@ciscode/authentication-kit 1.1.1 → 1.1.3

package/README.md

@@ -1,14 +1,13 @@
-Auth Service (NestJS, JWT, Multi-tenant, RBAC)
+Auth Service (NestJS, JWT, RBAC)
 Internal package - private to the company.
 This package is not published on npmjs. Install it only from the company Azure Artifacts feed using a project or user-level .npmrc.
 
 Authentication and authorization module for NestJS apps.
-Provides local email/password auth with lockout, JWT access tokens and refresh, tenant scoping, RBAC, and optional OAuth (Microsoft Entra, Google, Facebook).
+Provides local email/password auth with lockout, JWT access tokens and refresh, RBAC, and optional OAuth (Microsoft Entra, Google, Facebook).
 
 Features
 Local auth (email/password) with account lockout policy.
 JWT access tokens (Bearer) and refresh endpoint (cookie or body).
-Multi-tenant scope on requests.
 RBAC (roles -> permission strings).
 Microsoft Entra (Azure AD), Google, Facebook OAuth (optional).
 MongoDB/Mongoose models.
@@ -47,7 +46,6 @@ MAX_FAILED_LOGIN_ATTEMPTS=5
 ACCOUNT_LOCK_TIME_MINUTES=15
 
 # (Optional) Microsoft Entra ID (Azure AD)
-MICROSOFT_TENANT_ID=common
 MICROSOFT_CLIENT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
 MICROSOFT_CLIENT_SECRET=your-secret
 MICROSOFT_CALLBACK_URL=${BASE_URL}/api/auth/microsoft/callback
@@ -77,11 +75,11 @@ POST /api/auth/request-password-reset - Sends a reset token (e.g., by email).
 POST /api/auth/reset-password - Consumes the reset token and sets a new password.
 GET /api/auth/microsoft - GET /api/auth/microsoft/callback - Optional Microsoft Entra OAuth; issues first-party tokens.
 Users
-GET /api/users - List users (tenant-scoped, paginated).
+GET /api/users - List users (paginated).
 POST /api/users - Create a user.
 Additional CRUD endpoints as exposed by controllers.
 Roles and Permissions
-GET/POST /api/auth/roles - Manage roles (name, tenantId, permissions: string[]).
+GET/POST /api/auth/roles - Manage roles (name, permissions: string[]).
 GET /api/auth/permissions - List permission strings and metadata.
 
 Protecting your own routes (host app)
@@ -94,18 +92,16 @@ getReports() {
   return { ok: true };
 }
 
-Tenant scope comes from the JWT payload (e.g., tenantId) and is used inside controllers/guards to filter queries.
-
 Quick start (smoke tests)
 Start your host app, then create a user and log in:
 
 curl -X POST http://localhost:3000/api/users \
   -H 'Content-Type: application/json' \
-  -d '{"email":"a@b.com","password":"Secret123!","tenantId":"t-001","name":"Alice"}'
+  -d '{"email":"a@b.com","password":"Secret123!","name":"Alice"}'
 
 curl -X POST http://localhost:3000/api/auth/login \
   -H 'Content-Type: application/json' \
-  -d '{"email":"a@b.com","password":"Secret123!","tenantId":"t-001"}'
+  -d '{"email":"a@b.com","password":"Secret123!"}'
 # => { "accessToken": "...", "refreshToken": "..." }
 
 Call a protected route

package/dist/auth-kit.module.d.ts

@@ -0,0 +1,7 @@
+import 'dotenv/config';
+import { MiddlewareConsumer, NestModule, OnModuleDestroy, OnModuleInit } from '@nestjs/common';
+export declare class AuthKitModule implements NestModule, OnModuleInit, OnModuleDestroy {
+    onModuleInit(): Promise<void>;
+    onModuleDestroy(): Promise<void>;
+    configure(consumer: MiddlewareConsumer): void;
+}

