>;
+    getToken(query: Partial<Token>, opts?: {
+        includeExpired?: boolean;
+    }): Promise<Token | null>;
+    deleteToken(query: Partial<Token>): Promise<number>;
+    updateToken?(updates: Partial<Token> & {
+        refreshToken: string;
+    }): Promise<boolean>;
+    createPasskeyChallenge?(params: PasskeyChallengeParams): Promise<PasskeyChallenge>;
+    verifyPasskeyResponse?(params: PasskeyVerificationParams): Promise<PasskeyVerificationResult>;
+    listUserCredentials?(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deletePasskeyCredential?(credentialId: Buffer | string): Promise<boolean>;
+    getClient?(clientId: string): Promise<OAuthClient | null>;
+    verifyClientSecret?(client: OAuthClient, clientSecret: string | null): Promise<boolean>;
+    createAuthCode?(request: AuthCodeRequest): Promise<AuthCodeData>;
+    consumeAuthCode?(code: string, clientId: string): Promise<AuthCodeData | null>;
+    canImpersonate?(params: {
+        realUserId: AuthIdentifier;
+        effectiveUserId: AuthIdentifier;
+    }): Promise<boolean>;
+}
+/** @internal */
+export type AuthStorage<UserRow, SafeUser> = AuthAdapter<UserRow, SafeUser>;