@codecanva/nest-auth 0.1.0

package/README.md

@@ -0,0 +1,164 @@
+# @codecanva/nest-auth
+
+Reusable NestJS authentication module. JWT access + refresh-token rotation, multi-device sessions, replay detection, and pluggable persistence (no DB lock-in).
+
+## Features
+
+- Short-lived access JWT + long-lived refresh JWT
+- Refresh-token rotation on every refresh (with replay detection → `revokeAllForUser`)
+- Multi-device sessions (one row per session, hashed at rest)
+- Pluggable `RefreshTokenStore` and `UserValidator` — bring your own DB
+- `@CurrentUser()`, `@Public()` decorators
+- `JwtAuthGuard` (honours `@Public()`) and `RefreshAuthGuard`
+- Configurable issuer, audience, clock tolerance, optional hash pepper
+
+## Install
+
+```bash
+npm install @codecanva/nest-auth \
+  @nestjs/jwt @nestjs/passport passport passport-jwt \
+  class-validator class-transformer
+```
+
+## Usage
+
+### 1. Implement the two interfaces against your data layer
+
+```ts
+// users/user.validator.ts
+import { Injectable } from '@nestjs/common';
+import { AuthUser, UserValidator } from '@codecanva/nest-auth';
+
+@Injectable()
+export class MyUserValidator implements UserValidator {
+  async validateCredentials(email: string, password: string): Promise<AuthUser | null> {
+    // load user, bcrypt.compare, return { id, email, roles } or null
+  }
+  async findById(userId: string | number): Promise<AuthUser | null> {
+    // load by id, return AuthUser or null
+  }
+}
+```
+
+```ts
+// auth/refresh-token.store.ts — example with TypeORM
+import { Injectable } from '@nestjs/common';
+import {
+  CreateRefreshTokenInput,
+  RefreshTokenStore,
+  StoredRefreshToken,
+} from '@codecanva/nest-auth';
+
+@Injectable()
+export class MyRefreshTokenStore implements RefreshTokenStore {
+  // create / findById / consume / revokeById / revokeAllForUser
+  // IMPORTANT: `consume` must be atomic (single UPDATE ... WHERE revoked_at IS NULL
+  // AND token_hash = $hash RETURNING *). Non-atomic impls split sessions under load.
+}
+```
+
+### 2. Register the module
+
+```ts
+import { AuthModule } from '@codecanva/nest-auth';
+
+@Module({
+  imports: [
+    AuthModule.forRootAsync({
+      imports: [ConfigModule],
+      useFactory: (cfg: ConfigService) => ({
+        accessSecret: cfg.getOrThrow('JWT_ACCESS_SECRET'),
+        refreshSecret: cfg.getOrThrow('JWT_REFRESH_SECRET'),
+        accessTtl: '15m',
+        refreshTtl: '30d',
+        tokenHashPepper: cfg.get('TOKEN_HASH_PEPPER'),
+        issuer: 'my-app',
+      }),
+      inject: [ConfigService],
+      store: { useClass: MyRefreshTokenStore },
+      validator: { useClass: MyUserValidator },
+    }),
+  ],
+})
+export class AppModule {}
+```
+
+### 3. Apply the guard globally (optional)
+
+```ts
+import { APP_GUARD } from '@nestjs/core';
+import { JwtAuthGuard } from '@codecanva/nest-auth';
+
+providers: [{ provide: APP_GUARD, useClass: JwtAuthGuard }],
+```
+
+### 4. Use in controllers
+
+```ts
+import {
+  AuthService, CurrentUser, LoginDto, Public, RefreshTokenDto,
+} from '@codecanva/nest-auth';
+
+@Controller('auth')
+export class AuthController {
+  constructor(private readonly auth: AuthService) {}
+
+  @Public() @Post('login')
+  login(@Body() dto: LoginDto) { return this.auth.login(dto.email, dto.password); }
+
+  @Public() @Post('refresh')
+  refresh(@Body() dto: RefreshTokenDto) { return this.auth.refresh(dto.refreshToken); }
+
+  @Post('logout')
+  logout(@Body() dto: RefreshTokenDto) { return this.auth.logout(dto.refreshToken); }
+}
+
+@Controller('me')
+export class MeController {
+  @Get() me(@CurrentUser() user: AuthUser) { return user; }
+}
+```
+
+## API surface
+
+- `AuthModule.forRootAsync(opts)` — only entry point
+- `AuthService` — `login` / `refresh` / `logout` / `logoutAll`
+- Guards — `JwtAuthGuard`, `RefreshAuthGuard`
+- Decorators — `@Public()`, `@CurrentUser()`
+- DTOs — `LoginDto`, `RefreshTokenDto`
+- Errors — `AuthError`, `InvalidCredentialsError`, `InvalidRefreshTokenError`, `RefreshTokenExpiredError`, `RefreshTokenReuseDetectedError`, `UserNotFoundError`
+- Interfaces — `AuthModuleOptions`, `AuthModuleAsyncOptions`, `AuthUser`, `JwtPayload`, `RefreshTokenStore`, `StoredRefreshToken`, `CreateRefreshTokenInput`, `SessionMetadata`, `UserValidator`
+
+## Local development / publishing
+
+```bash
+npm install            # install deps
+npm run start:dev      # run the demo app at :3000 (uses in-memory store + validator)
+npm run build:lib      # compile lib → dist/
+npm publish            # publish (runs build:lib via prepublishOnly)
+```
+
+To consume from a sibling project before publishing:
+
+```bash
+# in this repo
+npm run build:lib && npm pack
+# in the consumer
+npm install /path/to/codecanva-nest-auth-0.1.0.tgz
+```
+
+## Demo endpoints (when running `start:dev`)
+
+```
+POST /auth/login         { "email": "demo@example.com", "password": "password123" }
+POST /auth/refresh       { "refreshToken": "..." }
+POST /auth/logout        { "refreshToken": "..." }   # 204
+GET  /me                 # bearer access token required
+```
+
+## Security notes
+
+- Refresh tokens are JWTs; the **hash** of the JWT (sha256 + optional pepper) is stored, never the raw token.
+- `consume` must be atomic — non-atomic impls split sessions under concurrent refresh.
+- On replay (token hash mismatch or already-revoked row), every active session for that user is revoked.
+- Always serve auth over HTTPS. Store the refresh token in an httpOnly cookie when possible.

