@technomoron/apicore-server 1.0.0-beta.1

package/dist/cjs/limiter/auth-rate-limiter.cjs

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAuthRateLimitHook = createAuthRateLimitHook;
+const apicore_server_js_1 = require("../apicore-server.cjs");
+const fixed_window_js_1 = require("./fixed-window.cjs");
+function createAuthRateLimitHook(config, limiter) {
+    if (!config || Object.keys(config).length === 0) {
+        return () => { };
+    }
+    const instance = limiter ?? new fixed_window_js_1.FixedWindowRateLimiter();
+    return (ctx) => {
+        const endpointConfig = config[ctx.endpoint];
+        if (!endpointConfig) {
+            return;
+        }
+        const windowSec = endpointConfig.windowSec ?? 0;
+        const max = endpointConfig.max ?? 0;
+        if (windowSec <= 0 || max <= 0) {
+            return;
+        }
+        const clientIp = ctx.apiReq.getClientIp() ?? '';
+        if (!clientIp) {
+            return;
+        }
+        const key = `${ctx.endpoint}:${clientIp}`;
+        const decision = instance.check(key, max, windowSec * 1000);
+        if (!decision.allowed) {
+            throw new apicore_server_js_1.ApiError({
+                code: 429,
+                message: 'Too many requests; try again later',
+                data: { retryAfterSec: decision.retryAfterSec }
+            });
+        }
+    };
+}

package/dist/cjs/limiter/auth-rate-limiter.d.ts

@@ -0,0 +1,12 @@
+import { type ApiRequest } from '../apicore-server.js';
+import { FixedWindowRateLimiter } from './fixed-window.js';
+type AuthRateLimitEndpoint = 'login' | 'passkey-challenge' | 'oauth-token' | 'oauth-authorize';
+export interface AuthRateLimitConfig {
+    windowSec?: number;
+    max?: number;
+}
+export declare function createAuthRateLimitHook(config: Partial<Record<AuthRateLimitEndpoint, AuthRateLimitConfig>>, limiter?: FixedWindowRateLimiter): (ctx: {
+    apiReq: ApiRequest;
+    endpoint: string;
+}) => void;
+export {};

package/dist/cjs/limiter/fixed-window.cjs

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FixedWindowRateLimiter = void 0;
+class FixedWindowRateLimiter {
+    constructor(maxKeys = 10000) {
+        this.maxKeys = maxKeys;
+        this.buckets = new Map();
+    }
+    check(key, max, windowMs) {
+        if (!key || max <= 0 || windowMs <= 0) {
+            return { allowed: true, retryAfterSec: 0 };
+        }
+        const now = Date.now();
+        const bucket = this.buckets.get(key);
+        if (!bucket || now - bucket.windowStartMs >= windowMs) {
+            this.buckets.delete(key);
+            this.buckets.set(key, { windowStartMs: now, count: 1 });
+            this.prune();
+            return { allowed: true, retryAfterSec: 0 };
+        }
+        bucket.count += 1;
+        // Refresh insertion order to keep active entries at the end for pruning.
+        this.buckets.delete(key);
+        this.buckets.set(key, bucket);
+        if (bucket.count <= max) {
+            return { allowed: true, retryAfterSec: 0 };
+        }
+        const retryAfterSec = Math.max(1, Math.ceil((bucket.windowStartMs + windowMs - now) / 1000));
+        return { allowed: false, retryAfterSec };
+    }
+    prune() {
+        while (this.buckets.size > this.maxKeys) {
+            const oldest = this.buckets.keys().next().value;
+            if (!oldest) {
+                break;
+            }
+            this.buckets.delete(oldest);
+        }
+    }
+}
+exports.FixedWindowRateLimiter = FixedWindowRateLimiter;

package/dist/cjs/limiter/fixed-window.d.ts

@@ -0,0 +1,11 @@
+export type RateLimitDecision = {
+    allowed: boolean;
+    retryAfterSec: number;
+};
+export declare class FixedWindowRateLimiter {
+    private readonly maxKeys;
+    private readonly buckets;
+    constructor(maxKeys?: number);
+    check(key: string, max: number, windowMs: number): RateLimitDecision;
+    private prune;
+}

