npm - @jmlq/auth - Versions diffs - 0.0.1-alpha.10 → 0.0.1-alpha.12 - Mend

@jmlq/auth 0.0.1-alpha.10 → 0.0.1-alpha.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (85) hide show

package/dist/application/dtos/index.d.ts CHANGED Viewed

@@ -1,3 +1,3 @@
 export * from "./request";
 export * from "./response";
-export * from "./type";
+export * from "./types";

package/dist/application/dtos/index.js CHANGED Viewed

@@ -14,6 +14,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+//src/application/dtos/index.ts
 __exportStar(require("./request"), exports);
 __exportStar(require("./response"), exports);
-__exportStar(require("./type"), exports);
+__exportStar(require("./types"), exports);

package/dist/application/dtos/request/change-password.request.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+/**
+ * Cambiar password desde formulario
+ */
+export interface ChangePasswordRequest {
+    userId: string;
+    sessionId: string;
+    currentPassword: string;
+    newPassword: string;
+    confirmNewPassword: string;
+    /**
+     * Si es true, revoca todas las sesiones del usuario.
+     * Si es false, revoca solo la sesión actual (sessionId).
+     */
+    logoutAllDevices: boolean;
+}

package/dist/application/dtos/request/index.d.ts CHANGED Viewed

@@ -2,3 +2,6 @@ export * from "./login.request";
 export * from "./logout.request";
 export * from "./refresh-token.request";
 export * from "./register-user.request";
+export * from "./request-password-reset.request";
+export * from "./reset-password.request";
+export * from "./change-password.request";

package/dist/application/dtos/request/index.js CHANGED Viewed

@@ -14,7 +14,11 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+//src/application/dtos/request/index.ts
 __exportStar(require("./login.request"), exports);
 __exportStar(require("./logout.request"), exports);
 __exportStar(require("./refresh-token.request"), exports);
 __exportStar(require("./register-user.request"), exports);
+__exportStar(require("./request-password-reset.request"), exports);
+__exportStar(require("./reset-password.request"), exports);
+__exportStar(require("./change-password.request"), exports);

package/dist/application/dtos/request/register-user.request.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { UserRole } from "../type";
+import { UserRole } from "../types";
 export interface RegisterUserRequest {
     email: string;
     password: string;

package/dist/application/dtos/request/request-password-reset.request.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+/**
+ * Solicitar un cambio de password por medio del email (inicio)
+ */
+export interface RequestPasswordResetRequest {
+    email: string;
+}

package/dist/application/dtos/request/request-password-reset.request.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ "use strict";
2	+ Object.defineProperty(exports, "__esModule", { value: true });

package/dist/application/dtos/request/reset-password.request.d.ts ADDED Viewed

@@ -0,0 +1,14 @@
+/**
+ * Actualizar password usando un token una vez que se envía link a email
+ */
+export interface ResetPasswordRequest {
+    resetToken: string;
+    newPassword: string;
+    confirmNewPassword: string;
+    /**
+     * Política de sesiones post-reset:
+     * - true: logout global (recomendado)
+     * - false: mantener sesiones (si lo permites)
+     */
+    logoutAllDevices?: boolean;
+}

package/dist/application/dtos/request/reset-password.request.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ "use strict";
2	+ Object.defineProperty(exports, "__esModule", { value: true });

package/dist/application/dtos/response/change-password.response.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+/**
+ * Respuesta cambio de password desde formulario
+ */
+export interface ChangePasswordResponse {
+    success: true;
+    message: string;
+}

package/dist/application/dtos/response/change-password.response.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ "use strict";
2	+ Object.defineProperty(exports, "__esModule", { value: true });

package/dist/application/dtos/response/index.d.ts CHANGED Viewed

@@ -2,3 +2,6 @@ export * from "./login.response";
 export * from "./logout.response";
 export * from "./refresh-token.response";
 export * from "./register-user.response";
+export * from "./reset-password.response";
+export * from "./request-password-reset.response";
+export * from "./change-password.response";

package/dist/application/dtos/response/index.js CHANGED Viewed

@@ -14,7 +14,11 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+//src/application/dtos/response/index.ts
 __exportStar(require("./login.response"), exports);
 __exportStar(require("./logout.response"), exports);
 __exportStar(require("./refresh-token.response"), exports);
 __exportStar(require("./register-user.response"), exports);
+__exportStar(require("./reset-password.response"), exports);
+__exportStar(require("./request-password-reset.response"), exports);
+__exportStar(require("./change-password.response"), exports);

