@drax/identity-back 3.14.0 → 3.15.0

package/dist/security/utils/PasswordPolicySchemaFactory.js

@@ -0,0 +1,36 @@
+import z from "zod";
+class PasswordPolicySchemaFactory {
+    static create(policy) {
+        const cacheKey = JSON.stringify(policy);
+        const cached = this.cache.get(cacheKey);
+        if (cached) {
+            return cached;
+        }
+        let schema = z.string({ error: "validation.required" })
+            .min(1, "validation.required")
+            .min(policy.minLength, "validation.password.minLength")
+            .max(policy.maxLength, "validation.password.maxLength");
+        if (policy.requireUppercase) {
+            schema = schema.regex(/[A-Z]/, "validation.password.requireUppercase");
+        }
+        if (policy.requireLowercase) {
+            schema = schema.regex(/[a-z]/, "validation.password.requireLowercase");
+        }
+        if (policy.requireNumber) {
+            schema = schema.regex(/[0-9]/, "validation.password.requireNumber");
+        }
+        if (policy.requireSpecialChar) {
+            schema = schema.regex(/[^A-Za-z0-9]/, "validation.password.requireSpecialChar");
+        }
+        if (policy.disallowSpaces) {
+            schema = schema.refine((value) => !/\s/.test(value), {
+                message: "validation.password.disallowSpaces"
+            });
+        }
+        this.cache.set(cacheKey, schema);
+        return schema;
+    }
+}
+PasswordPolicySchemaFactory.cache = new Map();
+export default PasswordPolicySchemaFactory;
+export { PasswordPolicySchemaFactory };

package/dist/security/utils/getPasswordEnvPolicy.js

@@ -0,0 +1,19 @@
+import { DraxConfig } from "@drax/common-back";
+import PasswordPolicyConfig from "../../config/PasswordPolicyConfig.js";
+import { PartialPasswordPolicySchema } from "../schemas/PasswordPolicySchema.js";
+function getPasswordEnvPolicy() {
+    const envPolicy = {
+        minLength: DraxConfig.getOrLoad(PasswordPolicyConfig.MinLength, "number"),
+        maxLength: DraxConfig.getOrLoad(PasswordPolicyConfig.MaxLength, "number"),
+        requireUppercase: DraxConfig.getOrLoad(PasswordPolicyConfig.RequireUppercase, "boolean"),
+        requireLowercase: DraxConfig.getOrLoad(PasswordPolicyConfig.RequireLowercase, "boolean"),
+        requireNumber: DraxConfig.getOrLoad(PasswordPolicyConfig.RequireNumber, "boolean"),
+        requireSpecialChar: DraxConfig.getOrLoad(PasswordPolicyConfig.RequireSpecialChar, "boolean"),
+        disallowSpaces: DraxConfig.getOrLoad(PasswordPolicyConfig.DisallowSpaces, "boolean"),
+        preventReuse: DraxConfig.getOrLoad(PasswordPolicyConfig.PreventReuse, "number"),
+        expirationDays: DraxConfig.getOrLoad(PasswordPolicyConfig.ExpirationDays, "number")
+    };
+    return PartialPasswordPolicySchema.parse(Object.fromEntries(Object.entries(envPolicy).filter(([, value]) => value !== undefined)));
+}
+export default getPasswordEnvPolicy;
+export { getPasswordEnvPolicy };

