@technomoron/apicore-server 1.0.0-beta.1

package/dist/cjs/passkey/config.cjs

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.normalizePasskeyConfig = normalizePasskeyConfig;
+const DEFAULT_PASSKEY_CONFIG = {
+    rpId: 'localhost',
+    rpName: 'API Server',
+    origins: ['http://localhost:5173'],
+    timeoutMs: 5 * 60 * 1000,
+    userVerification: 'preferred'
+};
+function isOriginString(origin) {
+    return typeof origin === 'string' && origin.trim().length > 0;
+}
+function normalizePasskeyConfig(config = {}) {
+    const candidateOrigins = Array.isArray(config.origins) && config.origins.length > 0 ? config.origins.filter(isOriginString) : null;
+    return {
+        rpId: config.rpId?.trim() || DEFAULT_PASSKEY_CONFIG.rpId,
+        rpName: config.rpName?.trim() || DEFAULT_PASSKEY_CONFIG.rpName,
+        origins: candidateOrigins ? candidateOrigins.map((origin) => origin.trim()) : DEFAULT_PASSKEY_CONFIG.origins,
+        timeoutMs: typeof config.timeoutMs === 'number' && config.timeoutMs > 0
+            ? config.timeoutMs
+            : DEFAULT_PASSKEY_CONFIG.timeoutMs,
+        userVerification: config.userVerification ?? DEFAULT_PASSKEY_CONFIG.userVerification,
+        debug: Boolean(config.debug)
+    };
+}

package/dist/cjs/passkey/config.d.ts

@@ -0,0 +1,2 @@
+import type { PasskeyServiceConfig } from './types.js';
+export declare function normalizePasskeyConfig(config?: Partial<PasskeyServiceConfig>): PasskeyServiceConfig;

package/dist/cjs/passkey/memory.cjs

@@ -0,0 +1,123 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MemoryPasskeyStore = void 0;
+const user_id_js_1 = require("../auth-api/user-id.cjs");
+const base_js_1 = require("./base.cjs");
+function encodeCredentialId(value) {
+    return Buffer.isBuffer(value) ? value.toString('base64') : value;
+}
+function cloneCredential(record) {
+    return {
+        ...record,
+        credentialId: Buffer.isBuffer(record.credentialId) ? Buffer.from(record.credentialId) : record.credentialId,
+        publicKey: Buffer.from(record.publicKey),
+        transports: record.transports ? [...record.transports] : undefined
+    };
+}
+class MemoryPasskeyStore extends base_js_1.PasskeyStore {
+    constructor(options) {
+        super();
+        this.credentials = new Map();
+        this.challenges = new Map();
+        this.resolveUserFn = options.resolveUser;
+        this.maxCredentials =
+            typeof options.maxCredentials === 'number' &&
+                Number.isFinite(options.maxCredentials) &&
+                options.maxCredentials > 0
+                ? Math.floor(options.maxCredentials)
+                : undefined;
+        this.maxChallenges =
+            typeof options.maxChallenges === 'number' &&
+                Number.isFinite(options.maxChallenges) &&
+                options.maxChallenges > 0
+                ? Math.floor(options.maxChallenges)
+                : undefined;
+    }
+    async resolveUser(params) {
+        return this.resolveUserFn(params);
+    }
+    async listUserCredentials(userId) {
+        const normalizedUserId = (0, user_id_js_1.normalizeComparableUserId)(userId);
+        return [...this.credentials.values()]
+            .filter((record) => (0, user_id_js_1.normalizeComparableUserId)(record.userId) === normalizedUserId)
+            .map((record) => cloneCredential(record));
+    }
+    async deleteCredential(credentialId) {
+        const key = encodeCredentialId(credentialId);
+        return this.credentials.delete(key);
+    }
+    async findCredentialById(credentialId) {
+        const record = this.credentials.get(encodeCredentialId(credentialId));
+        return record ? cloneCredential(record) : null;
+    }
+    async saveCredential(record) {
+        this.credentials.set(encodeCredentialId(record.credentialId), {
+            ...record,
+            userId: (0, user_id_js_1.normalizeComparableUserId)(record.userId),
+            credentialId: Buffer.isBuffer(record.credentialId) ? Buffer.from(record.credentialId) : record.credentialId,
+            transports: record.transports ? [...record.transports] : undefined
+        });
+        this.enforceCredentialCapacity();
+    }
+    async updateCredentialCounter(credentialId, counter) {
+        const key = encodeCredentialId(credentialId);
+        const existing = this.credentials.get(key);
+        if (existing) {
+            existing.counter = counter;
+        }
+    }
+    async saveChallenge(record) {
+        this.challenges.set(record.challenge, {
+            challenge: record.challenge,
+            action: record.action,
+            userId: record.userId !== undefined ? (0, user_id_js_1.normalizeComparableUserId)(record.userId) : undefined,
+            login: record.login ?? undefined,
+            expiresAt: record.expiresAt
+        });
+        this.enforceChallengeCapacity();
+    }
+    async getChallenge(challenge) {
+        const record = this.challenges.get(challenge);
+        return record ? { ...record } : null;
+    }
+    async consumeChallenge(challenge) {
+        const record = this.challenges.get(challenge);
+        if (!record) {
+            return null;
+        }
+        this.challenges.delete(challenge);
+        return { ...record };
+    }
+    async cleanupChallenges(now) {
+        for (const [challenge, record] of this.challenges.entries()) {
+            if (record.expiresAt && new Date(record.expiresAt) <= now) {
+                this.challenges.delete(challenge);
+            }
+        }
+    }
+    enforceCredentialCapacity() {
+        if (!this.maxCredentials) {
+            return;
+        }
+        while (this.credentials.size > this.maxCredentials) {
+            const oldest = this.credentials.keys().next().value;
+            if (!oldest) {
+                return;
+            }
+            this.credentials.delete(oldest);
+        }
+    }
+    enforceChallengeCapacity() {
+        if (!this.maxChallenges) {
+            return;
+        }
+        while (this.challenges.size > this.maxChallenges) {
+            const oldest = this.challenges.keys().next().value;
+            if (!oldest) {
+                return;
+            }
+            this.challenges.delete(oldest);
+        }
+    }
+}
+exports.MemoryPasskeyStore = MemoryPasskeyStore;

