npm - @zintrust/core - Versions diffs - 0.1.42 → 0.1.44 - Mend

@zintrust/core 0.1.42 → 0.1.44

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (381) hide show

package/src/security/TokenRevocation.js CHANGED Viewed

@@ -1,57 +1,585 @@
+import { RemoteSignedJson } from '../common/RemoteSignedJson.js';
+import { Cloudflare } from '../config/cloudflare.js';
+import { Env } from '../config/env.js';
+import { Logger } from '../config/logger.js';
 import { securityConfig } from '../config/security.js';
+import { createRedisConnection } from '../config/workers.js';
+import { ErrorFactory } from '../exceptions/ZintrustError.js';
+import { useDatabase } from '../orm/Database.js';
 import { JwtManager } from './JwtManager.js';
-const revokedTokens = new Map();
+const DEFAULTS = {
+    driver: 'database',
+    dbConnection: 'default',
+    dbTable: 'zintrust_jwt_revocations',
+    redisPrefix: 'zt:jwt:revoked:',
+    kvBinding: 'CACHE',
+    kvRemoteNamespace: '',
+};
 const defaultTtlMs = Math.max(securityConfig.jwt.expiresIn * 1000, 60_000);
+const normalizeDriverName = (raw) => {
+    const value = typeof raw === 'string' ? raw.trim().toLowerCase() : '';
+    if (value === 'db' || value === 'database')
+        return 'database';
+    if (value === 'redis')
+        return 'redis';
+    if (value === 'kv')
+        return 'kv';
+    if (value === 'kv-remote' || value === 'kvremote')
+        return 'kv-remote';
+    if (value === 'memory' || value === 'mem')
+        return 'memory';
+    return DEFAULTS.driver;
+};
+const resolveSigningPrefix = (baseUrl) => {
+    try {
+        const parsed = new URL(baseUrl);
+        const path = parsed.pathname.endsWith('/') ? parsed.pathname.slice(0, -1) : parsed.pathname;
+        if (path === '' || path === '/')
+            return undefined;
+        return path;
+    }
+    catch {
+        return undefined;
+    }
+};
 const getBearerToken = (header) => {
     const value = Array.isArray(header) ? header[0] : header;
     if (typeof value !== 'string')
         return null;
-    const [scheme, token] = value.trim().split(' ');
-    if (scheme.toLowerCase() !== 'bearer')
+    const trimmed = value.trim();
+    if (trimmed === '')
         return null;
-    if (typeof token !== 'string' || token.trim() === '')
+    const [scheme, ...rest] = trimmed.split(/\s+/);
+    if (typeof scheme !== 'string' || scheme.toLowerCase() !== 'bearer')
         return null;
-    return token;
-};
-const cleanupExpired = () => {
-    const now = Date.now();
-    for (const [token, expiresAt] of revokedTokens.entries()) {
-        if (expiresAt <= now) {
-            revokedTokens.delete(token);
-        }
-    }
+    const token = rest.join(' ').trim();
+    return token === '' ? null : token;
 };
 const resolveExpiryMs = (token) => {
     try {
         const payload = JwtManager.create().decode(token);
-        if (typeof payload.exp === 'number' && Number.isFinite(payload.exp)) {
-            return payload.exp * 1000;
+        const expiresAtMs = typeof payload.exp === 'number' && Number.isFinite(payload.exp)
+            ? payload.exp * 1000
+            : Date.now() + defaultTtlMs;
+        const sub = typeof payload.sub === 'string' && payload.sub.trim() !== '' ? payload.sub : undefined;
+        const jti = typeof payload.jti === 'string' && payload.jti.trim() !== '' ? payload.jti : undefined;
+        return { expiresAtMs, sub, jti };
+    }
+    catch {
+        return { expiresAtMs: Date.now() + defaultTtlMs };
+    }
+};
+const resolveKey = (token) => {
+    const { expiresAtMs, sub, jti } = resolveExpiryMs(token);
+    return {
+        id: jti ?? token,
+        expiresAtMs,
+        sub,
+    };
+};
+const logWarnBestEffort = (message, meta) => {
+    const anyLogger = Logger;
+    if (typeof anyLogger.warn === 'function') {
+        anyLogger.warn(message, meta);
+        return;
+    }
+    if (typeof anyLogger.debug === 'function') {
+        anyLogger.debug(message, meta);
+        return;
+    }
+    if (typeof anyLogger.info === 'function') {
+        anyLogger.info(message, meta);
+    }
+};
+const createMemoryStore = () => {
+    const revoked = new Map();
