@ciscode/authentication-kit 1.1.6 → 1.2.0

package/dist/services/auth.service.js

@@ -0,0 +1,219 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthService = void 0;
+const common_1 = require("@nestjs/common");
+const bcryptjs_1 = __importDefault(require("bcryptjs"));
+const jwt = __importStar(require("jsonwebtoken"));
+const user_repository_1 = require("../repositories/user.repository");
+const mail_service_1 = require("./mail.service");
+const role_repository_1 = require("../repositories/role.repository");
+let AuthService = class AuthService {
+    constructor(users, mail, roles) {
+        this.users = users;
+        this.mail = mail;
+        this.roles = roles;
+    }
+    resolveExpiry(value, fallback) {
+        return (value || fallback);
+    }
+    signAccessToken(payload) {
+        const expiresIn = this.resolveExpiry(process.env.JWT_ACCESS_TOKEN_EXPIRES_IN, '15m');
+        return jwt.sign(payload, this.getEnv('JWT_SECRET'), { expiresIn });
+    }
+    signRefreshToken(payload) {
+        const expiresIn = this.resolveExpiry(process.env.JWT_REFRESH_TOKEN_EXPIRES_IN, '7d');
+        return jwt.sign(payload, this.getEnv('JWT_REFRESH_SECRET'), { expiresIn });
+    }
+    signEmailToken(payload) {
+        const expiresIn = this.resolveExpiry(process.env.JWT_EMAIL_TOKEN_EXPIRES_IN, '1d');
+        return jwt.sign(payload, this.getEnv('JWT_EMAIL_SECRET'), { expiresIn });
+    }
+    signResetToken(payload) {
+        const expiresIn = this.resolveExpiry(process.env.JWT_RESET_TOKEN_EXPIRES_IN, '1h');
+        return jwt.sign(payload, this.getEnv('JWT_RESET_SECRET'), { expiresIn });
+    }
+    async buildTokenPayload(userId) {
+        const user = await this.users.findByIdWithRolesAndPermissions(userId);
+        if (!user)
+            throw new Error('User not found.');
+        const roles = (user.roles || []).map((r) => r._id.toString());
+        const permissions = (user.roles || [])
+            .flatMap((r) => (r.permissions || []).map((p) => p.name))
+            .filter(Boolean);
+        return { sub: user._id.toString(), roles, permissions };
+    }
+    getEnv(name) {
+        const v = process.env[name];
+        if (!v)
+            throw new Error(`${name} is not set`);
+        return v;
+    }
+    async issueTokensForUser(userId) {
+        const payload = await this.buildTokenPayload(userId);
+        const accessToken = this.signAccessToken(payload);
+        const refreshToken = this.signRefreshToken({ sub: userId, purpose: 'refresh' });
+        return { accessToken, refreshToken };
+    }
+    async register(dto) {
+        if (await this.users.findByEmail(dto.email))
+            throw new Error('Email already in use.');
+        if (await this.users.findByUsername(dto.username))
+            throw new Error('Username already in use.');
+        if (dto.phoneNumber && (await this.users.findByPhone(dto.phoneNumber))) {
+            throw new Error('Phone already in use.');
+        }
+        const salt = await bcryptjs_1.default.genSalt(10);
+        const hashed = await bcryptjs_1.default.hash(dto.password, salt);
+        const userRole = await this.roles.findByName('user');
+        if (!userRole)
+            throw new Error('Default role not seeded.');
+        const user = await this.users.create({
+            fullname: dto.fullname,
+            username: dto.username,
+            email: dto.email,
+            phoneNumber: dto.phoneNumber,
+            avatar: dto.avatar,
+            password: hashed,
+            roles: [userRole._id],
+            isVerified: false,
+            isBanned: false,
+            passwordChangedAt: new Date()
+        });
+        const emailToken = this.signEmailToken({ sub: user._id.toString(), purpose: 'verify' });
+        await this.mail.sendVerificationEmail(user.email, emailToken);
+        return { id: user._id, email: user.email };
+    }
+    async verifyEmail(token) {
