@ciscode/authentication-kit 1.1.0 → 1.1.2

package/README.md

@@ -1,48 +1,31 @@
-Auth Service (Express · JWT · Multi‑Tenant · RBAC)
-Internal package — private to the company.
-This package is not published on npmjs. Install it only from the company’s Azure Artifacts feed using a project or user-level .npmrc.
+Auth Service (NestJS, JWT, Multi-tenant, RBAC)
+Internal package - private to the company.
+This package is not published on npmjs. Install it only from the company Azure Artifacts feed using a project or user-level .npmrc.
 
-Authentication & authorization service for Node/Express apps.
-Provides local email/password auth with lockout, JWT access tokens + refresh, tenant scoping, RBAC, and optional Microsoft Entra (Azure AD) OAuth.
+Authentication and authorization module for NestJS apps.
+Provides local email/password auth with lockout, JWT access tokens and refresh, tenant scoping, RBAC, and optional OAuth (Microsoft Entra, Google, Facebook).
 
 Features
 Local auth (email/password) with account lockout policy.
 JWT access tokens (Bearer) and refresh endpoint (cookie or body).
 Multi-tenant scope on requests.
-RBAC (roles → permission strings).
-Microsoft Entra (Azure AD) OAuth (optional).
+RBAC (roles -> permission strings).
+Microsoft Entra (Azure AD), Google, Facebook OAuth (optional).
 MongoDB/Mongoose models.
+
 Routes are mounted under:
 
 /api/auth (auth, password reset)
 /api/users (user admin)
 /api/auth/roles and /api/auth/permissions (RBAC)
-Installation (Azure Artifacts only)
-1) Configure .npmrc
-Do not commit real tokens. Prefer ~/.npmrc or generate .npmrc in CI using secrets.
-
-For developers (user-level ~/.npmrc):
-
-registry=https://registry.npmjs.org/
-
-# Route @ciscodeapps scope to the private feed
-@ciscodeapps:registry=https://pkgs.dev.azure.com/CISCODEAPPS/Templates/_packaging/testfeed/npm/registry/
+/api/admin (admin actions)
 
-//pkgs.dev.azure.com/CISCODEAPPS/Templates/_packaging/testfeed/npm/registry/:_authToken=${AZURE_ARTIFACTS_PAT}
-always-auth=true
-Set the token as an environment variable before installing:
+Installation
 
-export AZURE_ARTIFACTS_PAT="<your PAT with Packaging:Read>"
-You can also use the username/_password form:
+1) Install the package
+npm i @ciscode/authentication-kit
 
-//pkgs.dev.azure.com/...:username=AzureDevOps
-//pkgs.dev.azure.com/...:_password=${BASE64_PAT}
-//pkgs.dev.azure.com/...:email=not-used@localhost
-where BASE64_PAT=$(printf %s "$AZURE_ARTIFACTS_PAT" | base64).
-
-2) Install the package
-npm i @ciscodeapps/auth-service
-3) Required environment variables (host app)
+2) Required environment variables (host app)
 Create a .env in the host project:
 
 # Server
@@ -64,61 +47,59 @@ MAX_FAILED_LOGIN_ATTEMPTS=5
 ACCOUNT_LOCK_TIME_MINUTES=15
 
 # (Optional) Microsoft Entra ID (Azure AD)
-MICROSOFT_TENANT=organizations
+MICROSOFT_TENANT_ID=common
 MICROSOFT_CLIENT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
 MICROSOFT_CLIENT_SECRET=your-secret
 MICROSOFT_CALLBACK_URL=${BASE_URL}/api/auth/microsoft/callback
-Use inside an existing Express app
-Your package exports an Express app that already parses JSON, connects to Mongo, and mounts its routes. Just mount it:
 
-// server.js (host app)
-require('dotenv').config();
-const express = require('express');
-const authApp = require('@ciscodeapps/auth-service');
+Use inside an existing Nest app
+The module connects to Mongo on init and mounts its controllers.
+
+// app.module.ts (host app)
+import { Module } from '@nestjs/common';
+import { AuthKitModule } from '@ciscode/authentication-kit';
+
+@Module({
+  imports: [AuthKitModule]
+})
+export class AppModule {}
 
-const app = express();
-app.use(authApp);           // exposes /api/auth, /api/users, /api/auth/roles, /api/auth/permissions
+If you need to run it standalone, build and start the package:
 
