@ackplus/nest-auth 1.1.19 → 1.1.21

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ackplus/nest-auth",
-  "version": "1.1.19",
+  "version": "1.1.21",
   "type": "commonjs",
   "main": "./src/index.js",
   "types": "./src/index.d.ts",

package/src/lib/audit/services/audit.service.d.ts

@@ -0,0 +1,15 @@
+import { AuthConfigService } from '../../core/services/auth-config.service';
+import { UserLoggedInEvent, LoggedOutEvent, UserRegisteredEvent, UserPasswordChangedEvent, User2faEnabledEvent, User2faDisabledEvent } from '../../auth/events';
+export declare class AuditService {
+    private readonly authConfigService;
+    private readonly logger;
+    constructor(authConfigService: AuthConfigService);
+    private emitAuditEvent;
+    handleUserLoggedIn(payload: UserLoggedInEvent): Promise<void>;
+    handleUserLoggedOut(payload: LoggedOutEvent): Promise<void>;
+    handleUserRegistered(payload: UserRegisteredEvent): Promise<void>;
+    handlePasswordChanged(payload: UserPasswordChangedEvent): Promise<void>;
+    handle2faEnabled(payload: User2faEnabledEvent): Promise<void>;
+    handle2faDisabled(payload: User2faDisabledEvent): Promise<void>;
+}
+//# sourceMappingURL=audit.service.d.ts.map

package/src/lib/audit/services/audit.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.service.d.ts","sourceRoot":"","sources":["../../../../../../../packages/nest-auth/src/lib/audit/services/audit.service.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,iBAAiB,EAAE,MAAM,yCAAyC,CAAC;AAE5E,OAAO,EACH,iBAAiB,EACjB,cAAc,EACd,mBAAmB,EACnB,wBAAwB,EACxB,mBAAmB,EACnB,oBAAoB,EACvB,MAAM,mBAAmB,CAAC;AAG3B,qBACa,YAAY;IAIjB,OAAO,CAAC,QAAQ,CAAC,iBAAiB;IAHtC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAiC;gBAGnC,iBAAiB,EAAE,iBAAiB;YAG3C,cAAc;IAiBtB,kBAAkB,CAAC,OAAO,EAAE,iBAAiB;IAgB7C,mBAAmB,CAAC,OAAO,EAAE,cAAc;IAc3C,oBAAoB,CAAC,OAAO,EAAE,mBAAmB;IAcjD,qBAAqB,CAAC,OAAO,EAAE,wBAAwB;IAavD,gBAAgB,CAAC,OAAO,EAAE,mBAAmB;IAc7C,iBAAiB,CAAC,OAAO,EAAE,oBAAoB;CAWxD"}

