@aranzatech/aranza-auth 0.2.1 → 0.2.2
- package/CHANGELOG.md +60 -2
- package/README.md +180 -16
- package/SECURITY.md +11 -0
- package/dist/{auth-repository.interface-9PpDVOs8.d.cts → auth-repository.interface--1rv0RCD.d.cts} +22 -3
- package/dist/{auth-repository.interface-9PpDVOs8.d.ts → auth-repository.interface--1rv0RCD.d.ts} +22 -3
- package/dist/index.cjs +621 -186
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +142 -11
- package/dist/index.d.ts +142 -11
- package/dist/index.js +617 -188
- package/dist/index.js.map +1 -1
- package/dist/mongo/index.cjs +34 -6
- package/dist/mongo/index.cjs.map +1 -1
- package/dist/mongo/index.d.cts +4 -1
- package/dist/mongo/index.d.ts +4 -1
- package/dist/mongo/index.js +34 -6
- package/dist/mongo/index.js.map +1 -1
- package/package.json +12 -1
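--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -1,6 +1,6 @@
+import { A as AuthFeatures, a as AuthModuleOptions, b as AuthModuleAsyncOptions, c as AuthHooks, B as BaseAuthAccount, R as RegisterInput, d as AuthTokens, I as IAuthRepository } from './auth-repository.interface--1rv0RCD.js';
+export { e as AuthAccountWithSecrets, f as AuthHooksConstructor, g as AuthIdentifierField, h as AuthJwtConfig, C as CreateAccountData } from './auth-repository.interface--1rv0RCD.js';
 import { DynamicModule } from '@nestjs/common';
-import { A as AuthModuleOptions, a as AuthModuleAsyncOptions, b as AuthHooks, B as BaseAuthAccount, R as RegisterInput, c as AuthTokens, I as IAuthRepository } from './auth-repository.interface-9PpDVOs8.js';
-export { d as AuthAccountWithSecrets, e as AuthFeatures, f as AuthIdentifierField, g as AuthJwtConfig, C as CreateAccountData } from './auth-repository.interface-9PpDVOs8.js';
 import * as _nestjs_passport from '@nestjs/passport';
 import { JwtService } from '@nestjs/jwt';
 
@@ -38,20 +38,116 @@ declare const AUTH_RATE_LIMIT_PRESETS: {
 };
 type AuthRateLimitPreset = (typeof AUTH_RATE_LIMIT_PRESETS)[keyof typeof AUTH_RATE_LIMIT_PRESETS];
 
-/**
+/**
+* Maps auth routes to recommended `@nestjs/throttler` presets.
+* Apply per-route with `@Throttle()` in a wrapping controller or global guard.
+*
+* @example
+* ```typescript
+* import { Throttle } from "@nestjs/throttler";
+* import { AUTH_RATE_LIMIT_ROUTES } from "@aranzatech/aranza-auth";
+*
+* @Throttle({ default: AUTH_RATE_LIMIT_ROUTES.login })
+* @Post("login")
+* login() { ... }
+* ```
+*/
+declare const AUTH_RATE_LIMIT_ROUTES: {
+readonly login: {
+readonly name: "auth-credentials";
+readonly ttl: 60000;
+readonly limit: 5;
+};
+readonly register: {
+readonly name: "auth-credentials";
+readonly ttl: 60000;
+readonly limit: 5;
+};
+readonly refresh: {
+readonly name: "auth-credentials";
+readonly ttl: 60000;
+readonly limit: 5;
+};
+readonly "forgot-password": {
+readonly name: "auth-password-reset";
+readonly ttl: 60000;
+readonly limit: 3;
+};
+readonly "reset-password": {
+readonly name: "auth-password-reset";
+readonly ttl: 60000;
+readonly limit: 3;
+};
+readonly "resend-verification": {
+readonly name: "auth-password-reset";
+readonly ttl: 60000;
+readonly limit: 3;
+};
+readonly default: {
+readonly name: "auth-default";
+readonly ttl: 60000;
+readonly limit: 10;
+};
+};
+type AuthRateLimitRoute = keyof typeof AUTH_RATE_LIMIT_ROUTES;
+
+/** Machine-readable auth error codes returned in HTTP `message` field. */
 declare const AuthErrorCode: {
-readonly INVALID_CREDENTIALS: "
-readonly INVALID_REFRESH_TOKEN: "
+readonly INVALID_CREDENTIALS: "INVALID_CREDENTIALS";
+readonly INVALID_REFRESH_TOKEN: "INVALID_REFRESH_TOKEN";
 readonly REFRESH_TOKEN_REUSE: "REFRESH_TOKEN_REUSE";
 readonly ACCOUNT_DISABLED: "ACCOUNT_DISABLED";
+readonly ACCOUNT_NOT_FOUND: "ACCOUNT_NOT_FOUND";
 readonly EMAIL_NOT_VERIFIED: "EMAIL_NOT_VERIFIED";
 readonly TOKEN_INVALID_OR_EXPIRED: "TOKEN_INVALID_OR_EXPIRED";
 readonly ACCOUNT_LOCKED: "ACCOUNT_LOCKED";
 readonly INVALID_CURRENT_PASSWORD: "INVALID_CURRENT_PASSWORD";
 readonly PASSWORD_UNCHANGED: "PASSWORD_UNCHANGED";
+readonly PASSWORD_CHANGED: "PASSWORD_CHANGED";
+/** Missing or invalid Bearer token on a protected route. */
+readonly UNAUTHORIZED: "UNAUTHORIZED";
 };
 type AuthErrorCodeValue = (typeof AuthErrorCode)[keyof typeof AuthErrorCode];
 
+interface AuthSwaggerOptions {
+/** OpenAPI document title. Default: `API`. */
+title?: string;
+/** API description shown in Swagger UI. */
+description?: string;
+/** Swagger UI path. Default: `api`. */
+path?: string;
+/** API version string. Default: `1.0`. */
+version?: string;
+/** Enabled auth features — appended to the OpenAPI description. */
+features?: Partial<AuthFeatures>;
+/** Write `openapi.json` to this path when set (relative to process cwd). */
+exportPath?: string;
+}
+/**
+* Configures Swagger UI with JWT Bearer auth for apps using `@aranzatech/aranza-auth`.
+* Requires `@nestjs/swagger` installed in the host application.
+*/
+declare function setupAuthSwagger(app: unknown, options?: AuthSwaggerOptions): void;
+
+interface RefreshTokenCookieOptions {
+/** Cookie name. Default: `refresh_token`. */
+name?: string;
+/** Cookie path. Default: `/auth/refresh`. */
+path?: string;
+/** `Secure` flag — use `true` in production (HTTPS). Default: `true`. */
+secure?: boolean;
+/** `SameSite` attribute. Default: `strict`. */
+sameSite?: "strict" | "lax" | "none";
+/** Max-Age in seconds. Default: 7 days. */
+maxAgeSeconds?: number;
+/** `HttpOnly` flag. Default: `true`. */
+httpOnly?: boolean;
+}
+/** Builds a `Set-Cookie` header value for storing the refresh token. */
+declare function buildRefreshTokenCookie(refreshToken: string, options?: RefreshTokenCookieOptions): string;
+/** Builds a `Set-Cookie` header value that clears the refresh token cookie. */
+declare function buildClearRefreshTokenCookie(options?: RefreshTokenCookieOptions): string;
+
 declare class AuthModule {
 static forRoot(options: AuthModuleOptions): DynamicModule;
 static forRootAsync(options: AuthModuleAsyncOptions): DynamicModule;
@@ -107,6 +203,20 @@ declare class VerifyEmailDto {
 token: string;
 }
 
+declare class ResendVerificationDto {
+email: string;
+}
+
+declare class MeResponseDto {
+id: string;
+email?: string;
+username?: string;
+emailVerified: boolean;
+disabled: boolean;
+lastLoginAt?: Date;
+passwordChangedAt?: Date;
+}
+
 declare const JwtAuthGuard_base: _nestjs_passport.Type<_nestjs_passport.IAuthGuard>;
 declare class JwtAuthGuard extends JwtAuthGuard_base {
 handleRequest<TUser>(err: Error | null, user: TUser, _info: unknown): TUser;
@@ -120,21 +230,40 @@ declare class DefaultAuthHooks implements AuthHooks {
 onAfterLogin(_account: BaseAuthAccount): Promise<void>;
 }
 
-/** JWT access
+/** JWT access token payload. Extend via `AuthHooks.buildJwtPayload`. */
 interface AuthJwtPayload {
 sub: string;
+/** `access` — rejected by Passport if a refresh token is presented. */
+typ?: "access" | "refresh";
+/** Unix ms when password last changed — invalidates older access tokens. */
+pwdAt?: number;
+iss?: string;
+aud?: string;
 [claim: string]: unknown;
 }
 /** @deprecated Use `AuthJwtPayload`. */
 type JwtPayload = AuthJwtPayload;
 
+declare const JWT_TOKEN_TYPE: {
+readonly ACCESS: "access";
+readonly REFRESH: "refresh";
+};
+interface RefreshJwtPayload {
+sub: string;
+typ: typeof JWT_TOKEN_TYPE.REFRESH;
+pwdAt?: number;
+jti: string;
+iss?: string;
+aud?: string;
+}
+
 declare class TokenService {
 private readonly jwtService;
 private readonly options;
 constructor(jwtService: JwtService, options: AuthModuleOptions);
-private
-signTokens(
-verifyRefreshToken(refreshToken: string): Promise<
+private signOptions;
+signTokens(accessClaims: Record<string, unknown>, refreshClaims: RefreshJwtPayload): Promise<AuthTokens>;
+verifyRefreshToken(refreshToken: string): Promise<RefreshJwtPayload>;
 hashRefreshToken(refreshToken: string): Promise<string>;
 compareRefreshToken(refreshToken: string, hash: string): Promise<boolean>;
 }
@@ -171,10 +300,12 @@ declare class AuthService {
 resetPassword(token: string, newPassword: string): Promise<{
 reset: true;
 }>;
+resendVerification(email: string): Promise<{
+sent: true;
+}>;
 changePassword(authId: string, currentPassword: string, newPassword: string): Promise<{
 changed: true;
 }>;
-private assertAccountNotLocked;
 private assertAccountActive;
 private assertPasswordPolicy;
 private issueTokens;
@@ -188,4 +319,4 @@ declare class AuthService {
 getIdentifierForAccount(account: BaseAuthAccount): string | undefined;
 }
 
-export { AUTH_HOOKS, AUTH_MODULE_OPTIONS, AUTH_RATE_LIMIT_PRESETS, AUTH_REPOSITORY, AuthErrorCode, type AuthErrorCodeValue, AuthHooks, type AuthJwtPayload, AuthModule, AuthModuleAsyncOptions, AuthModuleOptions, type AuthRateLimitPreset, AuthService, AuthTokens, AuthTokensDto, BaseAuthAccount, ChangePasswordDto, CurrentUser, DefaultAuthHooks, ForgotPasswordDto, IAuthRepository, JwtAuthGuard, type JwtPayload, LoginDto, RefreshTokenDto, RegisterAckDto, RegisterDto, RegisterInput, ResetPasswordDto, TokenService, VerifyEmailDto };
+export { AUTH_HOOKS, AUTH_MODULE_OPTIONS, AUTH_RATE_LIMIT_PRESETS, AUTH_RATE_LIMIT_ROUTES, AUTH_REPOSITORY, AuthErrorCode, type AuthErrorCodeValue, AuthFeatures, AuthHooks, type AuthJwtPayload, AuthModule, AuthModuleAsyncOptions, AuthModuleOptions, type AuthRateLimitPreset, type AuthRateLimitRoute, AuthService, type AuthSwaggerOptions, AuthTokens, AuthTokensDto, BaseAuthAccount, ChangePasswordDto, CurrentUser, DefaultAuthHooks, ForgotPasswordDto, IAuthRepository, JwtAuthGuard, type JwtPayload, LoginDto, MeResponseDto, type RefreshTokenCookieOptions, RefreshTokenDto, RegisterAckDto, RegisterDto, RegisterInput, ResendVerificationDto, ResetPasswordDto, TokenService, VerifyEmailDto, buildClearRefreshTokenCookie, buildRefreshTokenCookie, setupAuthSwagger };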
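Review bot: The new `ACCOUNT_NOT_FOUND` code (new line 100 in the `@@ -38,20 +38,116 @@` hunk) is the one `AuthErrorCode` entry that lets a client tell an unknown account apart from a wrong password, and unlike the neighbouring `UNAUTHORIZED` entry it carries no comment saying which routes may emit it; if it ever surfaces from login, forgot-password or resend-verification it becomes an account-enumeration oracle, although `resendVerification(email): Promise<{ sent: true }>` in the `@@ -171,10 +300,12 @@` hunk suggests at least that path answers uniformly. I would pin the contract in the declaration with a comment such as `/** Account lookup failed on an authenticated route; never returned by login or the unauthenticated e-mail flows, which answer uniformly. */`, adjusted to what the implementation (not visible in this .d.ts) actually does. In the `@@ -120,21 +230,40 @@` hunk, `typ?: "access" | "refresh"` is optional while its comment only says a refresh token is rejected, so it should also state how a payload with no `typ` — e.g. an access token issued before this version — is treated by the guard, since that decides whether pre-upgrade tokens stay valid.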