package/dist/services/PasswordPolicyService.js

@@ -0,0 +1,147 @@
+import { randomInt } from "crypto";
+import { ZodError } from "zod";
+import { ValidationError, ZodErrorToValidationError } from "@drax/common-back";
+import AuthUtils from "../utils/AuthUtils.js";
+import PasswordPolicySchemaFactory from "../utils/PasswordPolicySchemaFactory.js";
+class PasswordPolicyService {
+    constructor(resolver, userRepository, userPasswordHistoryService) {
+        this.resolver = resolver;
+        this.userRepository = userRepository;
+        this.userPasswordHistoryService = userPasswordHistoryService;
+    }
+    async getFinalPolicy() {
+        return this.resolver.resolve();
+    }
+    async getPasswordSchema() {
+        const policy = await this.getFinalPolicy();
+        return PasswordPolicySchemaFactory.create(policy);
+    }
+    async validatePassword(password, options) {
+        const field = options?.field || "password";
+        try {
+            const schema = await this.getPasswordSchema();
+            await schema.parseAsync(password);
+        }
+        catch (e) {
+            if (e instanceof ZodError) {
+                const validationError = ZodErrorToValidationError(e, { [field]: password });
+                validationError.errors = validationError.errors.map((error) => ({ ...error, field }));
+                throw validationError;
+            }
+            throw e;
+        }
+        if (options?.userId) {
+            await this.validateReuse(password, options.userId, {
+                field,
+                currentPasswordHash: options.currentPasswordHash
+            });
+        }
+    }
+    async generateCompatiblePassword() {
+        const policy = await this.getFinalPolicy();
+        const uppercaseChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+        const lowercaseChars = "abcdefghijkmnopqrstuvwxyz";
+        const numericChars = "0123456789";
+        const specialChars = "!@#$%&*_-+=";
+        const fallbackSpecial = policy.disallowSpaces ? "!" : " ";
+        const combinedChars = [
+            uppercaseChars,
+            lowercaseChars,
+            numericChars,
+            policy.requireSpecialChar ? specialChars : "",
+            policy.disallowSpaces ? "" : " "
+        ].join("") || `${uppercaseChars}${lowercaseChars}${numericChars}${fallbackSpecial}`;
+        const chars = [];
+        if (policy.requireUppercase) {
+            chars.push(this.randomChar(uppercaseChars));
+        }
+        if (policy.requireLowercase) {
+            chars.push(this.randomChar(lowercaseChars));
+        }
+        if (policy.requireNumber) {
+            chars.push(this.randomChar(numericChars));
+        }
+        if (policy.requireSpecialChar) {
+            chars.push(this.randomChar(specialChars));
+        }
+        if (!chars.length) {
+            chars.push(this.randomChar(`${uppercaseChars}${lowercaseChars}${numericChars}`));
+        }
+        while (chars.length < policy.minLength) {
+            chars.push(this.randomChar(combinedChars));
+        }
+        const password = this.shuffle(chars).join("").slice(0, policy.maxLength);
+        await this.validatePassword(password);
+        return password;
+    }
+    async getPasswordExpiration(user) {
+        const policy = await this.getFinalPolicy();
+        if (!policy.expirationDays) {
+            return { expired: false, expiresAt: null };
+        }
+        const lastPasswordChange = await this.getLastPasswordChangeDate(user);
+        if (!lastPasswordChange) {
+            return { expired: false, expiresAt: null };
+        }
+        const expiresAt = new Date(lastPasswordChange);
+        expiresAt.setDate(expiresAt.getDate() + policy.expirationDays);
+        return {
+            expired: expiresAt.getTime() <= Date.now(),
+            expiresAt
+        };
+    }
+    async recordPassword(userId, passwordHash) {
+        await this.userPasswordHistoryService?.create(userId, passwordHash);
+    }
+    async validateReuse(password, userId, options) {
+        const policy = await this.getFinalPolicy();
+        if (!policy.preventReuse) {
+            return;
+        }
+        const field = options?.field || "password";
+        const recentHashes = await this.getRecentPasswordHashes(userId, policy.preventReuse, options?.currentPasswordHash);
+        const reused = recentHashes.some((item) => AuthUtils.checkPassword(password, item.passwordHash));
+        if (reused) {
+            throw new ValidationError([{ field, reason: "validation.password.preventReuse" }]);
+        }
+    }
+    async getRecentPasswordHashes(userId, limit, currentPasswordHash) {
+        const recent = await this.userPasswordHistoryService?.findLatestByUserId(userId, limit) || [];
+        const hashes = [...recent];
+        if (currentPasswordHash && !hashes.some((item) => item.passwordHash === currentPasswordHash)) {
+            hashes.unshift({ user: userId, passwordHash: currentPasswordHash });
+        }
+        else if (!currentPasswordHash && this.userRepository) {
+            const user = await this.userRepository.findByIdWithPassword(userId);
+            if (user?.password && !hashes.some((item) => item.passwordHash === user.password)) {
+                hashes.unshift({ user: userId, passwordHash: user.password });
+            }
+        }
+        return hashes.slice(0, limit);
+    }
+    async getLastPasswordChangeDate(user) {
+        if (!user?._id || !this.userPasswordHistoryService) {
+            return user?.updatedAt ? new Date(user.updatedAt) : user?.createdAt ? new Date(user.createdAt) : null;
+        }
+        const latest = await this.userPasswordHistoryService.findLatestByUserId(user._id.toString(), 1);
+        if (latest[0]?.createdAt) {
+            return new Date(latest[0].createdAt);
+        }
+        return user?.updatedAt ? new Date(user.updatedAt) : user?.createdAt ? new Date(user.createdAt) : null;
+    }
+    randomChar(source) {
+        return source[randomInt(0, source.length)];
+    }
+    shuffle(chars) {
+        const items = [...chars];
+        for (let i = items.length - 1; i > 0; i -= 1) {
+            const j = randomInt(0, i + 1);
+            const temp = items[i];
+            items[i] = items[j];
+            items[j] = temp;
+        }
+        return items;
+    }
+}
+export default PasswordPolicyService;
+export { PasswordPolicyService };

