@codecanva/nest-auth 0.1.0

package/dist/errors/auth.errors.d.ts

@@ -0,0 +1,19 @@
+export declare class AuthError extends Error {
+    constructor(message: string);
+}
+export declare class InvalidCredentialsError extends AuthError {
+    constructor(message?: string);
+}
+export declare class InvalidRefreshTokenError extends AuthError {
+    constructor(message?: string);
+}
+export declare class RefreshTokenExpiredError extends AuthError {
+    constructor(message?: string);
+}
+export declare class RefreshTokenReuseDetectedError extends AuthError {
+    constructor(message?: string);
+}
+export declare class UserNotFoundError extends AuthError {
+    constructor(message?: string);
+}
+//# sourceMappingURL=auth.errors.d.ts.map

package/dist/errors/auth.errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.errors.d.ts","sourceRoot":"","sources":["../../src/lib/errors/auth.errors.ts"],"names":[],"mappings":"AAAA,qBAAa,SAAU,SAAQ,KAAK;gBACtB,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,uBAAwB,SAAQ,SAAS;gBACxC,OAAO,SAAwB;CAG5C;AAED,qBAAa,wBAAyB,SAAQ,SAAS;gBACzC,OAAO,SAA0B;CAG9C;AAED,qBAAa,wBAAyB,SAAQ,SAAS;gBACzC,OAAO,SAA0B;CAG9C;AAED,qBAAa,8BAA+B,SAAQ,SAAS;gBAC/C,OAAO,SAAuD;CAG3E;AAED,qBAAa,iBAAkB,SAAQ,SAAS;gBAClC,OAAO,SAAmB;CAGvC"}

package/dist/errors/auth.errors.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UserNotFoundError = exports.RefreshTokenReuseDetectedError = exports.RefreshTokenExpiredError = exports.InvalidRefreshTokenError = exports.InvalidCredentialsError = exports.AuthError = void 0;
+class AuthError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = this.constructor.name;
+    }
+}
+exports.AuthError = AuthError;
+class InvalidCredentialsError extends AuthError {
+    constructor(message = 'Invalid credentials') {
+        super(message);
+    }
+}
+exports.InvalidCredentialsError = InvalidCredentialsError;
+class InvalidRefreshTokenError extends AuthError {
+    constructor(message = 'Invalid refresh token') {
+        super(message);
+    }
+}
+exports.InvalidRefreshTokenError = InvalidRefreshTokenError;
+class RefreshTokenExpiredError extends AuthError {
+    constructor(message = 'Refresh token expired') {
+        super(message);
+    }
+}
+exports.RefreshTokenExpiredError = RefreshTokenExpiredError;
+class RefreshTokenReuseDetectedError extends AuthError {
+    constructor(message = 'Refresh token reuse detected; all sessions revoked') {
+        super(message);
+    }
+}
+exports.RefreshTokenReuseDetectedError = RefreshTokenReuseDetectedError;
+class UserNotFoundError extends AuthError {
+    constructor(message = 'User not found') {
+        super(message);
+    }
+}
+exports.UserNotFoundError = UserNotFoundError;
+//# sourceMappingURL=auth.errors.js.map

package/dist/errors/auth.errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.errors.js","sourceRoot":"","sources":["../../src/lib/errors/auth.errors.ts"],"names":[],"mappings":";;;AAAA,MAAa,SAAU,SAAQ,KAAK;IAClC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC;IACpC,CAAC;CACF;AALD,8BAKC;AAED,MAAa,uBAAwB,SAAQ,SAAS;IACpD,YAAY,OAAO,GAAG,qBAAqB;QACzC,KAAK,CAAC,OAAO,CAAC,CAAC;IACjB,CAAC;CACF;AAJD,0DAIC;AAED,MAAa,wBAAyB,SAAQ,SAAS;IACrD,YAAY,OAAO,GAAG,uBAAuB;QAC3C,KAAK,CAAC,OAAO,CAAC,CAAC;IACjB,CAAC;CACF;AAJD,4DAIC;AAED,MAAa,wBAAyB,SAAQ,SAAS;IACrD,YAAY,OAAO,GAAG,uBAAuB;QAC3C,KAAK,CAAC,OAAO,CAAC,CAAC;IACjB,CAAC;CACF;AAJD,4DAIC;AAED,MAAa,8BAA+B,SAAQ,SAAS;IAC3D,YAAY,OAAO,GAAG,oDAAoD;QACxE,KAAK,CAAC,OAAO,CAAC,CAAC;IACjB,CAAC;CACF;AAJD,wEAIC;AAED,MAAa,iBAAkB,SAAQ,SAAS;IAC9C,YAAY,OAAO,GAAG,gBAAgB;QACpC,KAAK,CAAC,OAAO,CAAC,CAAC;IACjB,CAAC;CACF;AAJD,8CAIC"}