+    const cleanupExpired = () => {
+        const now = Date.now();
+        for (const [id, expiresAtMs] of revoked.entries()) {
+            if (expiresAtMs <= now)
+                revoked.delete(id);
+        }
+    };
+    return {
+        async revoke(key) {
+            cleanupExpired();
+            revoked.set(key.id, key.expiresAtMs);
+            await Promise.resolve();
+        },
+        async isRevoked(id) {
+            cleanupExpired();
+            const expiresAtMs = revoked.get(id);
+            if (expiresAtMs === undefined)
+                return false;
+            if (expiresAtMs <= Date.now()) {
+                revoked.delete(id);
+                return false;
+            }
+            await Promise.resolve();
+            return true;
+        },
+    };
+};
+const createDatabaseStore = (params) => {
+    let checkCount = 0;
+    const maybeCleanup = async () => {
+        checkCount += 1;
+        if (checkCount % 250 !== 0)
+            return;
+        try {
+            const db = useDatabase(undefined, params.connection);
+            await db.table(params.table).where('expires_at_ms', '<=', Date.now()).delete();
         }
+        catch (error) {
+            Logger.debug('TokenRevocation database cleanup failed', {
+                error: error instanceof Error ? error.message : String(error),
+            });
+        }
+    };
+    return {
+        async revoke(key) {
+            const ttlMs = Math.max(0, key.expiresAtMs - Date.now());
+            if (ttlMs === 0)
+                return;
+            try {
+                const db = useDatabase(undefined, params.connection);
+                const existing = await db
+                    .table(params.table)
+                    .where('jti', '=', key.id)
+                    .first();
+                const payload = {
+                    jti: key.id,
+                    sub: key.sub ?? null,
+                    expires_at_ms: key.expiresAtMs,
+                };
+                if (existing) {
+                    await db.table(params.table).where('jti', '=', key.id).update(payload);
+                }
+                else {
+                    await db.table(params.table).insert(payload);
+                }
+            }
+            catch (error) {
+                logWarnBestEffort('TokenRevocation database revoke failed (token will not be revoked)', {
+                    error: error instanceof Error ? error.message : String(error),
+                    table: params.table,
+                });
+            }
+        },
+        async isRevoked(id) {
+            await maybeCleanup();
+            try {
+                const db = useDatabase(undefined, params.connection);
+                const row = await db
+                    .table(params.table)
+                    .where('jti', '=', id)
+                    .first();
+                if (!row)
+                    return false;
+                const expiresAt = row['expires_at_ms'];
+                const expiresAtMs = typeof expiresAt === 'number' ? expiresAt : Number(expiresAt);
+                if (!Number.isFinite(expiresAtMs))
+                    return true;
+                if (expiresAtMs <= Date.now()) {
+                    await db.table(params.table).where('jti', '=', id).delete();
+                    return false;
+                }
+                return true;
+            }
+            catch (error) {
+                logWarnBestEffort('TokenRevocation database check failed (treating as not revoked)', {
+                    error: error instanceof Error ? error.message : String(error),
+                    table: params.table,
+                });
+                return false;
+            }
+        },
+    };
+};
+const createRedisStore = (params) => {
+    const client = createRedisConnection({
+        host: Env.REDIS_HOST,
+        port: Env.REDIS_PORT,
+        password: Env.REDIS_PASSWORD,
+        db: Env.getInt('JWT_REVOCATION_REDIS_DB', Env.REDIS_DB),
+    });
+    return {
+        async revoke(key) {
+            const ttlMs = Math.max(0, key.expiresAtMs - Date.now());
+            if (ttlMs === 0)
