npm - @ackplus/nest-auth - Versions diffs - 1.1.28 → 1.1.30 - Mend

@ackplus/nest-auth 1.1.28 → 1.1.30

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (982) hide show

package/src/lib/auth/services/client-config.service.d.ts.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"client-config.service.d.ts","sourceRoot":"","sources":["../../../../../../../packages/nest-auth/src/lib/auth/services/client-config.service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,iBAAiB,EAAE,MAAM,yCAAyC,CAAC;AAC5E,OAAO,EAAE,aAAa,EAAE,MAAM,sCAAsC,CAAC;AACrE,OAAO,EAAE,uBAAuB,EAAE,MAAM,6CAA6C,CAAC;AAEtF,qBACa,mBAAmB;IAExB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;gBADb,UAAU,EAAE,iBAAiB,EAC7B,aAAa,EAAE,aAAa;IAG3C,eAAe,IAAI,OAAO,CAAC,uBAAuB,CAAC;YA4G3C,YAAY;YAoBZ,sBAAsB;CAgBvC"}

package/src/lib/auth/services/client-config.service.js DELETED Viewed

@@ -1,152 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.ClientConfigService = void 0;
-const tslib_1 = require("tslib");
-const common_1 = require("@nestjs/common");
-const auth_config_service_1 = require("../../core/services/auth-config.service");
-const tenant_service_1 = require("../../tenant/services/tenant.service");
-let ClientConfigService = class ClientConfigService {
-    constructor(authConfig, tenantService) {
-        this.authConfig = authConfig;
-        this.tenantService = tenantService;
-    }
-    async getClientConfig() {
-        const config = this.authConfig.getConfig();
-        const tenants = await this.fetchTenants();
-        const defaultTenantId = await this.resolveDefaultTenantId(config.defaultTenant);
-        // Build SSO providers
-        const ssoProviders = [];
-        if (config.google) {
-            const googleAuthUrl = new URL('https://accounts.google.com/o/oauth2/v2/auth');
-            googleAuthUrl.searchParams.set('client_id', config.google.clientId);
-            googleAuthUrl.searchParams.set('redirect_uri', config.google.redirectUri);
-            googleAuthUrl.searchParams.set('response_type', 'code');
-            googleAuthUrl.searchParams.set('scope', 'openid email profile');
-            googleAuthUrl.searchParams.set('access_type', 'offline');
-            googleAuthUrl.searchParams.set('prompt', 'consent');
-            ssoProviders.push({
-                id: 'google',
-                name: 'Google',
-                logoUrl: 'https://www.gstatic.com/firebasejs/ui/2.0.0/images/auth/google.svg',
-                hint: 'Sign in with Google',
-                clientId: config.google.clientId,
-                authorizationUrl: googleAuthUrl.toString(),
-            });
-        }
-        if (config.facebook) {
-            const facebookAuthUrl = new URL('https://www.facebook.com/v18.0/dialog/oauth');
-            facebookAuthUrl.searchParams.set('client_id', config.facebook.appId);
-            facebookAuthUrl.searchParams.set('redirect_uri', config.facebook.redirectUri);
-            facebookAuthUrl.searchParams.set('scope', 'email');
-            facebookAuthUrl.searchParams.set('response_type', 'code');
-            ssoProviders.push({
-                id: 'facebook',
-                name: 'Facebook',
-                logoUrl: 'https://www.gstatic.com/firebasejs/ui/2.0.0/images/auth/facebook.svg',
-                hint: 'Sign in with Facebook',
-                clientId: config.facebook.appId,
-                authorizationUrl: facebookAuthUrl.toString(),
-            });
-        }
-        if (config.apple) {
-            ssoProviders.push({
-                id: 'apple',
-                name: 'Apple',
-                logoUrl: undefined,
-                hint: 'Sign in with Apple',
-            });
-        }
-        if (config.github) {
-            const githubAuthUrl = new URL('https://github.com/login/oauth/authorize');
-            githubAuthUrl.searchParams.set('client_id', config.github.clientId);
-            githubAuthUrl.searchParams.set('redirect_uri', config.github.redirectUri);
-            githubAuthUrl.searchParams.set('scope', 'user:email');
-            githubAuthUrl.searchParams.set('response_type', 'code');
-            ssoProviders.push({
-                id: 'github',
-                name: 'GitHub',