package/dist/guards/index.d.ts

@@ -0,0 +1,3 @@
+export * from './jwt-auth.guard';
+export * from './refresh-auth.guard';
+//# sourceMappingURL=index.d.ts.map

package/dist/guards/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/guards/index.ts"],"names":[],"mappings":"AAAA,cAAc,kBAAkB,CAAC;AACjC,cAAc,sBAAsB,CAAC"}

package/dist/guards/index.js

@@ -0,0 +1,19 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./jwt-auth.guard"), exports);
+__exportStar(require("./refresh-auth.guard"), exports);
+//# sourceMappingURL=index.js.map

package/dist/guards/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/lib/guards/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,mDAAiC;AACjC,uDAAqC"}

package/dist/guards/jwt-auth.guard.d.ts

@@ -0,0 +1,10 @@
+import { ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+declare const JwtAuthGuard_base: import("@nestjs/passport").Type<import("@nestjs/passport").IAuthGuard>;
+export declare class JwtAuthGuard extends JwtAuthGuard_base {
+    private readonly reflector;
+    constructor(reflector: Reflector);
+    canActivate(context: ExecutionContext): boolean | Promise<boolean> | import("rxjs").Observable<boolean>;
+}
+export {};
+//# sourceMappingURL=jwt-auth.guard.d.ts.map

package/dist/guards/jwt-auth.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-auth.guard.d.ts","sourceRoot":"","sources":["../../src/lib/guards/jwt-auth.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAc,MAAM,gBAAgB,CAAC;AAC9D,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;;AAIzC,qBACa,YAAa,SAAQ,iBAA4B;IAChD,OAAO,CAAC,QAAQ,CAAC,SAAS;gBAAT,SAAS,EAAE,SAAS;IAIjD,WAAW,CAAC,OAAO,EAAE,gBAAgB;CAQtC"}

package/dist/guards/jwt-auth.guard.js

@@ -0,0 +1,38 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwtAuthGuard = void 0;
+const common_1 = require("@nestjs/common");
+const core_1 = require("@nestjs/core");
+const passport_1 = require("@nestjs/passport");
+const auth_constants_1 = require("../auth.constants");
+let JwtAuthGuard = class JwtAuthGuard extends (0, passport_1.AuthGuard)(auth_constants_1.JWT_STRATEGY_NAME) {
+    reflector;
+    constructor(reflector) {
+        super();
+        this.reflector = reflector;
+    }
+    canActivate(context) {
+        const isPublic = this.reflector.getAllAndOverride(auth_constants_1.IS_PUBLIC_KEY, [
+            context.getHandler(),
+            context.getClass(),
+        ]);
+        if (isPublic)
+            return true;
+        return super.canActivate(context);
+    }
+};
+exports.JwtAuthGuard = JwtAuthGuard;
+exports.JwtAuthGuard = JwtAuthGuard = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [core_1.Reflector])
+], JwtAuthGuard);
+//# sourceMappingURL=jwt-auth.guard.js.map