+                return;
+            await client.set(`${params.keyPrefix}${key.id}`, '1', 'PX', ttlMs);
+        },
+        async isRevoked(id) {
+            const value = await client.get(`${params.keyPrefix}${id}`);
+            return value !== null;
+        },
+    };
+};
+const createKvStore = (params) => {
+    const getKvOrThrow = () => {
+        const kv = Cloudflare.getKVBinding(params.bindingName);
+        if (kv === null) {
+            throw ErrorFactory.createConfigError(`KV binding '${params.bindingName}' not found`, {
+                bindingName: params.bindingName,
+            });
+        }
+        return kv;
+    };
+    return {
+        async revoke(key) {
+            const ttlMs = Math.max(0, key.expiresAtMs - Date.now());
+            if (ttlMs === 0)
+                return;
+            const ttlSeconds = Math.max(60, Math.ceil(ttlMs / 1000));
+            const kv = getKvOrThrow();
+            await kv.put(`${params.keyPrefix}${key.id}`, '1', { expirationTtl: ttlSeconds });
+        },
+        async isRevoked(id) {
+            const kv = getKvOrThrow();
+            const value = await kv.get(`${params.keyPrefix}${id}`);
+            return value !== null;
+        },
+    };
+};
+const kvRemoteGetProxySettings = () => ({
+    baseUrl: Env.get('KV_REMOTE_URL'),
+    keyId: Env.get('KV_REMOTE_KEY_ID'),
+    secret: Env.get('KV_REMOTE_SECRET', Env.APP_KEY),
+    timeoutMs: Env.getInt('ZT_PROXY_TIMEOUT_MS', Env.REQUEST_TIMEOUT),
+});
+const kvRemoteGetCloudflareCreds = () => ({
+    accountId: Env.get('KV_ACCOUNT_ID', Env.get('CLOUDFLARE_ACCOUNT_ID', '')).trim(),
+    apiToken: Env.get('KV_API_TOKEN', Env.get('CLOUDFLARE_API_TOKEN', '')).trim(),
+    namespaceId: Env.get('KV_NAMESPACE_ID', Env.get('CLOUDFLARE_KV_NAMESPACE_ID', '')).trim(),
+    namespaceTitle: Env.get('KV_NAMESPACE', '').trim(),
+});
+const kvRemoteHasCloudflareApiCreds = (getCreds) => {
+    const creds = getCreds();
+    return creds.accountId !== '' && creds.apiToken !== '';
+};
+const kvRemoteHasProxySigningCreds = (proxy) => proxy.keyId.trim() !== '' && proxy.secret.trim() !== '';
+const kvRemoteBuildCloudflareValueUrl = (creds, key, ttlSeconds) => {
+    const base = `https://api.cloudflare.com/client/v4/accounts/${encodeURIComponent(creds.accountId)}/storage/kv/namespaces/${encodeURIComponent(creds.namespaceId)}/values/${encodeURIComponent(key)}`;
+    if (ttlSeconds === undefined)
+        return base;
+    const ttl = Math.max(60, Math.floor(ttlSeconds));
+    return ttl > 0 ? `${base}?expiration_ttl=${ttl}` : base;
+};
+const kvRemoteCfFetch = async (apiToken, url, init) => {
+    const headers = new Headers(init.headers);
+    headers.set('Authorization', `Bearer ${apiToken}`);
+    return fetch(url, {
+        ...init,
+        headers,
+    });
+};
+const kvRemoteFetchCloudflareNamespacesPage = async (args) => {
+    const url = `https://api.cloudflare.com/client/v4/accounts/${encodeURIComponent(args.accountId)}/storage/kv/namespaces?page=${args.page}&per_page=${args.perPage}`;
+    const res = await args.cfFetch(args.apiToken, url, { method: 'GET' });
+    const text = await res.text();
+    if (!res.ok) {
+        throw ErrorFactory.createConnectionError(`Cloudflare KV namespaces list failed (${res.status})`, {
+            status: res.status,
+            body: text,
+        });
+    }
+    try {
+        return JSON.parse(text);
     }
     catch {
-        // ignore decode errors; fallback to default TTL
+        throw ErrorFactory.createConnectionError('Cloudflare KV namespaces list returned invalid JSON', {
+            body: text,
+        });
     }
-    return Date.now() + defaultTtlMs;
+};
+const kvRemoteResolveNamespaceIdFromPage = (parsed, title) => {
+    const found = (parsed.result ?? []).find((ns) => ns.title === title);
+    return typeof found?.id === 'string' ? found.id.trim() : '';
+};
+const kvRemoteResolveTotalPagesFromPage = (parsed) => {
+    const raw = Number(parsed.result_info?.total_pages ?? 1);
+    return Number.isFinite(raw) ? Math.max(1, Math.floor(raw)) : 1;
+};
+const kvRemoteFindNamespaceIdByTitle = async (args) => {
+    const perPage = 100;
