@xtr-dev/rondevu-server 0.5.0 → 0.5.6

package/src/storage/d1.ts

@@ -4,41 +4,41 @@ import {
   Offer,
   IceCandidate,
   CreateOfferRequest,
-  Username,
-  ClaimUsernameRequest,
-  Service,
-  CreateServiceRequest,
+  Credential,
+  GenerateCredentialsRequest,
 } from './types.ts';
 import { generateOfferHash } from './hash-id.ts';
-import { parseServiceFqn } from '../crypto.ts';
 
 const YEAR_IN_MS = 365 * 24 * 60 * 60 * 1000; // 365 days
 
 /**
- * D1 storage adapter for rondevu DNS-like system using Cloudflare D1
+ * D1 storage adapter for rondevu signaling system using Cloudflare D1
  */
 export class D1Storage implements Storage {
   private db: D1Database;
+  private masterEncryptionKey: string;
 
   /**
    * Creates a new D1 storage instance
    * @param db D1Database instance from Cloudflare Workers environment
+   * @param masterEncryptionKey 64-char hex string for encrypting secrets (32 bytes)
    */
-  constructor(db: D1Database) {
+  constructor(db: D1Database, masterEncryptionKey: string) {
     this.db = db;
+    this.masterEncryptionKey = masterEncryptionKey;
   }
 
   /**
-   * Initializes database schema with username and service-based structure
+   * Initializes database schema with tags-based offers
    * This should be run once during setup, not on every request
    */
   async initializeDatabase(): Promise<void> {
     await this.db.exec(`
-      -- WebRTC signaling offers
+      -- WebRTC signaling offers with tags
       CREATE TABLE IF NOT EXISTS offers (
         id TEXT PRIMARY KEY,
         username TEXT NOT NULL,
-        service_id TEXT,
+        tags TEXT NOT NULL,
         sdp TEXT NOT NULL,
         created_at INTEGER NOT NULL,
         expires_at INTEGER NOT NULL,
@@ -49,7 +49,6 @@ export class D1Storage implements Storage {
       );
 
       CREATE INDEX IF NOT EXISTS idx_offers_username ON offers(username);
-      CREATE INDEX IF NOT EXISTS idx_offers_service ON offers(service_id);
       CREATE INDEX IF NOT EXISTS idx_offers_expires ON offers(expires_at);
       CREATE INDEX IF NOT EXISTS idx_offers_last_seen ON offers(last_seen);
       CREATE INDEX IF NOT EXISTS idx_offers_answerer ON offers(answerer_username);
@@ -69,37 +68,35 @@ export class D1Storage implements Storage {
       CREATE INDEX IF NOT EXISTS idx_ice_username ON ice_candidates(username);
       CREATE INDEX IF NOT EXISTS idx_ice_created ON ice_candidates(created_at);
 
-      -- Usernames table
-      CREATE TABLE IF NOT EXISTS usernames (
-        username TEXT PRIMARY KEY,
-        public_key TEXT NOT NULL UNIQUE,
-        claimed_at INTEGER NOT NULL,
+      -- Credentials table (replaces usernames with simpler name + secret auth)
+      CREATE TABLE IF NOT EXISTS credentials (
+        name TEXT PRIMARY KEY,
+        secret TEXT NOT NULL UNIQUE,
+        created_at INTEGER NOT NULL,
         expires_at INTEGER NOT NULL,
         last_used INTEGER NOT NULL,
-        metadata TEXT,
-        CHECK(length(username) >= 3 AND length(username) <= 32)
+        CHECK(length(name) >= 3 AND length(name) <= 32)
       );
 
-      CREATE INDEX IF NOT EXISTS idx_usernames_expires ON usernames(expires_at);
-      CREATE INDEX IF NOT EXISTS idx_usernames_public_key ON usernames(public_key);
+      CREATE INDEX IF NOT EXISTS idx_credentials_expires ON credentials(expires_at);
+      CREATE INDEX IF NOT EXISTS idx_credentials_secret ON credentials(secret);
 