package/dist/auth-kit.module.js

@@ -0,0 +1,50 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthKitModule = void 0;
+require("dotenv/config");
+const common_1 = require("@nestjs/common");
+const passport_config_1 = __importDefault(require("./config/passport.config"));
+const cookie_parser_1 = __importDefault(require("cookie-parser"));
+const mongoose_1 = __importDefault(require("mongoose"));
+const db_config_1 = require("./config/db.config");
+const auth_controller_1 = require("./controllers/auth.controller");
+const password_reset_controller_1 = require("./controllers/password-reset.controller");
+const users_controller_1 = require("./controllers/users.controller");
+const roles_controller_1 = require("./controllers/roles.controller");
+const permissions_controller_1 = require("./controllers/permissions.controller");
+const admin_controller_1 = require("./controllers/admin.controller");
+let AuthKitModule = class AuthKitModule {
+    async onModuleInit() {
+        await (0, db_config_1.connectDB)();
+    }
+    async onModuleDestroy() {
+        await mongoose_1.default.disconnect();
+    }
+    configure(consumer) {
+        consumer
+            .apply((0, cookie_parser_1.default)(), passport_config_1.default.initialize())
+            .forRoutes({ path: '*', method: common_1.RequestMethod.ALL });
+    }
+};
+exports.AuthKitModule = AuthKitModule;
+exports.AuthKitModule = AuthKitModule = __decorate([
+    (0, common_1.Module)({
+        controllers: [
+            auth_controller_1.AuthController,
+            password_reset_controller_1.PasswordResetController,
+            users_controller_1.UsersController,
+            roles_controller_1.RolesController,
+            permissions_controller_1.PermissionsController,
+            admin_controller_1.AdminController,
+        ],
+    })
+], AuthKitModule);

package/dist/config/db.config.d.ts

@@ -0,0 +1 @@
+export declare function connectDB(): Promise<void>;

package/dist/config/db.config.js

@@ -0,0 +1,22 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.connectDB = connectDB;
+const mongoose_1 = __importDefault(require("mongoose"));
+mongoose_1.default.set('strictQuery', false);
+async function connectDB() {
+    try {
+        const mongoURI = process.env.MONGO_URI_T;
+        if (!mongoURI) {
+            throw new Error('MONGO_URI is not defined in the environment variables.');
+        }
+        await mongoose_1.default.connect(mongoURI);
+        console.log('MongoDB Connected...');
+    }
+    catch (error) {
+        console.error('MongoDB Connection Error:', error);
+        process.exit(1);
+    }
+}

package/dist/config/passport.config.d.ts

@@ -0,0 +1,3 @@
+import passport from 'passport';
+import 'dotenv/config';
+export default passport;

