@flowerforce/flowerbase 1.2.0 → 1.2.1-beta.10

package/README.md

@@ -96,6 +96,13 @@ Ensure the following environment variables are set in your .env file or deployme
 | `APP_SECRET`           | Secret used to sign and verify JWT tokens (choose a strong secret).         | `supersecretkey123!`                               |
 | `HOST`                 | The host address the server binds to (usually `0.0.0.0` for public access). | `0.0.0.0`                                          |
 | `HTTPS_SCHEMA`         | The schema for your server requests (usually `https` or `http`).            | `http`                                             |
+| `RESET_PASSWORD_TTL_SECONDS` | Time-to-live for password reset tokens (in seconds).                  | `3600`                                             |
+| `AUTH_RATE_LIMIT_WINDOW_MS`  | Rate limit window for auth endpoints (in ms).                          | `900000`                                           |
+| `AUTH_LOGIN_MAX_ATTEMPTS`    | Max login attempts per window.                                         | `10`                                               |
+| `AUTH_RESET_MAX_ATTEMPTS`    | Max reset requests per window.                                         | `5`                                                |
+| `REFRESH_TOKEN_TTL_DAYS`     | Refresh token time-to-live (in days).                                  | `60`                                               |
+| `SWAGGER_UI_USER`      | Basic Auth username for Swagger UI (optional).                            | `admin`                                            |
+| `SWAGGER_UI_PASSWORD`  | Basic Auth password for Swagger UI (optional).                            | `change-me`                                        |
 
 
 Example:
@@ -106,6 +113,13 @@ DB_CONNECTION_STRING=mongodb+srv://username:password@cluster.mongodb.net/dbname
 APP_SECRET=your-jwt-secret
 HOST=0.0.0.0
 HTTPS_SCHEMA=http
+RESET_PASSWORD_TTL_SECONDS=3600
+AUTH_RATE_LIMIT_WINDOW_MS=900000
+AUTH_LOGIN_MAX_ATTEMPTS=10
+AUTH_RESET_MAX_ATTEMPTS=5
+REFRESH_TOKEN_TTL_DAYS=60
+SWAGGER_UI_USER=admin
+SWAGGER_UI_PASSWORD=change-me
 ```
 
 🛡️ Note: Never commit .env files to source control. Use a .gitignore file to exclude it.
@@ -406,6 +420,13 @@ Ensure the following environment variables are set in your .env file or deployme
 | `APP_SECRET`           | Secret used to sign and verify JWT tokens (choose a strong secret).         | `supersecretkey123!`                               |
 | `HOST`                 | The host address the server binds to (usually `0.0.0.0` for public access). | `0.0.0.0`                                          |
 | `HTTPS_SCHEMA`         | The schema for your server requests (usually `https` or `http`).            | `http`                                             |
+| `RESET_PASSWORD_TTL_SECONDS` | Time-to-live for password reset tokens (in seconds).                  | `3600`                                             |
+| `AUTH_RATE_LIMIT_WINDOW_MS`  | Rate limit window for auth endpoints (in ms).                          | `900000`                                           |
+| `AUTH_LOGIN_MAX_ATTEMPTS`    | Max login attempts per window.                                         | `10`                                               |
+| `AUTH_RESET_MAX_ATTEMPTS`    | Max reset requests per window.                                         | `5`                                                |
+| `REFRESH_TOKEN_TTL_DAYS`     | Refresh token time-to-live (in days).                                  | `60`                                               |
+| `SWAGGER_UI_USER`      | Basic Auth username for Swagger UI (optional).                            | `admin`                                            |
+| `SWAGGER_UI_PASSWORD`  | Basic Auth password for Swagger UI (optional).                            | `change-me`                                        |
 
 
 Example:
@@ -416,6 +437,13 @@ DB_CONNECTION_STRING=mongodb+srv://username:password@cluster.mongodb.net/dbname
 APP_SECRET=your-jwt-secret
 HOST=0.0.0.0
 HTTPS_SCHEMA=http
+RESET_PASSWORD_TTL_SECONDS=3600
+AUTH_RATE_LIMIT_WINDOW_MS=900000
+AUTH_LOGIN_MAX_ATTEMPTS=10
+AUTH_RESET_MAX_ATTEMPTS=5
+REFRESH_TOKEN_TTL_DAYS=60
+SWAGGER_UI_USER=admin
+SWAGGER_UI_PASSWORD=change-me
 ```
 