-app.get('/health', (_, res) => res.json({ ok: true }));
-app.listen(process.env.PORT || 3000, () =>
-  console.log('Host app on', process.env.PORT || 3000)
-);
-Prefer mounting the service. If you need to run it standalone, you can also start this package directly (it calls connectDB() on import).
+npm run build
+npm start
 
-What’s included (routes & behavior)
+What is included (routes and behavior)
 Auth
-POST /api/auth/register – Create a user (email/password).
-POST /api/auth/login – Local login. On success, returns accessToken and may set a refreshToken httpOnly cookie.
-POST /api/auth/verify-otp – If OTP/step-up is enabled, verifies the code and completes login.
-POST /api/auth/refresh-token – New access token from a valid refresh token (cookie or body).
-POST /api/auth/request-password-reset – Sends a reset token (e.g., by email).
-PATCH /api/auth/reset-password – Consumes the reset token and sets a new password.
-GET /api/auth/microsoft → GET /api/auth/microsoft/callback – Optional Microsoft Entra OAuth; issues first-party tokens.
+POST /api/auth/login - Local login. On success, returns accessToken and may set a refreshToken httpOnly cookie.
+POST /api/auth/refresh-token - New access token from a valid refresh token (cookie or body).
+POST /api/auth/request-password-reset - Sends a reset token (e.g., by email).
+POST /api/auth/reset-password - Consumes the reset token and sets a new password.
+GET /api/auth/microsoft - GET /api/auth/microsoft/callback - Optional Microsoft Entra OAuth; issues first-party tokens.
 Users
-GET /api/users – List users (tenant-scoped, paginated).
-POST /api/users – Create a user (requires permission).
+GET /api/users - List users (tenant-scoped, paginated).
+POST /api/users - Create a user.
 Additional CRUD endpoints as exposed by controllers.
-Roles & Permissions
-GET/POST /api/auth/roles – Manage roles (name, tenantId, permissions: string[]).
-GET /api/auth/permissions – List permission strings and metadata.
+Roles and Permissions
+GET/POST /api/auth/roles - Manage roles (name, tenantId, permissions: string[]).
+GET /api/auth/permissions - List permission strings and metadata.
+
 Protecting your own routes (host app)
-const authenticate = require('@ciscodeapps/auth-service/src/middleware/authenticate'); // JWT
-const { hasPermission } = require('@ciscodeapps/auth-service/src/middleware/rbac.middleware'); // RBAC
-
-app.get('/reports',
-  authenticate,
-  hasPermission('reports:read'),
-  (req, res) => res.json({ ok: true })
-);
+import { UseGuards } from '@nestjs/common';
+import { AuthenticateGuard, hasPermission } from '@ciscode/authentication-kit';
+
+@UseGuards(AuthenticateGuard, hasPermission('reports:read'))
+@Get('reports')
+getReports() {
+  return { ok: true };
+}
+
 Tenant scope comes from the JWT payload (e.g., tenantId) and is used inside controllers/guards to filter queries.
 
 Quick start (smoke tests)
-Start your host app:
-
-node server.js
-Register & Login
+Start your host app, then create a user and log in:
 
-curl -X POST http://localhost:3000/api/auth/register \
+curl -X POST http://localhost:3000/api/users \
   -H 'Content-Type: application/json' \
   -d '{"email":"a@b.com","password":"Secret123!","tenantId":"t-001","name":"Alice"}'
 
@@ -126,17 +107,20 @@ curl -X POST http://localhost:3000/api/auth/login \
   -H 'Content-Type: application/json' \
   -d '{"email":"a@b.com","password":"Secret123!","tenantId":"t-001"}'
 # => { "accessToken": "...", "refreshToken": "..." }
+
 Call a protected route
 
 ACCESS=<paste_access_token_here>
 curl http://localhost:3000/api/users -H "Authorization: Bearer $ACCESS"
+
 Refresh token
 
 curl -X POST http://localhost:3000/api/auth/refresh-token \
   -H 'Content-Type: application/json' \
   -d '{"refreshToken":"<paste_refresh_token_here>"}'
 # => { "accessToken": "..." }
-Microsoft OAuth (optional) - Visit: http://localhost:3000/api/auth/microsoft → complete sign-in.
+
+Microsoft OAuth (optional) - Visit: http://localhost:3000/api/auth/microsoft to complete sign-in.
 - Callback: ${BASE_URL}/api/auth/microsoft/callback returns tokens (and may set the refresh cookie).
 
