@aooth/user 0.1.6 → 0.1.7

package/dist/atscript-db.d.cts

@@ -1,4 +1,4 @@
-import { S as UserCredentials, n as WithCasOptions, t as UserStore, w as UserStoreUpdate } from "./user-store-B3EStUfT.cjs";
+import { S as UserCredentials, n as WithCasOptions, t as UserStore, w as UserStoreUpdate } from "./user-store-BZsKtBHy.cjs";
 
 //#region src/atscript-db/index.d.ts
 /**

package/dist/atscript-db.d.mts

@@ -1,4 +1,4 @@
-import { S as UserCredentials, n as WithCasOptions, t as UserStore, w as UserStoreUpdate } from "./user-store-C1lxahSB.mjs";
+import { S as UserCredentials, n as WithCasOptions, t as UserStore, w as UserStoreUpdate } from "./user-store-62LCSa8q.mjs";
 
 //#region src/atscript-db/index.d.ts
 /**

package/dist/index.cjs

@@ -338,7 +338,8 @@ function resolveConfig(config) {
 			scryptR: config?.password?.scryptR ?? 8,
 			scryptP: config?.password?.scryptP ?? 1,
 			keyLength: config?.password?.keyLength ?? 64,
-			policies: normalizePolicies(config?.password?.policies)
+			policies: normalizePolicies(config?.password?.policies),
+			maxAgeMs: config?.password?.maxAgeMs ?? 0
 		},
 		lockout: {
 			threshold: config?.lockout?.threshold ?? 0,
@@ -506,6 +507,24 @@ var UserService = class {
 			lockEnds: account.lockEnds
 		};
 	}
+	/**
+	* Returns `true` when the user's password is older than
+	* `config.password.maxAgeMs`. Returns `false` when:
+	* - `maxAgeMs` is unset or `0` (expiry disabled)
+	* - `password.lastChanged` is `0` / falsy (no recorded change — never
+	*   expire a user whose timestamp wasn't captured, since that would
+	*   force-loop on every login)
+	*
+	* Consulted by `@aooth/auth-moost` `LoginWorkflow`'s `credentials`
+	* step to set `ctx.isPasswordExpired` when `guards.passwordExpiry`
+	* is true (the default).
+	*/
+	isPasswordExpired(user, now = this.config.clock()) {
+		const maxAgeMs = this.config.password.maxAgeMs;
+		const lastChanged = user.password.lastChanged;
+		if (!maxAgeMs || !lastChanged) return false;
+		return now - lastChanged > maxAgeMs;
+	}
 	async checkPolicies(password, passwordData) {
 		const result = {
 			passed: true,

package/dist/index.d.cts

@@ -1,4 +1,4 @@
-import { C as UserServiceConfig, S as UserCredentials, _ as PolicyCheckResult, a as LockStatus, b as TrustedDeviceRecord, c as MfaData, d as PasswordConfig, f as PasswordData, g as PasswordPolicyInstance, h as PasswordPolicyEvalFn, i as DeepPartial, l as MfaMethod, m as PasswordPolicyDef, n as WithCasOptions, o as LockoutConfig, p as PasswordPolicyContext, r as AccountData, s as LoginResult, t as UserStore, u as MfaMethodInfo, v as TotpConfig, w as UserStoreUpdate, x as UserAuthErrorType, y as TransferablePolicy } from "./user-store-B3EStUfT.cjs";
+import { C as UserServiceConfig, S as UserCredentials, _ as PolicyCheckResult, a as LockStatus, b as TrustedDeviceRecord, c as MfaData, d as PasswordConfig, f as PasswordData, g as PasswordPolicyInstance, h as PasswordPolicyEvalFn, i as DeepPartial, l as MfaMethod, m as PasswordPolicyDef, n as WithCasOptions, o as LockoutConfig, p as PasswordPolicyContext, r as AccountData, s as LoginResult, t as UserStore, u as MfaMethodInfo, v as TotpConfig, w as UserStoreUpdate, x as UserAuthErrorType, y as TransferablePolicy } from "./user-store-BZsKtBHy.cjs";
 