-                logoUrl: 'https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png',
-                hint: 'Sign in with GitHub',
-                clientId: config.github.clientId,
-                authorizationUrl: githubAuthUrl.toString(),
-            });
-        }
-        // Build default config
-        const defaultConfig = {
-            emailAuth: {
-                enabled: config.emailAuth?.enabled ?? false,
-            },
-            phoneAuth: {
-                enabled: config.phoneAuth?.enabled ?? false,
-            },
-            registration: {
-                enabled: config.registration?.enabled !== false, // Default to true unless explicitly disabled
-                requireInvitation: config.registration?.requireInvitation ?? false,
-                collectProfileFields: config.registration?.collectProfileFields,
-            },
-            mfa: {
-                enabled: config.mfa?.enabled ?? false,
-                methods: config.mfa?.methods?.map((m) => m.toString()) ?? [],
-                allowUserToggle: config.mfa?.allowUserToggle ?? true,
-                allowMethodSelection: config.mfa?.allowMethodSelection ?? true,
-            },
-            tenants: {
-                mode: config.defaultTenant ? 'single' : 'multi',
-                defaultTenantId,
-                options: tenants,
-            },
-            sso: {
-                enabled: Boolean(config.google || config.facebook || config.apple || config.github),
-                providers: ssoProviders,
-            },
-        };
-        // Allow customization via factory function
-        if (config.clientConfig?.factory) {
-            const customized = await config.clientConfig.factory(defaultConfig, {
-                configService: this.authConfig,
-                tenantService: this.tenantService,
-            });
-            return customized ?? defaultConfig;
-        }
-        return defaultConfig;
-    }
-    async fetchTenants() {
-        try {
-            const tenants = await this.tenantService.getTenants({
-                select: ['id', 'name', 'slug', 'metadata', 'isActive'],
-                order: { name: 'ASC' },
-            });
-            return tenants.map((tenant) => ({
-                id: tenant.id,
-                name: tenant.name,
-                slug: tenant.slug,
-                metadata: tenant.metadata ?? {},
-                isActive: tenant.isActive,
-            }));
-        }
-        catch (error) {
-            // Return empty array if tenant service fails (e.g., in single-tenant mode)
-            return [];
-        }
-    }
-    async resolveDefaultTenantId(options) {
-        if (!options?.slug && !options?.domain) {
-            return null;
-        }
-        try {
-            const tenant = options.slug
-                ? await this.tenantService.getTenantBySlug(options.slug)
-                : await this.tenantService.getTenantByDomain(options.domain);
-            return tenant?.id ?? null;
-        }
-        catch (error) {
-            return null;
-        }
-    }
-};
-exports.ClientConfigService = ClientConfigService;
-exports.ClientConfigService = ClientConfigService = tslib_1.__decorate([
-    (0, common_1.Injectable)(),
-    tslib_1.__metadata("design:paramtypes", [auth_config_service_1.AuthConfigService,
-        tenant_service_1.TenantService])
-], ClientConfigService);

package/src/lib/auth/services/cookie.service.d.ts.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"cookie.service.d.ts","sourceRoot":"","sources":["../../../../../../../packages/nest-auth/src/lib/auth/services/cookie.service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAMnC,qBACa,aAAa;IACtB,OAAO,CAAC,OAAO,CAAoB;;IAMnC,oBAAoB,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI;IAS7D,qBAAqB,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI;IAS9D,YAAY,CAAC,QAAQ,EAAE,QAAQ,GAAG,IAAI;IAKtC,SAAS,CAAC,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,IAAI;CAIjF"}

package/src/lib/auth/services/cookie.service.js DELETED Viewed

@@ -1,42 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.CookieService = void 0;
-const tslib_1 = require("tslib");
-const common_1 = require("@nestjs/common");