 CI/CD (Azure Pipelines)
@@ -151,7 +135,7 @@ CI/CD (Azure Pipelines)
 
 Security notes
 Never commit real PATs. Use env vars or CI secrets.
-Run behind HTTPS. Rotate JWT & refresh secrets periodically.
+Run behind HTTPS. Rotate JWT and refresh secrets periodically.
 Limit login attempts; log auth events for auditing.
 License
-Internal — Company proprietary.
+Internal - Company proprietary.

package/dist/auth-kit.module.d.ts

@@ -0,0 +1,7 @@
+import 'dotenv/config';
+import { MiddlewareConsumer, NestModule, OnModuleDestroy, OnModuleInit } from '@nestjs/common';
+export declare class AuthKitModule implements NestModule, OnModuleInit, OnModuleDestroy {
+    onModuleInit(): Promise<void>;
+    onModuleDestroy(): Promise<void>;
+    configure(consumer: MiddlewareConsumer): void;
+}

package/dist/auth-kit.module.js

@@ -0,0 +1,50 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthKitModule = void 0;
+require("dotenv/config");
+const common_1 = require("@nestjs/common");
+const passport_config_1 = __importDefault(require("./config/passport.config"));
+const cookie_parser_1 = __importDefault(require("cookie-parser"));
+const mongoose_1 = __importDefault(require("mongoose"));
+const db_config_1 = require("./config/db.config");
+const auth_controller_1 = require("./controllers/auth.controller");
+const password_reset_controller_1 = require("./controllers/password-reset.controller");
+const users_controller_1 = require("./controllers/users.controller");
+const roles_controller_1 = require("./controllers/roles.controller");
+const permissions_controller_1 = require("./controllers/permissions.controller");
+const admin_controller_1 = require("./controllers/admin.controller");
+let AuthKitModule = class AuthKitModule {
+    async onModuleInit() {
+        await (0, db_config_1.connectDB)();
+    }
+    async onModuleDestroy() {
+        await mongoose_1.default.disconnect();
+    }
+    configure(consumer) {
+        consumer
+            .apply((0, cookie_parser_1.default)(), passport_config_1.default.initialize())
+            .forRoutes({ path: '*', method: common_1.RequestMethod.ALL });
+    }
+};
+exports.AuthKitModule = AuthKitModule;
+exports.AuthKitModule = AuthKitModule = __decorate([
+    (0, common_1.Module)({
+        controllers: [
+            auth_controller_1.AuthController,
+            password_reset_controller_1.PasswordResetController,
+            users_controller_1.UsersController,
+            roles_controller_1.RolesController,
+            permissions_controller_1.PermissionsController,
+            admin_controller_1.AdminController,
+        ],
+    })
+], AuthKitModule);

package/dist/config/db.config.d.ts

@@ -0,0 +1 @@
+export declare function connectDB(): Promise<void>;

package/dist/config/db.config.js

@@ -0,0 +1,22 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.connectDB = connectDB;
+const mongoose_1 = __importDefault(require("mongoose"));
+mongoose_1.default.set('strictQuery', false);
+async function connectDB() {
+    try {
+        const mongoURI = process.env.MONGO_URI_T;
+        if (!mongoURI) {
+            throw new Error('MONGO_URI is not defined in the environment variables.');
+        }
+        await mongoose_1.default.connect(mongoURI);
+        console.log('MongoDB Connected...');
+    }
+    catch (error) {
+        console.error('MongoDB Connection Error:', error);
+        process.exit(1);
+    }
+}

package/dist/config/passport.config.d.ts

@@ -0,0 +1,3 @@
+import passport from 'passport';
+import 'dotenv/config';
+export default passport;