package/dist/cjs/passkey/memory.d.ts

@@ -0,0 +1,34 @@
+import { PasskeyStore } from './base.js';
+import type { PasskeyChallengeRecord, PasskeyUserDescriptor, StoredPasskeyCredential } from './types.js';
+import type { AuthIdentifier } from '../auth-api/types.js';
+export interface MemoryPasskeyStoreOptions {
+    resolveUser: (params: {
+        userId?: AuthIdentifier;
+        login?: string;
+    }) => Promise<PasskeyUserDescriptor | null>;
+    maxCredentials?: number;
+    maxChallenges?: number;
+}
+export declare class MemoryPasskeyStore extends PasskeyStore {
+    private readonly resolveUserFn;
+    private readonly credentials;
+    private readonly challenges;
+    private readonly maxCredentials?;
+    private readonly maxChallenges?;
+    constructor(options: MemoryPasskeyStoreOptions);
+    resolveUser(params: {
+        userId?: AuthIdentifier;
+        login?: string;
+    }): Promise<PasskeyUserDescriptor | null>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deleteCredential(credentialId: Buffer | string): Promise<boolean>;
+    findCredentialById(credentialId: Buffer): Promise<StoredPasskeyCredential | null>;
+    saveCredential(record: StoredPasskeyCredential): Promise<void>;
+    updateCredentialCounter(credentialId: Buffer, counter: number): Promise<void>;
+    saveChallenge(record: PasskeyChallengeRecord): Promise<void>;
+    getChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
+    consumeChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
+    cleanupChallenges(now: Date): Promise<void>;
+    private enforceCredentialCapacity;
+    private enforceChallengeCapacity;
+}