 🛡️ Note: Never commit .env files to source control. Use a .gitignore file to exclude it.
@@ -472,6 +500,3 @@ export default app;
 
 >🔗 The baseUrl should point to the backend URL you deployed earlier using Flowerbase.
 This tells the frontend SDK where to send authentication and data requests.
-
-
-

package/dist/auth/controller.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../src/auth/controller.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAOzC;;;;GAIG;AACH,wBAAsB,cAAc,CAAC,GAAG,EAAE,eAAe,iBA2ExD"}
+{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../src/auth/controller.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAQzC;;;;GAIG;AACH,wBAAsB,cAAc,CAAC,GAAG,EAAE,eAAe,iBA4IxD"}

package/dist/auth/controller.js

@@ -13,6 +13,7 @@ exports.authController = authController;
 const bson_1 = require("bson");
 const constants_1 = require("../constants");
 const utils_1 = require("./utils");
+const crypto_1 = require("../utils/crypto");
 const HANDLER_TYPE = 'preHandler';
 /**
  * Controller for handling user authentication, profile retrieval, and session management.
@@ -21,8 +22,15 @@ const HANDLER_TYPE = 'preHandler';
  */
 function authController(app) {
     return __awaiter(this, void 0, void 0, function* () {
-        const { authCollection, userCollection } = constants_1.AUTH_CONFIG;
+        const { authCollection, userCollection, refreshTokensCollection } = constants_1.AUTH_CONFIG;
         const db = app.mongo.client.db(constants_1.DB_NAME);
+        const refreshTokenTtlMs = constants_1.DEFAULT_CONFIG.REFRESH_TOKEN_TTL_DAYS * 24 * 60 * 60 * 1000;
+        try {
+            yield db.collection(refreshTokensCollection).createIndex({ expiresAt: 1 }, { expireAfterSeconds: 0 });
+        }
+        catch (error) {
+            console.error('Failed to ensure refresh token TTL index', error);
+        }
         app.addHook(HANDLER_TYPE, app.jwtAuthentication);
         /**
          * Endpoint to retrieve the authenticated user's profile.
@@ -33,6 +41,9 @@ function authController(app) {
          */
         app.get(utils_1.AUTH_ENDPOINTS.PROFILE, function (req) {
             return __awaiter(this, void 0, void 0, function* () {
+                if (req.user.typ !== 'access') {
+                    throw new Error('Access token required');
+                }
                 const user = yield db
                     .collection(authCollection)
                     .findOne({ _id: bson_1.ObjectId.createFromHexString(req.user.id) });
@@ -61,6 +72,20 @@ function authController(app) {
                 if (req.user.typ !== 'refresh') {
                     throw new Error(utils_1.AUTH_ERRORS.INVALID_TOKEN);
                 }
+                const authHeader = req.headers.authorization;
+                if (!(authHeader === null || authHeader === void 0 ? void 0 : authHeader.startsWith('Bearer '))) {
+                    throw new Error(utils_1.AUTH_ERRORS.INVALID_TOKEN);
+                }
+                const refreshToken = authHeader.slice('Bearer '.length).trim();
+                const refreshTokenHash = (0, crypto_1.hashToken)(refreshToken);
+                const storedToken = yield db.collection(refreshTokensCollection).findOne({
+                    tokenHash: refreshTokenHash,
+                    revokedAt: null,
+                    expiresAt: { $gt: new Date() }
+                });
+                if (!storedToken) {
+                    throw new Error(utils_1.AUTH_ERRORS.INVALID_TOKEN);
+                }
                 const auth_user = yield (db === null || db === void 0 ? void 0 : db.collection(authCollection).findOne({ _id: new this.mongo.ObjectId(req.user.sub) }));
                 if (!auth_user) {
                     throw new Error(`User with ID ${req.user.sub} not found`);
@@ -77,9 +102,38 @@ function authController(app) {
         /**
            * Endpoint to destroy the existing session.
            */
-        app.delete(utils_1.AUTH_ENDPOINTS.SESSION, function () {
+        app.delete(utils_1.AUTH_ENDPOINTS.SESSION, function (req, res) {
             return __awaiter(this, void 0, void 0, function* () {
-                return { status: "ok" };
+                var _a, _b;
+                const authHeader = req.headers.authorization;
+                if (!(authHeader === null || authHeader === void 0 ? void 0 : authHeader.startsWith('Bearer '))) {
+                    res.status(204);
+                    return;
+                }
+                const refreshToken = authHeader.slice('Bearer '.length).trim();
+                const refreshTokenHash = (0, crypto_1.hashToken)(refreshToken);
+                const now = new Date();
+                const expiresAt = new Date(Date.now() + refreshTokenTtlMs);
+                const updateResult = yield db.collection(refreshTokensCollection).findOneAndUpdate({ tokenHash: refreshTokenHash }, {
+                    $set: {
+                        revokedAt: now,
+                        expiresAt
+                    }
+                }, { returnDocument: 'after' });
+                const fromToken = (_a = req.user) === null || _a === void 0 ? void 0 : _a.sub;
+                let userId = (_b = updateResult === null || updateResult === void 0 ? void 0 : updateResult.value) === null || _b === void 0 ? void 0 : _b.userId;
+                if (!userId && fromToken) {
+                    try {
+                        userId = new bson_1.ObjectId(fromToken);
+                    }
+                    catch (_c) {
+                        userId = fromToken;
+                    }
+                }
+                if (userId && authCollection) {
+                    yield db.collection(authCollection).updateOne({ _id: userId }, { $set: { lastLogoutAt: now } });
+                }
+                return { status: 'ok' };
             });
         });
     });