-      -- Services table (new schema with extracted fields for discovery)
-      CREATE TABLE IF NOT EXISTS services (
-        id TEXT PRIMARY KEY,
-        service_fqn TEXT NOT NULL,
-        service_name TEXT NOT NULL,
-        version TEXT NOT NULL,
-        username TEXT NOT NULL,
-        created_at INTEGER NOT NULL,
-        expires_at INTEGER NOT NULL,
-        FOREIGN KEY (username) REFERENCES usernames(username) ON DELETE CASCADE,
-        UNIQUE(service_fqn)
+      -- Rate limits table (for distributed rate limiting)
+      CREATE TABLE IF NOT EXISTS rate_limits (
+        identifier TEXT PRIMARY KEY,
+        count INTEGER NOT NULL,
+        reset_time INTEGER NOT NULL
+      );
+
+      CREATE INDEX IF NOT EXISTS idx_rate_limits_reset ON rate_limits(reset_time);
+
+      -- Nonces table (for replay attack prevention)
+      CREATE TABLE IF NOT EXISTS nonces (
+        nonce_key TEXT PRIMARY KEY,
+        expires_at INTEGER NOT NULL
       );
 
-      CREATE INDEX IF NOT EXISTS idx_services_fqn ON services(service_fqn);
-      CREATE INDEX IF NOT EXISTS idx_services_discovery ON services(service_name, version);
-      CREATE INDEX IF NOT EXISTS idx_services_username ON services(username);
-      CREATE INDEX IF NOT EXISTS idx_services_expires ON services(expires_at);
+      CREATE INDEX IF NOT EXISTS idx_nonces_expires ON nonces(expires_at);
     `);
   }
 
@@ -114,15 +111,14 @@ export class D1Storage implements Storage {
       const now = Date.now();
 
       await this.db.prepare(`
-        INSERT INTO offers (id, username, service_id, sdp, created_at, expires_at, last_seen)
+        INSERT INTO offers (id, username, tags, sdp, created_at, expires_at, last_seen)
         VALUES (?, ?, ?, ?, ?, ?, ?)
-      `).bind(id, offer.username, offer.serviceId || null, offer.sdp, now, offer.expiresAt, now).run();
+      `).bind(id, offer.username, JSON.stringify(offer.tags), offer.sdp, now, offer.expiresAt, now).run();
 
       created.push({
         id,
         username: offer.username,
-        serviceId: offer.serviceId,
-        serviceFqn: offer.serviceFqn,
+        tags: offer.tags,
         sdp: offer.sdp,
         createdAt: now,
         expiresAt: offer.expiresAt,
@@ -231,6 +227,94 @@ export class D1Storage implements Storage {
     return result.results.map(row => this.rowToOffer(row as any));
   }
 
+  async getOffersAnsweredBy(answererUsername: string): Promise<Offer[]> {
+    const result = await this.db.prepare(`
+      SELECT * FROM offers
+      WHERE answerer_username = ? AND expires_at > ?
+      ORDER BY answered_at DESC
+    `).bind(answererUsername, Date.now()).all();
+
+    if (!result.results) {
+      return [];
+    }
+
+    return result.results.map(row => this.rowToOffer(row as any));
+  }
+
+  // ===== Discovery =====
+
+  async discoverOffers(
+    tags: string[],
+    excludeUsername: string | null,
+    limit: number,
+    offset: number
+  ): Promise<Offer[]> {
+    if (tags.length === 0) {
+      return [];
+    }
+
+    // Build query with JSON tag matching (OR logic)
+    // D1/SQLite: Use json_each() to expand tags array and check if any tag matches
+    const placeholders = tags.map(() => '?').join(',');
+
+    let query = `
+      SELECT DISTINCT o.* FROM offers o, json_each(o.tags) as t
+      WHERE t.value IN (${placeholders})
+        AND o.expires_at > ?
+        AND o.answerer_username IS NULL
+    `;
+
+    const params: any[] = [...tags, Date.now()];
+
+    if (excludeUsername) {
+      query += ' AND o.username != ?';
+      params.push(excludeUsername);
+    }
+
+    query += ' ORDER BY o.created_at DESC LIMIT ? OFFSET ?';
+    params.push(limit, offset);
+
+    const result = await this.db.prepare(query).bind(...params).all();
+
+    if (!result.results) {
+      return [];
+    }
+
+    return result.results.map(row => this.rowToOffer(row as any));
+  }
+
+  async getRandomOffer(
+    tags: string[],
+    excludeUsername: string | null
+  ): Promise<Offer | null> {
+    if (tags.length === 0) {
+      return null;
+    }
+
+    // Build query with JSON tag matching (OR logic)
+    const placeholders = tags.map(() => '?').join(',');
+
+    let query = `
+      SELECT DISTINCT o.* FROM offers o, json_each(o.tags) as t
+      WHERE t.value IN (${placeholders})
+        AND o.expires_at > ?
+        AND o.answerer_username IS NULL
+    `;
+
+    const params: any[] = [...tags, Date.now()];
+
+    if (excludeUsername) {
+      query += ' AND o.username != ?';
+      params.push(excludeUsername);
+    }
+
+    query += ' ORDER BY RANDOM() LIMIT 1';
+
+    const result = await this.db.prepare(query).bind(...params).first();
+
+    return result ? this.rowToOffer(result as any) : null;
+  }
+
   // ===== ICE Candidate Management =====
 