package/dist/cjs/oauth/base.cjs

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthStore = void 0;
+/** Base contract for OAuth client/auth-code persistence backends. */
+class OAuthStore {
+}
+exports.OAuthStore = OAuthStore;

package/dist/cjs/oauth/base.d.ts

@@ -0,0 +1,17 @@
+import type { AuthCode, OAuthClient } from './types.js';
+/** Base contract for OAuth client/auth-code persistence backends. */
+export declare abstract class OAuthStore {
+    /** Fetch an OAuth client by id. */
+    abstract getClient(clientId: string): Promise<OAuthClient | null>;
+    /** Create an OAuth client. */
+    abstract createClient(input: OAuthClient): Promise<OAuthClient>;
+    /** Verify an OAuth client secret. */
+    abstract verifyClientSecret(clientId: string, secret: string | null): Promise<boolean>;
+    /** Persist an authorization code. */
+    abstract createAuthCode(code: AuthCode): Promise<void>;
+    /** Consume an authorization code once. When clientId is provided, only consume if it matches. */
+    abstract consumeAuthCode(code: string, clientId?: string): Promise<AuthCode | null>;
+    /** Close underlying resources. */
+    abstract close(): Promise<void>;
+}
+export type { OAuthClient, AuthCode } from './types.js';

package/dist/cjs/oauth/memory.cjs

@@ -0,0 +1,135 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MemoryOAuthStore = void 0;
+const bcryptjs_1 = __importDefault(require("bcryptjs"));
+const user_id_js_1 = require("../auth-api/user-id.cjs");
+const base_js_1 = require("./base.cjs");
+function cloneClient(client) {
+    if (!client) {
+        return null;
+    }
+    return {
+        clientId: client.clientId,
+        hasSecret: Boolean(client.clientSecret),
+        name: client.name,
+        redirectUris: [...client.redirectUris],
+        scope: client.scope ? [...client.scope] : undefined,
+        metadata: client.metadata ? JSON.parse(JSON.stringify(client.metadata)) : undefined,
+        firstParty: client.firstParty
+    };
+}
+function cloneCode(code) {
+    return {
+        ...code,
+        userId: (0, user_id_js_1.normalizeComparableUserId)(code.userId),
+        scope: code.scope ? [...code.scope] : undefined,
+        expiresAt: new Date(code.expiresAt),
+        metadata: code.metadata ? { ...code.metadata } : undefined
+    };
+}
+class MemoryOAuthStore extends base_js_1.OAuthStore {
+    constructor(options = {}) {
+        super();
+        this.clients = new Map();
+        this.codes = new Map();
+        this.bcryptRounds = options.bcryptRounds ?? 12;
+        this.maxClients =
+            typeof options.maxClients === 'number' && Number.isFinite(options.maxClients) && options.maxClients > 0
+                ? Math.floor(options.maxClients)
+                : undefined;
+        this.maxAuthCodes =
+            typeof options.maxAuthCodes === 'number' &&
+                Number.isFinite(options.maxAuthCodes) &&
+                options.maxAuthCodes > 0
+                ? Math.floor(options.maxAuthCodes)
+                : undefined;
+    }
+    async getClient(clientId) {
+        return cloneClient(this.clients.get(clientId));
+    }
+    async createClient(input) {
+        const clientSecret = input.clientSecret ? await bcryptjs_1.default.hash(input.clientSecret, this.bcryptRounds) : '';
+        const stored = {
+            clientId: input.clientId,
+            clientSecret,
+            name: input.name,
+            redirectUris: [...input.redirectUris],
+            scope: input.scope ? [...input.scope] : undefined,
+            metadata: input.metadata ? { ...input.metadata } : undefined,
+            firstParty: input.firstParty
+        };
+        this.clients.set(stored.clientId, stored);
+        this.enforceClientCapacity();
+        return cloneClient(stored);
+    }
+    async verifyClientSecret(clientId, secret) {
+        const client = this.clients.get(clientId);
+        if (!client) {
+            return false;
+        }
+        if (!client.clientSecret) {
+            return !secret || secret.length === 0;
+        }
+        if (!secret) {
+            return false;
+        }
+        return bcryptjs_1.default.compare(secret, client.clientSecret);
+    }
+    async createAuthCode(code) {
+        const record = {
+            ...code,
+            userId: (0, user_id_js_1.normalizeComparableUserId)(code.userId),
+            scope: code.scope ? [...code.scope] : undefined,
+            expiresAt: code.expiresAt,
+            metadata: code.metadata ? { ...code.metadata } : undefined
+        };
+        this.codes.set(record.code, record);
+        this.enforceCodeCapacity();
+    }
+    async consumeAuthCode(code, clientId) {
+        const record = this.codes.get(code);
+        if (!record) {
+            return null;
+        }
+        if (clientId && record.clientId !== clientId) {
+            return null;
+        }
+        if (record.expiresAt.getTime() <= Date.now()) {
+            this.codes.delete(code);
+            return null;
+        }
+        this.codes.delete(code);
+        return cloneCode(record);
+    }
+    async close() {
+        return;
+    }
+    enforceClientCapacity() {
+        if (!this.maxClients) {
+            return;
+        }
+        while (this.clients.size > this.maxClients) {
+            const oldest = this.clients.keys().next().value;
+            if (!oldest) {
+                return;
+            }
+            this.clients.delete(oldest);
+        }
+    }
+    enforceCodeCapacity() {
+        if (!this.maxAuthCodes) {
+            return;
+        }
+        while (this.codes.size > this.maxAuthCodes) {
+            const oldest = this.codes.keys().next().value;
+            if (!oldest) {
+                return;
+            }
+            this.codes.delete(oldest);
+        }
+    }
+}
+exports.MemoryOAuthStore = MemoryOAuthStore;

