@drax/identity-back 3.14.0 → 3.15.0

package/dist/config/PasswordPolicyConfig.js

@@ -0,0 +1,14 @@
+var PasswordPolicyConfig;
+(function (PasswordPolicyConfig) {
+    PasswordPolicyConfig["MinLength"] = "PASSWORD_POLICY_MIN_LENGTH";
+    PasswordPolicyConfig["MaxLength"] = "PASSWORD_POLICY_MAX_LENGTH";
+    PasswordPolicyConfig["RequireUppercase"] = "PASSWORD_POLICY_REQUIRE_UPPERCASE";
+    PasswordPolicyConfig["RequireLowercase"] = "PASSWORD_POLICY_REQUIRE_LOWERCASE";
+    PasswordPolicyConfig["RequireNumber"] = "PASSWORD_POLICY_REQUIRE_NUMBER";
+    PasswordPolicyConfig["RequireSpecialChar"] = "PASSWORD_POLICY_REQUIRE_SPECIAL_CHAR";
+    PasswordPolicyConfig["DisallowSpaces"] = "PASSWORD_POLICY_DISALLOW_SPACES";
+    PasswordPolicyConfig["PreventReuse"] = "PASSWORD_POLICY_PREVENT_REUSE";
+    PasswordPolicyConfig["ExpirationDays"] = "PASSWORD_POLICY_EXPIRATION_DAYS";
+})(PasswordPolicyConfig || (PasswordPolicyConfig = {}));
+export default PasswordPolicyConfig;
+export { PasswordPolicyConfig };

package/dist/controllers/UserController.js

@@ -9,6 +9,7 @@ import { join } from "path";
 import { IdentityConfig } from "../config/IdentityConfig.js";
 import UserEmailService from "../services/UserEmailService.js";
 import TenantServiceFactory from "../factory/TenantServiceFactory.js";
+import PasswordPolicyServiceFactory from "../factory/PasswordPolicyServiceFactory.js";
 const BASE_FILE_DIR = DraxConfig.getOrLoad(CommonConfig.FileDir) || 'files';
 const AVATAR_DIR = DraxConfig.getOrLoad(IdentityConfig.AvatarDir) || 'avatar';
 const BASE_URL = DraxConfig.getOrLoad(CommonConfig.BaseUrl) ? DraxConfig.get(CommonConfig.BaseUrl).replace(/\/$/, '') : '';
@@ -72,6 +73,15 @@ class UserController extends AbstractFastifyController {
             reply.send({ error: 'error.server' });
         }
     }
+    async passwordPolicy(request, reply) {
+        try {
+            const passwordPolicyService = PasswordPolicyServiceFactory();
+            return await passwordPolicyService.getFinalPolicy();
+        }
+        catch (e) {
+            this.handleError(e, reply);
+        }
+    }
     async me(request, reply) {
         try {
             if (request.authUser) {

package/dist/factory/PasswordPolicyResolverFactory.js

@@ -0,0 +1,9 @@
+import PasswordPolicyResolver from "../resolver/PasswordPolicyResolver.js";
+let passwordPolicyResolver;
+const PasswordPolicyResolverFactory = () => {
+    if (!passwordPolicyResolver) {
+        passwordPolicyResolver = new PasswordPolicyResolver();
+    }
+    return passwordPolicyResolver;
+};
+export default PasswordPolicyResolverFactory;

package/dist/factory/PasswordPolicyServiceFactory.js

@@ -0,0 +1,27 @@
+import PasswordPolicyService from "../services/PasswordPolicyService.js";
+import PasswordPolicyResolverFactory from "./PasswordPolicyResolverFactory.js";
+import UserPasswordHistoryServiceFactory from "./UserPasswordHistoryServiceFactory.js";
+import UserMongoRepository from "../repository/mongo/UserMongoRepository.js";
+import UserSqliteRepository from "../repository/sqlite/UserSqliteRepository.js";
+import { COMMON, CommonConfig, DraxConfig } from "@drax/common-back";
+let passwordPolicyService;
+const PasswordPolicyServiceFactory = (verbose = false) => {
+    if (!passwordPolicyService) {
+        let userRepository;
+        switch (DraxConfig.getOrLoad(CommonConfig.DbEngine)) {
+            case COMMON.DB_ENGINES.MONGODB:
+                userRepository = new UserMongoRepository();
+                break;
+            case COMMON.DB_ENGINES.SQLITE:
+                userRepository = new UserSqliteRepository(DraxConfig.getOrLoad(CommonConfig.SqliteDbFile), verbose);
+                userRepository.build();
+                break;
+            default:
+                throw new Error("DraxConfig.DB_ENGINE must be one of " + Object.values(COMMON.DB_ENGINES).join(", "));
+        }
+        const passwordPolicyResolver = PasswordPolicyResolverFactory();
+        passwordPolicyService = new PasswordPolicyService(passwordPolicyResolver, userRepository, UserPasswordHistoryServiceFactory(verbose));
+    }
+    return passwordPolicyService;
+};
+export default PasswordPolicyServiceFactory;