+        const decoded = jwt.verify(token, this.getEnv('JWT_EMAIL_SECRET'));
+        if (decoded.purpose !== 'verify')
+            throw new Error('Invalid token purpose.');
+        const user = await this.users.findById(decoded.sub);
+        if (!user)
+            throw new Error('User not found.');
+        if (user.isVerified)
+            return { ok: true };
+        user.isVerified = true;
+        await user.save();
+        return { ok: true };
+    }
+    async resendVerification(email) {
+        const user = await this.users.findByEmail(email);
+        if (!user || user.isVerified)
+            return { ok: true };
+        const emailToken = this.signEmailToken({ sub: user._id.toString(), purpose: 'verify' });
+        await this.mail.sendVerificationEmail(user.email, emailToken);
+        return { ok: true };
+    }
+    async login(dto) {
+        const user = await this.users.findByEmailWithPassword(dto.email);
+        if (!user)
+            throw new Error('Invalid credentials.');
+        if (user.isBanned)
+            throw new Error('Account banned.');
+        if (!user.isVerified)
+            throw new Error('Email not verified.');
+        const ok = await bcryptjs_1.default.compare(dto.password, user.password);
+        if (!ok)
+            throw new Error('Invalid credentials.');
+        const payload = await this.buildTokenPayload(user._id.toString());
+        const accessToken = this.signAccessToken(payload);
+        const refreshToken = this.signRefreshToken({ sub: user._id.toString(), purpose: 'refresh' });
+        return { accessToken, refreshToken };
+    }
+    async refresh(refreshToken) {
+        const decoded = jwt.verify(refreshToken, this.getEnv('JWT_REFRESH_SECRET'));
+        if (decoded.purpose !== 'refresh')
+            throw new Error('Invalid token purpose.');
+        const user = await this.users.findById(decoded.sub);
+        if (!user)
+            throw new Error('User not found.');
+        if (user.isBanned)
+            throw new Error('Account banned.');
+        if (!user.isVerified)
+            throw new Error('Email not verified.');
+        if (user.passwordChangedAt && decoded.iat * 1000 < user.passwordChangedAt.getTime()) {
+            throw new Error('Token expired.');
+        }
+        const payload = await this.buildTokenPayload(user._id.toString());
+        const accessToken = this.signAccessToken(payload);
+        const newRefreshToken = this.signRefreshToken({ sub: user._id.toString(), purpose: 'refresh' });
+        return { accessToken, refreshToken: newRefreshToken };
+    }
+    async forgotPassword(email) {
+        const user = await this.users.findByEmail(email);
+        if (!user)
+            return { ok: true };
+        const resetToken = this.signResetToken({ sub: user._id.toString(), purpose: 'reset' });
+        await this.mail.sendPasswordResetEmail(user.email, resetToken);
+        return { ok: true };
+    }
+    async resetPassword(token, newPassword) {
+        const decoded = jwt.verify(token, this.getEnv('JWT_RESET_SECRET'));
+        if (decoded.purpose !== 'reset')
+            throw new Error('Invalid token purpose.');
+        const user = await this.users.findById(decoded.sub);
+        if (!user)
+            throw new Error('User not found.');
+        const salt = await bcryptjs_1.default.genSalt(10);
+        user.password = await bcryptjs_1.default.hash(newPassword, salt);
+        user.passwordChangedAt = new Date();
+        await user.save();
+        return { ok: true };
+    }
+    async deleteAccount(userId) {
+        await this.users.deleteById(userId);
+        return { ok: true };
+    }
+};
+exports.AuthService = AuthService;
+exports.AuthService = AuthService = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [user_repository_1.UserRepository,
+        mail_service_1.MailService,
+        role_repository_1.RoleRepository])
+], AuthService);