package/dist/config/passport.config.js

@@ -0,0 +1,253 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const passport_1 = __importDefault(require("passport"));
+const passport_local_1 = require("passport-local");
+const passport_azure_ad_oauth2_1 = require("passport-azure-ad-oauth2");
+const passport_google_oauth20_1 = require("passport-google-oauth20");
+const passport_facebook_1 = require("passport-facebook");
+const bcryptjs_1 = __importDefault(require("bcryptjs"));
+const jsonwebtoken_1 = require("jsonwebtoken");
+const user_model_1 = __importDefault(require("../models/user.model"));
+const client_model_1 = __importDefault(require("../models/client.model"));
+require("dotenv/config");
+const MAX_FAILED = parseInt(process.env.MAX_FAILED_LOGIN_ATTEMPTS || '', 10) || 3;
+const LOCK_TIME_MIN = parseInt(process.env.ACCOUNT_LOCK_TIME_MINUTES || '', 10) || 15;
+const LOCK_TIME_MS = LOCK_TIME_MIN * 60 * 1000;
+passport_1.default.use(new passport_local_1.Strategy({ usernameField: 'email', passwordField: 'password', passReqToCallback: true }, async (req, email, password, done) => {
+    try {
+        const user = await user_model_1.default.findOne({ email });
+        if (!user)
+            return done(null, false, { message: 'Incorrect email.' });
+        if (user.lockUntil && user.lockUntil > Date.now()) {
+            return done(null, false, { message: `Account locked until ${new Date(user.lockUntil).toLocaleString()}.` });
+        }
+        const ok = await bcryptjs_1.default.compare(password, user.password);
+        if (!ok) {
+            user.failedLoginAttempts += 1;
+            if (user.failedLoginAttempts >= MAX_FAILED)
+                user.lockUntil = Date.now() + LOCK_TIME_MS;
+            await user.save();
+            return done(null, false, { message: 'Incorrect password.' });
+        }
+        user.failedLoginAttempts = 0;
+        user.lockUntil = undefined;
+        await user.save();
+        return done(null, user);
+    }
+    catch (err) {
+        return done(err);
+    }
+}));
+passport_1.default.use(new passport_azure_ad_oauth2_1.Strategy({
+    clientID: process.env.MICROSOFT_CLIENT_ID,
+    clientSecret: process.env.MICROSOFT_CLIENT_SECRET,
+    callbackURL: process.env.MICROSOFT_CALLBACK_URL,
+}, async (_at, _rt, params, _profile, done) => {
+    try {
+        const decoded = (0, jsonwebtoken_1.decode)(params.id_token);
+        const microsoftId = decoded.oid;
+        const email = decoded.preferred_username;
+        const name = decoded.name;
+        let user = await user_model_1.default.findOne({ $or: [{ microsoftId }, { email }] });
+        if (!user) {
+            user = new user_model_1.default({ email, name, microsoftId, roles: [], status: 'active' });
+            await user.save();
+        }
+        else {
+            let changed = false;
+            if (!user.microsoftId) {
+                user.microsoftId = microsoftId;
+                changed = true;
+            }
+            if (changed)
+                await user.save();
+        }
+        return done(null, user);
+    }
+    catch (err) {
+        return done(err);
+    }
+}));
+passport_1.default.use('azure_ad_oauth2_client', new passport_azure_ad_oauth2_1.Strategy({
+    clientID: process.env.MICROSOFT_CLIENT_ID_CLIENT || process.env.MICROSOFT_CLIENT_ID,
+    clientSecret: process.env.MICROSOFT_CLIENT_SECRET_CLIENT || process.env.MICROSOFT_CLIENT_SECRET,
+    callbackURL: process.env.MICROSOFT_CALLBACK_URL_CLIENT,
+}, async (_at, _rt, params, _profile, done) => {
+    try {
+        const decoded = (0, jsonwebtoken_1.decode)(params.id_token);
+        const microsoftId = decoded.oid;
+        const email = decoded.preferred_username;
+        const name = decoded.name;
+        let client = await client_model_1.default.findOne({ $or: [{ microsoftId }, { email }] });
+        if (!client) {
+            client = new client_model_1.default({ email, name, microsoftId, roles: [] });
+            await client.save();
+        }
+        else if (!client.microsoftId) {
+            client.microsoftId = microsoftId;
+            await client.save();
+        }
+        return done(null, client);
+    }
+    catch (err) {
+        return done(err);
+    }
+}));
+if (process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET && process.env.GOOGLE_CALLBACK_URL_USER) {
+    passport_1.default.use('google-user', new passport_google_oauth20_1.Strategy({
+        clientID: process.env.GOOGLE_CLIENT_ID,
+        clientSecret: process.env.GOOGLE_CLIENT_SECRET,
+        callbackURL: process.env.GOOGLE_CALLBACK_URL_USER
+    }, async (_at, _rt, profile, done) => {
+        var _a;
+        try {
+            const email = profile.emails && ((_a = profile.emails[0]) === null || _a === void 0 ? void 0 : _a.value);
+            if (!email)
+                return done(null, false);
+            let user = await user_model_1.default.findOne({ email });
+            if (!user) {
+                user = new user_model_1.default({
+                    email,
+                    name: profile.displayName,