-const auth_constants_1 = require("../../auth.constants");
-const ms_1 = tslib_1.__importDefault(require("ms"));
-const auth_config_service_1 = require("../../core/services/auth-config.service");
-let CookieService = class CookieService {
-    constructor() {
-        this.options = auth_config_service_1.AuthConfigService.getOptions();
-    }
-    setAccessTokenCookie(response, token) {
-        response.cookie(auth_constants_1.ACCESS_TOKEN_COOKIE_NAME, token, {
-            httpOnly: true,
-            secure: this.options.cookieOptions.secure,
-            sameSite: this.options.cookieOptions.sameSite,
-            maxAge: (0, ms_1.default)(this.options.session.sessionExpiry),
-        });
-    }
-    setRefreshTokenCookie(response, token) {
-        response.cookie(auth_constants_1.REFRESH_TOKEN_COOKIE_NAME, token, {
-            httpOnly: true,
-            secure: this.options.cookieOptions.secure,
-            sameSite: this.options.cookieOptions.sameSite,
-            maxAge: (0, ms_1.default)(this.options.session.refreshTokenExpiry),
-        });
-    }
-    clearCookies(response) {
-        response.clearCookie(auth_constants_1.ACCESS_TOKEN_COOKIE_NAME);
-        response.clearCookie(auth_constants_1.REFRESH_TOKEN_COOKIE_NAME);
-    }
-    setTokens(response, accessToken, refreshToken) {
-        this.setAccessTokenCookie(response, accessToken);
-        this.setRefreshTokenCookie(response, refreshToken);
-    }
-};
-exports.CookieService = CookieService;
-exports.CookieService = CookieService = tslib_1.__decorate([
-    (0, common_1.Injectable)(),
-    tslib_1.__metadata("design:paramtypes", [])
-], CookieService);

package/src/lib/auth/services/mfa.service.d.ts.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"mfa.service.d.ts","sourceRoot":"","sources":["../../../../../../../packages/nest-auth/src/lib/auth/services/mfa.service.ts"],"names":[],"mappings":"AAEA,OAAO,EAAY,UAAU,EAAE,MAAM,SAAS,CAAC;AAC/C,OAAO,EAAE,iBAAiB,EAAE,MAAM,uCAAuC,CAAC;AAG1E,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,6CAA6C,CAAC;AAKxF,OAAO,EAAE,YAAY,EAAE,MAAM,iCAAiC,CAAC;AAC/D,OAAO,EAAE,WAAW,EAAE,MAAM,gCAAgC,CAAC;AAK7D,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAEtD,OAAO,EAAE,qBAAqB,EAAE,MAAM,mCAAmC,CAAC;AAM1E,qBACa,UAAU;IAIf,OAAO,CAAC,mBAAmB;IAG3B,OAAO,CAAC,cAAc;IAGtB,OAAO,CAAC,aAAa;IAGrB,OAAO,CAAC,uBAAuB;IAE/B,OAAO,CAAC,YAAY;gBAXZ,mBAAmB,EAAE,UAAU,CAAC,iBAAiB,CAAC,EAGlD,cAAc,EAAE,UAAU,CAAC,YAAY,CAAC,EAGxC,aAAa,EAAE,UAAU,CAAC,WAAW,CAAC,EAGtC,uBAAuB,EAAE,UAAU,CAAC,qBAAqB,CAAC,EAE1D,YAAY,EAAE,aAAa;IAGvC,IAAI,SAAS,IAAI,UAAU,CAE1B;IAED,uBAAuB,CAAC,UAAU,GAAE,OAAc;IAalD,OAAO,CAAC,uBAAuB;IAIzB,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAiC5D,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAmC3D,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC;IAyDpE,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC;IAwDpF,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IAqBjG,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IA6BnF,cAAc,CAAC,MAAM,EAAE,MAAM;;;;;;;;IAmB7B,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAM7C,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAgB/C,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAW9C,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAQ/D,SAAS,CAAC,MAAM,EAAE,MAAM;IAgCxB,UAAU,CAAC,MAAM,EAAE,MAAM;IAsBzB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAMjD,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAUrD,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;IA6B1E,mBAAmB,IAAI,aAAa,EAAE;IAOhC,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAajD,mBAAmB,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAkB1F,qBAAqB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;CAiB/E"}

package/src/lib/auth/services/mfa.service.js DELETED Viewed

@@ -1,410 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.MfaService = void 0;
-const tslib_1 = require("tslib");
-const common_1 = require("@nestjs/common");
-const typeorm_1 = require("@nestjs/typeorm");
-const typeorm_2 = require("typeorm");
-const mfa_secret_entity_1 = require("../../auth/entities/mfa-secret.entity");
-const speakeasy_1 = tslib_1.__importDefault(require("speakeasy"));
