@ackplus/nest-auth 1.1.1 → 1.1.2

package/src/lib/admin-console/entities/admin-user.entity.js

@@ -0,0 +1,86 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AdminUser = void 0;
+const tslib_1 = require("tslib");
+const typeorm_1 = require("typeorm");
+const argon2 = tslib_1.__importStar(require("argon2"));
+let AdminUser = class AdminUser extends typeorm_1.BaseEntity {
+    normalizeEmail() {
+        if (this.email) {
+            this.email = this.email.toLowerCase();
+        }
+    }
+    normalizeEmailOnUpdate() {
+        if (this.email) {
+            this.email = this.email.toLowerCase();
+        }
+    }
+    async setPassword(password) {
+        this.passwordHash = await argon2.hash(password, {
+            type: argon2.argon2id,
+            memoryCost: 65536,
+            timeCost: 3,
+            parallelism: 4,
+        });
+    }
+    async validatePassword(password) {
+        if (!this.passwordHash) {
+            return false;
+        }
+        try {
+            return await argon2.verify(this.passwordHash, password);
+        }
+        catch {
+            return false;
+        }
+    }
+};
+exports.AdminUser = AdminUser;
+tslib_1.__decorate([
+    (0, typeorm_1.PrimaryGeneratedColumn)('uuid'),
+    tslib_1.__metadata("design:type", String)
+], AdminUser.prototype, "id", void 0);
+tslib_1.__decorate([
+    (0, typeorm_1.Column)({ unique: true }),
+    (0, typeorm_1.Index)(),
+    tslib_1.__metadata("design:type", String)
+], AdminUser.prototype, "email", void 0);
+tslib_1.__decorate([
+    (0, typeorm_1.Column)({ nullable: true }),
+    tslib_1.__metadata("design:type", String)
+], AdminUser.prototype, "name", void 0);
+tslib_1.__decorate([
+    (0, typeorm_1.Column)(),
+    tslib_1.__metadata("design:type", String)
+], AdminUser.prototype, "passwordHash", void 0);
+tslib_1.__decorate([
+    (0, typeorm_1.Column)({ type: 'simple-json', nullable: true, default: '{}' }),
+    tslib_1.__metadata("design:type", Object)
+], AdminUser.prototype, "metadata", void 0);
+tslib_1.__decorate([
+    (0, typeorm_1.Column)({ type: 'datetime', nullable: true }),
+    tslib_1.__metadata("design:type", Date)
+], AdminUser.prototype, "lastLoginAt", void 0);
+tslib_1.__decorate([
+    (0, typeorm_1.CreateDateColumn)(),
+    tslib_1.__metadata("design:type", Date)
+], AdminUser.prototype, "createdAt", void 0);
+tslib_1.__decorate([
+    (0, typeorm_1.UpdateDateColumn)(),
+    tslib_1.__metadata("design:type", Date)
+], AdminUser.prototype, "updatedAt", void 0);
+tslib_1.__decorate([
+    (0, typeorm_1.BeforeInsert)(),
+    tslib_1.__metadata("design:type", Function),
+    tslib_1.__metadata("design:paramtypes", []),
+    tslib_1.__metadata("design:returntype", void 0)
+], AdminUser.prototype, "normalizeEmail", null);
+tslib_1.__decorate([
+    (0, typeorm_1.BeforeUpdate)(),
+    tslib_1.__metadata("design:type", Function),
+    tslib_1.__metadata("design:paramtypes", []),
+    tslib_1.__metadata("design:returntype", void 0)
+], AdminUser.prototype, "normalizeEmailOnUpdate", null);
+exports.AdminUser = AdminUser = tslib_1.__decorate([
+    (0, typeorm_1.Entity)('nest_auth_admin_users')
+], AdminUser);

