@aranzatech/aranza-auth 0.2.1 → 0.2.3

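--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -1,6 +1,6 @@
+import { A as AuthFeatures, a as AuthModuleOptions, b as AuthModuleAsyncOptions, c as AuthHooks, B as BaseAuthAccount, R as RegisterInput, d as AuthTokens, I as IAuthRepository } from './auth-repository.interface--1rv0RCD.js';
+export { e as AuthAccountWithSecrets, f as AuthHooksConstructor, g as AuthIdentifierField, h as AuthJwtConfig, C as CreateAccountData } from './auth-repository.interface--1rv0RCD.js';
 import { DynamicModule } from '@nestjs/common';
-import { A as AuthModuleOptions, a as AuthModuleAsyncOptions, b as AuthHooks, B as BaseAuthAccount, R as RegisterInput, c as AuthTokens, I as IAuthRepository } from './auth-repository.interface-9PpDVOs8.js';
-export { d as AuthAccountWithSecrets, e as AuthFeatures, f as AuthIdentifierField, g as AuthJwtConfig, C as CreateAccountData } from './auth-repository.interface-9PpDVOs8.js';
 import * as _nestjs_passport from '@nestjs/passport';
 import { JwtService } from '@nestjs/jwt';
 
@@ -38,20 +38,116 @@ declare const AUTH_RATE_LIMIT_PRESETS: {
 };
 type AuthRateLimitPreset = (typeof AUTH_RATE_LIMIT_PRESETS)[keyof typeof AUTH_RATE_LIMIT_PRESETS];
 
-/** Machine-readable auth error codes returned in HTTP responses. */
+/**
+* Maps auth routes to recommended `@nestjs/throttler` presets.
+* Apply per-route with `@Throttle()` in a wrapping controller or global guard.
+*
+* @example
+* ```typescript
+* import { Throttle } from "@nestjs/throttler";
+* import { AUTH_RATE_LIMIT_ROUTES } from "@aranzatech/aranza-auth";
+*
+* @Throttle({ default: AUTH_RATE_LIMIT_ROUTES.login })
+* @Post("login")
+* login() { ... }
+* ```
+*/
+declare const AUTH_RATE_LIMIT_ROUTES: {
+readonly login: {
+readonly name: "auth-credentials";
+readonly ttl: 60000;
+readonly limit: 5;
+};
+readonly register: {
+readonly name: "auth-credentials";
+readonly ttl: 60000;
+readonly limit: 5;
+};
+readonly refresh: {
+readonly name: "auth-credentials";
+readonly ttl: 60000;
+readonly limit: 5;
+};
+readonly "forgot-password": {
+readonly name: "auth-password-reset";
+readonly ttl: 60000;
+readonly limit: 3;
+};
+readonly "reset-password": {
+readonly name: "auth-password-reset";
+readonly ttl: 60000;
+readonly limit: 3;
+};
+readonly "resend-verification": {
+readonly name: "auth-password-reset";
+readonly ttl: 60000;
+readonly limit: 3;
+};
+readonly default: {
+readonly name: "auth-default";
+readonly ttl: 60000;
+readonly limit: 10;
+};
+};
+type AuthRateLimitRoute = keyof typeof AUTH_RATE_LIMIT_ROUTES;
+
+/** Machine-readable auth error codes returned in HTTP `message` field. */
 declare const AuthErrorCode: {
-readonly INVALID_CREDENTIALS: "Invalid credentials";
-readonly INVALID_REFRESH_TOKEN: "Invalid refresh token";
+readonly INVALID_CREDENTIALS: "INVALID_CREDENTIALS";
+readonly INVALID_REFRESH_TOKEN: "INVALID_REFRESH_TOKEN";
 readonly REFRESH_TOKEN_REUSE: "REFRESH_TOKEN_REUSE";
 readonly ACCOUNT_DISABLED: "ACCOUNT_DISABLED";
+readonly ACCOUNT_NOT_FOUND: "ACCOUNT_NOT_FOUND";
 readonly EMAIL_NOT_VERIFIED: "EMAIL_NOT_VERIFIED";
 readonly TOKEN_INVALID_OR_EXPIRED: "TOKEN_INVALID_OR_EXPIRED";
 readonly ACCOUNT_LOCKED: "ACCOUNT_LOCKED";
 readonly INVALID_CURRENT_PASSWORD: "INVALID_CURRENT_PASSWORD";
 readonly PASSWORD_UNCHANGED: "PASSWORD_UNCHANGED";
+readonly PASSWORD_CHANGED: "PASSWORD_CHANGED";
+/** Missing or invalid Bearer token on a protected route. */
+readonly UNAUTHORIZED: "UNAUTHORIZED";
 };
 type AuthErrorCodeValue = (typeof AuthErrorCode)[keyof typeof AuthErrorCode];
 
+interface AuthSwaggerOptions {
+/** OpenAPI document title. Default: `API`. */
+title?: string;
+/** API description shown in Swagger UI. */
+description?: string;
+/** Swagger UI path. Default: `api`. */
+path?: string;
+/** API version string. Default: `1.0`. */
+version?: string;
+/** Enabled auth features — appended to the OpenAPI description. */
+features?: Partial<AuthFeatures>;
+/** Write `openapi.json` to this path when set (relative to process cwd). */
+exportPath?: string;
+}
+/**
+* Configures Swagger UI with JWT Bearer auth for apps using `@aranzatech/aranza-auth`.
+* Requires `@nestjs/swagger` installed in the host application.
+*/
+declare function setupAuthSwagger(app: unknown, options?: AuthSwaggerOptions): void;
+
+interface RefreshTokenCookieOptions {
+/** Cookie name. Default: `refresh_token`. */
+name?: string;
+/** Cookie path. Default: `/auth/refresh`. */
+path?: string;
+/** `Secure` flag — use `true` in production (HTTPS). Default: `true`. */
+secure?: boolean;
+/** `SameSite` attribute. Default: `strict`. */
+sameSite?: "strict" | "lax" | "none";
+/** Max-Age in seconds. Default: 7 days. */
+maxAgeSeconds?: number;
+/** `HttpOnly` flag. Default: `true`. */
+httpOnly?: boolean;
+}
+/** Builds a `Set-Cookie` header value for storing the refresh token. */
+declare function buildRefreshTokenCookie(refreshToken: string, options?: RefreshTokenCookieOptions): string;
+/** Builds a `Set-Cookie` header value that clears the refresh token cookie. */
+declare function buildClearRefreshTokenCookie(options?: RefreshTokenCookieOptions): string;
+
 declare class AuthModule {
 static forRoot(options: AuthModuleOptions): DynamicModule;
 static forRootAsync(options: AuthModuleAsyncOptions): DynamicModule;
@@ -107,6 +203,20 @@ declare class VerifyEmailDto {
 token: string;
 }
 
+declare class ResendVerificationDto {
+email: string;
+}
+
+declare class MeResponseDto {
+id: string;
+email?: string;
+username?: string;
+emailVerified: boolean;
+disabled: boolean;
+lastLoginAt?: Date;
+passwordChangedAt?: Date;
+}
+
 declare const JwtAuthGuard_base: _nestjs_passport.Type<_nestjs_passport.IAuthGuard>;
 declare class JwtAuthGuard extends JwtAuthGuard_base {
 handleRequest<TUser>(err: Error | null, user: TUser, _info: unknown): TUser;
@@ -120,21 +230,40 @@ declare class DefaultAuthHooks implements AuthHooks {
 onAfterLogin(_account: BaseAuthAccount): Promise<void>;
 }
 
-/** JWT access/refresh payload. Extend via `AuthHooks.buildJwtPayload`. */
+/** JWT access token payload. Extend via `AuthHooks.buildJwtPayload`. */
 interface AuthJwtPayload {
 sub: string;
+/** `access` — rejected by Passport if a refresh token is presented. */
+typ?: "access" | "refresh";
+/** Unix ms when password last changed — invalidates older access tokens. */
+pwdAt?: number;
+iss?: string;
+aud?: string;
 [claim: string]: unknown;
 }
 /** @deprecated Use `AuthJwtPayload`. */
 type JwtPayload = AuthJwtPayload;
 
+declare const JWT_TOKEN_TYPE: {
+readonly ACCESS: "access";
+readonly REFRESH: "refresh";
+};
+interface RefreshJwtPayload {
+sub: string;
+typ: typeof JWT_TOKEN_TYPE.REFRESH;
+pwdAt?: number;
+jti: string;
+iss?: string;
+aud?: string;
+}
+
 declare class TokenService {
 private readonly jwtService;
 private readonly options;
 constructor(jwtService: JwtService, options: AuthModuleOptions);
-private get bcryptRounds();
-signTokens(payload: AuthJwtPayload): Promise<AuthTokens>;
-verifyRefreshToken(refreshToken: string): Promise<AuthJwtPayload>;
+private signOptions;
+signTokens(accessClaims: Record<string, unknown>, refreshClaims: RefreshJwtPayload): Promise<AuthTokens>;
+verifyRefreshToken(refreshToken: string): Promise<RefreshJwtPayload>;
 hashRefreshToken(refreshToken: string): Promise<string>;
 compareRefreshToken(refreshToken: string, hash: string): Promise<boolean>;
 }
@@ -171,10 +300,12 @@ declare class AuthService {
 resetPassword(token: string, newPassword: string): Promise<{
 reset: true;
 }>;
+resendVerification(email: string): Promise<{
+sent: true;
+}>;
 changePassword(authId: string, currentPassword: string, newPassword: string): Promise<{
 changed: true;
 }>;
-private assertAccountNotLocked;
 private assertAccountActive;
 private assertPasswordPolicy;
 private issueTokens;
@@ -188,4 +319,4 @@ declare class AuthService {
 getIdentifierForAccount(account: BaseAuthAccount): string | undefined;
 }
 
-export { AUTH_HOOKS, AUTH_MODULE_OPTIONS, AUTH_RATE_LIMIT_PRESETS, AUTH_REPOSITORY, AuthErrorCode, type AuthErrorCodeValue, AuthHooks, type AuthJwtPayload, AuthModule, AuthModuleAsyncOptions, AuthModuleOptions, type AuthRateLimitPreset, AuthService, AuthTokens, AuthTokensDto, BaseAuthAccount, ChangePasswordDto, CurrentUser, DefaultAuthHooks, ForgotPasswordDto, IAuthRepository, JwtAuthGuard, type JwtPayload, LoginDto, RefreshTokenDto, RegisterAckDto, RegisterDto, RegisterInput, ResetPasswordDto, TokenService, VerifyEmailDto };
+export { AUTH_HOOKS, AUTH_MODULE_OPTIONS, AUTH_RATE_LIMIT_PRESETS, AUTH_RATE_LIMIT_ROUTES, AUTH_REPOSITORY, AuthErrorCode, type AuthErrorCodeValue, AuthFeatures, AuthHooks, type AuthJwtPayload, AuthModule, AuthModuleAsyncOptions, AuthModuleOptions, type AuthRateLimitPreset, type AuthRateLimitRoute, AuthService, type AuthSwaggerOptions, AuthTokens, AuthTokensDto, BaseAuthAccount, ChangePasswordDto, CurrentUser, DefaultAuthHooks, ForgotPasswordDto, IAuthRepository, JwtAuthGuard, type JwtPayload, LoginDto, MeResponseDto, type RefreshTokenCookieOptions, RefreshTokenDto, RegisterAckDto, RegisterDto, RegisterInput, ResendVerificationDto, ResetPasswordDto, TokenService, VerifyEmailDto, buildClearRefreshTokenCookie, buildRefreshTokenCookie, setupAuthSwagger };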
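Review bot: In the `AuthJwtPayload` hunk, `typ?: "access" | "refresh"` is optional while `RefreshJwtPayload.typ` is required, and the comment only says a refresh token presented as access is rejected; what the guard does with an access token that carries no `typ` at all (tokens minted by a version that did not set the claim, or claims built by a custom `AuthHooks.buildJwtPayload`) is not stated, and that is the case a consumer rolling out this version needs to know. A doc line such as `/** Token type. Absent on tokens issued without this claim — state whether the guard treats a missing \`typ\` as \`access\` or rejects it. */` would close the gap. Related: `signTokens(accessClaims: Record<string, unknown>, …)` accepts any claim set, so `typ` and `pwdAt` can be supplied by the caller; if the service overwrites them, say so in a comment on `signTokens`, otherwise narrowing the parameter to `Omit<AuthJwtPayload, "typ" | "pwdAt">` would make the reserved claims explicit. On `RefreshTokenCookieOptions`, the `sameSite` doc could note that `"none"` is only valid together with `secure: true`, since the two flags are documented independently. The enclosing declarations are complete within their hunks.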