npm - @digitaldefiance/node-express-suite - Versions diffs - 3.7.3 → 3.7.5 - Mend

@digitaldefiance/node-express-suite 3.7.3 → 3.7.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (882) hide show

package/LICENSE +21 -0
package/package.json +4 -5
package/src/__tests__/fixtures/{index.d.ts → index.ts} +0 -1
package/src/__tests__/fixtures/model-mocks.mock.ts +164 -0
package/src/__tests__/helpers/application.mock.ts +89 -0
package/src/__tests__/helpers/{index.d.ts → index.ts} +0 -1
package/src/__tests__/helpers/setup-test-env.ts +202 -0
package/src/__tests__/{index.d.ts → index.ts} +0 -1
package/src/application-base.ts +548 -0
package/src/application-concrete.ts +62 -0
package/src/application.ts +330 -0
package/src/backup-code.ts +348 -0
package/src/builders/application-builder.ts +147 -0
package/src/builders/{index.d.ts → index.ts} +0 -1
package/src/constants.ts +89 -0
package/src/container/{index.d.ts → index.ts} +0 -1
package/src/container/service-container.ts +85 -0
package/src/container/service-definitions.ts +23 -0
package/src/controllers/base.ts +512 -0
package/src/controllers/{index.d.ts → index.ts} +0 -1
package/src/controllers/user.ts +1734 -0
package/src/database/database-initializer.ts +13 -0
package/src/database/{index.d.ts → index.ts} +0 -1
package/src/decorators/base-controller.ts +91 -0
package/src/decorators/controller.ts +152 -0
package/src/decorators/{index.d.ts → index.ts} +0 -1
package/src/decorators/zod-validation.ts +64 -0
package/src/defaults.ts +259 -0
package/src/documents/base.ts +17 -0
package/src/documents/email-token.ts +20 -0
package/src/documents/{index.d.ts → index.ts} +0 -1
package/src/documents/mnemonic.ts +20 -0
package/src/documents/role.ts +19 -0
package/src/documents/used-direct-login-token.ts +18 -0
package/src/documents/user-role.ts +20 -0
package/src/documents/user.ts +20 -0
package/src/enumerations/base-model-name.ts +47 -0
package/src/enumerations/{index.d.ts → index.ts} +0 -1
package/src/enumerations/length-encoding-type.ts +16 -0
package/src/enumerations/schema-collection.ts +39 -0
package/src/enumerations/symmetric-error-type.ts +13 -0
package/src/environment.ts +859 -0
package/src/errors/express-validation.ts +38 -0
package/src/errors/{index.d.ts → index.ts} +0 -1
package/src/errors/invalid-backup-code-version.ts +30 -0
package/src/errors/invalid-jwt-token.ts +24 -0
package/src/errors/invalid-model.ts +24 -0
package/src/errors/invalid-new-password.ts +33 -0
package/src/errors/invalid-password.ts +28 -0
package/src/errors/missing-validated-data.ts +55 -0
package/src/errors/mnemonic-or-password-required.ts +26 -0
package/src/errors/model-not-registered.ts +24 -0
package/src/errors/mongoose-validation.ts +56 -0
package/src/errors/symmetric.ts +53 -0
package/src/errors/token-expired.ts +24 -0
package/src/get-language.ts +64 -0
package/src/get-timezone.ts +76 -0
package/src/{index.d.ts → index.ts} +44 -2
package/src/interfaces/api-error-response.ts +15 -0
package/src/interfaces/api-express-validation-error-response.ts +17 -0
package/src/interfaces/api-message-response.ts +12 -0
package/src/interfaces/api-mongo-validation-error-response.ts +17 -0
package/src/interfaces/api-responses/backup-codes-response.ts +15 -0
package/src/interfaces/api-responses/challenge-response.ts +17 -0
package/src/interfaces/api-responses/code-count-response.ts +12 -0
package/src/interfaces/api-responses/{index.d.ts → index.ts} +0 -1
package/src/interfaces/api-responses/login-response.ts +18 -0
package/src/interfaces/api-responses/mnemonic-response.ts +15 -0
package/src/interfaces/api-responses/registration-response.ts +17 -0
package/src/interfaces/api-responses/request-user-response.ts +16 -0
package/src/interfaces/api-responses/user-settings-response.ts +19 -0
package/src/interfaces/application.ts +40 -0
package/src/interfaces/backend-objects/email-token.ts +18 -0
package/src/interfaces/backend-objects/{index.d.ts → index.ts} +0 -1
package/src/interfaces/backend-objects/request-user.ts +19 -0
package/src/interfaces/backend-objects/role.ts +18 -0
package/src/interfaces/backend-objects/user.ts +18 -0
package/src/interfaces/checksum-config.ts +15 -0
package/src/interfaces/checksum-consts.ts +23 -0
package/src/interfaces/constants.ts +114 -0
package/src/interfaces/controller-config.ts +54 -0
package/src/interfaces/create-user-basics.ts +24 -0
package/src/interfaces/csp-config.ts +32 -0
package/src/interfaces/csp-definition.ts +71 -0
package/src/interfaces/db-init-result.ts +17 -0
package/src/interfaces/deep-partial.ts +14 -0
package/src/interfaces/discriminator-collections.ts +21 -0
package/src/interfaces/email-service.ts +26 -0
package/src/interfaces/environment-mongo.ts +86 -0
package/src/interfaces/environment.ts +191 -0
package/src/interfaces/failable-result.ts +20 -0
package/src/interfaces/fec-consts.ts +14 -0
package/src/interfaces/flexible-csp.ts +35 -0
package/src/interfaces/handleable-error-options.ts +19 -0
package/src/interfaces/{index.d.ts → index.ts} +0 -1
package/src/interfaces/jwt-consts.ts +33 -0
package/src/interfaces/jwt-sign-response.ts +31 -0
package/src/interfaces/models/email-token.ts +13 -0
package/src/interfaces/models/{index.d.ts → index.ts} +0 -1
package/src/interfaces/models/mnemonic.ts +14 -0
package/src/interfaces/models/role.ts +13 -0
package/src/interfaces/models/token-role.ts +23 -0
package/src/interfaces/models/used-direct-login-token.ts +21 -0
package/src/interfaces/models/user-role.ts +23 -0
package/src/interfaces/models/user.ts +30 -0
package/src/interfaces/mongo-errors.ts +14 -0
package/src/interfaces/request-user.ts +80 -0
package/src/interfaces/required-string-keys.ts +33 -0
package/src/interfaces/schema.ts +43 -0
package/src/interfaces/server-init-result.ts +48 -0
package/src/interfaces/status-code-response.ts +20 -0
package/src/interfaces/symmetric-encryption-results.d.ts.map +1 -1
package/src/interfaces/symmetric-encryption-results.js.map +1 -1
package/src/interfaces/symmetric-encryption-results.ts +15 -0
package/src/interfaces/test-environment.ts +23 -0
package/src/interfaces/token-response.ts +16 -0
package/src/middleware-utils.ts +138 -0
package/src/middlewares/authenticate-crypto.ts +237 -0
package/src/middlewares/authenticate-token.ts +165 -0
package/src/middlewares/cleanup-crypto.ts +47 -0
package/src/middlewares/{index.d.ts → index.ts} +0 -1
package/src/middlewares/set-global-context-language.ts +38 -0
package/src/model-registry.ts +142 -0
package/src/models/email-token.ts +49 -0
package/src/models/{index.d.ts → index.ts} +0 -1
package/src/models/mnemonic.ts +42 -0
package/src/models/role.ts +38 -0
package/src/models/used-direct-login-token.ts +49 -0
package/src/models/user-role.ts +40 -0
package/src/models/user.ts +42 -0
package/src/pipeline/{index.d.ts → index.ts} +0 -1
package/src/pipeline/pipeline-builder.ts +27 -0
package/src/plugins/{index.d.ts → index.ts} +0 -1
package/src/plugins/plugin-interface.ts +19 -0
package/src/plugins/plugin-manager.ts +53 -0
package/src/registry/email-service-registry.ts +76 -0
package/src/registry/{index.d.ts → index.ts} +0 -1
package/src/responses/{index.d.ts → index.ts} +0 -1
package/src/responses/response-builder.ts +166 -0
package/src/routers/api.ts +233 -0
package/src/routers/app.ts +395 -0
package/src/routers/base.ts +34 -0
package/src/routers/{index.d.ts → index.ts} +0 -1
package/src/routers/router-config.ts +34 -0
package/src/routing/index.ts +1 -0
package/src/routing/route-builder.ts +214 -0
package/src/schemas/email-token.ts +112 -0
package/src/schemas/{index.d.ts → index.ts} +0 -1
package/src/schemas/mnemonic.ts +48 -0
package/src/schemas/role.ts +153 -0
package/src/schemas/schema.ts +185 -0
package/src/schemas/used-direct-login-token.ts +58 -0
package/src/schemas/user-role.ts +93 -0
package/src/schemas/user.ts +244 -0
package/src/services/backup-code.ts +327 -0
package/src/services/base.ts +46 -0
package/src/services/checksum.ts +189 -0
package/src/services/database-initialization.ts +1653 -0
package/src/services/db-init-cache.ts +28 -0
package/src/services/direct-login-token.ts +83 -0
package/src/services/dummy-email-service.ts +43 -0
package/src/services/fec-usage-example.ts +123 -0
package/src/services/fec.ts +399 -0
package/src/services/{index.d.ts → index.ts} +0 -2
package/src/services/jwt.ts +146 -0
package/src/services/key-wrapping.ts +528 -0
package/src/services/mnemonic.ts +174 -0
package/src/services/request-user.ts +127 -0
package/src/services/role.ts +417 -0
package/src/services/symmetric.ts +164 -0
package/src/services/system-user.ts +87 -0
package/src/services/user.ts +2324 -0
package/src/services/xor.ts +39 -0
package/src/testing.ts +9 -0
package/src/transactions/{index.d.ts → index.ts} +0 -1
package/src/transactions/transaction-manager.ts +63 -0
package/src/types/app-config.ts +36 -0
package/src/types/controller-config.ts +28 -0
package/src/types/{environment-variables.d.ts → environment-variables.ts} +32 -5
package/src/types/{index.d.ts → index.ts} +0 -1
package/src/types/{mongoose-helpers.d.ts → mongoose-helpers.ts} +8 -2
package/src/types/mongoose-override.d.ts +1 -0
package/src/types/mongoose.d.ts +1 -0
package/src/types.ts +189 -0
package/src/utils.ts +1116 -0
package/src/validation/{index.d.ts → index.ts} +0 -1
package/src/validation/validation-builder.ts +155 -0
package/src/__tests__/fixtures/index.d.ts.map +0 -1
package/src/__tests__/fixtures/index.js +0 -5
package/src/__tests__/fixtures/index.js.map +0 -1
package/src/__tests__/fixtures/model-mocks.mock.d.ts +0 -12
package/src/__tests__/fixtures/model-mocks.mock.d.ts.map +0 -1
package/src/__tests__/fixtures/model-mocks.mock.js +0 -102
package/src/__tests__/fixtures/model-mocks.mock.js.map +0 -1
package/src/__tests__/helpers/application.mock.d.ts +0 -8
package/src/__tests__/helpers/application.mock.d.ts.map +0 -1
package/src/__tests__/helpers/application.mock.js +0 -77
package/src/__tests__/helpers/application.mock.js.map +0 -1
package/src/__tests__/helpers/index.d.ts.map +0 -1
package/src/__tests__/helpers/index.js +0 -7
package/src/__tests__/helpers/index.js.map +0 -1
package/src/__tests__/helpers/setup-test-env.d.ts +0 -12
package/src/__tests__/helpers/setup-test-env.d.ts.map +0 -1
package/src/__tests__/helpers/setup-test-env.js +0 -121
package/src/__tests__/helpers/setup-test-env.js.map +0 -1
package/src/__tests__/index.d.ts.map +0 -1
package/src/__tests__/index.js +0 -6
package/src/__tests__/index.js.map +0 -1
package/src/application-base.d.ts +0 -123
package/src/application-base.d.ts.map +0 -1
package/src/application-base.js +0 -359
package/src/application-base.js.map +0 -1
package/src/application-concrete.d.ts +0 -13
package/src/application-concrete.d.ts.map +0 -1
package/src/application-concrete.js +0 -21
package/src/application-concrete.js.map +0 -1
package/src/application.d.ts +0 -29
package/src/application.d.ts.map +0 -1
package/src/application.js +0 -167
package/src/application.js.map +0 -1
package/src/backup-code.d.ts +0 -67
package/src/backup-code.d.ts.map +0 -1
package/src/backup-code.js +0 -238
package/src/backup-code.js.map +0 -1
package/src/builders/application-builder.d.ts +0 -35
package/src/builders/application-builder.d.ts.map +0 -1
package/src/builders/application-builder.js +0 -64
package/src/builders/application-builder.js.map +0 -1
package/src/builders/index.d.ts.map +0 -1
package/src/builders/index.js +0 -5
package/src/builders/index.js.map +0 -1
package/src/constants.d.ts +0 -16
package/src/constants.d.ts.map +0 -1
package/src/constants.js +0 -58
package/src/constants.js.map +0 -1
package/src/container/index.d.ts.map +0 -1
package/src/container/index.js +0 -6
package/src/container/index.js.map +0 -1
package/src/container/service-container.d.ts +0 -11
package/src/container/service-container.d.ts.map +0 -1
package/src/container/service-container.js +0 -38
package/src/container/service-container.js.map +0 -1
package/src/container/service-definitions.d.ts +0 -11
package/src/container/service-definitions.d.ts.map +0 -1
package/src/container/service-definitions.js +0 -13
package/src/container/service-definitions.js.map +0 -1
package/src/controllers/base.d.ts +0 -67
package/src/controllers/base.d.ts.map +0 -1
package/src/controllers/base.js +0 -305
package/src/controllers/base.js.map +0 -1
package/src/controllers/index.d.ts.map +0 -1
package/src/controllers/index.js +0 -6
package/src/controllers/index.js.map +0 -1
package/src/controllers/user.d.ts +0 -49
package/src/controllers/user.d.ts.map +0 -1
package/src/controllers/user.js +0 -919
package/src/controllers/user.js.map +0 -1
package/src/database/database-initializer.d.ts +0 -7
package/src/database/database-initializer.d.ts.map +0 -1
package/src/database/database-initializer.js +0 -3
package/src/database/database-initializer.js.map +0 -1
package/src/database/index.d.ts.map +0 -1
package/src/database/index.js +0 -5
package/src/database/index.js.map +0 -1
package/src/decorators/base-controller.d.ts +0 -11
package/src/decorators/base-controller.d.ts.map +0 -1
package/src/decorators/base-controller.js +0 -60
package/src/decorators/base-controller.js.map +0 -1
package/src/decorators/controller.d.ts +0 -38
package/src/decorators/controller.d.ts.map +0 -1
package/src/decorators/controller.js +0 -68
package/src/decorators/controller.js.map +0 -1
package/src/decorators/index.d.ts.map +0 -1
package/src/decorators/index.js +0 -7
package/src/decorators/index.js.map +0 -1
package/src/decorators/zod-validation.d.ts +0 -5
package/src/decorators/zod-validation.d.ts.map +0 -1
package/src/decorators/zod-validation.js +0 -48
package/src/decorators/zod-validation.js.map +0 -1
package/src/defaults.d.ts +0 -7
package/src/defaults.d.ts.map +0 -1
package/src/defaults.js +0 -205
package/src/defaults.js.map +0 -1
package/src/documents/base.d.ts +0 -4
package/src/documents/base.d.ts.map +0 -1
package/src/documents/base.js +0 -3
package/src/documents/base.js.map +0 -1
package/src/documents/email-token.d.ts +0 -8
package/src/documents/email-token.d.ts.map +0 -1
package/src/documents/email-token.js +0 -3
package/src/documents/email-token.js.map +0 -1
package/src/documents/index.d.ts.map +0 -1
package/src/documents/index.js +0 -3
package/src/documents/index.js.map +0 -1
package/src/documents/mnemonic.d.ts +0 -8
package/src/documents/mnemonic.d.ts.map +0 -1
package/src/documents/mnemonic.js +0 -3
package/src/documents/mnemonic.js.map +0 -1