package/dist/cjs/passkey/models.cjs

@@ -0,0 +1,142 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PasskeyChallengeModel = exports.PasskeyCredentialModel = void 0;
+exports.initPasskeyCredentialModel = initPasskeyCredentialModel;
+exports.initPasskeyChallengeModel = initPasskeyChallengeModel;
+const sequelize_1 = require("sequelize");
+const sequelize_utils_js_1 = require("../sequelize-utils.cjs");
+class PasskeyCredentialModel extends sequelize_1.Model {
+}
+exports.PasskeyCredentialModel = PasskeyCredentialModel;
+class PasskeyChallengeModel extends sequelize_1.Model {
+}
+exports.PasskeyChallengeModel = PasskeyChallengeModel;
+function initPasskeyCredentialModel(sequelize, options = {}) {
+    const idType = (0, sequelize_utils_js_1.integerIdType)(sequelize);
+    return PasskeyCredentialModel.init({
+        credentialId: {
+            field: 'credential_id',
+            type: sequelize_1.DataTypes.STRING(768),
+            primaryKey: true,
+            allowNull: false,
+            get() {
+                const raw = this.getDataValue('credentialId');
+                if (!raw) {
+                    return raw;
+                }
+                if (Buffer.isBuffer(raw)) {
+                    return raw;
+                }
+                return Buffer.from(raw, 'base64');
+            },
+            set(value) {
+                const encoded = typeof value === 'string' ? value : value.toString('base64');
+                this.setDataValue('credentialId', encoded);
+            }
+        },
+        userId: {
+            field: 'user_id',
+            type: idType,
+            allowNull: false
+        },
+        publicKey: {
+            field: 'public_key',
+            type: sequelize_1.DataTypes.BLOB,
+            allowNull: false
+        },
+        counter: {
+            type: sequelize_1.DataTypes.INTEGER,
+            allowNull: false,
+            defaultValue: 0
+        },
+        transports: {
+            type: sequelize_1.DataTypes.JSON,
+            allowNull: true
+        },
+        backedUp: {
+            field: 'backed_up',
+            type: sequelize_1.DataTypes.BOOLEAN,
+            allowNull: false,
+            defaultValue: false
+        },
+        deviceType: {
+            field: 'device_type',
+            type: sequelize_1.DataTypes.STRING(32),
+            allowNull: false,
+            defaultValue: 'multiDevice'
+        },
+        label: {
+            type: sequelize_1.DataTypes.STRING(120),
+            allowNull: true
+        },
+        createdDomain: {
+            field: 'created_domain',
+            type: sequelize_1.DataTypes.STRING(255),
+            allowNull: true
+        },
+        createdUserAgent: {
+            field: 'created_user_agent',
+            type: sequelize_1.DataTypes.TEXT,
+            allowNull: true
+        },
+        createdBrowser: {
+            field: 'created_browser',
+            type: sequelize_1.DataTypes.STRING(120),
+            allowNull: true
+        },
+        createdOs: {
+            field: 'created_os',
+            type: sequelize_1.DataTypes.STRING(120),
+            allowNull: true
+        },
+        createdDevice: {
+            field: 'created_device',
+            type: sequelize_1.DataTypes.STRING(120),
+            allowNull: true
+        },
+        createdIp: {
+            field: 'created_ip',
+            type: sequelize_1.DataTypes.STRING(45),
+            allowNull: true
+        }
+    }, {
+        sequelize,
+        tableName: (0, sequelize_utils_js_1.applyTablePrefix)(options.tablePrefix, 'passkey_credentials'),
+        timestamps: true,
+        underscored: true
+    });
+}
+function initPasskeyChallengeModel(sequelize, options = {}) {
+    const idType = (0, sequelize_utils_js_1.integerIdType)(sequelize);
+    return PasskeyChallengeModel.init({
+        challenge: {
+            type: sequelize_1.DataTypes.STRING(255),
+            primaryKey: true,
+            allowNull: false
+        },
+        action: {
+            type: sequelize_1.DataTypes.STRING(16),
+            allowNull: false
+        },
+        userId: {
+            field: 'user_id',
+            type: idType,
+            allowNull: true
+        },
+        login: {
+            type: sequelize_1.DataTypes.STRING(128),
+            allowNull: true
+        },
+        expiresAt: {
+            field: 'expires_at',
+            type: sequelize_1.DataTypes.DATE,
+            allowNull: false
+        }
+    }, {
+        sequelize,
+        tableName: (0, sequelize_utils_js_1.applyTablePrefix)(options.tablePrefix, 'passkey_challenges'),
+        timestamps: true,
+        underscored: true,
+        indexes: [{ fields: ['expires_at'] }, { fields: ['user_id'] }]
+    });
+}