package/dist/factory/UserPasswordHistoryServiceFactory.js

@@ -0,0 +1,25 @@
+import { COMMON, CommonConfig, DraxConfig } from "@drax/common-back";
+import UserPasswordHistoryMongoRepository from "../repository/mongo/UserPasswordHistoryMongoRepository.js";
+import UserPasswordHistorySqliteRepository from "../repository/sqlite/UserPasswordHistorySqliteRepository.js";
+import UserPasswordHistoryService from "../services/UserPasswordHistoryService.js";
+let userPasswordHistoryService;
+const UserPasswordHistoryServiceFactory = (verbose = false) => {
+    if (!userPasswordHistoryService) {
+        let repository;
+        switch (DraxConfig.getOrLoad(CommonConfig.DbEngine)) {
+            case COMMON.DB_ENGINES.MONGODB:
+                repository = new UserPasswordHistoryMongoRepository();
+                break;
+            case COMMON.DB_ENGINES.SQLITE:
+                const sqliteRepository = new UserPasswordHistorySqliteRepository(DraxConfig.getOrLoad(CommonConfig.SqliteDbFile), verbose);
+                sqliteRepository.build();
+                repository = sqliteRepository;
+                break;
+            default:
+                throw new Error("DraxConfig.DB_ENGINE must be one of " + Object.values(COMMON.DB_ENGINES).join(", "));
+        }
+        userPasswordHistoryService = new UserPasswordHistoryService(repository);
+    }
+    return userPasswordHistoryService;
+};
+export default UserPasswordHistoryServiceFactory;

package/dist/factory/UserServiceFactory.js

@@ -2,6 +2,8 @@ import UserMongoRepository from "../repository/mongo/UserMongoRepository.js";
 import UserService from "../services/UserService.js";
 import UserSqliteRepository from "../repository/sqlite/UserSqliteRepository.js";
 import { COMMON, CommonConfig, DraxConfig } from "@drax/common-back";
+import PasswordPolicyServiceFactory from "./PasswordPolicyServiceFactory.js";
+import UserPasswordHistoryServiceFactory from "./UserPasswordHistoryServiceFactory.js";
 let userService;
 const UserServiceFactory = (verbose = false) => {
     if (!userService) {
@@ -18,7 +20,7 @@ const UserServiceFactory = (verbose = false) => {
             default:
                 throw new Error("DraxConfig.DB_ENGINE must be one of " + Object.values(COMMON.DB_ENGINES).join(", "));
         }
-        userService = new UserService(userRepository);
+        userService = new UserService(userRepository, PasswordPolicyServiceFactory(verbose), UserPasswordHistoryServiceFactory(verbose));
     }
     return userService;
 };