 //#region src/errors.d.ts
 declare class UserAuthError extends Error {
@@ -117,6 +117,19 @@ declare class UserService<T extends object = object> {
   lockAccount(username: string, reason: string, duration?: number): Promise<void>;
   unlockAccount(username: string): Promise<void>;
   getLockStatus(account: UserCredentials["account"]): LockStatus;
+  /**
+   * Returns `true` when the user's password is older than
+   * `config.password.maxAgeMs`. Returns `false` when:
+   * - `maxAgeMs` is unset or `0` (expiry disabled)
+   * - `password.lastChanged` is `0` / falsy (no recorded change — never
+   *   expire a user whose timestamp wasn't captured, since that would
+   *   force-loop on every login)
+   *
+   * Consulted by `@aooth/auth-moost` `LoginWorkflow`'s `credentials`
+   * step to set `ctx.isPasswordExpired` when `guards.passwordExpiry`
+   * is true (the default).
+   */
+  isPasswordExpired(user: UserCredentials & T, now?: number): boolean;
   checkPolicies(password: string, passwordData?: PasswordData): Promise<PolicyCheckResult>;
   getTransferablePolicies(): TransferablePolicy[];
   addMfaMethod(username: string, method: MfaMethod): Promise<void>;

package/dist/index.d.mts

@@ -1,4 +1,4 @@
-import { C as UserServiceConfig, S as UserCredentials, _ as PolicyCheckResult, a as LockStatus, b as TrustedDeviceRecord, c as MfaData, d as PasswordConfig, f as PasswordData, g as PasswordPolicyInstance, h as PasswordPolicyEvalFn, i as DeepPartial, l as MfaMethod, m as PasswordPolicyDef, n as WithCasOptions, o as LockoutConfig, p as PasswordPolicyContext, r as AccountData, s as LoginResult, t as UserStore, u as MfaMethodInfo, v as TotpConfig, w as UserStoreUpdate, x as UserAuthErrorType, y as TransferablePolicy } from "./user-store-C1lxahSB.mjs";
+import { C as UserServiceConfig, S as UserCredentials, _ as PolicyCheckResult, a as LockStatus, b as TrustedDeviceRecord, c as MfaData, d as PasswordConfig, f as PasswordData, g as PasswordPolicyInstance, h as PasswordPolicyEvalFn, i as DeepPartial, l as MfaMethod, m as PasswordPolicyDef, n as WithCasOptions, o as LockoutConfig, p as PasswordPolicyContext, r as AccountData, s as LoginResult, t as UserStore, u as MfaMethodInfo, v as TotpConfig, w as UserStoreUpdate, x as UserAuthErrorType, y as TransferablePolicy } from "./user-store-62LCSa8q.mjs";
 
 //#region src/errors.d.ts
 declare class UserAuthError extends Error {
@@ -117,6 +117,19 @@ declare class UserService<T extends object = object> {
   lockAccount(username: string, reason: string, duration?: number): Promise<void>;
   unlockAccount(username: string): Promise<void>;
   getLockStatus(account: UserCredentials["account"]): LockStatus;
+  /**
+   * Returns `true` when the user's password is older than
+   * `config.password.maxAgeMs`. Returns `false` when:
+   * - `maxAgeMs` is unset or `0` (expiry disabled)
+   * - `password.lastChanged` is `0` / falsy (no recorded change — never
+   *   expire a user whose timestamp wasn't captured, since that would
+   *   force-loop on every login)
+   *
+   * Consulted by `@aooth/auth-moost` `LoginWorkflow`'s `credentials`
+   * step to set `ctx.isPasswordExpired` when `guards.passwordExpiry`
+   * is true (the default).
+   */
+  isPasswordExpired(user: UserCredentials & T, now?: number): boolean;
   checkPolicies(password: string, passwordData?: PasswordData): Promise<PolicyCheckResult>;
   getTransferablePolicies(): TransferablePolicy[];
   addMfaMethod(username: string, method: MfaMethod): Promise<void>;