package/src/documents/role.d.ts +0 -8
package/src/documents/role.d.ts.map +0 -1
package/src/documents/role.js +0 -3
package/src/documents/role.js.map +0 -1
package/src/documents/used-direct-login-token.d.ts +0 -5
package/src/documents/used-direct-login-token.d.ts.map +0 -1
package/src/documents/used-direct-login-token.js +0 -3
package/src/documents/used-direct-login-token.js.map +0 -1
package/src/documents/user-role.d.ts +0 -8
package/src/documents/user-role.d.ts.map +0 -1
package/src/documents/user-role.js +0 -3
package/src/documents/user-role.js.map +0 -1
package/src/documents/user.d.ts +0 -8
package/src/documents/user.d.ts.map +0 -1
package/src/documents/user.js +0 -3
package/src/documents/user.js.map +0 -1
package/src/enumerations/base-model-name.d.ts +0 -38
package/src/enumerations/base-model-name.d.ts.map +0 -1
package/src/enumerations/base-model-name.js +0 -34
package/src/enumerations/base-model-name.js.map +0 -1
package/src/enumerations/index.d.ts.map +0 -1
package/src/enumerations/index.js +0 -8
package/src/enumerations/index.js.map +0 -1
package/src/enumerations/length-encoding-type.d.ts +0 -7
package/src/enumerations/length-encoding-type.d.ts.map +0 -1
package/src/enumerations/length-encoding-type.js +0 -11
package/src/enumerations/length-encoding-type.js.map +0 -1
package/src/enumerations/schema-collection.d.ts +0 -34
package/src/enumerations/schema-collection.d.ts.map +0 -1
package/src/enumerations/schema-collection.js +0 -38
package/src/enumerations/schema-collection.js.map +0 -1
package/src/enumerations/symmetric-error-type.d.ts +0 -5
package/src/enumerations/symmetric-error-type.d.ts.map +0 -1
package/src/enumerations/symmetric-error-type.js +0 -9
package/src/enumerations/symmetric-error-type.js.map +0 -1
package/src/environment.d.ts +0 -189
package/src/environment.d.ts.map +0 -1
package/src/environment.js +0 -641
package/src/environment.js.map +0 -1
package/src/errors/express-validation.d.ts +0 -9
package/src/errors/express-validation.d.ts.map +0 -1
package/src/errors/express-validation.js +0 -18
package/src/errors/express-validation.js.map +0 -1
package/src/errors/index.d.ts.map +0 -1
package/src/errors/index.js +0 -16
package/src/errors/index.js.map +0 -1
package/src/errors/invalid-backup-code-version.d.ts +0 -6
package/src/errors/invalid-backup-code-version.d.ts.map +0 -1
package/src/errors/invalid-backup-code-version.js +0 -16
package/src/errors/invalid-backup-code-version.js.map +0 -1
package/src/errors/invalid-jwt-token.d.ts +0 -5
package/src/errors/invalid-jwt-token.d.ts.map +0 -1
package/src/errors/invalid-jwt-token.js +0 -12
package/src/errors/invalid-jwt-token.js.map +0 -1
package/src/errors/invalid-model.d.ts +0 -6
package/src/errors/invalid-model.d.ts.map +0 -1
package/src/errors/invalid-model.js +0 -14
package/src/errors/invalid-model.js.map +0 -1
package/src/errors/invalid-new-password.d.ts +0 -5
package/src/errors/invalid-new-password.d.ts.map +0 -1
package/src/errors/invalid-new-password.js +0 -14
package/src/errors/invalid-new-password.js.map +0 -1
package/src/errors/invalid-password.d.ts +0 -5
package/src/errors/invalid-password.d.ts.map +0 -1
package/src/errors/invalid-password.js +0 -14
package/src/errors/invalid-password.js.map +0 -1
package/src/errors/missing-validated-data.d.ts +0 -7
package/src/errors/missing-validated-data.d.ts.map +0 -1
package/src/errors/missing-validated-data.js +0 -36
package/src/errors/missing-validated-data.js.map +0 -1
package/src/errors/mnemonic-or-password-required.d.ts +0 -5
package/src/errors/mnemonic-or-password-required.d.ts.map +0 -1
package/src/errors/mnemonic-or-password-required.js +0 -14
package/src/errors/mnemonic-or-password-required.js.map +0 -1
package/src/errors/model-not-registered.d.ts +0 -6
package/src/errors/model-not-registered.d.ts.map +0 -1
package/src/errors/model-not-registered.js +0 -14
package/src/errors/model-not-registered.js.map +0 -1
package/src/errors/mongoose-validation.d.ts +0 -12
package/src/errors/mongoose-validation.d.ts.map +0 -1
package/src/errors/mongoose-validation.js +0 -17
package/src/errors/mongoose-validation.js.map +0 -1
package/src/errors/symmetric.d.ts +0 -8
package/src/errors/symmetric.d.ts.map +0 -1
package/src/errors/symmetric.js +0 -22
package/src/errors/symmetric.js.map +0 -1
package/src/errors/token-expired.d.ts +0 -5
package/src/errors/token-expired.d.ts.map +0 -1
package/src/errors/token-expired.js +0 -12
package/src/errors/token-expired.js.map +0 -1
package/src/get-language.d.ts +0 -2
package/src/get-language.d.ts.map +0 -1
package/src/get-language.js +0 -30
package/src/get-language.js.map +0 -1
package/src/get-timezone.d.ts +0 -2
package/src/get-timezone.d.ts.map +0 -1
package/src/get-timezone.js +0 -39
package/src/get-timezone.js.map +0 -1
package/src/index.d.ts.map +0 -1
package/src/index.js +0 -80
package/src/index.js.map +0 -1
package/src/interfaces/api-error-response.d.ts +0 -5
package/src/interfaces/api-error-response.d.ts.map +0 -1
package/src/interfaces/api-error-response.js +0 -3
package/src/interfaces/api-error-response.js.map +0 -1
package/src/interfaces/api-express-validation-error-response.d.ts +0 -7
package/src/interfaces/api-express-validation-error-response.d.ts.map +0 -1
package/src/interfaces/api-express-validation-error-response.js +0 -3
package/src/interfaces/api-express-validation-error-response.js.map +0 -1
package/src/interfaces/api-message-response.d.ts +0 -4
package/src/interfaces/api-message-response.d.ts.map +0 -1
package/src/interfaces/api-message-response.js +0 -3
package/src/interfaces/api-message-response.js.map +0 -1
package/src/interfaces/api-mongo-validation-error-response.d.ts +0 -6
package/src/interfaces/api-mongo-validation-error-response.d.ts.map +0 -1
package/src/interfaces/api-mongo-validation-error-response.js +0 -3
package/src/interfaces/api-mongo-validation-error-response.js.map +0 -1
package/src/interfaces/api-responses/backup-codes-response.d.ts +0 -5
package/src/interfaces/api-responses/backup-codes-response.d.ts.map +0 -1
package/src/interfaces/api-responses/backup-codes-response.js +0 -3
package/src/interfaces/api-responses/backup-codes-response.js.map +0 -1
package/src/interfaces/api-responses/challenge-response.d.ts +0 -6
package/src/interfaces/api-responses/challenge-response.d.ts.map +0 -1
package/src/interfaces/api-responses/challenge-response.js +0 -3
package/src/interfaces/api-responses/challenge-response.js.map +0 -1
package/src/interfaces/api-responses/code-count-response.d.ts +0 -5
package/src/interfaces/api-responses/code-count-response.d.ts.map +0 -1
package/src/interfaces/api-responses/code-count-response.js +0 -3
package/src/interfaces/api-responses/code-count-response.js.map +0 -1
package/src/interfaces/api-responses/index.d.ts.map +0 -1
package/src/interfaces/api-responses/index.js +0 -12
package/src/interfaces/api-responses/index.js.map +0 -1
package/src/interfaces/api-responses/login-response.d.ts +0 -8
package/src/interfaces/api-responses/login-response.d.ts.map +0 -1
package/src/interfaces/api-responses/login-response.js +0 -3
package/src/interfaces/api-responses/login-response.js.map +0 -1
package/src/interfaces/api-responses/mnemonic-response.d.ts +0 -5
package/src/interfaces/api-responses/mnemonic-response.d.ts.map +0 -1
package/src/interfaces/api-responses/mnemonic-response.js +0 -3
package/src/interfaces/api-responses/mnemonic-response.js.map +0 -1
package/src/interfaces/api-responses/registration-response.d.ts +0 -6
package/src/interfaces/api-responses/registration-response.d.ts.map +0 -1
package/src/interfaces/api-responses/registration-response.js +0 -3
package/src/interfaces/api-responses/registration-response.js.map +0 -1
package/src/interfaces/api-responses/request-user-response.d.ts +0 -6
package/src/interfaces/api-responses/request-user-response.d.ts.map +0 -1
package/src/interfaces/api-responses/request-user-response.js +0 -3
package/src/interfaces/api-responses/request-user-response.js.map +0 -1
package/src/interfaces/api-responses/user-settings-response.d.ts +0 -12
package/src/interfaces/api-responses/user-settings-response.d.ts.map +0 -1
package/src/interfaces/api-responses/user-settings-response.js +0 -3
package/src/interfaces/api-responses/user-settings-response.js.map +0 -1
package/src/interfaces/application.d.ts +0 -17
package/src/interfaces/application.d.ts.map +0 -1
package/src/interfaces/application.js +0 -3
package/src/interfaces/application.js.map +0 -1
package/src/interfaces/backend-objects/email-token.d.ts +0 -4
package/src/interfaces/backend-objects/email-token.d.ts.map +0 -1
package/src/interfaces/backend-objects/email-token.js +0 -3
package/src/interfaces/backend-objects/email-token.js.map +0 -1
package/src/interfaces/backend-objects/index.d.ts.map +0 -1
package/src/interfaces/backend-objects/index.js +0 -8
package/src/interfaces/backend-objects/index.js.map +0 -1
package/src/interfaces/backend-objects/request-user.d.ts +0 -5
package/src/interfaces/backend-objects/request-user.d.ts.map +0 -1
package/src/interfaces/backend-objects/request-user.js +0 -3
package/src/interfaces/backend-objects/request-user.js.map +0 -1
package/src/interfaces/backend-objects/role.d.ts +0 -4
package/src/interfaces/backend-objects/role.d.ts.map +0 -1
package/src/interfaces/backend-objects/role.js +0 -3
package/src/interfaces/backend-objects/role.js.map +0 -1
package/src/interfaces/backend-objects/user.d.ts +0 -4
package/src/interfaces/backend-objects/user.d.ts.map +0 -1
package/src/interfaces/backend-objects/user.js +0 -3
package/src/interfaces/backend-objects/user.js.map +0 -1
package/src/interfaces/checksum-config.d.ts +0 -5
package/src/interfaces/checksum-config.d.ts.map +0 -1
package/src/interfaces/checksum-config.js +0 -3
package/src/interfaces/checksum-config.js.map +0 -1
package/src/interfaces/checksum-consts.d.ts +0 -11
package/src/interfaces/checksum-consts.d.ts.map +0 -1
package/src/interfaces/checksum-consts.js +0 -3
package/src/interfaces/checksum-consts.js.map +0 -1
package/src/interfaces/constants.d.ts +0 -102
package/src/interfaces/constants.d.ts.map +0 -1
package/src/interfaces/constants.js +0 -3
package/src/interfaces/constants.js.map +0 -1
package/src/interfaces/controller-config.d.ts +0 -21
package/src/interfaces/controller-config.d.ts.map +0 -1
package/src/interfaces/controller-config.js +0 -3
package/src/interfaces/controller-config.js.map +0 -1
package/src/interfaces/create-user-basics.d.ts +0 -18
package/src/interfaces/create-user-basics.d.ts.map +0 -1
package/src/interfaces/create-user-basics.js +0 -3
package/src/interfaces/create-user-basics.js.map +0 -1
package/src/interfaces/csp-config.d.ts +0 -7
package/src/interfaces/csp-config.d.ts.map +0 -1
package/src/interfaces/csp-config.js +0 -13
package/src/interfaces/csp-config.js.map +0 -1
package/src/interfaces/csp-definition.d.ts +0 -13
package/src/interfaces/csp-definition.d.ts.map +0 -1
package/src/interfaces/csp-definition.js +0 -22
package/src/interfaces/csp-definition.js.map +0 -1
package/src/interfaces/db-init-result.d.ts +0 -5
package/src/interfaces/db-init-result.d.ts.map +0 -1
package/src/interfaces/db-init-result.js +0 -3
package/src/interfaces/db-init-result.js.map +0 -1
package/src/interfaces/deep-partial.d.ts +0 -4
package/src/interfaces/deep-partial.d.ts.map +0 -1
package/src/interfaces/deep-partial.js +0 -3
package/src/interfaces/deep-partial.js.map +0 -1
package/src/interfaces/discriminator-collections.d.ts +0 -7
package/src/interfaces/discriminator-collections.d.ts.map +0 -1
package/src/interfaces/discriminator-collections.js +0 -3
package/src/interfaces/discriminator-collections.js.map +0 -1
package/src/interfaces/email-service.d.ts +0 -4
package/src/interfaces/email-service.d.ts.map +0 -1
package/src/interfaces/email-service.js +0 -3
package/src/interfaces/email-service.js.map +0 -1
package/src/interfaces/environment-mongo.d.ts +0 -76
package/src/interfaces/environment-mongo.d.ts.map +0 -1
package/src/interfaces/environment-mongo.js +0 -3
package/src/interfaces/environment-mongo.js.map +0 -1
package/src/interfaces/environment.d.ts +0 -180
package/src/interfaces/environment.d.ts.map +0 -1
package/src/interfaces/environment.js +0 -3
package/src/interfaces/environment.js.map +0 -1
package/src/interfaces/failable-result.d.ts +0 -7
package/src/interfaces/failable-result.d.ts.map +0 -1
package/src/interfaces/failable-result.js +0 -3
package/src/interfaces/failable-result.js.map +0 -1
package/src/interfaces/fec-consts.d.ts +0 -5
package/src/interfaces/fec-consts.d.ts.map +0 -1
package/src/interfaces/fec-consts.js +0 -3
package/src/interfaces/fec-consts.js.map +0 -1
package/src/interfaces/flexible-csp.d.ts +0 -8
package/src/interfaces/flexible-csp.d.ts.map +0 -1
package/src/interfaces/flexible-csp.js +0 -14
package/src/interfaces/flexible-csp.js.map +0 -1
package/src/interfaces/handleable-error-options.d.ts +0 -7
package/src/interfaces/handleable-error-options.d.ts.map +0 -1
package/src/interfaces/handleable-error-options.js +0 -3
package/src/interfaces/handleable-error-options.js.map +0 -1
package/src/interfaces/index.d.ts.map +0 -1
package/src/interfaces/index.js +0 -38
package/src/interfaces/index.js.map +0 -1
package/src/interfaces/jwt-consts.d.ts +0 -11
package/src/interfaces/jwt-consts.d.ts.map +0 -1
package/src/interfaces/jwt-consts.js +0 -3
package/src/interfaces/jwt-consts.js.map +0 -1
package/src/interfaces/jwt-sign-response.d.ts +0 -11
package/src/interfaces/jwt-sign-response.d.ts.map +0 -1
package/src/interfaces/jwt-sign-response.js +0 -3
package/src/interfaces/jwt-sign-response.js.map +0 -1
package/src/interfaces/models/email-token.d.ts +0 -6
package/src/interfaces/models/email-token.d.ts.map +0 -1
package/src/interfaces/models/email-token.js +0 -3
package/src/interfaces/models/email-token.js.map +0 -1
package/src/interfaces/models/index.d.ts.map +0 -1
package/src/interfaces/models/index.js +0 -11
package/src/interfaces/models/index.js.map +0 -1
package/src/interfaces/models/mnemonic.d.ts +0 -6
package/src/interfaces/models/mnemonic.d.ts.map +0 -1
package/src/interfaces/models/mnemonic.js +0 -3
package/src/interfaces/models/mnemonic.js.map +0 -1
package/src/interfaces/models/role.d.ts +0 -6
package/src/interfaces/models/role.d.ts.map +0 -1
package/src/interfaces/models/role.js +0 -3
package/src/interfaces/models/role.js.map +0 -1
package/src/interfaces/models/token-role.d.ts +0 -11