package/dist/services/UserPasswordHistoryService.js

@@ -0,0 +1,18 @@
+class UserPasswordHistoryService {
+    constructor(repository) {
+        this.repository = repository;
+    }
+    async create(userId, passwordHash) {
+        return this.repository.create({
+            user: userId,
+            passwordHash
+        });
+    }
+    async findLatestByUserId(userId, limit) {
+        if (limit <= 0) {
+            return [];
+        }
+        return this.repository.findLatestByUserId(userId, limit);
+    }
+}
+export default UserPasswordHistoryService;

package/dist/services/UserService.js

@@ -7,9 +7,13 @@ import { AbstractService } from "@drax/crud-back";
 import { randomUUID } from "crypto";
 import UserLoginFailServiceFactory from "../factory/UserLoginFailServiceFactory.js";
 import UserSessionServiceFactory from "../factory/UserSessionServiceFactory.js";
+import PasswordPolicyServiceFactory from "../factory/PasswordPolicyServiceFactory.js";
+import UserPasswordHistoryServiceFactory from "../factory/UserPasswordHistoryServiceFactory.js";
 class UserService extends AbstractService {
-    constructor(userRepository) {
+    constructor(userRepository, passwordPolicyService = PasswordPolicyServiceFactory(), userPasswordHistoryService = UserPasswordHistoryServiceFactory()) {
         super(userRepository, UserBaseSchema);
+        this.passwordPolicyService = passwordPolicyService;
+        this.userPasswordHistoryService = userPasswordHistoryService;
         this._repository = userRepository;
     }
     async auth(username, password, { userAgent, ip }) {
@@ -60,7 +64,7 @@ class UserService extends AbstractService {
         console.log("auth email", email);
         user = await this.findByEmail(email);
         if (!user && createIfNotFound) {
-            userData.password = userData.password ? userData.password : randomUUID();
+            userData.password = userData.password ? userData.password : await this.passwordPolicyService.generateCompatiblePassword();
             userData.active = userData.active === undefined ? true : userData.active;
             user = await this.create(userData);
         }
@@ -85,8 +89,14 @@ class UserService extends AbstractService {
     async changeUserPassword(userId, newPassword) {
         const user = await this._repository.findByIdWithPassword(userId);
         if (user) {
-            newPassword = AuthUtils.hashPassword(newPassword);
-            await this._repository.changePassword(userId, newPassword);
+            await this.passwordPolicyService.validatePassword(newPassword, {
+                field: 'newPassword',
+                userId,
+                currentPasswordHash: user.password
+            });
+            const newPasswordHash = AuthUtils.hashPassword(newPassword);
+            await this._repository.changePassword(userId, newPasswordHash);
+            await this.userPasswordHistoryService.create(userId, newPasswordHash);
             delete user.password;
             return user;
         }
@@ -101,8 +111,14 @@ class UserService extends AbstractService {
                 throw new ValidationError([{ field: 'newPassword', reason: 'validation.password.currentDifferent' }]);
             }
             if (AuthUtils.checkPassword(currentPassword, user.password)) {
-                newPassword = AuthUtils.hashPassword(newPassword);
-                await this._repository.changePassword(userId, newPassword);
+                await this.passwordPolicyService.validatePassword(newPassword, {
+                    field: 'newPassword',
+                    userId,
+                    currentPasswordHash: user.password
+                });
+                const newPasswordHash = AuthUtils.hashPassword(newPassword);
+                await this._repository.changePassword(userId, newPasswordHash);
+                await this.userPasswordHistoryService.create(userId, newPasswordHash);
                 delete user.password;
                 return user;
             }
@@ -145,8 +161,14 @@ class UserService extends AbstractService {
         try {
             const user = await this._repository.findByRecoveryCode(recoveryCode);
             if (user && user.active) {
-                newPassword = AuthUtils.hashPassword(newPassword);
-                await this._repository.changePassword(user._id, newPassword);
+                await this.passwordPolicyService.validatePassword(newPassword, {
+                    field: 'newPassword',
+                    userId: user._id.toString(),
+                    currentPasswordHash: user.password
+                });
+                const newPasswordHash = AuthUtils.hashPassword(newPassword);
+                await this._repository.changePassword(user._id, newPasswordHash);
+                await this.userPasswordHistoryService.create(user._id.toString(), newPasswordHash);
                 await this._repository.updatePartial(user._id, { recoveryCode: null });
                 return user;
             }
@@ -210,8 +232,11 @@ class UserService extends AbstractService {
             userData.password = userData?.password.trim();
             userData.tenant = userData.tenant === "" ? null : userData.tenant;
             await UserCreateSchema.parseAsync(userData);
-            userData.password = AuthUtils.hashPassword(userData.password.trim());
+            await this.passwordPolicyService.validatePassword(userData.password);
+            const passwordHash = AuthUtils.hashPassword(userData.password.trim());
+            userData.password = passwordHash;
             const user = await this._repository.create(userData);
+            await this.userPasswordHistoryService.create(user._id.toString(), passwordHash);
             return user;
         }
         catch (e) {