package/dist/index.js

@@ -5,6 +5,8 @@ import TenantServiceFactory from "./factory/TenantServiceFactory.js";
 import UserApiKeyServiceFactory from "./factory/UserApiKeyServiceFactory.js";
 import UserLoginFailServiceFactory from "./factory/UserLoginFailServiceFactory.js";
 import UserSessionServiceFactory from "./factory/UserSessionServiceFactory.js";
+import PasswordPolicyServiceFactory from "./factory/PasswordPolicyServiceFactory.js";
+import UserPasswordHistoryServiceFactory from "./factory/UserPasswordHistoryServiceFactory.js";
 import RoleService from "./services/RoleService.js";
 import UserService from "./services/UserService.js";
 import TenantService from "./services/TenantService.js";
@@ -12,6 +14,9 @@ import PermissionService from "./services/PermissionService.js";
 import UserApiKeyService from "./services/UserApiKeyService.js";
 import UserSessionService from "./services/UserSessionService.js";
 import UserLoginFailService from "./services/UserLoginFailService.js";
+import UserPasswordHistoryService from "./services/UserPasswordHistoryService.js";
+import PasswordPolicyService from "./services/PasswordPolicyService.js";
+import PasswordPolicyResolver from "./resolver/PasswordPolicyResolver.js";
 import Rbac from "./rbac/Rbac.js";
 import { UserRoutes } from "./routes/UserRoutes.js";
 import { RoleRoutes } from "./routes/RoleRoutes.js";
@@ -24,6 +29,7 @@ import { jwtMiddleware } from "./middleware/jwtMiddleware.js";
 import { rbacMiddleware } from "./middleware/rbacMiddleware.js";
 import { apiKeyMiddleware } from "./middleware/apiKeyMiddleware.js";
 import IdentityConfig from "./config/IdentityConfig.js";
+import PasswordPolicyConfig from "./config/PasswordPolicyConfig.js";
 import BadCredentialsError from "./errors/BadCredentialsError.js";
 import CreateUserIfNotExist from "./setup/CreateUserIfNotExist.js";
 import CreateTenantIfNotExist from "./setup/CreateTenantIfNotExist.js";
@@ -31,24 +37,28 @@ import CreateOrUpdateRole from "./setup/CreateOrUpdateRole.js";
 import LoadPermissions from "./setup/LoadPermissions.js";
 import LoadIdentityConfigFromEnv from "./setup/LoadIdentityConfigFromEnv.js";
 import RecoveryUserPassword from "./setup/RecoveryUserPassword.js";
+import SetProjectPasswordPolicy from "./setup/SetProjectPasswordPolicy.js";
 import { RoleModel, RoleMongoSchema } from "./models/RoleModel.js";
 import { TenantModel, TenantMongoSchema } from "./models/TenantModel.js";
 import { UserModel, UserMongoSchema } from "./models/UserModel.js";
 import { UserApiKeyModel, UserApiKeyMongoSchema } from "./models/UserApiKeyModel.js";
 import { UserSessionModel, UserSessionMongoSchema } from "./models/UserSessionModel.js";
 import { UserLoginFailModel, UserLoginFailMongoSchema } from "./models/UserLoginFailModel.js";
+import { UserPasswordHistoryModel, UserPasswordHistoryMongoSchema } from "./models/UserPasswordHistoryModel.js";
 import RoleMongoRepository from "./repository/mongo/RoleMongoRepository.js";
 import TenantMongoRepository from "./repository/mongo/TenantMongoRepository.js";
 import UserMongoRepository from "./repository/mongo/UserMongoRepository.js";
 import UserApiKeyMongoRepository from "./repository/mongo/UserApiKeyMongoRepository.js";
 import UserSessionMongoRepository from "./repository/mongo/UserSessionMongoRepository.js";
 import UserLoginFailMongoRepository from "./repository/mongo/UserLoginFailMongoRepository.js";
+import UserPasswordHistoryMongoRepository from "./repository/mongo/UserPasswordHistoryMongoRepository.js";
 import RoleSqliteRepository from "./repository/sqlite/RoleSqliteRepository.js";
 import TenantSqliteRepository from "./repository/sqlite/TenantSqliteRepository.js";
 import UserSqliteRepository from "./repository/sqlite/UserSqliteRepository.js";
 import UserApiKeySqliteRepository from "./repository/sqlite/UserApiKeySqliteRepository.js";
 import UserLoginFailSqliteRepository from "./repository/sqlite/UserLoginFailSqliteRepository.js";