+    const first = await kvRemoteFetchCloudflareNamespacesPage({
+        apiToken: args.apiToken,
+        accountId: args.accountId,
+        page: 1,
+        perPage,
+        cfFetch: args.cfFetch,
+    });
+    const firstId = kvRemoteResolveNamespaceIdFromPage(first, args.namespaceTitle);
+    if (firstId !== '')
+        return firstId;
+    const maxPages = Math.min(10, kvRemoteResolveTotalPagesFromPage(first));
+    if (maxPages <= 1)
+        return null;
+    const remainingPages = Array.from({ length: maxPages - 1 }, (_, i) => i + 2);
+    const out = await Promise.all(remainingPages.map(async (page) => kvRemoteFetchCloudflareNamespacesPage({
+        apiToken: args.apiToken,
+        accountId: args.accountId,
+        page,
+        perPage,
+        cfFetch: args.cfFetch,
+    })));
+    for (const page of out) {
+        const id = kvRemoteResolveNamespaceIdFromPage(page, args.namespaceTitle);
+        if (id !== '')
+            return id;
+    }
+    return null;
+};
+const createKvRemoteCloudflareNamespaceIdResolver = (args) => {
+    let cachedNamespaceId = null;
+    let cachedNamespaceTitle = null;
+    let cachedAccountId = null;
+    return async () => {
+        const creds = args.getCloudflareCreds();
+        if (creds.namespaceId !== '')
+            return creds.namespaceId;
+        if (cachedNamespaceId !== null &&
+            cachedNamespaceTitle === creds.namespaceTitle &&
+            cachedAccountId === creds.accountId) {
+            return cachedNamespaceId;
+        }
+        if (creds.namespaceTitle === '') {
+            throw ErrorFactory.createConfigError('Cloudflare KV namespace id is missing (KV_NAMESPACE_ID) and no namespace title is provided (KV_NAMESPACE)');
+        }
+        const resolved = await kvRemoteFindNamespaceIdByTitle({
+            apiToken: creds.apiToken,
+            accountId: creds.accountId,
+            namespaceTitle: creds.namespaceTitle,
+            cfFetch: args.cfFetch,
+        });
+        if (resolved === null) {
+            throw ErrorFactory.createConfigError('Cloudflare KV namespace not found', {
+                namespaceTitle: creds.namespaceTitle,
+            });
+        }
+        cachedNamespaceId = resolved;
+        cachedNamespaceTitle = creds.namespaceTitle;
+        cachedAccountId = creds.accountId;
+        return resolved;
+    };
+};
+const kvRemoteCreateRemoteSettings = (proxy) => ({
+    baseUrl: proxy.baseUrl,
+    keyId: proxy.keyId,
+    secret: proxy.secret,
+    timeoutMs: proxy.timeoutMs,
+    signaturePathPrefixToStrip: resolveSigningPrefix(proxy.baseUrl),
+    missingUrlMessage: 'KV remote proxy URL is missing (KV_REMOTE_URL)',
+    missingCredentialsMessage: 'KV remote signing credentials are missing (KV_REMOTE_KEY_ID / KV_REMOTE_SECRET)',
+    messages: {
+        unauthorized: 'KV remote proxy unauthorized',
+        forbidden: 'KV remote proxy forbidden',
+        rateLimited: 'KV remote proxy rate limited',
+        rejected: 'KV remote proxy rejected request',
+        error: 'KV remote proxy error',
+        timedOut: 'KV remote proxy request timed out',
+    },
+});
+const kvRemoteNormalizeNamespace = (value) => {
+    const trimmed = value.trim();
+    return trimmed === '' ? undefined : trimmed;
+};
+const kvRemoteIsRevokedViaCloudflareApi = async (ctx, id, meta) => {
+    const creds = ctx.getCloudflareCreds();
+    const namespaceId = await ctx.resolveCloudflareNamespaceId();
+    const url = ctx.buildCloudflareValueUrl({ accountId: creds.accountId, namespaceId }, `${ctx.keyPrefix}${id}`);
+    const res = await ctx.cfFetch(creds.apiToken, url, { method: 'GET' });
+    if (res.status === 404)
+        return false;
+    if (!res.ok) {
+        const text = await res.text();
+        const warnMeta = {
+            status: res.status,
+            body: text,
+        };
+        if (meta)
+            Object.assign(warnMeta, meta);
+        logWarnBestEffort('TokenRevocation kv-remote (Cloudflare API) check failed', warnMeta);
+        return false;
+    }
+    const value = await res.text();
+    return value.trim() !== '';
+};
+const kvRemoteIsRevokedViaProxy = async (ctx, proxy, id) => {