package/src/lib/admin-console/guards/admin-session.guard.d.ts

@@ -0,0 +1,17 @@
+import { CanActivate, ExecutionContext } from '@nestjs/common';
+import { Request } from 'express';
+import { AdminSessionService } from '../services/admin-session.service';
+import { AdminUserService } from '../services/admin-user.service';
+import { AdminConsoleConfigService } from '../services/admin-console-config.service';
+import { AdminUser } from '../entities/admin-user.entity';
+export interface AdminRequest extends Request {
+    adminUser?: AdminUser;
+}
+export declare class AdminSessionGuard implements CanActivate {
+    private readonly sessions;
+    private readonly adminUsers;
+    private readonly config;
+    constructor(sessions: AdminSessionService, adminUsers: AdminUserService, config: AdminConsoleConfigService);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+}
+//# sourceMappingURL=admin-session.guard.d.ts.map

package/src/lib/admin-console/guards/admin-session.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-session.guard.d.ts","sourceRoot":"","sources":["../../../../../../../packages/nest-auth/src/lib/admin-console/guards/admin-session.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,WAAW,EACX,gBAAgB,EAGjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,mBAAmB,EAAE,MAAM,mCAAmC,CAAC;AACxE,OAAO,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AAClE,OAAO,EAAE,yBAAyB,EAAE,MAAM,0CAA0C,CAAC;AACrF,OAAO,EAAE,SAAS,EAAE,MAAM,+BAA+B,CAAC;AAE1D,MAAM,WAAW,YAAa,SAAQ,OAAO;IAC3C,SAAS,CAAC,EAAE,SAAS,CAAC;CACvB;AAED,qBACa,iBAAkB,YAAW,WAAW;IAEjD,OAAO,CAAC,QAAQ,CAAC,QAAQ;IACzB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAFN,QAAQ,EAAE,mBAAmB,EAC7B,UAAU,EAAE,gBAAgB,EAC5B,MAAM,EAAE,yBAAyB;IAG9C,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;CAsB/D"}

package/src/lib/admin-console/guards/admin-session.guard.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AdminSessionGuard = void 0;
+const tslib_1 = require("tslib");
+const common_1 = require("@nestjs/common");
+const admin_session_service_1 = require("../services/admin-session.service");
+const admin_user_service_1 = require("../services/admin-user.service");
+const admin_console_config_service_1 = require("../services/admin-console-config.service");
+let AdminSessionGuard = class AdminSessionGuard {
+    constructor(sessions, adminUsers, config) {
+        this.sessions = sessions;
+        this.adminUsers = adminUsers;
+        this.config = config;
+    }
+    async canActivate(context) {
+        const req = context.switchToHttp().getRequest();
+        this.config.ensureEnabled();
+        const token = this.sessions.extractToken(req);
+        if (!token) {
+            throw new common_1.UnauthorizedException('Admin authentication required');
+        }
+        const payload = this.sessions.verifySession(token);
+        if (!payload) {
+            throw new common_1.UnauthorizedException('Invalid admin session');
+        }
+        const admin = await this.adminUsers.findById(payload.sub);
+        if (!admin) {
+            throw new common_1.UnauthorizedException('Admin account not found');
+        }
+        req.adminUser = admin;
+        return true;
+    }
+};
+exports.AdminSessionGuard = AdminSessionGuard;
+exports.AdminSessionGuard = AdminSessionGuard = tslib_1.__decorate([
+    (0, common_1.Injectable)(),
+    tslib_1.__metadata("design:paramtypes", [admin_session_service_1.AdminSessionService,
+        admin_user_service_1.AdminUserService,
+        admin_console_config_service_1.AdminConsoleConfigService])
+], AdminSessionGuard);