package/src/lib/audit/services/audit.service.js

@@ -0,0 +1,143 @@
+"use strict";
+var AuditService_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuditService = void 0;
+const tslib_1 = require("tslib");
+const common_1 = require("@nestjs/common");
+const event_emitter_1 = require("@nestjs/event-emitter");
+const auth_config_service_1 = require("../../core/services/auth-config.service");
+const auth_constants_1 = require("../../auth.constants");
+const events_1 = require("../../auth/events");
+let AuditService = AuditService_1 = class AuditService {
+    constructor(authConfigService) {
+        this.authConfigService = authConfigService;
+        this.logger = new common_1.Logger(AuditService_1.name);
+    }
+    async emitAuditEvent(event) {
+        const config = this.authConfigService.getConfig();
+        if (config.audit?.enabled === false) {
+            return;
+        }
+        if (config.audit?.onEvent) {
+            try {
+                await config.audit.onEvent(event);
+            }
+            catch (error) {
+                this.logger.error(`Error in audit.onEvent hook: ${error.message}`, error.stack);
+            }
+        }
+    }
+    async handleUserLoggedIn(payload) {
+        await this.emitAuditEvent({
+            type: 'login',
+            userId: payload.payload.user.id,
+            ip: payload.payload.session.ipAddress,
+            userAgent: payload.payload.session.userAgent,
+            success: true,
+            metadata: {
+                provider: payload.payload.provider,
+                tenantId: payload.payload.tenantId,
+            },
+            timestamp: new Date(),
+        });
+    }
+    async handleUserLoggedOut(payload) {
+        await this.emitAuditEvent({
+            type: 'logout',
+            userId: payload.payload.user?.id,
+            success: true,
+            metadata: {
+                reason: payload.payload.reason,
+                sessionId: payload.payload.session.id,
+            },
+            timestamp: new Date(),
+        });
+    }
+    async handleUserRegistered(payload) {
+        await this.emitAuditEvent({
+            type: 'signup',
+            userId: payload.payload.user.id,
+            success: true,
+            metadata: {
+                tenantId: payload.payload.tenantId,
+                provider: payload.payload.provider,
+            },
+            timestamp: new Date(),
+        });
+    }
+    async handlePasswordChanged(payload) {
+        await this.emitAuditEvent({
+            type: 'password_change',
+            userId: payload.payload.user.id,
+            success: true,
+            metadata: {
+                initiatedBy: payload.payload.initiatedBy,
+            },
+            timestamp: new Date(),
+        });
+    }
+    async handle2faEnabled(payload) {
+        await this.emitAuditEvent({
+            type: 'mfa_enable',
+            userId: payload.payload.user.id,
+            success: true,
+            metadata: {
+                method: payload.payload.method,
+                action: 'enabled'
+            },
+            timestamp: new Date(),
+        });
+    }
+    async handle2faDisabled(payload) {
+        await this.emitAuditEvent({
+            type: 'mfa_enable', // reusing type or should add mfa_disable?
+            userId: payload.payload.user.id,
+            success: true,
+            metadata: {
+                action: 'disabled'
+            },
+            timestamp: new Date(),
+        });
+    }
+};
+exports.AuditService = AuditService;
+tslib_1.__decorate([
+    (0, event_emitter_1.OnEvent)(auth_constants_1.NestAuthEvents.LOGGED_IN),
+    tslib_1.__metadata("design:type", Function),
+    tslib_1.__metadata("design:paramtypes", [events_1.UserLoggedInEvent]),
+    tslib_1.__metadata("design:returntype", Promise)
+], AuditService.prototype, "handleUserLoggedIn", null);
+tslib_1.__decorate([
+    (0, event_emitter_1.OnEvent)(auth_constants_1.NestAuthEvents.LOGGED_OUT),
+    tslib_1.__metadata("design:type", Function),
+    tslib_1.__metadata("design:paramtypes", [events_1.LoggedOutEvent]),
+    tslib_1.__metadata("design:returntype", Promise)
+], AuditService.prototype, "handleUserLoggedOut", null);
+tslib_1.__decorate([
+    (0, event_emitter_1.OnEvent)(auth_constants_1.NestAuthEvents.REGISTERED),
+    tslib_1.__metadata("design:type", Function),
+    tslib_1.__metadata("design:paramtypes", [events_1.UserRegisteredEvent]),
+    tslib_1.__metadata("design:returntype", Promise)
+], AuditService.prototype, "handleUserRegistered", null);
+tslib_1.__decorate([
+    (0, event_emitter_1.OnEvent)(auth_constants_1.NestAuthEvents.PASSWORD_CHANGED),
+    tslib_1.__metadata("design:type", Function),
+    tslib_1.__metadata("design:paramtypes", [events_1.UserPasswordChangedEvent]),
+    tslib_1.__metadata("design:returntype", Promise)
+], AuditService.prototype, "handlePasswordChanged", null);
+tslib_1.__decorate([
+    (0, event_emitter_1.OnEvent)(auth_constants_1.NestAuthEvents.TWO_FACTOR_ENABLED),
+    tslib_1.__metadata("design:type", Function),
+    tslib_1.__metadata("design:paramtypes", [events_1.User2faEnabledEvent]),
+    tslib_1.__metadata("design:returntype", Promise)
+], AuditService.prototype, "handle2faEnabled", null);
+tslib_1.__decorate([
+    (0, event_emitter_1.OnEvent)(auth_constants_1.NestAuthEvents.TWO_FACTOR_DISABLED),
+    tslib_1.__metadata("design:type", Function),
+    tslib_1.__metadata("design:paramtypes", [events_1.User2faDisabledEvent]),
+    tslib_1.__metadata("design:returntype", Promise)
+], AuditService.prototype, "handle2faDisabled", null);
+exports.AuditService = AuditService = AuditService_1 = tslib_1.__decorate([
+    (0, common_1.Injectable)(),
+    tslib_1.__metadata("design:paramtypes", [auth_config_service_1.AuthConfigService])
+], AuditService);

package/src/lib/auth/controllers/auth.controller.d.ts

@@ -65,7 +65,7 @@ export declare class AuthController {
      */
     resetPassword(input: ResetPasswordRequestDto): Promise<MessageResponseDto>;
     resetPasswordWithToken(input: ResetPasswordWithTokenRequestDto): Promise<MessageResponseDto>;
-    getUser(): Promise<import("../../core").NestAuthUser>;
+    getUser(): Promise<Partial<import("../../core").NestAuthUser>>;
     sendEmailVerification(input: SendEmailVerificationRequestDto): Promise<MessageResponseDto>;
     verifyEmail(input: VerifyEmailRequestDto): Promise<MessageResponseDto>;
     getClientConfig(): Promise<ClientConfigResponseDto>;

package/src/lib/auth/events/index.d.ts

@@ -0,0 +1,13 @@
+export * from './user-logged-in.event';
+export * from './logged-out.event';
+export * from './logged-out-all.event';
+export * from './user-registered.event';
+export * from './password-reset-requested.event';
+export * from './password-reset.event';
+export * from './two-factor-code-sent.event';
+export * from './user-2fa-verified.event';
+export * from './user-refresh-token.event';
+export * from './user-password-changed.event';
+export * from './user-2fa-enabled.event';
+export * from './user-2fa-disabled.event';
+//# sourceMappingURL=index.d.ts.map

package/src/lib/auth/events/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../../../packages/nest-auth/src/lib/auth/events/index.ts"],"names":[],"mappings":"AAAA,cAAc,wBAAwB,CAAC;AACvC,cAAc,oBAAoB,CAAC;AACnC,cAAc,wBAAwB,CAAC;AACvC,cAAc,yBAAyB,CAAC;AACxC,cAAc,kCAAkC,CAAC;AACjD,cAAc,wBAAwB,CAAC;AACvC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,2BAA2B,CAAC;AAC1C,cAAc,4BAA4B,CAAC;AAC3C,cAAc,+BAA+B,CAAC;AAC9C,cAAc,0BAA0B,CAAC;AACzC,cAAc,2BAA2B,CAAC"}

