@drax/identity-back 3.14.0 → 3.15.0

package/src/index.ts

@@ -5,6 +5,8 @@ import TenantServiceFactory from "./factory/TenantServiceFactory.js";
 import UserApiKeyServiceFactory from "./factory/UserApiKeyServiceFactory.js";
 import UserLoginFailServiceFactory from "./factory/UserLoginFailServiceFactory.js";
 import UserSessionServiceFactory from "./factory/UserSessionServiceFactory.js";
+import PasswordPolicyServiceFactory from "./factory/PasswordPolicyServiceFactory.js";
+import UserPasswordHistoryServiceFactory from "./factory/UserPasswordHistoryServiceFactory.js";
 
 import RoleService from "./services/RoleService.js";
 import UserService from "./services/UserService.js";
@@ -13,6 +15,9 @@ import PermissionService from "./services/PermissionService.js";
 import UserApiKeyService from "./services/UserApiKeyService.js";
 import UserSessionService from "./services/UserSessionService.js";
 import UserLoginFailService from "./services/UserLoginFailService.js";
+import UserPasswordHistoryService from "./services/UserPasswordHistoryService.js";
+import PasswordPolicyService from "./services/PasswordPolicyService.js";
+import PasswordPolicyResolver from "./resolver/PasswordPolicyResolver.js";
 
 import Rbac from "./rbac/Rbac.js";
 
@@ -29,6 +34,7 @@ import {rbacMiddleware} from "./middleware/rbacMiddleware.js";
 import {apiKeyMiddleware} from "./middleware/apiKeyMiddleware.js";
 
 import IdentityConfig from "./config/IdentityConfig.js";
+import PasswordPolicyConfig from "./config/PasswordPolicyConfig.js";
 import BadCredentialsError from "./errors/BadCredentialsError.js";
 
 import CreateUserIfNotExist from "./setup/CreateUserIfNotExist.js";
@@ -37,6 +43,7 @@ import CreateOrUpdateRole from "./setup/CreateOrUpdateRole.js";
 import LoadPermissions from "./setup/LoadPermissions.js";
 import LoadIdentityConfigFromEnv from "./setup/LoadIdentityConfigFromEnv.js";
 import RecoveryUserPassword from "./setup/RecoveryUserPassword.js";
+import SetProjectPasswordPolicy from "./setup/SetProjectPasswordPolicy.js";
 
 import type {IRoleRepository} from "./interfaces/IRoleRepository";
 import type {ITenantRepository} from "./interfaces/ITenantRepository";
@@ -44,6 +51,7 @@ import type {IUserRepository} from "./interfaces/IUserRepository";
 import type {IUserApiKeyRepository} from "./interfaces/IUserApiKeyRepository";
 import type {IUserLoginFailRepository} from "./interfaces/IUserLoginFailRepository";
 import type {IUserSessionRepository} from "./interfaces/IUserSessionRepository";
+import type {IUserPasswordHistoryRepository} from "./interfaces/IUserPasswordHistoryRepository";
 
 import {RoleModel, RoleMongoSchema} from "./models/RoleModel.js";
 import {TenantModel, TenantMongoSchema} from "./models/TenantModel.js";
@@ -51,6 +59,7 @@ import {UserModel, UserMongoSchema} from "./models/UserModel.js";
 import {UserApiKeyModel, UserApiKeyMongoSchema} from "./models/UserApiKeyModel.js";
 import {UserSessionModel,UserSessionMongoSchema} from "./models/UserSessionModel.js";
 import {UserLoginFailModel,UserLoginFailMongoSchema} from "./models/UserLoginFailModel.js";
+import {UserPasswordHistoryModel, UserPasswordHistoryMongoSchema} from "./models/UserPasswordHistoryModel.js";
 