package/dist/guards/jwt-auth.guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-auth.guard.js","sourceRoot":"","sources":["../../src/lib/guards/jwt-auth.guard.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,2CAA8D;AAC9D,uCAAyC;AACzC,+CAA6C;AAC7C,sDAAqE;AAG9D,IAAM,YAAY,GAAlB,MAAM,YAAa,SAAQ,IAAA,oBAAS,EAAC,kCAAiB,CAAC;IAC/B;IAA7B,YAA6B,SAAoB;QAC/C,KAAK,EAAE,CAAC;QADmB,cAAS,GAAT,SAAS,CAAW;IAEjD,CAAC;IAED,WAAW,CAAC,OAAyB;QACnC,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAU,8BAAa,EAAE;YACxE,OAAO,CAAC,UAAU,EAAE;YACpB,OAAO,CAAC,QAAQ,EAAE;SACnB,CAAC,CAAC;QACH,IAAI,QAAQ;YAAE,OAAO,IAAI,CAAC;QAC1B,OAAO,KAAK,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;IACpC,CAAC;CACF,CAAA;AAbY,oCAAY;uBAAZ,YAAY;IADxB,IAAA,mBAAU,GAAE;qCAE6B,gBAAS;GADtC,YAAY,CAaxB"}

package/dist/guards/refresh-auth.guard.d.ts

@@ -0,0 +1,5 @@
+declare const RefreshAuthGuard_base: import("@nestjs/passport").Type<import("@nestjs/passport").IAuthGuard>;
+export declare class RefreshAuthGuard extends RefreshAuthGuard_base {
+}
+export {};
+//# sourceMappingURL=refresh-auth.guard.d.ts.map

package/dist/guards/refresh-auth.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh-auth.guard.d.ts","sourceRoot":"","sources":["../../src/lib/guards/refresh-auth.guard.ts"],"names":[],"mappings":";AAIA,qBACa,gBAAiB,SAAQ,qBAAgC;CAAG"}

package/dist/guards/refresh-auth.guard.js

@@ -0,0 +1,19 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RefreshAuthGuard = void 0;
+const common_1 = require("@nestjs/common");
+const passport_1 = require("@nestjs/passport");
+const auth_constants_1 = require("../auth.constants");
+let RefreshAuthGuard = class RefreshAuthGuard extends (0, passport_1.AuthGuard)(auth_constants_1.REFRESH_STRATEGY_NAME) {
+};
+exports.RefreshAuthGuard = RefreshAuthGuard;
+exports.RefreshAuthGuard = RefreshAuthGuard = __decorate([
+    (0, common_1.Injectable)()
+], RefreshAuthGuard);
+//# sourceMappingURL=refresh-auth.guard.js.map

package/dist/guards/refresh-auth.guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh-auth.guard.js","sourceRoot":"","sources":["../../src/lib/guards/refresh-auth.guard.ts"],"names":[],"mappings":";;;;;;;;;AAAA,2CAA4C;AAC5C,+CAA6C;AAC7C,sDAA0D;AAGnD,IAAM,gBAAgB,GAAtB,MAAM,gBAAiB,SAAQ,IAAA,oBAAS,EAAC,sCAAqB,CAAC;CAAG,CAAA;AAA5D,4CAAgB;2BAAhB,gBAAgB;IAD5B,IAAA,mBAAU,GAAE;GACA,gBAAgB,CAA4C"}

package/dist/index.d.ts

@@ -0,0 +1,11 @@
+export { AuthModule } from './auth.module';
+export { AuthService } from './auth.service';
+export type { AuthTokens, LoginResult } from './auth.service';
+export { JWT_STRATEGY_NAME, REFRESH_STRATEGY_NAME, REFRESH_TOKEN_STORE, USER_VALIDATOR, AUTH_MODULE_OPTIONS, IS_PUBLIC_KEY, } from './auth.constants';
+export * from './decorators';
+export * from './guards';
+export * from './dto';
+export * from './interfaces';
+export * from './errors/auth.errors';
+export type { RefreshRequestUser } from './strategies/refresh.strategy';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/lib/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,YAAY,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAE9D,OAAO,EACL,iBAAiB,EACjB,qBAAqB,EACrB,mBAAmB,EACnB,cAAc,EACd,mBAAmB,EACnB,aAAa,GACd,MAAM,kBAAkB,CAAC;AAE1B,cAAc,cAAc,CAAC;AAC7B,cAAc,UAAU,CAAC;AACzB,cAAc,OAAO,CAAC;AACtB,cAAc,cAAc,CAAC;AAC7B,cAAc,sBAAsB,CAAC;AACrC,YAAY,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC"}