package/dist/cjs/passkey/models.d.ts

@@ -0,0 +1,34 @@
+import { Model, type InferAttributes, type InferCreationAttributes, type ModelStatic, type Sequelize } from 'sequelize';
+export declare class PasskeyCredentialModel extends Model<InferAttributes<PasskeyCredentialModel>, InferCreationAttributes<PasskeyCredentialModel>> {
+    credentialId: Buffer;
+    userId: number;
+    publicKey: Buffer;
+    counter: number;
+    transports: string[] | null;
+    backedUp: boolean;
+    deviceType: string;
+    label: string | null;
+    createdDomain: string | null;
+    createdUserAgent: string | null;
+    createdBrowser: string | null;
+    createdOs: string | null;
+    createdDevice: string | null;
+    createdIp: string | null;
+    createdAt?: Date;
+    updatedAt?: Date;
+}
+export declare class PasskeyChallengeModel extends Model<InferAttributes<PasskeyChallengeModel>, InferCreationAttributes<PasskeyChallengeModel>> {
+    challenge: string;
+    action: 'register' | 'authenticate';
+    userId: number | null;
+    login: string | null;
+    expiresAt: Date;
+    createdAt?: Date;
+    updatedAt?: Date;
+}
+export declare function initPasskeyCredentialModel(sequelize: Sequelize, options?: {
+    tablePrefix?: string;
+}): ModelStatic<PasskeyCredentialModel>;
+export declare function initPasskeyChallengeModel(sequelize: Sequelize, options?: {
+    tablePrefix?: string;
+}): ModelStatic<PasskeyChallengeModel>;

package/dist/cjs/passkey/sequelize.cjs

@@ -0,0 +1,126 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SequelizePasskeyStore = void 0;
+const sequelize_1 = require("sequelize");
+const user_id_js_1 = require("../auth-api/user-id.cjs");
+const base_js_1 = require("./base.cjs");
+const models_js_1 = require("./models.cjs");
+function encodeCredentialId(value) {
+    return Buffer.isBuffer(value) ? value.toString('base64') : value;
+}
+class SequelizePasskeyStore extends base_js_1.PasskeyStore {
+    constructor(options) {
+        super();
+        if (!options?.sequelize) {
+            throw new Error('SequelizePasskeyStore requires an initialised Sequelize instance');
+        }
+        this.resolveUserFn = options.resolveUser;
+        this.credentials =
+            options.credentialModel ??
+                (options.credentialModelFactory ?? models_js_1.initPasskeyCredentialModel)(options.sequelize, {
+                    tablePrefix: options.tablePrefix
+                });
+        this.challenges =
+            options.challengeModel ??
+                (options.challengeModelFactory ?? models_js_1.initPasskeyChallengeModel)(options.sequelize, {
+                    tablePrefix: options.tablePrefix
+                });
+    }
+    async resolveUser(params) {
+        return this.resolveUserFn(params);
+    }
+    async listUserCredentials(userId) {
+        const models = await this.credentials.findAll({ where: { userId: (0, user_id_js_1.normalizeNumericUserId)(userId) } });
+        return models.map((model) => this.toStoredCredential(model));
+    }
+    async deleteCredential(credentialId) {
+        const encoded = Buffer.isBuffer(credentialId) ? credentialId.toString('base64') : credentialId;
+        const deleted = await this.credentials.destroy({ where: { credentialId: encoded } });
+        return deleted > 0;
+    }
+    async findCredentialById(credentialId) {
+        const model = await this.credentials.findByPk(encodeCredentialId(credentialId));
+        return model ? this.toStoredCredential(model) : null;
+    }
+    async saveCredential(record) {
+        await this.credentials.upsert({
+            credentialId: record.credentialId,
+            userId: (0, user_id_js_1.normalizeNumericUserId)(record.userId),
+            publicKey: record.publicKey,
+            counter: record.counter,
+            transports: record.transports ?? null,
+            backedUp: record.backedUp,
+            deviceType: record.deviceType,
+            label: record.label ?? null,
+            createdDomain: record.createdDomain ?? null,
+            createdUserAgent: record.createdUserAgent ?? null,
+            createdBrowser: record.createdBrowser ?? null,
+            createdOs: record.createdOs ?? null,
+            createdDevice: record.createdDevice ?? null,
+            createdIp: record.createdIp ?? null
+        });
+    }
+    async updateCredentialCounter(credentialId, counter) {
+        await this.credentials.update({ counter }, { where: { credentialId: encodeCredentialId(credentialId) } });
+    }
+    async saveChallenge(record) {
+        await this.challenges.upsert({
+            challenge: record.challenge,
+            action: record.action,
+            userId: record.userId !== undefined ? (0, user_id_js_1.normalizeNumericUserId)(record.userId) : null,
+            login: record.login ?? null,
+            expiresAt: record.expiresAt
+        });
+    }
+    async getChallenge(challenge) {
+        const model = await this.challenges.findByPk(challenge);
+        return model ? this.toChallengeRecord(model) : null;
+    }
+    async consumeChallenge(challenge) {
+        const sequelize = this.challenges.sequelize;
+        if (!sequelize) {
+            throw new Error('Challenge model is not bound to a Sequelize instance');
+        }
+        return sequelize.transaction({ isolationLevel: sequelize_1.Transaction.ISOLATION_LEVELS.READ_COMMITTED }, async (transaction) => {
+            const model = await this.challenges.findByPk(challenge, { transaction, lock: true });
+            if (!model) {
+                return null;
+            }
+            await model.destroy({ transaction });
+            return this.toChallengeRecord(model);
+        });
+    }
+    async cleanupChallenges(now) {
+        await this.challenges.destroy({ where: { expiresAt: { [sequelize_1.Op.lte]: now } } });
+    }
+    toChallengeRecord(model) {
+        return {
+            challenge: model.challenge,
+            action: model.action,
+            userId: model.userId !== null ? String(model.userId) : undefined,
+            login: model.login ?? undefined,
+            expiresAt: model.expiresAt
+        };
+    }
+    toStoredCredential(model) {
+        return {
+            userId: String(model.userId),
+            credentialId: model.credentialId,
+            publicKey: model.publicKey,
+            counter: model.counter,
+            transports: (model.transports ?? undefined),
+            backedUp: model.backedUp,
+            deviceType: model.deviceType,
+            label: model.label ?? undefined,
+            createdDomain: model.createdDomain ?? undefined,
+            createdUserAgent: model.createdUserAgent ?? undefined,
+            createdBrowser: model.createdBrowser ?? undefined,
+            createdOs: model.createdOs ?? undefined,
+            createdDevice: model.createdDevice ?? undefined,
+            createdIp: model.createdIp ?? undefined,
+            createdAt: model.createdAt ?? undefined,
+            updatedAt: model.updatedAt ?? undefined
+        };
+    }
+}
+exports.SequelizePasskeyStore = SequelizePasskeyStore;