package/src/interfaces/models/token-role.d.ts.map +0 -1
package/src/interfaces/models/token-role.js +0 -3
package/src/interfaces/models/token-role.js.map +0 -1
package/src/interfaces/models/used-direct-login-token.d.ts +0 -11
package/src/interfaces/models/used-direct-login-token.d.ts.map +0 -1
package/src/interfaces/models/used-direct-login-token.js +0 -3
package/src/interfaces/models/used-direct-login-token.js.map +0 -1
package/src/interfaces/models/user-role.d.ts +0 -11
package/src/interfaces/models/user-role.d.ts.map +0 -1
package/src/interfaces/models/user-role.js +0 -3
package/src/interfaces/models/user-role.js.map +0 -1
package/src/interfaces/models/user.d.ts +0 -11
package/src/interfaces/models/user.d.ts.map +0 -1
package/src/interfaces/models/user.js +0 -3
package/src/interfaces/models/user.js.map +0 -1
package/src/interfaces/mongo-errors.d.ts +0 -5
package/src/interfaces/mongo-errors.d.ts.map +0 -1
package/src/interfaces/mongo-errors.js +0 -3
package/src/interfaces/mongo-errors.js.map +0 -1
package/src/interfaces/request-user.d.ts +0 -58
package/src/interfaces/request-user.d.ts.map +0 -1
package/src/interfaces/request-user.js +0 -3
package/src/interfaces/request-user.js.map +0 -1
package/src/interfaces/required-string-keys.d.ts +0 -22
package/src/interfaces/required-string-keys.d.ts.map +0 -1
package/src/interfaces/required-string-keys.js +0 -3
package/src/interfaces/required-string-keys.js.map +0 -1
package/src/interfaces/schema.d.ts +0 -29
package/src/interfaces/schema.d.ts.map +0 -1
package/src/interfaces/schema.js +0 -3
package/src/interfaces/schema.js.map +0 -1
package/src/interfaces/server-init-result.d.ts +0 -35
package/src/interfaces/server-init-result.d.ts.map +0 -1
package/src/interfaces/server-init-result.js +0 -3
package/src/interfaces/server-init-result.js.map +0 -1
package/src/interfaces/status-code-response.d.ts +0 -7
package/src/interfaces/status-code-response.d.ts.map +0 -1
package/src/interfaces/status-code-response.js +0 -3
package/src/interfaces/status-code-response.js.map +0 -1
package/src/interfaces/symmetric-encryption-results.d.ts +0 -5
package/src/interfaces/test-environment.d.ts +0 -12
package/src/interfaces/test-environment.d.ts.map +0 -1
package/src/interfaces/test-environment.js +0 -3
package/src/interfaces/test-environment.js.map +0 -1
package/src/interfaces/token-response.d.ts +0 -5
package/src/interfaces/token-response.d.ts.map +0 -1
package/src/interfaces/token-response.js +0 -3
package/src/interfaces/token-response.js.map +0 -1
package/src/middleware-utils.d.ts +0 -8
package/src/middleware-utils.d.ts.map +0 -1
package/src/middleware-utils.js +0 -94
package/src/middleware-utils.js.map +0 -1
package/src/middlewares/authenticate-crypto.d.ts +0 -10
package/src/middlewares/authenticate-crypto.d.ts.map +0 -1
package/src/middlewares/authenticate-crypto.js +0 -126
package/src/middlewares/authenticate-crypto.js.map +0 -1
package/src/middlewares/authenticate-token.d.ts +0 -21
package/src/middlewares/authenticate-token.d.ts.map +0 -1
package/src/middlewares/authenticate-token.js +0 -104
package/src/middlewares/authenticate-token.js.map +0 -1
package/src/middlewares/cleanup-crypto.d.ts +0 -7
package/src/middlewares/cleanup-crypto.d.ts.map +0 -1
package/src/middlewares/cleanup-crypto.js +0 -32
package/src/middlewares/cleanup-crypto.js.map +0 -1
package/src/middlewares/index.d.ts.map +0 -1
package/src/middlewares/index.js +0 -8
package/src/middlewares/index.js.map +0 -1
package/src/middlewares/set-global-context-language.d.ts +0 -3
package/src/middlewares/set-global-context-language.d.ts.map +0 -1
package/src/middlewares/set-global-context-language.js +0 -14
package/src/middlewares/set-global-context-language.js.map +0 -1
package/src/model-registry.d.ts +0 -23
package/src/model-registry.d.ts.map +0 -1
package/src/model-registry.js +0 -47
package/src/model-registry.js.map +0 -1
package/src/models/email-token.d.ts +0 -8
package/src/models/email-token.d.ts.map +0 -1
package/src/models/email-token.js +0 -11
package/src/models/email-token.js.map +0 -1
package/src/models/index.d.ts.map +0 -1
package/src/models/index.js +0 -10
package/src/models/index.js.map +0 -1
package/src/models/mnemonic.d.ts +0 -8
package/src/models/mnemonic.d.ts.map +0 -1
package/src/models/mnemonic.js +0 -11
package/src/models/mnemonic.js.map +0 -1
package/src/models/role.d.ts +0 -8
package/src/models/role.d.ts.map +0 -1
package/src/models/role.js +0 -11
package/src/models/role.js.map +0 -1
package/src/models/used-direct-login-token.d.ts +0 -8
package/src/models/used-direct-login-token.d.ts.map +0 -1
package/src/models/used-direct-login-token.js +0 -11
package/src/models/used-direct-login-token.js.map +0 -1
package/src/models/user-role.d.ts +0 -7
package/src/models/user-role.d.ts.map +0 -1
package/src/models/user-role.js +0 -10
package/src/models/user-role.js.map +0 -1
package/src/models/user.d.ts +0 -8
package/src/models/user.d.ts.map +0 -1
package/src/models/user.js +0 -11
package/src/models/user.js.map +0 -1
package/src/pipeline/index.d.ts.map +0 -1
package/src/pipeline/index.js +0 -5
package/src/pipeline/index.js.map +0 -1
package/src/pipeline/pipeline-builder.d.ts +0 -8
package/src/pipeline/pipeline-builder.d.ts.map +0 -1
package/src/pipeline/pipeline-builder.js +0 -18
package/src/pipeline/pipeline-builder.js.map +0 -1
package/src/plugins/index.d.ts.map +0 -1
package/src/plugins/index.js +0 -6
package/src/plugins/index.js.map +0 -1
package/src/plugins/plugin-interface.d.ts +0 -9
package/src/plugins/plugin-interface.d.ts.map +0 -1
package/src/plugins/plugin-interface.js +0 -3
package/src/plugins/plugin-interface.js.map +0 -1
package/src/plugins/plugin-manager.d.ts +0 -13
package/src/plugins/plugin-manager.d.ts.map +0 -1
package/src/plugins/plugin-manager.js +0 -37
package/src/plugins/plugin-manager.js.map +0 -1
package/src/registry/email-service-registry.d.ts +0 -27
package/src/registry/email-service-registry.d.ts.map +0 -1
package/src/registry/email-service-registry.js +0 -42
package/src/registry/email-service-registry.js.map +0 -1
package/src/registry/index.d.ts.map +0 -1
package/src/registry/index.js +0 -6
package/src/registry/index.js.map +0 -1
package/src/responses/index.d.ts.map +0 -1
package/src/responses/index.js +0 -5
package/src/responses/index.js.map +0 -1
package/src/responses/response-builder.d.ts +0 -24
package/src/responses/response-builder.d.ts.map +0 -1
package/src/responses/response-builder.js +0 -63
package/src/responses/response-builder.js.map +0 -1
package/src/routers/api.d.ts +0 -28
package/src/routers/api.d.ts.map +0 -1
package/src/routers/api.js +0 -80
package/src/routers/api.js.map +0 -1
package/src/routers/app.d.ts +0 -33
package/src/routers/app.d.ts.map +0 -1
package/src/routers/app.js +0 -228
package/src/routers/app.js.map +0 -1
package/src/routers/base.d.ts +0 -9
package/src/routers/base.d.ts.map +0 -1
package/src/routers/base.js +0 -14
package/src/routers/base.js.map +0 -1
package/src/routers/index.d.ts.map +0 -1
package/src/routers/index.js +0 -7
package/src/routers/index.js.map +0 -1
package/src/routers/router-config.d.ts +0 -18
package/src/routers/router-config.d.ts.map +0 -1
package/src/routers/router-config.js +0 -8
package/src/routers/router-config.js.map +0 -1
package/src/routing/index.d.ts +0 -2
package/src/routing/index.d.ts.map +0 -1
package/src/routing/index.js +0 -5
package/src/routing/index.js.map +0 -1
package/src/routing/route-builder.d.ts +0 -36
package/src/routing/route-builder.d.ts.map +0 -1
package/src/routing/route-builder.js +0 -86
package/src/routing/route-builder.js.map +0 -1
package/src/schemas/email-token.d.ts +0 -49
package/src/schemas/email-token.d.ts.map +0 -1
package/src/schemas/email-token.js +0 -55
package/src/schemas/email-token.js.map +0 -1
package/src/schemas/index.d.ts.map +0 -1
package/src/schemas/index.js +0 -11
package/src/schemas/index.js.map +0 -1
package/src/schemas/mnemonic.d.ts +0 -27
package/src/schemas/mnemonic.d.ts.map +0 -1
package/src/schemas/mnemonic.js +0 -31
package/src/schemas/mnemonic.js.map +0 -1
package/src/schemas/role.d.ts +0 -42
package/src/schemas/role.d.ts.map +0 -1
package/src/schemas/role.js +0 -89
package/src/schemas/role.js.map +0 -1
package/src/schemas/schema.d.ts +0 -42
package/src/schemas/schema.d.ts.map +0 -1
package/src/schemas/schema.js +0 -70
package/src/schemas/schema.js.map +0 -1
package/src/schemas/used-direct-login-token.d.ts +0 -37
package/src/schemas/used-direct-login-token.d.ts.map +0 -1
package/src/schemas/used-direct-login-token.js +0 -24
package/src/schemas/used-direct-login-token.js.map +0 -1
package/src/schemas/user-role.d.ts +0 -39
package/src/schemas/user-role.d.ts.map +0 -1
package/src/schemas/user-role.js +0 -55
package/src/schemas/user-role.js.map +0 -1
package/src/schemas/user.d.ts +0 -24
package/src/schemas/user.d.ts.map +0 -1
package/src/schemas/user.js +0 -195
package/src/schemas/user.js.map +0 -1
package/src/services/backup-code.d.ts +0 -76
package/src/services/backup-code.d.ts.map +0 -1
package/src/services/backup-code.js +0 -185
package/src/services/backup-code.js.map +0 -1
package/src/services/base.d.ts +0 -11
package/src/services/base.d.ts.map +0 -1
package/src/services/base.js +0 -15
package/src/services/base.js.map +0 -1
package/src/services/checksum.d.ts +0 -69
package/src/services/checksum.d.ts.map +0 -1
package/src/services/checksum.js +0 -145
package/src/services/checksum.js.map +0 -1
package/src/services/crc.d.ts +0 -87
package/src/services/crc.d.ts.map +0 -1
package/src/services/crc.js +0 -198
package/src/services/crc.js.map +0 -1
package/src/services/database-initialization.d.ts +0 -111
package/src/services/database-initialization.d.ts.map +0 -1
package/src/services/database-initialization.js +0 -878
package/src/services/database-initialization.js.map +0 -1
package/src/services/db-init-cache.d.ts +0 -10
package/src/services/db-init-cache.d.ts.map +0 -1
package/src/services/db-init-cache.js +0 -3
package/src/services/db-init-cache.js.map +0 -1
package/src/services/direct-login-token.d.ts +0 -7
package/src/services/direct-login-token.d.ts.map +0 -1
package/src/services/direct-login-token.js +0 -41
package/src/services/direct-login-token.js.map +0 -1
package/src/services/dummy-email-service.d.ts +0 -11
package/src/services/dummy-email-service.d.ts.map +0 -1
package/src/services/dummy-email-service.js +0 -16
package/src/services/dummy-email-service.js.map +0 -1
package/src/services/fec-usage-example.d.ts +0 -38
package/src/services/fec-usage-example.d.ts.map +0 -1
package/src/services/fec-usage-example.js +0 -75
package/src/services/fec-usage-example.js.map +0 -1
package/src/services/fec.d.ts +0 -46
package/src/services/fec.d.ts.map +0 -1
package/src/services/fec.js +0 -214
package/src/services/fec.js.map +0 -1
package/src/services/index.d.ts.map +0 -1
package/src/services/index.js +0 -23
package/src/services/index.js.map +0 -1
package/src/services/jwt.d.ts +0 -30
package/src/services/jwt.d.ts.map +0 -1
package/src/services/jwt.js +0 -90
package/src/services/jwt.js.map +0 -1
package/src/services/key-wrapping.d.ts +0 -61
package/src/services/key-wrapping.d.ts.map +0 -1
package/src/services/key-wrapping.js +0 -307
package/src/services/key-wrapping.js.map +0 -1
package/src/services/mnemonic.d.ts +0 -62
package/src/services/mnemonic.d.ts.map +0 -1
package/src/services/mnemonic.js +0 -114
package/src/services/mnemonic.js.map +0 -1
package/src/services/request-user.d.ts +0 -23
package/src/services/request-user.d.ts.map +0 -1
package/src/services/request-user.js +0 -68
package/src/services/request-user.js.map +0 -1
package/src/services/role.d.ts +0 -87
package/src/services/role.d.ts.map +0 -1
package/src/services/role.js +0 -279
package/src/services/role.js.map +0 -1
package/src/services/symmetric.d.ts +0 -42
package/src/services/symmetric.d.ts.map +0 -1
package/src/services/symmetric.js +0 -101
package/src/services/symmetric.js.map +0 -1
package/src/services/system-user.d.ts +0 -16
package/src/services/system-user.d.ts.map +0 -1
package/src/services/system-user.js +0 -46
package/src/services/system-user.js.map +0 -1
package/src/services/user.d.ts +0 -345
package/src/services/user.d.ts.map +0 -1
package/src/services/user.js +0 -1447
package/src/services/user.js.map +0 -1
package/src/services/xor.d.ts +0 -24
package/src/services/xor.d.ts.map +0 -1
package/src/services/xor.js +0 -37
package/src/services/xor.js.map +0 -1
package/src/testing.d.ts +0 -3
package/src/testing.d.ts.map +0 -1
package/src/testing.js +0 -7
package/src/testing.js.map +0 -1
package/src/transactions/index.d.ts.map +0 -1
package/src/transactions/index.js +0 -5
package/src/transactions/index.js.map +0 -1
package/src/transactions/transaction-manager.d.ts +0 -12
package/src/transactions/transaction-manager.d.ts.map +0 -1
package/src/transactions/transaction-manager.js +0 -30
package/src/transactions/transaction-manager.js.map +0 -1
package/src/types/app-config.d.ts +0 -16
package/src/types/app-config.d.ts.map +0 -1
package/src/types/app-config.js +0 -3
package/src/types/app-config.js.map +0 -1
package/src/types/controller-config.d.ts +0 -14
package/src/types/controller-config.d.ts.map +0 -1
package/src/types/controller-config.js +0 -3
package/src/types/controller-config.js.map +0 -1
package/src/types/environment-variables.d.ts.map +0 -1
package/src/types/environment-variables.js +0 -39
package/src/types/environment-variables.js.map +0 -1
package/src/types/index.d.ts.map +0 -1
package/src/types/index.js +0 -6
package/src/types/index.js.map +0 -1
package/src/types/mongoose-helpers.d.ts.map +0 -1
package/src/types/mongoose-helpers.js +0 -6
package/src/types/mongoose-helpers.js.map +0 -1
package/src/types.d.ts +0 -104
package/src/types.d.ts.map +0 -1
package/src/types.js +0 -14
package/src/types.js.map +0 -1
package/src/utils.d.ts +0 -211
package/src/utils.d.ts.map +0 -1
package/src/utils.js +0 -818
package/src/utils.js.map +0 -1
package/src/validation/index.d.ts.map +0 -1
package/src/validation/index.js +0 -5
package/src/validation/index.js.map +0 -1
package/src/validation/validation-builder.d.ts +0 -32
package/src/validation/validation-builder.d.ts.map +0 -1
package/src/validation/validation-builder.js +0 -81
package/src/validation/validation-builder.js.map +0 -1

package/src/services/user.ts ADDED Viewed

@@ -0,0 +1,2324 @@
+/**
+ * @fileoverview Comprehensive user management service.