package/dist/index.js

@@ -0,0 +1,34 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IS_PUBLIC_KEY = exports.AUTH_MODULE_OPTIONS = exports.USER_VALIDATOR = exports.REFRESH_TOKEN_STORE = exports.REFRESH_STRATEGY_NAME = exports.JWT_STRATEGY_NAME = exports.AuthService = exports.AuthModule = void 0;
+var auth_module_1 = require("./auth.module");
+Object.defineProperty(exports, "AuthModule", { enumerable: true, get: function () { return auth_module_1.AuthModule; } });
+var auth_service_1 = require("./auth.service");
+Object.defineProperty(exports, "AuthService", { enumerable: true, get: function () { return auth_service_1.AuthService; } });
+var auth_constants_1 = require("./auth.constants");
+Object.defineProperty(exports, "JWT_STRATEGY_NAME", { enumerable: true, get: function () { return auth_constants_1.JWT_STRATEGY_NAME; } });
+Object.defineProperty(exports, "REFRESH_STRATEGY_NAME", { enumerable: true, get: function () { return auth_constants_1.REFRESH_STRATEGY_NAME; } });
+Object.defineProperty(exports, "REFRESH_TOKEN_STORE", { enumerable: true, get: function () { return auth_constants_1.REFRESH_TOKEN_STORE; } });
+Object.defineProperty(exports, "USER_VALIDATOR", { enumerable: true, get: function () { return auth_constants_1.USER_VALIDATOR; } });
+Object.defineProperty(exports, "AUTH_MODULE_OPTIONS", { enumerable: true, get: function () { return auth_constants_1.AUTH_MODULE_OPTIONS; } });
+Object.defineProperty(exports, "IS_PUBLIC_KEY", { enumerable: true, get: function () { return auth_constants_1.IS_PUBLIC_KEY; } });
+__exportStar(require("./decorators"), exports);
+__exportStar(require("./guards"), exports);
+__exportStar(require("./dto"), exports);
+__exportStar(require("./interfaces"), exports);
+__exportStar(require("./errors/auth.errors"), exports);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/lib/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAAA,6CAA2C;AAAlC,yGAAA,UAAU,OAAA;AACnB,+CAA6C;AAApC,2GAAA,WAAW,OAAA;AAGpB,mDAO0B;AANxB,mHAAA,iBAAiB,OAAA;AACjB,uHAAA,qBAAqB,OAAA;AACrB,qHAAA,mBAAmB,OAAA;AACnB,gHAAA,cAAc,OAAA;AACd,qHAAA,mBAAmB,OAAA;AACnB,+GAAA,aAAa,OAAA;AAGf,+CAA6B;AAC7B,2CAAyB;AACzB,wCAAsB;AACtB,+CAA6B;AAC7B,uDAAqC"}