package/dist/auth/plugins/jwt.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../../src/auth/plugins/jwt.ts"],"names":[],"mappings":"AAIA,KAAK,OAAO,GAAG;IACb,MAAM,EAAE,MAAM,CAAA;CACf,CAAA;AAED;;;;;;;GAOG;iUAC8C,OAAO;AAAxD,wBAwDE"}
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../../src/auth/plugins/jwt.ts"],"names":[],"mappings":"AAKA,KAAK,OAAO,GAAG;IACb,MAAM,EAAE,MAAM,CAAA;CACf,CAAA;AAQD;;;;;;;GAOG;iUAC8C,OAAO;AAAxD,wBA4GE"}

package/dist/auth/plugins/jwt.js

@@ -15,6 +15,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const jwt_1 = __importDefault(require("@fastify/jwt"));
 const fastify_plugin_1 = __importDefault(require("fastify-plugin"));
 const mongodb_1 = require("mongodb");
+const constants_1 = require("../../constants");
 /**
  * This module is a Fastify plugin that sets up JWT-based authentication and token creation.
  * It registers JWT authentication, and provides methods to create access and refresh tokens.
@@ -31,12 +32,57 @@ exports.default = (0, fastify_plugin_1.default)(function (fastify, opts) {
         });
         fastify.decorate('jwtAuthentication', function (request, reply) {
             return __awaiter(this, void 0, void 0, function* () {
+                var _a, _b, _c;
                 try {
                     yield request.jwtVerify();
                 }
                 catch (err) {
-                    // TODO: handle error
-                    reply.send(err);
+                    fastify.log.warn({ err }, 'JWT authentication failed');
+                    reply.code(401).send({ message: 'Unauthorized' });
+                    return;
+                }
+                if (((_a = request.user) === null || _a === void 0 ? void 0 : _a.typ) !== 'access') {
+                    return;
+                }
+                const db = (_c = (_b = fastify.mongo) === null || _b === void 0 ? void 0 : _b.client) === null || _c === void 0 ? void 0 : _c.db(constants_1.DB_NAME);
+                if (!db) {
+                    fastify.log.warn('Mongo client unavailable while checking logout state');
+                    return;
+                }
+                if (!request.user.sub) {
+                    reply.code(401).send({ message: 'Unauthorized' });
+                    return;
+                }
+                let authUser;
+                try {
+                    authUser = yield db
+                        .collection(constants_1.AUTH_CONFIG.authCollection)
+                        .findOne({ _id: new mongodb_1.ObjectId(request.user.sub) });
+                }
+                catch (err) {
+                    fastify.log.warn({ err }, 'Failed to lookup user during JWT authentication');
+                    reply.code(401).send({ message: 'Unauthorized' });
+                    return;
+                }
+                if (!authUser) {
+                    reply.code(401).send({ message: 'Unauthorized' });
+                    return;
+                }
+                const lastLogoutAt = authUser.lastLogoutAt ? new Date(authUser.lastLogoutAt) : null;
+                const accessUser = request.user;
+                const rawIssuedAt = accessUser.iat;
+                const issuedAt = typeof rawIssuedAt === 'number'
+                    ? rawIssuedAt
+                    : typeof rawIssuedAt === 'string'
+                        ? Number(rawIssuedAt)
+                        : undefined;
+                if (lastLogoutAt &&
+                    !Number.isNaN(lastLogoutAt.getTime()) &&
+                    typeof issuedAt === 'number' &&
+                    !Number.isNaN(issuedAt) &&
+                    lastLogoutAt.getTime() >= issuedAt * 1000) {
+                    reply.code(401).send({ message: 'Unauthorized' });
+                    return;
                 }
             });
         });
@@ -63,7 +109,7 @@ exports.default = (0, fastify_plugin_1.default)(function (fastify, opts) {
                 baas_id: BAAS_ID
             }, {
                 sub: user._id.toJSON(),
-                expiresIn: '60d'
+                expiresIn: `${constants_1.DEFAULT_CONFIG.REFRESH_TOKEN_TTL_DAYS}d`
             });
         });
     });