+ * Handles user authentication, registration, password management, email verification,
+ * mnemonic recovery, backup codes, and all user-related operations.
+ * @module services/user
+ */
+import {
+  EmailString,
+  IECIESConfig,
+  InvalidEmailErrorType,
+  MemberType,
+  SecureBuffer,
+  SecureString,
+} from '@digitaldefiance/ecies-lib';
+import {
+  ClientSession,
+  Document,
+  ProjectionType,
+} from '@digitaldefiance/mongoose-types';
+import {
+  Member as BackendMember,
+  ECIESService,
+  getEnhancedNodeIdProvider,
+  PlatformID,
+  SignatureBuffer,
+} from '@digitaldefiance/node-ecies-lib';
+import {
+  AccountLockedError,
+  AccountStatus,
+  AccountStatusError,
+  DirectChallengeNotEnabledError,
+  EmailInUseError,
+  EmailTokenExpiredError,
+  EmailTokenFailedToSendError,
+  EmailTokenSentTooRecentlyError,
+  EmailTokenType,
+  EmailTokenUsedOrInvalidError,
+  EmailVerifiedError,
+  getSuiteCoreTranslation,
+  IBackupCode,
+  InvalidChallengeResponseError,
+  InvalidCredentialsError,
+  InvalidEmailError,
+  InvalidUsernameError,
+  IRequestUserDTO,
+  ITokenRole,
+  IUserBase,
+  IUserDTO,
+  LoginChallengeExpiredError,
+  PasswordLoginNotEnabledError,
+  PendingEmailVerificationError,
+  PrivateKeyRequiredError,
+  Role,
+  SuiteCoreStringKey,
+  TranslatableSuiteError,
+  TranslatableSuiteHandleableError,
+  UsernameInUseError,
+  UsernameOrEmailRequiredError,
+  UserNotFoundError,
+} from '@digitaldefiance/suite-core-lib';
+import { Wallet } from '@ethereumjs/wallet';
+import { randomBytes } from 'crypto';
+import validator from 'validator';
+import { BackupCode } from '../backup-code';
+import { IBaseDocument } from '../documents';
+import { IEmailTokenDocument } from '../documents/email-token';
+import { IMnemonicDocument } from '../documents/mnemonic';
+import { IUserDocument } from '../documents/user';
+import { BaseModelName } from '../enumerations/base-model-name';
+import { Environment } from '../environment';
+import { InvalidNewPasswordError } from '../errors';
+import { MongooseValidationError } from '../errors/mongoose-validation';
+import { ICreateUserBasics } from '../interfaces';
+import { IApplication } from '../interfaces/application';
+import { IUserBackendObject } from '../interfaces/backend-objects/user';
+import { IConstants } from '../interfaces/constants';
+import { IEmailService } from '../interfaces/email-service';
+import { ModelRegistry } from '../model-registry';
+import { debugLog } from '../utils';
+import { BackupCodeService } from './backup-code';
+import { BaseService } from './base';
+import { DirectLoginTokenService } from './direct-login-token';
+import { KeyWrappingService } from './key-wrapping';
+import { MnemonicService } from './mnemonic';
+import { RequestUserService } from './request-user';
+import { RoleService } from './role';
+import { SystemUserService } from './system-user';
+type ProjectionObject = Record<string, 0 | 1 | -1 | boolean>;
+/**
+ * Comprehensive service for user management and authentication.
+ * Provides methods for user creation, authentication (mnemonic/password/challenge),
+ * email verification, password reset, backup code recovery, and settings management.
+ * @template T - User document type
+ * @template TID - Platform ID type
+ * @template TDate - Date type
+ * @template TLanguage - String type for site language
+ * @template TAccountStatus - String type for account status
+ * @template _TEnvironment - Environment type
+ * @template _TConstants - Constants type
+ * @template _TBaseDocument - Base document type
+ * @template TUser - User base interface type
+ * @template TTokenRole - Token role interface type
+ * @template TApplication - Application interface type
+ * @extends {BaseService<TID, TApplication>}
+ */
+export class UserService<
+  T,
+  TID extends PlatformID,
+  TDate extends Date,
+  TLanguage extends string,
+  TAccountStatus extends string,
+  _TEnvironment extends Environment<TID> = Environment<TID>,
+  _TConstants extends IConstants = IConstants,
+  _TBaseDocument extends IBaseDocument<T, TID> = IBaseDocument<T, TID>,
+  TUser extends IUserBase<TID, TDate, TLanguage, TAccountStatus> = IUserBase<
+    TID,
+    TDate,
+    TLanguage,
+    TAccountStatus
+  >,
+  TTokenRole extends ITokenRole<TID, TDate> = ITokenRole<TID, TDate>,
+  TApplication extends IApplication<TID> = IApplication<TID>,
+> extends BaseService<TID, TApplication> {
+  protected readonly roleService: RoleService<TID, TDate, TTokenRole>;
+  protected readonly eciesService: ECIESService<TID>;
+  protected readonly keyWrappingService: KeyWrappingService;
+  protected readonly mnemonicService: MnemonicService;
+  protected readonly emailService: IEmailService;
+  protected readonly backupCodeService: BackupCodeService<
+    TID,
+    TDate,
+    TTokenRole,
+    TApplication
+  >;
+  protected readonly serverUrl: string;
+  protected readonly disableEmailSend: boolean;
+  constructor(
+    application: TApplication,
+    roleService: RoleService<TID, TDate, TTokenRole>,
+    emailService: IEmailService,
+    keyWrappingService: KeyWrappingService,
+    backupCodeService: BackupCodeService<TID, TDate, TTokenRole, TApplication>,
+  ) {
+    super(application);
+    this.roleService = roleService;
+    this.emailService = emailService;
+    this.keyWrappingService = keyWrappingService;
+    this.backupCodeService = backupCodeService;
+    this.serverUrl = application.environment.serverUrl;
+    this.disableEmailSend = application.environment.disableEmailSend;
+    const config: IECIESConfig = {
+      curveName: this.application.constants.ECIES.CURVE_NAME,
+      primaryKeyDerivationPath:
+        this.application.constants.ECIES.PRIMARY_KEY_DERIVATION_PATH,
+      mnemonicStrength: this.application.constants.ECIES.MNEMONIC_STRENGTH,
+      symmetricAlgorithm:
+        this.application.constants.ECIES.SYMMETRIC_ALGORITHM_CONFIGURATION,
+      symmetricKeyBits: this.application.constants.ECIES.SYMMETRIC.KEY_BITS,
+      symmetricKeyMode: this.application.constants.ECIES.SYMMETRIC.MODE,
+    };
+    this.eciesService = new ECIESService(config);
+    const mnemonicModel =
+      ModelRegistry.instance.getTypedModel<IMnemonicDocument>(
+        BaseModelName.Mnemonic,
+      );
+    this.mnemonicService = new MnemonicService(
+      mnemonicModel,
+      application.environment.mnemonicHmacSecret,
+      this.application.constants,
+    );
+  }
+  /**
+   * Given a User Document, make a User DTO
+   * @param user a User Document
+   * @returns An IUserDTO
+   */
+  public static userToUserDTO<
+    TLanguage extends string,
+    TID extends PlatformID = Buffer,
+  >(user: IUserDocument<TLanguage, TID> | Record<string, unknown>): IUserDTO {
+    const provider = getEnhancedNodeIdProvider<TID>();
+    const userId = user._id as TID;
+    return {
+      ...(user instanceof Document ? user.toObject() : user),
+      _id:
+        provider.validate(provider.toBytes(userId)) &&
+        provider.idToString(userId),
+      createdAt: (user.createdAt instanceof Date
+        ? user.createdAt.toString()
+        : user.createdAt) as string,
+      createdBy:
+        provider.validate(provider.toBytes(user.createdBy as TID)) &&
+        provider.idToString(user.createdBy as TID),
+      updatedAt: (user.updatedAt instanceof Date
+        ? user.updatedAt.toString()
+        : user.updatedAt) as string,
+      updatedBy:
+        provider.validate(provider.toBytes(user.updatedBy as TID)) &&
+        provider.idToString(user.updatedBy as TID),
+      ...(user.lastLogin
+        ? {
+            lastLogin: (user.lastLogin instanceof Date
+              ? user.lastLogin.toString()
+              : user.lastLogin) as string,
+          }
+        : {}),
+      ...(user.deletedAt
+        ? {
+            deletedAt: (user.deletedAt instanceof Date
+              ? user.deletedAt.toString()
+              : user.deletedAt) as string,
+          }
+        : {}),
+      ...(user.deletedBy
+        ? {
+            deletedBy:
+              provider.validate(provider.toBytes(user.deletedBy as TID)) &&
+              provider.idToString(user.deletedBy as TID),
+          }
+        : {}),
+    } as IUserDTO;
+  }
+  /**
+   * Given a User DTO, reconstitute ids and dates
+   * @param user a User DTO
+   * @returns An IUserBackendObject
+   */
+  public hydrateUserDTOToBackend(
+    user: IUserDTO,
+  ): IUserBackendObject<TLanguage, TID> {
+    const provider = getEnhancedNodeIdProvider<TID>();
+    return {
+      ...user,
+      _id: provider.idFromString(user._id),
+      ...(user.lastLogin ? { lastLogin: new Date(user.lastLogin) } : {}),
+      createdAt: new Date(user.createdAt),
+      createdBy: provider.idFromString(user.createdBy),
+      updatedAt: new Date(user.updatedAt),
+      updatedBy: provider.idFromString(user.updatedBy),
+      ...(user.deletedAt ? { deletedAt: new Date(user.deletedAt) } : {}),
+      ...(user.deletedBy
+        ? {
+            deletedBy: provider.idFromString(user.deletedBy),
+          }
+        : {}),
+      ...(user.mnemonicId
+        ? { mnemonicId: provider.idFromString(user.mnemonicId) }
+        : {}),
+    } as IUserBackendObject<TLanguage, TID>;
+  }
+  /**
+   * Create a new email token to send to the user for email verification
+   * @param userDoc The user to create the email token for
+   * @param type The type of email token to create
+   * @param session The session to use for the query
+   * @returns The email token document
+   */
+  public async createEmailToken(
+    userDoc: IUserDocument<TLanguage, TID>,
+    type: EmailTokenType,
+    session?: ClientSession,
+  ): Promise<IEmailTokenDocument> {
+    const EmailTokenModel =
+      ModelRegistry.instance.getTypedModel<IEmailTokenDocument>(
+        BaseModelName.EmailToken,
+      );
+    // If we already have a session, use it directly to avoid nested transactions
+    if (session) {
+      const now = new Date();
+      const tokenData = {
+        userId: userDoc._id,
+        type: type,
+        email: userDoc.email,
+        token: randomBytes(
+          this.application.constants.EmailTokenLength,
+        ).toString('hex'),
+        createdAt: now,
+        updatedAt: now,
+        expiresAt: new Date(
+          now.getTime() + this.application.constants.EmailTokenExpiration,
+        ),
+      };
+      // Use findOneAndUpdate with upsert to avoid duplicate key errors
+      const emailToken = await EmailTokenModel.findOneAndUpdate(
+        {
+          userId: userDoc._id,
+          email: userDoc.email,
+          type: type,
+        },
+        tokenData,
+        {
+          upsert: true,
+          new: true,
+          session,
+        },
+      );
+      if (!emailToken) {
+        throw new TranslatableSuiteError(
+          SuiteCoreStringKey.Error_FailedToCreateEmailToken,
+        );
+      }
+      return emailToken;
+    }
+    // Only create a new transaction if no session is provided
+    return await this.withTransaction<IEmailTokenDocument>(
+      async (sess: ClientSession | undefined): Promise<IEmailTokenDocument> => {
+        const now = new Date();
+        const tokenData = {
+          userId: userDoc._id,
+          type: type,
+          email: userDoc.email,
+          token: randomBytes(
+            this.application.constants.EmailTokenLength,
+          ).toString('hex'),
+          createdAt: now,
+          updatedAt: now,
+          expiresAt: new Date(
+            now.getTime() + this.application.constants.EmailTokenExpiration,
+          ),
+        };
+        // Use findOneAndUpdate with upsert to avoid duplicate key errors
+        const emailToken = await EmailTokenModel.findOneAndUpdate(
+          {
+            userId: userDoc._id,
+            email: userDoc.email,
+            type: type,
+          },
+          tokenData,
+          {
+            upsert: true,
+            new: true,
+            session: sess,
+          },
+        );
+        if (!emailToken) {
+          throw new TranslatableSuiteError(
+            SuiteCoreStringKey.Error_FailedToCreateEmailToken,
+          );
+        }
+        return emailToken;
+      },
+      undefined,
+      {
+        timeoutMs: this.application.environment.mongo.transactionTimeout,
+        retryAttempts: 2,
+      },
+    );
+  }
+  /**
+   * Create and send an email token to the user for email verification
+   * @param user The user to send the email token to
+   * @param type The type of email token to send
+   * @param session The session to use for the query
+   * @returns The email token document
+   */
+  public async createAndSendEmailToken(
+    user:
+      | IUserDocument<TLanguage, TID>
+      | (Pick<
+          IUserDocument<TLanguage, TID>,
+          keyof IUserDocument<TLanguage, TID>
+        > & { _id: any }),
+    type: EmailTokenType = EmailTokenType.AccountVerification,
+    session?: ClientSession,
+    debug = false,
+  ): Promise<IEmailTokenDocument> {
+    const emailToken = await this.createEmailToken(user, type, session);
+    try {
+      await this.sendEmailToken(emailToken, session, debug);
+    } catch {
+      // keep parity with previous behavior: continue returning token even if email send fails
+    }
+    return emailToken;
+  }
+  /**
+   * Create and send an email token directly within an existing transaction
+   * @param user The user to send the email token to
+   * @param type The type of email token to send
+   * @param session The session to use for the query (required)
+   * @param debug Whether to enable debug logging
+   * @returns The email token document
+   */
+  public async createAndSendEmailTokenDirect(
+    user: IUserDocument<TLanguage, TID>,
+    type: EmailTokenType = EmailTokenType.AccountVerification,
+    session: ClientSession,
+    debug = false,
+  ): Promise<IEmailTokenDocument> {
+    const EmailTokenModel =
+      ModelRegistry.instance.getTypedModel<IEmailTokenDocument>(
+        BaseModelName.EmailToken,
+      );
+    // Create token directly within the existing session using upsert
+    const now = new Date();
+    const tokenData = {
+      userId: user._id,
+      type: type,
+      email: user.email,
+      token: randomBytes(this.application.constants.EmailTokenLength).toString(
+        'hex',
+      ),
+      createdAt: now,