package/dist/auth.constants.d.ts

@@ -0,0 +1,8 @@
+export declare const AUTH_MODULE_OPTIONS: unique symbol;
+export declare const REFRESH_TOKEN_STORE: unique symbol;
+export declare const USER_VALIDATOR: unique symbol;
+export declare const JWT_STRATEGY_NAME = "nest-auth-jwt";
+export declare const REFRESH_STRATEGY_NAME = "nest-auth-refresh";
+export declare const IS_PUBLIC_KEY = "nest-auth:isPublic";
+export declare const REFRESH_TOKEN_TYPE: "refresh";
+//# sourceMappingURL=auth.constants.d.ts.map

package/dist/auth.constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.constants.d.ts","sourceRoot":"","sources":["../src/lib/auth.constants.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,mBAAmB,eAAgC,CAAC;AACjE,eAAO,MAAM,mBAAmB,eAAgC,CAAC;AACjE,eAAO,MAAM,cAAc,eAA2B,CAAC;AAEvD,eAAO,MAAM,iBAAiB,kBAAkB,CAAC;AACjD,eAAO,MAAM,qBAAqB,sBAAsB,CAAC;AAEzD,eAAO,MAAM,aAAa,uBAAuB,CAAC;AAElD,eAAO,MAAM,kBAAkB,EAAG,SAAkB,CAAC"}

package/dist/auth.constants.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.REFRESH_TOKEN_TYPE = exports.IS_PUBLIC_KEY = exports.REFRESH_STRATEGY_NAME = exports.JWT_STRATEGY_NAME = exports.USER_VALIDATOR = exports.REFRESH_TOKEN_STORE = exports.AUTH_MODULE_OPTIONS = void 0;
+exports.AUTH_MODULE_OPTIONS = Symbol('AUTH_MODULE_OPTIONS');
+exports.REFRESH_TOKEN_STORE = Symbol('REFRESH_TOKEN_STORE');
+exports.USER_VALIDATOR = Symbol('USER_VALIDATOR');
+exports.JWT_STRATEGY_NAME = 'nest-auth-jwt';
+exports.REFRESH_STRATEGY_NAME = 'nest-auth-refresh';
+exports.IS_PUBLIC_KEY = 'nest-auth:isPublic';
+exports.REFRESH_TOKEN_TYPE = 'refresh';
+//# sourceMappingURL=auth.constants.js.map