package/dist/interfaces/auth-module-options.interface.d.ts

@@ -0,0 +1,38 @@
+import { ModuleMetadata, Type } from '@nestjs/common';
+import { RefreshTokenStore } from './refresh-token-store.interface';
+import { UserValidator } from './user-validator.interface';
+export interface AuthModuleOptions {
+    accessSecret: string;
+    refreshSecret: string;
+    /** e.g. '15m', '1h', or seconds as a number. Default: '15m' */
+    accessTtl?: string | number;
+    /** e.g. '30d', '7d'. Default: '30d' */
+    refreshTtl?: string | number;
+    /** Optional pepper mixed into the token hash so a DB leak alone is not replayable. */
+    tokenHashPepper?: string;
+    /** JWT clock skew tolerance in seconds. Default: 5 */
+    clockTolerance?: number;
+    /** JWT issuer claim. Optional. */
+    issuer?: string;
+    /** JWT audience claim. Optional. */
+    audience?: string;
+}
+export interface RefreshTokenStoreProvider {
+    useExisting?: Type<RefreshTokenStore>;
+    useClass?: Type<RefreshTokenStore>;
+    useFactory?: (...args: any[]) => RefreshTokenStore | Promise<RefreshTokenStore>;
+    inject?: any[];
+}
+export interface UserValidatorProvider {
+    useExisting?: Type<UserValidator>;
+    useClass?: Type<UserValidator>;
+    useFactory?: (...args: any[]) => UserValidator | Promise<UserValidator>;
+    inject?: any[];
+}
+export interface AuthModuleAsyncOptions extends Pick<ModuleMetadata, 'imports'> {
+    useFactory: (...args: any[]) => AuthModuleOptions | Promise<AuthModuleOptions>;
+    inject?: any[];
+    store: RefreshTokenStoreProvider;
+    validator: UserValidatorProvider;
+}
+//# sourceMappingURL=auth-module-options.interface.d.ts.map

package/dist/interfaces/auth-module-options.interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-module-options.interface.d.ts","sourceRoot":"","sources":["../../src/lib/interfaces/auth-module-options.interface.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AACpE,OAAO,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAE3D,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,+DAA+D;IAC/D,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAC5B,uCAAuC;IACvC,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAC7B,sFAAsF;IACtF,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,sDAAsD;IACtD,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,kCAAkC;IAClC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,oCAAoC;IACpC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,yBAAyB;IACxC,WAAW,CAAC,EAAE,IAAI,CAAC,iBAAiB,CAAC,CAAC;IACtC,QAAQ,CAAC,EAAE,IAAI,CAAC,iBAAiB,CAAC,CAAC;IACnC,UAAU,CAAC,EAAE,CACX,GAAG,IAAI,EAAE,GAAG,EAAE,KACX,iBAAiB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACpD,MAAM,CAAC,EAAE,GAAG,EAAE,CAAC;CAChB;AAED,MAAM,WAAW,qBAAqB;IACpC,WAAW,CAAC,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;IAClC,QAAQ,CAAC,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;IAC/B,UAAU,CAAC,EAAE,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IACxE,MAAM,CAAC,EAAE,GAAG,EAAE,CAAC;CAChB;AAED,MAAM,WAAW,sBACf,SAAQ,IAAI,CAAC,cAAc,EAAE,SAAS,CAAC;IACvC,UAAU,EAAE,CACV,GAAG,IAAI,EAAE,GAAG,EAAE,KACX,iBAAiB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACpD,MAAM,CAAC,EAAE,GAAG,EAAE,CAAC;IACf,KAAK,EAAE,yBAAyB,CAAC;IACjC,SAAS,EAAE,qBAAqB,CAAC;CAClC"}

package/dist/interfaces/auth-module-options.interface.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=auth-module-options.interface.js.map

package/dist/interfaces/auth-module-options.interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-module-options.interface.js","sourceRoot":"","sources":["../../src/lib/interfaces/auth-module-options.interface.ts"],"names":[],"mappings":""}

package/dist/interfaces/auth-user.interface.d.ts

@@ -0,0 +1,8 @@
+export interface AuthUser {
+    id: string | number;
+    email?: string;
+    roles?: string[];
+    permissions?: string[];
+    [key: string]: unknown;
+}
+//# sourceMappingURL=auth-user.interface.d.ts.map

package/dist/interfaces/auth-user.interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-user.interface.d.ts","sourceRoot":"","sources":["../../src/lib/interfaces/auth-user.interface.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,GAAG,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB"}

package/dist/interfaces/auth-user.interface.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=auth-user.interface.js.map

package/dist/interfaces/auth-user.interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-user.interface.js","sourceRoot":"","sources":["../../src/lib/interfaces/auth-user.interface.ts"],"names":[],"mappings":""}