package/dist/services/mail.service.d.ts

@@ -0,0 +1,5 @@
+export declare class MailService {
+    private transporter;
+    sendVerificationEmail(email: string, token: string): Promise<void>;
+    sendPasswordResetEmail(email: string, token: string): Promise<void>;
+}

package/dist/services/mail.service.js

@@ -0,0 +1,39 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MailService = void 0;
+const nodemailer_1 = __importDefault(require("nodemailer"));
+class MailService {
+    constructor() {
+        this.transporter = nodemailer_1.default.createTransport({
+            host: process.env.SMTP_HOST,
+            port: parseInt(process.env.SMTP_PORT, 10),
+            secure: process.env.SMTP_SECURE === 'true',
+            auth: {
+                user: process.env.SMTP_USER,
+                pass: process.env.SMTP_PASS
+            }
+        });
+    }
+    async sendVerificationEmail(email, token) {
+        const url = `${process.env.FRONTEND_URL}/confirm-email?token=${token}`;
+        await this.transporter.sendMail({
+            from: process.env.FROM_EMAIL,
+            to: email,
+            subject: 'Verify your email',
+            text: `Click to verify your email: ${url}`
+        });
+    }
+    async sendPasswordResetEmail(email, token) {
+        const url = `${process.env.FRONTEND_URL}/reset-password?token=${token}`;
+        await this.transporter.sendMail({
+            from: process.env.FROM_EMAIL,
+            to: email,
+            subject: 'Reset your password',
+            text: `Reset your password: ${url}`
+        });
+    }
+}
+exports.MailService = MailService;

package/dist/services/oauth.service.d.ts

@@ -0,0 +1,32 @@
+import { UserRepository } from '../repositories/user.repository';
+import { RoleRepository } from '../repositories/role.repository';
+import { AuthService } from './auth.service';
+export declare class OAuthService {
+    private readonly users;
+    private readonly roles;
+    private readonly auth;
+    private msJwks;
+    constructor(users: UserRepository, roles: RoleRepository, auth: AuthService);
+    private getDefaultRoleId;
+    private verifyMicrosoftIdToken;
+    loginWithMicrosoft(idToken: string): Promise<{
+        accessToken: string;
+        refreshToken: string;
+    }>;
+    loginWithGoogleIdToken(idToken: string): Promise<{
+        accessToken: string;
+        refreshToken: string;
+    }>;
+    loginWithGoogleCode(code: string): Promise<{
+        accessToken: string;
+        refreshToken: string;
+    }>;
+    loginWithFacebook(accessToken: string): Promise<{
+        accessToken: string;
+        refreshToken: string;
+    }>;
+    findOrCreateOAuthUser(email: string, name?: string): Promise<{
+        accessToken: string;
+        refreshToken: string;
+    }>;
+}