package/src/lib/admin-console/services/admin-auth.service.d.ts

@@ -0,0 +1,22 @@
+import { AdminUserService } from './admin-user.service';
+import { AdminSessionService } from './admin-session.service';
+import { AdminConsoleConfigService } from './admin-console-config.service';
+import { AdminUser } from '../entities/admin-user.entity';
+import { DebugLoggerService } from '../../core/services/debug-logger.service';
+export declare class AdminAuthService {
+    private readonly adminUsers;
+    private readonly sessions;
+    private readonly config;
+    private readonly debugLogger;
+    constructor(adminUsers: AdminUserService, sessions: AdminSessionService, config: AdminConsoleConfigService, debugLogger: DebugLoggerService);
+    validateCredentials(email: string, password: string): Promise<AdminUser>;
+    createInitialAdmin(payload: {
+        setupKey: string;
+        email: string;
+        password: string;
+        name?: string;
+        metadata?: Record<string, any>;
+    }): Promise<AdminUser>;
+    createSession(admin: AdminUser): string;
+}
+//# sourceMappingURL=admin-auth.service.d.ts.map

package/src/lib/admin-console/services/admin-auth.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-auth.service.d.ts","sourceRoot":"","sources":["../../../../../../../packages/nest-auth/src/lib/admin-console/services/admin-auth.service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACxD,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,EAAE,SAAS,EAAE,MAAM,+BAA+B,CAAC;AAC1D,OAAO,EAAE,kBAAkB,EAAE,MAAM,0CAA0C,CAAC;AAG9E,qBACa,gBAAgB;IAEzB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,QAAQ;IACzB,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,WAAW;gBAHX,UAAU,EAAE,gBAAgB,EAC5B,QAAQ,EAAE,mBAAmB,EAC7B,MAAM,EAAE,yBAAyB,EACjC,WAAW,EAAE,kBAAkB;IAG5C,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;IAcxE,kBAAkB,CAAC,OAAO,EAAE;QAChC,QAAQ,EAAE,MAAM,CAAC;QACjB,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;QACjB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;KAChC,GAAG,OAAO,CAAC,SAAS,CAAC;IAyCtB,aAAa,CAAC,KAAK,EAAE,SAAS,GAAG,MAAM;CAGxC"}

package/src/lib/admin-console/services/admin-auth.service.js

@@ -0,0 +1,77 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AdminAuthService = void 0;
+const tslib_1 = require("tslib");
+const common_1 = require("@nestjs/common");
+const admin_user_service_1 = require("./admin-user.service");
+const admin_session_service_1 = require("./admin-session.service");
+const admin_console_config_service_1 = require("./admin-console-config.service");
+const debug_logger_service_1 = require("../../core/services/debug-logger.service");
+const security_util_1 = require("../../utils/security.util");
+let AdminAuthService = class AdminAuthService {
+    constructor(adminUsers, sessions, config, debugLogger) {
+        this.adminUsers = adminUsers;
+        this.sessions = sessions;
+        this.config = config;
+        this.debugLogger = debugLogger;
+    }
+    async validateCredentials(email, password) {
+        const admin = await this.adminUsers.findByEmail(email);
+        if (!admin) {
+            throw new common_1.UnauthorizedException('Invalid credentials');
+        }
+        const valid = await admin.validatePassword(password);
+        if (!valid) {
+            throw new common_1.UnauthorizedException('Invalid credentials');
+        }
+        admin.lastLoginAt = new Date();
+        await admin.save();
+        return admin;
+    }
+    async createInitialAdmin(payload) {
+        this.config.ensureEnabled();
+        const configuredKey = this.config.getSecretKey();
+        if (!configuredKey) {
+            throw new common_1.BadRequestException({
+                message: 'Admin console setup key is not configured.',
+                code: 'ADMIN_CONSOLE_SETUP_DISABLED',
+            });
+        }
+        // Use constant-time comparison to prevent timing attacks
+        if (!(0, security_util_1.compareKeys)(payload.setupKey, configuredKey)) {
+            throw new common_1.UnauthorizedException({
+                message: 'Invalid admin console setup key.',
+                code: 'INVALID_ADMIN_CONSOLE_SETUP_KEY',
+            });
+        }
+        const existingAdmins = await this.adminUsers.listAdmins();
+        if (existingAdmins.length > 0) {
+            throw new common_1.BadRequestException({
+                message: 'Admin users already exist. Use the dashboard to manage administrators.',
+                code: 'ADMIN_USERS_ALREADY_INITIALIZED',
+            });
+        }
+        // Mask email to avoid logging PII
+        const maskedEmail = payload.email.replace(/(.{2})(.*)(@.*)/, '$1****$3');
+        this.debugLogger.info('Creating initial admin console user', 'AdminAuthService', {
+            email: maskedEmail,
+        });
+        return this.adminUsers.createAdmin({
+            email: payload.email,
+            password: payload.password,
+            name: payload.name,
+            metadata: payload.metadata,
+        });
+    }
+    createSession(admin) {
+        return this.sessions.createSession(admin);
+    }
+};
+exports.AdminAuthService = AdminAuthService;
+exports.AdminAuthService = AdminAuthService = tslib_1.__decorate([
+    (0, common_1.Injectable)(),
+    tslib_1.__metadata("design:paramtypes", [admin_user_service_1.AdminUserService,
+        admin_session_service_1.AdminSessionService,
+        admin_console_config_service_1.AdminConsoleConfigService,
+        debug_logger_service_1.DebugLoggerService])
+], AdminAuthService);

