@ackplus/nest-auth 2.0.0-beta.8 → 2.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +83 -130
- package/dist/index.d.ts +1 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +1 -1
- package/dist/index.js.map +1 -1
- package/dist/lib/admin-console/admin-console.module.js +1 -1
- package/dist/lib/admin-console/admin-console.module.js.map +1 -1
- package/dist/lib/admin-console/controllers/admin-auth.controller.d.ts +3 -3
- package/dist/lib/admin-console/controllers/admin-auth.controller.d.ts.map +1 -1
- package/dist/lib/admin-console/controllers/admin-auth.controller.js +30 -12
- package/dist/lib/admin-console/controllers/admin-auth.controller.js.map +1 -1
- package/dist/lib/admin-console/controllers/admin-console.controller.d.ts +1 -1
- package/dist/lib/admin-console/controllers/admin-console.controller.d.ts.map +1 -1
- package/dist/lib/admin-console/controllers/admin-console.controller.js +19 -9
- package/dist/lib/admin-console/controllers/admin-console.controller.js.map +1 -1
- package/dist/lib/admin-console/controllers/admin-permissions.controller.d.ts.map +1 -1
- package/dist/lib/admin-console/controllers/admin-permissions.controller.js +19 -1
- package/dist/lib/admin-console/controllers/admin-permissions.controller.js.map +1 -1
- package/dist/lib/admin-console/controllers/admin-roles.controller.d.ts.map +1 -1
- package/dist/lib/admin-console/controllers/admin-roles.controller.js +15 -1
- package/dist/lib/admin-console/controllers/admin-roles.controller.js.map +1 -1
- package/dist/lib/admin-console/controllers/admin-tenants.controller.d.ts.map +1 -1
- package/dist/lib/admin-console/controllers/admin-tenants.controller.js +15 -1
- package/dist/lib/admin-console/controllers/admin-tenants.controller.js.map +1 -1
- package/dist/lib/admin-console/controllers/admin-users.controller.d.ts +13 -17
- package/dist/lib/admin-console/controllers/admin-users.controller.d.ts.map +1 -1
- package/dist/lib/admin-console/controllers/admin-users.controller.js +35 -13
- package/dist/lib/admin-console/controllers/admin-users.controller.js.map +1 -1
- package/dist/lib/admin-console/dto/admin-user.dto.d.ts +4 -2
- package/dist/lib/admin-console/dto/admin-user.dto.d.ts.map +1 -1
- package/dist/lib/admin-console/dto/admin-user.dto.js +16 -8
- package/dist/lib/admin-console/dto/admin-user.dto.js.map +1 -1
- package/dist/lib/admin-console/services/admin-console-config.service.d.ts.map +1 -1
- package/dist/lib/admin-console/services/admin-console-config.service.js +10 -4
- package/dist/lib/admin-console/services/admin-console-config.service.js.map +1 -1
- package/dist/lib/admin-console/services/admin-user-management.service.d.ts +1 -1
- package/dist/lib/admin-console/services/admin-user-management.service.d.ts.map +1 -1
- package/dist/lib/admin-console/services/admin-user-management.service.js +1 -1
- package/dist/lib/admin-console/services/admin-user-management.service.js.map +1 -1
- package/dist/lib/admin-console/static/index.html +632 -567
- package/dist/lib/admin-console/static/nest-auth.json +3502 -157
- package/dist/lib/audit/services/audit.service.d.ts +2 -0
- package/dist/lib/audit/services/audit.service.d.ts.map +1 -1
- package/dist/lib/audit/services/audit.service.js +23 -0
- package/dist/lib/audit/services/audit.service.js.map +1 -1
- package/dist/lib/auth/auth.module.d.ts.map +1 -1
- package/dist/lib/auth/auth.module.js +6 -0
- package/dist/lib/auth/auth.module.js.map +1 -1
- package/dist/lib/auth/controllers/auth.controller.d.ts +3 -2
- package/dist/lib/auth/controllers/auth.controller.d.ts.map +1 -1
- package/dist/lib/auth/controllers/auth.controller.js +48 -24
- package/dist/lib/auth/controllers/auth.controller.js.map +1 -1
- package/dist/lib/auth/controllers/mfa.controller.d.ts.map +1 -1
- package/dist/lib/auth/controllers/mfa.controller.js +6 -1
- package/dist/lib/auth/controllers/mfa.controller.js.map +1 -1
- package/dist/lib/auth/dto/credentials/social-credentials.dto.d.ts +2 -0
- package/dist/lib/auth/dto/credentials/social-credentials.dto.d.ts.map +1 -1
- package/dist/lib/auth/dto/credentials/social-credentials.dto.js +28 -0
- package/dist/lib/auth/dto/credentials/social-credentials.dto.js.map +1 -1
- package/dist/lib/auth/dto/requests/verify-2fa.request.dto.d.ts.map +1 -1
- package/dist/lib/auth/dto/requests/verify-2fa.request.dto.js +2 -0
- package/dist/lib/auth/dto/requests/verify-2fa.request.dto.js.map +1 -1
- package/dist/lib/auth/dto/responses/auth.response.dto.d.ts +3 -5
- package/dist/lib/auth/dto/responses/auth.response.dto.d.ts.map +1 -1
- package/dist/lib/auth/dto/responses/auth.response.dto.js +11 -27
- package/dist/lib/auth/dto/responses/auth.response.dto.js.map +1 -1
- package/dist/lib/auth/entities/otp.entity.d.ts +1 -1
- package/dist/lib/auth/entities/otp.entity.d.ts.map +1 -1
- package/dist/lib/auth/entities/otp.entity.js.map +1 -1
- package/dist/lib/auth/entities/trusted-device.entity.d.ts.map +1 -1
- package/dist/lib/auth/entities/trusted-device.entity.js +1 -1
- package/dist/lib/auth/entities/trusted-device.entity.js.map +1 -1
- package/dist/lib/auth/events/login-failed.event.d.ts +15 -0
- package/dist/lib/auth/events/login-failed.event.d.ts.map +1 -0
- package/dist/lib/auth/events/login-failed.event.js +11 -0
- package/dist/lib/auth/events/login-failed.event.js.map +1 -0
- package/dist/lib/auth/events/user-logged-in.event.d.ts +3 -1
- package/dist/lib/auth/events/user-logged-in.event.d.ts.map +1 -1
- package/dist/lib/auth/events/user-logged-in.event.js.map +1 -1
- package/dist/lib/auth/events/user-registered.event.d.ts +2 -1
- package/dist/lib/auth/events/user-registered.event.d.ts.map +1 -1
- package/dist/lib/auth/events/user-registered.event.js.map +1 -1
- package/dist/lib/auth/guards/auth.guard.d.ts.map +1 -1
- package/dist/lib/auth/guards/auth.guard.js +1 -1
- package/dist/lib/auth/guards/auth.guard.js.map +1 -1
- package/dist/lib/auth/interceptors/token-response.interceptor.d.ts.map +1 -1
- package/dist/lib/auth/interceptors/token-response.interceptor.js +4 -3
- package/dist/lib/auth/interceptors/token-response.interceptor.js.map +1 -1
- package/dist/lib/auth/services/auth.service.d.ts +17 -6
- package/dist/lib/auth/services/auth.service.d.ts.map +1 -1
- package/dist/lib/auth/services/auth.service.js +271 -281
- package/dist/lib/auth/services/auth.service.js.map +1 -1
- package/dist/lib/auth/services/logout.service.d.ts +14 -0
- package/dist/lib/auth/services/logout.service.d.ts.map +1 -0
- package/dist/lib/auth/services/logout.service.js +74 -0
- package/dist/lib/auth/services/logout.service.js.map +1 -0
- package/dist/lib/auth/services/mfa.service.d.ts +2 -0
- package/dist/lib/auth/services/mfa.service.d.ts.map +1 -1
- package/dist/lib/auth/services/mfa.service.js +29 -6
- package/dist/lib/auth/services/mfa.service.js.map +1 -1
- package/dist/lib/auth/services/otp-flow.service.d.ts.map +1 -1
- package/dist/lib/auth/services/otp-flow.service.js +1 -2
- package/dist/lib/auth/services/otp-flow.service.js.map +1 -1
- package/dist/lib/auth/services/password.service.d.ts +2 -1
- package/dist/lib/auth/services/password.service.d.ts.map +1 -1
- package/dist/lib/auth/services/password.service.js +19 -6
- package/dist/lib/auth/services/password.service.js.map +1 -1
- package/dist/lib/auth/services/session-token.service.d.ts +37 -0
- package/dist/lib/auth/services/session-token.service.d.ts.map +1 -0
- package/dist/lib/auth/services/session-token.service.js +151 -0
- package/dist/lib/auth/services/session-token.service.js.map +1 -0
- package/dist/lib/auth/services/verification.service.d.ts.map +1 -1
- package/dist/lib/auth/services/verification.service.js +0 -5
- package/dist/lib/auth/services/verification.service.js.map +1 -1
- package/dist/lib/auth.constants.d.ts +15 -0
- package/dist/lib/auth.constants.d.ts.map +1 -1
- package/dist/lib/auth.constants.js +11 -0
- package/dist/lib/auth.constants.js.map +1 -1
- package/dist/lib/core/entities.d.ts +5 -3
- package/dist/lib/core/entities.d.ts.map +1 -1
- package/dist/lib/core/entities.js +5 -2
- package/dist/lib/core/entities.js.map +1 -1
- package/dist/lib/core/index.d.ts +1 -0
- package/dist/lib/core/index.d.ts.map +1 -1
- package/dist/lib/core/index.js +1 -0
- package/dist/lib/core/index.js.map +1 -1
- package/dist/lib/core/interfaces/auth-module-options.interface.d.ts +28 -5
- package/dist/lib/core/interfaces/auth-module-options.interface.d.ts.map +1 -1
- package/dist/lib/core/interfaces/session-options.interface.d.ts +5 -1
- package/dist/lib/core/interfaces/session-options.interface.d.ts.map +1 -1
- package/dist/lib/core/interfaces/session-options.interface.js +1 -0
- package/dist/lib/core/interfaces/session-options.interface.js.map +1 -1
- package/dist/lib/core/interfaces/token-payload.interface.d.ts +3 -1
- package/dist/lib/core/interfaces/token-payload.interface.d.ts.map +1 -1
- package/dist/lib/core/providers/apple-auth.provider.d.ts +13 -7
- package/dist/lib/core/providers/apple-auth.provider.d.ts.map +1 -1
- package/dist/lib/core/providers/apple-auth.provider.js +166 -7
- package/dist/lib/core/providers/apple-auth.provider.js.map +1 -1
- package/dist/lib/core/providers/base-auth.provider.d.ts +2 -0
- package/dist/lib/core/providers/base-auth.provider.d.ts.map +1 -1
- package/dist/lib/core/providers/base-auth.provider.js.map +1 -1
- package/dist/lib/core/providers/email-auth.provider.d.ts.map +1 -1
- package/dist/lib/core/providers/email-auth.provider.js +13 -2
- package/dist/lib/core/providers/email-auth.provider.js.map +1 -1
- package/dist/lib/core/providers/github-auth.provider.d.ts +3 -0
- package/dist/lib/core/providers/github-auth.provider.d.ts.map +1 -1
- package/dist/lib/core/providers/github-auth.provider.js +73 -24
- package/dist/lib/core/providers/github-auth.provider.js.map +1 -1
- package/dist/lib/core/providers/google-auth.provider.d.ts +1 -0
- package/dist/lib/core/providers/google-auth.provider.d.ts.map +1 -1
- package/dist/lib/core/providers/google-auth.provider.js +7 -1
- package/dist/lib/core/providers/google-auth.provider.js.map +1 -1
- package/dist/lib/core/providers/jwt-auth.provider.d.ts +2 -1
- package/dist/lib/core/providers/jwt-auth.provider.d.ts.map +1 -1
- package/dist/lib/core/providers/passwordless-auth.provider.d.ts +3 -1
- package/dist/lib/core/providers/passwordless-auth.provider.d.ts.map +1 -1
- package/dist/lib/core/providers/passwordless-auth.provider.js +11 -1
- package/dist/lib/core/providers/passwordless-auth.provider.js.map +1 -1
- package/dist/lib/core/providers/phone-auth.provider.d.ts.map +1 -1
- package/dist/lib/core/providers/phone-auth.provider.js +13 -2
- package/dist/lib/core/providers/phone-auth.provider.js.map +1 -1
- package/dist/lib/core/services/auth-config.service.d.ts.map +1 -1
- package/dist/lib/core/services/auth-config.service.js +6 -0
- package/dist/lib/core/services/auth-config.service.js.map +1 -1
- package/dist/lib/core/services/jwt.service.d.ts.map +1 -1
- package/dist/lib/core/services/jwt.service.js +10 -5
- package/dist/lib/core/services/jwt.service.js.map +1 -1
- package/dist/lib/core/swagger/api-responses.decorator.d.ts +15 -0
- package/dist/lib/core/swagger/api-responses.decorator.d.ts.map +1 -0
- package/dist/lib/core/swagger/api-responses.decorator.js +57 -0
- package/dist/lib/core/swagger/api-responses.decorator.js.map +1 -0
- package/dist/lib/nest-auth.module.d.ts.map +1 -1
- package/dist/lib/nest-auth.module.js +18 -2
- package/dist/lib/nest-auth.module.js.map +1 -1
- package/dist/lib/permission/events/permission-created.event.d.ts +9 -0
- package/dist/lib/permission/events/permission-created.event.d.ts.map +1 -0
- package/dist/lib/permission/events/permission-created.event.js +11 -0
- package/dist/lib/permission/events/permission-created.event.js.map +1 -0
- package/dist/lib/permission/events/permission-deleted.event.d.ts +9 -0
- package/dist/lib/permission/events/permission-deleted.event.d.ts.map +1 -0
- package/dist/lib/permission/events/permission-deleted.event.js +11 -0
- package/dist/lib/permission/events/permission-deleted.event.js.map +1 -0
- package/dist/lib/permission/events/permission-updated.event.d.ts +10 -0
- package/dist/lib/permission/events/permission-updated.event.d.ts.map +1 -0
- package/dist/lib/permission/events/permission-updated.event.js +11 -0
- package/dist/lib/permission/events/permission-updated.event.js.map +1 -0
- package/dist/lib/permission/index.d.ts +3 -0
- package/dist/lib/permission/index.d.ts.map +1 -1
- package/dist/lib/permission/index.js +3 -0
- package/dist/lib/permission/index.js.map +1 -1
- package/dist/lib/permission/services/permission.service.d.ts +3 -1
- package/dist/lib/permission/services/permission.service.d.ts.map +1 -1
- package/dist/lib/permission/services/permission.service.js +16 -4
- package/dist/lib/permission/services/permission.service.js.map +1 -1
- package/dist/lib/request-context/request-context.d.ts +1 -1
- package/dist/lib/request-context/request-context.d.ts.map +1 -1
- package/dist/lib/request-context/request-context.js +3 -3
- package/dist/lib/request-context/request-context.js.map +1 -1
- package/dist/lib/role/entities/role.entity.d.ts +3 -1
- package/dist/lib/role/entities/role.entity.d.ts.map +1 -1
- package/dist/lib/role/entities/role.entity.js +7 -1
- package/dist/lib/role/entities/role.entity.js.map +1 -1
- package/dist/lib/role/events/role-created.event.d.ts +9 -0
- package/dist/lib/role/events/role-created.event.d.ts.map +1 -0
- package/dist/lib/role/events/role-created.event.js +11 -0
- package/dist/lib/role/events/role-created.event.js.map +1 -0
- package/dist/lib/role/events/role-deleted.event.d.ts +9 -0
- package/dist/lib/role/events/role-deleted.event.d.ts.map +1 -0
- package/dist/lib/role/events/role-deleted.event.js +11 -0
- package/dist/lib/role/events/role-deleted.event.js.map +1 -0
- package/dist/lib/role/events/role-updated.event.d.ts +10 -0
- package/dist/lib/role/events/role-updated.event.d.ts.map +1 -0
- package/dist/lib/role/events/role-updated.event.js +11 -0
- package/dist/lib/role/events/role-updated.event.js.map +1 -0
- package/dist/lib/role/index.d.ts +3 -0
- package/dist/lib/role/index.d.ts.map +1 -1
- package/dist/lib/role/index.js +3 -0
- package/dist/lib/role/index.js.map +1 -1
- package/dist/lib/role/services/role.service.d.ts +3 -1
- package/dist/lib/role/services/role.service.d.ts.map +1 -1
- package/dist/lib/role/services/role.service.js +29 -41
- package/dist/lib/role/services/role.service.js.map +1 -1
- package/dist/lib/role/utils/access-role-resolver.util.d.ts +20 -0
- package/dist/lib/role/utils/access-role-resolver.util.d.ts.map +1 -0
- package/dist/lib/role/utils/access-role-resolver.util.js +63 -0
- package/dist/lib/role/utils/access-role-resolver.util.js.map +1 -0
- package/dist/lib/session/services/session-manager.service.d.ts +8 -3
- package/dist/lib/session/services/session-manager.service.d.ts.map +1 -1
- package/dist/lib/session/services/session-manager.service.js +30 -11
- package/dist/lib/session/services/session-manager.service.js.map +1 -1
- package/dist/lib/session/session.module.d.ts.map +1 -1
- package/dist/lib/session/session.module.js +5 -1
- package/dist/lib/session/session.module.js.map +1 -1
- package/dist/lib/tenant/decorators/current-tenant.decorator.d.ts.map +1 -1
- package/dist/lib/tenant/decorators/current-tenant.decorator.js.map +1 -1
- package/dist/lib/tenant/entities/tenant.entity.d.ts +1 -1
- package/dist/lib/tenant/entities/tenant.entity.d.ts.map +1 -1
- package/dist/lib/tenant/entities/tenant.entity.js +1 -1
- package/dist/lib/tenant/entities/tenant.entity.js.map +1 -1
- package/dist/lib/tenant/index.d.ts +1 -1
- package/dist/lib/tenant/index.d.ts.map +1 -1
- package/dist/lib/tenant/index.js +1 -1
- package/dist/lib/tenant/index.js.map +1 -1
- package/dist/lib/tenant/tenant-context/services/base-tenant-context.service.d.ts +1 -1
- package/dist/lib/tenant/tenant-context/services/base-tenant-context.service.d.ts.map +1 -1
- package/dist/lib/tenant/tenant-context/services/disabled-tenant-context.service.d.ts +1 -1
- package/dist/lib/tenant/tenant-context/services/disabled-tenant-context.service.d.ts.map +1 -1
- package/dist/lib/tenant/tenant-context/tenant-context.interface.d.ts +1 -1
- package/dist/lib/tenant/tenant-context/tenant-context.interface.d.ts.map +1 -1
- package/dist/lib/user/entities/platform-access.entity.d.ts +16 -0
- package/dist/lib/user/entities/platform-access.entity.d.ts.map +1 -0
- package/dist/lib/user/entities/platform-access.entity.js +95 -0
- package/dist/lib/user/entities/platform-access.entity.js.map +1 -0
- package/dist/lib/user/entities/user-access.entity.d.ts +22 -0
- package/dist/lib/user/entities/user-access.entity.d.ts.map +1 -0
- package/dist/lib/{tenant → user}/entities/user-access.entity.js +35 -4
- package/dist/lib/user/entities/user-access.entity.js.map +1 -0
- package/dist/lib/user/entities/user.entity.d.ts +10 -12
- package/dist/lib/user/entities/user.entity.d.ts.map +1 -1
- package/dist/lib/user/entities/user.entity.js +91 -73
- package/dist/lib/user/entities/user.entity.js.map +1 -1
- package/dist/lib/user/services/access-key.service.d.ts +1 -0
- package/dist/lib/user/services/access-key.service.d.ts.map +1 -1
- package/dist/lib/user/services/access-key.service.js +19 -3
- package/dist/lib/user/services/access-key.service.js.map +1 -1
- package/dist/lib/user/services/user.service.d.ts +27 -22
- package/dist/lib/user/services/user.service.d.ts.map +1 -1
- package/dist/lib/user/services/user.service.js +135 -84
- package/dist/lib/user/services/user.service.js.map +1 -1
- package/dist/lib/user/user.module.d.ts.map +1 -1
- package/dist/lib/user/user.module.js +3 -2
- package/dist/lib/user/user.module.js.map +1 -1
- package/package.json +14 -9
- package/dist/lib/tenant/entities/user-access.entity.d.ts +0 -19
- package/dist/lib/tenant/entities/user-access.entity.d.ts.map +0 -1
- package/dist/lib/tenant/entities/user-access.entity.js.map +0 -1
|
@@ -18,6 +18,7 @@ const common_2 = require("@nestjs/common");
|
|
|
18
18
|
const typeorm_1 = require("@nestjs/typeorm");
|
|
19
19
|
const typeorm_2 = require("typeorm");
|
|
20
20
|
const user_entity_1 = require("../../user/entities/user.entity");
|
|
21
|
+
const access_role_resolver_util_1 = require("../../role/utils/access-role-resolver.util");
|
|
21
22
|
const auth_constants_1 = require("../../auth.constants");
|
|
22
23
|
const mfa_service_1 = require("./mfa.service");
|
|
23
24
|
const jwt_service_1 = require("../../core/services/jwt.service");
|
|
@@ -26,11 +27,12 @@ const session_manager_service_1 = require("../../session/services/session-manage
|
|
|
26
27
|
const request_context_1 = require("../../request-context/request-context");
|
|
27
28
|
const nest_auth_contracts_1 = require("@ackplus/nest-auth-contracts");
|
|
28
29
|
const user_registered_event_1 = require("../events/user-registered.event");
|
|
30
|
+
const user_created_event_1 = require("../../user/events/user-created.event");
|
|
31
|
+
const has_token_1 = require("../../utils/has-token");
|
|
29
32
|
const user_logged_in_event_1 = require("../events/user-logged-in.event");
|
|
33
|
+
const login_failed_event_1 = require("../events/login-failed.event");
|
|
30
34
|
const user_2fa_verified_event_1 = require("../events/user-2fa-verified.event");
|
|
31
35
|
const user_refresh_token_event_1 = require("../events/user-refresh-token.event");
|
|
32
|
-
const logged_out_event_1 = require("../events/logged-out.event");
|
|
33
|
-
const logged_out_all_event_1 = require("../events/logged-out-all.event");
|
|
34
36
|
const auth_provider_registry_service_1 = require("../../core/services/auth-provider-registry.service");
|
|
35
37
|
const tenant_service_1 = require("../../tenant/services/tenant.service");
|
|
36
38
|
const debug_logger_service_1 = require("../../core/services/debug-logger.service");
|
|
@@ -41,8 +43,11 @@ const auth_constants_2 = require("../../auth.constants");
|
|
|
41
43
|
const role_mapper_util_1 = require("../../role/utils/role-mapper.util");
|
|
42
44
|
const utils_1 = require("../../utils");
|
|
43
45
|
const otp_flow_service_1 = require("./otp-flow.service");
|
|
46
|
+
const logout_service_1 = require("./logout.service");
|
|
47
|
+
const session_token_service_1 = require("./session-token.service");
|
|
44
48
|
const passwordless_code_requested_event_1 = require("../events/passwordless-code-requested.event");
|
|
45
49
|
const lodash_1 = require("lodash");
|
|
50
|
+
const platform_access_entity_1 = require("../../user/entities/platform-access.entity");
|
|
46
51
|
let AuthService = class AuthService {
|
|
47
52
|
userRepository;
|
|
48
53
|
authProviderRegistry;
|
|
@@ -55,9 +60,11 @@ let AuthService = class AuthService {
|
|
|
55
60
|
authConfigService;
|
|
56
61
|
userService;
|
|
57
62
|
otpFlow;
|
|
63
|
+
logoutService;
|
|
64
|
+
sessionTokenService;
|
|
58
65
|
tenantContext;
|
|
59
66
|
authConfig;
|
|
60
|
-
constructor(userRepository, authProviderRegistry, mfaService, sessionManager, jwtService, eventEmitter, tenantService, debugLogger, authConfigService, userService, otpFlow, tenantContext) {
|
|
67
|
+
constructor(userRepository, authProviderRegistry, mfaService, sessionManager, jwtService, eventEmitter, tenantService, debugLogger, authConfigService, userService, otpFlow, logoutService, sessionTokenService, tenantContext) {
|
|
61
68
|
this.userRepository = userRepository;
|
|
62
69
|
this.authProviderRegistry = authProviderRegistry;
|
|
63
70
|
this.mfaService = mfaService;
|
|
@@ -69,36 +76,19 @@ let AuthService = class AuthService {
|
|
|
69
76
|
this.authConfigService = authConfigService;
|
|
70
77
|
this.userService = userService;
|
|
71
78
|
this.otpFlow = otpFlow;
|
|
79
|
+
this.logoutService = logoutService;
|
|
80
|
+
this.sessionTokenService = sessionTokenService;
|
|
72
81
|
this.tenantContext = tenantContext;
|
|
73
82
|
this.authConfig = this.authConfigService.getConfig();
|
|
74
83
|
}
|
|
75
84
|
getUserWithRoles(userId, relations = []) {
|
|
76
|
-
return this.
|
|
77
|
-
where: { id: userId },
|
|
78
|
-
relations: [
|
|
79
|
-
'userAccesses',
|
|
80
|
-
'userAccesses.roles',
|
|
81
|
-
...relations
|
|
82
|
-
],
|
|
83
|
-
});
|
|
85
|
+
return this.sessionTokenService.getUserWithRoles(userId, relations);
|
|
84
86
|
}
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
if (!user) {
|
|
88
|
-
return null;
|
|
89
|
-
}
|
|
90
|
-
const fullUser = await this.getUserWithRoles(user.id);
|
|
91
|
-
let serializedUser = fullUser;
|
|
92
|
-
if (this.authConfig.user?.serialize) {
|
|
93
|
-
serializedUser = await this.authConfig.user.serialize(fullUser);
|
|
94
|
-
}
|
|
95
|
-
return serializedUser;
|
|
87
|
+
getUserWithAccess(userId, tenantId, isPlatformAccess = false) {
|
|
88
|
+
return this.sessionTokenService.getUserWithAccess(userId, tenantId, isPlatformAccess);
|
|
96
89
|
}
|
|
97
90
|
async signup(input) {
|
|
98
91
|
this.debugLogger.logFunctionEntry('signup', 'AuthService', { email: input.email, phone: input.phone, hasPassword: !!input.password });
|
|
99
|
-
const config = this.authConfigService.getConfig();
|
|
100
|
-
const tenantMode = config.tenant?.mode ?? nest_auth_contracts_1.TenantModeEnum.ISOLATED;
|
|
101
|
-
const tenetEnabled = config.tenant?.enabled ?? false;
|
|
102
92
|
try {
|
|
103
93
|
if (this.authConfig.registration?.enabled === false) {
|
|
104
94
|
throw new common_1.ForbiddenException({
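Review bot: The removed method tail applied `this.authConfig.user.serialize(fullUser)` before returning the user, while the new `getUserWithAccess(userId, tenantId, isPlatformAccess = false)` only forwards to `this.sessionTokenService.getUserWithAccess(...)`; unless the serialize hook now runs inside SessionTokenService (outside this diff), deployments that rely on `user.serialize` to strip fields from the returned entity will start receiving it unserialized. Worth confirming, and then stating on the wrapper: `// field serialization (authConfig.user.serialize) is applied inside SessionTokenService, not here`. The removed method's signature is not in the hunk, so which public method lost the hook cannot be seen from here. Dropping the unused `config`, `tenantMode` and `tenetEnabled` locals at the top of signup() is a good cleanup.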
|
|
@@ -111,6 +101,7 @@ let AuthService = class AuthService {
|
|
|
111
101
|
input = await this.authConfig.registrationHooks.beforeSignup(input, { request: req });
|
|
112
102
|
}
|
|
113
103
|
const { email, phone, password, tenantId } = input;
|
|
104
|
+
this.assertTenantIdAllowed(tenantId);
|
|
114
105
|
await this.tenantService.resolveTenantId(tenantId);
|
|
115
106
|
this.debugLogger.logAuthOperation('signup', 'email|phone', undefined, { email, phone, resolvedTenantId: tenantId });
|
|
116
107
|
if (!email && !phone) {
|
|
@@ -140,11 +131,9 @@ let AuthService = class AuthService {
|
|
|
140
131
|
code: auth_constants_1.ERROR_CODES.PROVIDER_NOT_FOUND,
|
|
141
132
|
});
|
|
142
133
|
}
|
|
143
|
-
console.log('providersToLink', providersToLink);
|
|
144
134
|
for (const item of providersToLink) {
|
|
145
|
-
|
|
146
|
-
const identity = await item.provider.findIdentity(item.providerId,
|
|
147
|
-
console.log('identity', identity);
|
|
135
|
+
const requiredTenantId = this.tenantService.checkRequiredTenant(tenantId);
|
|
136
|
+
const identity = await item.provider.findIdentity(item.providerId, requiredTenantId ? tenantId : undefined);
|
|
148
137
|
if (identity) {
|
|
149
138
|
this.debugLogger.warn('Identity already exists', 'AuthService', { email: !!email, phone: !!phone, tenantId });
|
|
150
139
|
if (item.type === 'email') {
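Review bot: `const requiredTenantId = this.tenantService.checkRequiredTenant(tenantId);` is recomputed on every iteration of `for (const item of providersToLink)` although it depends only on `tenantId`, so it belongs above the loop. If, as its name suggests, checkRequiredTenant returns a boolean, the variable also reads as an id while it is used as a flag; `const isTenantRequired = this.tenantService.checkRequiredTenant(tenantId);` and `item.provider.findIdentity(item.providerId, isTenantRequired ? tenantId : undefined)` say what the lookup does. The `undefined` branch searches identities without a tenant filter, which is presumably intended for the non-isolated tenant mode and deserves a one-line comment to that effect. Removing the `console.log('providersToLink', ...)` and `console.log('identity', ...)` calls is right, since they wrote the resolved identity records to stdout.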
|
|
@@ -162,46 +151,34 @@ let AuthService = class AuthService {
|
|
|
162
151
|
}
|
|
163
152
|
}
|
|
164
153
|
this.debugLogger.debug('Creating new user via UserService', 'AuthService', { email: !!email, phone: !!phone, tenantId });
|
|
165
|
-
|
|
166
|
-
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
|
|
172
|
-
|
|
173
|
-
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
177
|
-
this.debugLogger.debug('Applying registrationHooks.onSignup hook', 'AuthService', { userId: user.id });
|
|
178
|
-
const request = request_context_1.RequestContext.currentRequest();
|
|
179
|
-
const modifiedUser = await this.authConfig.registrationHooks.onSignup(user, input, { request });
|
|
180
|
-
if (modifiedUser) {
|
|
181
|
-
user = modifiedUser;
|
|
182
|
-
}
|
|
183
|
-
}
|
|
184
|
-
user = await this.getUserWithRoles(user.id, ['userAccesses.roles.permissions', 'userAccesses.tenant']);
|
|
185
|
-
const userRoles = user.userAccesses?.map(access => access.roles).flat();
|
|
186
|
-
if (input?.guard) {
|
|
187
|
-
const isExistsGuard = userRoles?.some(r => r.guard === input.guard);
|
|
188
|
-
if (!isExistsGuard) {
|
|
189
|
-
await this.userService.deleteUser(user.id);
|
|
190
|
-
throw new common_1.UnauthorizedException({
|
|
191
|
-
message: 'Not allowed to signup with this guard',
|
|
192
|
-
code: auth_constants_1.ERROR_CODES.FORBIDDEN,
|
|
193
|
-
});
|
|
154
|
+
const request = request_context_1.RequestContext.currentRequest();
|
|
155
|
+
const user = await this.userService.runInTransaction(async (manager) => {
|
|
156
|
+
const created = await this.userService.createUser({
|
|
157
|
+
email,
|
|
158
|
+
phone,
|
|
159
|
+
emailVerifiedAt: null,
|
|
160
|
+
phoneVerifiedAt: null,
|
|
161
|
+
password
|
|
162
|
+
}, tenantId, input, manager);
|
|
163
|
+
if (this.authConfig.registrationHooks?.onSignup) {
|
|
164
|
+
this.debugLogger.debug('Applying registrationHooks.onSignup hook', 'AuthService', { userId: created.id });
|
|
165
|
+
await this.authConfig.registrationHooks.onSignup(created, input, { request, manager });
|
|
194
166
|
}
|
|
195
|
-
|
|
196
|
-
|
|
197
|
-
|
|
167
|
+
return created;
|
|
168
|
+
});
|
|
169
|
+
this.debugLogger.info('User created successfully', 'AuthService', { userId: user.id, tenantId });
|
|
170
|
+
await this.eventEmitter.emitAsync(auth_constants_1.NestAuthEvents.USER_CREATED, new user_created_event_1.UserCreatedEvent({ user, input, tenantId }));
|
|
171
|
+
const { user: authUser, userAccess } = await this.getUserWithAccess(user.id, tenantId);
|
|
172
|
+
this.debugLogger.debug('Creating session for new user', 'AuthService', { userId: authUser.id });
|
|
173
|
+
const session = await this.sessionManager.createSessionFromUser(authUser, userAccess, { tenantId });
|
|
198
174
|
const tokens = await this.generateTokensFromSession(session);
|
|
199
|
-
const isRequiresMfa = await this.mfaService.isRequiresMfa(
|
|
200
|
-
this.debugLogger.debug('Signup tokens generated', 'AuthService', { userId:
|
|
201
|
-
this.debugLogger.debug('Emitting user registration event', 'AuthService', { userId:
|
|
175
|
+
const isRequiresMfa = await this.mfaService.isRequiresMfa(authUser.id);
|
|
176
|
+
this.debugLogger.debug('Signup tokens generated', 'AuthService', { userId: authUser.id, isRequiresMfa });
|
|
177
|
+
this.debugLogger.debug('Emitting user registration event', 'AuthService', { userId: authUser.id });
|
|
202
178
|
const provider = providersToLink[0]?.provider;
|
|
203
179
|
await this.eventEmitter.emitAsync(auth_constants_1.NestAuthEvents.REGISTERED, new user_registered_event_1.UserRegisteredEvent({
|
|
204
|
-
user,
|
|
180
|
+
user: authUser,
|
|
181
|
+
userAccess,
|
|
205
182
|
tenantId,
|
|
206
183
|
input,
|
|
207
184
|
provider,
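Review bot: The post-creation guard check is gone: the removed lines rejected a signup whose `input.guard` matched none of the new user's roles (deleting the user and throwing `Not allowed to signup with this guard`), and nothing in the rewritten path — `runInTransaction`, `getUserWithAccess`, `createSessionFromUser` — re-applies it, so unless `userService.createUser` or `sessionTokenService.getUserWithAccess` (both outside this hunk) enforce the guard, a signup naming a guard the user has no role for now yields a session. The check can be reinstated on the `userAccess` returned by `getUserWithAccess`, before the session is created, keeping the old delete-on-failure compensation; note that `USER_CREATED` has already been emitted at that point, so listeners would see a user that is then removed. A second behavioural change in the same hunk: the return value of `registrationHooks.onSignup` is now discarded, whereas the old code replaced `user` with it when non-null, so hooks that returned a modified user silently stop having effect. signup()'s try/catch continues past the end of the hunk.
```javascript
const { user: authUser, userAccess } = await this.getUserWithAccess(user.id, tenantId);
if (input?.guard) {
    const isExistsGuard = (userAccess?.roles ?? []).some(r => r.guard === input.guard);
    if (!isExistsGuard) {
        // same compensation the previous code applied: do not leave an unusable account behind
        await this.userService.deleteUser(authUser.id);
        throw new common_1.UnauthorizedException({
            message: 'Not allowed to signup with this guard',
            code: auth_constants_1.ERROR_CODES.FORBIDDEN,
        });
    }
}
// … unchanged: session creation, token generation, REGISTERED event …
```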
|
|
@@ -219,7 +196,7 @@ let AuthService = class AuthService {
|
|
|
219
196
|
isRequiresMfa: false,
|
|
220
197
|
};
|
|
221
198
|
}
|
|
222
|
-
return this.generateAuthResponse(
|
|
199
|
+
return this.generateAuthResponse(authUser, session, tokens, isRequiresMfa, undefined);
|
|
223
200
|
}
|
|
224
201
|
catch (error) {
|
|
225
202
|
this.debugLogger.logError(error, 'signup', { email: input.email, phone: input.phone });
|
|
@@ -229,10 +206,21 @@ let AuthService = class AuthService {
|
|
|
229
206
|
}
|
|
230
207
|
async login(input) {
|
|
231
208
|
let { credentials, providerName, createUserIfNotExists = false, guard, tenantId } = input;
|
|
209
|
+
const isPlatformAccess = await access_role_resolver_util_1.AccessRoleResolver.isPlatformAccess();
|
|
232
210
|
this.debugLogger.logFunctionEntry('login', 'AuthService', { providerName, createUserIfNotExists, guard, tenantId });
|
|
233
211
|
try {
|
|
234
|
-
|
|
235
|
-
|
|
212
|
+
if (!isPlatformAccess) {
|
|
213
|
+
this.assertTenantIdAllowed(tenantId);
|
|
214
|
+
}
|
|
215
|
+
let resolvedTenantId = null;
|
|
216
|
+
if (isPlatformAccess) {
|
|
217
|
+
resolvedTenantId = null;
|
|
218
|
+
}
|
|
219
|
+
else {
|
|
220
|
+
await this.tenantService.resolveTenantId(tenantId);
|
|
221
|
+
resolvedTenantId = tenantId;
|
|
222
|
+
}
|
|
223
|
+
this.debugLogger.logAuthOperation('login', providerName, undefined, { tenantId, resolvedTenantId, createUserIfNotExists, isPlatformAccess });
|
|
236
224
|
const provider = this.authProviderRegistry.getProvider(providerName);
|
|
237
225
|
if (!provider) {
|
|
238
226
|
throw new common_1.UnauthorizedException({
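Review bot: The two consecutive branches on `isPlatformAccess` — `if (!isPlatformAccess) { this.assertTenantIdAllowed(tenantId); }` followed by `let resolvedTenantId = null; if (isPlatformAccess) { resolvedTenantId = null; } else { … }` — can be a single branch, since the `resolvedTenantId = null` assignment only repeats the initializer: `let resolvedTenantId = null;` / `if (!isPlatformAccess) { this.assertTenantIdAllowed(tenantId); await this.tenantService.resolveTenantId(tenantId); resolvedTenantId = tenantId; }`. On the platform path a `tenantId` supplied in `input` is silently discarded rather than rejected, and `isPlatformAccess` comes from `AccessRoleResolver.isPlatformAccess()` (outside this hunk) rather than from the credentials, so a comment such as `// platform logins are tenant-less: the caller's tenantId is ignored and access is enforced later against platformAccess` would make the intent auditable. login() continues past the end of the hunk.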
|
|
@@ -247,8 +235,8 @@ let AuthService = class AuthService {
|
|
|
247
235
|
code: auth_constants_1.ERROR_CODES.MISSING_REQUIRED_FIELDS,
|
|
248
236
|
});
|
|
249
237
|
}
|
|
250
|
-
const authProviderUser = await provider.validate(credentials,
|
|
251
|
-
const identity = await provider.
|
|
238
|
+
const authProviderUser = await provider.validate(credentials, resolvedTenantId);
|
|
239
|
+
const identity = await provider.findIdentityByUserId(authProviderUser.userId);
|
|
252
240
|
let user = identity?.user || null;
|
|
253
241
|
if (!user) {
|
|
254
242
|
if (!createUserIfNotExists) {
|
|
@@ -257,7 +245,10 @@ let AuthService = class AuthService {
|
|
|
257
245
|
code: auth_constants_1.ERROR_CODES.INVALID_CREDENTIALS,
|
|
258
246
|
});
|
|
259
247
|
}
|
|
260
|
-
user = await this.handleSocialLogin(provider, authProviderUser,
|
|
248
|
+
user = await this.handleSocialLogin(provider, authProviderUser, resolvedTenantId);
|
|
249
|
+
}
|
|
250
|
+
else {
|
|
251
|
+
user = await this.applyProviderVerification(user, authProviderUser);
|
|
261
252
|
}
|
|
262
253
|
if (user.isActive === false) {
|
|
263
254
|
throw new common_1.UnauthorizedException({
|
|
@@ -265,22 +256,38 @@ let AuthService = class AuthService {
|
|
|
265
256
|
code: auth_constants_1.ERROR_CODES.ACCOUNT_INACTIVE,
|
|
266
257
|
});
|
|
267
258
|
}
|
|
268
|
-
user = await this.
|
|
259
|
+
const { user: authUser, userAccess, platformAccess } = await this.getUserWithAccess(user.id, resolvedTenantId, isPlatformAccess);
|
|
269
260
|
if (this.authConfig.loginHooks?.onLogin) {
|
|
270
|
-
this.debugLogger.debug('Applying loginHooks.onLogin hook', 'AuthService', { userId:
|
|
261
|
+
this.debugLogger.debug('Applying loginHooks.onLogin hook', 'AuthService', { userId: authUser.id });
|
|
271
262
|
const request = request_context_1.RequestContext.currentRequest();
|
|
272
|
-
await this.authConfig.loginHooks.onLogin(
|
|
263
|
+
await this.authConfig.loginHooks.onLogin(authUser, input, { userAccess, platformAccess, request, provider });
|
|
264
|
+
}
|
|
265
|
+
if (isPlatformAccess) {
|
|
266
|
+
if (authUser && !platformAccess) {
|
|
267
|
+
throw new common_1.ForbiddenException({
|
|
268
|
+
message: 'Only platform admins can login',
|
|
269
|
+
code: auth_constants_1.ERROR_CODES.ACCESS_DENIED,
|
|
270
|
+
});
|
|
271
|
+
}
|
|
272
|
+
}
|
|
273
|
+
else {
|
|
274
|
+
await this.ensureTenantAccess(authUser, resolvedTenantId, createUserIfNotExists);
|
|
273
275
|
}
|
|
274
|
-
await this.ensureTenantAccess(user, tenantId, createUserIfNotExists);
|
|
275
276
|
let isRequiresMfa = false;
|
|
276
277
|
let isTrusted = false;
|
|
277
278
|
if (!provider.skipMfa) {
|
|
278
|
-
isRequiresMfa = await this.mfaService.isRequiresMfa(
|
|
279
|
+
isRequiresMfa = await this.mfaService.isRequiresMfa(authUser.id);
|
|
279
280
|
}
|
|
280
281
|
user.isMfaEnabled = isRequiresMfa;
|
|
281
|
-
|
|
282
|
-
|
|
283
|
-
|
|
282
|
+
if (guard && (platformAccess || userAccess)) {
|
|
283
|
+
let guardRoles = [];
|
|
284
|
+
if (isPlatformAccess) {
|
|
285
|
+
guardRoles = platformAccess?.roles ?? [];
|
|
286
|
+
}
|
|
287
|
+
else {
|
|
288
|
+
guardRoles = userAccess?.roles ?? [];
|
|
289
|
+
}
|
|
290
|
+
const isExistsGuard = guardRoles.some(r => r.guard === guard);
|
|
284
291
|
if (!isExistsGuard) {
|
|
285
292
|
throw new common_1.UnauthorizedException({
|
|
286
293
|
message: 'Invalid credentials',
|
|
@@ -288,7 +295,11 @@ let AuthService = class AuthService {
|
|
|
288
295
|
});
|
|
289
296
|
}
|
|
290
297
|
}
|
|
291
|
-
let session = await this.sessionManager.createSessionFromUser(
|
|
298
|
+
let session = await this.sessionManager.createSessionFromUser(authUser, userAccess, {
|
|
299
|
+
tenantId: resolvedTenantId,
|
|
300
|
+
platformAccess: platformAccess,
|
|
301
|
+
isPlatformAccess: isPlatformAccess ?? false
|
|
302
|
+
});
|
|
292
303
|
if (isRequiresMfa) {
|
|
293
304
|
isTrusted = await this.checkTrustedDevice(user);
|
|
294
305
|
if (isTrusted) {
|
|
@@ -300,7 +311,9 @@ let AuthService = class AuthService {
|
|
|
300
311
|
}
|
|
301
312
|
const tokens = await this.generateTokensFromSession(session);
|
|
302
313
|
await this.eventEmitter.emitAsync(auth_constants_1.NestAuthEvents.LOGGED_IN, new user_logged_in_event_1.UserLoggedInEvent({
|
|
303
|
-
user,
|
|
314
|
+
user: authUser,
|
|
315
|
+
userAccess,
|
|
316
|
+
platformAccess,
|
|
304
317
|
tenantId,
|
|
305
318
|
input,
|
|
306
319
|
provider,
|
|
@@ -308,14 +321,39 @@ let AuthService = class AuthService {
|
|
|
308
321
|
tokens,
|
|
309
322
|
isRequiresMfa
|
|
310
323
|
}));
|
|
311
|
-
return this.generateAuthResponse(
|
|
324
|
+
return this.generateAuthResponse(authUser, session, tokens, isRequiresMfa);
|
|
312
325
|
}
|
|
313
326
|
catch (error) {
|
|
314
327
|
this.debugLogger.logError(error, 'login', { providerName, createUserIfNotExists });
|
|
328
|
+
await this.emitLoginFailed(input, error);
|
|
315
329
|
this.handleError(error, 'login');
|
|
316
330
|
throw error;
|
|
317
331
|
}
|
|
318
332
|
}
|
|
333
|
+
async emitLoginFailed(input, error) {
|
|
334
|
+
try {
|
|
335
|
+
const creds = input?.credentials ?? {};
|
|
336
|
+
const identifier = creds.email ?? creds.phone ?? creds.identifier ?? undefined;
|
|
337
|
+
const req = request_context_1.RequestContext.currentRequest?.();
|
|
338
|
+
const resp = error?.getResponse?.();
|
|
339
|
+
const status = error?.getStatus?.();
|
|
340
|
+
const reasonCode = (typeof resp === 'object' && resp?.code) ||
|
|
341
|
+
error?.code ||
|
|
342
|
+
(status ? `HTTP_${status}` : 'LOGIN_FAILED');
|
|
343
|
+
await this.eventEmitter.emitAsync(auth_constants_1.NestAuthEvents.LOGIN_FAILED, new login_failed_event_1.LoginFailedEvent({
|
|
344
|
+
identifier,
|
|
345
|
+
providerName: input?.providerName,
|
|
346
|
+
reasonCode,
|
|
347
|
+
reason: error?.message,
|
|
348
|
+
ip: req?.ip ?? req?.headers?.['x-forwarded-for'],
|
|
349
|
+
userAgent: req?.headers?.['user-agent'],
|
|
350
|
+
tenantId: input?.tenantId ?? null,
|
|
351
|
+
at: new Date(),
|
|
352
|
+
}));
|
|
353
|
+
}
|
|
354
|
+
catch {
|
|
355
|
+
}
|
|
356
|
+
}
|
|
319
357
|
async resolveOrCreateUserForSend(input) {
|
|
320
358
|
const passwordlessConfig = this.authConfigService.getConfig().passwordless;
|
|
321
359
|
const { channel, tenantId } = input;
|
|
@@ -355,7 +393,7 @@ let AuthService = class AuthService {
|
|
|
355
393
|
code: auth_constants_1.ERROR_CODES.REGISTRATION_DISABLED,
|
|
356
394
|
});
|
|
357
395
|
}
|
|
358
|
-
return this.userService.createUser({ email: emailNorm
|
|
396
|
+
return this.userService.createUser({ email: emailNorm }, tenantId ?? undefined, { source: 'passwordless', channel: 'email' });
|
|
359
397
|
}
|
|
360
398
|
else {
|
|
361
399
|
const phoneNorm = (0, utils_1.normalizedPhone)(raw);
|
|
@@ -386,7 +424,7 @@ let AuthService = class AuthService {
|
|
|
386
424
|
code: auth_constants_1.ERROR_CODES.REGISTRATION_DISABLED,
|
|
387
425
|
});
|
|
388
426
|
}
|
|
389
|
-
return this.userService.createUser({ phone: phoneNorm
|
|
427
|
+
return this.userService.createUser({ phone: phoneNorm }, tenantId ?? undefined, { source: 'passwordless', channel: 'sms' });
|
|
390
428
|
}
|
|
391
429
|
}
|
|
392
430
|
async passwordlessSend(input) {
|
|
@@ -427,9 +465,9 @@ let AuthService = class AuthService {
|
|
|
427
465
|
async verify2fa(input) {
|
|
428
466
|
this.debugLogger.logFunctionEntry('verify2fa', 'AuthService', { method: input.method });
|
|
429
467
|
try {
|
|
468
|
+
let user = await request_context_1.RequestContext.currentUser();
|
|
430
469
|
const session = request_context_1.RequestContext.currentSession();
|
|
431
470
|
if (!session) {
|
|
432
|
-
this.debugLogger.error('Session not found for 2FA verification', 'AuthService');
|
|
433
471
|
throw new common_1.UnauthorizedException({
|
|
434
472
|
message: 'Session not found',
|
|
435
473
|
code: auth_constants_1.ERROR_CODES.SESSION_NOT_FOUND,
|
|
@@ -438,13 +476,11 @@ let AuthService = class AuthService {
|
|
|
438
476
|
this.debugLogger.debug('Verifying MFA code', 'AuthService', { userId: session.userId, method: input.method });
|
|
439
477
|
const isValid = await this.mfaService.verifyMfa(session.userId, input.otp, input.method);
|
|
440
478
|
if (!isValid) {
|
|
441
|
-
this.debugLogger.warn('Invalid MFA code provided', 'AuthService', { userId: session.userId, method: input.method });
|
|
442
479
|
throw new common_1.UnauthorizedException({
|
|
443
480
|
message: 'Invalid MFA code',
|
|
444
481
|
code: auth_constants_1.ERROR_CODES.MFA_CODE_INVALID,
|
|
445
482
|
});
|
|
446
483
|
}
|
|
447
|
-
this.debugLogger.debug('Updating session with MFA verification', 'AuthService', { sessionId: session.id });
|
|
448
484
|
const payload = await this.sessionManager.updateSession(session.id, {
|
|
449
485
|
data: {
|
|
450
486
|
...session.data,
|
|
@@ -461,10 +497,12 @@ let AuthService = class AuthService {
|
|
|
461
497
|
trustToken = await this.mfaService.createTrustedDevice(session.userId, userAgent, ip);
|
|
462
498
|
}
|
|
463
499
|
}
|
|
464
|
-
|
|
500
|
+
if (!user) {
|
|
501
|
+
return null;
|
|
502
|
+
}
|
|
465
503
|
this.debugLogger.debug('Emitting 2FA verified event', 'AuthService', { userId: user.id });
|
|
466
504
|
await this.eventEmitter.emitAsync(auth_constants_1.NestAuthEvents.TWO_FACTOR_VERIFIED, new user_2fa_verified_event_1.User2faVerifiedEvent({
|
|
467
|
-
user
|
|
505
|
+
user,
|
|
468
506
|
tenantId: payload.data?.tenantId ?? user?.tenantId,
|
|
469
507
|
input,
|
|
470
508
|
session: payload,
|
|
@@ -487,29 +525,40 @@ let AuthService = class AuthService {
|
|
|
487
525
|
code: auth_constants_1.ERROR_CODES.SESSION_NOT_FOUND,
|
|
488
526
|
});
|
|
489
527
|
}
|
|
528
|
+
if (!this.authConfig.tenant?.enabled) {
|
|
529
|
+
throw new common_1.BadRequestException({
|
|
530
|
+
message: 'Multi-tenancy is disabled on this deployment.',
|
|
531
|
+
code: auth_constants_1.ERROR_CODES.TENANT_SWITCHING_DISABLED,
|
|
532
|
+
});
|
|
533
|
+
}
|
|
534
|
+
const tenantMode = this.authConfig.tenant?.mode ?? nest_auth_contracts_1.TenantModeEnum.ISOLATED;
|
|
535
|
+
if (tenantMode === nest_auth_contracts_1.TenantModeEnum.ISOLATED) {
|
|
536
|
+
throw new common_1.BadRequestException({
|
|
537
|
+
message: 'Tenant switching is not supported in isolated mode. Sign in to the target tenant directly.',
|
|
538
|
+
code: auth_constants_1.ERROR_CODES.TENANT_SWITCHING_NOT_SUPPORTED,
|
|
539
|
+
});
|
|
540
|
+
}
|
|
490
541
|
const resolvedTenantId = await this.tenantService.resolveTenantId(tenantId || null);
|
|
491
|
-
const user = await this.
|
|
492
|
-
where: { id: session.userId },
|
|
493
|
-
relations: [
|
|
494
|
-
'userAccesses',
|
|
495
|
-
'userAccesses.tenant',
|
|
496
|
-
'userAccesses.roles',
|
|
497
|
-
'userAccesses.roles.rolePermissions',
|
|
498
|
-
'userAccesses.roles.rolePermissions.permission',
|
|
499
|
-
],
|
|
500
|
-
});
|
|
542
|
+
const { user, userAccess } = await this.getUserWithAccess(session.userId, resolvedTenantId);
|
|
501
543
|
if (!user) {
|
|
502
544
|
throw new common_1.UnauthorizedException({
|
|
503
545
|
message: 'User not found',
|
|
504
546
|
code: auth_constants_1.ERROR_CODES.USER_NOT_FOUND,
|
|
505
547
|
});
|
|
506
548
|
}
|
|
549
|
+
if (resolvedTenantId && !userAccess) {
|
|
550
|
+
const platformAccess = await platform_access_entity_1.NestAuthPlatformAccess.findOne({
|
|
551
|
+
where: { userId: user.id, isActive: true },
|
|
552
|
+
});
|
|
553
|
+
if (!platformAccess) {
|
|
554
|
+
throw new common_1.ForbiddenException({
|
|
555
|
+
message: 'You do not have access to that tenant.',
|
|
556
|
+
code: auth_constants_1.ERROR_CODES.NOT_A_MEMBER_OF_TENANT,
|
|
557
|
+
});
|
|
558
|
+
}
|
|
559
|
+
}
|
|
507
560
|
await this.ensureTenantAccess(user, resolvedTenantId, false);
|
|
508
|
-
const
|
|
509
|
-
const aTenantId = a?.tenantId ?? null;
|
|
510
|
-
return aTenantId === (resolvedTenantId ?? null);
|
|
511
|
-
});
|
|
512
|
-
const rolesWithPermissions = accessForTenant?.roles ?? [];
|
|
561
|
+
const rolesWithPermissions = userAccess?.roles ?? [];
|
|
513
562
|
const permissions = (0, lodash_1.chain)(rolesWithPermissions)
|
|
514
563
|
.map((role) => (0, role_mapper_util_1.getRolePermissionNames)(role))
|
|
515
564
|
.flatten()
|
|
@@ -528,6 +577,36 @@ let AuthService = class AuthService {
|
|
|
528
577
|
const tokens = await this.generateTokensFromSession(updatedSession);
|
|
529
578
|
return this.generateAuthResponse(user, updatedSession, tokens, false);
|
|
530
579
|
}
|
|
580
|
+
async getSessionUserData() {
|
|
581
|
+
const session = request_context_1.RequestContext.currentSession();
|
|
582
|
+
const tenantId = request_context_1.RequestContext.currentTenantId();
|
|
583
|
+
const isPlatformAccess = await access_role_resolver_util_1.AccessRoleResolver.isPlatformAccess();
|
|
584
|
+
const { user, userAccess, platformAccess } = await this.getUserWithAccess(session.userId, tenantId, isPlatformAccess);
|
|
585
|
+
let rolesWithPermissions = [];
|
|
586
|
+
if (isPlatformAccess) {
|
|
587
|
+
rolesWithPermissions = platformAccess?.roles ?? [];
|
|
588
|
+
}
|
|
589
|
+
else {
|
|
590
|
+
rolesWithPermissions = userAccess?.roles ?? [];
|
|
591
|
+
}
|
|
592
|
+
const permissions = (0, lodash_1.chain)(rolesWithPermissions)
|
|
593
|
+
.map((role) => (0, role_mapper_util_1.getRolePermissionNames)(role))
|
|
594
|
+
.flatten()
|
|
595
|
+
.uniq()
|
|
596
|
+
.value();
|
|
597
|
+
const userRoles = rolesWithPermissions.map((role) => (0, lodash_1.pick)(role, ['id', 'name', 'guard']));
|
|
598
|
+
const config = this.authConfigService.getConfig();
|
|
599
|
+
let serializedUser = {};
|
|
600
|
+
if (config.user?.getSessionUserData) {
|
|
601
|
+
serializedUser = await config.user.getSessionUserData(user);
|
|
602
|
+
}
|
|
603
|
+
return {
|
|
604
|
+
...(0, lodash_1.pick)(user, ['id', 'email', 'phone', 'emailVerifiedAt', 'phoneVerifiedAt', 'isMfaEnabled', 'metadata']),
|
|
605
|
+
...(serializedUser || {}),
|
|
606
|
+
roles: userRoles,
|
|
607
|
+
permissions,
|
|
608
|
+
};
|
|
609
|
+
}
|
|
531
610
|
async send2faCode(userId, method) {
|
|
532
611
|
const user = await this.userRepository.findOne({ where: { id: userId } });
|
|
533
612
|
if (!user) {
|
|
@@ -551,7 +630,7 @@ let AuthService = class AuthService {
|
|
|
551
630
|
try {
|
|
552
631
|
user = await this.userService.createUser({
|
|
553
632
|
[linkUserWith]: linkUserValue,
|
|
554
|
-
|
|
633
|
+
emailVerifiedAt: new Date(),
|
|
555
634
|
metadata: providerUser.metadata || {},
|
|
556
635
|
}, tenantId, {
|
|
557
636
|
[linkUserWith]: linkUserValue,
|
|
@@ -577,43 +656,6 @@ let AuthService = class AuthService {
|
|
|
577
656
|
await provider.linkToUser(user.id, providerUser.userId, providerUser.metadata || {});
|
|
578
657
|
return user;
|
|
579
658
|
}
|
|
580
|
-
async buildSessionDataFromUser(params) {
|
|
581
|
-
const { user, tenantId = null, isMfaVerified = false } = params;
|
|
582
|
-
const accessForTenant = (user.userAccesses ?? []).find((a) => {
|
|
583
|
-
const aTenantId = a?.tenantId ?? null;
|
|
584
|
-
return (tenantId ?? null) === aTenantId;
|
|
585
|
-
});
|
|
586
|
-
const rolesFromUser = accessForTenant?.roles ?? [];
|
|
587
|
-
const hasRolesPreloaded = Array.isArray(rolesFromUser) && rolesFromUser.length >= 0;
|
|
588
|
-
const hasRolePermissionsPreloaded = rolesFromUser?.some((r) => Array.isArray(r?.rolePermissions) &&
|
|
589
|
-
r.rolePermissions.some((rp) => !!rp?.permission?.name)) ?? false;
|
|
590
|
-
const roles = hasRolesPreloaded && rolesFromUser.length
|
|
591
|
-
? rolesFromUser
|
|
592
|
-
: await user.getRoles(tenantId, true);
|
|
593
|
-
const permissions = hasRolePermissionsPreloaded
|
|
594
|
-
? (0, lodash_1.chain)(rolesFromUser)
|
|
595
|
-
.map((role) => (0, role_mapper_util_1.getRolePermissionNames)(role))
|
|
596
|
-
.flatten()
|
|
597
|
-
.uniq()
|
|
598
|
-
.value()
|
|
599
|
-
: (0, lodash_1.chain)(roles)
|
|
600
|
-
.map((role) => (0, role_mapper_util_1.getRolePermissionNames)(role))
|
|
601
|
-
.flatten()
|
|
602
|
-
.uniq()
|
|
603
|
-
.value();
|
|
604
|
-
let sessionData = {
|
|
605
|
-
user,
|
|
606
|
-
isMfaVerified,
|
|
607
|
-
roles: roles.map((role) => (0, role_mapper_util_1.mapRoleToSessionSnapshot)(role)),
|
|
608
|
-
permissions,
|
|
609
|
-
tenantId,
|
|
610
|
-
};
|
|
611
|
-
const customize = auth_config_service_1.AuthConfigService.getOptions().session?.customizeSessionData;
|
|
612
|
-
if (customize) {
|
|
613
|
-
sessionData = await customize(sessionData, user);
|
|
614
|
-
}
|
|
615
|
-
return sessionData;
|
|
616
|
-
}
|
|
617
659
|
async refreshToken(refreshToken) {
|
|
618
660
|
this.debugLogger.logFunctionEntry('refreshToken', 'AuthService', { hasRefreshToken: !!refreshToken });
|
|
619
661
|
try {
|
|
@@ -624,6 +666,7 @@ let AuthService = class AuthService {
|
|
|
624
666
|
code: auth_constants_1.ERROR_CODES.REFRESH_TOKEN_INVALID,
|
|
625
667
|
});
|
|
626
668
|
}
|
|
669
|
+
const isPlatformAccess = await access_role_resolver_util_1.AccessRoleResolver.isPlatformAccess();
|
|
627
670
|
this.debugLogger.debug('Verifying refresh token', 'AuthService');
|
|
628
671
|
let payload;
|
|
629
672
|
try {
|
|
@@ -649,38 +692,73 @@ let AuthService = class AuthService {
|
|
|
649
692
|
code: auth_constants_1.ERROR_CODES.REFRESH_TOKEN_INVALID,
|
|
650
693
|
});
|
|
651
694
|
}
|
|
652
|
-
const
|
|
653
|
-
|
|
654
|
-
|
|
655
|
-
|
|
695
|
+
const storedRefreshHash = session.refreshToken;
|
|
696
|
+
if (storedRefreshHash) {
|
|
697
|
+
const secret = this.authConfig.session?.jwt?.secret ?? '';
|
|
698
|
+
if (!(0, has_token_1.timingSafeEqualHex)(storedRefreshHash, (0, has_token_1.hmacSha256Hex)(secret, refreshToken))) {
|
|
699
|
+
throw new common_1.UnauthorizedException({
|
|
700
|
+
message: 'Refresh token is no longer valid (rotated or replayed)',
|
|
701
|
+
code: auth_constants_1.ERROR_CODES.REFRESH_TOKEN_INVALID,
|
|
702
|
+
});
|
|
703
|
+
}
|
|
704
|
+
}
|
|
705
|
+
const { user, userAccess, platformAccess } = await this.getUserWithAccess(session.userId, session.data?.tenantId ?? null, isPlatformAccess);
|
|
656
706
|
if (!user) {
|
|
657
|
-
await this.sessionManager.revokeSession(session.id);
|
|
707
|
+
await this.sessionManager.revokeSession(session.id, 'security');
|
|
658
708
|
throw new common_1.UnauthorizedException({
|
|
659
709
|
message: 'User not found',
|
|
660
710
|
code: auth_constants_1.ERROR_CODES.USER_NOT_FOUND,
|
|
661
711
|
});
|
|
662
712
|
}
|
|
663
713
|
if (user.isActive === false) {
|
|
664
|
-
await this.sessionManager.revokeSession(session.id);
|
|
714
|
+
await this.sessionManager.revokeSession(session.id, 'security');
|
|
665
715
|
throw new common_1.UnauthorizedException({
|
|
666
716
|
message: 'Your account is suspended, please contact support',
|
|
667
717
|
code: auth_constants_1.ERROR_CODES.ACCOUNT_INACTIVE,
|
|
668
718
|
});
|
|
669
719
|
}
|
|
670
720
|
const tenantId = session.data?.tenantId ?? null;
|
|
671
|
-
|
|
672
|
-
|
|
721
|
+
if (!isPlatformAccess && !userAccess) {
|
|
722
|
+
try {
|
|
723
|
+
await this.ensureTenantAccess(user, tenantId, false);
|
|
724
|
+
}
|
|
725
|
+
catch (error) {
|
|
726
|
+
await this.sessionManager.revokeSession(session.id, 'security');
|
|
727
|
+
throw error;
|
|
728
|
+
}
|
|
673
729
|
}
|
|
674
|
-
|
|
675
|
-
await this.sessionManager.revokeSession(session.id);
|
|
676
|
-
throw
|
|
730
|
+
if (isPlatformAccess && !platformAccess) {
|
|
731
|
+
await this.sessionManager.revokeSession(session.id, 'security');
|
|
732
|
+
throw new common_1.UnauthorizedException({
|
|
733
|
+
message: 'You are not authorized to platform access',
|
|
734
|
+
code: auth_constants_1.ERROR_CODES.ACCESS_DENIED,
|
|
735
|
+
});
|
|
677
736
|
}
|
|
678
737
|
const isMfaVerified = !!session.data?.isMfaVerified;
|
|
679
|
-
|
|
738
|
+
let roles = [];
|
|
739
|
+
if (isPlatformAccess) {
|
|
740
|
+
roles = platformAccess?.roles ?? [];
|
|
741
|
+
}
|
|
742
|
+
else {
|
|
743
|
+
roles = userAccess?.roles ?? [];
|
|
744
|
+
}
|
|
745
|
+
const permissions = (0, lodash_1.chain)(roles)
|
|
746
|
+
.map((role) => (0, role_mapper_util_1.getRolePermissionNames)(role))
|
|
747
|
+
.flatten()
|
|
748
|
+
.uniq()
|
|
749
|
+
.value();
|
|
750
|
+
let freshSessionData = {
|
|
680
751
|
user,
|
|
681
|
-
tenantId,
|
|
682
752
|
isMfaVerified,
|
|
683
|
-
|
|
753
|
+
roles: roles.map((role) => (0, role_mapper_util_1.mapRoleToSessionSnapshot)(role)),
|
|
754
|
+
permissions,
|
|
755
|
+
tenantId,
|
|
756
|
+
isPlatformAccess: isPlatformAccess ?? false,
|
|
757
|
+
};
|
|
758
|
+
const customize = auth_config_service_1.AuthConfigService.getOptions().session?.customizeSessionData;
|
|
759
|
+
if (customize) {
|
|
760
|
+
freshSessionData = await customize(freshSessionData, user);
|
|
761
|
+
}
|
|
684
762
|
const refreshedSession = await this.sessionManager.refreshSession(session);
|
|
685
763
|
const updatedSession = await this.sessionManager.updateSession(refreshedSession.id, {
|
|
686
764
|
data: {
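Review bot: The replay check under `if (storedRefreshHash)` degrades silently in two ways: `const secret = this.authConfig.session?.jwt?.secret ?? ''` computes the HMAC with an empty key when no secret is configured, and the comparison is skipped entirely when `session.refreshToken` is empty, so a session with no stored hash is refreshed with no rotation/replay protection at all. A missing secret should fail closed, e.g. `if (!secret) throw new Error('session.jwt.secret is required to verify refresh tokens');` before the `hmacSha256Hex` call, and if the no-hash branch is a deliberate migration path for sessions created before this version, that should be stated in a comment there and such sessions treated like the other failure paths (`revokeSession(session.id, 'security')` and re-login) rather than passed through. Reusing the JWT signing secret as the HMAC key for the stored refresh hash also couples the two: rotating the signing secret will invalidate every stored refresh hash, so a dedicated config value or a derived key would keep their rotation independent. refreshToken's body begins before and continues after this hunk.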
|
|
@@ -706,39 +784,10 @@ let AuthService = class AuthService {
|
|
|
706
784
|
}
|
|
707
785
|
}
|
|
708
786
|
async logout(logoutType = 'user', reason) {
|
|
709
|
-
|
|
710
|
-
const user = await this.getUser();
|
|
711
|
-
if (session) {
|
|
712
|
-
await this.eventEmitter.emitAsync(auth_constants_1.NestAuthEvents.LOGGED_OUT, new logged_out_event_1.LoggedOutEvent({
|
|
713
|
-
user: user,
|
|
714
|
-
tenantId: session?.data?.tenantId ?? user?.tenantId,
|
|
715
|
-
session,
|
|
716
|
-
logoutType,
|
|
717
|
-
reason,
|
|
718
|
-
}));
|
|
719
|
-
await this.sessionManager.revokeSession(session.id);
|
|
720
|
-
}
|
|
721
|
-
return true;
|
|
787
|
+
return this.logoutService.logout(logoutType, reason);
|
|
722
788
|
}
|
|
723
789
|
async logoutAll(userId, logoutType = 'user', reason) {
|
|
724
|
-
|
|
725
|
-
await this.sessionManager.revokeAllUserSessions(userId);
|
|
726
|
-
const user = await this.userRepository.findOne({ where: { id: userId } });
|
|
727
|
-
if (user) {
|
|
728
|
-
await this.eventEmitter.emitAsync(auth_constants_1.NestAuthEvents.LOGGED_OUT_ALL, new logged_out_all_event_1.LoggedOutAllEvent({
|
|
729
|
-
user,
|
|
730
|
-
tenantId: request_context_1.RequestContext.currentTenantId(),
|
|
731
|
-
logoutType,
|
|
732
|
-
reason,
|
|
733
|
-
sessions,
|
|
734
|
-
}));
|
|
735
|
-
}
|
|
736
|
-
return true;
|
|
737
|
-
}
|
|
738
|
-
getTenantMode() {
|
|
739
|
-
const config = this.authConfigService.getConfig();
|
|
740
|
-
const mode = config.tenant?.mode;
|
|
741
|
-
return mode === nest_auth_contracts_1.TenantModeEnum.SHARED ? nest_auth_contracts_1.TenantModeEnum.SHARED : nest_auth_contracts_1.TenantModeEnum.ISOLATED;
|
|
790
|
+
return this.logoutService.logoutAll(userId, logoutType, reason);
|
|
742
791
|
}
|
|
743
792
|
async ensureTenantAccess(user, tenantId, allowAutoJoin = false) {
|
|
744
793
|
if (!tenantId || !this.tenantContext.isEnabled()) {
|
|
@@ -756,26 +805,6 @@ let AuthService = class AuthService {
|
|
|
756
805
|
});
|
|
757
806
|
}
|
|
758
807
|
}
|
|
759
|
-
async generateTokensPayload(session, otherPayload = {}) {
|
|
760
|
-
let payload = {
|
|
761
|
-
id: session.userId,
|
|
762
|
-
sub: session.userId,
|
|
763
|
-
sessionId: session.id,
|
|
764
|
-
email: session.data?.user?.email,
|
|
765
|
-
phone: session.data?.user?.phone,
|
|
766
|
-
isVerified: session.data?.user?.isVerified,
|
|
767
|
-
roles: session.data?.roles || [],
|
|
768
|
-
tenantId: session.data?.tenantId,
|
|
769
|
-
isMfaEnabled: session.data?.user?.isMfaEnabled,
|
|
770
|
-
isMfaVerified: session.data?.isMfaVerified,
|
|
771
|
-
...otherPayload,
|
|
772
|
-
};
|
|
773
|
-
const config = this.authConfigService.getConfig();
|
|
774
|
-
if (config.session?.customizeTokenPayload) {
|
|
775
|
-
payload = await config.session.customizeTokenPayload(payload, session);
|
|
776
|
-
}
|
|
777
|
-
return payload;
|
|
778
|
-
}
|
|
779
808
|
handleError(error, context) {
|
|
780
809
|
const config = this.authConfigService.getConfig();
|
|
781
810
|
if (config.errorHandler) {
|
|
@@ -786,81 +815,40 @@ let AuthService = class AuthService {
|
|
|
786
815
|
}
|
|
787
816
|
}
|
|
788
817
|
async generateTokensFromSession(session) {
|
|
789
|
-
|
|
790
|
-
const tokens = await this.jwtService.generateTokens(payload);
|
|
791
|
-
return tokens;
|
|
818
|
+
return this.sessionTokenService.generateTokensFromSession(session);
|
|
792
819
|
}
|
|
793
820
|
async generateAuthResponse(user, session, tokens, isRequiresMfa, trustToken) {
|
|
794
|
-
|
|
795
|
-
|
|
796
|
-
|
|
797
|
-
|
|
798
|
-
|
|
799
|
-
|
|
800
|
-
|
|
801
|
-
|
|
802
|
-
|
|
803
|
-
|
|
804
|
-
|
|
805
|
-
|
|
806
|
-
|
|
807
|
-
|
|
808
|
-
|
|
809
|
-
|
|
810
|
-
|
|
811
|
-
|
|
812
|
-
|
|
813
|
-
|
|
814
|
-
|
|
815
|
-
|
|
816
|
-
|
|
817
|
-
|
|
818
|
-
|
|
819
|
-
|
|
820
|
-
|
|
821
|
-
|
|
822
|
-
|
|
823
|
-
|
|
824
|
-
} : undefined,
|
|
825
|
-
isActive: access.isActive,
|
|
826
|
-
isDefault: access.isDefault,
|
|
827
|
-
status: access.status,
|
|
828
|
-
metadata: access.metadata ?? {},
|
|
829
|
-
createdAt: access.createdAt,
|
|
830
|
-
updatedAt: access.updatedAt,
|
|
831
|
-
}));
|
|
832
|
-
const rolesForResponse = session?.data?.roles || [];
|
|
833
|
-
const roleNames = rolesForResponse?.map(r => r.name) || [];
|
|
834
|
-
const permissions = session?.data?.permissions || [];
|
|
835
|
-
let response = {
|
|
836
|
-
accessToken: tokens.accessToken,
|
|
837
|
-
refreshToken: tokens.refreshToken,
|
|
838
|
-
isRequiresMfa: isRequiresMfa,
|
|
839
|
-
user: {
|
|
840
|
-
id: serializedUser.id,
|
|
841
|
-
email: serializedUser.email,
|
|
842
|
-
phone: serializedUser.phone,
|
|
843
|
-
isVerified: serializedUser.isVerified,
|
|
844
|
-
isMfaEnabled: serializedUser.isMfaEnabled,
|
|
845
|
-
roles: roleNames,
|
|
846
|
-
permissions,
|
|
847
|
-
metadata: serializedUser.metadata,
|
|
848
|
-
tenantId: activeTenantId,
|
|
849
|
-
userAccesses,
|
|
850
|
-
},
|
|
851
|
-
};
|
|
852
|
-
if (isRequiresMfa) {
|
|
853
|
-
const enabledMethods = await this.mfaService.getEnabledMethods(user.id);
|
|
854
|
-
response.mfaMethods = enabledMethods;
|
|
855
|
-
response.defaultMfaMethod = this.mfaService.mfaConfig?.defaultMethod || enabledMethods[0];
|
|
856
|
-
}
|
|
857
|
-
if (config.auth?.transformResponse) {
|
|
858
|
-
response = await config.auth.transformResponse(response, user, session);
|
|
859
|
-
}
|
|
860
|
-
if (trustToken) {
|
|
861
|
-
response.trustToken = trustToken;
|
|
821
|
+
return this.sessionTokenService.generateAuthResponse(user, session, tokens, isRequiresMfa, trustToken);
|
|
822
|
+
}
|
|
823
|
+
async applyProviderVerification(user, providerUser) {
|
|
824
|
+
const updates = {};
|
|
825
|
+
if (providerUser.emailVerified === true &&
|
|
826
|
+
!user.emailVerifiedAt &&
|
|
827
|
+
user.email &&
|
|
828
|
+
providerUser.email &&
|
|
829
|
+
user.email.toLowerCase() === providerUser.email.toLowerCase()) {
|
|
830
|
+
updates.emailVerifiedAt = new Date();
|
|
831
|
+
}
|
|
832
|
+
if (providerUser.phoneVerified === true &&
|
|
833
|
+
!user.phoneVerifiedAt &&
|
|
834
|
+
user.phone &&
|
|
835
|
+
providerUser.phone &&
|
|
836
|
+
user.phone === providerUser.phone) {
|
|
837
|
+
updates.phoneVerifiedAt = new Date();
|
|
838
|
+
}
|
|
839
|
+
if (Object.keys(updates).length === 0) {
|
|
840
|
+
return user;
|
|
841
|
+
}
|
|
842
|
+
await this.userRepository.update({ id: user.id }, updates);
|
|
843
|
+
return (await this.userRepository.findOne({ where: { id: user.id } })) ?? user;
|
|
844
|
+
}
|
|
845
|
+
assertTenantIdAllowed(tenantId) {
|
|
846
|
+
if (!this.authConfig.tenant?.enabled && tenantId) {
|
|
847
|
+
throw new common_1.BadRequestException({
|
|
848
|
+
message: 'tenantId provided but multi-tenancy is disabled on this deployment.',
|
|
849
|
+
code: auth_constants_1.ERROR_CODES.TENANT_NOT_ENABLED,
|
|
850
|
+
});
|
|
862
851
|
}
|
|
863
|
-
return response;
|
|
864
852
|
}
|
|
865
853
|
async checkTrustedDevice(user) {
|
|
866
854
|
const trustCookieName = auth_config_service_1.AuthConfigService.getOptions().mfa?.trustDeviceStorageName || auth_constants_1.NEST_AUTH_TRUST_DEVICE_KEY;
|
|
@@ -881,7 +869,7 @@ exports.AuthService = AuthService;
|
|
|
881
869
|
exports.AuthService = AuthService = __decorate([
|
|
882
870
|
(0, common_1.Injectable)(),
|
|
883
871
|
__param(0, (0, typeorm_1.InjectRepository)(user_entity_1.NestAuthUser)),
|
|
884
|
-
__param(
|
|
872
|
+
__param(13, (0, common_2.Inject)(auth_constants_2.NEST_AUTH_TENANT_CONTEXT_SERVICE)),
|
|
885
873
|
__metadata("design:paramtypes", [typeorm_2.Repository,
|
|
886
874
|
auth_provider_registry_service_1.AuthProviderRegistryService,
|
|
887
875
|
mfa_service_1.MfaService,
|
|
@@ -892,6 +880,8 @@ exports.AuthService = AuthService = __decorate([
|
|
|
892
880
|
debug_logger_service_1.DebugLoggerService,
|
|
893
881
|
auth_config_service_1.AuthConfigService,
|
|
894
882
|
user_service_1.UserService,
|
|
895
|
-
otp_flow_service_1.OtpFlowService,
|
|
883
|
+
otp_flow_service_1.OtpFlowService,
|
|
884
|
+
logout_service_1.LogoutService,
|
|
885
|
+
session_token_service_1.SessionTokenService, Object])
|
|
896
886
|
], AuthService);
|
|
897
887
|
//# sourceMappingURL=auth.service.js.map
|