package/dist/cjs/oauth/memory.d.ts

@@ -0,0 +1,22 @@
+import { OAuthStore, type AuthCode, type OAuthClient } from './base.js';
+export interface MemoryOAuthStoreOptions {
+    bcryptRounds?: number;
+    maxClients?: number;
+    maxAuthCodes?: number;
+}
+export declare class MemoryOAuthStore extends OAuthStore {
+    private readonly clients;
+    private readonly codes;
+    private readonly bcryptRounds;
+    private readonly maxClients?;
+    private readonly maxAuthCodes?;
+    constructor(options?: MemoryOAuthStoreOptions);
+    getClient(clientId: string): Promise<OAuthClient | null>;
+    createClient(input: OAuthClient): Promise<OAuthClient>;
+    verifyClientSecret(clientId: string, secret: string | null): Promise<boolean>;
+    createAuthCode(code: AuthCode): Promise<void>;
+    consumeAuthCode(code: string, clientId?: string): Promise<AuthCode | null>;
+    close(): Promise<void>;
+    private enforceClientCapacity;
+    private enforceCodeCapacity;
+}

package/dist/cjs/oauth/models.cjs

@@ -0,0 +1,47 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthCodeModel = exports.OAuthClientModel = exports.tableOptions = exports.integerIdType = void 0;
+exports.initOAuthClientModel = initOAuthClientModel;
+exports.initOAuthCodeModel = initOAuthCodeModel;
+const sequelize_1 = require("sequelize");
+const sequelize_utils_js_1 = require("../sequelize-utils.cjs");
+var sequelize_utils_js_2 = require("../sequelize-utils.cjs");
+Object.defineProperty(exports, "integerIdType", { enumerable: true, get: function () { return sequelize_utils_js_2.integerIdType; } });
+Object.defineProperty(exports, "tableOptions", { enumerable: true, get: function () { return sequelize_utils_js_2.tableOptions; } });
+class OAuthClientModel extends sequelize_1.Model {
+}
+exports.OAuthClientModel = OAuthClientModel;
+function initOAuthClientModel(sequelize, options = {}) {
+    OAuthClientModel.init({
+        client_id: { type: sequelize_1.DataTypes.STRING(128), allowNull: false, primaryKey: true },
+        client_secret: { type: sequelize_1.DataTypes.STRING(255), allowNull: false, defaultValue: '' },
+        name: { type: sequelize_1.DataTypes.STRING(128), allowNull: true, defaultValue: null },
+        redirect_uris: { type: sequelize_1.DataTypes.TEXT, allowNull: false, defaultValue: '[]' },
+        scope: { type: sequelize_1.DataTypes.TEXT, allowNull: false, defaultValue: '[]' },
+        metadata: { type: sequelize_1.DataTypes.TEXT, allowNull: true, defaultValue: null },
+        first_party: { type: sequelize_1.DataTypes.BOOLEAN, allowNull: false, defaultValue: false }
+    }, {
+        ...(0, sequelize_utils_js_1.tableOptions)(sequelize, 'oauth_clients', options.tablePrefix, { timestamps: false })
+    });
+    return OAuthClientModel;
+}
+class OAuthCodeModel extends sequelize_1.Model {
+}
+exports.OAuthCodeModel = OAuthCodeModel;
+function initOAuthCodeModel(sequelize, options = {}) {
+    const idType = (0, sequelize_utils_js_1.integerIdType)(sequelize);
+    OAuthCodeModel.init({
+        code: { type: sequelize_1.DataTypes.STRING(128), allowNull: false, primaryKey: true },
+        client_id: { type: sequelize_1.DataTypes.STRING(128), allowNull: false },
+        user_id: { type: idType, allowNull: false },
+        redirect_uri: { type: sequelize_1.DataTypes.TEXT, allowNull: false },
+        scope: { type: sequelize_1.DataTypes.TEXT, allowNull: false, defaultValue: '[]' },
+        code_challenge: { type: sequelize_1.DataTypes.STRING(255), allowNull: true, defaultValue: null },
+        code_challenge_method: { type: sequelize_1.DataTypes.STRING(10), allowNull: true, defaultValue: null },
+        expires: { type: sequelize_1.DataTypes.DATE, allowNull: false },
+        metadata: { type: sequelize_1.DataTypes.TEXT, allowNull: true, defaultValue: null }
+    }, {
+        ...(0, sequelize_utils_js_1.tableOptions)(sequelize, 'oauth_codes', options.tablePrefix, { timestamps: false })
+    });
+    return OAuthCodeModel;
+}

package/dist/cjs/oauth/models.d.ts

@@ -0,0 +1,50 @@
+import { Model, type Optional, type Sequelize } from 'sequelize';
+export { integerIdType, tableOptions } from '../sequelize-utils.js';
+export interface OAuthClientAttributes {
+    client_id: string;
+    client_secret: string;
+    name: string | null;
+    redirect_uris: string;
+    scope: string;
+    metadata: string | null;
+    first_party: boolean;
+}
+export type OAuthClientCreationAttributes = Optional<OAuthClientAttributes, 'client_secret' | 'name' | 'scope' | 'metadata' | 'first_party'>;
+export declare class OAuthClientModel extends Model<OAuthClientAttributes, OAuthClientCreationAttributes> implements OAuthClientAttributes {
+    client_id: string;
+    client_secret: string;
+    name: string | null;
+    redirect_uris: string;
+    scope: string;
+    metadata: string | null;
+    first_party: boolean;
+}
+export declare function initOAuthClientModel(sequelize: Sequelize, options?: {
+    tablePrefix?: string;
+}): typeof OAuthClientModel;
+export interface OAuthCodeAttributes {
+    code: string;
+    client_id: string;
+    user_id: number;
+    redirect_uri: string;
+    scope: string;
+    code_challenge: string | null;
+    code_challenge_method: 'plain' | 'S256' | null;
+    expires: Date;
+    metadata: string | null;
+}
+export type OAuthCodeCreationAttributes = Optional<OAuthCodeAttributes, 'code_challenge' | 'code_challenge_method' | 'metadata'>;
+export declare class OAuthCodeModel extends Model<OAuthCodeAttributes, OAuthCodeCreationAttributes> implements OAuthCodeAttributes {
+    code: string;
+    client_id: string;
+    user_id: number;
+    redirect_uri: string;
+    scope: string;
+    code_challenge: string | null;
+    code_challenge_method: 'plain' | 'S256' | null;
+    expires: Date;
+    metadata: string | null;
+}
+export declare function initOAuthCodeModel(sequelize: Sequelize, options?: {
+    tablePrefix?: string;
+}): typeof OAuthCodeModel;