package/dist/config/passport.config.js

@@ -0,0 +1,272 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const passport_1 = __importDefault(require("passport"));
+const passport_local_1 = require("passport-local");
+const passport_azure_ad_oauth2_1 = require("passport-azure-ad-oauth2");
+const passport_google_oauth20_1 = require("passport-google-oauth20");
+const passport_facebook_1 = require("passport-facebook");
+const bcryptjs_1 = __importDefault(require("bcryptjs"));
+const jsonwebtoken_1 = require("jsonwebtoken");
+const user_model_1 = __importDefault(require("../models/user.model"));
+const client_model_1 = __importDefault(require("../models/client.model"));
+require("dotenv/config");
+const MAX_FAILED = parseInt(process.env.MAX_FAILED_LOGIN_ATTEMPTS || '', 10) || 3;
+const LOCK_TIME_MIN = parseInt(process.env.ACCOUNT_LOCK_TIME_MINUTES || '', 10) || 15;
+const LOCK_TIME_MS = LOCK_TIME_MIN * 60 * 1000;
+const DEFAULT_TENANT_ID = process.env.DEFAULT_TENANT_ID || 'social-staff';
+passport_1.default.use(new passport_local_1.Strategy({ usernameField: 'email', passwordField: 'password', passReqToCallback: true }, async (req, email, password, done) => {
+    try {
+        const query = { email };
+        if (req.body.tenantId)
+            query.tenantId = String(req.body.tenantId).trim();
+        const user = await user_model_1.default.findOne(query);
+        if (!user)
+            return done(null, false, { message: 'Incorrect email (or tenant).' });
+        if (user.lockUntil && user.lockUntil > Date.now()) {
+            return done(null, false, { message: `Account locked until ${new Date(user.lockUntil).toLocaleString()}.` });
+        }
+        const ok = await bcryptjs_1.default.compare(password, user.password);
+        if (!ok) {
+            user.failedLoginAttempts += 1;
+            if (user.failedLoginAttempts >= MAX_FAILED)
+                user.lockUntil = Date.now() + LOCK_TIME_MS;
+            await user.save();
+            return done(null, false, { message: 'Incorrect password.' });
+        }
+        user.failedLoginAttempts = 0;
+        user.lockUntil = undefined;
+        await user.save();
+        return done(null, user);
+    }
+    catch (err) {
+        return done(err);
+    }
+}));
+passport_1.default.use(new passport_azure_ad_oauth2_1.Strategy({
+    clientID: process.env.MICROSOFT_CLIENT_ID,
+    clientSecret: process.env.MICROSOFT_CLIENT_SECRET,
+    callbackURL: process.env.MICROSOFT_CALLBACK_URL,
+}, async (_at, _rt, params, _profile, done) => {
+    try {
+        const decoded = (0, jsonwebtoken_1.decode)(params.id_token);
+        const microsoftId = decoded.oid;
+        const email = decoded.preferred_username;
+        const name = decoded.name;
+        const tenantId = decoded.tid;
+        let user = await user_model_1.default.findOne({ $or: [{ microsoftId }, { email }] });
+        if (!user) {
+            user = new user_model_1.default({ email, name, tenantId, microsoftId, roles: [], status: 'active' });
+            await user.save();
+        }
+        else {
+            let changed = false;
+            if (!user.microsoftId) {
+                user.microsoftId = microsoftId;
+                changed = true;
+            }
+            if (!user.tenantId) {
+                user.tenantId = tenantId;
+                changed = true;
+            }
+            if (changed)
+                await user.save();
+        }
+        return done(null, user);
+    }
+    catch (err) {
+        return done(err);
+    }
+}));
+passport_1.default.use('azure_ad_oauth2_client', new passport_azure_ad_oauth2_1.Strategy({
+    clientID: process.env.MICROSOFT_CLIENT_ID_CLIENT || process.env.MICROSOFT_CLIENT_ID,
+    clientSecret: process.env.MICROSOFT_CLIENT_SECRET_CLIENT || process.env.MICROSOFT_CLIENT_SECRET,
+    callbackURL: process.env.MICROSOFT_CALLBACK_URL_CLIENT,
+}, async (_at, _rt, params, _profile, done) => {
+    try {
+        const decoded = (0, jsonwebtoken_1.decode)(params.id_token);
+        const microsoftId = decoded.oid;
+        const email = decoded.preferred_username;
+        const name = decoded.name;
+        let client = await client_model_1.default.findOne({ $or: [{ microsoftId }, { email }] });
+        if (!client) {
+            client = new client_model_1.default({ email, name, microsoftId, roles: [] });
+            await client.save();
+        }
+        else if (!client.microsoftId) {
+            client.microsoftId = microsoftId;
+            await client.save();
+        }
+        return done(null, client);
+    }
+    catch (err) {
+        return done(err);
+    }
+}));
+if (process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET && process.env.GOOGLE_CALLBACK_URL_USER) {
+    passport_1.default.use('google-user', new passport_google_oauth20_1.Strategy({
+        clientID: process.env.GOOGLE_CLIENT_ID,
+        clientSecret: process.env.GOOGLE_CLIENT_SECRET,
+        callbackURL: process.env.GOOGLE_CALLBACK_URL_USER
+    }, async (_at, _rt, profile, done) => {
+        var _a;
+        try {
+            const email = profile.emails && ((_a = profile.emails[0]) === null || _a === void 0 ? void 0 : _a.value);
+            if (!email)
+                return done(null, false);
+            let user = await user_model_1.default.findOne({ email });
+            if (!user) {
+                user = new user_model_1.default({
+                    email,
+                    name: profile.displayName,