package/dist/auth.constants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.constants.js","sourceRoot":"","sources":["../src/lib/auth.constants.ts"],"names":[],"mappings":";;;AAAa,QAAA,mBAAmB,GAAG,MAAM,CAAC,qBAAqB,CAAC,CAAC;AACpD,QAAA,mBAAmB,GAAG,MAAM,CAAC,qBAAqB,CAAC,CAAC;AACpD,QAAA,cAAc,GAAG,MAAM,CAAC,gBAAgB,CAAC,CAAC;AAE1C,QAAA,iBAAiB,GAAG,eAAe,CAAC;AACpC,QAAA,qBAAqB,GAAG,mBAAmB,CAAC;AAE5C,QAAA,aAAa,GAAG,oBAAoB,CAAC;AAErC,QAAA,kBAAkB,GAAG,SAAkB,CAAC"}

package/dist/auth.module.d.ts

@@ -0,0 +1,6 @@
+import { DynamicModule } from '@nestjs/common';
+import type { AuthModuleAsyncOptions } from './interfaces/auth-module-options.interface';
+export declare class AuthModule {
+    static forRootAsync(options: AuthModuleAsyncOptions): DynamicModule;
+}
+//# sourceMappingURL=auth.module.d.ts.map

package/dist/auth.module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.module.d.ts","sourceRoot":"","sources":["../src/lib/auth.module.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAoB,MAAM,gBAAgB,CAAC;AASjE,OAAO,KAAK,EACV,sBAAsB,EAGvB,MAAM,4CAA4C,CAAC;AAKpD,qBACa,UAAU;IACrB,MAAM,CAAC,YAAY,CAAC,OAAO,EAAE,sBAAsB,GAAG,aAAa;CAoCpE"}

package/dist/auth.module.js

@@ -0,0 +1,75 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var AuthModule_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthModule = void 0;
+const common_1 = require("@nestjs/common");
+const jwt_1 = require("@nestjs/jwt");
+const passport_1 = require("@nestjs/passport");
+const auth_constants_1 = require("./auth.constants");
+const auth_service_1 = require("./auth.service");
+const token_service_1 = require("./services/token.service");
+const jwt_strategy_1 = require("./strategies/jwt.strategy");
+const refresh_strategy_1 = require("./strategies/refresh.strategy");
+let AuthModule = AuthModule_1 = class AuthModule {
+    static forRootAsync(options) {
+        const optionsProvider = {
+            provide: auth_constants_1.AUTH_MODULE_OPTIONS,
+            useFactory: options.useFactory,
+            inject: options.inject ?? [],
+        };
+        const storeProvider = buildProvider(auth_constants_1.REFRESH_TOKEN_STORE, options.store);
+        const validatorProvider = buildProvider(auth_constants_1.USER_VALIDATOR, options.validator);
+        return {
+            module: AuthModule_1,
+            imports: [
+                ...(options.imports ?? []),
+                passport_1.PassportModule,
+                jwt_1.JwtModule.register({}),
+            ],
+            providers: [
+                optionsProvider,
+                storeProvider,
+                validatorProvider,
+                token_service_1.TokenService,
+                jwt_strategy_1.JwtStrategy,
+                refresh_strategy_1.RefreshStrategy,
+                auth_service_1.AuthService,
+            ],
+            exports: [
+                auth_service_1.AuthService,
+                auth_constants_1.AUTH_MODULE_OPTIONS,
+                auth_constants_1.REFRESH_TOKEN_STORE,
+                auth_constants_1.USER_VALIDATOR,
+                jwt_1.JwtModule,
+                passport_1.PassportModule,
+            ],
+        };
+    }
+};
+exports.AuthModule = AuthModule;
+exports.AuthModule = AuthModule = AuthModule_1 = __decorate([
+    (0, common_1.Module)({})
+], AuthModule);
+function buildProvider(token, cfg) {
+    if (cfg.useFactory) {
+        return {
+            provide: token,
+            useFactory: cfg.useFactory,
+            inject: cfg.inject ?? [],
+        };
+    }
+    if (cfg.useExisting) {
+        return { provide: token, useExisting: cfg.useExisting };
+    }
+    if (cfg.useClass) {
+        return { provide: token, useClass: cfg.useClass };
+    }
+    throw new Error(`AuthModule: provider for ${token.toString()} requires useFactory, useExisting, or useClass`);
+}
+//# sourceMappingURL=auth.module.js.map