package/dist/cjs/passkey/sequelize.d.ts

@@ -0,0 +1,42 @@
+import { type ModelStatic, type Sequelize } from 'sequelize';
+import { PasskeyStore } from './base.js';
+import { PasskeyChallengeModel, PasskeyCredentialModel } from './models.js';
+import type { PasskeyChallengeRecord, PasskeyUserDescriptor, StoredPasskeyCredential } from './types.js';
+import type { AuthIdentifier } from '../auth-api/types.js';
+export interface SequelizePasskeyStoreOptions {
+    sequelize: Sequelize;
+    tablePrefix?: string;
+    credentialModel?: ModelStatic<PasskeyCredentialModel>;
+    challengeModel?: ModelStatic<PasskeyChallengeModel>;
+    credentialModelFactory?: (sequelize: Sequelize, options?: {
+        tablePrefix?: string;
+    }) => ModelStatic<PasskeyCredentialModel>;
+    challengeModelFactory?: (sequelize: Sequelize, options?: {
+        tablePrefix?: string;
+    }) => ModelStatic<PasskeyChallengeModel>;
+    resolveUser: (params: {
+        userId?: AuthIdentifier;
+        login?: string;
+    }) => Promise<PasskeyUserDescriptor | null>;
+}
+export declare class SequelizePasskeyStore extends PasskeyStore {
+    private readonly resolveUserFn;
+    private readonly credentials;
+    private readonly challenges;
+    constructor(options: SequelizePasskeyStoreOptions);
+    resolveUser(params: {
+        userId?: AuthIdentifier;
+        login?: string;
+    }): Promise<PasskeyUserDescriptor | null>;
+    listUserCredentials(userId: AuthIdentifier): Promise<StoredPasskeyCredential[]>;
+    deleteCredential(credentialId: Buffer | string): Promise<boolean>;
+    findCredentialById(credentialId: Buffer): Promise<StoredPasskeyCredential | null>;
+    saveCredential(record: StoredPasskeyCredential): Promise<void>;
+    updateCredentialCounter(credentialId: Buffer, counter: number): Promise<void>;
+    saveChallenge(record: PasskeyChallengeRecord): Promise<void>;
+    getChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
+    consumeChallenge(challenge: string): Promise<PasskeyChallengeRecord | null>;
+    cleanupChallenges(now: Date): Promise<void>;
+    private toChallengeRecord;
+    private toStoredCredential;
+}