package/dist/services/oauth.service.js

@@ -0,0 +1,138 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthService = void 0;
+const common_1 = require("@nestjs/common");
+const axios_1 = __importDefault(require("axios"));
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const jwks_rsa_1 = __importDefault(require("jwks-rsa"));
+const user_repository_1 = require("../repositories/user.repository");
+const role_repository_1 = require("../repositories/role.repository");
+const auth_service_1 = require("./auth.service");
+let OAuthService = class OAuthService {
+    constructor(users, roles, auth) {
+        this.users = users;
+        this.roles = roles;
+        this.auth = auth;
+        this.msJwks = (0, jwks_rsa_1.default)({
+            jwksUri: 'https://login.microsoftonline.com/common/discovery/v2.0/keys',
+            cache: true,
+            rateLimit: true,
+            jwksRequestsPerMinute: 5,
+        });
+    }
+    async getDefaultRoleId() {
+        const role = await this.roles.findByName('user');
+        if (!role)
+            throw new Error('Default role not seeded.');
+        return role._id;
+    }
+    verifyMicrosoftIdToken(idToken) {
+        return new Promise((resolve, reject) => {
+            const getKey = (header, cb) => {
+                this.msJwks
+                    .getSigningKey(header.kid)
+                    .then((k) => cb(null, k.getPublicKey()))
+                    .catch(cb);
+            };
+            jsonwebtoken_1.default.verify(idToken, getKey, { algorithms: ['RS256'], audience: process.env.MICROSOFT_CLIENT_ID }, (err, payload) => (err ? reject(err) : resolve(payload)));
+        });
+    }
+    async loginWithMicrosoft(idToken) {
+        const ms = await this.verifyMicrosoftIdToken(idToken);
+        const email = ms.preferred_username || ms.email;
+        if (!email)
+            throw new Error('Email missing');
+        return this.findOrCreateOAuthUser(email, ms.name);
+    }
+    async loginWithGoogleIdToken(idToken) {
+        var _a, _b;
+        const verifyResp = await axios_1.default.get('https://oauth2.googleapis.com/tokeninfo', {
+            params: { id_token: idToken },
+        });
+        const email = (_a = verifyResp.data) === null || _a === void 0 ? void 0 : _a.email;
+        if (!email)
+            throw new Error('Email missing');
+        return this.findOrCreateOAuthUser(email, (_b = verifyResp.data) === null || _b === void 0 ? void 0 : _b.name);
+    }
+    async loginWithGoogleCode(code) {
+        var _a, _b;
+        const tokenResp = await axios_1.default.post('https://oauth2.googleapis.com/token', {
+            code,
+            client_id: process.env.GOOGLE_CLIENT_ID,
+            client_secret: process.env.GOOGLE_CLIENT_SECRET,
+            redirect_uri: 'postmessage',
+            grant_type: 'authorization_code',
+        });
+        const { access_token } = tokenResp.data || {};
+        if (!access_token)
+            throw new Error('Failed to exchange code');
+        const profileResp = await axios_1.default.get('https://www.googleapis.com/oauth2/v2/userinfo', {
+            headers: { Authorization: `Bearer ${access_token}` },
+        });
+        const email = (_a = profileResp.data) === null || _a === void 0 ? void 0 : _a.email;
+        if (!email)
+            throw new Error('Email missing');
+        return this.findOrCreateOAuthUser(email, (_b = profileResp.data) === null || _b === void 0 ? void 0 : _b.name);
+    }
+    async loginWithFacebook(accessToken) {
+        var _a, _b, _c, _d, _e;
+        const appTokenResp = await axios_1.default.get('https://graph.facebook.com/oauth/access_token', {
+            params: {
+                client_id: process.env.FB_CLIENT_ID,
+                client_secret: process.env.FB_CLIENT_SECRET,
+                grant_type: 'client_credentials',
+            },
+        });
+        const appAccessToken = (_a = appTokenResp.data) === null || _a === void 0 ? void 0 : _a.access_token;
+        const debug = await axios_1.default.get('https://graph.facebook.com/debug_token', {
+            params: { input_token: accessToken, access_token: appAccessToken },
+        });
+        if (!((_c = (_b = debug.data) === null || _b === void 0 ? void 0 : _b.data) === null || _c === void 0 ? void 0 : _c.is_valid))
+            throw new Error('Invalid Facebook token');
+        const me = await axios_1.default.get('https://graph.facebook.com/me', {
+            params: { access_token: accessToken, fields: 'id,name,email' },
+        });
+        const email = (_d = me.data) === null || _d === void 0 ? void 0 : _d.email;
+        if (!email)
+            throw new Error('Email missing');
+        return this.findOrCreateOAuthUser(email, (_e = me.data) === null || _e === void 0 ? void 0 : _e.name);
+    }
+    async findOrCreateOAuthUser(email, name) {
+        let user = await this.users.findByEmail(email);
+        if (!user) {
+            const [fname, ...rest] = (name || 'User OAuth').split(' ');
+            const lname = rest.join(' ') || 'OAuth';
+            const defaultRoleId = await this.getDefaultRoleId();
+            user = await this.users.create({
+                fullname: { fname, lname },
+                username: email.split('@')[0],
+                email,
+                roles: [defaultRoleId],
+                isVerified: true,
+                isBanned: false,
+                passwordChangedAt: new Date()
+            });
+        }
+        const { accessToken, refreshToken } = await this.auth.issueTokensForUser(user._id.toString());
+        return { accessToken, refreshToken };
+    }
+};
+exports.OAuthService = OAuthService;
+exports.OAuthService = OAuthService = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [user_repository_1.UserRepository,
+        role_repository_1.RoleRepository,
+        auth_service_1.AuthService])
+], OAuthService);