package/dist/auth.module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.module.js","sourceRoot":"","sources":["../src/lib/auth.module.ts"],"names":[],"mappings":";;;;;;;;;;AAAA,2CAAiE;AACjE,qCAAwC;AACxC,+CAAkD;AAClD,qDAI0B;AAC1B,iDAA6C;AAM7C,4DAAwD;AACxD,4DAAwD;AACxD,oEAAgE;AAGzD,IAAM,UAAU,kBAAhB,MAAM,UAAU;IACrB,MAAM,CAAC,YAAY,CAAC,OAA+B;QACjD,MAAM,eAAe,GAAa;YAChC,OAAO,EAAE,oCAAmB;YAC5B,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,EAAE;SAC7B,CAAC;QAEF,MAAM,aAAa,GAAG,aAAa,CAAC,oCAAmB,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QACxE,MAAM,iBAAiB,GAAG,aAAa,CAAC,+BAAc,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;QAE3E,OAAO;YACL,MAAM,EAAE,YAAU;YAClB,OAAO,EAAE;gBACP,GAAG,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,CAAC;gBAC1B,yBAAc;gBACd,eAAS,CAAC,QAAQ,CAAC,EAAE,CAAC;aACvB;YACD,SAAS,EAAE;gBACT,eAAe;gBACf,aAAa;gBACb,iBAAiB;gBACjB,4BAAY;gBACZ,0BAAW;gBACX,kCAAe;gBACf,0BAAW;aACZ;YACD,OAAO,EAAE;gBACP,0BAAW;gBACX,oCAAmB;gBACnB,oCAAmB;gBACnB,+BAAc;gBACd,eAAS;gBACT,yBAAc;aACf;SACF,CAAC;IACJ,CAAC;CACF,CAAA;AArCY,gCAAU;qBAAV,UAAU;IADtB,IAAA,eAAM,EAAC,EAAE,CAAC;GACE,UAAU,CAqCtB;AAED,SAAS,aAAa,CACpB,KAAa,EACb,GAAsD;IAEtD,IAAI,GAAG,CAAC,UAAU,EAAE,CAAC;QACnB,OAAO;YACL,OAAO,EAAE,KAAK;YACd,UAAU,EAAE,GAAG,CAAC,UAAU;YAC1B,MAAM,EAAE,GAAG,CAAC,MAAM,IAAI,EAAE;SACzB,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;QACpB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,GAAG,CAAC,WAAW,EAAE,CAAC;IAC1D,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC;IACpD,CAAC;IACD,MAAM,IAAI,KAAK,CACb,4BAA4B,KAAK,CAAC,QAAQ,EAAE,gDAAgD,CAC7F,CAAC;AACJ,CAAC"}

package/dist/auth.service.d.ts

@@ -0,0 +1,25 @@
+import type { AuthModuleOptions } from './interfaces/auth-module-options.interface';
+import type { AuthUser } from './interfaces/auth-user.interface';
+import type { RefreshTokenStore, SessionMetadata } from './interfaces/refresh-token-store.interface';
+import type { UserValidator } from './interfaces/user-validator.interface';
+import { TokenService } from './services/token.service';
+export interface AuthTokens {
+    accessToken: string;
+    refreshToken: string;
+}
+export interface LoginResult extends AuthTokens {
+    user: AuthUser;
+}
+export declare class AuthService {
+    private readonly tokenService;
+    private readonly validator;
+    private readonly store;
+    private readonly options;
+    constructor(tokenService: TokenService, validator: UserValidator, store: RefreshTokenStore, options: AuthModuleOptions);
+    login(email: string, password: string, metadata?: SessionMetadata): Promise<LoginResult>;
+    refresh(refreshToken: string, metadata?: SessionMetadata): Promise<AuthTokens>;
+    logout(refreshToken: string): Promise<void>;
+    logoutAll(userId: string | number): Promise<void>;
+    private issueTokenPair;
+}
+//# sourceMappingURL=auth.service.d.ts.map