package/dist/auth/providers/custom-function/controller.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/custom-function/controller.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAezC;;;;GAIG;AACH,wBAAsB,wBAAwB,CAAC,GAAG,EAAE,eAAe,iBA8ElE"}
+{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/custom-function/controller.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAgBzC;;;;GAIG;AACH,wBAAsB,wBAAwB,CAAC,GAAG,EAAE,eAAe,iBA8FlE"}

package/dist/auth/providers/custom-function/controller.js

@@ -18,6 +18,7 @@ const handleUserRegistration_1 = __importDefault(require("../../../shared/handle
 const handleUserRegistration_model_1 = require("../../../shared/models/handleUserRegistration.model");
 const state_1 = require("../../../state");
 const context_1 = require("../../../utils/context");
+const crypto_1 = require("../../../utils/crypto");
 const utils_1 = require("../../utils");
 const schema_1 = require("./schema");
 /**
@@ -29,6 +30,9 @@ function customFunctionController(app) {
     return __awaiter(this, void 0, void 0, function* () {
         const functionsList = state_1.StateManager.select('functions');
         const services = state_1.StateManager.select('services');
+        const db = app.mongo.client.db(constants_1.DB_NAME);
+        const { refreshTokensCollection } = constants_1.AUTH_CONFIG;
+        const refreshTokenTtlMs = constants_1.DEFAULT_CONFIG.REFRESH_TOKEN_TTL_DAYS * 24 * 60 * 60 * 1000;
         /**
          * Endpoint for user login.
          *
@@ -68,17 +72,29 @@ function customFunctionController(app) {
                 });
                 if (res.id) {
                     const user = yield (0, handleUserRegistration_1.default)(app, { run_as_system: true, skipUserCheck: true, provider: handleUserRegistration_model_1.PROVIDER.CUSTOM_FUNCTION })({ email: res.id, password: (0, utils_1.generatePassword)() });
+                    if (!(user === null || user === void 0 ? void 0 : user.insertedId)) {
+                        throw new Error('Failed to register custom user');
+                    }
                     const currentUserData = {
                         _id: user.insertedId,
                         user_data: {
-                            _id: user.insertedId,
+                            _id: user.insertedId
                         }
                     };
+                    const refreshToken = this.createRefreshToken(currentUserData);
+                    const refreshTokenHash = (0, crypto_1.hashToken)(refreshToken);
+                    yield db.collection(refreshTokensCollection).insertOne({
+                        userId: user.insertedId,
+                        tokenHash: refreshTokenHash,
+                        createdAt: new Date(),
+                        expiresAt: new Date(Date.now() + refreshTokenTtlMs),
+                        revokedAt: null
+                    });
                     return {
                         access_token: this.createAccessToken(currentUserData),
-                        refresh_token: this.createRefreshToken(currentUserData),
+                        refresh_token: refreshToken,
                         device_id: '',
-                        user_id: user.insertedId.toString(),
+                        user_id: user.insertedId.toString()
                     };
                 }
                 throw new Error("Authentication Failed");

package/dist/auth/providers/local-userpass/controller.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/local-userpass/controller.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAuBzC;;;;GAIG;AACH,wBAAsB,uBAAuB,CAAC,GAAG,EAAE,eAAe,iBAkOjE"}
+{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/local-userpass/controller.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAmCzC;;;;GAIG;AACH,wBAAsB,uBAAuB,CAAC,GAAG,EAAE,eAAe,iBA+RjE"}