package/dist/index.mjs

@@ -337,7 +337,8 @@ function resolveConfig(config) {
 			scryptR: config?.password?.scryptR ?? 8,
 			scryptP: config?.password?.scryptP ?? 1,
 			keyLength: config?.password?.keyLength ?? 64,
-			policies: normalizePolicies(config?.password?.policies)
+			policies: normalizePolicies(config?.password?.policies),
+			maxAgeMs: config?.password?.maxAgeMs ?? 0
 		},
 		lockout: {
 			threshold: config?.lockout?.threshold ?? 0,
@@ -505,6 +506,24 @@ var UserService = class {
 			lockEnds: account.lockEnds
 		};
 	}
+	/**
+	* Returns `true` when the user's password is older than
+	* `config.password.maxAgeMs`. Returns `false` when:
+	* - `maxAgeMs` is unset or `0` (expiry disabled)
+	* - `password.lastChanged` is `0` / falsy (no recorded change — never
+	*   expire a user whose timestamp wasn't captured, since that would
+	*   force-loop on every login)
+	*
+	* Consulted by `@aooth/auth-moost` `LoginWorkflow`'s `credentials`
+	* step to set `ctx.isPasswordExpired` when `guards.passwordExpiry`
+	* is true (the default).
+	*/
+	isPasswordExpired(user, now = this.config.clock()) {
+		const maxAgeMs = this.config.password.maxAgeMs;
+		const lastChanged = user.password.lastChanged;
+		if (!maxAgeMs || !lastChanged) return false;
+		return now - lastChanged > maxAgeMs;
+	}
 	async checkPolicies(password, passwordData) {
 		const result = {
 			passed: true,

package/dist/{user-store-B3EStUfT.d.cts → user-store-62LCSa8q.d.mts}

@@ -113,6 +113,14 @@ interface PasswordConfig {
   keyLength?: number;
   /** Password policy rules */
   policies?: (PasswordPolicyDef | PasswordPolicyInstance)[];
+  /**
+   * Force re-set of an existing password after this many ms since
+   * `password.lastChanged`. `0` / undefined disables expiry. Read by
+   * `UserService.isPasswordExpired()`; consulted by `@aooth/auth-moost`
+   * `LoginWorkflow`'s forced-change branch when `guards.passwordExpiry`
+   * is true (the default).
+   */
+  maxAgeMs?: number;
 }
 interface LockoutConfig {
   /** Lock after this many failed attempts (0 = disabled) */

package/dist/{user-store-C1lxahSB.d.mts → user-store-BZsKtBHy.d.cts}

@@ -113,6 +113,14 @@ interface PasswordConfig {
   keyLength?: number;
   /** Password policy rules */
   policies?: (PasswordPolicyDef | PasswordPolicyInstance)[];
+  /**
+   * Force re-set of an existing password after this many ms since
+   * `password.lastChanged`. `0` / undefined disables expiry. Read by
+   * `UserService.isPasswordExpired()`; consulted by `@aooth/auth-moost`
+   * `LoginWorkflow`'s forced-change branch when `guards.passwordExpiry`
+   * is true (the default).
+   */
+  maxAgeMs?: number;
 }
 interface LockoutConfig {
   /** Lock after this many failed attempts (0 = disabled) */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aooth/user",
-  "version": "0.1.6",
+  "version": "0.1.7",
   "description": "User credential primitives for aoothjs",
   "keywords": [
     "aoothjs",
@@ -47,9 +47,9 @@
   },
   "devDependencies": {
     "@atscript/core": "^0.1.64",
-    "@atscript/db": "^0.1.90",
-    "@atscript/db-sql-tools": "^0.1.90",
-    "@atscript/db-sqlite": "^0.1.90",
+    "@atscript/db": "^0.1.91",
+    "@atscript/db-sql-tools": "^0.1.91",
+    "@atscript/db-sqlite": "^0.1.91",
     "@atscript/typescript": "^0.1.64",
     "@types/better-sqlite3": "^7.6.13",
     "better-sqlite3": "^12.6.2",