package/dist/auth.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.service.d.ts","sourceRoot":"","sources":["../src/lib/auth.service.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,4CAA4C,CAAC;AACpF,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,kCAAkC,CAAC;AACjE,OAAO,KAAK,EACV,iBAAiB,EACjB,eAAe,EAChB,MAAM,4CAA4C,CAAC;AACpD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,uCAAuC,CAAC;AAC3E,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAGxD,MAAM,WAAW,UAAU;IACzB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,WAAY,SAAQ,UAAU;IAC7C,IAAI,EAAE,QAAQ,CAAC;CAChB;AAED,qBACa,WAAW;IAEpB,OAAO,CAAC,QAAQ,CAAC,YAAY;IACL,OAAO,CAAC,QAAQ,CAAC,SAAS;IACrB,OAAO,CAAC,QAAQ,CAAC,KAAK;IAEnD,OAAO,CAAC,QAAQ,CAAC,OAAO;gBAJP,YAAY,EAAE,YAAY,EACF,SAAS,EAAE,aAAa,EACnB,KAAK,EAAE,iBAAiB,EAErD,OAAO,EAAE,iBAAiB;IAGvC,KAAK,CACT,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,QAAQ,CAAC,EAAE,eAAe,GACzB,OAAO,CAAC,WAAW,CAAC;IAOjB,OAAO,CACX,YAAY,EAAE,MAAM,EACpB,QAAQ,CAAC,EAAE,eAAe,GACzB,OAAO,CAAC,UAAU,CAAC;IA+BhB,MAAM,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAU3C,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;YAIzC,cAAc;CAuB7B"}

package/dist/auth.service.js

@@ -0,0 +1,108 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthService = void 0;
+const common_1 = require("@nestjs/common");
+const auth_constants_1 = require("./auth.constants");
+const auth_errors_1 = require("./errors/auth.errors");
+const token_service_1 = require("./services/token.service");
+const hash_token_1 = require("./utils/hash-token");
+let AuthService = class AuthService {
+    tokenService;
+    validator;
+    store;
+    options;
+    constructor(tokenService, validator, store, options) {
+        this.tokenService = tokenService;
+        this.validator = validator;
+        this.store = store;
+        this.options = options;
+    }
+    async login(email, password, metadata) {
+        const user = await this.validator.validateCredentials(email, password);
+        if (!user)
+            throw new auth_errors_1.InvalidCredentialsError();
+        const tokens = await this.issueTokenPair(user, metadata);
+        return { ...tokens, user };
+    }
+    async refresh(refreshToken, metadata) {
+        let payload;
+        try {
+            payload = await this.tokenService.verifyRefreshToken(refreshToken);
+        }
+        catch {
+            throw new auth_errors_1.InvalidRefreshTokenError();
+        }
+        const incomingHash = (0, hash_token_1.hashToken)(refreshToken, this.options.tokenHashPepper);
+        const consumed = await this.store.consume(payload.jti, incomingHash);
+        if (!consumed) {
+            // Either already revoked (replay) or hash mismatch — both indicate compromise.
+            // Defensive: revoke every active session for this user.
+            const existing = await this.store.findById(payload.jti);
+            if (existing) {
+                await this.store.revokeAllForUser(existing.userId);
+            }
+            throw new auth_errors_1.RefreshTokenReuseDetectedError();
+        }
+        if (consumed.expiresAt.getTime() < Date.now()) {
+            throw new auth_errors_1.RefreshTokenExpiredError();
+        }
+        const user = await this.validator.findById(consumed.userId);
+        if (!user)
+            throw new auth_errors_1.UserNotFoundError();
+        return this.issueTokenPair(user, metadata);
+    }
+    async logout(refreshToken) {
+        let payload;
+        try {
+            payload = await this.tokenService.verifyRefreshToken(refreshToken);
+        }
+        catch {
+            throw new auth_errors_1.InvalidRefreshTokenError();
+        }
+        await this.store.revokeById(payload.jti);
+    }
+    async logoutAll(userId) {
+        await this.store.revokeAllForUser(userId);
+    }
+    async issueTokenPair(user, metadata) {
+        const jti = (0, hash_token_1.generateTokenId)();
+        const accessToken = await this.tokenService.signAccessToken({
+            sub: user.id,
+            email: user.email,
+            roles: user.roles,
+        });
+        const refreshToken = await this.tokenService.signRefreshToken({
+            sub: user.id,
+            jti,
+        });
+        await this.store.create({
+            id: jti,
+            userId: user.id,
+            tokenHash: (0, hash_token_1.hashToken)(refreshToken, this.options.tokenHashPepper),
+            expiresAt: this.tokenService.refreshExpiresAt(),
+            metadata,
+        });
+        return { accessToken, refreshToken };
+    }
+};
+exports.AuthService = AuthService;
+exports.AuthService = AuthService = __decorate([
+    (0, common_1.Injectable)(),
+    __param(1, (0, common_1.Inject)(auth_constants_1.USER_VALIDATOR)),
+    __param(2, (0, common_1.Inject)(auth_constants_1.REFRESH_TOKEN_STORE)),
+    __param(3, (0, common_1.Inject)(auth_constants_1.AUTH_MODULE_OPTIONS)),
+    __metadata("design:paramtypes", [token_service_1.TokenService, Object, Object, Object])
+], AuthService);
+//# sourceMappingURL=auth.service.js.map