package/dist/setup/LoadIdentityConfigFromEnv.js

@@ -1,5 +1,6 @@
 import { DraxConfig } from "@drax/common-back";
 import IdentityConfig from "../config/IdentityConfig.js";
+import PasswordPolicyConfig from "../config/PasswordPolicyConfig.js";
 function LoadIdentityConfigFromEnv() {
     DraxConfig.set(IdentityConfig.JwtSecret, process.env[IdentityConfig.JwtSecret]);
     DraxConfig.set(IdentityConfig.JwtExpiration, process.env[IdentityConfig.JwtExpiration]);
@@ -7,6 +8,15 @@ function LoadIdentityConfigFromEnv() {
     DraxConfig.set(IdentityConfig.ApiKeySecret, process.env[IdentityConfig.ApiKeySecret]);
     DraxConfig.set(IdentityConfig.RbacCacheTTL, process.env[IdentityConfig.RbacCacheTTL]);
     DraxConfig.set(IdentityConfig.AvatarDir, process.env[IdentityConfig.AvatarDir]);
+    DraxConfig.set(PasswordPolicyConfig.MinLength, process.env[PasswordPolicyConfig.MinLength]);
+    DraxConfig.set(PasswordPolicyConfig.MaxLength, process.env[PasswordPolicyConfig.MaxLength]);
+    DraxConfig.set(PasswordPolicyConfig.RequireUppercase, process.env[PasswordPolicyConfig.RequireUppercase]);
+    DraxConfig.set(PasswordPolicyConfig.RequireLowercase, process.env[PasswordPolicyConfig.RequireLowercase]);
+    DraxConfig.set(PasswordPolicyConfig.RequireNumber, process.env[PasswordPolicyConfig.RequireNumber]);
+    DraxConfig.set(PasswordPolicyConfig.RequireSpecialChar, process.env[PasswordPolicyConfig.RequireSpecialChar]);
+    DraxConfig.set(PasswordPolicyConfig.DisallowSpaces, process.env[PasswordPolicyConfig.DisallowSpaces]);
+    DraxConfig.set(PasswordPolicyConfig.PreventReuse, process.env[PasswordPolicyConfig.PreventReuse]);
+    DraxConfig.set(PasswordPolicyConfig.ExpirationDays, process.env[PasswordPolicyConfig.ExpirationDays]);
 }
 export default LoadIdentityConfigFromEnv;
 export { LoadIdentityConfigFromEnv };

package/dist/setup/SetProjectPasswordPolicy.js

@@ -0,0 +1,7 @@
+import PasswordPolicyResolverFactory from "../factory/PasswordPolicyResolverFactory.js";
+function SetProjectPasswordPolicy(projectPasswordPolicy) {
+    const passwordPolicyResolver = PasswordPolicyResolverFactory();
+    passwordPolicyResolver.setProjectPolicy(projectPasswordPolicy);
+}
+export default SetProjectPasswordPolicy;
+export { SetProjectPasswordPolicy };