-const qrcode_1 = tslib_1.__importDefault(require("qrcode"));
-const mfa_options_interface_1 = require("../../core/interfaces/mfa-options.interface");
-const auth_constants_1 = require("../../auth.constants");
-const user_entity_1 = require("../../user/entities/user.entity");
-const otp_entity_1 = require("../../auth/entities/otp.entity");
-const otp_interface_1 = require("../../core/interfaces/otp.interface");
-const otp_1 = require("../../utils/otp");
-const ms_1 = tslib_1.__importDefault(require("ms"));
-const auth_config_service_1 = require("../../core/services/auth-config.service");
-const event_emitter_1 = require("@nestjs/event-emitter");
-const two_factor_code_sent_event_1 = require("../events/two-factor-code-sent.event");
-const trusted_device_entity_1 = require("../entities/trusted-device.entity");
-const crypto_1 = require("crypto");
-const user_2fa_enabled_event_1 = require("../events/user-2fa-enabled.event");
-const user_2fa_disabled_event_1 = require("../events/user-2fa-disabled.event");
-let MfaService = class MfaService {
-    constructor(mfaSecretRepository, userRepository, otpRepository, trustedDeviceRepository, eventEmitter) {
-        this.mfaSecretRepository = mfaSecretRepository;
-        this.userRepository = userRepository;
-        this.otpRepository = otpRepository;
-        this.trustedDeviceRepository = trustedDeviceRepository;
-        this.eventEmitter = eventEmitter;
-    }
-    get mfaConfig() {
-        return auth_config_service_1.AuthConfigService.getOptions().mfa || {};
-    }
-    requireMfaEnabledForApp(throwError = true) {
-        if (!this.mfaConfig.enabled) {
-            if (throwError) {
-                throw new common_1.ForbiddenException({
-                    message: 'MFA is not enabled for the application',
-                    code: auth_constants_1.ERROR_CODES.MFA_NOT_ENABLED,
-                });
-            }
-            return false;
-        }
-        return true;
-    }
-    checkIsMfaEnabledForApp(throwError = true) {
-        return this.requireMfaEnabledForApp(throwError);
-    }
-    async getVerifiedMethods(userId) {
-        if (!this.requireMfaEnabledForApp(false)) {
-            return [];
-        }
-        const verifiedMethods = [];
-        // Check for verified TOTP devices
-        const verifiedTotpDevice = await this.mfaSecretRepository.findOne({
-            where: {
-                userId,
-                verified: true,
-            },
-        });
-        if (verifiedTotpDevice && this.mfaConfig.methods?.includes(mfa_options_interface_1.MFAMethodEnum.TOTP)) {
-            verifiedMethods.push(mfa_options_interface_1.MFAMethodEnum.TOTP);
-        }
-        // Note: EMAIL and SMS methods are always available if configured
-        // They don't require pre-verification like TOTP does
-        // But we only include them if they're in the config
-        if (this.mfaConfig.methods?.includes(mfa_options_interface_1.MFAMethodEnum.EMAIL)) {
-            verifiedMethods.push(mfa_options_interface_1.MFAMethodEnum.EMAIL);
-        }
-        if (this.mfaConfig.methods?.includes(mfa_options_interface_1.MFAMethodEnum.SMS)) {
-            verifiedMethods.push(mfa_options_interface_1.MFAMethodEnum.SMS);
-        }
-        return verifiedMethods;
-    }
-    async getEnabledMethods(userId) {
-        if (!this.requireMfaEnabledForApp(false)) {
-            return [];
-        }
-        const isEnabled = await this.isMfaEnabled(userId);
-        if (!isEnabled) {
-            return [];
-        }
-        const enableMethod = [];
-        if (this.mfaConfig.methods?.includes(mfa_options_interface_1.MFAMethodEnum.EMAIL)) {
-            enableMethod.push(mfa_options_interface_1.MFAMethodEnum.EMAIL);
-        }
-        if (this.mfaConfig.methods?.includes(mfa_options_interface_1.MFAMethodEnum.SMS)) {
-            enableMethod.push(mfa_options_interface_1.MFAMethodEnum.SMS);
-        }
-        const verifiedTotpDevice = await this.mfaSecretRepository.findOne({
-            where: {
-                userId,
-                verified: true,
-            },
-        });
-        if (verifiedTotpDevice) {
-            enableMethod.push(mfa_options_interface_1.MFAMethodEnum.TOTP);