package/dist/cjs/oauth/sequelize.cjs

@@ -0,0 +1,159 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SequelizeOAuthStore = exports.initOAuthCodeModel = exports.initOAuthClientModel = exports.OAuthCodeModel = exports.OAuthClientModel = void 0;
+const bcryptjs_1 = __importDefault(require("bcryptjs"));
+const sequelize_1 = require("sequelize");
+const user_id_js_1 = require("../auth-api/user-id.cjs");
+const sequelize_utils_js_1 = require("../sequelize-utils.cjs");
+const base_js_1 = require("./base.cjs");
+const models_js_1 = require("./models.cjs");
+var models_js_2 = require("./models.cjs");
+Object.defineProperty(exports, "OAuthClientModel", { enumerable: true, get: function () { return models_js_2.OAuthClientModel; } });
+Object.defineProperty(exports, "OAuthCodeModel", { enumerable: true, get: function () { return models_js_2.OAuthCodeModel; } });
+Object.defineProperty(exports, "initOAuthClientModel", { enumerable: true, get: function () { return models_js_2.initOAuthClientModel; } });
+Object.defineProperty(exports, "initOAuthCodeModel", { enumerable: true, get: function () { return models_js_2.initOAuthCodeModel; } });
+function serializeMetadata(metadata) {
+    if (!metadata) {
+        return null;
+    }
+    return JSON.stringify(metadata);
+}
+function parseMetadata(raw) {
+    if (!raw) {
+        return undefined;
+    }
+    try {
+        const parsed = JSON.parse(raw);
+        if (parsed && typeof parsed === 'object') {
+            return parsed;
+        }
+    }
+    catch {
+        // ignore
+    }
+    return undefined;
+}
+class SequelizeOAuthStore extends base_js_1.OAuthStore {
+    constructor(options) {
+        super();
+        if (!options?.sequelize) {
+            throw new Error('SequelizeOAuthStore requires an initialised Sequelize instance');
+        }
+        this.clients =
+            options.clientModel ??
+                (options.clientModelFactory ?? models_js_1.initOAuthClientModel)(options.sequelize, {
+                    tablePrefix: options.tablePrefix
+                });
+        this.codes =
+            options.codeModel ??
+                (options.codeModelFactory ?? models_js_1.initOAuthCodeModel)(options.sequelize, {
+                    tablePrefix: options.tablePrefix
+                });
+        this.bcryptRounds = options.bcryptRounds ?? 12;
+    }
+    async getClient(clientId) {
+        const model = await this.clients.findByPk(clientId);
+        return model ? this.toOAuthClient(model) : null;
+    }
+    async createClient(input) {
+        const existing = await this.clients.findByPk(input.clientId);
+        const hashedSecret = input.clientSecret !== undefined && input.clientSecret !== null
+            ? await bcryptjs_1.default.hash(input.clientSecret, this.bcryptRounds)
+            : (existing?.client_secret ?? '');
+        const redirectUris = input.redirectUris ?? (existing ? (0, sequelize_utils_js_1.decodeStringArray)(existing.redirect_uris) : undefined);
+        const scope = input.scope ?? (existing ? (0, sequelize_utils_js_1.decodeStringArray)(existing.scope) : undefined);
+        const metadata = input.metadata ?? (existing ? parseMetadata(existing.metadata) : undefined);
+        await this.clients.upsert({
+            client_id: input.clientId,
+            client_secret: hashedSecret,
+            name: input.name ?? existing?.name ?? null,
+            redirect_uris: (0, sequelize_utils_js_1.encodeStringArray)(redirectUris),