 import UserSessionSqliteRepository from "./repository/sqlite/UserSessionSqliteRepository.js";
+import UserPasswordHistorySqliteRepository from "./repository/sqlite/UserPasswordHistorySqliteRepository.js";
 import { RolePermissions } from "./permissions/RolePermissions.js";
 import { TenantPermissions } from "./permissions/TenantPermissions.js";
 import { UserPermissions } from "./permissions/UserPermissions.js";
@@ -61,6 +71,8 @@ import { RoleSchema, RoleBaseSchema } from "./schemas/RoleSchema.js";
 import { UserApiKeySchema, UserApiKeyBaseSchema } from "./schemas/UserApiKeySchema.js";
 import { UserLoginFailBaseSchema } from "./schemas/UserLoginFailSchema.js";
 import { UserSessionBaseSchema } from "./schemas/UserSessionSchema.js";
+import { defaultPasswordPolicy } from "./policies/defaultPasswordPolicy.js";
+import { PasswordPolicySchema } from "./schemas/PasswordPolicySchema.js";
 const graphqlMergeResult = await GraphqlMerge();
 const identityTypeDefs = await graphqlMergeResult.typeDefs;
 const identityResolvers = await graphqlMergeResult.resolvers;
@@ -68,9 +80,9 @@ export {
 //Schemas
 UserSchema, UserBaseSchema, TenantSchema, TenantBaseSchema, RoleSchema, RoleBaseSchema, UserApiKeyBaseSchema, UserApiKeySchema, UserLoginFailBaseSchema, UserSessionBaseSchema, 
 //Service
-UserService, RoleService, TenantService, UserApiKeyService, UserSessionService, UserLoginFailService, PermissionService, Rbac, 
+UserService, RoleService, TenantService, UserApiKeyService, UserSessionService, UserLoginFailService, UserPasswordHistoryService, PasswordPolicyService, PasswordPolicyResolver, PermissionService, Rbac, 
 //Factories
-UserServiceFactory, RoleServiceFactory, TenantServiceFactory, UserApiKeyServiceFactory, UserSessionServiceFactory, UserLoginFailServiceFactory, 
+UserServiceFactory, RoleServiceFactory, TenantServiceFactory, UserApiKeyServiceFactory, UserSessionServiceFactory, UserLoginFailServiceFactory, UserPasswordHistoryServiceFactory, PasswordPolicyServiceFactory, 
 //GQL
 identityTypeDefs, identityResolvers, 
 //API REST
@@ -80,14 +92,14 @@ jwtMiddleware, rbacMiddleware, apiKeyMiddleware,
 //Permissions
 RolePermissions, TenantPermissions, UserPermissions, UserApiKeyPermissions, UserSessionPermissions, UserLoginFailPermissions, 
 //Mongo Repositories
-RoleMongoRepository, TenantMongoRepository, UserMongoRepository, UserApiKeyMongoRepository, UserSessionMongoRepository, UserLoginFailMongoRepository, 
+RoleMongoRepository, TenantMongoRepository, UserMongoRepository, UserApiKeyMongoRepository, UserSessionMongoRepository, UserLoginFailMongoRepository, UserPasswordHistoryMongoRepository, 
 //Mongo Models
-RoleModel, TenantModel, UserModel, UserApiKeyModel, UserSessionModel, UserLoginFailModel, RoleMongoSchema, TenantMongoSchema, UserMongoSchema, UserApiKeyMongoSchema, UserSessionMongoSchema, UserLoginFailMongoSchema, 
+RoleModel, TenantModel, UserModel, UserApiKeyModel, UserSessionModel, UserLoginFailModel, UserPasswordHistoryModel, RoleMongoSchema, TenantMongoSchema, UserMongoSchema, UserApiKeyMongoSchema, UserSessionMongoSchema, UserLoginFailMongoSchema, UserPasswordHistoryMongoSchema, 
 //Sqlite Repositories
-RoleSqliteRepository, TenantSqliteRepository, UserSqliteRepository, UserApiKeySqliteRepository, UserLoginFailSqliteRepository, UserSessionSqliteRepository, 
+RoleSqliteRepository, TenantSqliteRepository, UserSqliteRepository, UserApiKeySqliteRepository, UserLoginFailSqliteRepository, UserSessionSqliteRepository, UserPasswordHistorySqliteRepository, 
 //Config
-IdentityConfig, 
+IdentityConfig, PasswordPolicyConfig, 
 //Errors
-BadCredentialsError, 
+BadCredentialsError, defaultPasswordPolicy, PasswordPolicySchema, 
 //Setup
-LoadIdentityConfigFromEnv, LoadPermissions, CreateOrUpdateRole, CreateUserIfNotExist, CreateTenantIfNotExist, RecoveryUserPassword };
+LoadIdentityConfigFromEnv, LoadPermissions, CreateOrUpdateRole, CreateUserIfNotExist, CreateTenantIfNotExist, RecoveryUserPassword, SetProjectPasswordPolicy };