package/dist/auth/providers/local-userpass/controller.js

@@ -13,15 +13,23 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.localUserPassController = localUserPassController;
-const mail_1 = __importDefault(require("@sendgrid/mail"));
 const constants_1 = require("../../../constants");
-const services_1 = require("../../../services");
 const handleUserRegistration_1 = __importDefault(require("../../../shared/handleUserRegistration"));
 const handleUserRegistration_model_1 = require("../../../shared/models/handleUserRegistration.model");
 const state_1 = require("../../../state");
 const context_1 = require("../../../utils/context");
 const crypto_1 = require("../../../utils/crypto");
 const utils_1 = require("../../utils");
+const rateLimitStore = new Map();
+const isRateLimited = (key, maxAttempts, windowMs) => {
+    var _a;
+    const now = Date.now();
+    const existing = (_a = rateLimitStore.get(key)) !== null && _a !== void 0 ? _a : [];
+    const recent = existing.filter((timestamp) => now - timestamp < windowMs);
+    recent.push(now);
+    rateLimitStore.set(key, recent);
+    return recent.length > maxAttempts;
+};
 /**
  * Controller for handling local user registration and login.
  * @testable
@@ -29,9 +37,59 @@ const utils_1 = require("../../utils");
  */
 function localUserPassController(app) {
     return __awaiter(this, void 0, void 0, function* () {
-        const functionsList = state_1.StateManager.select('functions');
-        const { authCollection, userCollection, user_id_field, on_user_creation_function_name } = constants_1.AUTH_CONFIG;
+        const { authCollection, userCollection, user_id_field } = constants_1.AUTH_CONFIG;
+        const { resetPasswordCollection } = constants_1.AUTH_CONFIG;
+        const { refreshTokensCollection } = constants_1.AUTH_CONFIG;
         const db = app.mongo.client.db(constants_1.DB_NAME);
+        const resetPasswordTtlSeconds = constants_1.DEFAULT_CONFIG.RESET_PASSWORD_TTL_SECONDS;
+        const rateLimitWindowMs = constants_1.DEFAULT_CONFIG.AUTH_RATE_LIMIT_WINDOW_MS;
+        const loginMaxAttempts = constants_1.DEFAULT_CONFIG.AUTH_LOGIN_MAX_ATTEMPTS;
+        const resetMaxAttempts = constants_1.DEFAULT_CONFIG.AUTH_RESET_MAX_ATTEMPTS;
+        const refreshTokenTtlMs = constants_1.DEFAULT_CONFIG.REFRESH_TOKEN_TTL_DAYS * 24 * 60 * 60 * 1000;
+        try {
+            yield db.collection(resetPasswordCollection).createIndex({ createdAt: 1 }, { expireAfterSeconds: resetPasswordTtlSeconds });
+        }
+        catch (error) {
+            console.error('Failed to ensure reset password TTL index', error);
+        }
+        try {
+            yield db.collection(refreshTokensCollection).createIndex({ expiresAt: 1 }, { expireAfterSeconds: 0 });
+        }
+        catch (error) {
+            console.error('Failed to ensure refresh token TTL index', error);
+        }
+        const handleResetPasswordRequest = (email, password, extraArguments) => __awaiter(this, void 0, void 0, function* () {
+            const { resetPasswordConfig } = constants_1.AUTH_CONFIG;
+            const authUser = yield db.collection(authCollection).findOne({
+                email
+            });
+            if (!authUser) {
+                return;
+            }
+            const token = (0, crypto_1.generateToken)();
+            const tokenId = (0, crypto_1.generateToken)();
+            yield (db === null || db === void 0 ? void 0 : db.collection(resetPasswordCollection).updateOne({ email }, { $set: { token, tokenId, email, createdAt: new Date() } }, { upsert: true }));
+            if (!resetPasswordConfig.runResetFunction && !resetPasswordConfig.resetFunctionName) {
+                throw new Error(utils_1.AUTH_ERRORS.MISSING_RESET_FUNCTION);
+            }
+            if (resetPasswordConfig.runResetFunction && resetPasswordConfig.resetFunctionName) {
+                const functionsList = state_1.StateManager.select('functions');
+                const services = state_1.StateManager.select('services');
+                const currentFunction = functionsList[resetPasswordConfig.resetFunctionName];
+                const baseArgs = { token, tokenId, email, password, username: email };
+                const args = Array.isArray(extraArguments) ? [baseArgs, ...extraArguments] : [baseArgs];
+                yield (0, context_1.GenerateContext)({
+                    args,
+                    app,
+                    rules: {},
+                    user: {},
+                    currentFunction,
+                    functionsList,
+                    services
+                });
+                return;
+            }
+        });
         /**
          * Endpoint for user registration.
          *
@@ -44,8 +102,12 @@ function localUserPassController(app) {
             schema: utils_1.REGISTRATION_SCHEMA
         }, (req, res) => __awaiter(this, void 0, void 0, function* () {