package/src/lib/auth/events/index.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const tslib_1 = require("tslib");
+tslib_1.__exportStar(require("./user-logged-in.event"), exports);
+tslib_1.__exportStar(require("./logged-out.event"), exports);
+tslib_1.__exportStar(require("./logged-out-all.event"), exports);
+tslib_1.__exportStar(require("./user-registered.event"), exports);
+tslib_1.__exportStar(require("./password-reset-requested.event"), exports);
+tslib_1.__exportStar(require("./password-reset.event"), exports);
+tslib_1.__exportStar(require("./two-factor-code-sent.event"), exports);
+tslib_1.__exportStar(require("./user-2fa-verified.event"), exports);
+tslib_1.__exportStar(require("./user-refresh-token.event"), exports);
+tslib_1.__exportStar(require("./user-password-changed.event"), exports);
+tslib_1.__exportStar(require("./user-2fa-enabled.event"), exports);
+tslib_1.__exportStar(require("./user-2fa-disabled.event"), exports);

package/src/lib/auth/events/user-2fa-disabled.event.d.ts

@@ -0,0 +1,10 @@
+import { NestAuthUser } from "../../user/entities/user.entity";
+export interface User2faDisabledEventPayload {
+    user: NestAuthUser;
+}
+export declare class User2faDisabledEvent {
+    readonly payload: User2faDisabledEventPayload;
+    constructor(payload: User2faDisabledEventPayload);
+    get user(): NestAuthUser;
+}
+//# sourceMappingURL=user-2fa-disabled.event.d.ts.map

package/src/lib/auth/events/user-2fa-disabled.event.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-2fa-disabled.event.d.ts","sourceRoot":"","sources":["../../../../../../../packages/nest-auth/src/lib/auth/events/user-2fa-disabled.event.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,iCAAiC,CAAC;AAE/D,MAAM,WAAW,2BAA2B;IACxC,IAAI,EAAE,YAAY,CAAC;CACtB;AAED,qBAAa,oBAAoB;aAET,OAAO,EAAE,2BAA2B;gBAApC,OAAO,EAAE,2BAA2B;IAGxD,IAAI,IAAI,IAAI,YAAY,CAEvB;CACJ"}

package/src/lib/auth/events/user-2fa-disabled.event.js

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.User2faDisabledEvent = void 0;
+class User2faDisabledEvent {
+    constructor(payload) {
+        this.payload = payload;
+    }
+    get user() {
+        return this.payload.user;
+    }
+}
+exports.User2faDisabledEvent = User2faDisabledEvent;

package/src/lib/auth/events/user-2fa-enabled.event.d.ts

@@ -0,0 +1,13 @@
+import { NestAuthUser } from "../../user/entities/user.entity";
+import { MFAMethodEnum } from "../../core/interfaces/mfa-options.interface";
+export interface User2faEnabledEventPayload {
+    user: NestAuthUser;
+    method?: MFAMethodEnum;
+}
+export declare class User2faEnabledEvent {
+    readonly payload: User2faEnabledEventPayload;
+    constructor(payload: User2faEnabledEventPayload);
+    get user(): NestAuthUser;
+    get method(): MFAMethodEnum | undefined;
+}
+//# sourceMappingURL=user-2fa-enabled.event.d.ts.map

package/src/lib/auth/events/user-2fa-enabled.event.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-2fa-enabled.event.d.ts","sourceRoot":"","sources":["../../../../../../../packages/nest-auth/src/lib/auth/events/user-2fa-enabled.event.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,iCAAiC,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,MAAM,6CAA6C,CAAC;AAE5E,MAAM,WAAW,0BAA0B;IACvC,IAAI,EAAE,YAAY,CAAC;IACnB,MAAM,CAAC,EAAE,aAAa,CAAC;CAC1B;AAED,qBAAa,mBAAmB;aAER,OAAO,EAAE,0BAA0B;gBAAnC,OAAO,EAAE,0BAA0B;IAGvD,IAAI,IAAI,IAAI,YAAY,CAEvB;IAED,IAAI,MAAM,IAAI,aAAa,GAAG,SAAS,CAEtC;CACJ"}

package/src/lib/auth/events/user-2fa-enabled.event.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.User2faEnabledEvent = void 0;
+class User2faEnabledEvent {
+    constructor(payload) {
+        this.payload = payload;
+    }
+    get user() {
+        return this.payload.user;
+    }
+    get method() {
+        return this.payload.method;
+    }
+}
+exports.User2faEnabledEvent = User2faEnabledEvent;

package/src/lib/auth/events/user-password-changed.event.d.ts

@@ -0,0 +1,12 @@
+import { NestAuthUser } from "../../user/entities/user.entity";
+export interface UserPasswordChangedEventPayload {
+    user: NestAuthUser;
+    initiatedBy: 'user' | 'admin';
+}
+export declare class UserPasswordChangedEvent {
+    readonly payload: UserPasswordChangedEventPayload;
+    constructor(payload: UserPasswordChangedEventPayload);
+    get user(): NestAuthUser;
+    get initiatedBy(): 'user' | 'admin';
+}
+//# sourceMappingURL=user-password-changed.event.d.ts.map

package/src/lib/auth/events/user-password-changed.event.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-password-changed.event.d.ts","sourceRoot":"","sources":["../../../../../../../packages/nest-auth/src/lib/auth/events/user-password-changed.event.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,iCAAiC,CAAC;AAE/D,MAAM,WAAW,+BAA+B;IAC5C,IAAI,EAAE,YAAY,CAAC;IACnB,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC;CACjC;AAED,qBAAa,wBAAwB;aAEb,OAAO,EAAE,+BAA+B;gBAAxC,OAAO,EAAE,+BAA+B;IAG5D,IAAI,IAAI,IAAI,YAAY,CAEvB;IAED,IAAI,WAAW,IAAI,MAAM,GAAG,OAAO,CAElC;CACJ"}