package/src/lib/admin-console/services/admin-console-config.service.d.ts

@@ -0,0 +1,17 @@
+import { AuthConfigService } from '../../core/services/auth-config.service';
+import { AdminConsoleOptions } from '../../core/interfaces/auth-module-options.interface';
+import { CookieOptions } from 'express';
+export declare class AdminConsoleConfigService {
+    private readonly authConfig;
+    constructor(authConfig: AuthConfigService);
+    get options(): AdminConsoleOptions;
+    ensureEnabled(): void;
+    getCookieName(): string;
+    getBasePath(): string;
+    getSessionSecret(): string;
+    getSessionDuration(): string | number;
+    getCookieOptions(): CookieOptions;
+    allowAdminManagement(): boolean;
+    getSecretKey(): string | undefined;
+}
+//# sourceMappingURL=admin-console-config.service.d.ts.map

package/src/lib/admin-console/services/admin-console-config.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-console-config.service.d.ts","sourceRoot":"","sources":["../../../../../../../packages/nest-auth/src/lib/admin-console/services/admin-console-config.service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,iBAAiB,EAAE,MAAM,yCAAyC,CAAC;AAC5E,OAAO,EAAE,mBAAmB,EAAE,MAAM,qDAAqD,CAAC;AAC1F,OAAO,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAExC,qBACa,yBAAyB;IACxB,OAAO,CAAC,QAAQ,CAAC,UAAU;gBAAV,UAAU,EAAE,iBAAiB;IAE1D,IAAI,OAAO,IAAI,mBAAmB,CAEjC;IAED,aAAa,IAAI,IAAI;IAMrB,aAAa,IAAI,MAAM;IAIvB,WAAW,IAAI,MAAM;IAIrB,gBAAgB,IAAI,MAAM;IAK1B,kBAAkB,IAAI,MAAM,GAAG,MAAM;IAIrC,gBAAgB,IAAI,aAAa;IAkBjC,oBAAoB,IAAI,OAAO;IAI/B,YAAY,IAAI,MAAM,GAAG,SAAS;CAGnC"}