+    const remote = ctx.createRemoteSettings(proxy);
+    const out = await RemoteSignedJson.request(remote, '/zin/kv/get', {
+        namespace: ctx.normalizeNamespace(ctx.namespace),
+        key: `${ctx.keyPrefix}${id}`,
+        type: 'text',
+    });
+    return out.value !== null && out.value !== undefined && String(out.value).trim() !== '';
+};
+const kvRemoteRevokeViaCloudflareApi = async (ctx, key, ttlSeconds, meta) => {
+    const creds = ctx.getCloudflareCreds();
+    const namespaceId = await ctx.resolveCloudflareNamespaceId();
+    const url = ctx.buildCloudflareValueUrl({ accountId: creds.accountId, namespaceId }, `${ctx.keyPrefix}${key.id}`, ttlSeconds);
+    const res = await ctx.cfFetch(creds.apiToken, url, {
+        method: 'PUT',
+        headers: { 'content-type': 'text/plain' },
+        body: '1',
+    });
+    if (res.ok)
+        return;
+    const text = await res.text();
+    const warnMeta = {
+        status: res.status,
+        body: text,
+    };
+    if (meta)
+        Object.assign(warnMeta, meta);
+    logWarnBestEffort('TokenRevocation kv-remote (Cloudflare API) revoke failed', warnMeta);
+};
+const createKvRemoteRevoke = (ctx) => async (key) => {
+    const ttlMs = Math.max(0, key.expiresAtMs - Date.now());
+    if (ttlMs === 0)
+        return;
+    const ttlSeconds = Math.max(60, Math.ceil(ttlMs / 1000));
+    const proxy = ctx.getProxySettings();
+    const shouldUseCloudflareApiFirst = !ctx.hasProxySigningCreds(proxy) && ctx.hasCloudflareApiCreds();
+    if (shouldUseCloudflareApiFirst) {
+        await kvRemoteRevokeViaCloudflareApi(ctx, key, ttlSeconds);
+        return;
+    }
+    try {
+        const remote = ctx.createRemoteSettings(proxy);
+        await RemoteSignedJson.request(remote, '/zin/kv/put', {
+            namespace: ctx.normalizeNamespace(ctx.namespace),
+            key: `${ctx.keyPrefix}${key.id}`,
+            value: '1',
+            ttlSeconds,
+        });
+    }
+    catch (error) {
+        if (ctx.hasCloudflareApiCreds()) {
+            await kvRemoteRevokeViaCloudflareApi(ctx, key, ttlSeconds, {
+                proxyError: error instanceof Error ? error.message : String(error),
+            });
+            return;
+        }
+        throw error;
+    }
+};
+const createKvRemoteIsRevoked = (ctx) => async (id) => {
+    const proxy = ctx.getProxySettings();
+    const shouldUseCloudflareApiFirst = !ctx.hasProxySigningCreds(proxy) && ctx.hasCloudflareApiCreds();
+    if (shouldUseCloudflareApiFirst)
+        return kvRemoteIsRevokedViaCloudflareApi(ctx, id);
+    try {
+        return await kvRemoteIsRevokedViaProxy(ctx, proxy, id);
+    }
+    catch (error) {
+        if (ctx.hasCloudflareApiCreds()) {
+            return kvRemoteIsRevokedViaCloudflareApi(ctx, id, {
+                proxyError: error instanceof Error ? error.message : String(error),
+            });
+        }
+        throw error;
+    }
+};
+const createKvRemoteStore = (params) => {
+    const getCloudflareCreds = kvRemoteGetCloudflareCreds;
+    const cfFetch = kvRemoteCfFetch;
+    const resolveCloudflareNamespaceId = createKvRemoteCloudflareNamespaceIdResolver({
+        getCloudflareCreds,
+        cfFetch,
+    });
+    const ctx = {
+        keyPrefix: params.keyPrefix,
+        namespace: params.namespace,
+        getProxySettings: kvRemoteGetProxySettings,
+        getCloudflareCreds,
+        hasCloudflareApiCreds: () => kvRemoteHasCloudflareApiCreds(getCloudflareCreds),
+        hasProxySigningCreds: kvRemoteHasProxySigningCreds,
+        buildCloudflareValueUrl: kvRemoteBuildCloudflareValueUrl,
+        cfFetch,
+        resolveCloudflareNamespaceId,
+        createRemoteSettings: kvRemoteCreateRemoteSettings,
+        normalizeNamespace: kvRemoteNormalizeNamespace,
+    };
+    return {
+        revoke: createKvRemoteRevoke(ctx),
+        isRevoked: createKvRemoteIsRevoked(ctx),
+    };
+};
+let cachedStore = null;
+let cachedDriver = null;
+const resolveStore = () => {
+    const driver = normalizeDriverName(Env.get('JWT_REVOCATION_DRIVER', DEFAULTS.driver));
+    if (cachedStore !== null && cachedDriver === driver) {
+        return { driver, store: cachedStore };