package/src/lib/auth/events/user-password-changed.event.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UserPasswordChangedEvent = void 0;
+class UserPasswordChangedEvent {
+    constructor(payload) {
+        this.payload = payload;
+    }
+    get user() {
+        return this.payload.user;
+    }
+    get initiatedBy() {
+        return this.payload.initiatedBy;
+    }
+}
+exports.UserPasswordChangedEvent = UserPasswordChangedEvent;

package/src/lib/auth/guards/auth.guard.d.ts

@@ -3,6 +3,7 @@ import { Reflector } from '@nestjs/core';
 import { JwtService } from '../../core/services/jwt.service';
 import { SessionManagerService } from '../../session/services/session-manager.service';
 import { AccessKeyService } from '../../user/services/access-key.service';
+import { AuthConfigService } from '../../core/services/auth-config.service';
 export declare const OPTIONAL_AUTH_KEY = "optional_auth";
 /**
  * NestAuthAuthGuard
@@ -23,7 +24,8 @@ export declare class NestAuthAuthGuard implements CanActivate {
     private jwtService;
     private sessionManager;
     private accessKeyService;
-    constructor(reflector: Reflector, jwtService: JwtService, sessionManager: SessionManagerService, accessKeyService: AccessKeyService);
+    private authConfigService;
+    constructor(reflector: Reflector, jwtService: JwtService, sessionManager: SessionManagerService, accessKeyService: AccessKeyService, authConfigService: AuthConfigService);
     canActivate(context: ExecutionContext): Promise<boolean>;
     private handleJwtAuth;
     private handleApiKeyAuth;
@@ -40,10 +42,26 @@ export declare class NestAuthAuthGuard implements CanActivate {
      * Get required roles from decorator
      */
     private getRequiredRoles;
+    /**
+     * Check if user has required roles
+     */
+    /**
+     * Check if user has required roles
+     */
+    /**
+     * Helper to resolve user roles
+     */
+    private resolveUserRoles;
     /**
      * Check if user has required roles
      */
     private checkRoles;
+    /**
+     * Check if user has required permissions
+     */
+    /**
+     * Check if user has required permissions
+     */
     /**
      * Check if user has required permissions
      */

package/src/lib/auth/guards/auth.guard.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.guard.d.ts","sourceRoot":"","sources":["../../../../../../../packages/nest-auth/src/lib/auth/guards/auth.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,WAAW,EAAE,gBAAgB,EAA6C,MAAM,gBAAgB,CAAC;AAEtH,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,OAAO,EAAE,UAAU,EAAE,MAAM,iCAAiC,CAAC;AAC7D,OAAO,EAAE,qBAAqB,EAAE,MAAM,gDAAgD,CAAC;AACvF,OAAO,EAAE,gBAAgB,EAAE,MAAM,wCAAwC,CAAC;AAO1E,eAAO,MAAM,iBAAiB,kBAAkB,CAAC;AAEjD;;;;;;;;;;;;;GAaG;AACH,qBACa,iBAAkB,YAAW,WAAW;IAE7C,OAAO,CAAC,SAAS;IACjB,OAAO,CAAC,UAAU;IAClB,OAAO,CAAC,cAAc;IACtB,OAAO,CAAC,gBAAgB;gBAHhB,SAAS,EAAE,SAAS,EACpB,UAAU,EAAE,UAAU,EACtB,cAAc,EAAE,qBAAqB,EACrC,gBAAgB,EAAE,gBAAgB;IAGxC,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;YAyFhD,aAAa;YA2Cb,gBAAgB;YAqDhB,QAAQ;IA0BtB;;OAEG;YACW,kBAAkB;IA+BhC;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAc9B;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAcxB;;OAEG;IACH,OAAO,CAAC,UAAU;IAyBlB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IA4BxB;;OAEG;IACH,OAAO,CAAC,kBAAkB;CAiB7B"}
+{"version":3,"file":"auth.guard.d.ts","sourceRoot":"","sources":["../../../../../../../packages/nest-auth/src/lib/auth/guards/auth.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,WAAW,EAAE,gBAAgB,EAA6C,MAAM,gBAAgB,CAAC;AAEtH,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,OAAO,EAAE,UAAU,EAAE,MAAM,iCAAiC,CAAC;AAC7D,OAAO,EAAE,qBAAqB,EAAE,MAAM,gDAAgD,CAAC;AACvF,OAAO,EAAE,gBAAgB,EAAE,MAAM,wCAAwC,CAAC;AAK1E,OAAO,EAAE,iBAAiB,EAAE,MAAM,yCAAyC,CAAC;AAG5E,eAAO,MAAM,iBAAiB,kBAAkB,CAAC;AAEjD;;;;;;;;;;;;;GAaG;AACH,qBACa,iBAAkB,YAAW,WAAW;IAE7C,OAAO,CAAC,SAAS;IACjB,OAAO,CAAC,UAAU;IAClB,OAAO,CAAC,cAAc;IACtB,OAAO,CAAC,gBAAgB;IACxB,OAAO,CAAC,iBAAiB;gBAJjB,SAAS,EAAE,SAAS,EACpB,UAAU,EAAE,UAAU,EACtB,cAAc,EAAE,qBAAqB,EACrC,gBAAgB,EAAE,gBAAgB,EAClC,iBAAiB,EAAE,iBAAiB;IAG1C,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;YAyFhD,aAAa;YAgFb,gBAAgB;YAqDhB,QAAQ;IA0BtB;;OAEG;YACW,kBAAkB;IA+BhC;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAc9B;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAcxB;;OAEG;IACH;;OAEG;IACH;;OAEG;YACW,gBAAgB;IAoB9B;;OAEG;YACW,UAAU;IAsBxB;;OAEG;IACH;;OAEG;IACH;;OAEG;YACW,gBAAgB;IAuC9B;;OAEG;IACH,OAAO,CAAC,kBAAkB;CAiB7B"}