package/dist/utils/PasswordPolicySchemaFactory.js

@@ -0,0 +1,36 @@
+import z from "zod";
+class PasswordPolicySchemaFactory {
+    static create(policy) {
+        const cacheKey = JSON.stringify(policy);
+        const cached = this.cache.get(cacheKey);
+        if (cached) {
+            return cached;
+        }
+        let schema = z.string({ error: "validation.required" })
+            .min(1, "validation.required")
+            .min(policy.minLength, "validation.password.minLength")
+            .max(policy.maxLength, "validation.password.maxLength");
+        if (policy.requireUppercase) {
+            schema = schema.regex(/[A-Z]/, "validation.password.requireUppercase");
+        }
+        if (policy.requireLowercase) {
+            schema = schema.regex(/[a-z]/, "validation.password.requireLowercase");
+        }
+        if (policy.requireNumber) {
+            schema = schema.regex(/[0-9]/, "validation.password.requireNumber");
+        }
+        if (policy.requireSpecialChar) {
+            schema = schema.regex(/[^A-Za-z0-9]/, "validation.password.requireSpecialChar");
+        }
+        if (policy.disallowSpaces) {
+            schema = schema.refine((value) => !/\s/.test(value), {
+                message: "validation.password.disallowSpaces"
+            });
+        }
+        this.cache.set(cacheKey, schema);
+        return schema;
+    }
+}
+PasswordPolicySchemaFactory.cache = new Map();
+export default PasswordPolicySchemaFactory;
+export { PasswordPolicySchemaFactory };

package/dist/utils/getPasswordEnvPolicy.js

@@ -0,0 +1,19 @@
+import { DraxConfig } from "@drax/common-back";
+import PasswordPolicyConfig from "../config/PasswordPolicyConfig.js";
+import { PartialPasswordPolicySchema } from "../schemas/PasswordPolicySchema.js";
+function getPasswordEnvPolicy() {
+    const envPolicy = {
+        minLength: DraxConfig.getOrLoad(PasswordPolicyConfig.MinLength, "number"),
+        maxLength: DraxConfig.getOrLoad(PasswordPolicyConfig.MaxLength, "number"),
+        requireUppercase: DraxConfig.getOrLoad(PasswordPolicyConfig.RequireUppercase, "boolean"),
+        requireLowercase: DraxConfig.getOrLoad(PasswordPolicyConfig.RequireLowercase, "boolean"),
+        requireNumber: DraxConfig.getOrLoad(PasswordPolicyConfig.RequireNumber, "boolean"),
+        requireSpecialChar: DraxConfig.getOrLoad(PasswordPolicyConfig.RequireSpecialChar, "boolean"),
+        disallowSpaces: DraxConfig.getOrLoad(PasswordPolicyConfig.DisallowSpaces, "boolean"),
+        preventReuse: DraxConfig.getOrLoad(PasswordPolicyConfig.PreventReuse, "number"),
+        expirationDays: DraxConfig.getOrLoad(PasswordPolicyConfig.ExpirationDays, "number")
+    };
+    return PartialPasswordPolicySchema.parse(Object.fromEntries(Object.entries(envPolicy).filter(([, value]) => value !== undefined)));
+}
+export default getPasswordEnvPolicy;
+export { getPasswordEnvPolicy };

package/docs/password-policy.md

@@ -0,0 +1,33 @@
+# Password Policy
+
+La policy efectiva se resuelve con esta prioridad:
+
+```ts
+const finalPolicy = {
+  ...defaultPasswordPolicy,
+  ...projectPolicy,
+  ...envPolicy
+}
+```
+
+## Fuentes
+
+- `defaultPasswordPolicy`: `src/security/constants/defaultPasswordPolicy.ts`
+- `projectPolicy`: override opcional in-memory vía `projectContext`
+- `envPolicy`: variables declaradas en `src/config/PasswordPolicyConfig.ts`
+
+## Endpoint
+
+- `GET /api/auth/password-policy`
+
+Devuelve la policy efectiva para que frontend pueda mostrar requisitos de password antes de enviar formularios.
+
+## Validación
+
+- Formato: `PasswordPolicySchemaFactory` genera un `ZodType<string>` dinámico
+- Negocio: `PasswordPolicyService` aplica `preventReuse` y expone base para `expirationDays`
+
+## Notas
+
+- `preventReuse` usa persistencia en `user_password_history`
+- `expirationDays` ya forma parte de la policy efectiva y del servicio, pero en esta primera versión queda informativo; no bloquea login todavía