+                    tenantId: DEFAULT_TENANT_ID,
+                    googleId: profile.id,
+                    roles: [],
+                    status: 'active'
+                });
+                await user.save();
+            }
+            else {
+                let changed = false;
+                if (!user.googleId) {
+                    user.googleId = profile.id;
+                    changed = true;
+                }
+                if (!user.tenantId) {
+                    user.tenantId = DEFAULT_TENANT_ID;
+                    changed = true;
+                }
+                if (changed)
+                    await user.save();
+            }
+            return done(null, user);
+        }
+        catch (err) {
+            return done(err);
+        }
+    }));
+}
+if (process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET && process.env.GOOGLE_CALLBACK_URL_CLIENT) {
+    passport_1.default.use('google-client', new passport_google_oauth20_1.Strategy({
+        clientID: process.env.GOOGLE_CLIENT_ID,
+        clientSecret: process.env.GOOGLE_CLIENT_SECRET,
+        callbackURL: process.env.GOOGLE_CALLBACK_URL_CLIENT
+    }, async (_at, _rt, profile, done) => {
+        var _a;
+        try {
+            const email = profile.emails && ((_a = profile.emails[0]) === null || _a === void 0 ? void 0 : _a.value);
+            if (!email)
+                return done(null, false);
+            let client = await client_model_1.default.findOne({ email });
+            if (!client) {
+                client = new client_model_1.default({
+                    email,
+                    name: profile.displayName,
+                    googleId: profile.id,
+                    roles: []
+                });
+                await client.save();
+            }
+            else if (!client.googleId) {
+                client.googleId = profile.id;
+                await client.save();
+            }
+            return done(null, client);
+        }
+        catch (err) {
+            return done(err);
+        }
+    }));
+}
+if (process.env.FB_CLIENT_ID && process.env.FB_CLIENT_SECRET && process.env.FB_CALLBACK_URL_USER) {
+    passport_1.default.use('facebook-user', new passport_facebook_1.Strategy({
+        clientID: process.env.FB_CLIENT_ID,
+        clientSecret: process.env.FB_CLIENT_SECRET,
+        callbackURL: process.env.FB_CALLBACK_URL_USER,
+        profileFields: ['id', 'displayName', 'emails']
+    }, async (_at, _rt, profile, done) => {
+        var _a;
+        try {
+            const email = profile.emails && ((_a = profile.emails[0]) === null || _a === void 0 ? void 0 : _a.value);
+            if (!email)
+                return done(null, false);
+            let user = await user_model_1.default.findOne({ email });
+            if (!user) {
+                user = new user_model_1.default({
+                    email,
+                    name: profile.displayName,
+                    tenantId: DEFAULT_TENANT_ID,
+                    facebookId: profile.id,
+                    roles: [],
+                    status: 'active'
+                });
+                await user.save();
+            }
+            else {
+                let changed = false;
+                if (!user.facebookId) {
+                    user.facebookId = profile.id;
+                    changed = true;
+                }
+                if (!user.tenantId) {
+                    user.tenantId = DEFAULT_TENANT_ID;
+                    changed = true;
+                }
+                if (changed)
+                    await user.save();
+            }
+            return done(null, user);
+        }
+        catch (err) {
+            return done(err);
+        }
+    }));
+}
+if (process.env.FB_CLIENT_ID && process.env.FB_CLIENT_SECRET && process.env.FB_CALLBACK_URL_CLIENT) {
+    passport_1.default.use('facebook-client', new passport_facebook_1.Strategy({
+        clientID: process.env.FB_CLIENT_ID,
+        clientSecret: process.env.FB_CLIENT_SECRET,
+        callbackURL: process.env.FB_CALLBACK_URL_CLIENT,
+        profileFields: ['id', 'displayName', 'emails']
+    }, async (_at, _rt, profile, done) => {
+        var _a;
+        try {
+            const email = profile.emails && ((_a = profile.emails[0]) === null || _a === void 0 ? void 0 : _a.value);
+            if (!email)
+                return done(null, false);
+            let client = await client_model_1.default.findOne({ email });
+            if (!client) {
+                client = new client_model_1.default({
+                    email,
+                    name: profile.displayName,
+                    facebookId: profile.id,
+                    roles: []
+                });
+                await client.save();
+            }
+            else if (!client.facebookId) {
+                client.facebookId = profile.id;
+                await client.save();
+            }
+            return done(null, client);
+        }
+        catch (err) {
+            return done(err);
+        }
+    }));
+}
+passport_1.default.serializeUser((principal, done) => done(null, principal.id));
+passport_1.default.deserializeUser(async (id, done) => {
+    try {
+        let principal = await user_model_1.default.findById(id);
+        if (!principal)
+            principal = await client_model_1.default.findById(id);
+        done(null, principal);
+    }
+    catch (err) {
+        done(err);
+    }
+});
+exports.default = passport_1.default;