package/src/lib/admin-console/services/admin-console-config.service.js

@@ -0,0 +1,58 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AdminConsoleConfigService = void 0;
+const tslib_1 = require("tslib");
+const common_1 = require("@nestjs/common");
+const auth_config_service_1 = require("../../core/services/auth-config.service");
+let AdminConsoleConfigService = class AdminConsoleConfigService {
+    constructor(authConfig) {
+        this.authConfig = authConfig;
+    }
+    get options() {
+        return this.authConfig.getConfig().adminConsole ?? {};
+    }
+    ensureEnabled() {
+        if (this.options?.enabled === false) {
+            throw new common_1.NotFoundException('Admin console is disabled');
+        }
+    }
+    getCookieName() {
+        return this.options?.sessionCookieName ?? 'nest_auth_admin';
+    }
+    getBasePath() {
+        return this.options?.basePath;
+    }
+    getSessionSecret() {
+        // Use secretKey for session signing - unified key for all admin console security operations
+        return this.options?.secretKey ?? 'change-me-admin-secret';
+    }
+    getSessionDuration() {
+        return this.options?.sessionDuration ?? '2h';
+    }
+    getCookieOptions() {
+        // Determine secure flag based on environment
+        const secureDefault = process.env.NODE_ENV === 'production';
+        const base = {
+            httpOnly: true,
+            sameSite: 'lax',
+            secure: secureDefault,
+            path: this.getBasePath(),
+        };
+        return {
+            ...base,
+            ...(this.options?.cookie ?? {}),
+            path: this.options?.cookie?.path ?? base.path,
+        };
+    }
+    allowAdminManagement() {
+        return this.options?.allowAdminManagement !== false;
+    }
+    getSecretKey() {
+        return this.options?.secretKey;
+    }
+};
+exports.AdminConsoleConfigService = AdminConsoleConfigService;
+exports.AdminConsoleConfigService = AdminConsoleConfigService = tslib_1.__decorate([
+    (0, common_1.Injectable)(),
+    tslib_1.__metadata("design:paramtypes", [auth_config_service_1.AuthConfigService])
+], AdminConsoleConfigService);

package/src/lib/admin-console/services/admin-session.service.d.ts

@@ -0,0 +1,27 @@
+import { Request } from 'express';
+import { AdminConsoleConfigService } from './admin-console-config.service';
+import { AdminUser } from '../entities/admin-user.entity';
+interface AdminSessionPayload {
+    sub: string;
+    email: string;
+    iat: number;
+    exp: number;
+}
+export declare class AdminSessionService {
+    private readonly config;
+    constructor(config: AdminConsoleConfigService);
+    createSession(admin: AdminUser): string;
+    verifySession(token: string): AdminSessionPayload | null;
+    getCookieName(): string;
+    getMaxAge(): number | undefined;
+    extractToken(request: Request): string | undefined;
+    /**
+     * Invalidate all sessions for a given admin user.
+     * Since we're using stateless JWT tokens, this is a no-op for now,
+     * but provides a hook for future stateful session implementations.
+     */
+    invalidateSessionForAdmin(adminId: string): Promise<void>;
+    private parseCookieHeader;
+}
+export {};
+//# sourceMappingURL=admin-session.service.d.ts.map

package/src/lib/admin-console/services/admin-session.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-session.service.d.ts","sourceRoot":"","sources":["../../../../../../../packages/nest-auth/src/lib/admin-console/services/admin-session.service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAGlC,OAAO,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,EAAE,SAAS,EAAE,MAAM,+BAA+B,CAAC;AAE1D,UAAU,mBAAmB;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb;AAED,qBACa,mBAAmB;IAClB,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,yBAAyB;IAE9D,aAAa,CAAC,KAAK,EAAE,SAAS,GAAG,MAAM;IAgBvC,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,mBAAmB,GAAG,IAAI;IAaxD,aAAa,IAAI,MAAM;IAIvB,SAAS,IAAI,MAAM,GAAG,SAAS;IAW/B,YAAY,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,GAAG,SAAS;IAgBlD;;;;OAIG;IACG,yBAAyB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAO/D,OAAO,CAAC,iBAAiB;CAe1B"}