   async addIceCandidates(
@@ -292,270 +376,251 @@ export class D1Storage implements Storage {
     }));
   }
 
-  // ===== Username Management =====
-
-  async claimUsername(request: ClaimUsernameRequest): Promise<Username> {
-    const now = Date.now();
-    const expiresAt = now + YEAR_IN_MS;
+  async getIceCandidatesForMultipleOffers(
+    offerIds: string[],
+    username: string,
+    since?: number
+  ): Promise<Map<string, IceCandidate[]>> {
+    const result = new Map<string, IceCandidate[]>();
 
-    try {
-      // Try to insert or update
-      const result = await this.db.prepare(`
-        INSERT INTO usernames (username, public_key, claimed_at, expires_at, last_used, metadata)
-        VALUES (?, ?, ?, ?, ?, NULL)
-        ON CONFLICT(username) DO UPDATE SET
-          expires_at = ?,
-          last_used = ?
-        WHERE public_key = ?
-      `).bind(
-        request.username,
-        request.publicKey,
-        now,
-        expiresAt,
-        now,
-        expiresAt,
-        now,
-        request.publicKey
-      ).run();
+    // Return empty map if no offer IDs provided
+    if (offerIds.length === 0) {
+      return result;
+    }
 
-      if ((result.meta.changes || 0) === 0) {
-        throw new Error('Username already claimed by different public key');
-      }
+    // Validate array contains only strings
+    if (!Array.isArray(offerIds) || !offerIds.every(id => typeof id === 'string')) {
+      throw new Error('Invalid offer IDs: must be array of strings');
+    }
 
-      return {
-        username: request.username,
-        publicKey: request.publicKey,
-        claimedAt: now,
-        expiresAt,
-        lastUsed: now,
-      };
-    } catch (err: any) {
-      // Handle UNIQUE constraint on public_key
-      if (err.message?.includes('UNIQUE constraint failed: usernames.public_key')) {
-        throw new Error('This public key has already claimed a different username');
-      }
-      throw err;
+    // Prevent DoS attacks from extremely large IN clauses
+    if (offerIds.length > 1000) {
+      throw new Error('Too many offer IDs (max 1000)');
     }
-  }
 
-  async getUsername(username: string): Promise<Username | null> {
-    const result = await this.db.prepare(`
-      SELECT * FROM usernames
-      WHERE username = ? AND expires_at > ?
-    `).bind(username, Date.now()).first();
+    // Build query that fetches candidates from the OTHER peer only
+    const placeholders = offerIds.map(() => '?').join(',');
 
-    if (!result) {
-      return null;
+    let query = `
+      SELECT ic.*, o.username as offer_username
+      FROM ice_candidates ic
+      INNER JOIN offers o ON o.id = ic.offer_id
+      WHERE ic.offer_id IN (${placeholders})
+      AND (
+        (o.username = ? AND ic.role = 'answerer')
+        OR (o.answerer_username = ? AND ic.role = 'offerer')
+      )
+    `;
+
+    const params: any[] = [...offerIds, username, username];
+
+    if (since !== undefined) {
+      query += ' AND ic.created_at > ?';
+      params.push(since);
     }
 
-    const row = result as any;
+    query += ' ORDER BY ic.created_at ASC';
 
-    return {
-      username: row.username,
-      publicKey: row.public_key,
-      claimedAt: row.claimed_at,
-      expiresAt: row.expires_at,
-      lastUsed: row.last_used,
-      metadata: row.metadata || undefined,
-    };
-  }
+    const queryResult = await this.db.prepare(query).bind(...params).all();
 