package/dist/auth.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.service.js","sourceRoot":"","sources":["../src/lib/auth.service.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,2CAAoD;AACpD,qDAI0B;AAC1B,sDAM8B;AAQ9B,4DAAwD;AACxD,mDAAgE;AAYzD,IAAM,WAAW,GAAjB,MAAM,WAAW;IAEH;IACwB;IACK;IAE7B;IALnB,YACmB,YAA0B,EACF,SAAwB,EACnB,KAAwB,EAErD,OAA0B;QAJ1B,iBAAY,GAAZ,YAAY,CAAc;QACF,cAAS,GAAT,SAAS,CAAe;QACnB,UAAK,GAAL,KAAK,CAAmB;QAErD,YAAO,GAAP,OAAO,CAAmB;IAC1C,CAAC;IAEJ,KAAK,CAAC,KAAK,CACT,KAAa,EACb,QAAgB,EAChB,QAA0B;QAE1B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,mBAAmB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QACvE,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,qCAAuB,EAAE,CAAC;QAC/C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QACzD,OAAO,EAAE,GAAG,MAAM,EAAE,IAAI,EAAE,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,OAAO,CACX,YAAoB,EACpB,QAA0B;QAE1B,IAAI,OAAO,CAAC;QACZ,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,kBAAkB,CAAC,YAAY,CAAC,CAAC;QACrE,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,sCAAwB,EAAE,CAAC;QACvC,CAAC;QAED,MAAM,YAAY,GAAG,IAAA,sBAAS,EAAC,YAAY,EAAE,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAE3E,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;QACrE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,+EAA+E;YAC/E,wDAAwD;YACxD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YACxD,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YACrD,CAAC;YACD,MAAM,IAAI,4CAA8B,EAAE,CAAC;QAC7C,CAAC;QAED,IAAI,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAC9C,MAAM,IAAI,sCAAwB,EAAE,CAAC;QACvC,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC5D,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,+BAAiB,EAAE,CAAC;QAEzC,OAAO,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,YAAoB;QAC/B,IAAI,OAAO,CAAC;QACZ,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,kBAAkB,CAAC,YAAY,CAAC,CAAC;QACrE,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,sCAAwB,EAAE,CAAC;QACvC,CAAC;QACD,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC3C,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,MAAuB;QACrC,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAC5C,CAAC;IAEO,KAAK,CAAC,cAAc,CAC1B,IAAc,EACd,QAA0B;QAE1B,MAAM,GAAG,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC9B,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,eAAe,CAAC;YAC1D,GAAG,EAAE,IAAI,CAAC,EAAE;YACZ,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,KAAK,EAAE,IAAI,CAAC,KAAK;SAClB,CAAC,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,gBAAgB,CAAC;YAC5D,GAAG,EAAE,IAAI,CAAC,EAAE;YACZ,GAAG;SACJ,CAAC,CAAC;QACH,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC;YACtB,EAAE,EAAE,GAAG;YACP,MAAM,EAAE,IAAI,CAAC,EAAE;YACf,SAAS,EAAE,IAAA,sBAAS,EAAC,YAAY,EAAE,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC;YAChE,SAAS,EAAE,IAAI,CAAC,YAAY,CAAC,gBAAgB,EAAE;YAC/C,QAAQ;SACT,CAAC,CAAC;QACH,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,CAAC;IACvC,CAAC;CACF,CAAA;AA3FY,kCAAW;sBAAX,WAAW;IADvB,IAAA,mBAAU,GAAE;IAIR,WAAA,IAAA,eAAM,EAAC,+BAAc,CAAC,CAAA;IACtB,WAAA,IAAA,eAAM,EAAC,oCAAmB,CAAC,CAAA;IAC3B,WAAA,IAAA,eAAM,EAAC,oCAAmB,CAAC,CAAA;qCAHG,4BAAY;GAFlC,WAAW,CA2FvB"}