+      updatedAt: now,
+      expiresAt: new Date(
+        now.getTime() + this.application.constants.EmailTokenExpiration,
+      ),
+    };
+    // Use findOneAndUpdate with upsert to avoid duplicate key errors
+    const emailToken = await EmailTokenModel.findOneAndUpdate(
+      {
+        userId: user._id,
+        email: user.email,
+        type: type,
+      },
+      tokenData,
+      {
+        upsert: true,
+        new: true,
+        session,
+      },
+    );
+    if (!emailToken) {
+      throw new TranslatableSuiteError(
+        SuiteCoreStringKey.Error_FailedToCreateEmailToken,
+      );
+    }
+    try {
+      await this.sendEmailToken(emailToken, session, debug);
+    } catch {
+      // Ignore email send errors in direct token creation
+    }
+    return emailToken;
+  }
+  /**
+   * Send an email token to the user for email verification
+   * @param emailToken The email token to send
+   * @param session The session to use for the query
+   * @returns void
+   */
+  public async sendEmailToken(
+    emailToken: IEmailTokenDocument,
+    session?: ClientSession,
+    debug = false,
+  ): Promise<void> {
+    if (this.disableEmailSend) {
+      debugLog(debug, 'log', 'Email sending disabled for testing');
+      // Still update lastSent and expiration to keep token valid during tests
+      emailToken.lastSent = new Date();
+      emailToken.expiresAt = new Date(
+        Date.now() + this.application.constants.EmailTokenExpiration,
+      );
+      await emailToken.save({ session });
+      return;
+    }
+    if (
+      emailToken.lastSent &&
+      emailToken.lastSent.getTime() +
+        this.application.constants.EmailTokenResendInterval >
+        Date.now()
+    ) {
+      throw new EmailTokenSentTooRecentlyError(emailToken.lastSent);
+    }
+    let subjectString: SuiteCoreStringKey;
+    let bodyString: SuiteCoreStringKey;
+    let url: string;
+    switch (emailToken.type) {
+      case EmailTokenType.AccountVerification:
+        subjectString = SuiteCoreStringKey.Email_ConfirmationSubjectTemplate;
+        bodyString = SuiteCoreStringKey.Email_ConfirmationBody;
+        url = `${this.serverUrl}/verify-email?token=${emailToken.token}`;
+        break;
+      case EmailTokenType.PasswordReset:
+        subjectString = SuiteCoreStringKey.Email_ResetPasswordSubjectTemplate;
+        bodyString = SuiteCoreStringKey.Email_ResetPasswordBody;
+        url = `${this.serverUrl}/forgot-password?token=${emailToken.token}`;
+        break;
+      case EmailTokenType.LoginRequest:
+        subjectString = SuiteCoreStringKey.Email_LoginRequestSubjectTemplate;
+        bodyString = SuiteCoreStringKey.Email_LoginRequestBody;
+        url = `${this.serverUrl}/challenge?token=${emailToken.token}`;
+        break;
+      case EmailTokenType.MnemonicRecoveryRequest:
+      case EmailTokenType.PrivateKeyRequest:
+      default:
+        throw new TranslatableSuiteError(
+          SuiteCoreStringKey.Error_InvalidEmailTokenType,
+        );
+    }
+    const emailSubject = getSuiteCoreTranslation(subjectString);
+    const emailText = `${getSuiteCoreTranslation(bodyString)}\r\n\r\n${url}`;
+    const emailHtml = `<p>${getSuiteCoreTranslation(
+      bodyString,
+    )}</p><br/><p><a href="${url}">${url}</a></p><p>${getSuiteCoreTranslation(
+      SuiteCoreStringKey.Email_LinkExpiresInTemplate,
+    )}</p>`;
+    try {
+      // Use the EmailService to send the email
+      await this.emailService.sendEmail(
+        emailToken.email,
+        emailSubject,
+        emailText,
+        emailHtml,
+      );
+      // update last sent/expiration
+      emailToken.lastSent = new Date();
+      emailToken.expiresAt = new Date(
+        Date.now() + this.application.constants.EmailTokenExpiration,
+      );
+      await emailToken.save({ session });
+    } catch {
+      throw new EmailTokenFailedToSendError(emailToken.type);
+    }
+  }
+  /**
+   * Find a user by email or username and enforce account status checks
+   * @param email Optional email
+   * @param username Optional username
+   * @param session Optional mongoose session
+   * @throws UsernameOrEmailRequiredError if neither provided
+   * @throws InvalidCredentialsError if not found or deleted
+   * @throws AccountLockedError | PendingEmailVerificationError | AccountStatusError per status
+   */
+  public async findUser(
+    email?: string,
+    username?: string,
+    session?: ClientSession,
+  ): Promise<IUserDocument<TLanguage, TID>> {
+    if (!email && !username) {
+      throw new UsernameOrEmailRequiredError();
+    }
+    const UserModel = ModelRegistry.instance.getTypedModel<
+      IUserDocument<TLanguage, TID>
+    >(BaseModelName.User);
+    let userDoc: IUserDocument<TLanguage, TID> | null = null;
+    try {
+      if (email) {
+        userDoc = await UserModel.findOne({
+          email: email.toLowerCase(),
+        })
+          .session(session ?? null)
+          .exec();
+      } else if (username) {
+        userDoc = await UserModel.findOne({ username })
+          .collation({ locale: 'en', strength: 2 })
+          .session(session ?? null)
+          .exec();
+      }
+    } catch {
+      // Database error in findUser - convert to InvalidCredentialsError for security
+      throw new InvalidCredentialsError();
+    }
+    if (!userDoc || userDoc.deletedAt) {
+      if (email) {
+        throw new InvalidEmailError(InvalidEmailErrorType.Missing);
+      }
+      throw new InvalidUsernameError();
+    }
+    switch (userDoc.accountStatus) {
+      case AccountStatus.Active:
+        break;
+      case AccountStatus.AdminLock:
+        throw new AccountLockedError();
+      case AccountStatus.PendingEmailVerification:
+        throw new PendingEmailVerificationError();
+      default:
+        throw new AccountStatusError(userDoc.accountStatus);
+    }
+    return userDoc as IUserDocument<TLanguage, TID>;
+  }
+  /**
+   * Finds a user record by ID
+   * @param userId The user ID
+   * @param throwIfNotActive Whether to throw if the user is inactive
+   * @param session The active session, if present
+   * @returns The user document
+   */
+  public async findUserById(
+    userId: TID,
+    throwIfNotActive: boolean,
+    session?: ClientSession,
+    select?: ProjectionType<IUserDocument<TLanguage, TID>>,
+  ): Promise<IUserDocument<TLanguage, TID>> {
+    const UserModel = ModelRegistry.instance.getTypedModel<
+      IUserDocument<TLanguage, TID>
+    >(BaseModelName.User);
+    const baseQuery = UserModel.findById(userId).session(session ?? null);
+    if (select) {
+      // Always include fields needed for status checks
+      const merged = this.ensureRequiredFieldsInProjection(select, [
+        'deletedAt',
+        'accountStatus',
+      ]);
+      baseQuery.select(merged);
+    }
+    const userDoc = (await baseQuery.exec()) as IUserDocument<
+      TLanguage,
+      TID
+    > | null;
+    if (!userDoc || userDoc.deletedAt) {
+      throw new UserNotFoundError();
+    }
+    if (throwIfNotActive) {
+      switch (userDoc.accountStatus) {
+        case AccountStatus.Active:
+          break;
+        case AccountStatus.AdminLock:
+          throw new AccountLockedError();
+        case AccountStatus.PendingEmailVerification:
+          throw new PendingEmailVerificationError();
+        default:
+          throw new AccountStatusError(userDoc.accountStatus);
+      }
+    }
+    return userDoc;
+  }
+  /**
+   * Ensure required fields are present in a projection for queries that rely on them.
+   * Supports string and object-style projections. For inclusion projections, adds fields.
+   * For exclusion projections, ensures required fields are not excluded.
+   */
+  private ensureRequiredFieldsInProjection(
+    select: ProjectionType<IUserDocument<TLanguage, TID>>,
+    required: string[],
+  ): ProjectionType<IUserDocument<TLanguage, TID>> {
+    if (typeof select === 'string') {
+      const parts = select
+        .split(/\s+/)
+        .map((s) => s.trim())
+        .filter(Boolean);
+      const exclusions = new Set(
+        parts.filter((p) => p.startsWith('-')).map((p) => p.slice(1)),
+      );
+      // Remove exclusions on required fields
+      for (const r of required) {
+        exclusions.delete(r);
+      }
+      const cleaned = parts.filter((p) => !p.startsWith('-'));
+      for (const r of required) {
+        if (!cleaned.includes(r)) cleaned.push(r);
+      }
+      const result = [...cleaned, ...[...exclusions].map((r) => `-${r}`)];
+      return result.join(' ');
+    }
+    if (select && typeof select === 'object') {
+      const proj: ProjectionObject = { ...(select as ProjectionObject) };
+      const values = Object.values(proj);
+      const hasInclusions = values.some((v) => v === 1 || v === true);
+      if (hasInclusions) {
+        for (const r of required) {
+          proj[r] = 1;
+        }
+      } else {
+        const keysToRemove = required.filter(
+          (r) => proj[r] === 0 || proj[r] === false || proj[r] === -1,
+        );
+        keysToRemove.forEach((key) => delete proj[key]);
+      }
+      return proj as ProjectionType<IUserDocument<TLanguage, TID>>;
+    }
+    return select;
+  }
+  /**
+   * Fill in the default values to a user object
+   * @param newUser The user object to fill in
+   * @param createdBy The user ID of the user creating the new user
+   * @returns The filled in user
+   */
+  public fillUserDefaults(
+    newUser: ICreateUserBasics,
+    createdBy: TID,
+    backupCodes: Array<IBackupCode>,
+    encryptedMnemonic: string,
+    userId?: TID,
+  ): IUserBackendObject<TLanguage, TID> {
+    return {
+      ...(userId ? { _id: userId } : {}),
+      timezone: 'UTC',
+      ...newUser,
+      email: newUser.email.toLowerCase(),
+      emailVerified: false,
+      darkMode: false,
+      accountStatus: AccountStatus.PendingEmailVerification,
+      siteLanguage: 'en-US' as TLanguage,
+      duressPasswords: [],
+      publicKey: '',
+      backupCodes,
+      mnemonicRecovery: encryptedMnemonic,
+      currency: 'USD',
+      directChallenge: true,
+      createdAt: new Date(),
+      createdBy: createdBy,
+      updatedAt: new Date(),
+      updatedBy: createdBy,
+    } as IUserBackendObject<TLanguage, TID>;
+  }
+  /**
+   * Create a new user document from an IUser and unhashed password
+   * @param newUser The user object
+   * @returns The new user document
+   */
+  public async makeUserDoc(
+    newUser: TUser,
+  ): Promise<IUserDocument<TLanguage, TID>> {
+    const UserModel = ModelRegistry.instance.getTypedModel<
+      IUserDocument<TLanguage, TID>
+    >(BaseModelName.User);
+    const newUserDoc: IUserDocument<TLanguage, TID> = new UserModel(newUser);
+    const validationError = newUserDoc.validateSync();
+    if (validationError) {
+      throw new MongooseValidationError(validationError.errors);
+    }
+    return newUserDoc;
+  }
+  /**
+   * Create a new user.
+   * Do not set createdBy to a new (non-existing) ObjectId unless you also set newUserId to it.
+   * If newUserId is not set, one will be generated.
+   * @param systemUser The system user performing the operation
+   * @param userData Username, email, password in a ICreateUserBasics object
+   * @param createdBy The user id of the user creating the user
+   * @param newUserId the user id of the new user object- usually the createdBy user id.
+   * @param session The session to use for the query
+   * @param debug Whether to log debug information
+   * @param password The password to use for the new user (optional, if not provided, mnemonic will be used)
+   * @returns The new user document
+   */
+  public async newUser(
+    systemUser: BackendMember<TID>,
+    userData: ICreateUserBasics,
+    createdBy?: TID,
+    newUserId?: TID,
+    session?: ClientSession,
+    debug = false,
+    password?: string,
+  ): Promise<{
+    user: IUserDocument<TLanguage, TID>;
+    mnemonic: string;
+    backupCodes: Array<string>;
+    password?: string;
+  }> {
+    const provider = getEnhancedNodeIdProvider<TID>();
+    const _newUserId = newUserId ?? provider.generateTyped();
+    if (!this.application.constants.UsernameRegex.test(userData.username)) {
+      throw new InvalidUsernameError();
+    }
+    if (password && !this.application.constants.PasswordRegex.test(password)) {
+      throw new InvalidNewPasswordError();
+    }
+    const UserModel = ModelRegistry.instance.getTypedModel<
+      IUserDocument<TLanguage, TID>
+    >(BaseModelName.User);
+    return await this.withTransaction<{
+      user: IUserDocument<TLanguage, TID>;
+      backupCodes: Array<string>;
+      mnemonic: string;
+    }>(
+      async (sess: ClientSession | undefined) => {
+        const existingEmail: IUserDocument<TLanguage, TID> | null =
+          await UserModel.findOne({
+            email: userData.email.toLowerCase(),
+          }).session(sess ?? null);
+        if (existingEmail) {
+          throw new EmailInUseError();
+        }
+        const existingUsername: IUserDocument<TLanguage, TID> | null =
+          await UserModel.findOne({
+            username: { $regex: new RegExp(`^${userData.username}$`, 'i') },
+          }).session(sess ?? null);
+        if (existingUsername) {
+          throw new UsernameInUseError();
+        }
+        let mnemonic: SecureString | undefined;
+        let member: BackendMember<TID> | undefined;
+        while (!mnemonic || !member) {
+          try {
+            const { member: newMember, mnemonic: newMnemonic } =
+              BackendMember.newMember<TID>(
+                this.eciesService,
+                MemberType.User,
+                userData.username,
+                new EmailString(userData.email),
+                undefined,
+                createdBy,
+              );
+            // make sure the new mnemonic is not already in the database
+            const mnemonicExists = await this.mnemonicService.mnemonicExists(
+              newMnemonic,
+              sess,
+            );
+            if (!mnemonicExists) {
+              member = newMember;
+              mnemonic = newMnemonic;
+            }
+          } catch {
+            // If we fail to create a new member, we will retry until we succeed.
+            // This is to ensure that we do not end up with duplicate mnemonics.