package/dist/interfaces/index.d.ts

@@ -0,0 +1,6 @@
+export * from './auth-user.interface';
+export * from './jwt-payload.interface';
+export * from './refresh-token-store.interface';
+export * from './user-validator.interface';
+export * from './auth-module-options.interface';
+//# sourceMappingURL=index.d.ts.map

package/dist/interfaces/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/interfaces/index.ts"],"names":[],"mappings":"AAAA,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,cAAc,iCAAiC,CAAC;AAChD,cAAc,4BAA4B,CAAC;AAC3C,cAAc,iCAAiC,CAAC"}

package/dist/interfaces/index.js

@@ -0,0 +1,22 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./auth-user.interface"), exports);
+__exportStar(require("./jwt-payload.interface"), exports);
+__exportStar(require("./refresh-token-store.interface"), exports);
+__exportStar(require("./user-validator.interface"), exports);
+__exportStar(require("./auth-module-options.interface"), exports);
+//# sourceMappingURL=index.js.map

package/dist/interfaces/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/lib/interfaces/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,wDAAsC;AACtC,0DAAwC;AACxC,kEAAgD;AAChD,6DAA2C;AAC3C,kEAAgD"}

package/dist/interfaces/jwt-payload.interface.d.ts

@@ -0,0 +1,14 @@
+export interface JwtPayload {
+    sub: string | number;
+    email?: string;
+    roles?: string[];
+    [key: string]: unknown;
+}
+export interface RefreshJwtPayload {
+    sub: string | number;
+    jti: string;
+    typ: 'refresh';
+    iat?: number;
+    exp?: number;
+}
+//# sourceMappingURL=jwt-payload.interface.d.ts.map

package/dist/interfaces/jwt-payload.interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-payload.interface.d.ts","sourceRoot":"","sources":["../../src/lib/interfaces/jwt-payload.interface.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,iBAAiB;IAChC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC;IACrB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,SAAS,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;CACd"}

package/dist/interfaces/jwt-payload.interface.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=jwt-payload.interface.js.map

package/dist/interfaces/jwt-payload.interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-payload.interface.js","sourceRoot":"","sources":["../../src/lib/interfaces/jwt-payload.interface.ts"],"names":[],"mappings":""}

package/dist/interfaces/refresh-token-store.interface.d.ts

@@ -0,0 +1,34 @@
+export type SessionMetadata = Record<string, unknown>;
+export interface StoredRefreshToken {
+    id: string;
+    userId: string | number;
+    tokenHash: string;
+    metadata?: SessionMetadata;
+    expiresAt: Date;
+    revokedAt?: Date | null;
+    createdAt: Date;
+}
+export interface CreateRefreshTokenInput {
+    id: string;
+    userId: string | number;
+    tokenHash: string;
+    expiresAt: Date;
+    metadata?: SessionMetadata;
+}
+/**
+ * Pluggable persistence contract for refresh-token sessions. Consumers provide
+ * the implementation (TypeORM, Prisma, Mongoose, Redis, etc.).
+ *
+ * `consume` MUST be atomic: it should mark the row revoked and return it ONLY
+ * if it was previously unrevoked AND the supplied hash matches. Implementing
+ * this non-atomically opens a window where two concurrent refresh calls both
+ * succeed and split the session.
+ */
+export interface RefreshTokenStore {
+    create(input: CreateRefreshTokenInput): Promise<StoredRefreshToken>;
+    findById(id: string): Promise<StoredRefreshToken | null>;
+    consume(id: string, expectedHash: string): Promise<StoredRefreshToken | null>;
+    revokeById(id: string): Promise<void>;
+    revokeAllForUser(userId: string | number): Promise<void>;
+}
+//# sourceMappingURL=refresh-token-store.interface.d.ts.map