package/package.json

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "3.14.0",
+  "version": "3.15.0",
   "description": "Identity module for user management, authentication and authorization.",
   "main": "dist/index.js",
   "types": "types/index.d.ts",
@@ -29,10 +29,10 @@
   "license": "ISC",
   "dependencies": {
     "@drax/common-back": "^3.14.0",
-    "@drax/crud-back": "^3.14.0",
+    "@drax/crud-back": "^3.15.0",
     "@drax/crud-share": "^3.14.0",
     "@drax/email-back": "^3.1.0",
-    "@drax/identity-share": "^3.0.0",
+    "@drax/identity-share": "^3.15.0",
     "bcryptjs": "^2.4.3",
     "graphql": "^16.8.2",
     "jsonwebtoken": "^9.0.2"
@@ -63,5 +63,5 @@
       "debug": "0"
     }
   },
-  "gitHead": "cec0f824be0bfff0965d7bc7b95241406c53c04d"
+  "gitHead": "a3bd3419f580b111b26da9e6be2e1cc4c75a056e"
 }

package/src/config/PasswordPolicyConfig.ts

@@ -0,0 +1,14 @@
+enum PasswordPolicyConfig {
+    MinLength = "PASSWORD_POLICY_MIN_LENGTH",
+    MaxLength = "PASSWORD_POLICY_MAX_LENGTH",
+    RequireUppercase = "PASSWORD_POLICY_REQUIRE_UPPERCASE",
+    RequireLowercase = "PASSWORD_POLICY_REQUIRE_LOWERCASE",
+    RequireNumber = "PASSWORD_POLICY_REQUIRE_NUMBER",
+    RequireSpecialChar = "PASSWORD_POLICY_REQUIRE_SPECIAL_CHAR",
+    DisallowSpaces = "PASSWORD_POLICY_DISALLOW_SPACES",
+    PreventReuse = "PASSWORD_POLICY_PREVENT_REUSE",
+    ExpirationDays = "PASSWORD_POLICY_EXPIRATION_DAYS",
+}
+
+export default PasswordPolicyConfig;
+export {PasswordPolicyConfig};

package/src/controllers/UserController.ts

@@ -20,6 +20,7 @@ import UserEmailService from "../services/UserEmailService.js";
 import {IDraxCrudEvent, IDraxFieldFilter} from "@drax/crud-share";
 import TenantServiceFactory from "../factory/TenantServiceFactory.js";
 import {CustomRequest} from "@drax/crud-back/dist";
+import PasswordPolicyServiceFactory from "../factory/PasswordPolicyServiceFactory.js";
 
 const BASE_FILE_DIR = DraxConfig.getOrLoad(CommonConfig.FileDir) || 'files';
 const AVATAR_DIR = DraxConfig.getOrLoad(IdentityConfig.AvatarDir) || 'avatar';
@@ -91,6 +92,15 @@ class UserController extends AbstractFastifyController<IUser, IUserCreate, IUser
         }
     }
 
+    async passwordPolicy(request, reply) {
+        try {
+            const passwordPolicyService = PasswordPolicyServiceFactory()
+            return await passwordPolicyService.getFinalPolicy()
+        } catch (e) {
+            this.handleError(e, reply)
+        }
+    }
+
     async me(request, reply) {
         try {
             if (request.authUser) {
@@ -504,4 +514,3 @@ export default UserController;
 export {
     UserController
 }
-

package/src/factory/PasswordPolicyResolverFactory.ts

@@ -0,0 +1,14 @@
+import PasswordPolicyResolver from "../resolver/PasswordPolicyResolver.js";
+
+let passwordPolicyResolver: PasswordPolicyResolver
+
+const PasswordPolicyResolverFactory = (): PasswordPolicyResolver => {
+    if (!passwordPolicyResolver) {
+
+        passwordPolicyResolver = new PasswordPolicyResolver()
+    }
+
+    return passwordPolicyResolver
+}
+
+export default PasswordPolicyResolverFactory