+            debugLog(
+              debug,
+              'warn',
+              'Failed to create a new member, retrying...',
+            );
+          }
+        }
+        const backupCodes = BackupCode.generateBackupCodes();
+        const encryptedBackupCodes = await BackupCode.encryptBackupCodes(
+          member,
+          systemUser,
+          backupCodes,
+        );
+        const encryptedMnemonic = member
+          .encryptData(Buffer.from(mnemonic.value ?? '', 'utf-8'))
+          .toString('hex');
+        const newUserDoc = new UserModel({
+          ...this.fillUserDefaults(
+            userData,
+            createdBy ?? _newUserId,
+            encryptedBackupCodes,
+            encryptedMnemonic,
+            _newUserId,
+          ),
+          publicKey: member.publicKey.toString('hex'),
+        });
+        const validationError = newUserDoc.validateSync();
+        if (validationError) {
+          throw new MongooseValidationError(validationError.errors);
+        }
+        // Always add HMAC-only mnemonic doc
+        const newMnemonicDoc = await this.mnemonicService.addMnemonic(
+          mnemonic,
+          sess,
+        );
+        if (newMnemonicDoc) {
+          newUserDoc.mnemonicId = newMnemonicDoc._id as TID;
+        }
+        // If password provided, wrap the ECIES private key with the password (Option B)
+        if (password) {
+          const passwordSecure = new SecureString(password);
+          try {
+            const priv = new SecureBuffer(member.privateKey!.value);
+            try {
+              const wrapped = this.keyWrappingService.wrapSecret(
+                priv,
+                passwordSecure,
+                this.application.constants,
+              );
+              newUserDoc.passwordWrappedPrivateKey = wrapped;
+            } finally {
+              priv.dispose();
+            }
+          } finally {
+            passwordSecure.dispose();
+          }
+        }
+        const savedUserDoc = await newUserDoc.save({ session: sess });
+        const memberRoleId = await this.roleService.getRoleIdByName(
+          this.application.constants.MemberRole as Role,
+          sess,
+        );
+        if (!memberRoleId) {
+          throw new TranslatableSuiteError(
+            SuiteCoreStringKey.Error_FailedToLookupRoleTemplate,
+            {
+              ROLE: getSuiteCoreTranslation(SuiteCoreStringKey.Common_Member),
+            },
+          );
+        }
+        await this.roleService.addUserToRole(
+          memberRoleId,
+          savedUserDoc._id,
+          _newUserId,
+          sess,
+        );
+        return {
+          user: savedUserDoc,
+          mnemonic: mnemonic.value ?? '',
+          backupCodes: backupCodes.map((code: BackupCode) => code.value ?? ''),
+          ...(password ? { password } : {}),
+        };
+      },
+      session,
+      {
+        timeoutMs: this.application.environment.mongo.transactionTimeout * 10,
+      },
+    );
+  }
+  /**
+   * Get the backup codes for a user.
+   * Requires the user not be deleted or inactive
+   */
+  public async getEncryptedUserBackupCodes(
+    userId: TID,
+    session?: ClientSession,
+  ): Promise<Array<IBackupCode>> {
+    const userWithCodes = await this.findUserById(userId, true, session);
+    return userWithCodes.backupCodes;
+  }
+  /**
+   * Resets the given user's backup codes
+   * @param backupUser The user to generate codes for
+   * @param session The current session, if any
+   * @returns A promise of an array of backup codes
+   */
+  public async resetUserBackupCodes(
+    backupUser: BackendMember<TID>,
+    systemUser: BackendMember<TID>,
+    session?: ClientSession,
+  ): Promise<Array<BackupCode>> {
+    if (!backupUser.hasPrivateKey) {
+      throw new PrivateKeyRequiredError();
+    }
+    const backupCodes = BackupCode.generateBackupCodes();
+    const encryptedBackupCodes = await BackupCode.encryptBackupCodes(
+      backupUser,
+      systemUser,
+      backupCodes,
+    );
+    const UserModel = ModelRegistry.instance.get('User')?.model;
+    return await this.withTransaction<Array<BackupCode>>(
+      async (sess: ClientSession | undefined) => {
+        await UserModel.updateOne(
+          { _id: backupUser.id },
+          { $set: { backupCodes: encryptedBackupCodes } },
+          { session: sess },
+        );
+        return backupCodes;
+      },
+      session,
+      {
+        timeoutMs: this.application.environment.mongo.transactionTimeout,
+      },
+    );
+  }
+  /**
+   * Recover a user's mnemonic from an encrypted mnemonic
+   * @param user The user whose mnemonic to recover
+   * @param encryptedMnemonic The encrypted mnemonic
+   * @returns The recovered mnemonic
+   */
+  public recoverMnemonic(
+    user: BackendMember<any>,
+    encryptedMnemonic: string,
+  ): SecureString {
+    if (!encryptedMnemonic) {
+      throw new TranslatableSuiteHandleableError(
+        SuiteCoreStringKey.MnemonicRecovery_Missing,
+        undefined,
+        undefined,
+        {
+          statusCode: 400,
+        },
+      );
+    }
+    return new SecureString(
+      user.decryptData(Buffer.from(encryptedMnemonic, 'hex')).toString('utf-8'),
+    );
+  }
+  /**
+   * Make a Member from a user document and optional private key
+   * @param userDoc The user document
+   * @param privateKey Optional private key to load the wallet
+   * @param publicKey Optional public key to override the userDoc public key
+   * @param session The current session, if any
+   * @returns A promise containing the created Member
+   */
+  public async makeUserFromUserDoc(
+    userDoc: IUserDocument<TLanguage, TID>,
+    privateKey?: SecureBuffer,
+    publicKey?: Buffer,
+    mnemonic?: SecureString,
+    wallet?: Wallet,
+    session?: ClientSession,
+  ): Promise<BackendMember<TID>> {
+    const memberType = await this.roleService.getMemberType(userDoc, session);
+    const user = new BackendMember<TID>(
+      this.eciesService,
+      memberType,
+      userDoc.username,
+      new EmailString(userDoc.email),
+      publicKey ?? Buffer.from(userDoc.publicKey, 'hex'),
+      privateKey,
+      wallet,
+      userDoc._id,
+      new Date(userDoc.createdAt),
+      new Date(userDoc.updatedAt),
+      userDoc.createdBy,
+    );
+    if (
+      (privateKey?.originalLength ?? -1) > 0 &&
+      user.hasPrivateKey &&
+      !wallet
+    ) {
+      user.loadWallet(
+        mnemonic ?? this.recoverMnemonic(user, userDoc.mnemonicRecovery),
+      );
+    }
+    return user;
+  }
+  /**
+   * Challenges a given userDoc with a given mnemonic, returns a system and user Member
+   * @param userDoc The userDoc in question
+   * @param mnemonic The mnemonic to challenge against
+   * @returns A promise containing the user and system Members
+   * @throws InvalidCredentialsError if the challenge fails
+   * @throws AccountLockedError if the account is locked
+   * @throws PendingEmailVerificationError if the email is not verified
+   * @throws AccountStatusError if the account status is invalid
+   */
+  public async challengeUserWithMnemonic(
+    userDoc: IUserDocument<TLanguage, TID>,
+    mnemonic: SecureString,
+    session?: ClientSession,
+  ): Promise<{
+    userMember: BackendMember<TID>;
+    adminMember: BackendMember<TID>;
+  }> {
+    try {
+      // Verify provided mnemonic corresponds to the stored mnemonic HMAC (no password required)
+      // This prevents any valid mnemonic from authenticating as another user.
+      const MnemonicModel =
+        ModelRegistry.instance.getTypedModel<IMnemonicDocument>(
+          BaseModelName.Mnemonic,
+        );
+      if (!userDoc.mnemonicId) {
+        throw new InvalidCredentialsError();
+      }
+      const mnemonicDoc = await MnemonicModel.findById(userDoc.mnemonicId)
+        .select('hmac')
+        .session(session ?? null)
+        .lean()
+        .exec();
+      if (!mnemonicDoc) {
+        throw new InvalidCredentialsError();
+      }
+      const computedHmac = this.mnemonicService.getMnemonicHmac(mnemonic);
+      if (computedHmac !== mnemonicDoc.hmac) {
+        throw new InvalidCredentialsError();
+      }
+      // Create a Member from the provided mnemonic to get the keys
+      const { wallet } = this.eciesService.walletAndSeedFromMnemonic(mnemonic);
+      const privateKey = wallet.getPrivateKey();
+      // Get compressed public key (already includes prefix)
+      const publicKeyWithPrefix = this.eciesService.getPublicKey(
+        Buffer.from(privateKey),
+      );
+      const userMember = await this.makeUserFromUserDoc(
+        userDoc,
+        new SecureBuffer(privateKey),
+        publicKeyWithPrefix,
+        mnemonic,
+        wallet,
+        session,
+      );
+      // Verify the public key matches the stored userDoc public key
+      if (userMember.publicKey.toString('hex') !== userDoc.publicKey) {
+        throw new InvalidCredentialsError();
+      }
+      // Generate a nonce challenge to verify they can decrypt with their key
+      const adminMember = SystemUserService.getSystemUser<TID>(
+        this.application.environment,
+        this.application.constants,
+      );
+      const nonce = randomBytes(32);
+      const signature = adminMember.sign(nonce);
+      const payload = Buffer.concat([nonce, signature]);
+      const encryptedPayload = userMember.encryptData(payload);
+      const decryptedPayload = userMember.decryptData(encryptedPayload);
+      // Verify the server's signature on the nonce
+      const decryptedNonce = decryptedPayload.subarray(0, 32);
+      const decryptedSignature = decryptedPayload.subarray(32);
+      const isSignatureValid = adminMember.verify(
+        decryptedSignature as SignatureBuffer,
+        decryptedNonce,
+      );
+      if (!isSignatureValid || !nonce.equals(decryptedNonce)) {
+        throw new InvalidCredentialsError();
+      }
+      return {
+        userMember,
+        adminMember: adminMember,
+      };
+    } catch (error) {
+      if (
+        error instanceof InvalidCredentialsError ||
+        error instanceof AccountLockedError ||
+        error instanceof PendingEmailVerificationError ||
+        error instanceof AccountStatusError
+      ) {
+        throw error;
+      }
+      throw new InvalidCredentialsError();
+    }
+  }
+  /**
+   * Validates a login challenge response
+   * @param challengeResponse The challenge response bytes in hex
+   * @param email The email address of the user
+   * @param username The username of the user
+   * @param session The mongo session for the query
+   * @returns A promise that resolves to the user document, user member, and system member
+   */
+  public async loginWithChallengeResponse(
+    challengeResponse: string,
+    email?: string,
+    username?: string,
+    session?: ClientSession,
+  ): Promise<{
+    userDoc: IUserDocument<TLanguage, TID>;
+    userMember: BackendMember<TID>;
+    adminMember: BackendMember<TID>;
+  }> {
+    const challengeBuffer = Buffer.from(challengeResponse, 'hex');
+    // validate the expected challenge response length (8 + 32 + 64 = 104 bytes)
+    if (
+      challengeBuffer.length !=
+      this.application.constants.DirectLoginChallengeLength
+    ) {
+      throw new InvalidChallengeResponseError();
+    }
+    // disassemble the challengeResponse into time, nonce, signature
+    const time = challengeBuffer.subarray(0, 8); // 16 hex characters
+    const nonce = challengeBuffer.subarray(8, 40); // 64 hex characters
+    const signature = challengeBuffer.subarray(40); // 65 * 2 hex characters
+    const timeMs = parseInt(time.toString('hex'), 16);
+    if (
+      new Date().getTime() - timeMs >
+      this.application.constants.LoginChallengeExpiration
+    ) {
+      throw new LoginChallengeExpiredError();
+    }
+    const userDoc = await this.findUser(email, username, session);
+    if (!userDoc && email) {
+      throw new InvalidEmailError(InvalidEmailErrorType.Missing);
+    } else if (!userDoc) {
+      throw new InvalidUsernameError();
+    }
+    // re-sign the time + nonce and check if the signature matches
+    const adminMember = SystemUserService.getSystemUser<TID>(
+      this.application.environment,
+      this.application.constants,
+    );
+    const timeAndNonce = Buffer.concat([time, nonce]);
+    const expectedSignature = adminMember.sign(timeAndNonce);
+    if (expectedSignature.toString('hex') !== signature.toString('hex')) {
+      throw new InvalidChallengeResponseError();
+    }
+    const userMember = await this.makeUserFromUserDoc(
+      userDoc,
+      undefined,
+      undefined,
+      undefined,
+      undefined,
+      session,
+    );
+    return {
+      userDoc,
+      userMember,
+      adminMember: adminMember,
+    };
+  }
+  /**
+   * Authenticate a user with client-verified challenge (skips server-side challenge)
+   * @returns The authenticated user document.
+   */
+  public async loginWithClientVerifiedChallenge(
+    usernameOrEmail: string,
+    mnemonic: SecureString,
+    session?: ClientSession,
+  ): Promise<{
+    userDoc: IUserDocument<TLanguage, TID>;
+    userMember: BackendMember<TID>;
+    adminMember: BackendMember<TID>;
+  }> {
+    const UserModel = this.application.getModel<IUserDocument<TLanguage, TID>>(
+      BaseModelName.User,
+    );
+    const userQuery = validator.isEmail(usernameOrEmail)
+      ? UserModel.findOne({ email: usernameOrEmail.toLowerCase() }).select(
+          '_id username email accountStatus deletedAt mnemonicId publicKey passwordWrappedPrivateKey',
+        )
+      : UserModel.findOne({ username: usernameOrEmail })
+          .collation({ locale: 'en', strength: 2 })
+          .select(
+            '_id username email accountStatus deletedAt mnemonicId publicKey passwordWrappedPrivateKey',
+          );
+    const userDoc = await userQuery.session(session ?? null);
+    if (!userDoc || userDoc.deletedAt) {
+      throw new InvalidCredentialsError();
+    }
+    // Check account status
+    switch (userDoc.accountStatus) {
+      case AccountStatus.Active:
+        break;
+      case AccountStatus.AdminLock:
+        throw new AccountLockedError();
+      case AccountStatus.PendingEmailVerification:
+        throw new PendingEmailVerificationError();
+      default:
+        throw new AccountStatusError(userDoc.accountStatus);
+    }
+    // Verify mnemonic matches user (simplified verification)
+    try {
+      const MnemonicModel = this.application.getModel<IMnemonicDocument>(
+        BaseModelName.Mnemonic,
+      );
+      if (!userDoc.mnemonicId) {
+        throw new InvalidCredentialsError();
+      }
+      const mnemonicDoc = await MnemonicModel.findById(userDoc.mnemonicId)
+        .select('hmac')
+        .session(session ?? null)
+        .lean()
+        .exec();
+      if (!mnemonicDoc) {
+        throw new InvalidCredentialsError();
+      }
+      const computedHmac = this.mnemonicService.getMnemonicHmac(mnemonic);
+      if (computedHmac !== mnemonicDoc.hmac) {
+        throw new InvalidCredentialsError();
+      }
+      // Create Member from mnemonic
+      const { wallet } = this.eciesService.walletAndSeedFromMnemonic(mnemonic);
+      const privateKey = wallet.getPrivateKey();
+      // Get compressed public key (already includes prefix)
+      const publicKeyWithPrefix = this.eciesService.getPublicKey(
+        Buffer.from(privateKey),
+      );
+      const userMember = await this.makeUserFromUserDoc(
+        userDoc,
+        new SecureBuffer(privateKey),
+        publicKeyWithPrefix,
+        mnemonic,
+        wallet,
+        session,
+      );
+      // Verify public key matches
+      if (userMember.publicKey.toString('hex') !== userDoc.publicKey) {
+        throw new InvalidCredentialsError();
+      }
+      const adminMember = SystemUserService.getSystemUser<TID>(
+        this.application.environment,
+        this.application.constants,
+      );
+      return {
+        userMember,
+        adminMember,
+        userDoc,
+      };
+    } catch (error) {
+      if (
+        error instanceof InvalidCredentialsError ||
+        error instanceof AccountLockedError ||
+        error instanceof PendingEmailVerificationError ||
+        error instanceof AccountStatusError
+      ) {
+        throw error;
+      }
+      throw new InvalidCredentialsError();
+    }
+  }
+  /**
+   * Authenticate a user with their mnemonic.