package/dist/controllers/admin.controller.d.ts

@@ -0,0 +1,4 @@
+import type { Request, Response } from 'express';
+export declare class AdminController {
+    suspendUser(req: Request, res: Response): Promise<Response<any, Record<string, any>>>;
+}

package/dist/controllers/admin.controller.js

@@ -0,0 +1,59 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AdminController = void 0;
+const common_1 = require("@nestjs/common");
+const user_model_1 = __importDefault(require("../models/user.model"));
+const authenticate_guard_1 = require("../middleware/authenticate.guard");
+let AdminController = class AdminController {
+    async suspendUser(req, res) {
+        try {
+            if (!req.user || !req.user.roles) {
+                return res.status(403).json({ message: 'Access denied. Superadmin privileges required.' });
+            }
+            if (!req.user.roles.includes('superadmin')) {
+                return res.status(403).json({ message: 'Access denied. Superadmin privileges required.' });
+            }
+            const { id } = req.params;
+            if (!id) {
+                return res.status(400).json({ message: 'User ID is required in the URL.' });
+            }
+            const updatedUser = await user_model_1.default.findByIdAndUpdate(id, { status: 'suspended' }, { new: true });
+            if (!updatedUser) {
+                return res.status(404).json({ message: 'User not found.' });
+            }
+            return res.status(200).json({ message: 'User suspended successfully.', user: updatedUser });
+        }
+        catch (error) {
+            console.error('Error suspending user:', error);
+            return res.status(500).json({ message: 'Server error', error: error.message });
+        }
+    }
+};
+exports.AdminController = AdminController;
+__decorate([
+    (0, common_1.Put)(':id/suspend'),
+    __param(0, (0, common_1.Req)()),
+    __param(1, (0, common_1.Res)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object, Object]),
+    __metadata("design:returntype", Promise)
+], AdminController.prototype, "suspendUser", null);
+exports.AdminController = AdminController = __decorate([
+    (0, common_1.UseGuards)(authenticate_guard_1.AuthenticateGuard),
+    (0, common_1.Controller)('api/admin')
+], AdminController);

package/dist/controllers/auth.controller.d.ts

@@ -0,0 +1,23 @@
+import type { Request, Response, NextFunction } from 'express';
+export declare class AuthController {
+    private issueTokensAndRespond;
+    private respondWebOrMobile;
+    registerClient(req: Request, res: Response): Promise<Response<any, Record<string, any>>>;
+    clientLogin(req: Request, res: Response): Promise<Response<any, Record<string, any>>>;
+    localLogin(req: Request, res: Response, next: NextFunction): any;
+    microsoftLogin(req: Request, res: Response, next: NextFunction): any;
+    microsoftCallback(req: Request, res: Response, next: NextFunction): void;
+    microsoftExchange(req: Request, res: Response): Promise<Response<any, Record<string, any>>>;
+    googleUserLogin(req: Request, res: Response, next: NextFunction): any;
+    googleUserCallback(req: Request, res: Response, next: NextFunction): void;
+    googleClientLogin(req: Request, res: Response, next: NextFunction): any;
+    googleClientCallback(req: Request, res: Response, next: NextFunction): void;
+    googleExchange(req: Request, res: Response): Promise<Response<any, Record<string, any>>>;
+    facebookUserLogin(req: Request, res: Response, next: NextFunction): any;
+    facebookUserCallback(req: Request, res: Response, next: NextFunction): void;
+    facebookClientLogin(req: Request, res: Response, next: NextFunction): any;
+    facebookClientCallback(req: Request, res: Response, next: NextFunction): void;
+    microsoftClientLogin(req: Request, res: Response, next: NextFunction): any;
+    microsoftClientCallback(req: Request, res: Response, next: NextFunction): void;
+    refreshToken(req: Request, res: Response): Promise<Response<any, Record<string, any>>>;
+}