 
 import RoleMongoRepository from "./repository/mongo/RoleMongoRepository.js";
@@ -59,6 +68,7 @@ import UserMongoRepository from "./repository/mongo/UserMongoRepository.js";
 import UserApiKeyMongoRepository from "./repository/mongo/UserApiKeyMongoRepository.js";
 import UserSessionMongoRepository from "./repository/mongo/UserSessionMongoRepository.js";
 import UserLoginFailMongoRepository from "./repository/mongo/UserLoginFailMongoRepository.js";
+import UserPasswordHistoryMongoRepository from "./repository/mongo/UserPasswordHistoryMongoRepository.js";
 
 import RoleSqliteRepository from "./repository/sqlite/RoleSqliteRepository.js";
 import TenantSqliteRepository from "./repository/sqlite/TenantSqliteRepository.js";
@@ -66,6 +76,7 @@ import UserSqliteRepository from "./repository/sqlite/UserSqliteRepository.js";
 import UserApiKeySqliteRepository from "./repository/sqlite/UserApiKeySqliteRepository.js";
 import UserLoginFailSqliteRepository from "./repository/sqlite/UserLoginFailSqliteRepository.js";
 import UserSessionSqliteRepository from "./repository/sqlite/UserSessionSqliteRepository.js";
+import UserPasswordHistorySqliteRepository from "./repository/sqlite/UserPasswordHistorySqliteRepository.js";
 
 
 import {RolePermissions} from "./permissions/RolePermissions.js";
@@ -81,6 +92,8 @@ import {RoleSchema, RoleBaseSchema} from "./schemas/RoleSchema.js";
 import {UserApiKeySchema, UserApiKeyBaseSchema} from "./schemas/UserApiKeySchema.js";
 import {UserLoginFailBaseSchema, UserLoginFailSchema} from "./schemas/UserLoginFailSchema.js";
 import {UserSessionBaseSchema, UserSessionSchema} from "./schemas/UserSessionSchema.js";
+import {defaultPasswordPolicy} from "./policies/defaultPasswordPolicy.js";
+import {PasswordPolicySchema} from "./schemas/PasswordPolicySchema.js";
 
 
 const graphqlMergeResult = await GraphqlMerge()
@@ -95,6 +108,7 @@ export type {
     IUserApiKeyRepository,
     IUserLoginFailRepository,
     IUserSessionRepository,
+    IUserPasswordHistoryRepository,
 }
 
 export {
@@ -118,6 +132,9 @@ export {
     UserApiKeyService,
     UserSessionService,
     UserLoginFailService,
+    UserPasswordHistoryService,
+    PasswordPolicyService,
+    PasswordPolicyResolver,
     PermissionService,
     Rbac,
 
@@ -128,6 +145,8 @@ export {
     UserApiKeyServiceFactory,
     UserSessionServiceFactory,
     UserLoginFailServiceFactory,
+    UserPasswordHistoryServiceFactory,
+    PasswordPolicyServiceFactory,
 
     //GQL
     identityTypeDefs,
@@ -163,6 +182,7 @@ export {
     UserApiKeyMongoRepository,
     UserSessionMongoRepository,
     UserLoginFailMongoRepository,
+    UserPasswordHistoryMongoRepository,
 
     //Mongo Models
     RoleModel,
@@ -171,6 +191,7 @@ export {
     UserApiKeyModel,
     UserSessionModel,
     UserLoginFailModel,
+    UserPasswordHistoryModel,
 
     RoleMongoSchema,
     TenantMongoSchema,
@@ -178,6 +199,7 @@ export {
     UserApiKeyMongoSchema,
     UserSessionMongoSchema,
     UserLoginFailMongoSchema,
+    UserPasswordHistoryMongoSchema,
 
     //Sqlite Repositories
     RoleSqliteRepository,
@@ -186,12 +208,16 @@ export {
     UserApiKeySqliteRepository,
     UserLoginFailSqliteRepository,
     UserSessionSqliteRepository,
+    UserPasswordHistorySqliteRepository,
 
     //Config
     IdentityConfig,
+    PasswordPolicyConfig,
 
     //Errors
     BadCredentialsError,
+    defaultPasswordPolicy,
+    PasswordPolicySchema,
 