+    }
+    if (driver === 'memory') {
+        cachedStore = createMemoryStore();
+        cachedDriver = driver;
+        return { driver, store: cachedStore };
+    }
+    if (driver === 'database') {
+        const connection = Env.get('JWT_REVOCATION_DB_CONNECTION', DEFAULTS.dbConnection);
+        const table = Env.get('JWT_REVOCATION_DB_TABLE', DEFAULTS.dbTable);
+        cachedStore = createDatabaseStore({ connection, table });
+        cachedDriver = driver;
+        return { driver, store: cachedStore };
+    }
+    if (driver === 'redis') {
+        const keyPrefix = Env.get('JWT_REVOCATION_REDIS_PREFIX', DEFAULTS.redisPrefix);
+        cachedStore = createRedisStore({ keyPrefix });
+        cachedDriver = driver;
+        return { driver, store: cachedStore };
+    }
+    if (driver === 'kv-remote') {
+        const keyPrefix = Env.get('JWT_REVOCATION_KV_PREFIX', DEFAULTS.redisPrefix);
+        const namespace = Env.get('KV_REMOTE_NAMESPACE', DEFAULTS.kvRemoteNamespace);
+        cachedStore = createKvRemoteStore({ keyPrefix, namespace });
+        cachedDriver = driver;
+        return { driver, store: cachedStore };
+    }
+    const bindingName = Env.get('JWT_REVOCATION_KV_BINDING', DEFAULTS.kvBinding);
+    const keyPrefix = Env.get('JWT_REVOCATION_KV_PREFIX', DEFAULTS.redisPrefix);
+    cachedStore = createKvStore({ bindingName, keyPrefix });
+    cachedDriver = driver;
+    return { driver, store: cachedStore };
 };
 export const TokenRevocation = Object.freeze({
-    revoke(header) {
+    /**
+     * Mark a token as revoked.
+     *
+     * Storage is keyed by JWT `jti` when present; otherwise falls back to the raw token string.
+     */
+    async revoke(header) {
         const token = getBearerToken(header);
         if (token === null)
             return null;
-        cleanupExpired();
-        revokedTokens.set(token, resolveExpiryMs(token));
+        const { store } = resolveStore();
+        const key = resolveKey(token);
+        await store.revoke(key);
         return token;
     },
-    isRevoked(token) {
-        cleanupExpired();
-        const expiresAt = revokedTokens.get(token);
-        if (expiresAt === undefined)
-            return false;
-        if (expiresAt <= Date.now()) {
-            revokedTokens.delete(token);
-            return false;
-        }
-        return true;
+    /**
+     * Check if a token is revoked.
+     */
+    async isRevoked(token) {
+        const { store } = resolveStore();
+        const key = resolveKey(token);
+        return store.isRevoked(key.id);
+    },
+    /**
+     * For observability.
+     */
+    getDriver() {
+        return resolveStore().driver;
+    },
+    /**
+     * Test/boot helper: reset cached driver.
+     */
+    _resetForTests() {
+        cachedStore = null;
+        cachedDriver = null;
     },
 });
 export default TokenRevocation;

package/src/templates/project/basic/app/Controllers/AuthController.ts.tpl CHANGED Viewed

@@ -148,9 +148,17 @@ async function register(req: IRequest, res: IResponse): Promise<void> {
       password: passwordHash,
     });
-    if (result.id !== null && result.id !== undefined) {
+    let insertedUserId: unknown = result.id;
+    if (insertedUserId === null || insertedUserId === undefined) {
+      const inserted = await User.where('email', '=', email).limit(1).first<UserRow>();
+      if (inserted?.id !== null && inserted?.id !== undefined) {
+        insertedUserId = inserted.id;
+      }
+    }
+    if (insertedUserId !== null && insertedUserId !== undefined) {
       Logger.info('AuthController.register: successful registration', {
-        user_id: result.id,
+        user_id: insertedUserId,
         email,
         ip: ipAddress,
         timestamp: new Date().toISOString(),
@@ -179,7 +187,7 @@ async function register(req: IRequest, res: IResponse): Promise<void> {
 async function logout(req: IRequest, res: IResponse): Promise<void> {
   const authHeader =
     typeof req.getHeader === 'function' ? req.getHeader('authorization') : undefined;
-  TokenRevocation.revoke(authHeader);
+  await TokenRevocation.revoke(authHeader);
   res.json({ message: 'Logged out' });
 }