+   * @returns The authenticated user document.
+   */
+  public async loginWithMnemonic(
+    usernameOrEmail: string,
+    mnemonic: SecureString,
+    session?: ClientSession,
+  ): Promise<{
+    userDoc: IUserDocument<TLanguage, TID>;
+    userMember: BackendMember<TID>;
+    adminMember: BackendMember<TID>;
+  }> {
+    const UserModel = ModelRegistry.instance.getTypedModel<
+      IUserDocument<TLanguage, TID>
+    >(BaseModelName.User);
+    const userQuery = validator.isEmail(usernameOrEmail)
+      ? UserModel.findOne({ email: usernameOrEmail.toLowerCase() }).select(
+          '_id username email accountStatus deletedAt mnemonicId publicKey passwordWrappedPrivateKey',
+        )
+      : UserModel.findOne({ username: usernameOrEmail })
+          .collation({ locale: 'en', strength: 2 })
+          .select(
+            '_id username email accountStatus deletedAt mnemonicId publicKey passwordWrappedPrivateKey',
+          );
+    const userDoc = await userQuery.session(session ?? null);
+    if (!userDoc || userDoc.deletedAt) {
+      throw new InvalidCredentialsError();
+    }
+    // Check account status
+    switch (userDoc.accountStatus) {
+      case AccountStatus.Active:
+        break;
+      case AccountStatus.AdminLock:
+        throw new AccountLockedError();
+      case AccountStatus.PendingEmailVerification:
+        throw new PendingEmailVerificationError();
+      default:
+        throw new AccountStatusError(userDoc.accountStatus);
+    }
+    const challengeResponse = await this.challengeUserWithMnemonic(
+      userDoc,
+      mnemonic,
+      session,
+    );
+    return { ...challengeResponse, userDoc };
+  }
+  /**
+   * Authenticate a user with their password (for key-wrapped accounts).
+   * @returns The authenticated user document.
+   */
+  public async loginWithPassword(
+    usernameOrEmail: string,
+    password: string,
+    session?: ClientSession,
+  ): Promise<{
+    userDoc: IUserDocument<TLanguage, TID>;
+    userMember: BackendMember<TID>;
+    adminMember: BackendMember<TID>;
+  }> {
+    const UserModel = this.application.getModel<IUserDocument<TLanguage, TID>>(
+      BaseModelName.User,
+    );
+    const query = validator.isEmail(usernameOrEmail)
+      ? UserModel.findOne({ email: usernameOrEmail.toLowerCase() })
+      : UserModel.findOne({ username: usernameOrEmail }).collation({
+          locale: 'en',
+          strength: 2,
+        });
+    const userDoc: IUserDocument<TLanguage, TID> | null = await query
+      .session(session ?? null)
+      .exec();
+    if (!userDoc || userDoc.deletedAt) {
+      throw new InvalidCredentialsError();
+    }
+    // Check account status
+    switch (userDoc.accountStatus) {
+      case AccountStatus.Active:
+        break;
+      case AccountStatus.AdminLock:
+        throw new AccountLockedError();
+      case AccountStatus.PendingEmailVerification:
+        throw new PendingEmailVerificationError();
+      default:
+        throw new AccountStatusError(userDoc.accountStatus);
+    }
+    // Check if user has password-based authentication set up (Option B requires passwordWrappedPrivateKey)
+    if (!userDoc.passwordWrappedPrivateKey || !userDoc.mnemonicId) {
+      throw new PasswordLoginNotEnabledError();
+    }
+    // Unwrap password-wrapped private key and complete challenge with possession of private key
+    const unwrapped = await this.keyWrappingService.unwrapSecretAsync(
+      userDoc.passwordWrappedPrivateKey!,
+      password,
+      this.application.constants,
+    );
+    // Build user member with unwrapped private key to decrypt challenge
+    // Note: userMember now owns the unwrapped SecureBuffer, so we don't dispose it here
+    const userMember = await this.makeUserFromUserDoc(
+      userDoc,
+      unwrapped,
+      undefined,
+      undefined,
+      undefined,
+      session,
+    );
+    // Generate a nonce challenge signed by system
+    const adminMember = SystemUserService.getSystemUser<TID>(
+      this.application.environment,
+      this.application.constants,
+    );
+    const nonce = randomBytes(32);
+    const signature = adminMember.sign(nonce);
+    const payload = Buffer.concat([nonce, signature]);
+    const encryptedPayload = userMember.encryptData(payload);
+    const decryptedPayload = userMember.decryptData(encryptedPayload);
+    const decryptedNonce = decryptedPayload.subarray(0, 32);
+    const decryptedSignature = decryptedPayload.subarray(32);
+    const isSignatureValid = adminMember.verify(
+      decryptedSignature as SignatureBuffer,
+      decryptedNonce,
+    );
+    if (!isSignatureValid || !nonce.equals(decryptedNonce)) {
+      throw new InvalidCredentialsError();
+    }
+    return { userDoc, userMember, adminMember: adminMember };
+  }
+  /**
+   * Re-send a previously sent email token
+   * @param userId The user id
+   * @param session The session to use for the query
+   * @returns void
+   * @throws EmailTokenUsedOrInvalidError
+   */
+  public async resendEmailToken(
+    userId: string,
+    type: EmailTokenType,
+    session?: ClientSession,
+    debug = false,
+  ): Promise<void> {
+    const EmailTokenModel =
+      ModelRegistry.instance.getTypedModel<IEmailTokenDocument>(
+        BaseModelName.EmailToken,
+      );
+    return await this.withTransaction<void>(
+      async (sess: ClientSession | undefined) => {
+        // look up the most recent email token for a given user, then send it
+        const emailToken: IEmailTokenDocument | null =
+          await EmailTokenModel.findOne({
+            userId,
+            type,
+            expiresAt: { $gt: new Date() },
+          })
+            .session(sess ?? null)
+            .sort({ createdAt: -1 })
+            .limit(1);
+        if (!emailToken) {
+          throw new EmailTokenUsedOrInvalidError();
+        }
+        await this.sendEmailToken(emailToken, sess, debug);
+      },
+      session,
+      {
+        timeoutMs: this.application.environment.mongo.transactionTimeout * 5,
+      },
+    );
+  }
+  /**
+   * Verify the email token and update the user's account status
+   * @param emailToken The email token to verify
+   * @param session The session to use for the query
+   * @returns void
+   * @throws EmailTokenUsedOrInvalidError
+   * @throws EmailTokenExpiredError
+   * @throws EmailVerifiedError
+   * @throws UserNotFoundError
+   */
+  public async verifyAccountTokenAndComplete(
+    emailToken: string,
+    session?: ClientSession,
+  ): Promise<void> {
+    let alreadyVerified = false;
+    await this.withTransaction<void>(
+      async (sess: ClientSession | undefined) => {
+        const EmailTokenModel =
+          ModelRegistry.instance.getTypedModel<IEmailTokenDocument>(
+            BaseModelName.EmailToken,
+          );
+        const UserModel = ModelRegistry.instance.getTypedModel<
+          IUserDocument<TLanguage, TID>
+        >(BaseModelName.User);
+        const token: IEmailTokenDocument | null = await this.findEmailToken(
+          emailToken,
+          EmailTokenType.AccountVerification,
+          sess,
+        );
+        if (!token) {
+          throw new EmailTokenUsedOrInvalidError();
+        }
+        if (token.expiresAt < new Date()) {
+          await EmailTokenModel.deleteOne({ _id: token._id }).session(
+            sess ?? null,
+          );
+          throw new EmailTokenExpiredError();
+        }
+        const user: IUserDocument<TLanguage, TID> | null =
+          await UserModel.findById(token.userId).session(sess ?? null);
+        if (!user || user.deletedAt) {
+          throw new UserNotFoundError();
+        }
+        if (user.emailVerified) {
+          // Delete the token and mark to throw error after transaction commits
+          await EmailTokenModel.deleteOne({ _id: token._id }).session(
+            sess ?? null,
+          );
+          alreadyVerified = true;
+          return;
+        }
+        // set user email to token email and mark as verified
+        user.email = token.email;
+        user.emailVerified = true;
+        user.accountStatus = AccountStatus.Active;
+        user.updatedBy = user._id;
+        await user.save({ session: sess });
+        // Delete the token after successful verification
+        await EmailTokenModel.deleteOne({ _id: token._id }).session(
+          sess ?? null,
+        );
+        // add the user to the member role
+        const memberRoleId = await this.roleService.getRoleIdByName(
+          this.application.constants.MemberRole as Role,
+          sess,
+        );
+        if (memberRoleId) {
+          await this.roleService.addUserToRole(
+            memberRoleId,
+            user._id,
+            user._id,
+            sess,
+          );
+        } else {
+          throw new Error('Member role not found');
+        }
+      },
+      session,
+      {
+        timeoutMs: this.application.environment.mongo.transactionTimeout * 5,
+      },
+    );
+    if (alreadyVerified) {
+      throw new EmailVerifiedError(409);
+    }
+  }
+  /**
+   * Validate the email token
+   * @param token The token to validate
+   * @param restrictType The type of email token to validate (or throw)
+   * @param session The session to use for the query
+   * @returns void
+   * @throws EmailTokenUsedOrInvalidError
+   */
+  public async validateEmailToken(
+    token: string,
+    restrictType?: EmailTokenType,
+    session?: ClientSession,
+  ): Promise<void> {
+    return await this.withTransaction<void>(
+      async (ses: ClientSession | undefined) => {
+        const EmailTokenModel = this.application.getModel<IEmailTokenDocument>(
+          BaseModelName.EmailToken,
+        );
+        const emailToken = await EmailTokenModel.findOne({
+          token,
+          ...(restrictType ? { type: EmailTokenType.PasswordReset } : {}),
+        }).session(ses ?? null);
+        if (!emailToken) {
+          throw new EmailTokenUsedOrInvalidError();
+        } else if (emailToken.expiresAt < new Date()) {
+          await EmailTokenModel.deleteOne({ _id: emailToken._id }).session(
+            ses ?? null,
+          );
+          throw new EmailTokenExpiredError();
+        }
+        // nothing else to do here, token is valid
+      },
+      session,
+      {
+        timeoutMs: this.application.environment.mongo.transactionTimeout * 5,
+      },
+    );
+  }
+  /**
+   * Updates the user's language
+   * @param userId - The ID of the user
+   * @param newLanguage - The new language
+   * @param session - The session to use for the query
+   * @returns The updated user
+   */
+  public async updateSiteLanguage(
+    userId: string,
+    newLanguage: string,
+    session?: ClientSession,
+  ): Promise<IRequestUserDTO> {
+    const provider = getEnhancedNodeIdProvider<TID>();
+    return await this.withTransaction<IRequestUserDTO>(
+      async (sess: ClientSession | undefined) => {
+        const UserModel = ModelRegistry.instance.getTypedModel<
+          IUserDocument<TLanguage, TID>
+        >(BaseModelName.User);
+        const userDoc = await UserModel.findByIdAndUpdate(
+          provider.idFromString(userId),
+          {
+            siteLanguage: newLanguage,
+          },
+          { new: true },
+        ).session(sess ?? null);
+        if (!userDoc) {
+          throw new UserNotFoundError();
+        }
+        const roles = await this.roleService.getUserRoles(userDoc._id);
+        const tokenRoles = this.roleService.rolesToTokenRoles(roles);
+        return RequestUserService.makeRequestUserDTO(userDoc, tokenRoles);
+      },
+      session,
+      {
+        timeoutMs: this.application.environment.mongo.transactionTimeout * 5,
+      },
+    );
+  }
+  /**
+   * Updates the user's Dark Mode preference
+   * @param userId - The ID of the user
+   * @param newDarkMode - The new Dark Mode preference
+   * @param session - The session to use for the query
+   * @returns The updated user
+   */
+  public async updateDarkMode(
+    userId: string,
+    newDarkMode: boolean,
+    session?: ClientSession,
+  ): Promise<IRequestUserDTO> {
+    const provider = getEnhancedNodeIdProvider<TID>();
+    return await this.withTransaction<IRequestUserDTO>(
+      async (sess: ClientSession | undefined) => {
+        const UserModel = ModelRegistry.instance.getTypedModel<
+          IUserDocument<TLanguage, TID>
+        >(BaseModelName.User);
+        const userDoc = await UserModel.findByIdAndUpdate(
+          provider.idFromString(userId),
+          {
+            darkMode: newDarkMode,
+          },
+          { new: true },
+        ).session(sess ?? null);
+        if (!userDoc) {
+          throw new UserNotFoundError();
+        }
+        const roles = await this.roleService.getUserRoles(userDoc._id);
+        const tokenRoles = this.roleService.rolesToTokenRoles(roles);
+        return RequestUserService.makeRequestUserDTO(userDoc, tokenRoles);
+      },
+      session,
+      {
+        timeoutMs: this.application.environment.mongo.transactionTimeout * 5,
+      },
+    );
+  }
+  /**
+   * Updates multiple user settings at once
+   * @param userId - The ID of the user
+   * @param settings - Object containing settings to update
+   * @param session - The session to use for the query
+   * @returns The updated user
+   */
+  public async updateUserSettings(
+    userId: string,
+    settings: {
+      email?: string;
+      timezone?: string;
+      siteLanguage?: string;
+      currency?: string;
+      darkMode?: boolean;
+      directChallenge?: boolean;
+    },
+    session?: ClientSession,
+  ): Promise<IRequestUserDTO> {
+    const provider = getEnhancedNodeIdProvider<TID>();
+    return await this.withTransaction<IRequestUserDTO>(
+      async (sess: ClientSession | undefined) => {
+        const UserModel = ModelRegistry.instance.getTypedModel<
+          IUserDocument<TLanguage, TID>
+        >(BaseModelName.User);
+        const userDoc = await UserModel.findById(
+          provider.idFromString(userId),
+        ).session(sess ?? null);
+        if (!userDoc) {
+          throw new UserNotFoundError();
+        }
+        // Check if email is changing and if it's already in use
+        if (
+          settings.email &&
+          settings.email.toLowerCase() !== userDoc.email.toLowerCase()
+        ) {
+          const existingUser = await UserModel.findOne({
+            email: settings.email.toLowerCase(),
+            _id: { $ne: userDoc._id },
+          }).session(sess ?? null);
+          if (existingUser) {
+            throw new EmailInUseError();
+          }
+          // Send verification email for new address
+          userDoc.email = settings.email.toLowerCase();
+          await this.createAndSendEmailTokenDirect(
+            userDoc,
+            EmailTokenType.AccountVerification,
+            sess!,
+            this.application.environment.debug,
+          );
+        }
+        // Update other settings
+        if (settings.timezone !== undefined)
+          userDoc.timezone = settings.timezone;
+        if (settings.siteLanguage !== undefined)
+          userDoc.siteLanguage = settings.siteLanguage as TLanguage;
+        if (settings.darkMode !== undefined)
+          userDoc.darkMode = settings.darkMode;
+        if (settings.currency !== undefined)
+          userDoc.currency = settings.currency;
+        if (settings.directChallenge !== undefined)
+          userDoc.directChallenge = settings.directChallenge;
+        await userDoc.save({ session: sess });
+        const roles = await this.roleService.getUserRoles(userDoc._id);
+        const tokenRoles = this.roleService.rolesToTokenRoles(roles);
+        return RequestUserService.makeRequestUserDTO(userDoc, tokenRoles);
+      },
+      session,
+      {
+        timeoutMs: this.application.environment.mongo.transactionTimeout * 5,
+      },
+    );
+  }
+  /**
+   * Changes the user's password by re-wrapping their master key
+   * @param userId - The ID of the user
+   * @param currentPassword - The current password
+   * @param newPassword - The new password
+   * @param session - The session to use for the query
+   * @returns void
+   */
+  public async changePassword(
+    userId: string,
+    currentPassword: string,
+    newPassword: string,
+    session?: ClientSession,
+  ): Promise<void> {
+    const provider = getEnhancedNodeIdProvider<TID>();
+    return await this.withTransaction<void>(
+      async (sess: ClientSession | undefined) => {
+        const UserModel = ModelRegistry.instance.getTypedModel<