     //Setup
     LoadIdentityConfigFromEnv,
@@ -199,7 +225,6 @@ export {
     CreateOrUpdateRole,
     CreateUserIfNotExist,
     CreateTenantIfNotExist,
-    RecoveryUserPassword
+    RecoveryUserPassword,
+    SetProjectPasswordPolicy
 }
-
-

package/src/interfaces/IUserPasswordHistory.ts

@@ -0,0 +1,21 @@
+interface IUserPasswordHistory {
+    _id?: string
+    id?: string
+    user: string
+    passwordHash: string
+    createdAt?: string | Date
+    updatedAt?: string | Date
+}
+
+interface IUserPasswordHistoryCreate {
+    _id?: string
+    id?: string
+    user: string
+    passwordHash: string
+    createdAt?: string | Date
+}
+
+export type {
+    IUserPasswordHistory,
+    IUserPasswordHistoryCreate
+}

package/src/interfaces/IUserPasswordHistoryRepository.ts

@@ -0,0 +1,8 @@
+import type {IUserPasswordHistory, IUserPasswordHistoryCreate} from "./IUserPasswordHistory.js";
+
+interface IUserPasswordHistoryRepository {
+    create(data: IUserPasswordHistoryCreate): Promise<IUserPasswordHistory>
+    findLatestByUserId(userId: string, limit: number): Promise<IUserPasswordHistory[]>
+}
+
+export type {IUserPasswordHistoryRepository}

package/src/models/UserPasswordHistoryModel.ts

@@ -0,0 +1,42 @@
+import {mongoose} from "@drax/common-back";
+import {PaginateModel} from "mongoose";
+import uniqueValidator from "mongoose-unique-validator";
+import mongoosePaginate from "mongoose-paginate-v2";
+import type {IUserPasswordHistory} from "../interfaces/IUserPasswordHistory.js";
+
+const UserPasswordHistoryMongoSchema = new mongoose.Schema<IUserPasswordHistory>({
+    user: {type: String, required: true, index: true},
+    passwordHash: {type: String, required: true, index: false}
+}, {timestamps: true});
+
+UserPasswordHistoryMongoSchema.plugin(uniqueValidator, {message: "validation.unique"});
+UserPasswordHistoryMongoSchema.plugin(mongoosePaginate);
+
+UserPasswordHistoryMongoSchema.virtual("id").get(function () {
+    return this._id.toString();
+});
+
+UserPasswordHistoryMongoSchema.set("toJSON", {getters: true, virtuals: true});
+UserPasswordHistoryMongoSchema.set("toObject", {getters: true, virtuals: true});
+
+const MODEL_NAME = "UserPasswordHistory";
+const COLLECTION_NAME = "user_password_history";
+
+let UserPasswordHistoryModel;
+
+try {
+    UserPasswordHistoryModel = mongoose.model<IUserPasswordHistory, PaginateModel<IUserPasswordHistory>>(MODEL_NAME, UserPasswordHistoryMongoSchema, COLLECTION_NAME);
+} catch (e) {
+    if (e.name === "OverwriteModelError") {
+        UserPasswordHistoryModel = mongoose.model<IUserPasswordHistory, PaginateModel<IUserPasswordHistory>>(MODEL_NAME);
+    } else {
+        throw e;
+    }
+}
+
+export {
+    UserPasswordHistoryMongoSchema,
+    UserPasswordHistoryModel
+}
+
+export default UserPasswordHistoryModel

package/src/policies/defaultPasswordPolicy.ts

@@ -0,0 +1,17 @@
+import type {IPasswordPolicy} from "@drax/identity-share/dist";
+
+const defaultPasswordPolicy: IPasswordPolicy = {
+    minLength: 8,
+    maxLength: 64,
+    requireUppercase: true,
+    requireLowercase: true,
+    requireNumber: true,
+    requireSpecialChar: false,
+    disallowSpaces: true,
+    preventReuse: 3,
+    expirationDays: null
+}
+
+export {
+    defaultPasswordPolicy
+}