package/src/lib/admin-console/services/admin-session.service.js

@@ -0,0 +1,94 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AdminSessionService = void 0;
+const tslib_1 = require("tslib");
+const common_1 = require("@nestjs/common");
+const jwt = tslib_1.__importStar(require("jsonwebtoken"));
+const ms_1 = tslib_1.__importDefault(require("ms"));
+const admin_console_config_service_1 = require("./admin-console-config.service");
+let AdminSessionService = class AdminSessionService {
+    constructor(config) {
+        this.config = config;
+    }
+    createSession(admin) {
+        const secret = this.config.getSessionSecret();
+        const duration = this.config.getSessionDuration();
+        const expiresIn = typeof duration === 'number' ? duration : duration || '2h';
+        return jwt.sign({
+            sub: admin.id,
+            email: admin.email,
+        }, secret, {
+            expiresIn,
+        });
+    }
+    verifySession(token) {
+        if (!token) {
+            return null;
+        }
+        try {
+            return jwt.verify(token, this.config.getSessionSecret());
+        }
+        catch (error) {
+            // Log JWT verification failures for security monitoring
+            console.warn('JWT verification failed:', error.message);
+            return null;
+        }
+    }
+    getCookieName() {
+        return this.config.getCookieName();
+    }
+    getMaxAge() {
+        const duration = this.config.getSessionDuration();
+        if (typeof duration === 'number') {
+            return duration * 1000;
+        }
+        if (typeof duration === 'string') {
+            return (0, ms_1.default)(duration);
+        }
+        return (0, ms_1.default)('2h');
+    }
+    extractToken(request) {
+        const cookieName = this.getCookieName();
+        const cookieHeader = request.headers?.cookie;
+        if (request.cookies && request.cookies[cookieName]) {
+            return request.cookies[cookieName];
+        }
+        if (!cookieHeader) {
+            return undefined;
+        }
+        const cookies = this.parseCookieHeader(cookieHeader);
+        return cookies[cookieName];
+    }
+    /**
+     * Invalidate all sessions for a given admin user.
+     * Since we're using stateless JWT tokens, this is a no-op for now,
+     * but provides a hook for future stateful session implementations.
+     */
+    async invalidateSessionForAdmin(adminId) {
+        // With JWT-based stateless sessions, we can't revoke tokens server-side
+        // This method exists for future implementations that use database-backed sessions
+        // For now, clearing the client cookie in the logout handler is sufficient
+        return Promise.resolve();
+    }
+    parseCookieHeader(header) {
+        return header.split(';').reduce((acc, part) => {
+            const [key, ...rest] = part.split('=');
+            if (!key) {
+                return acc;
+            }
+            try {
+                acc[key.trim()] = decodeURIComponent(rest.join('=').trim());
+            }
+            catch (error) {
+                // If decoding fails, use the raw value
+                acc[key.trim()] = rest.join('=').trim();
+            }
+            return acc;
+        }, {});
+    }
+};
+exports.AdminSessionService = AdminSessionService;
+exports.AdminSessionService = AdminSessionService = tslib_1.__decorate([
+    (0, common_1.Injectable)(),
+    tslib_1.__metadata("design:paramtypes", [admin_console_config_service_1.AdminConsoleConfigService])
+], AdminSessionService);

package/src/lib/admin-console/services/admin-user.service.d.ts

@@ -0,0 +1,24 @@
+import { Repository } from 'typeorm';
+import { AdminUser } from '../entities/admin-user.entity';
+import { DebugLoggerService } from '../../core/services/debug-logger.service';
+export declare class AdminUserService {
+    private readonly adminRepo;
+    private readonly debugLogger;
+    constructor(adminRepo: Repository<AdminUser>, debugLogger: DebugLoggerService);
+    createAdmin(data: {
+        email: string;
+        password: string;
+        name?: string;
+        metadata?: Record<string, any>;
+    }): Promise<AdminUser>;
+    findByEmail(email: string): Promise<AdminUser | null>;
+    findById(id: string): Promise<AdminUser | null>;
+    listAdmins(): Promise<AdminUser[]>;
+    updateAdmin(id: string, data: {
+        name?: string;
+        password?: string;
+        metadata?: Record<string, any>;
+    }): Promise<AdminUser>;
+    deleteAdmin(id: string): Promise<void>;
+}
+//# sourceMappingURL=admin-user.service.d.ts.map