package/src/lib/auth/guards/auth.guard.js

@@ -11,6 +11,7 @@ const access_key_service_1 = require("../../user/services/access-key.service");
 const skip_mfa_decorator_1 = require("../../core/decorators/skip-mfa.decorator");
 const permissions_decorator_1 = require("../../core/decorators/permissions.decorator");
 const role_decorator_1 = require("../../core/decorators/role.decorator");
+const auth_config_service_1 = require("../../core/services/auth-config.service");
 // Key for optional auth metadata
 exports.OPTIONAL_AUTH_KEY = 'optional_auth';
 /**
@@ -28,11 +29,12 @@ exports.OPTIONAL_AUTH_KEY = 'optional_auth';
  * Note: For automatic token refresh, enable RefreshTokenInterceptor globally.
  */
 let NestAuthAuthGuard = class NestAuthAuthGuard {
-    constructor(reflector, jwtService, sessionManager, accessKeyService) {
+    constructor(reflector, jwtService, sessionManager, accessKeyService, authConfigService) {
         this.reflector = reflector;
         this.jwtService = jwtService;
         this.sessionManager = sessionManager;
         this.accessKeyService = accessKeyService;
+        this.authConfigService = authConfigService;
     }
     async canActivate(context) {
         const request = context.switchToHttp().getRequest();
@@ -122,6 +124,17 @@ let NestAuthAuthGuard = class NestAuthAuthGuard {
         try {
             // Verify the JWT token
             const payload = await this.jwtService.verifyToken(token);
+            const config = this.authConfigService.getConfig();
+            // Apply guards.beforeAuth hook if configured
+            if (config.guards?.beforeAuth) {
+                const result = await config.guards.beforeAuth(request, payload);
+                if (result && result.reject) {
+                    throw new common_1.UnauthorizedException({
+                        message: result.reason || 'Authentication rejected by custom guard',
+                        code: auth_constants_1.ERROR_CODES.ACCESS_DENIED
+                    });
+                }
+            }
             request.user = payload;
             request.authType = 'jwt';
             // Verify session exists
@@ -140,9 +153,29 @@ let NestAuthAuthGuard = class NestAuthAuthGuard {
                     });
                 }
             }
+            // Apply jwt.validateToken hook if configured
+            if (config.jwt?.validateToken) {
+                const isValid = await config.jwt.validateToken(payload, session);
+                if (!isValid) {
+                    throw new common_1.UnauthorizedException({
+                        message: 'Token validation failed',
+                        code: auth_constants_1.ERROR_CODES.INVALID_TOKEN
+                    });
+                }
+            }
             request.session = session;
             // Check MFA requirements
             await this.checkMfa(context, payload, isOptional);
+            // Apply guards.afterAuth hook if configured
+            if (config.guards?.afterAuth) {
+                // We need the full user object for the hook if possible, but the signature asks for NestAuthUser
+                // The payload is just the JWT payload. The session has the user data.
+                // Let's try to use session.data.user if available, otherwise we might need to fetch it or cast payload
+                // The interface says user: NestAuthUser. session.data.user is usually the user object.
+                if (session.data?.user) {
+                    await config.guards.afterAuth(request, session.data.user, session);
+                }
+            }
             return true;
         }
         catch (error) {
@@ -255,11 +288,11 @@ let NestAuthAuthGuard = class NestAuthAuthGuard {
         }
         // Check roles if required
         if (requiredRoles.length > 0) {
-            this.checkRoles(user, requiredRoles);
+            await this.checkRoles(user, requiredRoles);
         }
         // Check permissions if required
         if (requiredPermissions.length > 0) {
-            this.checkPermissions(user, requiredPermissions);
+            await this.checkPermissions(user, requiredPermissions);
         }
     }
     /**
@@ -287,17 +320,39 @@ let NestAuthAuthGuard = class NestAuthAuthGuard {
     /**
      * Check if user has required roles
      */
-    checkRoles(user, requiredRoles) {
+    /**
+     * Check if user has required roles
+     */
+    /**
+     * Helper to resolve user roles
+     */
+    async resolveUserRoles(user) {
+        const config = this.authConfigService.getConfig();
+        // Apply authorization.resolveRoles hook if configured
+        if (config.authorization?.resolveRoles) {
+            return await config.authorization.resolveRoles(user);
+        }
+        // Default behavior
         if (!user.roles || !Array.isArray(user.roles)) {
+            // Return empty array instead of throwing, let the caller decide
+            return [];
+        }
+        // Get active role names
+        return user.roles
+            .filter((role) => role.isActive)
+            .map((role) => role.name);
+    }
+    /**
+     * Check if user has required roles
+     */
+    async checkRoles(user, requiredRoles) {
+        const userRoleNames = await this.resolveUserRoles(user);
+        if (userRoleNames.length === 0 && (!user.roles || !Array.isArray(user.roles))) {
             throw new common_1.ForbiddenException({
                 message: 'Access denied: No roles assigned',
                 code: auth_constants_1.ERROR_CODES.NO_ROLES_ASSIGNED,
             });
         }
-        // Get active role names
-        const userRoleNames = user.roles
-            .filter(role => role.isActive)
-            .map(role => role.name);
         // Check if user has all required roles
         const hasAllRoles = requiredRoles.every(role => userRoleNames.includes(role));
         if (!hasAllRoles) {
@@ -311,15 +366,32 @@ let NestAuthAuthGuard = class NestAuthAuthGuard {
     /**
      * Check if user has required permissions
      */
-    checkPermissions(user, requiredPermissions) {
-        if (!user.roles || !Array.isArray(user.roles)) {
-            throw new common_1.ForbiddenException({
-                message: 'Access denied: No roles assigned for permission check',
-                code: auth_constants_1.ERROR_CODES.NO_ROLES_ASSIGNED,
-            });
+    /**
+     * Check if user has required permissions
+     */
+    /**
+     * Check if user has required permissions
+     */
+    async checkPermissions(user, requiredPermissions) {
+        const config = this.authConfigService.getConfig();
+        let userPermissions = [];
+        // Apply authorization.resolvePermissions hook if configured
+        if (config.authorization?.resolvePermissions) {
+            // Resolve roles first as they are needed for the hook
+            const roles = await this.resolveUserRoles(user);
+            userPermissions = await config.authorization.resolvePermissions(user, roles);
+        }
+        else {
+            // Default behavior
+            if (!user.roles || !Array.isArray(user.roles)) {
+                throw new common_1.ForbiddenException({
+                    message: 'Access denied: No roles assigned for permission check',
+                    code: auth_constants_1.ERROR_CODES.NO_ROLES_ASSIGNED,
+                });
+            }
+            // Get all permissions from user's roles
+            userPermissions = this.getUserPermissions(user.roles);
         }
-        // Get all permissions from user's roles
-        const userPermissions = this.getUserPermissions(user.roles);
         // Check if user has all required permissions
         const hasAllPermissions = requiredPermissions.every(permission => userPermissions.includes(permission));
         if (!hasAllPermissions) {
@@ -354,5 +426,6 @@ exports.NestAuthAuthGuard = NestAuthAuthGuard = tslib_1.__decorate([
     tslib_1.__metadata("design:paramtypes", [core_1.Reflector,
         jwt_service_1.JwtService,
         session_manager_service_1.SessionManagerService,
-        access_key_service_1.AccessKeyService])
+        access_key_service_1.AccessKeyService,
+        auth_config_service_1.AuthConfigService])
 ], NestAuthAuthGuard);