             const result = yield (0, handleUserRegistration_1.default)(app, { run_as_system: true, provider: handleUserRegistration_model_1.PROVIDER.LOCAL_USERPASS })({ email: req.body.email.toLowerCase(), password: req.body.password });
+            if (!(result === null || result === void 0 ? void 0 : result.insertedId)) {
+                res === null || res === void 0 ? void 0 : res.status(500);
+                throw new Error('Failed to register user');
+            }
             res === null || res === void 0 ? void 0 : res.status(201);
-            return { userId: result === null || result === void 0 ? void 0 : result.insertedId.toString() };
+            return { userId: result.insertedId.toString() };
         }));
         /**
          * Endpoint for user login.
@@ -56,8 +118,13 @@ function localUserPassController(app) {
          */
         app.post(utils_1.AUTH_ENDPOINTS.LOGIN, {
             schema: utils_1.LOGIN_SCHEMA
-        }, function (req) {
+        }, function (req, res) {
             return __awaiter(this, void 0, void 0, function* () {
+                const key = `login:${req.ip}`;
+                if (isRateLimited(key, loginMaxAttempts, rateLimitWindowMs)) {
+                    res.status(429).send({ message: 'Too many requests' });
+                    return;
+                }
                 const authUser = yield db.collection(authCollection).findOne({
                     email: req.body.username
                 });
@@ -74,7 +141,7 @@ function localUserPassController(app) {
                         .findOne({ [user_id_field]: authUser._id.toString() })
                     : {};
                 authUser === null || authUser === void 0 ? true : delete authUser.password;
-                const userWithCustomData = Object.assign(Object.assign({}, authUser), { user_data: user, id: authUser._id.toString() });
+                const userWithCustomData = Object.assign(Object.assign({}, authUser), { user_data: Object.assign(Object.assign({}, (user || {})), { _id: authUser._id }), data: { email: authUser.email }, id: authUser._id.toString() });
                 if (authUser && authUser.status === 'pending') {
                     try {
                         yield (db === null || db === void 0 ? void 0 : db.collection(authCollection).updateOne({ _id: authUser._id }, {
@@ -87,35 +154,18 @@ function localUserPassController(app) {
                         console.log('>>> 🚀 ~ localUserPassController ~ error:', error);
                     }
                 }
-                if (authUser &&
-                    authUser.status === 'pending' &&
-                    on_user_creation_function_name &&
-                    functionsList[on_user_creation_function_name]) {
-                    try {
-                        yield (0, context_1.GenerateContext)({
-                            args: [
-                                {
-                                    operationType: 'CREATE',
-                                    providers: 'local-userpass',
-                                    user: userWithCustomData,
-                                    time: new Date().getTime()
-                                }
-                            ],
-                            app,
-                            rules: {},
-                            user: userWithCustomData,
-                            currentFunction: functionsList[on_user_creation_function_name],
-                            functionsList,
-                            services: services_1.services
-                        });
-                    }
-                    catch (error) {
-                        console.log('localUserPassController - /login - GenerateContext - CATCH:', error);
-                    }
-                }
+                const refreshToken = this.createRefreshToken(userWithCustomData);
+                const refreshTokenHash = (0, crypto_1.hashToken)(refreshToken);
+                yield db.collection(refreshTokensCollection).insertOne({
+                    userId: authUser._id,
+                    tokenHash: refreshTokenHash,
+                    createdAt: new Date(),
+                    expiresAt: new Date(Date.now() + refreshTokenTtlMs),
+                    revokedAt: null
+                });
                 return {
                     access_token: this.createAccessToken(userWithCustomData),
-                    refresh_token: this.createRefreshToken(userWithCustomData),
+                    refresh_token: refreshToken,
                     device_id: '',
                     user_id: authUser._id.toString()
                 };
@@ -124,48 +174,40 @@ function localUserPassController(app) {
         /**
          * Endpoint for reset password.
          *
-         * @route {POST} /reset/call
+         * @route {POST} /reset/send
          * @param {ResetPasswordDto} req - The request object with th reset request.
          * @returns {Promise<void>}
          */
         app.post(utils_1.AUTH_ENDPOINTS.RESET, {
