@ackplus/nest-auth 2.0.0-beta.8 → 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (276) hide show
  1. package/README.md +83 -130
  2. package/dist/index.d.ts +1 -1
  3. package/dist/index.d.ts.map +1 -1
  4. package/dist/index.js +1 -1
  5. package/dist/index.js.map +1 -1
  6. package/dist/lib/admin-console/admin-console.module.js +1 -1
  7. package/dist/lib/admin-console/admin-console.module.js.map +1 -1
  8. package/dist/lib/admin-console/controllers/admin-auth.controller.d.ts +3 -3
  9. package/dist/lib/admin-console/controllers/admin-auth.controller.d.ts.map +1 -1
  10. package/dist/lib/admin-console/controllers/admin-auth.controller.js +30 -12
  11. package/dist/lib/admin-console/controllers/admin-auth.controller.js.map +1 -1
  12. package/dist/lib/admin-console/controllers/admin-console.controller.d.ts +1 -1
  13. package/dist/lib/admin-console/controllers/admin-console.controller.d.ts.map +1 -1
  14. package/dist/lib/admin-console/controllers/admin-console.controller.js +19 -9
  15. package/dist/lib/admin-console/controllers/admin-console.controller.js.map +1 -1
  16. package/dist/lib/admin-console/controllers/admin-permissions.controller.d.ts.map +1 -1
  17. package/dist/lib/admin-console/controllers/admin-permissions.controller.js +19 -1
  18. package/dist/lib/admin-console/controllers/admin-permissions.controller.js.map +1 -1
  19. package/dist/lib/admin-console/controllers/admin-roles.controller.d.ts.map +1 -1
  20. package/dist/lib/admin-console/controllers/admin-roles.controller.js +15 -1
  21. package/dist/lib/admin-console/controllers/admin-roles.controller.js.map +1 -1
  22. package/dist/lib/admin-console/controllers/admin-tenants.controller.d.ts.map +1 -1
  23. package/dist/lib/admin-console/controllers/admin-tenants.controller.js +15 -1
  24. package/dist/lib/admin-console/controllers/admin-tenants.controller.js.map +1 -1
  25. package/dist/lib/admin-console/controllers/admin-users.controller.d.ts +13 -17
  26. package/dist/lib/admin-console/controllers/admin-users.controller.d.ts.map +1 -1
  27. package/dist/lib/admin-console/controllers/admin-users.controller.js +35 -13
  28. package/dist/lib/admin-console/controllers/admin-users.controller.js.map +1 -1
  29. package/dist/lib/admin-console/dto/admin-user.dto.d.ts +4 -2
  30. package/dist/lib/admin-console/dto/admin-user.dto.d.ts.map +1 -1
  31. package/dist/lib/admin-console/dto/admin-user.dto.js +16 -8
  32. package/dist/lib/admin-console/dto/admin-user.dto.js.map +1 -1
  33. package/dist/lib/admin-console/services/admin-console-config.service.d.ts.map +1 -1
  34. package/dist/lib/admin-console/services/admin-console-config.service.js +10 -4
  35. package/dist/lib/admin-console/services/admin-console-config.service.js.map +1 -1
  36. package/dist/lib/admin-console/services/admin-user-management.service.d.ts +1 -1
  37. package/dist/lib/admin-console/services/admin-user-management.service.d.ts.map +1 -1
  38. package/dist/lib/admin-console/services/admin-user-management.service.js +1 -1
  39. package/dist/lib/admin-console/services/admin-user-management.service.js.map +1 -1
  40. package/dist/lib/admin-console/static/index.html +632 -567
  41. package/dist/lib/admin-console/static/nest-auth.json +3502 -157
  42. package/dist/lib/audit/services/audit.service.d.ts +2 -0
  43. package/dist/lib/audit/services/audit.service.d.ts.map +1 -1
  44. package/dist/lib/audit/services/audit.service.js +23 -0
  45. package/dist/lib/audit/services/audit.service.js.map +1 -1
  46. package/dist/lib/auth/auth.module.d.ts.map +1 -1
  47. package/dist/lib/auth/auth.module.js +6 -0
  48. package/dist/lib/auth/auth.module.js.map +1 -1
  49. package/dist/lib/auth/controllers/auth.controller.d.ts +3 -2
  50. package/dist/lib/auth/controllers/auth.controller.d.ts.map +1 -1
  51. package/dist/lib/auth/controllers/auth.controller.js +48 -24
  52. package/dist/lib/auth/controllers/auth.controller.js.map +1 -1
  53. package/dist/lib/auth/controllers/mfa.controller.d.ts.map +1 -1
  54. package/dist/lib/auth/controllers/mfa.controller.js +6 -1
  55. package/dist/lib/auth/controllers/mfa.controller.js.map +1 -1
  56. package/dist/lib/auth/dto/credentials/social-credentials.dto.d.ts +2 -0
  57. package/dist/lib/auth/dto/credentials/social-credentials.dto.d.ts.map +1 -1
  58. package/dist/lib/auth/dto/credentials/social-credentials.dto.js +28 -0
  59. package/dist/lib/auth/dto/credentials/social-credentials.dto.js.map +1 -1
  60. package/dist/lib/auth/dto/requests/verify-2fa.request.dto.d.ts.map +1 -1
  61. package/dist/lib/auth/dto/requests/verify-2fa.request.dto.js +2 -0
  62. package/dist/lib/auth/dto/requests/verify-2fa.request.dto.js.map +1 -1
  63. package/dist/lib/auth/dto/responses/auth.response.dto.d.ts +3 -5
  64. package/dist/lib/auth/dto/responses/auth.response.dto.d.ts.map +1 -1
  65. package/dist/lib/auth/dto/responses/auth.response.dto.js +11 -27
  66. package/dist/lib/auth/dto/responses/auth.response.dto.js.map +1 -1
  67. package/dist/lib/auth/entities/otp.entity.d.ts +1 -1
  68. package/dist/lib/auth/entities/otp.entity.d.ts.map +1 -1
  69. package/dist/lib/auth/entities/otp.entity.js.map +1 -1
  70. package/dist/lib/auth/entities/trusted-device.entity.d.ts.map +1 -1
  71. package/dist/lib/auth/entities/trusted-device.entity.js +1 -1
  72. package/dist/lib/auth/entities/trusted-device.entity.js.map +1 -1
  73. package/dist/lib/auth/events/login-failed.event.d.ts +15 -0
  74. package/dist/lib/auth/events/login-failed.event.d.ts.map +1 -0
  75. package/dist/lib/auth/events/login-failed.event.js +11 -0
  76. package/dist/lib/auth/events/login-failed.event.js.map +1 -0
  77. package/dist/lib/auth/events/user-logged-in.event.d.ts +3 -1
  78. package/dist/lib/auth/events/user-logged-in.event.d.ts.map +1 -1
  79. package/dist/lib/auth/events/user-logged-in.event.js.map +1 -1
  80. package/dist/lib/auth/events/user-registered.event.d.ts +2 -1
  81. package/dist/lib/auth/events/user-registered.event.d.ts.map +1 -1
  82. package/dist/lib/auth/events/user-registered.event.js.map +1 -1
  83. package/dist/lib/auth/guards/auth.guard.d.ts.map +1 -1
  84. package/dist/lib/auth/guards/auth.guard.js +1 -1
  85. package/dist/lib/auth/guards/auth.guard.js.map +1 -1
  86. package/dist/lib/auth/interceptors/token-response.interceptor.d.ts.map +1 -1
  87. package/dist/lib/auth/interceptors/token-response.interceptor.js +4 -3
  88. package/dist/lib/auth/interceptors/token-response.interceptor.js.map +1 -1
  89. package/dist/lib/auth/services/auth.service.d.ts +17 -6
  90. package/dist/lib/auth/services/auth.service.d.ts.map +1 -1
  91. package/dist/lib/auth/services/auth.service.js +271 -281
  92. package/dist/lib/auth/services/auth.service.js.map +1 -1
  93. package/dist/lib/auth/services/logout.service.d.ts +14 -0
  94. package/dist/lib/auth/services/logout.service.d.ts.map +1 -0
  95. package/dist/lib/auth/services/logout.service.js +74 -0
  96. package/dist/lib/auth/services/logout.service.js.map +1 -0
  97. package/dist/lib/auth/services/mfa.service.d.ts +2 -0
  98. package/dist/lib/auth/services/mfa.service.d.ts.map +1 -1
  99. package/dist/lib/auth/services/mfa.service.js +29 -6
  100. package/dist/lib/auth/services/mfa.service.js.map +1 -1
  101. package/dist/lib/auth/services/otp-flow.service.d.ts.map +1 -1
  102. package/dist/lib/auth/services/otp-flow.service.js +1 -2
  103. package/dist/lib/auth/services/otp-flow.service.js.map +1 -1
  104. package/dist/lib/auth/services/password.service.d.ts +2 -1
  105. package/dist/lib/auth/services/password.service.d.ts.map +1 -1
  106. package/dist/lib/auth/services/password.service.js +19 -6
  107. package/dist/lib/auth/services/password.service.js.map +1 -1
  108. package/dist/lib/auth/services/session-token.service.d.ts +37 -0
  109. package/dist/lib/auth/services/session-token.service.d.ts.map +1 -0
  110. package/dist/lib/auth/services/session-token.service.js +151 -0
  111. package/dist/lib/auth/services/session-token.service.js.map +1 -0
  112. package/dist/lib/auth/services/verification.service.d.ts.map +1 -1
  113. package/dist/lib/auth/services/verification.service.js +0 -5
  114. package/dist/lib/auth/services/verification.service.js.map +1 -1
  115. package/dist/lib/auth.constants.d.ts +15 -0
  116. package/dist/lib/auth.constants.d.ts.map +1 -1
  117. package/dist/lib/auth.constants.js +11 -0
  118. package/dist/lib/auth.constants.js.map +1 -1
  119. package/dist/lib/core/entities.d.ts +5 -3
  120. package/dist/lib/core/entities.d.ts.map +1 -1
  121. package/dist/lib/core/entities.js +5 -2
  122. package/dist/lib/core/entities.js.map +1 -1
  123. package/dist/lib/core/index.d.ts +1 -0
  124. package/dist/lib/core/index.d.ts.map +1 -1
  125. package/dist/lib/core/index.js +1 -0
  126. package/dist/lib/core/index.js.map +1 -1
  127. package/dist/lib/core/interfaces/auth-module-options.interface.d.ts +28 -5
  128. package/dist/lib/core/interfaces/auth-module-options.interface.d.ts.map +1 -1
  129. package/dist/lib/core/interfaces/session-options.interface.d.ts +5 -1
  130. package/dist/lib/core/interfaces/session-options.interface.d.ts.map +1 -1
  131. package/dist/lib/core/interfaces/session-options.interface.js +1 -0
  132. package/dist/lib/core/interfaces/session-options.interface.js.map +1 -1
  133. package/dist/lib/core/interfaces/token-payload.interface.d.ts +3 -1
  134. package/dist/lib/core/interfaces/token-payload.interface.d.ts.map +1 -1
  135. package/dist/lib/core/providers/apple-auth.provider.d.ts +13 -7
  136. package/dist/lib/core/providers/apple-auth.provider.d.ts.map +1 -1
  137. package/dist/lib/core/providers/apple-auth.provider.js +166 -7
  138. package/dist/lib/core/providers/apple-auth.provider.js.map +1 -1
  139. package/dist/lib/core/providers/base-auth.provider.d.ts +2 -0
  140. package/dist/lib/core/providers/base-auth.provider.d.ts.map +1 -1
  141. package/dist/lib/core/providers/base-auth.provider.js.map +1 -1
  142. package/dist/lib/core/providers/email-auth.provider.d.ts.map +1 -1
  143. package/dist/lib/core/providers/email-auth.provider.js +13 -2
  144. package/dist/lib/core/providers/email-auth.provider.js.map +1 -1
  145. package/dist/lib/core/providers/github-auth.provider.d.ts +3 -0
  146. package/dist/lib/core/providers/github-auth.provider.d.ts.map +1 -1
  147. package/dist/lib/core/providers/github-auth.provider.js +73 -24
  148. package/dist/lib/core/providers/github-auth.provider.js.map +1 -1
  149. package/dist/lib/core/providers/google-auth.provider.d.ts +1 -0
  150. package/dist/lib/core/providers/google-auth.provider.d.ts.map +1 -1
  151. package/dist/lib/core/providers/google-auth.provider.js +7 -1
  152. package/dist/lib/core/providers/google-auth.provider.js.map +1 -1
  153. package/dist/lib/core/providers/jwt-auth.provider.d.ts +2 -1
  154. package/dist/lib/core/providers/jwt-auth.provider.d.ts.map +1 -1
  155. package/dist/lib/core/providers/passwordless-auth.provider.d.ts +3 -1
  156. package/dist/lib/core/providers/passwordless-auth.provider.d.ts.map +1 -1
  157. package/dist/lib/core/providers/passwordless-auth.provider.js +11 -1
  158. package/dist/lib/core/providers/passwordless-auth.provider.js.map +1 -1
  159. package/dist/lib/core/providers/phone-auth.provider.d.ts.map +1 -1
  160. package/dist/lib/core/providers/phone-auth.provider.js +13 -2
  161. package/dist/lib/core/providers/phone-auth.provider.js.map +1 -1
  162. package/dist/lib/core/services/auth-config.service.d.ts.map +1 -1
  163. package/dist/lib/core/services/auth-config.service.js +6 -0
  164. package/dist/lib/core/services/auth-config.service.js.map +1 -1
  165. package/dist/lib/core/services/jwt.service.d.ts.map +1 -1
  166. package/dist/lib/core/services/jwt.service.js +10 -5
  167. package/dist/lib/core/services/jwt.service.js.map +1 -1
  168. package/dist/lib/core/swagger/api-responses.decorator.d.ts +15 -0
  169. package/dist/lib/core/swagger/api-responses.decorator.d.ts.map +1 -0
  170. package/dist/lib/core/swagger/api-responses.decorator.js +57 -0
  171. package/dist/lib/core/swagger/api-responses.decorator.js.map +1 -0
  172. package/dist/lib/nest-auth.module.d.ts.map +1 -1
  173. package/dist/lib/nest-auth.module.js +18 -2
  174. package/dist/lib/nest-auth.module.js.map +1 -1
  175. package/dist/lib/permission/events/permission-created.event.d.ts +9 -0
  176. package/dist/lib/permission/events/permission-created.event.d.ts.map +1 -0
  177. package/dist/lib/permission/events/permission-created.event.js +11 -0
  178. package/dist/lib/permission/events/permission-created.event.js.map +1 -0
  179. package/dist/lib/permission/events/permission-deleted.event.d.ts +9 -0
  180. package/dist/lib/permission/events/permission-deleted.event.d.ts.map +1 -0
  181. package/dist/lib/permission/events/permission-deleted.event.js +11 -0
  182. package/dist/lib/permission/events/permission-deleted.event.js.map +1 -0
  183. package/dist/lib/permission/events/permission-updated.event.d.ts +10 -0
  184. package/dist/lib/permission/events/permission-updated.event.d.ts.map +1 -0
  185. package/dist/lib/permission/events/permission-updated.event.js +11 -0
  186. package/dist/lib/permission/events/permission-updated.event.js.map +1 -0
  187. package/dist/lib/permission/index.d.ts +3 -0
  188. package/dist/lib/permission/index.d.ts.map +1 -1
  189. package/dist/lib/permission/index.js +3 -0
  190. package/dist/lib/permission/index.js.map +1 -1
  191. package/dist/lib/permission/services/permission.service.d.ts +3 -1
  192. package/dist/lib/permission/services/permission.service.d.ts.map +1 -1
  193. package/dist/lib/permission/services/permission.service.js +16 -4
  194. package/dist/lib/permission/services/permission.service.js.map +1 -1
  195. package/dist/lib/request-context/request-context.d.ts +1 -1
  196. package/dist/lib/request-context/request-context.d.ts.map +1 -1
  197. package/dist/lib/request-context/request-context.js +3 -3
  198. package/dist/lib/request-context/request-context.js.map +1 -1
  199. package/dist/lib/role/entities/role.entity.d.ts +3 -1
  200. package/dist/lib/role/entities/role.entity.d.ts.map +1 -1
  201. package/dist/lib/role/entities/role.entity.js +7 -1
  202. package/dist/lib/role/entities/role.entity.js.map +1 -1
  203. package/dist/lib/role/events/role-created.event.d.ts +9 -0
  204. package/dist/lib/role/events/role-created.event.d.ts.map +1 -0
  205. package/dist/lib/role/events/role-created.event.js +11 -0
  206. package/dist/lib/role/events/role-created.event.js.map +1 -0
  207. package/dist/lib/role/events/role-deleted.event.d.ts +9 -0
  208. package/dist/lib/role/events/role-deleted.event.d.ts.map +1 -0
  209. package/dist/lib/role/events/role-deleted.event.js +11 -0
  210. package/dist/lib/role/events/role-deleted.event.js.map +1 -0
  211. package/dist/lib/role/events/role-updated.event.d.ts +10 -0
  212. package/dist/lib/role/events/role-updated.event.d.ts.map +1 -0
  213. package/dist/lib/role/events/role-updated.event.js +11 -0
  214. package/dist/lib/role/events/role-updated.event.js.map +1 -0
  215. package/dist/lib/role/index.d.ts +3 -0
  216. package/dist/lib/role/index.d.ts.map +1 -1
  217. package/dist/lib/role/index.js +3 -0
  218. package/dist/lib/role/index.js.map +1 -1
  219. package/dist/lib/role/services/role.service.d.ts +3 -1
  220. package/dist/lib/role/services/role.service.d.ts.map +1 -1
  221. package/dist/lib/role/services/role.service.js +29 -41
  222. package/dist/lib/role/services/role.service.js.map +1 -1
  223. package/dist/lib/role/utils/access-role-resolver.util.d.ts +20 -0
  224. package/dist/lib/role/utils/access-role-resolver.util.d.ts.map +1 -0
  225. package/dist/lib/role/utils/access-role-resolver.util.js +63 -0
  226. package/dist/lib/role/utils/access-role-resolver.util.js.map +1 -0
  227. package/dist/lib/session/services/session-manager.service.d.ts +8 -3
  228. package/dist/lib/session/services/session-manager.service.d.ts.map +1 -1
  229. package/dist/lib/session/services/session-manager.service.js +30 -11
  230. package/dist/lib/session/services/session-manager.service.js.map +1 -1
  231. package/dist/lib/session/session.module.d.ts.map +1 -1
  232. package/dist/lib/session/session.module.js +5 -1
  233. package/dist/lib/session/session.module.js.map +1 -1
  234. package/dist/lib/tenant/decorators/current-tenant.decorator.d.ts.map +1 -1
  235. package/dist/lib/tenant/decorators/current-tenant.decorator.js.map +1 -1
  236. package/dist/lib/tenant/entities/tenant.entity.d.ts +1 -1
  237. package/dist/lib/tenant/entities/tenant.entity.d.ts.map +1 -1
  238. package/dist/lib/tenant/entities/tenant.entity.js +1 -1
  239. package/dist/lib/tenant/entities/tenant.entity.js.map +1 -1
  240. package/dist/lib/tenant/index.d.ts +1 -1
  241. package/dist/lib/tenant/index.d.ts.map +1 -1
  242. package/dist/lib/tenant/index.js +1 -1
  243. package/dist/lib/tenant/index.js.map +1 -1
  244. package/dist/lib/tenant/tenant-context/services/base-tenant-context.service.d.ts +1 -1
  245. package/dist/lib/tenant/tenant-context/services/base-tenant-context.service.d.ts.map +1 -1
  246. package/dist/lib/tenant/tenant-context/services/disabled-tenant-context.service.d.ts +1 -1
  247. package/dist/lib/tenant/tenant-context/services/disabled-tenant-context.service.d.ts.map +1 -1
  248. package/dist/lib/tenant/tenant-context/tenant-context.interface.d.ts +1 -1
  249. package/dist/lib/tenant/tenant-context/tenant-context.interface.d.ts.map +1 -1
  250. package/dist/lib/user/entities/platform-access.entity.d.ts +16 -0
  251. package/dist/lib/user/entities/platform-access.entity.d.ts.map +1 -0
  252. package/dist/lib/user/entities/platform-access.entity.js +95 -0
  253. package/dist/lib/user/entities/platform-access.entity.js.map +1 -0
  254. package/dist/lib/user/entities/user-access.entity.d.ts +22 -0
  255. package/dist/lib/user/entities/user-access.entity.d.ts.map +1 -0
  256. package/dist/lib/{tenant → user}/entities/user-access.entity.js +35 -4
  257. package/dist/lib/user/entities/user-access.entity.js.map +1 -0
  258. package/dist/lib/user/entities/user.entity.d.ts +10 -12
  259. package/dist/lib/user/entities/user.entity.d.ts.map +1 -1
  260. package/dist/lib/user/entities/user.entity.js +91 -73
  261. package/dist/lib/user/entities/user.entity.js.map +1 -1
  262. package/dist/lib/user/services/access-key.service.d.ts +1 -0
  263. package/dist/lib/user/services/access-key.service.d.ts.map +1 -1
  264. package/dist/lib/user/services/access-key.service.js +19 -3
  265. package/dist/lib/user/services/access-key.service.js.map +1 -1
  266. package/dist/lib/user/services/user.service.d.ts +27 -22
  267. package/dist/lib/user/services/user.service.d.ts.map +1 -1
  268. package/dist/lib/user/services/user.service.js +135 -84
  269. package/dist/lib/user/services/user.service.js.map +1 -1
  270. package/dist/lib/user/user.module.d.ts.map +1 -1
  271. package/dist/lib/user/user.module.js +3 -2
  272. package/dist/lib/user/user.module.js.map +1 -1
  273. package/package.json +14 -9
  274. package/dist/lib/tenant/entities/user-access.entity.d.ts +0 -19
  275. package/dist/lib/tenant/entities/user-access.entity.d.ts.map +0 -1
  276. package/dist/lib/tenant/entities/user-access.entity.js.map +0 -1
@@ -18,6 +18,7 @@ const common_2 = require("@nestjs/common");
18
18
  const typeorm_1 = require("@nestjs/typeorm");
19
19
  const typeorm_2 = require("typeorm");
20
20
  const user_entity_1 = require("../../user/entities/user.entity");
21
+ const access_role_resolver_util_1 = require("../../role/utils/access-role-resolver.util");
21
22
  const auth_constants_1 = require("../../auth.constants");
22
23
  const mfa_service_1 = require("./mfa.service");
23
24
  const jwt_service_1 = require("../../core/services/jwt.service");
@@ -26,11 +27,12 @@ const session_manager_service_1 = require("../../session/services/session-manage
26
27
  const request_context_1 = require("../../request-context/request-context");
27
28
  const nest_auth_contracts_1 = require("@ackplus/nest-auth-contracts");
28
29
  const user_registered_event_1 = require("../events/user-registered.event");
30
+ const user_created_event_1 = require("../../user/events/user-created.event");
31
+ const has_token_1 = require("../../utils/has-token");
29
32
  const user_logged_in_event_1 = require("../events/user-logged-in.event");
33
+ const login_failed_event_1 = require("../events/login-failed.event");
30
34
  const user_2fa_verified_event_1 = require("../events/user-2fa-verified.event");
31
35
  const user_refresh_token_event_1 = require("../events/user-refresh-token.event");
32
- const logged_out_event_1 = require("../events/logged-out.event");
33
- const logged_out_all_event_1 = require("../events/logged-out-all.event");
34
36
  const auth_provider_registry_service_1 = require("../../core/services/auth-provider-registry.service");
35
37
  const tenant_service_1 = require("../../tenant/services/tenant.service");
36
38
  const debug_logger_service_1 = require("../../core/services/debug-logger.service");
@@ -41,8 +43,11 @@ const auth_constants_2 = require("../../auth.constants");
41
43
  const role_mapper_util_1 = require("../../role/utils/role-mapper.util");
42
44
  const utils_1 = require("../../utils");
43
45
  const otp_flow_service_1 = require("./otp-flow.service");
46
+ const logout_service_1 = require("./logout.service");
47
+ const session_token_service_1 = require("./session-token.service");
44
48
  const passwordless_code_requested_event_1 = require("../events/passwordless-code-requested.event");
45
49
  const lodash_1 = require("lodash");
50
+ const platform_access_entity_1 = require("../../user/entities/platform-access.entity");
46
51
  let AuthService = class AuthService {
47
52
  userRepository;
48
53
  authProviderRegistry;
@@ -55,9 +60,11 @@ let AuthService = class AuthService {
55
60
  authConfigService;
56
61
  userService;
57
62
  otpFlow;
63
+ logoutService;
64
+ sessionTokenService;
58
65
  tenantContext;
59
66
  authConfig;
60
- constructor(userRepository, authProviderRegistry, mfaService, sessionManager, jwtService, eventEmitter, tenantService, debugLogger, authConfigService, userService, otpFlow, tenantContext) {
67
+ constructor(userRepository, authProviderRegistry, mfaService, sessionManager, jwtService, eventEmitter, tenantService, debugLogger, authConfigService, userService, otpFlow, logoutService, sessionTokenService, tenantContext) {
61
68
  this.userRepository = userRepository;
62
69
  this.authProviderRegistry = authProviderRegistry;
63
70
  this.mfaService = mfaService;
@@ -69,36 +76,19 @@ let AuthService = class AuthService {
69
76
  this.authConfigService = authConfigService;
70
77
  this.userService = userService;
71
78
  this.otpFlow = otpFlow;
79
+ this.logoutService = logoutService;
80
+ this.sessionTokenService = sessionTokenService;
72
81
  this.tenantContext = tenantContext;
73
82
  this.authConfig = this.authConfigService.getConfig();
74
83
  }
75
84
  getUserWithRoles(userId, relations = []) {
76
- return this.userRepository.findOne({
77
- where: { id: userId },
78
- relations: [
79
- 'userAccesses',
80
- 'userAccesses.roles',
81
- ...relations
82
- ],
83
- });
85
+ return this.sessionTokenService.getUserWithRoles(userId, relations);
84
86
  }
85
- async getUser() {
86
- const user = await request_context_1.RequestContext.currentUser();
87
- if (!user) {
88
- return null;
89
- }
90
- const fullUser = await this.getUserWithRoles(user.id);
91
- let serializedUser = fullUser;
92
- if (this.authConfig.user?.serialize) {
93
- serializedUser = await this.authConfig.user.serialize(fullUser);
94
- }
95
- return serializedUser;
87
+ getUserWithAccess(userId, tenantId, isPlatformAccess = false) {
88
+ return this.sessionTokenService.getUserWithAccess(userId, tenantId, isPlatformAccess);
96
89
  }
97
90
  async signup(input) {
98
91
  this.debugLogger.logFunctionEntry('signup', 'AuthService', { email: input.email, phone: input.phone, hasPassword: !!input.password });
99
- const config = this.authConfigService.getConfig();
100
- const tenantMode = config.tenant?.mode ?? nest_auth_contracts_1.TenantModeEnum.ISOLATED;
101
- const tenetEnabled = config.tenant?.enabled ?? false;
102
92
  try {
103
93
  if (this.authConfig.registration?.enabled === false) {
104
94
  throw new common_1.ForbiddenException({
@@ -111,6 +101,7 @@ let AuthService = class AuthService {
111
101
  input = await this.authConfig.registrationHooks.beforeSignup(input, { request: req });
112
102
  }
113
103
  const { email, phone, password, tenantId } = input;
104
+ this.assertTenantIdAllowed(tenantId);
114
105
  await this.tenantService.resolveTenantId(tenantId);
115
106
  this.debugLogger.logAuthOperation('signup', 'email|phone', undefined, { email, phone, resolvedTenantId: tenantId });
116
107
  if (!email && !phone) {
@@ -140,11 +131,9 @@ let AuthService = class AuthService {
140
131
  code: auth_constants_1.ERROR_CODES.PROVIDER_NOT_FOUND,
141
132
  });
142
133
  }
143
- console.log('providersToLink', providersToLink);
144
134
  for (const item of providersToLink) {
145
- this.debugLogger.debug('Checking for existing identity', 'AuthService', { providerId: item.providerId, type: item.type });
146
- const identity = await item.provider.findIdentity(item.providerId, (tenantMode === nest_auth_contracts_1.TenantModeEnum.ISOLATED && tenetEnabled) ? tenantId : undefined);
147
- console.log('identity', identity);
135
+ const requiredTenantId = this.tenantService.checkRequiredTenant(tenantId);
136
+ const identity = await item.provider.findIdentity(item.providerId, requiredTenantId ? tenantId : undefined);
148
137
  if (identity) {
149
138
  this.debugLogger.warn('Identity already exists', 'AuthService', { email: !!email, phone: !!phone, tenantId });
150
139
  if (item.type === 'email') {
@@ -162,46 +151,34 @@ let AuthService = class AuthService {
162
151
  }
163
152
  }
164
153
  this.debugLogger.debug('Creating new user via UserService', 'AuthService', { email: !!email, phone: !!phone, tenantId });
165
- let user = await this.userService.createUser({
166
- email,
167
- phone,
168
- isVerified: false,
169
- password
170
- }, tenantId, input);
171
- this.debugLogger.info('User created successfully', 'AuthService', { userId: user.id, tenantId });
172
- for (const item of providersToLink) {
173
- this.debugLogger.debug('Linking user to provider', 'AuthService', { userId: user.id, providerName: item.provider.providerName });
174
- await item.provider.linkToUser(user.id, item.providerId);
175
- }
176
- if (this.authConfig.registrationHooks?.onSignup) {
177
- this.debugLogger.debug('Applying registrationHooks.onSignup hook', 'AuthService', { userId: user.id });
178
- const request = request_context_1.RequestContext.currentRequest();
179
- const modifiedUser = await this.authConfig.registrationHooks.onSignup(user, input, { request });
180
- if (modifiedUser) {
181
- user = modifiedUser;
182
- }
183
- }
184
- user = await this.getUserWithRoles(user.id, ['userAccesses.roles.permissions', 'userAccesses.tenant']);
185
- const userRoles = user.userAccesses?.map(access => access.roles).flat();
186
- if (input?.guard) {
187
- const isExistsGuard = userRoles?.some(r => r.guard === input.guard);
188
- if (!isExistsGuard) {
189
- await this.userService.deleteUser(user.id);
190
- throw new common_1.UnauthorizedException({
191
- message: 'Not allowed to signup with this guard',
192
- code: auth_constants_1.ERROR_CODES.FORBIDDEN,
193
- });
154
+ const request = request_context_1.RequestContext.currentRequest();
155
+ const user = await this.userService.runInTransaction(async (manager) => {
156
+ const created = await this.userService.createUser({
157
+ email,
158
+ phone,
159
+ emailVerifiedAt: null,
160
+ phoneVerifiedAt: null,
161
+ password
162
+ }, tenantId, input, manager);
163
+ if (this.authConfig.registrationHooks?.onSignup) {
164
+ this.debugLogger.debug('Applying registrationHooks.onSignup hook', 'AuthService', { userId: created.id });
165
+ await this.authConfig.registrationHooks.onSignup(created, input, { request, manager });
194
166
  }
195
- }
196
- this.debugLogger.debug('Creating session for new user', 'AuthService', { userId: user.id });
197
- const session = await this.sessionManager.createSessionFromUser(user, { tenantId });
167
+ return created;
168
+ });
169
+ this.debugLogger.info('User created successfully', 'AuthService', { userId: user.id, tenantId });
170
+ await this.eventEmitter.emitAsync(auth_constants_1.NestAuthEvents.USER_CREATED, new user_created_event_1.UserCreatedEvent({ user, input, tenantId }));
171
+ const { user: authUser, userAccess } = await this.getUserWithAccess(user.id, tenantId);
172
+ this.debugLogger.debug('Creating session for new user', 'AuthService', { userId: authUser.id });
173
+ const session = await this.sessionManager.createSessionFromUser(authUser, userAccess, { tenantId });
198
174
  const tokens = await this.generateTokensFromSession(session);
199
- const isRequiresMfa = await this.mfaService.isRequiresMfa(user.id);
200
- this.debugLogger.debug('Signup tokens generated', 'AuthService', { userId: user.id, isRequiresMfa });
201
- this.debugLogger.debug('Emitting user registration event', 'AuthService', { userId: user.id });
175
+ const isRequiresMfa = await this.mfaService.isRequiresMfa(authUser.id);
176
+ this.debugLogger.debug('Signup tokens generated', 'AuthService', { userId: authUser.id, isRequiresMfa });
177
+ this.debugLogger.debug('Emitting user registration event', 'AuthService', { userId: authUser.id });
202
178
  const provider = providersToLink[0]?.provider;
203
179
  await this.eventEmitter.emitAsync(auth_constants_1.NestAuthEvents.REGISTERED, new user_registered_event_1.UserRegisteredEvent({
204
- user,
180
+ user: authUser,
181
+ userAccess,
205
182
  tenantId,
206
183
  input,
207
184
  provider,
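Review bot: The guard check that old lines 186–193 performed at signup (reject, and delete the just-created user, when none of its roles matches `input.guard`) is dropped here and nothing on the new side references `input.guard` any more; if that check now lives in `getUserWithAccess`/`SessionTokenService`, a comment saying so at the `getUserWithAccess` call on new line 171 would stop the next reader from assuming signup ignores the guard, and if it does not, the check needs to come back. The `onSignup` hook's return value is also discarded on new line 165, whereas the old code substituted the returned user; either keep that contract with `const modified = await this.authConfig.registrationHooks.onSignup(created, input, { request, manager });` followed by `return modified ?? created;`, or state in the hook's documentation that the return value is ignored. The `linkToUser` loop over `providersToLink` is gone as well — presumably `createUser` now links the identities inside the transaction, which is worth confirming because `providersToLink[0]?.provider` on new line 178 still assumes the link exists. signup's body continues past this hunk.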
@@ -219,7 +196,7 @@ let AuthService = class AuthService {
219
196
  isRequiresMfa: false,
220
197
  };
221
198
  }
222
- return this.generateAuthResponse(user, session, tokens, isRequiresMfa, undefined);
199
+ return this.generateAuthResponse(authUser, session, tokens, isRequiresMfa, undefined);
223
200
  }
224
201
  catch (error) {
225
202
  this.debugLogger.logError(error, 'signup', { email: input.email, phone: input.phone });
@@ -229,10 +206,21 @@ let AuthService = class AuthService {
229
206
  }
230
207
  async login(input) {
231
208
  let { credentials, providerName, createUserIfNotExists = false, guard, tenantId } = input;
209
+ const isPlatformAccess = await access_role_resolver_util_1.AccessRoleResolver.isPlatformAccess();
232
210
  this.debugLogger.logFunctionEntry('login', 'AuthService', { providerName, createUserIfNotExists, guard, tenantId });
233
211
  try {
234
- await this.tenantService.resolveTenantId(tenantId);
235
- this.debugLogger.logAuthOperation('login', providerName, undefined, { resolvedTenantId: tenantId, createUserIfNotExists });
212
+ if (!isPlatformAccess) {
213
+ this.assertTenantIdAllowed(tenantId);
214
+ }
215
+ let resolvedTenantId = null;
216
+ if (isPlatformAccess) {
217
+ resolvedTenantId = null;
218
+ }
219
+ else {
220
+ await this.tenantService.resolveTenantId(tenantId);
221
+ resolvedTenantId = tenantId;
222
+ }
223
+ this.debugLogger.logAuthOperation('login', providerName, undefined, { tenantId, resolvedTenantId, createUserIfNotExists, isPlatformAccess });
236
224
  const provider = this.authProviderRegistry.getProvider(providerName);
237
225
  if (!provider) {
238
226
  throw new common_1.UnauthorizedException({
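Review bot: `isPlatformAccess` on new line 209 is read from `AccessRoleResolver.isPlatformAccess()` before any credential has been validated, and when it is true both `assertTenantIdAllowed(tenantId)` and `tenantService.resolveTenantId(tenantId)` are skipped and `resolvedTenantId` stays null; where that flag comes from is not visible in this hunk, so a comment at that line stating what the resolver reads — and that it is not derived from caller-supplied input — would make the tenant-check bypass auditable. The two `isPlatformAccess` branches on new lines 212–222 duplicate each other and include a no-op `resolvedTenantId = null`; they collapse to `let resolvedTenantId = null;` followed by `if (!isPlatformAccess) { this.assertTenantIdAllowed(tenantId); await this.tenantService.resolveTenantId(tenantId); resolvedTenantId = tenantId; }`. The same null tenant then flows into `provider.validate`, and the next hunk replaces the tenant-scoped `findIdentity(userId, tenantId)` with a tenant-agnostic `findIdentityByUserId`, so tenant membership is enforced only by the later `getUserWithAccess` call; that reliance is worth stating in a comment there. login's body continues outside this hunk.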
@@ -247,8 +235,8 @@ let AuthService = class AuthService {
247
235
  code: auth_constants_1.ERROR_CODES.MISSING_REQUIRED_FIELDS,
248
236
  });
249
237
  }
250
- const authProviderUser = await provider.validate(credentials, tenantId);
251
- const identity = await provider.findIdentity(authProviderUser.userId, tenantId);
238
+ const authProviderUser = await provider.validate(credentials, resolvedTenantId);
239
+ const identity = await provider.findIdentityByUserId(authProviderUser.userId);
252
240
  let user = identity?.user || null;
253
241
  if (!user) {
254
242
  if (!createUserIfNotExists) {
@@ -257,7 +245,10 @@ let AuthService = class AuthService {
257
245
  code: auth_constants_1.ERROR_CODES.INVALID_CREDENTIALS,
258
246
  });
259
247
  }
260
- user = await this.handleSocialLogin(provider, authProviderUser, tenantId);
248
+ user = await this.handleSocialLogin(provider, authProviderUser, resolvedTenantId);
249
+ }
250
+ else {
251
+ user = await this.applyProviderVerification(user, authProviderUser);
261
252
  }
262
253
  if (user.isActive === false) {
263
254
  throw new common_1.UnauthorizedException({
@@ -265,22 +256,38 @@ let AuthService = class AuthService {
265
256
  code: auth_constants_1.ERROR_CODES.ACCOUNT_INACTIVE,
266
257
  });
267
258
  }
268
- user = await this.getUserWithRoles(user.id, ['userAccesses.tenant']);
259
+ const { user: authUser, userAccess, platformAccess } = await this.getUserWithAccess(user.id, resolvedTenantId, isPlatformAccess);
269
260
  if (this.authConfig.loginHooks?.onLogin) {
270
- this.debugLogger.debug('Applying loginHooks.onLogin hook', 'AuthService', { userId: user.id });
261
+ this.debugLogger.debug('Applying loginHooks.onLogin hook', 'AuthService', { userId: authUser.id });
271
262
  const request = request_context_1.RequestContext.currentRequest();
272
- await this.authConfig.loginHooks.onLogin(user, input, { request, provider });
263
+ await this.authConfig.loginHooks.onLogin(authUser, input, { userAccess, platformAccess, request, provider });
264
+ }
265
+ if (isPlatformAccess) {
266
+ if (authUser && !platformAccess) {
267
+ throw new common_1.ForbiddenException({
268
+ message: 'Only platform admins can login',
269
+ code: auth_constants_1.ERROR_CODES.ACCESS_DENIED,
270
+ });
271
+ }
272
+ }
273
+ else {
274
+ await this.ensureTenantAccess(authUser, resolvedTenantId, createUserIfNotExists);
273
275
  }
274
- await this.ensureTenantAccess(user, tenantId, createUserIfNotExists);
275
276
  let isRequiresMfa = false;
276
277
  let isTrusted = false;
277
278
  if (!provider.skipMfa) {
278
- isRequiresMfa = await this.mfaService.isRequiresMfa(user.id);
279
+ isRequiresMfa = await this.mfaService.isRequiresMfa(authUser.id);
279
280
  }
280
281
  user.isMfaEnabled = isRequiresMfa;
281
- const userRoles = user.userAccesses?.map(access => access.roles).flat();
282
- if (guard && userRoles?.length) {
283
- const isExistsGuard = userRoles.some(r => r.guard === guard);
282
+ if (guard && (platformAccess || userAccess)) {
283
+ let guardRoles = [];
284
+ if (isPlatformAccess) {
285
+ guardRoles = platformAccess?.roles ?? [];
286
+ }
287
+ else {
288
+ guardRoles = userAccess?.roles ?? [];
289
+ }
290
+ const isExistsGuard = guardRoles.some(r => r.guard === guard);
284
291
  if (!isExistsGuard) {
285
292
  throw new common_1.UnauthorizedException({
286
293
  message: 'Invalid credentials',
@@ -288,7 +295,11 @@ let AuthService = class AuthService {
288
295
  });
289
296
  }
290
297
  }
291
- let session = await this.sessionManager.createSessionFromUser(user, { tenantId });
298
+ let session = await this.sessionManager.createSessionFromUser(authUser, userAccess, {
299
+ tenantId: resolvedTenantId,
300
+ platformAccess: platformAccess,
301
+ isPlatformAccess: isPlatformAccess ?? false
302
+ });
292
303
  if (isRequiresMfa) {
293
304
  isTrusted = await this.checkTrustedDevice(user);
294
305
  if (isTrusted) {
@@ -300,7 +311,9 @@ let AuthService = class AuthService {
300
311
  }
301
312
  const tokens = await this.generateTokensFromSession(session);
302
313
  await this.eventEmitter.emitAsync(auth_constants_1.NestAuthEvents.LOGGED_IN, new user_logged_in_event_1.UserLoggedInEvent({
303
- user,
314
+ user: authUser,
315
+ userAccess,
316
+ platformAccess,
304
317
  tenantId,
305
318
  input,
306
319
  provider,
@@ -308,14 +321,39 @@ let AuthService = class AuthService {
308
321
  tokens,
309
322
  isRequiresMfa
310
323
  }));
311
- return this.generateAuthResponse(user, session, tokens, isRequiresMfa);
324
+ return this.generateAuthResponse(authUser, session, tokens, isRequiresMfa);
312
325
  }
313
326
  catch (error) {
314
327
  this.debugLogger.logError(error, 'login', { providerName, createUserIfNotExists });
328
+ await this.emitLoginFailed(input, error);
315
329
  this.handleError(error, 'login');
316
330
  throw error;
317
331
  }
318
332
  }
333
+ async emitLoginFailed(input, error) {
334
+ try {
335
+ const creds = input?.credentials ?? {};
336
+ const identifier = creds.email ?? creds.phone ?? creds.identifier ?? undefined;
337
+ const req = request_context_1.RequestContext.currentRequest?.();
338
+ const resp = error?.getResponse?.();
339
+ const status = error?.getStatus?.();
340
+ const reasonCode = (typeof resp === 'object' && resp?.code) ||
341
+ error?.code ||
342
+ (status ? `HTTP_${status}` : 'LOGIN_FAILED');
343
+ await this.eventEmitter.emitAsync(auth_constants_1.NestAuthEvents.LOGIN_FAILED, new login_failed_event_1.LoginFailedEvent({
344
+ identifier,
345
+ providerName: input?.providerName,
346
+ reasonCode,
347
+ reason: error?.message,
348
+ ip: req?.ip ?? req?.headers?.['x-forwarded-for'],
349
+ userAgent: req?.headers?.['user-agent'],
350
+ tenantId: input?.tenantId ?? null,
351
+ at: new Date(),
352
+ }));
353
+ }
354
+ catch {
355
+ }
356
+ }
319
357
  async resolveOrCreateUserForSend(input) {
320
358
  const passwordlessConfig = this.authConfigService.getConfig().passwordless;
321
359
  const { channel, tenantId } = input;
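Review bot: The empty `catch {}` closing emitLoginFailed discards every failure of the LOGIN_FAILED emission, so a broken listener silently stops the failed-login signal that any lockout or alerting built on this event would depend on; keep the best-effort intent but record the failure, e.g. `catch (err) { this.debugLogger.logError(err, 'emitLoginFailed', { providerName: input?.providerName }); }`. The `ip` field falls back to the raw `x-forwarded-for` header, which is client-supplied unless a trusted proxy rewrites it and may carry a comma-separated chain, so consumers of the event should not treat it as a verified source address; either drop the fallback and rely on `req.ip` (typically populated by the HTTP adapter according to its trust-proxy setting) or add a comment marking the header value as unverified. A short JSDoc stating that the method never throws and that the event is emitted before handleError runs would help readers of the login catch block.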
@@ -355,7 +393,7 @@ let AuthService = class AuthService {
355
393
  code: auth_constants_1.ERROR_CODES.REGISTRATION_DISABLED,
356
394
  });
357
395
  }
358
- return this.userService.createUser({ email: emailNorm, isVerified: true }, tenantId ?? undefined, { source: 'passwordless', channel: 'email' });
396
+ return this.userService.createUser({ email: emailNorm }, tenantId ?? undefined, { source: 'passwordless', channel: 'email' });
359
397
  }
360
398
  else {
361
399
  const phoneNorm = (0, utils_1.normalizedPhone)(raw);
@@ -386,7 +424,7 @@ let AuthService = class AuthService {
386
424
  code: auth_constants_1.ERROR_CODES.REGISTRATION_DISABLED,
387
425
  });
388
426
  }
389
- return this.userService.createUser({ phone: phoneNorm, isVerified: true }, tenantId ?? undefined, { source: 'passwordless', channel: 'sms' });
427
+ return this.userService.createUser({ phone: phoneNorm }, tenantId ?? undefined, { source: 'passwordless', channel: 'sms' });
390
428
  }
391
429
  }
392
430
  async passwordlessSend(input) {
@@ -427,9 +465,9 @@ let AuthService = class AuthService {
427
465
  async verify2fa(input) {
428
466
  this.debugLogger.logFunctionEntry('verify2fa', 'AuthService', { method: input.method });
429
467
  try {
468
+ let user = await request_context_1.RequestContext.currentUser();
430
469
  const session = request_context_1.RequestContext.currentSession();
431
470
  if (!session) {
432
- this.debugLogger.error('Session not found for 2FA verification', 'AuthService');
433
471
  throw new common_1.UnauthorizedException({
434
472
  message: 'Session not found',
435
473
  code: auth_constants_1.ERROR_CODES.SESSION_NOT_FOUND,
@@ -438,13 +476,11 @@ let AuthService = class AuthService {
438
476
  this.debugLogger.debug('Verifying MFA code', 'AuthService', { userId: session.userId, method: input.method });
439
477
  const isValid = await this.mfaService.verifyMfa(session.userId, input.otp, input.method);
440
478
  if (!isValid) {
441
- this.debugLogger.warn('Invalid MFA code provided', 'AuthService', { userId: session.userId, method: input.method });
442
479
  throw new common_1.UnauthorizedException({
443
480
  message: 'Invalid MFA code',
444
481
  code: auth_constants_1.ERROR_CODES.MFA_CODE_INVALID,
445
482
  });
446
483
  }
447
- this.debugLogger.debug('Updating session with MFA verification', 'AuthService', { sessionId: session.id });
448
484
  const payload = await this.sessionManager.updateSession(session.id, {
449
485
  data: {
450
486
  ...session.data,
@@ -461,10 +497,12 @@ let AuthService = class AuthService {
461
497
  trustToken = await this.mfaService.createTrustedDevice(session.userId, userAgent, ip);
462
498
  }
463
499
  }
464
- const user = await this.getUser();
500
+ if (!user) {
501
+ return null;
502
+ }
465
503
  this.debugLogger.debug('Emitting 2FA verified event', 'AuthService', { userId: user.id });
466
504
  await this.eventEmitter.emitAsync(auth_constants_1.NestAuthEvents.TWO_FACTOR_VERIFIED, new user_2fa_verified_event_1.User2faVerifiedEvent({
467
- user: user,
505
+ user,
468
506
  tenantId: payload.data?.tenantId ?? user?.tenantId,
469
507
  input,
470
508
  session: payload,
@@ -487,29 +525,40 @@ let AuthService = class AuthService {
487
525
  code: auth_constants_1.ERROR_CODES.SESSION_NOT_FOUND,
488
526
  });
489
527
  }
528
+ if (!this.authConfig.tenant?.enabled) {
529
+ throw new common_1.BadRequestException({
530
+ message: 'Multi-tenancy is disabled on this deployment.',
531
+ code: auth_constants_1.ERROR_CODES.TENANT_SWITCHING_DISABLED,
532
+ });
533
+ }
534
+ const tenantMode = this.authConfig.tenant?.mode ?? nest_auth_contracts_1.TenantModeEnum.ISOLATED;
535
+ if (tenantMode === nest_auth_contracts_1.TenantModeEnum.ISOLATED) {
536
+ throw new common_1.BadRequestException({
537
+ message: 'Tenant switching is not supported in isolated mode. Sign in to the target tenant directly.',
538
+ code: auth_constants_1.ERROR_CODES.TENANT_SWITCHING_NOT_SUPPORTED,
539
+ });
540
+ }
490
541
  const resolvedTenantId = await this.tenantService.resolveTenantId(tenantId || null);
491
- const user = await this.userRepository.findOne({
492
- where: { id: session.userId },
493
- relations: [
494
- 'userAccesses',
495
- 'userAccesses.tenant',
496
- 'userAccesses.roles',
497
- 'userAccesses.roles.rolePermissions',
498
- 'userAccesses.roles.rolePermissions.permission',
499
- ],
500
- });
542
+ const { user, userAccess } = await this.getUserWithAccess(session.userId, resolvedTenantId);
501
543
  if (!user) {
502
544
  throw new common_1.UnauthorizedException({
503
545
  message: 'User not found',
504
546
  code: auth_constants_1.ERROR_CODES.USER_NOT_FOUND,
505
547
  });
506
548
  }
549
+ if (resolvedTenantId && !userAccess) {
550
+ const platformAccess = await platform_access_entity_1.NestAuthPlatformAccess.findOne({
551
+ where: { userId: user.id, isActive: true },
552
+ });
553
+ if (!platformAccess) {
554
+ throw new common_1.ForbiddenException({
555
+ message: 'You do not have access to that tenant.',
556
+ code: auth_constants_1.ERROR_CODES.NOT_A_MEMBER_OF_TENANT,
557
+ });
558
+ }
559
+ }
507
560
  await this.ensureTenantAccess(user, resolvedTenantId, false);
508
- const accessForTenant = (user.userAccesses ?? []).find((a) => {
509
- const aTenantId = a?.tenantId ?? null;
510
- return aTenantId === (resolvedTenantId ?? null);
511
- });
512
- const rolesWithPermissions = accessForTenant?.roles ?? [];
561
+ const rolesWithPermissions = userAccess?.roles ?? [];
513
562
  const permissions = (0, lodash_1.chain)(rolesWithPermissions)
514
563
  .map((role) => (0, role_mapper_util_1.getRolePermissionNames)(role))
515
564
  .flatten()
@@ -528,6 +577,36 @@ let AuthService = class AuthService {
528
577
  const tokens = await this.generateTokensFromSession(updatedSession);
529
578
  return this.generateAuthResponse(user, updatedSession, tokens, false);
530
579
  }
580
+ async getSessionUserData() {
581
+ const session = request_context_1.RequestContext.currentSession();
582
+ const tenantId = request_context_1.RequestContext.currentTenantId();
583
+ const isPlatformAccess = await access_role_resolver_util_1.AccessRoleResolver.isPlatformAccess();
584
+ const { user, userAccess, platformAccess } = await this.getUserWithAccess(session.userId, tenantId, isPlatformAccess);
585
+ let rolesWithPermissions = [];
586
+ if (isPlatformAccess) {
587
+ rolesWithPermissions = platformAccess?.roles ?? [];
588
+ }
589
+ else {
590
+ rolesWithPermissions = userAccess?.roles ?? [];
591
+ }
592
+ const permissions = (0, lodash_1.chain)(rolesWithPermissions)
593
+ .map((role) => (0, role_mapper_util_1.getRolePermissionNames)(role))
594
+ .flatten()
595
+ .uniq()
596
+ .value();
597
+ const userRoles = rolesWithPermissions.map((role) => (0, lodash_1.pick)(role, ['id', 'name', 'guard']));
598
+ const config = this.authConfigService.getConfig();
599
+ let serializedUser = {};
600
+ if (config.user?.getSessionUserData) {
601
+ serializedUser = await config.user.getSessionUserData(user);
602
+ }
603
+ return {
604
+ ...(0, lodash_1.pick)(user, ['id', 'email', 'phone', 'emailVerifiedAt', 'phoneVerifiedAt', 'isMfaEnabled', 'metadata']),
605
+ ...(serializedUser || {}),
606
+ roles: userRoles,
607
+ permissions,
608
+ };
609
+ }
531
610
  async send2faCode(userId, method) {
532
611
  const user = await this.userRepository.findOne({ where: { id: userId } });
533
612
  if (!user) {
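Review bot: getSessionUserData dereferences `session.userId` without checking that `RequestContext.currentSession()` returned a session, whereas verify2fa in this file guards the same call and throws `UnauthorizedException` with `ERROR_CODES.SESSION_NOT_FOUND`; without the guard a request with no or an expired session surfaces as a TypeError (likely a 500) rather than a 401. Add the same guard before the lookup: `if (!session) { throw new common_1.UnauthorizedException({ message: 'Session not found', code: auth_constants_1.ERROR_CODES.SESSION_NOT_FOUND }); }`. The method also deserves a JSDoc noting that the object returned by `config.user.getSessionUserData` is spread after the picked user fields and can therefore override `id`, `email` and the rest, so that hook must only return fields the caller is entitled to see. The hunk's trailing lines belong to send2faCode, which continues outside it.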
@@ -551,7 +630,7 @@ let AuthService = class AuthService {
551
630
  try {
552
631
  user = await this.userService.createUser({
553
632
  [linkUserWith]: linkUserValue,
554
- isVerified: true,
633
+ emailVerifiedAt: new Date(),
555
634
  metadata: providerUser.metadata || {},
556
635
  }, tenantId, {
557
636
  [linkUserWith]: linkUserValue,
@@ -577,43 +656,6 @@ let AuthService = class AuthService {
577
656
  await provider.linkToUser(user.id, providerUser.userId, providerUser.metadata || {});
578
657
  return user;
579
658
  }
580
- async buildSessionDataFromUser(params) {
581
- const { user, tenantId = null, isMfaVerified = false } = params;
582
- const accessForTenant = (user.userAccesses ?? []).find((a) => {
583
- const aTenantId = a?.tenantId ?? null;
584
- return (tenantId ?? null) === aTenantId;
585
- });
586
- const rolesFromUser = accessForTenant?.roles ?? [];
587
- const hasRolesPreloaded = Array.isArray(rolesFromUser) && rolesFromUser.length >= 0;
588
- const hasRolePermissionsPreloaded = rolesFromUser?.some((r) => Array.isArray(r?.rolePermissions) &&
589
- r.rolePermissions.some((rp) => !!rp?.permission?.name)) ?? false;
590
- const roles = hasRolesPreloaded && rolesFromUser.length
591
- ? rolesFromUser
592
- : await user.getRoles(tenantId, true);
593
- const permissions = hasRolePermissionsPreloaded
594
- ? (0, lodash_1.chain)(rolesFromUser)
595
- .map((role) => (0, role_mapper_util_1.getRolePermissionNames)(role))
596
- .flatten()
597
- .uniq()
598
- .value()
599
- : (0, lodash_1.chain)(roles)
600
- .map((role) => (0, role_mapper_util_1.getRolePermissionNames)(role))
601
- .flatten()
602
- .uniq()
603
- .value();
604
- let sessionData = {
605
- user,
606
- isMfaVerified,
607
- roles: roles.map((role) => (0, role_mapper_util_1.mapRoleToSessionSnapshot)(role)),
608
- permissions,
609
- tenantId,
610
- };
611
- const customize = auth_config_service_1.AuthConfigService.getOptions().session?.customizeSessionData;
612
- if (customize) {
613
- sessionData = await customize(sessionData, user);
614
- }
615
- return sessionData;
616
- }
617
659
  async refreshToken(refreshToken) {
618
660
  this.debugLogger.logFunctionEntry('refreshToken', 'AuthService', { hasRefreshToken: !!refreshToken });
619
661
  try {
@@ -624,6 +666,7 @@ let AuthService = class AuthService {
624
666
  code: auth_constants_1.ERROR_CODES.REFRESH_TOKEN_INVALID,
625
667
  });
626
668
  }
669
+ const isPlatformAccess = await access_role_resolver_util_1.AccessRoleResolver.isPlatformAccess();
627
670
  this.debugLogger.debug('Verifying refresh token', 'AuthService');
628
671
  let payload;
629
672
  try {
@@ -649,38 +692,73 @@ let AuthService = class AuthService {
649
692
  code: auth_constants_1.ERROR_CODES.REFRESH_TOKEN_INVALID,
650
693
  });
651
694
  }
652
- const user = await this.userRepository.findOne({
653
- where: { id: session.userId },
654
- relations: ['userAccesses.roles.permissions', 'userAccesses.tenant']
655
- });
695
+ const storedRefreshHash = session.refreshToken;
696
+ if (storedRefreshHash) {
697
+ const secret = this.authConfig.session?.jwt?.secret ?? '';
698
+ if (!(0, has_token_1.timingSafeEqualHex)(storedRefreshHash, (0, has_token_1.hmacSha256Hex)(secret, refreshToken))) {
699
+ throw new common_1.UnauthorizedException({
700
+ message: 'Refresh token is no longer valid (rotated or replayed)',
701
+ code: auth_constants_1.ERROR_CODES.REFRESH_TOKEN_INVALID,
702
+ });
703
+ }
704
+ }
705
+ const { user, userAccess, platformAccess } = await this.getUserWithAccess(session.userId, session.data?.tenantId ?? null, isPlatformAccess);
656
706
  if (!user) {
657
- await this.sessionManager.revokeSession(session.id);
707
+ await this.sessionManager.revokeSession(session.id, 'security');
658
708
  throw new common_1.UnauthorizedException({
659
709
  message: 'User not found',
660
710
  code: auth_constants_1.ERROR_CODES.USER_NOT_FOUND,
661
711
  });
662
712
  }
663
713
  if (user.isActive === false) {
664
- await this.sessionManager.revokeSession(session.id);
714
+ await this.sessionManager.revokeSession(session.id, 'security');
665
715
  throw new common_1.UnauthorizedException({
666
716
  message: 'Your account is suspended, please contact support',
667
717
  code: auth_constants_1.ERROR_CODES.ACCOUNT_INACTIVE,
668
718
  });
669
719
  }
670
720
  const tenantId = session.data?.tenantId ?? null;
671
- try {
672
- await this.ensureTenantAccess(user, tenantId, false);
721
+ if (!isPlatformAccess && !userAccess) {
722
+ try {
723
+ await this.ensureTenantAccess(user, tenantId, false);
724
+ }
725
+ catch (error) {
726
+ await this.sessionManager.revokeSession(session.id, 'security');
727
+ throw error;
728
+ }
673
729
  }
674
- catch (e) {
675
- await this.sessionManager.revokeSession(session.id);
676
- throw e;
730
+ if (isPlatformAccess && !platformAccess) {
731
+ await this.sessionManager.revokeSession(session.id, 'security');
732
+ throw new common_1.UnauthorizedException({
733
+ message: 'You are not authorized to platform access',
734
+ code: auth_constants_1.ERROR_CODES.ACCESS_DENIED,
735
+ });
677
736
  }
678
737
  const isMfaVerified = !!session.data?.isMfaVerified;
679
- const freshSessionData = await this.buildSessionDataFromUser({
738
+ let roles = [];
739
+ if (isPlatformAccess) {
740
+ roles = platformAccess?.roles ?? [];
741
+ }
742
+ else {
743
+ roles = userAccess?.roles ?? [];
744
+ }
745
+ const permissions = (0, lodash_1.chain)(roles)
746
+ .map((role) => (0, role_mapper_util_1.getRolePermissionNames)(role))
747
+ .flatten()
748
+ .uniq()
749
+ .value();
750
+ let freshSessionData = {
680
751
  user,
681
- tenantId,
682
752
  isMfaVerified,
683
- });
753
+ roles: roles.map((role) => (0, role_mapper_util_1.mapRoleToSessionSnapshot)(role)),
754
+ permissions,
755
+ tenantId,
756
+ isPlatformAccess: isPlatformAccess ?? false,
757
+ };
758
+ const customize = auth_config_service_1.AuthConfigService.getOptions().session?.customizeSessionData;
759
+ if (customize) {
760
+ freshSessionData = await customize(freshSessionData, user);
761
+ }
684
762
  const refreshedSession = await this.sessionManager.refreshSession(session);
685
763
  const updatedSession = await this.sessionManager.updateSession(refreshedSession.id, {
686
764
  data: {
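Review bot: On a refresh-token hash mismatch the code throws "rotated or replayed" but leaves the session intact, while every other failure branch in this hunk revokes it with `revokeSession(session.id, 'security')`; a detected replay is the case that most warrants revocation, so add `await this.sessionManager.revokeSession(session.id, 'security');` before the throw in the mismatch branch. Two weaknesses sit next to it: the comparison is skipped entirely when `session.refreshToken` is empty, so if a session can exist without a stored hash (not visible here) the rotation check is bypassed and a previously rotated token is accepted, and the HMAC key falls back to `''` when `session.jwt.secret` is unset; failing closed with `if (!secret) throw new Error('session.jwt.secret is required to verify refresh tokens');` is safer than hashing with an empty key. refreshToken's body starts before this hunk and continues after it.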
@@ -706,39 +784,10 @@ let AuthService = class AuthService {
706
784
  }
707
785
  }
708
786
  async logout(logoutType = 'user', reason) {
709
- const session = request_context_1.RequestContext.currentSession();
710
- const user = await this.getUser();
711
- if (session) {
712
- await this.eventEmitter.emitAsync(auth_constants_1.NestAuthEvents.LOGGED_OUT, new logged_out_event_1.LoggedOutEvent({
713
- user: user,
714
- tenantId: session?.data?.tenantId ?? user?.tenantId,
715
- session,
716
- logoutType,
717
- reason,
718
- }));
719
- await this.sessionManager.revokeSession(session.id);
720
- }
721
- return true;
787
+ return this.logoutService.logout(logoutType, reason);
722
788
  }
723
789
  async logoutAll(userId, logoutType = 'user', reason) {
724
- const sessions = await this.sessionManager.getUserSessions(userId);
725
- await this.sessionManager.revokeAllUserSessions(userId);
726
- const user = await this.userRepository.findOne({ where: { id: userId } });
727
- if (user) {
728
- await this.eventEmitter.emitAsync(auth_constants_1.NestAuthEvents.LOGGED_OUT_ALL, new logged_out_all_event_1.LoggedOutAllEvent({
729
- user,
730
- tenantId: request_context_1.RequestContext.currentTenantId(),
731
- logoutType,
732
- reason,
733
- sessions,
734
- }));
735
- }
736
- return true;
737
- }
738
- getTenantMode() {
739
- const config = this.authConfigService.getConfig();
740
- const mode = config.tenant?.mode;
741
- return mode === nest_auth_contracts_1.TenantModeEnum.SHARED ? nest_auth_contracts_1.TenantModeEnum.SHARED : nest_auth_contracts_1.TenantModeEnum.ISOLATED;
790
+ return this.logoutService.logoutAll(userId, logoutType, reason);
742
791
  }
743
792
  async ensureTenantAccess(user, tenantId, allowAutoJoin = false) {
744
793
  if (!tenantId || !this.tenantContext.isEnabled()) {
@@ -756,26 +805,6 @@ let AuthService = class AuthService {
756
805
  });
757
806
  }
758
807
  }
759
- async generateTokensPayload(session, otherPayload = {}) {
760
- let payload = {
761
- id: session.userId,
762
- sub: session.userId,
763
- sessionId: session.id,
764
- email: session.data?.user?.email,
765
- phone: session.data?.user?.phone,
766
- isVerified: session.data?.user?.isVerified,
767
- roles: session.data?.roles || [],
768
- tenantId: session.data?.tenantId,
769
- isMfaEnabled: session.data?.user?.isMfaEnabled,
770
- isMfaVerified: session.data?.isMfaVerified,
771
- ...otherPayload,
772
- };
773
- const config = this.authConfigService.getConfig();
774
- if (config.session?.customizeTokenPayload) {
775
- payload = await config.session.customizeTokenPayload(payload, session);
776
- }
777
- return payload;
778
- }
779
808
  handleError(error, context) {
780
809
  const config = this.authConfigService.getConfig();
781
810
  if (config.errorHandler) {
@@ -786,81 +815,40 @@ let AuthService = class AuthService {
786
815
  }
787
816
  }
788
817
  async generateTokensFromSession(session) {
789
- const payload = await this.generateTokensPayload(session);
790
- const tokens = await this.jwtService.generateTokens(payload);
791
- return tokens;
818
+ return this.sessionTokenService.generateTokensFromSession(session);
792
819
  }
793
820
  async generateAuthResponse(user, session, tokens, isRequiresMfa, trustToken) {
794
- const config = this.authConfigService.getConfig();
795
- let serializedUser = user;
796
- if (config.user?.serialize) {
797
- serializedUser = await config.user.serialize(user);
798
- }
799
- const activeTenantId = session?.data?.tenantId;
800
- let tenants = await this.userService.getUserTenants(user.id);
801
- if (!tenants.length && activeTenantId) {
802
- const fallbackTenant = await this.tenantService.getTenantById(activeTenantId);
803
- if (fallbackTenant) {
804
- tenants = [fallbackTenant];
805
- }
806
- }
807
- let userWithAccesses = user;
808
- if (!user?.userAccesses?.length) {
809
- userWithAccesses = await this.getUserWithRoles(user.id, [
810
- 'userAccesses.tenant',
811
- ]);
812
- }
813
- const userAccesses = (userWithAccesses.userAccesses ?? []).map((access) => ({
814
- id: access.id,
815
- userId: access.userId,
816
- tenantId: access.tenantId,
817
- tenant: access.tenant ? {
818
- id: access.tenant.id,
819
- name: access.tenant.name,
820
- slug: access.tenant.slug,
821
- description: access.tenant.description,
822
- metadata: access.tenant.metadata,
823
- isActive: access.tenant.isActive,
824
- } : undefined,
825
- isActive: access.isActive,
826
- isDefault: access.isDefault,
827
- status: access.status,
828
- metadata: access.metadata ?? {},
829
- createdAt: access.createdAt,
830
- updatedAt: access.updatedAt,
831
- }));
832
- const rolesForResponse = session?.data?.roles || [];
833
- const roleNames = rolesForResponse?.map(r => r.name) || [];
834
- const permissions = session?.data?.permissions || [];
835
- let response = {
836
- accessToken: tokens.accessToken,
837
- refreshToken: tokens.refreshToken,
838
- isRequiresMfa: isRequiresMfa,
839
- user: {
840
- id: serializedUser.id,
841
- email: serializedUser.email,
842
- phone: serializedUser.phone,
843
- isVerified: serializedUser.isVerified,
844
- isMfaEnabled: serializedUser.isMfaEnabled,
845
- roles: roleNames,
846
- permissions,
847
- metadata: serializedUser.metadata,
848
- tenantId: activeTenantId,
849
- userAccesses,
850
- },
851
- };
852
- if (isRequiresMfa) {
853
- const enabledMethods = await this.mfaService.getEnabledMethods(user.id);
854
- response.mfaMethods = enabledMethods;
855
- response.defaultMfaMethod = this.mfaService.mfaConfig?.defaultMethod || enabledMethods[0];
856
- }
857
- if (config.auth?.transformResponse) {
858
- response = await config.auth.transformResponse(response, user, session);
859
- }
860
- if (trustToken) {
861
- response.trustToken = trustToken;
821
+ return this.sessionTokenService.generateAuthResponse(user, session, tokens, isRequiresMfa, trustToken);
822
+ }
823
+ async applyProviderVerification(user, providerUser) {
824
+ const updates = {};
825
+ if (providerUser.emailVerified === true &&
826
+ !user.emailVerifiedAt &&
827
+ user.email &&
828
+ providerUser.email &&
829
+ user.email.toLowerCase() === providerUser.email.toLowerCase()) {
830
+ updates.emailVerifiedAt = new Date();
831
+ }
832
+ if (providerUser.phoneVerified === true &&
833
+ !user.phoneVerifiedAt &&
834
+ user.phone &&
835
+ providerUser.phone &&
836
+ user.phone === providerUser.phone) {
837
+ updates.phoneVerifiedAt = new Date();
838
+ }
839
+ if (Object.keys(updates).length === 0) {
840
+ return user;
841
+ }
842
+ await this.userRepository.update({ id: user.id }, updates);
843
+ return (await this.userRepository.findOne({ where: { id: user.id } })) ?? user;
844
+ }
845
+ assertTenantIdAllowed(tenantId) {
846
+ if (!this.authConfig.tenant?.enabled && tenantId) {
847
+ throw new common_1.BadRequestException({
848
+ message: 'tenantId provided but multi-tenancy is disabled on this deployment.',
849
+ code: auth_constants_1.ERROR_CODES.TENANT_NOT_ENABLED,
850
+ });
862
851
  }
863
- return response;
864
852
  }
865
853
  async checkTrustedDevice(user) {
866
854
  const trustCookieName = auth_config_service_1.AuthConfigService.getOptions().mfa?.trustDeviceStorageName || auth_constants_1.NEST_AUTH_TRUST_DEVICE_KEY;
@@ -881,7 +869,7 @@ exports.AuthService = AuthService;
881
869
  exports.AuthService = AuthService = __decorate([
882
870
  (0, common_1.Injectable)(),
883
871
  __param(0, (0, typeorm_1.InjectRepository)(user_entity_1.NestAuthUser)),
884
- __param(11, (0, common_2.Inject)(auth_constants_2.NEST_AUTH_TENANT_CONTEXT_SERVICE)),
872
+ __param(13, (0, common_2.Inject)(auth_constants_2.NEST_AUTH_TENANT_CONTEXT_SERVICE)),
885
873
  __metadata("design:paramtypes", [typeorm_2.Repository,
886
874
  auth_provider_registry_service_1.AuthProviderRegistryService,
887
875
  mfa_service_1.MfaService,
@@ -892,6 +880,8 @@ exports.AuthService = AuthService = __decorate([
892
880
  debug_logger_service_1.DebugLoggerService,
893
881
  auth_config_service_1.AuthConfigService,
894
882
  user_service_1.UserService,
895
- otp_flow_service_1.OtpFlowService, Object])
883
+ otp_flow_service_1.OtpFlowService,
884
+ logout_service_1.LogoutService,
885
+ session_token_service_1.SessionTokenService, Object])
896
886
  ], AuthService);
897
887
  //# sourceMappingURL=auth.service.js.map