+                    googleId: profile.id,
+                    roles: [],
+                    status: 'active'
+                });
+                await user.save();
+            }
+            else {
+                let changed = false;
+                if (!user.googleId) {
+                    user.googleId = profile.id;
+                    changed = true;
+                }
+                if (changed)
+                    await user.save();
+            }
+            return done(null, user);
+        }
+        catch (err) {
+            return done(err);
+        }
+    }));
+}
+if (process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET && process.env.GOOGLE_CALLBACK_URL_CLIENT) {
+    passport_1.default.use('google-client', new passport_google_oauth20_1.Strategy({
+        clientID: process.env.GOOGLE_CLIENT_ID,
+        clientSecret: process.env.GOOGLE_CLIENT_SECRET,
+        callbackURL: process.env.GOOGLE_CALLBACK_URL_CLIENT
+    }, async (_at, _rt, profile, done) => {
+        var _a;
+        try {
+            const email = profile.emails && ((_a = profile.emails[0]) === null || _a === void 0 ? void 0 : _a.value);
+            if (!email)
+                return done(null, false);
+            let client = await client_model_1.default.findOne({ email });
+            if (!client) {
+                client = new client_model_1.default({
+                    email,
+                    name: profile.displayName,
+                    googleId: profile.id,
+                    roles: []
+                });
+                await client.save();
+            }
+            else if (!client.googleId) {
+                client.googleId = profile.id;
+                await client.save();
+            }
+            return done(null, client);
+        }
+        catch (err) {
+            return done(err);
+        }
+    }));
+}
+if (process.env.FB_CLIENT_ID && process.env.FB_CLIENT_SECRET && process.env.FB_CALLBACK_URL_USER) {
+    passport_1.default.use('facebook-user', new passport_facebook_1.Strategy({
+        clientID: process.env.FB_CLIENT_ID,
+        clientSecret: process.env.FB_CLIENT_SECRET,
+        callbackURL: process.env.FB_CALLBACK_URL_USER,
+        profileFields: ['id', 'displayName', 'emails']
+    }, async (_at, _rt, profile, done) => {
+        var _a;
+        try {
+            const email = profile.emails && ((_a = profile.emails[0]) === null || _a === void 0 ? void 0 : _a.value);
+            if (!email)
+                return done(null, false);
+            let user = await user_model_1.default.findOne({ email });
+            if (!user) {
+                user = new user_model_1.default({
+                    email,
+                    name: profile.displayName,
+                    facebookId: profile.id,
+                    roles: [],
+                    status: 'active'
+                });
+                await user.save();
+            }
+            else {
+                let changed = false;
+                if (!user.facebookId) {
+                    user.facebookId = profile.id;
+                    changed = true;
+                }
+                if (changed)
+                    await user.save();
+            }
+            return done(null, user);
+        }
+        catch (err) {
+            return done(err);
+        }
+    }));
+}
+if (process.env.FB_CLIENT_ID && process.env.FB_CLIENT_SECRET && process.env.FB_CALLBACK_URL_CLIENT) {
+    passport_1.default.use('facebook-client', new passport_facebook_1.Strategy({
+        clientID: process.env.FB_CLIENT_ID,
+        clientSecret: process.env.FB_CLIENT_SECRET,
+        callbackURL: process.env.FB_CALLBACK_URL_CLIENT,
+        profileFields: ['id', 'displayName', 'emails']
+    }, async (_at, _rt, profile, done) => {
+        var _a;
+        try {
+            const email = profile.emails && ((_a = profile.emails[0]) === null || _a === void 0 ? void 0 : _a.value);
+            if (!email)
+                return done(null, false);
+            let client = await client_model_1.default.findOne({ email });
+            if (!client) {
+                client = new client_model_1.default({
+                    email,
+                    name: profile.displayName,
+                    facebookId: profile.id,
+                    roles: []
+                });
+                await client.save();
+            }
+            else if (!client.facebookId) {
+                client.facebookId = profile.id;
+                await client.save();
+            }
+            return done(null, client);
+        }
+        catch (err) {
+            return done(err);
+        }
+    }));
+}
+passport_1.default.serializeUser((principal, done) => done(null, principal.id));
+passport_1.default.deserializeUser(async (id, done) => {
+    try {
+        let principal = await user_model_1.default.findById(id);
+        if (!principal)
+            principal = await client_model_1.default.findById(id);
+        done(null, principal);
+    }
+    catch (err) {
+        done(err);
+    }
+});
+exports.default = passport_1.default;