package/src/lib/auth/services/auth.service.d.ts

@@ -22,6 +22,8 @@ import { VerifyOtpResponseDto } from '../dto/responses/verify-otp.response.dto';
 import { SendEmailVerificationRequestDto } from '../dto/requests/send-email-verification.request.dto';
 import { VerifyEmailRequestDto } from '../dto/requests/verify-email.request.dto';
 import { AuthConfigService } from '../../core/services/auth-config.service';
+import { AuthTokensResponseDto } from '../dto/responses/auth.response.dto';
+import { UserService } from '../../user/services/user.service';
 export declare class AuthService {
     private readonly userRepository;
     private otpRepository;
@@ -33,9 +35,10 @@ export declare class AuthService {
     private readonly tenantService;
     private readonly debugLogger;
     private readonly authConfigService;
-    constructor(userRepository: Repository<NestAuthUser>, otpRepository: Repository<NestAuthOTP>, authProviderRegistry: AuthProviderRegistryService, mfaService: MfaService, sessionManager: SessionManagerService, jwtService: JwtService, eventEmitter: EventEmitter2, tenantService: TenantService, debugLogger: DebugLoggerService, authConfigService: AuthConfigService);
+    private readonly userService;
+    constructor(userRepository: Repository<NestAuthUser>, otpRepository: Repository<NestAuthOTP>, authProviderRegistry: AuthProviderRegistryService, mfaService: MfaService, sessionManager: SessionManagerService, jwtService: JwtService, eventEmitter: EventEmitter2, tenantService: TenantService, debugLogger: DebugLoggerService, authConfigService: AuthConfigService, userService: UserService);
     getUserWithRolesAndPermissions(userId: string, relations?: string[]): Promise<NestAuthUser>;
-    getUser(): Promise<NestAuthUser>;
+    getUser(): Promise<Partial<NestAuthUser>>;
     signup(input: SignupRequestDto): Promise<AuthResponseDto>;
     login(input: LoginRequestDto): Promise<AuthResponseDto>;
     verify2fa(input: Verify2faRequestDto): Promise<{
@@ -45,10 +48,7 @@ export declare class AuthService {
     }>;
     send2faCode(userId: string, method: MFAMethodEnum): Promise<boolean>;
     private handleSocialLogin;
-    refreshToken(refreshToken: string): Promise<{
-        accessToken: string;
-        refreshToken: string;
-    }>;
+    refreshToken(refreshToken: string): Promise<AuthTokensResponseDto>;
     changePassword(input: ChangePasswordRequestDto): Promise<AuthResponseDto>;
     forgotPassword(input: ForgotPasswordRequestDto): Promise<true | {
         message: string;
@@ -65,6 +65,10 @@ export declare class AuthService {
         message: string;
     }>;
     private generateTokensPayload;
+    /**
+     * Handle errors using the errorHandler hook if configured
+     */
+    private handleError;
     private generateTokensFromSession;
 }
 //# sourceMappingURL=auth.service.d.ts.map