package/dist/interfaces/refresh-token-store.interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh-token-store.interface.d.ts","sourceRoot":"","sources":["../../src/lib/interfaces/refresh-token-store.interface.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAEtD,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,eAAe,CAAC;IAC3B,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,uBAAuB;IACtC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,IAAI,CAAC;IAChB,QAAQ,CAAC,EAAE,eAAe,CAAC;CAC5B;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,iBAAiB;IAChC,MAAM,CAAC,KAAK,EAAE,uBAAuB,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACpE,QAAQ,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IACzD,OAAO,CACL,EAAE,EAAE,MAAM,EACV,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IACtC,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACtC,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1D"}

package/dist/interfaces/refresh-token-store.interface.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=refresh-token-store.interface.js.map

package/dist/interfaces/refresh-token-store.interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh-token-store.interface.js","sourceRoot":"","sources":["../../src/lib/interfaces/refresh-token-store.interface.ts"],"names":[],"mappings":""}

package/dist/interfaces/user-validator.interface.d.ts

@@ -0,0 +1,11 @@
+import { AuthUser } from './auth-user.interface';
+/**
+ * Pluggable identity contract. Consumers implement this against their own
+ * user store (DB, identity provider, etc.) — the library never reads users
+ * directly.
+ */
+export interface UserValidator {
+    validateCredentials(email: string, password: string): Promise<AuthUser | null>;
+    findById(userId: string | number): Promise<AuthUser | null>;
+}
+//# sourceMappingURL=user-validator.interface.d.ts.map

package/dist/interfaces/user-validator.interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-validator.interface.d.ts","sourceRoot":"","sources":["../../src/lib/interfaces/user-validator.interface.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AAEjD;;;;GAIG;AACH,MAAM,WAAW,aAAa;IAC5B,mBAAmB,CACjB,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;IAC5B,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;CAC7D"}

package/dist/interfaces/user-validator.interface.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=user-validator.interface.js.map

package/dist/interfaces/user-validator.interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-validator.interface.js","sourceRoot":"","sources":["../../src/lib/interfaces/user-validator.interface.ts"],"names":[],"mappings":""}

package/dist/services/index.d.ts

@@ -0,0 +1,2 @@
+export * from './token.service';
+//# sourceMappingURL=index.d.ts.map

package/dist/services/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/services/index.ts"],"names":[],"mappings":"AAAA,cAAc,iBAAiB,CAAC"}

package/dist/services/index.js

@@ -0,0 +1,18 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./token.service"), exports);
+//# sourceMappingURL=index.js.map

package/dist/services/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/lib/services/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,kDAAgC"}

package/dist/services/token.service.d.ts

@@ -0,0 +1,23 @@
+import { JwtService } from '@nestjs/jwt';
+import type { AuthModuleOptions } from '../interfaces/auth-module-options.interface';
+import type { JwtPayload, RefreshJwtPayload } from '../interfaces/jwt-payload.interface';
+export declare class TokenService {
+    private readonly jwt;
+    private readonly options;
+    constructor(jwt: JwtService, options: AuthModuleOptions);
+    signAccessToken(payload: JwtPayload): Promise<string>;
+    signRefreshToken(payload: {
+        sub: string | number;
+        jti: string;
+    }): Promise<string>;
+    verifyAccessToken(token: string): Promise<JwtPayload>;
+    verifyRefreshToken(token: string): Promise<RefreshJwtPayload>;
+    /**
+     * Resolve the configured refresh-token TTL into an absolute Date for store rows.
+     * Mirrors `expiresIn` semantics from `jsonwebtoken`: number = seconds, string = vercel/ms.
+     */
+    refreshExpiresAt(now?: Date): Date;
+    private signOpts;
+    private verifyOpts;
+}
+//# sourceMappingURL=token.service.d.ts.map