package/src/repository/mongo/UserPasswordHistoryMongoRepository.ts

@@ -0,0 +1,25 @@
+import {AbstractMongoRepository} from "@drax/crud-back";
+import type {IUserPasswordHistoryRepository} from "../../interfaces/IUserPasswordHistoryRepository.js";
+import type {IUserPasswordHistory, IUserPasswordHistoryCreate} from "../../interfaces/IUserPasswordHistory.js";
+import {UserPasswordHistoryModel} from "../../models/UserPasswordHistoryModel.js";
+
+class UserPasswordHistoryMongoRepository extends AbstractMongoRepository<IUserPasswordHistory, IUserPasswordHistoryCreate, IUserPasswordHistoryCreate> implements IUserPasswordHistoryRepository {
+    constructor() {
+        super();
+        this._model = UserPasswordHistoryModel;
+        this._searchFields = ["user"];
+        this._populateFields = ["user"];
+    }
+
+    async findLatestByUserId(userId: string, limit: number): Promise<IUserPasswordHistory[]> {
+        return UserPasswordHistoryModel
+            .find({user: userId})
+            .sort({createdAt: -1})
+            .limit(limit)
+            .lean(true)
+            .exec() as Promise<IUserPasswordHistory[]>
+    }
+}
+
+export default UserPasswordHistoryMongoRepository
+export {UserPasswordHistoryMongoRepository}

package/src/repository/sqlite/UserPasswordHistorySqliteRepository.ts

@@ -0,0 +1,47 @@
+import type {SqliteTableField} from "@drax/common-back";
+import {AbstractSqliteRepository} from "@drax/crud-back";
+import type {IUserPasswordHistoryRepository} from "../../interfaces/IUserPasswordHistoryRepository.js";
+import type {IUserPasswordHistory, IUserPasswordHistoryCreate} from "../../interfaces/IUserPasswordHistory.js";
+
+class UserPasswordHistorySqliteRepository extends AbstractSqliteRepository<IUserPasswordHistory, IUserPasswordHistoryCreate, IUserPasswordHistoryCreate> implements IUserPasswordHistoryRepository {
+    protected db: any;
+    protected tableName: string = "user_password_history";
+    protected dataBaseFile: string;
+    protected searchFields: string[] = [];
+    protected booleanFields: string[] = [];
+    protected identifier: string = "_id";
+    protected populateFields = [
+        {field: "user", table: "users", identifier: "_id"}
+    ]
+    protected tableFields: SqliteTableField[] = [
+        {name: "user", type: "TEXT", unique: false, primary: false},
+        {name: "passwordHash", type: "TEXT", unique: false, primary: false},
+        {name: "createdAt", type: "TEXT", unique: false, primary: false},
+        {name: "updatedAt", type: "TEXT", unique: false, primary: false},
+    ]
+    protected verbose: boolean;
+
+    async prepareData(): Promise<void> {
+    }
+
+    async prepareItem(item: IUserPasswordHistory): Promise<void> {
+        if (item.createdAt && typeof item.createdAt === "string") {
+            item.createdAt = new Date(item.createdAt)
+        }
+
+        if (item.updatedAt && typeof item.updatedAt === "string") {
+            item.updatedAt = new Date(item.updatedAt)
+        }
+    }
+
+    async findLatestByUserId(userId: string, limit: number): Promise<IUserPasswordHistory[]> {
+        const rows = this.db.prepare(`SELECT * FROM ${this.tableName} WHERE user = ? ORDER BY createdAt DESC LIMIT ?`).all(userId, limit);
+        for (const row of rows) {
+            await this.decorate(row)
+        }
+        return rows
+    }
+}
+
+export default UserPasswordHistorySqliteRepository
+export {UserPasswordHistorySqliteRepository}