+            scope: (0, sequelize_utils_js_1.encodeStringArray)(scope),
+            metadata: serializeMetadata(metadata),
+            first_party: input.firstParty ?? existing?.first_party ?? false
+        });
+        const model = await this.clients.findByPk(input.clientId);
+        if (!model) {
+            throw new Error(`Unable to persist OAuth client ${input.clientId}`);
+        }
+        return this.toOAuthClient(model);
+    }
+    async verifyClientSecret(clientId, clientSecret) {
+        const model = await this.clients.findByPk(clientId);
+        if (!model) {
+            return false;
+        }
+        if (!model.client_secret) {
+            return !clientSecret || clientSecret.length === 0;
+        }
+        if (!clientSecret) {
+            return false;
+        }
+        return bcryptjs_1.default.compare(clientSecret, model.client_secret);
+    }
+    async createAuthCode(code) {
+        await this.codes.create({
+            code: code.code,
+            client_id: code.clientId,
+            user_id: (0, user_id_js_1.normalizeNumericUserId)(code.userId),
+            redirect_uri: code.redirectUri ?? '',
+            scope: (0, sequelize_utils_js_1.encodeStringArray)(code.scope),
+            code_challenge: code.codeChallenge ?? null,
+            code_challenge_method: code.codeChallengeMethod ?? null,
+            expires: code.expiresAt,
+            metadata: serializeMetadata(code.metadata)
+        });
+    }
+    async consumeAuthCode(code, clientId) {
+        const sequelize = this.codes.sequelize;
+        if (!sequelize) {
+            throw new Error('Code model is not bound to a Sequelize instance');
+        }
+        return sequelize.transaction({ isolationLevel: sequelize_1.Transaction.ISOLATION_LEVELS.READ_COMMITTED }, async (transaction) => {
+            const where = { code };
+            if (clientId) {
+                where.client_id = clientId;
+            }
+            const model = await this.codes.findOne({ where, transaction, lock: true });
+            if (!model) {
+                return null;
+            }
+            await model.destroy({ transaction });
+            if (model.expires.getTime() <= Date.now()) {
+                return null;
+            }
+            return this.toAuthCode(model);
+        });
+    }
+    async close() {
+        return;
+    }
+    toOAuthClient(model) {
+        return {
+            clientId: model.client_id,
+            hasSecret: Boolean(model.client_secret),
+            name: model.name ?? undefined,
+            redirectUris: (0, sequelize_utils_js_1.decodeStringArray)(model.redirect_uris),
+            scope: (0, sequelize_utils_js_1.decodeStringArray)(model.scope),
+            metadata: parseMetadata(model.metadata),
+            firstParty: model.first_party ?? false
+        };
+    }
+    toAuthCode(model) {
+        return {
+            code: model.code,
+            clientId: model.client_id,
+            userId: String(model.user_id),
+            redirectUri: model.redirect_uri,
+            scope: (0, sequelize_utils_js_1.decodeStringArray)(model.scope),
+            codeChallenge: model.code_challenge ?? undefined,
+            codeChallengeMethod: model.code_challenge_method ?? undefined,
+            expiresAt: model.expires,
+            metadata: parseMetadata(model.metadata)
+        };
+    }
+}
+exports.SequelizeOAuthStore = SequelizeOAuthStore;