package/dist/decorators/current-user.decorator.d.ts

@@ -0,0 +1,3 @@
+import { AuthUser } from '../interfaces/auth-user.interface';
+export declare const CurrentUser: (...dataOrPipes: (keyof AuthUser | import("@nestjs/common").PipeTransform<any, any> | import("@nestjs/common").Type<import("@nestjs/common").PipeTransform<any, any>> | undefined)[]) => ParameterDecorator;
+//# sourceMappingURL=current-user.decorator.d.ts.map

package/dist/decorators/current-user.decorator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"current-user.decorator.d.ts","sourceRoot":"","sources":["../../src/lib/decorators/current-user.decorator.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,mCAAmC,CAAC;AAE7D,eAAO,MAAM,WAAW,6MAOvB,CAAC"}

package/dist/decorators/current-user.decorator.js

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CurrentUser = void 0;
+const common_1 = require("@nestjs/common");
+exports.CurrentUser = (0, common_1.createParamDecorator)((data, ctx) => {
+    const req = ctx.switchToHttp().getRequest();
+    const user = req.user;
+    if (!user)
+        return undefined;
+    return data ? user[data] : user;
+});
+//# sourceMappingURL=current-user.decorator.js.map

package/dist/decorators/current-user.decorator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"current-user.decorator.js","sourceRoot":"","sources":["../../src/lib/decorators/current-user.decorator.ts"],"names":[],"mappings":";;;AAAA,2CAAwE;AAG3D,QAAA,WAAW,GAAG,IAAA,6BAAoB,EAC7C,CAAC,IAAgC,EAAE,GAAqB,EAAE,EAAE;IAC1D,MAAM,GAAG,GAAG,GAAG,CAAC,YAAY,EAAE,CAAC,UAAU,EAAuB,CAAC;IACjE,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;IACtB,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAC5B,OAAO,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAClC,CAAC,CACF,CAAC"}

package/dist/decorators/index.d.ts

@@ -0,0 +1,3 @@
+export * from './public.decorator';
+export * from './current-user.decorator';
+//# sourceMappingURL=index.d.ts.map

package/dist/decorators/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/decorators/index.ts"],"names":[],"mappings":"AAAA,cAAc,oBAAoB,CAAC;AACnC,cAAc,0BAA0B,CAAC"}

package/dist/decorators/index.js

@@ -0,0 +1,19 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./public.decorator"), exports);
+__exportStar(require("./current-user.decorator"), exports);
+//# sourceMappingURL=index.js.map

package/dist/decorators/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/lib/decorators/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,qDAAmC;AACnC,2DAAyC"}

package/dist/decorators/public.decorator.d.ts

@@ -0,0 +1,2 @@
+export declare const Public: () => MethodDecorator & ClassDecorator;
+//# sourceMappingURL=public.decorator.d.ts.map

package/dist/decorators/public.decorator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"public.decorator.d.ts","sourceRoot":"","sources":["../../src/lib/decorators/public.decorator.ts"],"names":[],"mappings":"AAGA,eAAO,MAAM,MAAM,QAAO,eAAe,GAAG,cACV,CAAC"}

package/dist/decorators/public.decorator.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Public = void 0;
+const common_1 = require("@nestjs/common");
+const auth_constants_1 = require("../auth.constants");
+const Public = () => (0, common_1.SetMetadata)(auth_constants_1.IS_PUBLIC_KEY, true);
+exports.Public = Public;
+//# sourceMappingURL=public.decorator.js.map