package/src/resolver/PasswordPolicyResolver.ts

@@ -0,0 +1,33 @@
+import type {IPasswordPolicy, IPasswordPolicyProject} from "@drax/identity-share";
+import {defaultPasswordPolicy} from "../policies/defaultPasswordPolicy.js";
+import {PartialPasswordPolicySchema, PasswordPolicySchema} from "../schemas/PasswordPolicySchema.js";
+import getPasswordEnvPolicy from "../utils/getPasswordEnvPolicy.js";
+
+class PasswordPolicyResolver {
+
+    private projectPolicy : IPasswordPolicyProject = {};
+
+    setProjectPolicy (projectPolicy : IPasswordPolicyProject){
+        this.projectPolicy = projectPolicy;
+    }
+
+    async resolve(): Promise<IPasswordPolicy> {
+        const projectPolicy = await this.getProjectPolicy()
+        const envPolicy = getPasswordEnvPolicy()
+
+        return PasswordPolicySchema.parse({
+            ...defaultPasswordPolicy,
+            ...projectPolicy,
+            ...envPolicy
+        }) as IPasswordPolicy
+    }
+
+    private async getProjectPolicy(): Promise<Partial<IPasswordPolicy>> {
+        return this.projectPolicy
+            ? PartialPasswordPolicySchema.parse(this.projectPolicy)
+            : {}
+    }
+}
+
+export default PasswordPolicyResolver
+export {PasswordPolicyResolver}

package/src/routes/UserRoutes.ts

@@ -10,6 +10,7 @@ import {
 } from "../schemas/PasswordSchema.js";
 import {SwitchTenantBodyRequestSchema, SwitchTenantBodyResponseSchema} from "../schemas/SwitchTenantSchema.js";
 import zod from "zod"
+import {PasswordPolicySchema} from "../schemas/PasswordPolicySchema.js";
 
 async function UserRoutes(fastify, options) {
 
@@ -44,6 +45,16 @@ async function UserRoutes(fastify, options) {
         },
         (req, rep) => controller.auth(req, rep))
 
+    fastify.get('/api/auth/password-policy', {
+        schema: {
+            tags: ['Auth'],
+            response: {
+                200: zod.toJSONSchema(PasswordPolicySchema),
+                500: schemas.jsonErrorBodyResponse,
+            },
+        },
+    }, (req, rep) => controller.passwordPolicy(req, rep))
+
     fastify.get('/api/auth/me', {
         schema: {
             tags: ['Auth'],

package/src/schemas/PasswordPolicySchema.ts

@@ -0,0 +1,29 @@
+import z from "zod";
+
+const PasswordPolicySchemaBase = z.object({
+    minLength: z.number().int().min(1),
+    maxLength: z.number().int().min(1),
+    requireUppercase: z.boolean(),
+    requireLowercase: z.boolean(),
+    requireNumber: z.boolean(),
+    requireSpecialChar: z.boolean(),
+    disallowSpaces: z.boolean(),
+    preventReuse: z.number().int().min(0),
+    expirationDays: z.number().int().min(1).nullable(),
+})
+
+const PasswordPolicySchema = PasswordPolicySchemaBase.refine((
+        policy) =>
+        policy.maxLength >= policy.minLength,
+    {
+        message: "validation.password.maxLength",
+        path: ["maxLength"]
+    }
+);
+
+const PartialPasswordPolicySchema = PasswordPolicySchemaBase.partial();
+
+export {
+    PasswordPolicySchema,
+    PartialPasswordPolicySchema
+}

package/src/schemas/RegisterSchema.ts

@@ -8,9 +8,7 @@ const RegisterBodyRequestSchema = z.object({
     email: email("validation.email.invalid"),
     phone: string({ error: "validation.required" }).optional(),
     password: string({ error: "validation.required" })
-        .min(1, "validation.required")
-        .min(8, "validation.password.min8")
-        .max(64, "validation.password.max64"),
+        .min(1, "validation.required"),
 });
 
 const RegisterBodyResponseSchema = z.object({

package/src/schemas/UserSchema.ts

@@ -17,9 +17,7 @@ const UserBaseSchema = object({
 
 const UserCreateSchema = UserBaseSchema.extend({
     password: string({error: "validation.required"})
-        .min(1, "validation.required")
-        .min(8, "validation.password.min8")
-        .max(64, "validation.password.max64"),
+        .min(1, "validation.required"),
 });
 