package/dist/interfaces/IUserPasswordHistory.js

@@ -0,0 +1 @@
+export {};

package/dist/interfaces/IUserPasswordHistoryRepository.js

@@ -0,0 +1 @@
+export {};

package/dist/models/UserPasswordHistoryModel.js

@@ -0,0 +1,30 @@
+import { mongoose } from "@drax/common-back";
+import uniqueValidator from "mongoose-unique-validator";
+import mongoosePaginate from "mongoose-paginate-v2";
+const UserPasswordHistoryMongoSchema = new mongoose.Schema({
+    user: { type: String, required: true, index: true },
+    passwordHash: { type: String, required: true, index: false }
+}, { timestamps: true });
+UserPasswordHistoryMongoSchema.plugin(uniqueValidator, { message: "validation.unique" });
+UserPasswordHistoryMongoSchema.plugin(mongoosePaginate);
+UserPasswordHistoryMongoSchema.virtual("id").get(function () {
+    return this._id.toString();
+});
+UserPasswordHistoryMongoSchema.set("toJSON", { getters: true, virtuals: true });
+UserPasswordHistoryMongoSchema.set("toObject", { getters: true, virtuals: true });
+const MODEL_NAME = "UserPasswordHistory";
+const COLLECTION_NAME = "user_password_history";
+let UserPasswordHistoryModel;
+try {
+    UserPasswordHistoryModel = mongoose.model(MODEL_NAME, UserPasswordHistoryMongoSchema, COLLECTION_NAME);
+}
+catch (e) {
+    if (e.name === "OverwriteModelError") {
+        UserPasswordHistoryModel = mongoose.model(MODEL_NAME);
+    }
+    else {
+        throw e;
+    }
+}
+export { UserPasswordHistoryMongoSchema, UserPasswordHistoryModel };
+export default UserPasswordHistoryModel;

package/dist/policies/defaultPasswordPolicy.js

@@ -0,0 +1,12 @@
+const defaultPasswordPolicy = {
+    minLength: 8,
+    maxLength: 64,
+    requireUppercase: true,
+    requireLowercase: true,
+    requireNumber: true,
+    requireSpecialChar: false,
+    disallowSpaces: true,
+    preventReuse: 3,
+    expirationDays: null
+};
+export { defaultPasswordPolicy };

package/dist/repository/mongo/UserPasswordHistoryMongoRepository.js

@@ -0,0 +1,20 @@
+import { AbstractMongoRepository } from "@drax/crud-back";
+import { UserPasswordHistoryModel } from "../../models/UserPasswordHistoryModel.js";
+class UserPasswordHistoryMongoRepository extends AbstractMongoRepository {
+    constructor() {
+        super();
+        this._model = UserPasswordHistoryModel;
+        this._searchFields = ["user"];
+        this._populateFields = ["user"];
+    }
+    async findLatestByUserId(userId, limit) {
+        return UserPasswordHistoryModel
+            .find({ user: userId })
+            .sort({ createdAt: -1 })
+            .limit(limit)
+            .lean(true)
+            .exec();
+    }
+}
+export default UserPasswordHistoryMongoRepository;
+export { UserPasswordHistoryMongoRepository };

package/dist/repository/sqlite/UserPasswordHistorySqliteRepository.js

@@ -0,0 +1,38 @@
+import { AbstractSqliteRepository } from "@drax/crud-back";
+class UserPasswordHistorySqliteRepository extends AbstractSqliteRepository {
+    constructor() {
+        super(...arguments);
+        this.tableName = "user_password_history";
+        this.searchFields = [];
+        this.booleanFields = [];
+        this.identifier = "_id";
+        this.populateFields = [
+            { field: "user", table: "users", identifier: "_id" }
+        ];
+        this.tableFields = [
+            { name: "user", type: "TEXT", unique: false, primary: false },
+            { name: "passwordHash", type: "TEXT", unique: false, primary: false },
+            { name: "createdAt", type: "TEXT", unique: false, primary: false },
+            { name: "updatedAt", type: "TEXT", unique: false, primary: false },
+        ];
+    }
+    async prepareData() {
+    }
+    async prepareItem(item) {
+        if (item.createdAt && typeof item.createdAt === "string") {
+            item.createdAt = new Date(item.createdAt);
+        }
+        if (item.updatedAt && typeof item.updatedAt === "string") {
+            item.updatedAt = new Date(item.updatedAt);
+        }
+    }
+    async findLatestByUserId(userId, limit) {
+        const rows = this.db.prepare(`SELECT * FROM ${this.tableName} WHERE user = ? ORDER BY createdAt DESC LIMIT ?`).all(userId, limit);
+        for (const row of rows) {
+            await this.decorate(row);
+        }
+        return rows;
+    }
+}
+export default UserPasswordHistorySqliteRepository;
+export { UserPasswordHistorySqliteRepository };