package/src/lib/auth/services/auth.service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.service.d.ts","sourceRoot":"","sources":["../../../../../../../packages/nest-auth/src/lib/auth/services/auth.service.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,YAAY,EAAE,MAAM,iCAAiC,CAAC;AAC/D,OAAO,EAAE,WAAW,EAAE,MAAM,gCAAgC,CAAC;AAU7D,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,MAAM,iCAAiC,CAAC;AAC7D,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,qBAAqB,EAAE,MAAM,gDAAgD,CAAC;AAEvF,OAAO,EAAE,gBAAgB,EAAE,MAAM,oCAAoC,CAAC;AACtE,OAAO,EAAE,eAAe,EAAE,MAAM,oCAAoC,CAAC;AACrE,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,wCAAwC,CAAC;AAC7E,OAAO,EACH,aAAa,EAChB,MAAM,6CAA6C,CAAC;AAErD,OAAO,EAAE,wBAAwB,EAAE,MAAM,6CAA6C,CAAC;AAEvF,OAAO,EAAE,uBAAuB,EAAE,MAAM,4CAA4C,CAAC;AAUrF,OAAO,EAAE,2BAA2B,EAAE,MAAM,oDAAoD,CAAC;AACjG,OAAO,EAAE,aAAa,EAAE,MAAM,sCAAsC,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,0CAA0C,CAAC;AAE9E,OAAO,EAAE,iCAAiC,EAAE,MAAM,wDAAwD,CAAC;AAC3G,OAAO,EAAE,gCAAgC,EAAE,MAAM,uDAAuD,CAAC;AACzG,OAAO,EAAE,wBAAwB,EAAE,MAAM,6CAA6C,CAAC;AACvF,OAAO,EAAE,oBAAoB,EAAE,MAAM,0CAA0C,CAAC;AAChF,OAAO,EAAE,+BAA+B,EAAE,MAAM,qDAAqD,CAAC;AACtG,OAAO,EAAE,qBAAqB,EAAE,MAAM,0CAA0C,CAAC;AACjF,OAAO,EAAE,iBAAiB,EAAE,MAAM,yCAAyC,CAAC;AAG5E,qBACa,WAAW;IAIhB,OAAO,CAAC,QAAQ,CAAC,cAAc;IAG/B,OAAO,CAAC,aAAa;IAErB,OAAO,CAAC,QAAQ,CAAC,oBAAoB;IAErC,OAAO,CAAC,QAAQ,CAAC,UAAU;IAE3B,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,UAAU;IAE3B,OAAO,CAAC,QAAQ,CAAC,YAAY;IAE7B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAE9B,OAAO,CAAC,QAAQ,CAAC,WAAW;IAE5B,OAAO,CAAC,QAAQ,CAAC,iBAAiB;gBAnBjB,cAAc,EAAE,UAAU,CAAC,YAAY,CAAC,EAGjD,aAAa,EAAE,UAAU,CAAC,WAAW,CAAC,EAE7B,oBAAoB,EAAE,2BAA2B,EAEjD,UAAU,EAAE,UAAU,EAEtB,cAAc,EAAE,qBAAqB,EAErC,UAAU,EAAE,UAAU,EAEtB,YAAY,EAAE,aAAa,EAE3B,aAAa,EAAE,aAAa,EAE5B,WAAW,EAAE,kBAAkB,EAE/B,iBAAiB,EAAE,iBAAiB;IAKzD,8BAA8B,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,GAAE,MAAM,EAAO,GAAG,OAAO,CAAC,YAAY,CAAC;IAUzF,OAAO;IAQP,MAAM,CAAC,KAAK,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;IA6HzD,KAAK,CAAC,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,eAAe,CAAC;IA6GvD,SAAS,CAAC,KAAK,EAAE,mBAAmB;;;;;IAqEpC,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa;YAezC,iBAAiB;IAiCzB,YAAY,CAAC,YAAY,EAAE,MAAM;qBAupBkD,MAAM;sBAAgB,MAAM;;IA1lB/G,cAAc,CAAC,KAAK,EAAE,wBAAwB,GAAG,OAAO,CAAC,eAAe,CAAC;IA6DzE,cAAc,CAAC,KAAK,EAAE,wBAAwB;;;IAqF9C,uBAAuB,CAAC,KAAK,EAAE,iCAAiC,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAwFhG,aAAa,CAAC,KAAK,EAAE,uBAAuB;IA8E5C,sBAAsB,CAAC,KAAK,EAAE,gCAAgC;IAqE9D,MAAM,CAAC,UAAU,GAAE,MAAM,GAAG,OAAO,GAAG,QAAiB,EAAE,MAAM,CAAC,EAAE,MAAM;IAwBxE,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,GAAE,MAAM,GAAG,OAAO,GAAG,QAAiB,EAAE,MAAM,CAAC,EAAE,MAAM;IA+B3F,qBAAqB,CAAC,KAAK,EAAE,+BAA+B;;;IA4D5D,WAAW,CAAC,KAAK,EAAE,qBAAqB;;;YAiFhC,qBAAqB;YAyBrB,yBAAyB;CAK1C"}