 

package/src/services/PasswordPolicyService.ts

@@ -0,0 +1,184 @@
+import {randomInt} from "crypto";
+import {ZodError, ZodType} from "zod";
+import {ValidationError, ZodErrorToValidationError} from "@drax/common-back";
+import type {IUser} from "@drax/identity-share";
+import type {IUserPasswordHistory} from "../interfaces/IUserPasswordHistory";
+import type {IPasswordPolicy} from "@drax/identity-share";
+import type UserPasswordHistoryService from "./UserPasswordHistoryService";
+import type {IUserRepository} from "../interfaces/IUserRepository";
+import AuthUtils from "../utils/AuthUtils.js";
+import PasswordPolicyResolver from "../resolver/PasswordPolicyResolver.js";
+import PasswordPolicySchemaFactory from "../utils/PasswordPolicySchemaFactory.js";
+
+interface IValidatePasswordOptions {
+    field?: string
+    userId?: string
+    currentPasswordHash?: string
+}
+
+class PasswordPolicyService {
+    constructor(
+        private readonly resolver: PasswordPolicyResolver,
+        private readonly userRepository?: IUserRepository,
+        private readonly userPasswordHistoryService?: UserPasswordHistoryService
+    ) {
+    }
+
+    async getFinalPolicy(): Promise<IPasswordPolicy> {
+        return this.resolver.resolve()
+    }
+
+    async getPasswordSchema(): Promise<ZodType<string>> {
+        const policy = await this.getFinalPolicy()
+        return PasswordPolicySchemaFactory.create(policy)
+    }
+
+    async validatePassword(password: string,  options?: IValidatePasswordOptions): Promise<void> {
+        const field = options?.field || "password"
+        try {
+            const schema = await this.getPasswordSchema()
+            await schema.parseAsync(password)
+        } catch (e) {
+            if (e instanceof ZodError) {
+                const validationError = ZodErrorToValidationError(e, {[field]: password})
+                validationError.errors = validationError.errors.map((error) => ({...error, field}))
+                throw validationError
+            }
+            throw e
+        }
+
+        if (options?.userId) {
+            await this.validateReuse(password, options.userId, {
+                field,
+                currentPasswordHash: options.currentPasswordHash
+            })
+        }
+    }
+
+    async generateCompatiblePassword(): Promise<string> {
+        const policy = await this.getFinalPolicy()
+        const uppercaseChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+        const lowercaseChars = "abcdefghijkmnopqrstuvwxyz"
+        const numericChars = "0123456789"
+        const specialChars = "!@#$%&*_-+="
+        const fallbackSpecial = policy.disallowSpaces ? "!" : " "
+        const combinedChars = [
+            uppercaseChars,
+            lowercaseChars,
+            numericChars,
+            policy.requireSpecialChar ? specialChars : "",
+            policy.disallowSpaces ? "" : " "
+        ].join("") || `${uppercaseChars}${lowercaseChars}${numericChars}${fallbackSpecial}`
+
+        const chars: string[] = []
+
+        if (policy.requireUppercase) {
+            chars.push(this.randomChar(uppercaseChars))
+        }
+        if (policy.requireLowercase) {
+            chars.push(this.randomChar(lowercaseChars))
+        }
+        if (policy.requireNumber) {
+            chars.push(this.randomChar(numericChars))
+        }
+        if (policy.requireSpecialChar) {
+            chars.push(this.randomChar(specialChars))
+        }
+        if (!chars.length) {
+            chars.push(this.randomChar(`${uppercaseChars}${lowercaseChars}${numericChars}`))
+        }
+
+        while (chars.length < policy.minLength) {
+            chars.push(this.randomChar(combinedChars))
+        }
+
+        const password = this.shuffle(chars).join("").slice(0, policy.maxLength)
+        await this.validatePassword(password)
+        return password
+    }
+
+    async getPasswordExpiration(user: IUser): Promise<{expired: boolean, expiresAt: Date | null}> {
+        const policy = await this.getFinalPolicy()
+        if (!policy.expirationDays) {
+            return {expired: false, expiresAt: null}