package/dist/cjs/oauth/sequelize.d.ts

@@ -0,0 +1,30 @@
+import { OAuthStore, type AuthCode, type OAuthClient } from './base.js';
+import { OAuthClientModel, OAuthCodeModel } from './models.js';
+export interface SequelizeOAuthStoreOptions {
+    sequelize: import('sequelize').Sequelize;
+    tablePrefix?: string;
+    clientModel?: typeof OAuthClientModel;
+    codeModel?: typeof OAuthCodeModel;
+    clientModelFactory?: (sequelize: import('sequelize').Sequelize, options?: {
+        tablePrefix?: string;
+    }) => typeof OAuthClientModel;
+    codeModelFactory?: (sequelize: import('sequelize').Sequelize, options?: {
+        tablePrefix?: string;
+    }) => typeof OAuthCodeModel;
+    bcryptRounds?: number;
+}
+export { OAuthClientModel, OAuthCodeModel, initOAuthClientModel, initOAuthCodeModel, type OAuthClientAttributes, type OAuthClientCreationAttributes, type OAuthCodeAttributes, type OAuthCodeCreationAttributes } from './models.js';
+export declare class SequelizeOAuthStore extends OAuthStore {
+    private readonly clients;
+    private readonly codes;
+    private readonly bcryptRounds;
+    constructor(options: SequelizeOAuthStoreOptions);
+    getClient(clientId: string): Promise<OAuthClient | null>;
+    createClient(input: OAuthClient): Promise<OAuthClient>;
+    verifyClientSecret(clientId: string, clientSecret: string | null): Promise<boolean>;
+    createAuthCode(code: AuthCode): Promise<void>;
+    consumeAuthCode(code: string, clientId?: string): Promise<AuthCode | null>;
+    close(): Promise<void>;
+    private toOAuthClient;
+    private toAuthCode;
+}