+          IUserDocument<TLanguage, TID>
+        >(BaseModelName.User);
+        const userDoc = await UserModel.findById(
+          provider.idFromString(userId),
+        ).session(sess ?? null);
+        if (!userDoc || !userDoc.passwordWrappedPrivateKey) {
+          throw new UserNotFoundError();
+        }
+        if (!this.application.constants.PasswordRegex.test(newPassword)) {
+          throw new InvalidNewPasswordError();
+        }
+        const currentPasswordSecure = new SecureString(currentPassword);
+        const newPasswordSecure = new SecureString(newPassword);
+        try {
+          // Unwrap existing private key and rewrap under new password
+          const priv = this.keyWrappingService.unwrapSecret(
+            userDoc.passwordWrappedPrivateKey,
+            currentPasswordSecure,
+          );
+          try {
+            const wrapped = this.keyWrappingService.wrapSecret(
+              priv,
+              newPasswordSecure,
+              this.application.constants,
+            );
+            userDoc.passwordWrappedPrivateKey = wrapped;
+            await userDoc.save({ session: sess });
+          } finally {
+            priv.dispose();
+          }
+        } catch (error: unknown) {
+          // Re-throw original error so controller can map it properly
+          // Re-throw original error so controller can map it properly
+          throw error as Error;
+        } finally {
+          currentPasswordSecure.dispose();
+          newPasswordSecure.dispose();
+        }
+      },
+      session,
+      {
+        timeoutMs: this.application.environment.mongo.transactionTimeout * 5,
+      },
+    );
+  }
+  /**
+   * Retrieve an email token by its token string and type
+   * @param token - The token string
+   * @param type - The type of the email token
+   * @param session - The session to use for the query
+   * @returns The email token document or null if not found
+   */
+  public async findEmailToken(
+    token: string,
+    type?: EmailTokenType,
+    session?: ClientSession,
+  ): Promise<IEmailTokenDocument | null> {
+    const EmailTokenModel =
+      ModelRegistry.instance.getTypedModel<IEmailTokenDocument>(
+        BaseModelName.EmailToken,
+      );
+    return await EmailTokenModel.findOne({
+      token: token.toLowerCase().trim(),
+      ...(type ? { type } : {}),
+      expiresAt: { $gt: new Date() },
+    }).session(session ?? null);
+  }
+  /**
+   * Verify email token is valid
+   * @param token - The email token
+   * @param session - The session to use for the query
+   * @returns void
+   */
+  public async verifyEmailToken(
+    token: string,
+    type: EmailTokenType,
+    session?: ClientSession,
+  ): Promise<void> {
+    return await this.withTransaction<void>(
+      async (sess: ClientSession | undefined) => {
+        // Find and validate the token
+        const emailToken = await this.findEmailToken(token, type, sess);
+        if (!emailToken) {
+          throw new EmailTokenUsedOrInvalidError();
+        }
+      },
+      session,
+      {
+        timeoutMs: this.application.environment.mongo.transactionTimeout * 5,
+      },
+    );
+  }
+  /**
+   * Reset password using email token
+   * @param token - The email token
+   * @param newPassword - The new password
+   * @param session - The session to use for the query
+   * @returns void
+   */
+  public async resetPasswordWithToken(
+    token: string,
+    newPassword: string,
+    credential?: string, // either mnemonic or current password; required
+    session?: ClientSession,
+  ): Promise<void> {
+    if (!this.application.constants.PasswordRegex.test(newPassword)) {
+      throw new InvalidNewPasswordError();
+    }
+    if (!credential) {
+      throw new EmailTokenUsedOrInvalidError();
+    }
+    return await this.withTransaction<void>(
+      async (sess: ClientSession | undefined) => {
+        const EmailTokenModel =
+          ModelRegistry.instance.getTypedModel<IEmailTokenDocument>(
+            BaseModelName.EmailToken,
+          );
+        const UserModel = ModelRegistry.instance.getTypedModel<
+          IUserDocument<TLanguage, TID>
+        >(BaseModelName.User);
+        // Find and validate the token
+        const emailToken = await this.findEmailToken(
+          token,
+          EmailTokenType.PasswordReset,
+          sess,
+        );
+        if (!emailToken) {
+          throw new EmailTokenUsedOrInvalidError();
+        }
+        // Find the user
+        const userDoc = await UserModel.findById(emailToken.userId).session(
+          sess ?? null,
+        );
+        if (!userDoc) {
+          throw new UserNotFoundError();
+        }
+        // Update password-wrapped secrets based on credential type (Option B)
+        const newPasswordSecure = new SecureString(newPassword);
+        try {
+          if (this.application.constants.MnemonicRegex.test(credential)) {
+            // Credential is mnemonic: verify it belongs to this user via public key
+            const providedMnemonic = new SecureString(credential);
+            try {
+              const { wallet } =
+                this.eciesService.walletAndSeedFromMnemonic(providedMnemonic);
+              const privateKey = wallet.getPrivateKey();
+              // Get compressed public key (already includes prefix)
+              const pub = this.eciesService.getPublicKey(
+                Buffer.from(privateKey),
+              );
+              if (pub.toString('hex') !== userDoc.publicKey) {
+                throw new InvalidCredentialsError();
+              }
+              // Wrap private key with new password
+              const priv = new SecureBuffer(privateKey);
+              try {
+                const wrappedPriv = this.keyWrappingService.wrapSecret(
+                  priv,
+                  newPasswordSecure,
+                  this.application.constants,
+                );
+                userDoc.passwordWrappedPrivateKey = wrappedPriv;
+                await userDoc.save({ session: sess });
+              } finally {
+                priv.dispose();
+              }
+            } finally {
+              providedMnemonic.dispose();
+            }
+          } else {
+            // Credential is current password: unwrap existing master key
+            if (!userDoc.passwordWrappedPrivateKey) {
+              throw new InvalidCredentialsError();
+            }
+            const privateKeyBuf =
+              await this.keyWrappingService.unwrapSecretAsync(
+                userDoc.passwordWrappedPrivateKey!,
+                credential,
+                this.application.constants,
+              );
+            try {
+              // Re-wrap the existing private key under the new password
+              const wrappedPriv = this.keyWrappingService.wrapSecret(
+                privateKeyBuf,
+                newPasswordSecure,
+                this.application.constants,
+              );
+              userDoc.passwordWrappedPrivateKey = wrappedPriv;
+              await userDoc.save({ session: sess });
+            } finally {
+              privateKeyBuf.dispose();
+            }
+          }
+          // Delete the used token
+          await EmailTokenModel.deleteOne({ _id: emailToken._id }).session(
+            sess ?? null,
+          );
+          // Dispose temporary master key
+        } finally {
+          newPasswordSecure.dispose();
+        }
+      },
+      session,
+      {
+        timeoutMs: this.application.environment.mongo.transactionTimeout * 5,
+      },
+    );
+  }
+  /**
+   * Generate a login challenge for the client to sign
+   * @returns The login challenge in hex
+   */
+  public generateDirectLoginChallenge(): string {
+    const adminMember = SystemUserService.getSystemUser<TID>(
+      this.application.environment,
+      this.application.constants,
+    );
+    const time = Buffer.alloc(8);
+    time.writeBigUInt64BE(BigInt(new Date().getTime()));
+    const nonce = randomBytes(32);
+    const signature = adminMember.sign(Buffer.concat([time, nonce]));
+    return Buffer.concat([time, nonce, signature]).toString('hex');
+  }
+  /**
+   * Verifies a direct login challenge response
+   * @param serverSignedRequest The login challenge response in hex
+   * @param session The mongoose session, if provided
+   * @returns A promise with the user document and user member object
+   */
+  public async verifyDirectLoginChallenge(
+    serverSignedRequest: string,
+    signature: string,
+    username?: string,
+    email?: string,
+    session?: ClientSession,
+  ): Promise<{
+    userDoc: IUserDocument<TLanguage, TID>;
+    userMember: BackendMember<TID>;
+  }> {
+    return await this.withTransaction<{
+      userDoc: IUserDocument<TLanguage, TID>;
+      userMember: BackendMember<TID>;
+    }>(
+      async (sess: ClientSession | undefined) => {
+        // serverSignedRequest is:
+        // time (8) +
+        // nonce (32) +
+        // server signature (64) +
+        // signature (64)
+        if (
+          serverSignedRequest.length <
+          (8 + 32 + this.application.constants.ECIES.SIGNATURE_SIZE) * 2
+        ) {
+          throw new InvalidChallengeResponseError();
+        }
+        // get signed request into a buffer
+        const requestBuffer = Buffer.from(serverSignedRequest, 'hex');
+        // start tracking offset
+        let offset = 0;
+        // get the time
+        const time = requestBuffer.subarray(offset, 8);
+        offset += 8;
+        // get the nonce
+        const nonce = requestBuffer.subarray(offset, 40);
+        offset += 32;
+        // get the server signature
+        const serverSignature = requestBuffer.subarray(
+          offset,
+          this.application.constants.ECIES.SIGNATURE_SIZE + 40,
+        );
+        offset += this.application.constants.ECIES.SIGNATURE_SIZE;
+        const signedDataLength = offset;
+        if (offset !== requestBuffer.length) {
+          throw new InvalidChallengeResponseError();
+        }
+        // validate time is within acceptable range
+        const timeMs = time.readBigUInt64BE();
+        if (
+          new Date().getTime() - Number(timeMs) >
+          this.application.constants.LoginChallengeExpiration
+        ) {
+          throw new LoginChallengeExpiredError();
+        }
+        // validate the server's signature on the time + nonce portion
+        const adminMember = SystemUserService.getSystemUser<TID>(
+          this.application.environment,
+          this.application.constants,
+        );
+        if (
+          !adminMember.verify(
+            serverSignature as SignatureBuffer,
+            Buffer.concat([time, nonce]),
+          )
+        ) {
+          throw new InvalidChallengeResponseError();
+        }
+        // locate the user by email or username
+        const userDoc = await this.findUser(email, username, sess);
+        if (!userDoc) {
+          throw new InvalidChallengeResponseError();
+        }
+        // get the user's member object
+        const user = await this.makeUserFromUserDoc(
+          userDoc,
+          undefined,
+          undefined,
+          undefined,
+          undefined,
+          sess,
+        );
+        // get the signed portion of the response
+        const signedData = requestBuffer.subarray(0, signedDataLength);
+        // verify the user's signature on the signed portion
+        if (
+          !user.verify(
+            Buffer.from(signature, 'hex') as SignatureBuffer,
+            signedData,
+          )
+        ) {
+          throw new InvalidChallengeResponseError();
+        }
+        if (userDoc.directChallenge !== true) {
+          throw new DirectChallengeNotEnabledError();
+        }
+        // if the user is valid, try to use the token (prevents replay attacks)
+        await DirectLoginTokenService.useToken<TID>(
+          this.application,
+          userDoc._id,
+          nonce.toString('hex'),
+        );
+        // if successful, update lastLogin
+        await this.updateLastLogin(userDoc._id);
+        // return the user document and member object
+        return { userDoc, userMember: user };
+      },
+      session,
+      { timeoutMs: this.application.environment.mongo.transactionTimeout },
+    );
+  }
+  /**
+   * Request a login link via email
+   * @param email Email address
+   * @param username Username
+   * @param session Existing session, if any
+   * @returns void
+   */
+  public async requestEmailLogin(
+    email?: string,
+    username?: string,
+    session?: ClientSession,
+  ): Promise<void> {
+    return this.withTransaction<void>(
+      async (sess: ClientSession | undefined) => {
+        const userDoc = await this.findUser(email, username, sess);
+        if (!userDoc) {
+          return;
+        }
+        await this.createAndSendEmailToken(
+          userDoc,
+          EmailTokenType.LoginRequest,
+          sess,
+          this.application.environment.debug,
+        );
+      },
+      session,
+      {
+        timeoutMs: this.application.environment.mongo.transactionTimeout,
+      },
+    );
+  }
+  /**
+   * Validate an email login token challenge
+   * @param token The token to challenge
+   * @param signature The signature of the token by the user's private key
+   * @param session The session to use for the query
+   * @returns The user document if the challenge is valid
+   */
+  public async validateEmailLoginTokenChallenge(
+    token: string,
+    signature: string,
+    session?: ClientSession,
+  ): Promise<IUserDocument<TLanguage, TID>> {
+    return this.withTransaction<IUserDocument<TLanguage, TID>>(
+      async (sess: ClientSession | undefined) => {
+        const emailToken = await this.findEmailToken(
+          token,
+          EmailTokenType.LoginRequest,
+          sess,
+        );
+        if (!emailToken) {
+          throw new EmailTokenUsedOrInvalidError();
+        }
+        const userDoc = await this.findUser(emailToken.email, undefined, sess);
+        if (!userDoc) {
+          throw new UserNotFoundError();
+        }
+        const user = await this.makeUserFromUserDoc(
+          userDoc,
+          undefined,
+          undefined,
+          undefined,
+          undefined,
+          sess,
+        );
+        const result = user.verify(
+          Buffer.from(signature, 'hex') as SignatureBuffer,
+          Buffer.from(token, 'hex'),
+        );
+        if (!result) {
+          throw new InvalidChallengeResponseError();
+        }
+        await emailToken.deleteOne({ session: sess ?? null });
+        await this.updateLastLogin(userDoc._id);
+        return userDoc;
+      },
+      session,
+      {
+        timeoutMs: this.application.environment.mongo.transactionTimeout,
+      },
+    );
+  }
+  /**
+   * Updates the user's last login time atomically
+   * @param userId - The ID of the user
+   * @returns void
+   */
+  public async updateLastLogin(userId: TID): Promise<void> {
+    const UserModel = ModelRegistry.instance.get('User')?.model;
+    try {
+      // Check if the database connection is still open
+      const connection = this.application.db.connection;
+      if (connection.readyState !== 1) {
+        // Connection is not open (0 = disconnected, 1 = connected, 2 = connecting, 3 = disconnecting)
+        return; // Silently return if connection is not available
+      }
+      // Use atomic update to avoid conflicts and ensure we only update lastLogin
+      // Use a separate session to avoid interfering with any ongoing transactions
+      await UserModel.updateOne(
+        { _id: userId },
+        {
+          $set: { lastLogin: new Date() },
+          $setOnInsert: {}, // Prevent any unintended document creation
+        },
+        {
+          upsert: false, // Never create a new document
+          runValidators: false, // Skip validation for performance since we're only updating lastLogin
+          // Don't use any session to avoid transaction conflicts
+        },
+      );
+    } catch (error) {
+      // Check if the error is due to client being closed
+      if (
+        error instanceof Error &&
+        (error.message.includes('client was closed') ||
+          error.message.includes('MongoClientClosedError') ||
+          error.name === 'MongoClientClosedError')
+      ) {
+        // This is expected during shutdown, don't log it as an error
+        return;
+      }
+      // If this fails, it's not critical for login functionality. Ignore and move on.
+    }
+  }
+}