package/dist/services/permissions.service.d.ts

@@ -0,0 +1,19 @@
+import { PermissionRepository } from '../repositories/permission.repository';
+import { CreatePermissionDto } from '../dtos/permission/create-permission.dto';
+import { UpdatePermissionDto } from '../dtos/permission/update-permission.dto';
+export declare class PermissionsService {
+    private readonly perms;
+    constructor(perms: PermissionRepository);
+    create(dto: CreatePermissionDto): Promise<import("mongoose").Document<unknown, {}, import("../models/permission.model").PermissionDocument> & import("../models/permission.model").Permission & import("mongoose").Document<any, any, any> & {
+        _id: import("mongoose").Types.ObjectId;
+    }>;
+    list(): Promise<(import("mongoose").FlattenMaps<import("../models/permission.model").PermissionDocument> & {
+        _id: import("mongoose").Types.ObjectId;
+    })[]>;
+    update(id: string, dto: UpdatePermissionDto): Promise<import("mongoose").Document<unknown, {}, import("../models/permission.model").PermissionDocument> & import("../models/permission.model").Permission & import("mongoose").Document<any, any, any> & {
+        _id: import("mongoose").Types.ObjectId;
+    }>;
+    delete(id: string): Promise<{
+        ok: boolean;
+    }>;
+}

package/dist/services/permissions.service.js

@@ -0,0 +1,44 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PermissionsService = void 0;
+const common_1 = require("@nestjs/common");
+const permission_repository_1 = require("../repositories/permission.repository");
+let PermissionsService = class PermissionsService {
+    constructor(perms) {
+        this.perms = perms;
+    }
+    async create(dto) {
+        if (await this.perms.findByName(dto.name))
+            throw new Error('Permission already exists.');
+        return this.perms.create(dto);
+    }
+    async list() {
+        return this.perms.list();
+    }
+    async update(id, dto) {
+        const perm = await this.perms.updateById(id, dto);
+        if (!perm)
+            throw new Error('Permission not found.');
+        return perm;
+    }
+    async delete(id) {
+        const perm = await this.perms.deleteById(id);
+        if (!perm)
+            throw new Error('Permission not found.');
+        return { ok: true };
+    }
+};
+exports.PermissionsService = PermissionsService;
+exports.PermissionsService = PermissionsService = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [permission_repository_1.PermissionRepository])
+], PermissionsService);

package/dist/services/roles.service.d.ts

@@ -0,0 +1,23 @@
+import { RoleRepository } from '../repositories/role.repository';
+import { CreateRoleDto } from '../dtos/role/create-role.dto';
+import { UpdateRoleDto } from '../dtos/role/update-role.dto';
+import { Types } from 'mongoose';
+export declare class RolesService {
+    private readonly roles;
+    constructor(roles: RoleRepository);
+    create(dto: CreateRoleDto): Promise<import("mongoose").Document<unknown, {}, import("../models/role.model").RoleDocument> & import("../models/role.model").Role & import("mongoose").Document<any, any, any> & {
+        _id: Types.ObjectId;
+    }>;
+    list(): Promise<(import("mongoose").FlattenMaps<import("../models/role.model").RoleDocument> & {
+        _id: Types.ObjectId;
+    })[]>;
+    update(id: string, dto: UpdateRoleDto): Promise<import("mongoose").Document<unknown, {}, import("../models/role.model").RoleDocument> & import("../models/role.model").Role & import("mongoose").Document<any, any, any> & {
+        _id: Types.ObjectId;
+    }>;
+    delete(id: string): Promise<{
+        ok: boolean;
+    }>;
+    setPermissions(roleId: string, permissionIds: string[]): Promise<import("mongoose").Document<unknown, {}, import("../models/role.model").RoleDocument> & import("../models/role.model").Role & import("mongoose").Document<any, any, any> & {
+        _id: Types.ObjectId;
+    }>;
+}