+    if (!queryResult.results) {
+      return result;
+    }
 
-  async deleteExpiredUsernames(now: number): Promise<number> {
-    const result = await this.db.prepare(`
-      DELETE FROM usernames WHERE expires_at < ?
-    `).bind(now).run();
+    // Group candidates by offer_id
+    for (const row of queryResult.results as any[]) {
+      const candidate: IceCandidate = {
+        id: row.id,
+        offerId: row.offer_id,
+        username: row.username,
+        role: row.role,
+        candidate: JSON.parse(row.candidate),
+        createdAt: row.created_at,
+      };
 
-    return result.meta.changes || 0;
+      if (!result.has(row.offer_id)) {
+        result.set(row.offer_id, []);
+      }
+      result.get(row.offer_id)!.push(candidate);
+    }
+
+    return result;
   }
 
-  // ===== Service Management =====
+  // ===== Credential Management =====
 
-  async createService(request: CreateServiceRequest): Promise<{
-    service: Service;
-    offers: Offer[];
-  }> {
-    const serviceId = crypto.randomUUID();
+  async generateCredentials(request: GenerateCredentialsRequest): Promise<Credential> {
     const now = Date.now();
+    const expiresAt = request.expiresAt || (now + YEAR_IN_MS);
 
-    // Parse FQN to extract components
-    const parsed = parseServiceFqn(request.serviceFqn);
-    if (!parsed) {
-      throw new Error(`Invalid service FQN: ${request.serviceFqn}`);
-    }
-    if (!parsed.username) {
-      throw new Error(`Service FQN must include username: ${request.serviceFqn}`);
-    }
+    const { generateCredentialName, generateSecret } = await import('../crypto.ts');
 
-    const { serviceName, version, username } = parsed;
+    let name: string;
 
-    // Delete existing service with same (service_name, version, username) and its related offers (upsert behavior)
-    // First get the existing service
-    const existingService = await this.db.prepare(`
-      SELECT id FROM services
-      WHERE service_name = ? AND version = ? AND username = ?
-    `).bind(serviceName, version, username).first();
+    if (request.name) {
+      // User requested specific username - check if available
+      const existing = await this.db.prepare(`
+        SELECT name FROM credentials WHERE name = ?
+      `).bind(request.name).first();
 
-    if (existingService) {
-      // Delete related offers first (no FK cascade from offers to services)
-      await this.db.prepare(`
-        DELETE FROM offers WHERE service_id = ?
-      `).bind(existingService.id).run();
+      if (existing) {
+        throw new Error('Username already taken');
+      }
 
-      // Delete the service
-      await this.db.prepare(`
-        DELETE FROM services WHERE id = ?
-      `).bind(existingService.id).run();
-    }
+      name = request.name;
+    } else {
+      // Generate random name - retry until unique
+      let attempts = 0;
+      const maxAttempts = 100;
 
-    // Insert new service with extracted fields
-    await this.db.prepare(`
-      INSERT INTO services (id, service_fqn, service_name, version, username, created_at, expires_at)
-      VALUES (?, ?, ?, ?, ?, ?, ?)
-    `).bind(
-      serviceId,
-      request.serviceFqn,
-      serviceName,
-      version,
-      username,
-      now,
-      request.expiresAt
-    ).run();
-
-    // Create offers with serviceId
-    const offerRequests = request.offers.map(offer => ({
-      ...offer,
-      serviceId,
-    }));
-    const offers = await this.createOffers(offerRequests);
+      while (attempts < maxAttempts) {
+        name = generateCredentialName();
 
-    // Touch username to extend expiry (inline logic)
-    const expiresAt = now + YEAR_IN_MS;
-    await this.db.prepare(`
-      UPDATE usernames
-      SET last_used = ?, expires_at = ?
-      WHERE username = ? AND expires_at > ?
-    `).bind(now, expiresAt, username, now).run();
-
-    return {
-      service: {
-        id: serviceId,
-        serviceFqn: request.serviceFqn,
-        serviceName,
-        version,
-        username,
-        createdAt: now,
-        expiresAt: request.expiresAt,
-      },
-      offers,
-    };
-  }
+        const existing = await this.db.prepare(`
+          SELECT name FROM credentials WHERE name = ?
+        `).bind(name).first();
 