package/dist/decorators/public.decorator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"public.decorator.js","sourceRoot":"","sources":["../../src/lib/decorators/public.decorator.ts"],"names":[],"mappings":";;;AAAA,2CAA6C;AAC7C,sDAAkD;AAE3C,MAAM,MAAM,GAAG,GAAqC,EAAE,CAC3D,IAAA,oBAAW,EAAC,8BAAa,EAAE,IAAI,CAAC,CAAC;AADtB,QAAA,MAAM,UACgB"}

package/dist/dto/index.d.ts

@@ -0,0 +1,3 @@
+export * from './login.dto';
+export * from './refresh-token.dto';
+//# sourceMappingURL=index.d.ts.map

package/dist/dto/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/dto/index.ts"],"names":[],"mappings":"AAAA,cAAc,aAAa,CAAC;AAC5B,cAAc,qBAAqB,CAAC"}

package/dist/dto/index.js

@@ -0,0 +1,19 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./login.dto"), exports);
+__exportStar(require("./refresh-token.dto"), exports);
+//# sourceMappingURL=index.js.map

package/dist/dto/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/lib/dto/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,8CAA4B;AAC5B,sDAAoC"}

package/dist/dto/login.dto.d.ts

@@ -0,0 +1,5 @@
+export declare class LoginDto {
+    email: string;
+    password: string;
+}
+//# sourceMappingURL=login.dto.d.ts.map

package/dist/dto/login.dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"login.dto.d.ts","sourceRoot":"","sources":["../../src/lib/dto/login.dto.ts"],"names":[],"mappings":"AAEA,qBAAa,QAAQ;IAEnB,KAAK,EAAG,MAAM,CAAC;IAIf,QAAQ,EAAG,MAAM,CAAC;CACnB"}

package/dist/dto/login.dto.js

@@ -0,0 +1,28 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LoginDto = void 0;
+const class_validator_1 = require("class-validator");
+class LoginDto {
+    email;
+    password;
+}
+exports.LoginDto = LoginDto;
+__decorate([
+    (0, class_validator_1.IsEmail)(),
+    __metadata("design:type", String)
+], LoginDto.prototype, "email", void 0);
+__decorate([
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(1),
+    __metadata("design:type", String)
+], LoginDto.prototype, "password", void 0);
+//# sourceMappingURL=login.dto.js.map

package/dist/dto/login.dto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"login.dto.js","sourceRoot":"","sources":["../../src/lib/dto/login.dto.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,qDAA+D;AAE/D,MAAa,QAAQ;IAEnB,KAAK,CAAU;IAIf,QAAQ,CAAU;CACnB;AAPD,4BAOC;AALC;IADC,IAAA,yBAAO,GAAE;;uCACK;AAIf;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,2BAAS,EAAC,CAAC,CAAC;;0CACK"}

package/dist/dto/refresh-token.dto.d.ts

@@ -0,0 +1,4 @@
+export declare class RefreshTokenDto {
+    refreshToken: string;
+}
+//# sourceMappingURL=refresh-token.dto.d.ts.map

package/dist/dto/refresh-token.dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh-token.dto.d.ts","sourceRoot":"","sources":["../../src/lib/dto/refresh-token.dto.ts"],"names":[],"mappings":"AAEA,qBAAa,eAAe;IAG1B,YAAY,EAAG,MAAM,CAAC;CACvB"}

package/dist/dto/refresh-token.dto.js

@@ -0,0 +1,23 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RefreshTokenDto = void 0;
+const class_validator_1 = require("class-validator");
+class RefreshTokenDto {
+    refreshToken;
+}
+exports.RefreshTokenDto = RefreshTokenDto;
+__decorate([
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.IsNotEmpty)(),
+    __metadata("design:type", String)
+], RefreshTokenDto.prototype, "refreshToken", void 0);
+//# sourceMappingURL=refresh-token.dto.js.map

package/dist/dto/refresh-token.dto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh-token.dto.js","sourceRoot":"","sources":["../../src/lib/dto/refresh-token.dto.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,qDAAuD;AAEvD,MAAa,eAAe;IAG1B,YAAY,CAAU;CACvB;AAJD,0CAIC;AADC;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;qDACS"}