package/dist/services/roles.service.js

@@ -0,0 +1,57 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RolesService = void 0;
+const common_1 = require("@nestjs/common");
+const role_repository_1 = require("../repositories/role.repository");
+const mongoose_1 = require("mongoose");
+let RolesService = class RolesService {
+    constructor(roles) {
+        this.roles = roles;
+    }
+    async create(dto) {
+        if (await this.roles.findByName(dto.name))
+            throw new Error('Role already exists.');
+        const permIds = (dto.permissions || []).map((p) => new mongoose_1.Types.ObjectId(p));
+        return this.roles.create({ name: dto.name, permissions: permIds });
+    }
+    async list() {
+        return this.roles.list();
+    }
+    async update(id, dto) {
+        const data = { ...dto };
+        if (dto.permissions) {
+            data.permissions = dto.permissions.map((p) => new mongoose_1.Types.ObjectId(p));
+        }
+        const role = await this.roles.updateById(id, data);
+        if (!role)
+            throw new Error('Role not found.');
+        return role;
+    }
+    async delete(id) {
+        const role = await this.roles.deleteById(id);
+        if (!role)
+            throw new Error('Role not found.');
+        return { ok: true };
+    }
+    async setPermissions(roleId, permissionIds) {
+        const permIds = permissionIds.map((p) => new mongoose_1.Types.ObjectId(p));
+        const role = await this.roles.updateById(roleId, { permissions: permIds });
+        if (!role)
+            throw new Error('Role not found.');
+        return role;
+    }
+};
+exports.RolesService = RolesService;
+exports.RolesService = RolesService = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [role_repository_1.RoleRepository])
+], RolesService);

package/dist/services/seed.service.d.ts

@@ -0,0 +1,11 @@
+import { RoleRepository } from '../repositories/role.repository';
+import { PermissionRepository } from '../repositories/permission.repository';
+export declare class SeedService {
+    private readonly roles;
+    private readonly perms;
+    constructor(roles: RoleRepository, perms: PermissionRepository);
+    seedDefaults(): Promise<{
+        adminRoleId: any;
+        userRoleId: any;
+    }>;
+}

package/dist/services/seed.service.js

@@ -0,0 +1,50 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SeedService = void 0;
+const common_1 = require("@nestjs/common");
+const role_repository_1 = require("../repositories/role.repository");
+const permission_repository_1 = require("../repositories/permission.repository");
+const mongoose_1 = require("mongoose");
+let SeedService = class SeedService {
+    constructor(roles, perms) {
+        this.roles = roles;
+        this.perms = perms;
+    }
+    async seedDefaults() {
+        const permNames = ['users:manage', 'roles:manage', 'permissions:manage'];
+        const permIds = [];
+        for (const name of permNames) {
+            let p = await this.perms.findByName(name);
+            if (!p)
+                p = await this.perms.create({ name });
+            permIds.push(p._id.toString());
+        }
+        let admin = await this.roles.findByName('admin');
+        const permissions = permIds.map((p) => new mongoose_1.Types.ObjectId(p));
+        if (!admin)
+            admin = await this.roles.create({ name: 'admin', permissions: permissions });
+        let user = await this.roles.findByName('user');
+        if (!user)
+            user = await this.roles.create({ name: 'user', permissions: [] });
+        console.log('[AuthKit] Seeded roles:', { adminRoleId: admin._id.toString(), userRoleId: user._id.toString() });
+        return {
+            adminRoleId: admin._id.toString(),
+            userRoleId: user._id.toString()
+        };
+    }
+};
+exports.SeedService = SeedService;
+exports.SeedService = SeedService = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [role_repository_1.RoleRepository,
+        permission_repository_1.PermissionRepository])
+], SeedService);