package/src/lib/admin-console/services/admin-user.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-user.service.d.ts","sourceRoot":"","sources":["../../../../../../../packages/nest-auth/src/lib/admin-console/services/admin-user.service.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,SAAS,EAAE,MAAM,+BAA+B,CAAC;AAC1D,OAAO,EAAE,kBAAkB,EAAE,MAAM,0CAA0C,CAAC;AAE9E,qBACa,gBAAgB;IAGzB,OAAO,CAAC,QAAQ,CAAC,SAAS;IAC1B,OAAO,CAAC,QAAQ,CAAC,WAAW;gBADX,SAAS,EAAE,UAAU,CAAC,SAAS,CAAC,EAChC,WAAW,EAAE,kBAAkB;IAG5C,WAAW,CAAC,IAAI,EAAE;QACtB,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;QACjB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;KAChC,GAAG,OAAO,CAAC,SAAS,CAAC;IAsBhB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;IAOrD,QAAQ,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;IAO/C,UAAU,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;IAIlC,WAAW,CACf,EAAE,EAAE,MAAM,EACV,IAAI,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;KAAE,GACzE,OAAO,CAAC,SAAS,CAAC;IAuBf,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAU7C"}

package/src/lib/admin-console/services/admin-user.service.js

@@ -0,0 +1,87 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AdminUserService = void 0;
+const tslib_1 = require("tslib");
+const common_1 = require("@nestjs/common");
+const typeorm_1 = require("@nestjs/typeorm");
+const typeorm_2 = require("typeorm");
+const admin_user_entity_1 = require("../entities/admin-user.entity");
+const debug_logger_service_1 = require("../../core/services/debug-logger.service");
+let AdminUserService = class AdminUserService {
+    constructor(adminRepo, debugLogger) {
+        this.adminRepo = adminRepo;
+        this.debugLogger = debugLogger;
+    }
+    async createAdmin(data) {
+        const email = data.email.toLowerCase();
+        const existing = await this.adminRepo.findOne({ where: { email } });
+        if (existing) {
+            throw new common_1.ConflictException({
+                message: `Admin user with email ${email} already exists.`,
+                code: 'ADMIN_USER_EXISTS',
+            });
+        }
+        const admin = this.adminRepo.create({
+            email,
+            name: data.name,
+            metadata: data.metadata ?? {},
+        });
+        await admin.setPassword(data.password);
+        this.debugLogger.debug('Creating admin user', 'AdminUserService', { email });
+        await this.adminRepo.save(admin);
+        this.debugLogger.info('Admin user created', 'AdminUserService', { id: admin.id, email });
+        return admin;
+    }
+    async findByEmail(email) {
+        if (!email) {
+            return null;
+        }
+        return this.adminRepo.findOne({ where: { email: email.toLowerCase() } });
+    }
+    async findById(id) {
+        if (!id) {
+            return null;
+        }
+        return this.adminRepo.findOne({ where: { id } });
+    }
+    async listAdmins() {
+        return this.adminRepo.find({ order: { createdAt: 'DESC' } });
+    }
+    async updateAdmin(id, data) {
+        const admin = await this.findById(id);
+        if (!admin) {
+            throw new common_1.NotFoundException({
+                message: `Admin user with ID ${id} not found`,
+                code: 'ADMIN_USER_NOT_FOUND',
+            });
+        }
+        if (data.name !== undefined) {
+            admin.name = data.name;
+        }
+        if (data.metadata !== undefined) {
+            admin.metadata = data.metadata;
+        }
+        if (data.password) {
+            await admin.setPassword(data.password);
+        }
+        await this.adminRepo.save(admin);
+        return admin;
+    }
+    async deleteAdmin(id) {
+        const admin = await this.findById(id);
+        if (!admin) {
+            throw new common_1.NotFoundException({
+                message: `Admin user with ID ${id} not found`,
+                code: 'ADMIN_USER_NOT_FOUND',
+            });
+        }
+        await this.adminRepo.delete(id);
+    }
+};
+exports.AdminUserService = AdminUserService;
+exports.AdminUserService = AdminUserService = tslib_1.__decorate([
+    (0, common_1.Injectable)(),
+    tslib_1.__param(0, (0, typeorm_1.InjectRepository)(admin_user_entity_1.AdminUser)),
+    tslib_1.__metadata("design:paramtypes", [typeorm_2.Repository,
+        debug_logger_service_1.DebugLoggerService])
+], AdminUserService);