package/dist/resolver/PasswordPolicyResolver.js

@@ -0,0 +1,27 @@
+import { defaultPasswordPolicy } from "../policies/defaultPasswordPolicy.js";
+import { PartialPasswordPolicySchema, PasswordPolicySchema } from "../schemas/PasswordPolicySchema.js";
+import getPasswordEnvPolicy from "../utils/getPasswordEnvPolicy.js";
+class PasswordPolicyResolver {
+    constructor() {
+        this.projectPolicy = {};
+    }
+    setProjectPolicy(projectPolicy) {
+        this.projectPolicy = projectPolicy;
+    }
+    async resolve() {
+        const projectPolicy = await this.getProjectPolicy();
+        const envPolicy = getPasswordEnvPolicy();
+        return PasswordPolicySchema.parse({
+            ...defaultPasswordPolicy,
+            ...projectPolicy,
+            ...envPolicy
+        });
+    }
+    async getProjectPolicy() {
+        return this.projectPolicy
+            ? PartialPasswordPolicySchema.parse(this.projectPolicy)
+            : {};
+    }
+}
+export default PasswordPolicyResolver;
+export { PasswordPolicyResolver };

package/dist/routes/UserRoutes.js

@@ -6,6 +6,7 @@ import { RegisterBodyRequestSchema, RegisterBodyResponseSchema } from "../schema
 import { MyPasswordBodyRequestSchema, PasswordBodyRequestSchema, PasswordBodyResponseSchema } from "../schemas/PasswordSchema.js";
 import { SwitchTenantBodyRequestSchema, SwitchTenantBodyResponseSchema } from "../schemas/SwitchTenantSchema.js";
 import zod from "zod";
+import { PasswordPolicySchema } from "../schemas/PasswordPolicySchema.js";
 async function UserRoutes(fastify, options) {
     const controller = new UserController();
     const schemas = new CrudSchemaBuilder(UserSchema, UserCreateSchema, UserUpdateSchema, 'tenant', 'openapi-3.0', ['Identity']);
@@ -26,6 +27,15 @@ async function UserRoutes(fastify, options) {
             },
         },
     }, (req, rep) => controller.auth(req, rep));
+    fastify.get('/api/auth/password-policy', {
+        schema: {
+            tags: ['Auth'],
+            response: {
+                200: zod.toJSONSchema(PasswordPolicySchema),
+                500: schemas.jsonErrorBodyResponse,
+            },
+        },
+    }, (req, rep) => controller.passwordPolicy(req, rep));
     fastify.get('/api/auth/me', {
         schema: {
             tags: ['Auth'],

package/dist/schemas/PasswordPolicySchema.js

@@ -0,0 +1,18 @@
+import z from "zod";
+const PasswordPolicySchemaBase = z.object({
+    minLength: z.number().int().min(1),
+    maxLength: z.number().int().min(1),
+    requireUppercase: z.boolean(),
+    requireLowercase: z.boolean(),
+    requireNumber: z.boolean(),
+    requireSpecialChar: z.boolean(),
+    disallowSpaces: z.boolean(),
+    preventReuse: z.number().int().min(0),
+    expirationDays: z.number().int().min(1).nullable(),
+});
+const PasswordPolicySchema = PasswordPolicySchemaBase.refine((policy) => policy.maxLength >= policy.minLength, {
+    message: "validation.password.maxLength",
+    path: ["maxLength"]
+});
+const PartialPasswordPolicySchema = PasswordPolicySchemaBase.partial();
+export { PasswordPolicySchema, PartialPasswordPolicySchema };

package/dist/schemas/RegisterSchema.js

@@ -7,9 +7,7 @@ const RegisterBodyRequestSchema = z.object({
     email: email("validation.email.invalid"),
     phone: string({ error: "validation.required" }).optional(),
     password: string({ error: "validation.required" })
-        .min(1, "validation.required")
-        .min(8, "validation.password.min8")
-        .max(64, "validation.password.max64"),
+        .min(1, "validation.required"),
 });
 const RegisterBodyResponseSchema = z.object({
     success: z.boolean(),

package/dist/schemas/UserSchema.js

@@ -13,9 +13,7 @@ const UserBaseSchema = object({
 });
 const UserCreateSchema = UserBaseSchema.extend({
     password: string({ error: "validation.required" })
-        .min(1, "validation.required")
-        .min(8, "validation.password.min8")
-        .max(64, "validation.password.max64"),
+        .min(1, "validation.required"),
 });
 const UserUpdateSchema = UserBaseSchema.extend({});
 const UserSchema = UserBaseSchema