-        }
-        return enableMethod;
-    }
-    async sendMfaCode(userId, method) {
-        this.requireMfaEnabledForApp(true);
-        const options = auth_config_service_1.AuthConfigService.getOptions();
-        let code;
-        // Apply otp.generate hook if configured
-        if (options.otp?.generate) {
-            code = await options.otp.generate(this.mfaConfig.otpLength);
-        }
-        else {
-            code = (0, otp_1.generateOtp)(this.mfaConfig.otpLength);
-        }
-        let expiresAtMs;
-        if (typeof this.mfaConfig.otpExpiresIn === 'string') {
-            expiresAtMs = (0, ms_1.default)(this.mfaConfig.otpExpiresIn); // example: '15m', '1h', '1d'
-        }
-        else {
-            expiresAtMs = this.mfaConfig.otpExpiresIn || 900000; // Default to 15m if undefined
-        }
-        if (!expiresAtMs || isNaN(expiresAtMs) || expiresAtMs <= 0) {
-            throw new Error(`Invalid MFA configuration: otpExpiresIn '${this.mfaConfig.otpExpiresIn}' results in invalid duration`);
-        }
-        // Invalidate previous MFA OTPs for this user
-        await this.otpRepository.delete({
-            userId,
-            type: otp_interface_1.OTPTypeEnum.MFA
-        });
-        const otp = await this.otpRepository.create({
-            userId,
-            type: otp_interface_1.OTPTypeEnum.MFA,
-            expiresAt: new Date(Date.now() + expiresAtMs),
-            code,
-        });
-        await this.otpRepository.save(otp);
-        if (method === mfa_options_interface_1.MFAMethodEnum.EMAIL || method === mfa_options_interface_1.MFAMethodEnum.SMS) {
-            const user = await this.userRepository.findOne({ where: { id: userId } });
-            if (user) {
-                await this.eventEmitter.emitAsync(auth_constants_1.NestAuthEvents.TWO_FACTOR_CODE_SENT, new two_factor_code_sent_event_1.TwoFactorCodeSentEvent({
-                    user,
-                    tenantId: user.tenantId,
-                    method,
-                    code,
-                }));
-            }
-        }
-        return true;
-    }
-    async verifyMfa(userId, inputOtp, method) {
-        this.requireMfaEnabledForApp(true);
-        // Check for default OTP (Magic Code)
-        if (this.mfaConfig.defaultOtp && this.mfaConfig.defaultOtp === inputOtp) {
-            return true;
-        }
-        if (method === mfa_options_interface_1.MFAMethodEnum.TOTP) {
-            const devices = await this.mfaSecretRepository.find({
-                where: { userId, verified: true }
-            });
-            for (const device of devices) {
-                const isValid = speakeasy_1.default.totp.verify({
-                    secret: device.secret,
-                    encoding: 'base32',
-                    token: inputOtp,
-                    window: 1
-                });
-                if (isValid) {
-                    // Update last used timestamp
-                    await this.mfaSecretRepository.update({ id: device.id }, { lastUsedAt: new Date() });
-                    return true;
-                }
-            }
-            return false;
-        }
-        if (method === mfa_options_interface_1.MFAMethodEnum.EMAIL || method === mfa_options_interface_1.MFAMethodEnum.SMS) {
-            const otp = await this.otpRepository.findOne({
-                where: {
-                    userId,
-                    type: otp_interface_1.OTPTypeEnum.MFA,
-                    used: false,
-                    expiresAt: (0, typeorm_2.MoreThan)(new Date()),
-                    code: inputOtp
-                }
-            });
-            if (!otp) {
-                return false;
-            }
-            await this.otpRepository.delete(otp.id);
-            return true;
-        }
-        return false;
-    }
-    async setupTotpDevice(userId, deviceName) {
-        this.requireMfaEnabledForApp(true);
-        const user = await this.userRepository.findOne({ where: { id: userId } });
-        if (!user) {
-            throw new Error('User not found');
-        }
-        const secret = speakeasy_1.default.generateSecret();
-        await this.mfaSecretRepository.save({
-            userId,