+{"version":3,"file":"auth.service.d.ts","sourceRoot":"","sources":["../../../../../../../packages/nest-auth/src/lib/auth/services/auth.service.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,YAAY,EAAE,MAAM,iCAAiC,CAAC;AAC/D,OAAO,EAAE,WAAW,EAAE,MAAM,gCAAgC,CAAC;AAU7D,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,MAAM,iCAAiC,CAAC;AAC7D,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,qBAAqB,EAAE,MAAM,gDAAgD,CAAC;AAEvF,OAAO,EAAE,gBAAgB,EAAE,MAAM,oCAAoC,CAAC;AACtE,OAAO,EAAE,eAAe,EAAE,MAAM,oCAAoC,CAAC;AACrE,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,wCAAwC,CAAC;AAC7E,OAAO,EACH,aAAa,EAChB,MAAM,6CAA6C,CAAC;AAErD,OAAO,EAAE,wBAAwB,EAAE,MAAM,6CAA6C,CAAC;AAEvF,OAAO,EAAE,uBAAuB,EAAE,MAAM,4CAA4C,CAAC;AAUrF,OAAO,EAAE,2BAA2B,EAAE,MAAM,oDAAoD,CAAC;AACjG,OAAO,EAAE,aAAa,EAAE,MAAM,sCAAsC,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,0CAA0C,CAAC;AAE9E,OAAO,EAAE,iCAAiC,EAAE,MAAM,wDAAwD,CAAC;AAC3G,OAAO,EAAE,gCAAgC,EAAE,MAAM,uDAAuD,CAAC;AACzG,OAAO,EAAE,wBAAwB,EAAE,MAAM,6CAA6C,CAAC;AACvF,OAAO,EAAE,oBAAoB,EAAE,MAAM,0CAA0C,CAAC;AAChF,OAAO,EAAE,+BAA+B,EAAE,MAAM,qDAAqD,CAAC;AACtG,OAAO,EAAE,qBAAqB,EAAE,MAAM,0CAA0C,CAAC;AACjF,OAAO,EAAE,iBAAiB,EAAE,MAAM,yCAAyC,CAAC;AAI5E,OAAO,EAAE,qBAAqB,EAAE,MAAM,oCAAoC,CAAC;AAC3E,OAAO,EAAE,WAAW,EAAE,MAAM,kCAAkC,CAAC;AAG/D,qBACa,WAAW;IAIhB,OAAO,CAAC,QAAQ,CAAC,cAAc;IAG/B,OAAO,CAAC,aAAa;IAErB,OAAO,CAAC,QAAQ,CAAC,oBAAoB;IAErC,OAAO,CAAC,QAAQ,CAAC,UAAU;IAE3B,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,UAAU;IAE3B,OAAO,CAAC,QAAQ,CAAC,YAAY;IAE7B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAE9B,OAAO,CAAC,QAAQ,CAAC,WAAW;IAE5B,OAAO,CAAC,QAAQ,CAAC,iBAAiB;IAElC,OAAO,CAAC,QAAQ,CAAC,WAAW;gBArBX,cAAc,EAAE,UAAU,CAAC,YAAY,CAAC,EAGjD,aAAa,EAAE,UAAU,CAAC,WAAW,CAAC,EAE7B,oBAAoB,EAAE,2BAA2B,EAEjD,UAAU,EAAE,UAAU,EAEtB,cAAc,EAAE,qBAAqB,EAErC,UAAU,EAAE,UAAU,EAEtB,YAAY,EAAE,aAAa,EAE3B,aAAa,EAAE,aAAa,EAE5B,WAAW,EAAE,kBAAkB,EAE/B,iBAAiB,EAAE,iBAAiB,EAEpC,WAAW,EAAE,WAAW;IAK7C,8BAA8B,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,GAAE,MAAM,EAAO,GAAG,OAAO,CAAC,YAAY,CAAC;IAUzF,OAAO;IAgBP,MAAM,CAAC,KAAK,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;IAiIzD,KAAK,CAAC,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,eAAe,CAAC;IA2HvD,SAAS,CAAC,KAAK,EAAE,mBAAmB;;;;;IAsEpC,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa;YAezC,iBAAiB;IAiCzB,YAAY,CAAC,YAAY,EAAE,MAAM;IA8DjC,cAAc,CAAC,KAAK,EAAE,wBAAwB,GAAG,OAAO,CAAC,eAAe,CAAC;IAsEzE,cAAc,CAAC,KAAK,EAAE,wBAAwB;;;IAsF9C,uBAAuB,CAAC,KAAK,EAAE,iCAAiC,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAyFhG,aAAa,CAAC,KAAK,EAAE,uBAAuB;IA+E5C,sBAAsB,CAAC,KAAK,EAAE,gCAAgC;IAsE9D,MAAM,CAAC,UAAU,GAAE,MAAM,GAAG,OAAO,GAAG,QAAiB,EAAE,MAAM,CAAC,EAAE,MAAM;IAwBxE,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,GAAE,MAAM,GAAG,OAAO,GAAG,QAAiB,EAAE,MAAM,CAAC,EAAE,MAAM;IAiC3F,qBAAqB,CAAC,KAAK,EAAE,+BAA+B;;;IA6D5D,WAAW,CAAC,KAAK,EAAE,qBAAqB;;;YAkFhC,qBAAqB;IAyBnC;;OAEG;IACH,OAAO,CAAC,WAAW;YAYL,yBAAyB;CAK1C"}