package/src/lib/auth/auth.module.d.ts

@@ -0,0 +1,3 @@
+export declare class AuthModule {
+}
+//# sourceMappingURL=auth.module.d.ts.map

package/src/lib/auth/auth.module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.module.d.ts","sourceRoot":"","sources":["../../../../../../packages/nest-auth/src/lib/auth/auth.module.ts"],"names":[],"mappings":"AAsBA,qBAkCa,UAAU;CACtB"}

package/src/lib/auth/auth.module.js

@@ -0,0 +1,64 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthModule = void 0;
+const tslib_1 = require("tslib");
+const common_1 = require("@nestjs/common");
+const auth_service_1 = require("./services/auth.service");
+const cookie_service_1 = require("./services/cookie.service");
+const mfa_service_1 = require("./services/mfa.service");
+const client_config_service_1 = require("./services/client-config.service");
+const auth_guard_1 = require("./guards/auth.guard");
+const refresh_token_interceptor_1 = require("./interceptors/refresh-token.interceptor");
+const auth_controller_1 = require("./controllers/auth.controller");
+const mfa_controller_1 = require("./controllers/mfa.controller");
+const identity_entity_1 = require("../user/entities/identity.entity");
+const typeorm_1 = require("@nestjs/typeorm");
+const user_entity_1 = require("../user/entities/user.entity");
+const otp_entity_1 = require("./entities/otp.entity");
+const mfa_secret_entity_1 = require("./entities/mfa-secret.entity");
+const access_key_entity_1 = require("../user/entities/access-key.entity");
+const event_emitter_1 = require("@nestjs/event-emitter");
+const user_module_1 = require("../user/user.module");
+const core_module_1 = require("../core/core.module");
+const session_module_1 = require("../session/session.module");
+const tenant_module_1 = require("../tenant/tenant.module");
+const role_module_1 = require("../role/role.module");
+let AuthModule = class AuthModule {
+};
+exports.AuthModule = AuthModule;
+exports.AuthModule = AuthModule = tslib_1.__decorate([
+    (0, common_1.Module)({
+        imports: [
+            event_emitter_1.EventEmitterModule,
+            typeorm_1.TypeOrmModule.forFeature([
+                user_entity_1.NestAuthUser,
+                otp_entity_1.NestAuthOTP,
+                mfa_secret_entity_1.NestAuthMFASecret,
+                access_key_entity_1.NestAuthAccessKey,
+                identity_entity_1.NestAuthIdentity,
+            ]),
+            (0, common_1.forwardRef)(() => core_module_1.CoreModule),
+            (0, common_1.forwardRef)(() => user_module_1.UserModule),
+            (0, common_1.forwardRef)(() => session_module_1.SessionModule),
+            (0, common_1.forwardRef)(() => tenant_module_1.TenantModule),
+            (0, common_1.forwardRef)(() => role_module_1.RoleModule),
+        ],
+        providers: [
+            auth_service_1.AuthService,
+            cookie_service_1.CookieService,
+            mfa_service_1.MfaService,
+            client_config_service_1.ClientConfigService,
+            auth_guard_1.NestAuthAuthGuard,
+            refresh_token_interceptor_1.RefreshTokenInterceptor,
+        ],
+        controllers: [auth_controller_1.AuthController, mfa_controller_1.MfaController],
+        exports: [
+            auth_service_1.AuthService,
+            cookie_service_1.CookieService,
+            mfa_service_1.MfaService,
+            client_config_service_1.ClientConfigService,
+            auth_guard_1.NestAuthAuthGuard,
+            refresh_token_interceptor_1.RefreshTokenInterceptor,
+        ],
+    })
+], AuthModule);