-            schema: utils_1.RESET_SCHEMA
-        }, function (req) {
+            schema: utils_1.RESET_SEND_SCHEMA
+        }, function (req, res) {
             return __awaiter(this, void 0, void 0, function* () {
-                const { resetPasswordCollection, resetPasswordConfig } = constants_1.AUTH_CONFIG;
-                const email = req.body.email;
-                const authUser = yield db.collection(authCollection).findOne({
-                    email
-                });
-                if (!authUser) {
-                    throw new Error(utils_1.AUTH_ERRORS.INVALID_CREDENTIALS);
+                const key = `reset:${req.ip}`;
+                if (isRateLimited(key, resetMaxAttempts, rateLimitWindowMs)) {
+                    res.status(429);
+                    return { message: 'Too many requests' };
                 }
-                const token = (0, crypto_1.generateToken)();
-                const tokenId = (0, crypto_1.generateToken)();
-                yield (db === null || db === void 0 ? void 0 : db.collection(resetPasswordCollection).updateOne({ email }, { $set: { token, tokenId, email, createdAt: new Date() } }, { upsert: true }));
-                if (resetPasswordConfig.runResetFunction && resetPasswordConfig.resetFunctionName) {
-                    const functionsList = state_1.StateManager.select('functions');
-                    const services = state_1.StateManager.select('services');
-                    const currentFunction = functionsList[resetPasswordConfig.resetFunctionName];
-                    yield (0, context_1.GenerateContext)({
-                        args: [{ token, tokenId, email }],
-                        app,
-                        rules: {},
-                        user: {},
-                        currentFunction,
-                        functionsList,
-                        services
-                    });
-                    return;
+                yield handleResetPasswordRequest(req.body.email);
+                res.status(202);
+                return {
+                    status: 'ok'
+                };
+            });
+        });
+        app.post(utils_1.AUTH_ENDPOINTS.RESET_CALL, {
+            schema: utils_1.RESET_CALL_SCHEMA
+        }, function (req, res) {
+            return __awaiter(this, void 0, void 0, function* () {
+                const key = `reset:${req.ip}`;
+                if (isRateLimited(key, resetMaxAttempts, rateLimitWindowMs)) {
+                    res.status(429);
+                    return { message: 'Too many requests' };
                 }
-                const { from, subject, mailToken, body } = (0, utils_1.getMailConfig)(resetPasswordConfig, token, tokenId);
-                mail_1.default.setApiKey(mailToken);
-                yield mail_1.default.send({
-                    to: email,
-                    from,
-                    subject,
-                    html: body
-                });
+                yield handleResetPasswordRequest(req.body.email, req.body.password, req.body.arguments);
+                res.status(202);
+                return {
+                    status: 'ok'
+                };
             });
         });
         /**
@@ -177,14 +219,26 @@ function localUserPassController(app) {
          */
         app.post(utils_1.AUTH_ENDPOINTS.CONFIRM_RESET, {
             schema: utils_1.CONFIRM_RESET_SCHEMA
-        }, function (req) {
+        }, function (req, res) {
             return __awaiter(this, void 0, void 0, function* () {
-                const { resetPasswordCollection } = constants_1.AUTH_CONFIG;
+                const key = `reset-confirm:${req.ip}`;
+                if (isRateLimited(key, resetMaxAttempts, rateLimitWindowMs)) {
+                    res.status(429);
+                    return { message: 'Too many requests' };
+                }
                 const { token, tokenId, password } = req.body;
                 const resetRequest = yield (db === null || db === void 0 ? void 0 : db.collection(resetPasswordCollection).findOne({ token, tokenId }));
                 if (!resetRequest) {
                     throw new Error(utils_1.AUTH_ERRORS.INVALID_RESET_PARAMS);
                 }
+                const createdAt = resetRequest.createdAt ? new Date(resetRequest.createdAt) : null;
+                const isExpired = !createdAt ||
+                    Number.isNaN(createdAt.getTime()) ||
+                    Date.now() - createdAt.getTime() > resetPasswordTtlSeconds * 1000;
+                if (isExpired) {
+                    yield (db === null || db === void 0 ? void 0 : db.collection(resetPasswordCollection).deleteOne({ _id: resetRequest._id }));
+                    throw new Error(utils_1.AUTH_ERRORS.INVALID_RESET_PARAMS);
+                }
                 const hashedPassword = yield (0, crypto_1.hashPassword)(password);
                 yield db.collection(authCollection).updateOne({ email: resetRequest.email }, {
                     $set: {