package/dist/security/constants/defaultPasswordPolicy.js

@@ -0,0 +1,12 @@
+const defaultPasswordPolicy = {
+    minLength: 8,
+    maxLength: 64,
+    requireUppercase: true,
+    requireLowercase: true,
+    requireNumber: true,
+    requireSpecialChar: false,
+    disallowSpaces: true,
+    preventReuse: 3,
+    expirationDays: null
+};
+export { defaultPasswordPolicy };

package/dist/security/interfaces/IPasswordPolicy.js

@@ -0,0 +1 @@
+export {};

package/dist/security/interfaces/IPasswordPolicyProjectContext.js

@@ -0,0 +1 @@
+export {};

package/dist/security/schemas/PasswordPolicySchema.js

@@ -0,0 +1,18 @@
+import z from "zod";
+const PasswordPolicySchemaBase = z.object({
+    minLength: z.number().int().min(1),
+    maxLength: z.number().int().min(1),
+    requireUppercase: z.boolean(),
+    requireLowercase: z.boolean(),
+    requireNumber: z.boolean(),
+    requireSpecialChar: z.boolean(),
+    disallowSpaces: z.boolean(),
+    preventReuse: z.number().int().min(0),
+    expirationDays: z.number().int().min(1).nullable(),
+});
+const PasswordPolicySchema = PasswordPolicySchemaBase.refine((policy) => policy.maxLength >= policy.minLength, {
+    message: "validation.password.maxLength",
+    path: ["maxLength"]
+});
+const PartialPasswordPolicySchema = PasswordPolicySchemaBase.partial();
+export { PasswordPolicySchema, PartialPasswordPolicySchema };

package/dist/security/services/PasswordPolicyResolver.js

@@ -0,0 +1,21 @@
+import { defaultPasswordPolicy } from "../constants/defaultPasswordPolicy.js";
+import { PartialPasswordPolicySchema, PasswordPolicySchema } from "../schemas/PasswordPolicySchema.js";
+import getPasswordEnvPolicy from "../utils/getPasswordEnvPolicy.js";
+class PasswordPolicyResolver {
+    async resolve(projectContext) {
+        const projectPolicy = await this.getProjectPolicy(projectContext);
+        const envPolicy = getPasswordEnvPolicy();
+        return PasswordPolicySchema.parse({
+            ...defaultPasswordPolicy,
+            ...projectPolicy,
+            ...envPolicy
+        });
+    }
+    async getProjectPolicy(projectContext) {
+        return projectContext?.projectPolicy
+            ? PartialPasswordPolicySchema.parse(projectContext.projectPolicy)
+            : {};
+    }
+}
+export default PasswordPolicyResolver;
+export { PasswordPolicyResolver };