+        if (!existing) {
+          break;
+        }
 
-  async getOffersForService(serviceId: string): Promise<Offer[]> {
-    const result = await this.db.prepare(`
-      SELECT * FROM offers
-      WHERE service_id = ? AND expires_at > ?
-      ORDER BY created_at ASC
-    `).bind(serviceId, Date.now()).all();
+        attempts++;
+      }
 
-    if (!result.results) {
-      return [];
+      if (attempts >= maxAttempts) {
+        throw new Error(`Failed to generate unique credential name after ${maxAttempts} attempts`);
+      }
     }
 
-    return result.results.map(row => this.rowToOffer(row as any));
+    const secret = generateSecret();
+
+    // Encrypt secret before storing (AES-256-GCM)
+    const { encryptSecret } = await import('../crypto.ts');
+    const encryptedSecret = await encryptSecret(secret, this.masterEncryptionKey);
+
+    // Insert credential with encrypted secret
+    await this.db.prepare(`
+      INSERT INTO credentials (name, secret, created_at, expires_at, last_used)
+      VALUES (?, ?, ?, ?, ?)
+    `).bind(name!, encryptedSecret, now, expiresAt, now).run();
+
+    // Return plaintext secret to user (only time they'll see it)
+    return {
+      name: name!,
+      secret, // Return plaintext secret, not encrypted
+      createdAt: now,
+      expiresAt,
+      lastUsed: now,
+    };
   }
 
-  async getServiceById(serviceId: string): Promise<Service | null> {
+  async getCredential(name: string): Promise<Credential | null> {
     const result = await this.db.prepare(`
-      SELECT * FROM services
-      WHERE id = ? AND expires_at > ?
-    `).bind(serviceId, Date.now()).first();
+      SELECT * FROM credentials
+      WHERE name = ? AND expires_at > ?
+    `).bind(name, Date.now()).first();
 
     if (!result) {
       return null;
     }
 
-    return this.rowToService(result as any);
-  }
+    const row = result as any;
 
-  async getServiceByFqn(serviceFqn: string): Promise<Service | null> {
-    const result = await this.db.prepare(`
-      SELECT * FROM services
-      WHERE service_fqn = ? AND expires_at > ?
-    `).bind(serviceFqn, Date.now()).first();
+    // Decrypt secret before returning
+    // If decryption fails (e.g., master key rotated), treat as credential not found
+    try {
+      const { decryptSecret } = await import('../crypto.ts');
+      const decryptedSecret = await decryptSecret(row.secret, this.masterEncryptionKey);
 
-    if (!result) {
-      return null;
+      return {
+        name: row.name,
+        secret: decryptedSecret, // Return decrypted secret
+        createdAt: row.created_at,
+        expiresAt: row.expires_at,
+        lastUsed: row.last_used,
+      };
+    } catch (error) {
+      console.error(`Failed to decrypt secret for credential '${name}':`, error);
+      return null; // Treat as credential not found (fail-safe behavior)
     }
+  }
 
-    return this.rowToService(result as any);
+  async updateCredentialUsage(name: string, lastUsed: number, expiresAt: number): Promise<void> {
+    await this.db.prepare(`
+      UPDATE credentials
+      SET last_used = ?, expires_at = ?
+      WHERE name = ?
+    `).bind(lastUsed, expiresAt, name).run();
   }
 
+  async deleteExpiredCredentials(now: number): Promise<number> {
+    const result = await this.db.prepare(`
+      DELETE FROM credentials WHERE expires_at < ?
+    `).bind(now).run();
 
+    return result.meta.changes || 0;
+  }
 
+  // ===== Rate Limiting =====
 
+  async checkRateLimit(identifier: string, limit: number, windowMs: number): Promise<boolean> {
+    const now = Date.now();
+    const resetTime = now + windowMs;
 