package/dist/services/token.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.service.d.ts","sourceRoot":"","sources":["../../src/lib/services/token.service.ts"],"names":[],"mappings":"AACA,OAAO,EACL,UAAU,EAGX,MAAM,aAAa,CAAC;AAErB,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,6CAA6C,CAAC;AACrF,OAAO,KAAK,EACV,UAAU,EACV,iBAAiB,EAClB,MAAM,qCAAqC,CAAC;AAI7C,qBACa,YAAY;IAErB,OAAO,CAAC,QAAQ,CAAC,GAAG;IAEpB,OAAO,CAAC,QAAQ,CAAC,OAAO;gBAFP,GAAG,EAAE,UAAU,EAEf,OAAO,EAAE,iBAAiB;IAG7C,eAAe,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC;IAIrD,gBAAgB,CAAC,OAAO,EAAE;QACxB,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC;QACrB,GAAG,EAAE,MAAM,CAAC;KACb,GAAG,OAAO,CAAC,MAAM,CAAC;IAOnB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAIrD,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAI7D;;;OAGG;IACH,gBAAgB,CAAC,GAAG,GAAE,IAAiB,GAAG,IAAI;IAM9C,OAAO,CAAC,QAAQ;IAUhB,OAAO,CAAC,UAAU;CASnB"}

package/dist/services/token.service.js

@@ -0,0 +1,94 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenService = void 0;
+const common_1 = require("@nestjs/common");
+const jwt_1 = require("@nestjs/jwt");
+const auth_constants_1 = require("../auth.constants");
+let TokenService = class TokenService {
+    jwt;
+    options;
+    constructor(jwt, options) {
+        this.jwt = jwt;
+        this.options = options;
+    }
+    signAccessToken(payload) {
+        return this.jwt.signAsync(payload, this.signOpts(this.options.accessSecret, this.options.accessTtl ?? '15m'));
+    }
+    signRefreshToken(payload) {
+        return this.jwt.signAsync({ ...payload, typ: auth_constants_1.REFRESH_TOKEN_TYPE }, this.signOpts(this.options.refreshSecret, this.options.refreshTtl ?? '30d'));
+    }
+    verifyAccessToken(token) {
+        return this.jwt.verifyAsync(token, this.verifyOpts(this.options.accessSecret));
+    }
+    verifyRefreshToken(token) {
+        return this.jwt.verifyAsync(token, this.verifyOpts(this.options.refreshSecret));
+    }
+    /**
+     * Resolve the configured refresh-token TTL into an absolute Date for store rows.
+     * Mirrors `expiresIn` semantics from `jsonwebtoken`: number = seconds, string = vercel/ms.
+     */
+    refreshExpiresAt(now = new Date()) {
+        const ttl = this.options.refreshTtl ?? '30d';
+        const seconds = ttlToSeconds(ttl);
+        return new Date(now.getTime() + seconds * 1000);
+    }
+    signOpts(secret, ttl) {
+        const opts = {
+            secret,
+            expiresIn: ttl,
+        };
+        if (this.options.issuer)
+            opts.issuer = this.options.issuer;
+        if (this.options.audience)
+            opts.audience = this.options.audience;
+        return opts;
+    }
+    verifyOpts(secret) {
+        const opts = {
+            secret,
+            clockTolerance: this.options.clockTolerance ?? 5,
+        };
+        if (this.options.issuer)
+            opts.issuer = this.options.issuer;
+        if (this.options.audience)
+            opts.audience = this.options.audience;
+        return opts;
+    }
+};
+exports.TokenService = TokenService;
+exports.TokenService = TokenService = __decorate([
+    (0, common_1.Injectable)(),
+    __param(1, (0, common_1.Inject)(auth_constants_1.AUTH_MODULE_OPTIONS)),
+    __metadata("design:paramtypes", [jwt_1.JwtService, Object])
+], TokenService);
+function ttlToSeconds(ttl) {
+    if (typeof ttl === 'number')
+        return ttl;
+    const match = /^(\d+)\s*(s|m|h|d|w)?$/i.exec(ttl.trim());
+    if (!match) {
+        throw new Error(`Invalid TTL: ${ttl}`);
+    }
+    const value = parseInt(match[1], 10);
+    const unit = (match[2] || 's').toLowerCase();
+    const multipliers = {
+        s: 1,
+        m: 60,
+        h: 3600,
+        d: 86400,
+        w: 604800,
+    };
+    return value * multipliers[unit];
+}
+//# sourceMappingURL=token.service.js.map