-            secret: secret.base32,
-            deviceName: deviceName || 'Authenticator',
-            verified: false
-        });
-        const qrCode = await qrcode_1.default.toDataURL(secret.otpauth_url);
-        return { secret: secret.base32, qrCode };
-    }
-    async verifyTotpSetup(userId, secret, inputOtp) {
-        this.requireMfaEnabledForApp(true);
-        const device = await this.mfaSecretRepository.findOne({
-            where: { userId, secret }
-        });
-        if (device) {
-            if (device.verified) {
-                return true;
-            }
-            const isValid = speakeasy_1.default.totp.verify({
-                secret: device.secret,
-                encoding: 'base32',
-                token: inputOtp,
-                window: 1
-            });
-            if (isValid) {
-                await this.mfaSecretRepository.update({ id: device.id }, { verified: true });
-                return true;
-            }
-        }
-        return false;
-    }
-    async getTotpDevices(userId) {
-        this.requireMfaEnabledForApp(true);
-        const devices = await this.mfaSecretRepository.find({
-            select: ['id', 'deviceName', 'lastUsedAt', 'verified', 'createdAt'],
-            where: { userId },
-            order: { lastUsedAt: 'DESC', createdAt: 'DESC' }
-        });
-        return devices.map(device => ({
-            id: device.id,
-            deviceName: device.deviceName,
-            method: mfa_options_interface_1.MFAMethodEnum.TOTP,
-            lastUsedAt: device.lastUsedAt,
-            createdAt: device.createdAt,
-            verified: device.verified,
-        }));
-    }
-    async removeDevice(deviceId) {
-        this.requireMfaEnabledForApp(true);
-        await this.mfaSecretRepository.delete({ id: deviceId });
-    }
-    async isRequiresMfa(userId) {
-        if (!this.mfaConfig.enabled) {
-            return false;
-        }
-        if (this.mfaConfig.required) {
-            return true;
-        }
-        const user = await this.userRepository.findOne({
-            select: ['id', 'isMfaEnabled'],
-            where: { id: userId },
-        });
-        return !!user?.isMfaEnabled;
-    }
-    async isMfaEnabled(userId) {
-        if (this.mfaConfig.enabled) {
-            const user = await this.userRepository.findOne({
-                select: ['id', 'isMfaEnabled'],
-                where: { id: userId },
-            });
-            return !!user?.isMfaEnabled;
-        }
-        return false;
-    }
-    async markAsVerified(userId, deviceId) {
-        this.requireMfaEnabledForApp(true);
-        await this.mfaSecretRepository.update({ id: deviceId, userId }, { verified: true });
-    }
-    async enableMFA(userId) {
-        this.requireMfaEnabledForApp(true);
-        if (!this.mfaConfig.allowUserToggle) {
-            throw new common_1.ForbiddenException({
-                message: 'MFA toggling is not allowed',
-                code: auth_constants_1.ERROR_CODES.MFA_TOGGLING_NOT_ALLOWED,
-            });
-        }
-        const verifiedMethods = await this.getVerifiedMethods(userId);
-        if (verifiedMethods.length === 0) {
-            throw new common_1.ForbiddenException({
-                message: 'Cannot enable MFA without at least one verified method',
-                code: auth_constants_1.ERROR_CODES.MFA_CANNOT_ENABLE_WITHOUT_METHOD,
-            });
-        }
-        await this.userRepository.update(userId, { isMfaEnabled: true });
-        const user = await this.userRepository.findOne({ where: { id: userId } });
-        if (user) {
-            await this.eventEmitter.emitAsync(auth_constants_1.NestAuthEvents.TWO_FACTOR_ENABLED, new user_2fa_enabled_event_1.User2faEnabledEvent({
-                user,
-                method: verifiedMethods[0] // Default to first verified method
-            }));
-        }
-    }
-    async disableMFA(userId) {
-        this.checkIsMfaEnabledForApp(true);
-        if (!this.mfaConfig.allowUserToggle) {
-            throw new common_1.ForbiddenException({
-                message: 'MFA toggling is not allowed',
-                code: auth_constants_1.ERROR_CODES.MFA_TOGGLING_NOT_ALLOWED,