+        }
+
+        const lastPasswordChange = await this.getLastPasswordChangeDate(user)
+        if (!lastPasswordChange) {
+            return {expired: false, expiresAt: null}
+        }
+
+        const expiresAt = new Date(lastPasswordChange)
+        expiresAt.setDate(expiresAt.getDate() + policy.expirationDays)
+
+        return {
+            expired: expiresAt.getTime() <= Date.now(),
+            expiresAt
+        }
+    }
+
+    async recordPassword(userId: string, passwordHash: string): Promise<void> {
+        await this.userPasswordHistoryService?.create(userId, passwordHash)
+    }
+
+    private async validateReuse(password: string, userId: string, options?: {field: string, currentPasswordHash?: string}): Promise<void> {
+        const policy = await this.getFinalPolicy()
+        if (!policy.preventReuse) {
+            return
+        }
+
+        const field = options?.field || "password"
+        const recentHashes = await this.getRecentPasswordHashes(userId, policy.preventReuse, options?.currentPasswordHash)
+        const reused = recentHashes.some((item) => AuthUtils.checkPassword(password, item.passwordHash))
+        if (reused) {
+            throw new ValidationError([{field, reason: "validation.password.preventReuse"}])
+        }
+    }
+
+    private async getRecentPasswordHashes(userId: string, limit: number, currentPasswordHash?: string): Promise<IUserPasswordHistory[]> {
+        const recent = await this.userPasswordHistoryService?.findLatestByUserId(userId, limit) || []
+        const hashes = [...recent]
+
+        if (currentPasswordHash && !hashes.some((item) => item.passwordHash === currentPasswordHash)) {
+            hashes.unshift({user: userId, passwordHash: currentPasswordHash})
+        } else if (!currentPasswordHash && this.userRepository) {
+            const user = await this.userRepository.findByIdWithPassword(userId)
+            if (user?.password && !hashes.some((item) => item.passwordHash === user.password)) {
+                hashes.unshift({user: userId, passwordHash: user.password})
+            }
+        }
+
+        return hashes.slice(0, limit)
+    }
+
+    private async getLastPasswordChangeDate(user: IUser): Promise<Date | null> {
+        if (!user?._id || !this.userPasswordHistoryService) {
+            return user?.updatedAt ? new Date(user.updatedAt) : user?.createdAt ? new Date(user.createdAt) : null
+        }
+
+        const latest = await this.userPasswordHistoryService.findLatestByUserId(user._id.toString(), 1)
+        if (latest[0]?.createdAt) {
+            return new Date(latest[0].createdAt)
+        }
+
+        return user?.updatedAt ? new Date(user.updatedAt) : user?.createdAt ? new Date(user.createdAt) : null
+    }
+
+    private randomChar(source: string): string {
+        return source[randomInt(0, source.length)]
+    }
+
+    private shuffle(chars: string[]): string[] {
+        const items = [...chars]
+        for (let i = items.length - 1; i > 0; i -= 1) {
+            const j = randomInt(0, i + 1)
+            const temp = items[i]
+            items[i] = items[j]
+            items[j] = temp
+        }
+        return items
+    }
+}
+
+export default PasswordPolicyService
+export {PasswordPolicyService}

package/src/services/UserPasswordHistoryService.ts

@@ -0,0 +1,23 @@
+import type {IUserPasswordHistoryRepository} from "../interfaces/IUserPasswordHistoryRepository.js";
+import type {IUserPasswordHistory} from "../interfaces/IUserPasswordHistory.js";
+
+class UserPasswordHistoryService {
+    constructor(private readonly repository: IUserPasswordHistoryRepository) {
+    }
+
+    async create(userId: string, passwordHash: string): Promise<IUserPasswordHistory> {
+        return this.repository.create({
+            user: userId,
+            passwordHash
+        })
+    }
+
+    async findLatestByUserId(userId: string, limit: number): Promise<IUserPasswordHistory[]> {
+        if (limit <= 0) {
+            return []
+        }
+        return this.repository.findLatestByUserId(userId, limit)
+    }
+}
+
+export default UserPasswordHistoryService