package/dist/cjs/oauth/types.cjs

@@ -0,0 +1,3 @@
+"use strict";
+// OAuth-specific contracts kept alongside the OAuth module.
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cjs/oauth/types.d.ts

@@ -0,0 +1,51 @@
+import type { AuthIdentifier } from '../auth-api/types.js';
+export interface OAuthClient {
+    clientId: string;
+    clientSecret?: string;
+    hasSecret?: boolean;
+    firstParty?: boolean;
+    metadata?: Record<string, unknown>;
+    name?: string;
+    redirectUris: string[];
+    scope?: string[];
+}
+export interface AuthCodeData {
+    code: string;
+    clientId: string;
+    codeChallenge?: string;
+    codeChallengeMethod?: 'plain' | 'S256';
+    expiresAt: Date;
+    metadata?: Record<string, unknown>;
+    redirectUri?: string;
+    scope?: string[];
+    userId: AuthIdentifier;
+}
+export type AuthCode = AuthCodeData;
+export type AuthCodeRequest = Omit<AuthCodeData, 'code' | 'expiresAt'> & {
+    code?: string;
+    expiresInSeconds?: number;
+};
+export interface OAuthStartParams {
+    provider: string;
+    redirectUri?: string;
+    scope?: string | string[];
+    state?: string;
+    extras?: Record<string, unknown>;
+}
+export interface OAuthStartResult extends Record<string, unknown> {
+    url: string;
+    state?: string;
+    codeVerifier?: string;
+}
+export interface OAuthCallbackParams {
+    provider: string;
+    query: Record<string, string | string[]>;
+    body: Record<string, unknown>;
+}
+export interface OAuthCallbackResult<PublicUser> extends Record<string, unknown> {
+    user: PublicUser;
+    tokens?: {
+        accessToken: string;
+        refreshToken: string;
+    };
+}

package/dist/cjs/passkey/base.cjs

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PasskeyStore = void 0;
+/** Base contract for passkey credential/challenge persistence backends. */
+class PasskeyStore {
+}
+exports.PasskeyStore = PasskeyStore;

package/dist/cjs/passkey/base.d.ts

@@ -0,0 +1,28 @@
+import type { PasskeyChallengeRecord, PasskeyStorageAdapter, PasskeyUserDescriptor, StoredPasskeyCredential } from './types.js';
+import type { AuthIdentifier } from '../auth-api/types.js';
+/** Base contract for passkey credential/challenge persistence backends. */
+export declare abstract class PasskeyStore implements PasskeyStorageAdapter {
+    /** Resolve a passkey user descriptor by id/login. */
+    abstract resolveUser(params: {
+        userId?: AuthIdentifier;
+        login?: string;
+    }): Promise<PasskeyUserDescriptor | null>;
+    /** List passkey credentials for a user. */
+    abstract listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    /** Delete a credential by binary/base64url id. */
+    abstract deleteCredential(credentialId: Buffer | string): Promise<boolean>;
+    /** Find a credential by binary id. */
+    abstract findCredentialById(credentialId: Buffer): Promise<StoredPasskeyCredential | null>;
+    /** Save a credential record. */
+    abstract saveCredential(record: StoredPasskeyCredential): Promise<void>;
+    /** Update signature counter for a credential. */
+    abstract updateCredentialCounter(credentialId: Buffer, counter: number): Promise<void>;
+    /** Save a challenge record. */
+    abstract saveChallenge(record: PasskeyChallengeRecord): Promise<void>;
+    /** Read a challenge without consuming it. */
+    abstract getChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
+    /** Consume and return a challenge. */
+    abstract consumeChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
+    /** Cleanup expired challenges. */
+    abstract cleanupChallenges(now: Date): Promise<void>;
+}