package/src/factory/PasswordPolicyServiceFactory.ts

@@ -0,0 +1,38 @@
+import PasswordPolicyService from "../services/PasswordPolicyService.js";
+import PasswordPolicyResolverFactory from "./PasswordPolicyResolverFactory.js";
+import UserPasswordHistoryServiceFactory from "./UserPasswordHistoryServiceFactory.js";
+import UserMongoRepository from "../repository/mongo/UserMongoRepository.js";
+import UserSqliteRepository from "../repository/sqlite/UserSqliteRepository.js";
+import {COMMON, CommonConfig, DraxConfig} from "@drax/common-back";
+import type {IUserRepository} from "../interfaces/IUserRepository.js";
+
+let passwordPolicyService: PasswordPolicyService
+
+const PasswordPolicyServiceFactory = (verbose: boolean = false): PasswordPolicyService => {
+    if (!passwordPolicyService) {
+        let userRepository: IUserRepository
+
+        switch (DraxConfig.getOrLoad(CommonConfig.DbEngine)) {
+            case COMMON.DB_ENGINES.MONGODB:
+                userRepository = new UserMongoRepository()
+                break;
+            case COMMON.DB_ENGINES.SQLITE:
+                userRepository = new UserSqliteRepository(DraxConfig.getOrLoad(CommonConfig.SqliteDbFile), verbose)
+                userRepository.build()
+                break;
+            default:
+                throw new Error("DraxConfig.DB_ENGINE must be one of " + Object.values(COMMON.DB_ENGINES).join(", "));
+        }
+
+        const passwordPolicyResolver = PasswordPolicyResolverFactory()
+        passwordPolicyService = new PasswordPolicyService(
+            passwordPolicyResolver,
+            userRepository,
+            UserPasswordHistoryServiceFactory(verbose)
+        )
+    }
+
+    return passwordPolicyService
+}
+
+export default PasswordPolicyServiceFactory

package/src/factory/UserPasswordHistoryServiceFactory.ts

@@ -0,0 +1,31 @@
+import {COMMON, CommonConfig, DraxConfig} from "@drax/common-back";
+import type {IUserPasswordHistoryRepository} from "../interfaces/IUserPasswordHistoryRepository.js";
+import UserPasswordHistoryMongoRepository from "../repository/mongo/UserPasswordHistoryMongoRepository.js";
+import UserPasswordHistorySqliteRepository from "../repository/sqlite/UserPasswordHistorySqliteRepository.js";
+import UserPasswordHistoryService from "../services/UserPasswordHistoryService.js";
+
+let userPasswordHistoryService: UserPasswordHistoryService
+
+const UserPasswordHistoryServiceFactory = (verbose: boolean = false): UserPasswordHistoryService => {
+    if (!userPasswordHistoryService) {
+        let repository: IUserPasswordHistoryRepository
+        switch (DraxConfig.getOrLoad(CommonConfig.DbEngine)) {
+            case COMMON.DB_ENGINES.MONGODB:
+                repository = new UserPasswordHistoryMongoRepository()
+                break;
+            case COMMON.DB_ENGINES.SQLITE:
+                const sqliteRepository = new UserPasswordHistorySqliteRepository(DraxConfig.getOrLoad(CommonConfig.SqliteDbFile), verbose)
+                sqliteRepository.build()
+                repository = sqliteRepository
+                break;
+            default:
+                throw new Error("DraxConfig.DB_ENGINE must be one of " + Object.values(COMMON.DB_ENGINES).join(", "));
+        }
+
+        userPasswordHistoryService = new UserPasswordHistoryService(repository)
+    }
+
+    return userPasswordHistoryService
+}
+
+export default UserPasswordHistoryServiceFactory

package/src/factory/UserServiceFactory.ts

@@ -3,6 +3,8 @@ import UserService from "../services/UserService.js";
 import UserSqliteRepository from "../repository/sqlite/UserSqliteRepository.js";
 import {IUserRepository} from "../interfaces/IUserRepository";
 import {COMMON, CommonConfig, DraxConfig} from "@drax/common-back";
+import PasswordPolicyServiceFactory from "./PasswordPolicyServiceFactory.js";
+import UserPasswordHistoryServiceFactory from "./UserPasswordHistoryServiceFactory.js";
 
 let userService: UserService
 
@@ -22,7 +24,11 @@ const UserServiceFactory = (verbose:boolean = false) : UserService => {
                 throw new Error("DraxConfig.DB_ENGINE must be one of " + Object.values(COMMON.DB_ENGINES).join(", "));
         }
 
-        userService = new UserService(userRepository)
+        userService = new UserService(
+            userRepository,
+            PasswordPolicyServiceFactory(verbose),
+            UserPasswordHistoryServiceFactory(verbose)
+        )
     }
 
     return userService