-            });
-        }
-        await this.userRepository.update(userId, { isMfaEnabled: false });
-        const user = await this.userRepository.findOne({ where: { id: userId } });
-        if (user) {
-            await this.eventEmitter.emitAsync(auth_constants_1.NestAuthEvents.TWO_FACTOR_DISABLED, new user_2fa_disabled_event_1.User2faDisabledEvent({
-                user
-            }));
-        }
-    }
-    async removeTotpDevice(deviceId) {
-        this.checkIsMfaEnabledForApp(true);
-        await this.mfaSecretRepository.delete({ id: deviceId });
-    }
-    async generateRecoveryCode(userId) {
-        this.checkIsMfaEnabledForApp(true);
-        const secret = speakeasy_1.default.generateSecret({
-            name: `NestAuth:${userId}`,
-        });
-        await this.userRepository.update(userId, { mfaRecoveryCode: secret.base32 });
-        return secret.base32;
-    }
-    async resetMfa(userId, code) {
-        this.checkIsMfaEnabledForApp(true);
-        const user = await this.userRepository.findOne({ where: { id: userId } });
-        if (!user) {
-            throw new common_1.UnauthorizedException({
-                message: 'User not found',
-                code: auth_constants_1.ERROR_CODES.USER_NOT_FOUND
-            });
-        }
-        if (user.mfaRecoveryCode === code) {
-            // Delete recovery code
-            await this.userRepository.update(userId, { mfaRecoveryCode: null });
-            // Delete all mfa secrets
-            await this.mfaSecretRepository.delete({ userId });
-            return {
-                message: 'Recovery code verified',
-            };
-        }
-        throw new common_1.UnauthorizedException({
-            message: 'Invalid recovery code',
-            code: auth_constants_1.ERROR_CODES.MFA_RECOVERY_CODE_INVALID
-        });
-    }
-    getAvailableMethods() {
-        if (!this.requireMfaEnabledForApp(false)) {
-            return [];
-        }
-        return this.mfaConfig.methods ?? [];
-    }
-    async hasRecoveryCode(userId) {
-        if (!this.checkIsMfaEnabledForApp(false)) {
-            return false;
-        }
-        const user = await this.userRepository.findOne({
-            select: ['id', 'mfaRecoveryCode'],
-            where: { id: userId },
-        });
-        return Boolean(user?.mfaRecoveryCode);
-    }
-    async createTrustedDevice(userId, userAgent, ipAddress) {
-        this.requireMfaEnabledForApp(true);
-        const token = (0, crypto_1.randomBytes)(32).toString('hex');
-        const duration = this.mfaConfig.trustedDeviceDuration || '30d';
-        const expiresAtMs = typeof duration === 'string' ? (0, ms_1.default)(duration) : duration;
-        await this.trustedDeviceRepository.save({
-            userId,
-            token,
-            userAgent,
-            ipAddress,
-            expiresAt: new Date(Date.now() + expiresAtMs),
-        });
-        return token;
-    }
-    async validateTrustedDevice(userId, token) {
-        if (!token)
-            return false;
-        const device = await this.trustedDeviceRepository.findOne({
-            where: { userId, token },
-        });
-        if (!device)
-            return false;
-        if (device.expiresAt < new Date()) {
-            await this.trustedDeviceRepository.remove(device);
-            return false;
-        }
-        await this.trustedDeviceRepository.update(device.id, { lastUsedAt: new Date() });
-        return true;
-    }
-};
-exports.MfaService = MfaService;
-exports.MfaService = MfaService = tslib_1.__decorate([
-    (0, common_1.Injectable)(),
-    tslib_1.__param(0, (0, typeorm_1.InjectRepository)(mfa_secret_entity_1.NestAuthMFASecret)),
-    tslib_1.__param(1, (0, typeorm_1.InjectRepository)(user_entity_1.NestAuthUser)),
-    tslib_1.__param(2, (0, typeorm_1.InjectRepository)(otp_entity_1.NestAuthOTP)),
-    tslib_1.__param(3, (0, typeorm_1.InjectRepository)(trusted_device_entity_1.NestAuthTrustedDevice)),
-    tslib_1.__metadata("design:paramtypes", [typeorm_2.Repository,
-        typeorm_2.Repository,
-        typeorm_2.Repository,
-        typeorm_2.Repository,
-        event_emitter_1.EventEmitter2])
-], MfaService);