package/dist/controllers/admin.controller.d.ts

@@ -0,0 +1,4 @@
+import type { Request, Response } from 'express';
+export declare class AdminController {
+    suspendUser(req: Request, res: Response): Promise<Response<any, Record<string, any>>>;
+}

package/dist/controllers/admin.controller.js

@@ -0,0 +1,59 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AdminController = void 0;
+const common_1 = require("@nestjs/common");
+const user_model_1 = __importDefault(require("../models/user.model"));
+const authenticate_guard_1 = require("../middleware/authenticate.guard");
+let AdminController = class AdminController {
+    async suspendUser(req, res) {
+        try {
+            if (!req.user || !req.user.roles) {
+                return res.status(403).json({ message: 'Access denied. Superadmin privileges required.' });
+            }
+            if (!req.user.roles.includes('superadmin')) {
+                return res.status(403).json({ message: 'Access denied. Superadmin privileges required.' });
+            }
+            const { id } = req.params;
+            if (!id) {
+                return res.status(400).json({ message: 'User ID is required in the URL.' });
+            }
+            const updatedUser = await user_model_1.default.findByIdAndUpdate(id, { status: 'suspended' }, { new: true });
+            if (!updatedUser) {
+                return res.status(404).json({ message: 'User not found.' });
+            }
+            return res.status(200).json({ message: 'User suspended successfully.', user: updatedUser });
+        }
+        catch (error) {
+            console.error('Error suspending user:', error);
+            return res.status(500).json({ message: 'Server error', error: error.message });
+        }
+    }
+};
+exports.AdminController = AdminController;
+__decorate([
+    (0, common_1.Put)(':id/suspend'),
+    __param(0, (0, common_1.Req)()),
+    __param(1, (0, common_1.Res)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object, Object]),
+    __metadata("design:returntype", Promise)
+], AdminController.prototype, "suspendUser", null);
+exports.AdminController = AdminController = __decorate([
+    (0, common_1.UseGuards)(authenticate_guard_1.AuthenticateGuard),
+    (0, common_1.Controller)('api/admin')
+], AdminController);

package/dist/controllers/auth.controller.d.ts

@@ -0,0 +1,23 @@
+import type { Request, Response, NextFunction } from 'express';
+export declare class AuthController {
+    private issueTokensAndRespond;
+    private respondWebOrMobile;
+    registerClient(req: Request, res: Response): Promise<Response<any, Record<string, any>>>;
+    clientLogin(req: Request, res: Response): Promise<Response<any, Record<string, any>>>;
+    localLogin(req: Request, res: Response, next: NextFunction): any;
+    microsoftLogin(req: Request, res: Response, next: NextFunction): any;
+    microsoftCallback(req: Request, res: Response, next: NextFunction): void;
+    microsoftExchange(req: Request, res: Response): Promise<Response<any, Record<string, any>>>;
+    googleUserLogin(req: Request, res: Response, next: NextFunction): any;
+    googleUserCallback(req: Request, res: Response, next: NextFunction): void;
+    googleClientLogin(req: Request, res: Response, next: NextFunction): any;
+    googleClientCallback(req: Request, res: Response, next: NextFunction): void;
+    googleExchange(req: Request, res: Response): Promise<Response<any, Record<string, any>>>;
+    facebookUserLogin(req: Request, res: Response, next: NextFunction): any;
+    facebookUserCallback(req: Request, res: Response, next: NextFunction): void;
+    facebookClientLogin(req: Request, res: Response, next: NextFunction): any;
+    facebookClientCallback(req: Request, res: Response, next: NextFunction): void;
+    microsoftClientLogin(req: Request, res: Response, next: NextFunction): any;
+    microsoftClientCallback(req: Request, res: Response, next: NextFunction): void;
+    refreshToken(req: Request, res: Response): Promise<Response<any, Record<string, any>>>;
+}