package/dist/security/services/PasswordPolicyService.js

@@ -0,0 +1,147 @@
+import { randomInt } from "crypto";
+import { ZodError } from "zod";
+import { ValidationError, ZodErrorToValidationError } from "@drax/common-back";
+import AuthUtils from "../../utils/AuthUtils.js";
+import PasswordPolicySchemaFactory from "../utils/PasswordPolicySchemaFactory.js";
+class PasswordPolicyService {
+    constructor(resolver, userRepository, userPasswordHistoryService) {
+        this.resolver = resolver;
+        this.userRepository = userRepository;
+        this.userPasswordHistoryService = userPasswordHistoryService;
+    }
+    async getFinalPolicy(projectContext) {
+        return this.resolver.resolve(projectContext);
+    }
+    async getPasswordSchema(projectContext) {
+        const policy = await this.getFinalPolicy(projectContext);
+        return PasswordPolicySchemaFactory.create(policy);
+    }
+    async validatePassword(password, projectContext, options) {
+        const field = options?.field || "password";
+        try {
+            const schema = await this.getPasswordSchema(projectContext);
+            await schema.parseAsync(password);
+        }
+        catch (e) {
+            if (e instanceof ZodError) {
+                const validationError = ZodErrorToValidationError(e, { [field]: password });
+                validationError.errors = validationError.errors.map((error) => ({ ...error, field }));
+                throw validationError;
+            }
+            throw e;
+        }
+        if (options?.userId) {
+            await this.validateBusinessRules(password, options.userId, projectContext, {
+                field,
+                currentPasswordHash: options.currentPasswordHash
+            });
+        }
+    }
+    async generateCompatiblePassword(projectContext) {
+        const policy = await this.getFinalPolicy(projectContext);
+        const uppercaseChars = "ABCDEFGHJKLMNPQRSTUVWXYZ";
+        const lowercaseChars = "abcdefghijkmnopqrstuvwxyz";
+        const numericChars = "23456789";
+        const specialChars = "!@#$%&*_-+=";
+        const fallbackSpecial = policy.disallowSpaces ? "!" : " ";
+        const combinedChars = [
+            uppercaseChars,
+            lowercaseChars,
+            numericChars,
+            policy.requireSpecialChar ? specialChars : "",
+            policy.disallowSpaces ? "" : " "
+        ].join("") || `${uppercaseChars}${lowercaseChars}${numericChars}${fallbackSpecial}`;
+        const chars = [];
+        if (policy.requireUppercase) {
+            chars.push(this.randomChar(uppercaseChars));
+        }
+        if (policy.requireLowercase) {
+            chars.push(this.randomChar(lowercaseChars));
+        }
+        if (policy.requireNumber) {
+            chars.push(this.randomChar(numericChars));
+        }
+        if (policy.requireSpecialChar) {
+            chars.push(this.randomChar(specialChars));
+        }
+        if (!chars.length) {
+            chars.push(this.randomChar(`${uppercaseChars}${lowercaseChars}${numericChars}`));
+        }
+        while (chars.length < policy.minLength) {
+            chars.push(this.randomChar(combinedChars));
+        }
+        const password = this.shuffle(chars).join("").slice(0, policy.maxLength);
+        await this.validatePassword(password, projectContext);
+        return password;
+    }
+    async getPasswordStatus(user, projectContext) {
+        const policy = await this.getFinalPolicy(projectContext);
+        if (!policy.expirationDays) {
+            return { expired: false, expiresAt: null };
+        }
+        const lastPasswordChange = await this.getLastPasswordChangeDate(user);
+        if (!lastPasswordChange) {
+            return { expired: false, expiresAt: null };
+        }
+        const expiresAt = new Date(lastPasswordChange);
+        expiresAt.setDate(expiresAt.getDate() + policy.expirationDays);
+        return {
+            expired: expiresAt.getTime() <= Date.now(),
+            expiresAt
+        };
+    }
+    async recordPassword(userId, passwordHash) {
+        await this.userPasswordHistoryService?.create(userId, passwordHash);
+    }
+    async validateBusinessRules(password, userId, projectContext, options) {
+        const policy = await this.getFinalPolicy(projectContext);
+        if (!policy.preventReuse) {
+            return;
+        }
+        const field = options?.field || "password";
+        const recentHashes = await this.getRecentPasswordHashes(userId, policy.preventReuse, options?.currentPasswordHash);
+        const reused = recentHashes.some((item) => AuthUtils.checkPassword(password, item.passwordHash));
+        if (reused) {
+            throw new ValidationError([{ field, reason: "validation.password.preventReuse" }]);
+        }
+    }
+    async getRecentPasswordHashes(userId, limit, currentPasswordHash) {
+        const recent = await this.userPasswordHistoryService?.findLatestByUserId(userId, limit) || [];
+        const hashes = [...recent];
+        if (currentPasswordHash && !hashes.some((item) => item.passwordHash === currentPasswordHash)) {
+            hashes.unshift({ user: userId, passwordHash: currentPasswordHash });
+        }
+        else if (!currentPasswordHash && this.userRepository) {
+            const user = await this.userRepository.findByIdWithPassword(userId);
+            if (user?.password && !hashes.some((item) => item.passwordHash === user.password)) {
+                hashes.unshift({ user: userId, passwordHash: user.password });
+            }
+        }
+        return hashes.slice(0, limit);
+    }
+    async getLastPasswordChangeDate(user) {
+        if (!user?._id || !this.userPasswordHistoryService) {
+            return user?.updatedAt ? new Date(user.updatedAt) : user?.createdAt ? new Date(user.createdAt) : null;
+        }
+        const latest = await this.userPasswordHistoryService.findLatestByUserId(user._id.toString(), 1);
+        if (latest[0]?.createdAt) {
+            return new Date(latest[0].createdAt);
+        }
+        return user?.updatedAt ? new Date(user.updatedAt) : user?.createdAt ? new Date(user.createdAt) : null;
+    }
+    randomChar(source) {
+        return source[randomInt(0, source.length)];
+    }
+    shuffle(chars) {
+        const items = [...chars];
+        for (let i = items.length - 1; i > 0; i -= 1) {
+            const j = randomInt(0, i + 1);
+            const temp = items[i];
+            items[i] = items[j];
+            items[j] = temp;
+        }
+        return items;
+    }
+}
+export default PasswordPolicyService;
+export { PasswordPolicyService };