package/dist/auth/providers/local-userpass/dtos.d.ts

@@ -12,17 +12,26 @@ export type LoginSuccessDto = {
     refresh_token: string;
     user_id: string;
 };
+export type ErrorResponseDto = {
+    message: string;
+};
 export interface RegistrationDto {
     Body: RegisterUserDto;
 }
 export interface LoginDto {
     Body: LoginUserDto;
-    Reply: LoginSuccessDto;
+    Reply: LoginSuccessDto | ErrorResponseDto;
+}
+export interface ResetPasswordSendDto {
+    Body: {
+        email: string;
+    };
 }
-export interface ResetPasswordDto {
+export interface ResetPasswordCallDto {
     Body: {
         email: string;
         password: string;
+        arguments?: unknown[];
     };
 }
 export interface ConfirmResetPasswordDto {

package/dist/auth/providers/local-userpass/dtos.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"dtos.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/local-userpass/dtos.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,eAAe,GAAG;IAC5B,KAAK,EAAE,MAAM,CAAA;IACb,QAAQ,EAAE,MAAM,CAAA;CACjB,CAAA;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,EAAE,MAAM,CAAA;IAChB,QAAQ,EAAE,MAAM,CAAA;CACjB,CAAA;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,YAAY,EAAE,MAAM,CAAA;IACpB,SAAS,EAAE,MAAM,CAAA;IACjB,aAAa,EAAE,MAAM,CAAA;IACrB,OAAO,EAAE,MAAM,CAAA;CAChB,CAAA;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,eAAe,CAAA;CACtB;AAED,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,YAAY,CAAA;IAClB,KAAK,EAAE,eAAe,CAAA;CACvB;AAED,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE;QACJ,KAAK,EAAE,MAAM,CAAA;QACb,QAAQ,EAAE,MAAM,CAAA;KACjB,CAAA;CACF;AAED,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE;QACJ,KAAK,EAAE,MAAM,CAAA;QACb,OAAO,EAAE,MAAM,CAAA;QACf,QAAQ,EAAE,MAAM,CAAA;KACjB,CAAA;CACF"}
+{"version":3,"file":"dtos.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/local-userpass/dtos.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,eAAe,GAAG;IAC5B,KAAK,EAAE,MAAM,CAAA;IACb,QAAQ,EAAE,MAAM,CAAA;CACjB,CAAA;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,EAAE,MAAM,CAAA;IAChB,QAAQ,EAAE,MAAM,CAAA;CACjB,CAAA;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,YAAY,EAAE,MAAM,CAAA;IACpB,SAAS,EAAE,MAAM,CAAA;IACjB,aAAa,EAAE,MAAM,CAAA;IACrB,OAAO,EAAE,MAAM,CAAA;CAChB,CAAA;AAED,MAAM,MAAM,gBAAgB,GAAG;IAC7B,OAAO,EAAE,MAAM,CAAA;CAChB,CAAA;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,eAAe,CAAA;CACtB;AAED,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,YAAY,CAAA;IAClB,KAAK,EAAE,eAAe,GAAG,gBAAgB,CAAA;CAC1C;AAED,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE;QACJ,KAAK,EAAE,MAAM,CAAA;KACd,CAAA;CACF;AAED,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE;QACJ,KAAK,EAAE,MAAM,CAAA;QACb,QAAQ,EAAE,MAAM,CAAA;QAChB,SAAS,CAAC,EAAE,OAAO,EAAE,CAAA;KACtB,CAAA;CACF;AAED,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE;QACJ,KAAK,EAAE,MAAM,CAAA;QACb,OAAO,EAAE,MAAM,CAAA;QACf,QAAQ,EAAE,MAAM,CAAA;KACjB,CAAA;CACF"}