-  async discoverServices(
-    serviceName: string,
-    version: string,
-    limit: number,
-    offset: number
-  ): Promise<Service[]> {
-    // Query for unique services with available offers
-    // We join with offers and filter for available ones (answerer_username IS NULL)
+    // Atomic UPSERT: Insert or increment count, reset if expired
+    // This prevents TOCTOU race conditions by doing check+increment in single operation
     const result = await this.db.prepare(`
-      SELECT DISTINCT s.* FROM services s
-      INNER JOIN offers o ON o.service_id = s.id
-      WHERE s.service_name = ?
-        AND s.version = ?
-        AND s.expires_at > ?
-        AND o.answerer_username IS NULL
-        AND o.expires_at > ?
-      ORDER BY s.created_at DESC
-      LIMIT ? OFFSET ?
-    `).bind(serviceName, version, Date.now(), Date.now(), limit, offset).all();
-
-    if (!result.results) {
-      return [];
-    }
-
-    return result.results.map(row => this.rowToService(row as any));
+      INSERT INTO rate_limits (identifier, count, reset_time)
+      VALUES (?, 1, ?)
+      ON CONFLICT(identifier) DO UPDATE SET
+        count = CASE
+          WHEN reset_time < ? THEN 1
+          ELSE count + 1
+        END,
+        reset_time = CASE
+          WHEN reset_time < ? THEN ?
+          ELSE reset_time
+        END
+      RETURNING count
+    `).bind(identifier, resetTime, now, now, resetTime).first() as { count: number } | null;
+
+    // Check if limit exceeded
+    return result ? result.count <= limit : false;
   }
 
-  async getRandomService(serviceName: string, version: string): Promise<Service | null> {
-    // Get a random service with an available offer
+  async deleteExpiredRateLimits(now: number): Promise<number> {
     const result = await this.db.prepare(`
-      SELECT s.* FROM services s
-      INNER JOIN offers o ON o.service_id = s.id
-      WHERE s.service_name = ?
-        AND s.version = ?
-        AND s.expires_at > ?
-        AND o.answerer_username IS NULL
-        AND o.expires_at > ?
-      ORDER BY RANDOM()
-      LIMIT 1
-    `).bind(serviceName, version, Date.now(), Date.now()).first();
-
-    if (!result) {
-      return null;
-    }
+      DELETE FROM rate_limits WHERE reset_time < ?
+    `).bind(now).run();
 
-    return this.rowToService(result as any);
+    return result.meta.changes || 0;
   }
 
-  async deleteService(serviceId: string, username: string): Promise<boolean> {
-    const result = await this.db.prepare(`
-      DELETE FROM services
-      WHERE id = ? AND username = ?
-    `).bind(serviceId, username).run();
+  // ===== Nonce Tracking (Replay Protection) =====
 
-    return (result.meta.changes || 0) > 0;
+  async checkAndMarkNonce(nonceKey: string, expiresAt: number): Promise<boolean> {
+    try {
+      // Atomic INSERT - if nonce already exists, this will fail with UNIQUE constraint
+      // This prevents replay attacks by ensuring each nonce is only used once
+      const result = await this.db.prepare(`
+        INSERT INTO nonces (nonce_key, expires_at)
+        VALUES (?, ?)
+      `).bind(nonceKey, expiresAt).run();
+
+      // D1 returns success=true if insert succeeded
+      return result.success;
+    } catch (error: any) {
+      // UNIQUE constraint violation means nonce already used (replay attack)
+      if (error?.message?.includes('UNIQUE constraint failed')) {
+        return false;
+      }
+      throw error; // Other errors should propagate
+    }
   }
 
-  async deleteExpiredServices(now: number): Promise<number> {
+  async deleteExpiredNonces(now: number): Promise<number> {
     const result = await this.db.prepare(`
-      DELETE FROM services WHERE expires_at < ?
+      DELETE FROM nonces WHERE expires_at < ?
     `).bind(now).run();
 
     return result.meta.changes || 0;
@@ -575,8 +640,7 @@ export class D1Storage implements Storage {
     return {
       id: row.id,
       username: row.username,
-      serviceId: row.service_id || undefined,
-      serviceFqn: row.service_fqn || undefined,
+      tags: JSON.parse(row.tags),
       sdp: row.sdp,
       createdAt: row.created_at,
       expiresAt: row.expires_at,
@@ -586,19 +650,4 @@ export class D1Storage implements Storage {
       answeredAt: row.answered_at || undefined,
     };
   }
-
-  /**
-   * Helper method to convert database row to Service object
-   */
-  private rowToService(row: any): Service {
-    return {
-      id: row.id,
-      serviceFqn: row.service_fqn,
-      serviceName: row.service_name,
-      version: row.version,
-      username: row.username,
-      createdAt: row.created_at,
-      expiresAt: row.expires_at,
-    };
-  }
 }