package/dist/application/dtos/response/request-password-reset.response.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+/**
+ * Respuesta del caso de uso.
+ * - `message` debe ser genérico para evitar enumeración de usuarios.
+ * - `delivery` es opcional y SOLO debe usarse internamente por el API para enviar email.
+ *   No se recomienda devolver `delivery` al cliente final.
+ */
+export interface RequestPasswordResetResponse {
+    success: true;
+    message: string;
+    delivery?: {
+        email: string;
+        resetToken: string;
+        expiresAt: string;
+    };
+}

package/dist/application/dtos/response/request-password-reset.response.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ "use strict";
2	+ Object.defineProperty(exports, "__esModule", { value: true });

package/dist/application/dtos/response/reset-password.response.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+/**
+ * Respuesta actualizar password por link cuando se solicita por email
+ */
+export interface ResetPasswordResponse {
+    success: true;
+    message: string;
+}

package/dist/application/dtos/response/reset-password.response.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ "use strict";
2	+ Object.defineProperty(exports, "__esModule", { value: true });

package/dist/application/dtos/{type → types}/index.js RENAMED Viewed

@@ -14,4 +14,5 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+//src/application/dtos/types/index.ts
 __exportStar(require("./user-role.type"), exports);

package/dist/application/dtos/types/user-role.type.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ "use strict";
2	+ Object.defineProperty(exports, "__esModule", { value: true });

package/dist/application/factories/auth-service.factory.d.ts CHANGED Viewed

@@ -1,11 +1,11 @@
-import { ICredentialRepositoryPort, ITokenServicePort, IUserRepositoryPort } from "../../domain";
-import { IAuthServiceContainer } from "../../infrastructure/types";
-import { AuthServiceFactoryOptions } from "../types";
+import { ICredentialRepositoryPort, ITokenServicePort, IUserRepositoryPort, IPasswordResetTokenPort } from "../../domain";
+import type { IAuthServiceContainer } from "../../infrastructure/types";
+import type { AuthServiceFactoryOptions } from "../types";
 /**
  * Factory principal:
  * - construye servicios e inyecta dependencias
  * - encapsula configuración para que NO se repita en cada API externa
  */
 export declare class AuthServiceFactory {
-    static create(userRepository: IUserRepositoryPort, credentialRepository: ICredentialRepositoryPort, tokenService: ITokenServicePort, options?: AuthServiceFactoryOptions): IAuthServiceContainer;
+    static create(userRepository: IUserRepositoryPort, credentialRepository: ICredentialRepositoryPort, tokenService: ITokenServicePort, passwordResetToken: IPasswordResetTokenPort, options?: AuthServiceFactoryOptions): IAuthServiceContainer;
 }

package/dist/application/factories/auth-service.factory.js CHANGED Viewed

@@ -1,7 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.AuthServiceFactory = void 0;
-// src/application/factories/auth-service.factory.ts
+//src/application/factories/auth-service.factory.ts
 const services_1 = require("../../domain/services");
 const use_cases_1 = require("../use-cases");
 const security_1 = require("../../infrastructure/security");
@@ -12,7 +12,7 @@ const services_2 = require("../../infrastructure/services");
  * - encapsula configuración para que NO se repita en cada API externa
  */
 class AuthServiceFactory {
-    static create(userRepository, credentialRepository, tokenService, options) {
+    static create(userRepository, credentialRepository, tokenService, passwordResetToken, options) {
         // 1) Policy + hasher
         const passwordPolicy = new services_1.DefaultPasswordPolicy();
         const passwordHasher = new security_1.BcryptPasswordHasher(options?.bcryptSaltRounds);
@@ -23,6 +23,10 @@ class AuthServiceFactory {
         const loginWithPasswordUseCase = new use_cases_1.LoginWithPasswordUseCase(userRepository, passwordHasher, tokenSession);
         const refreshTokenUseCase = new use_cases_1.RefreshTokenUseCase(tokenSession);
         const logoutUseCase = new use_cases_1.LogoutUseCase(tokenSession);
+        // 4) Use cases nuevos (password flows)
+        const requestPasswordResetUseCase = new use_cases_1.RequestPasswordResetUseCase(userRepository, passwordResetToken, { resetTokenTtl: options?.passwordResetTokenTtl });
+        const resetPasswordUseCase = new use_cases_1.ResetPasswordUseCase(userRepository, credentialRepository, passwordHasher, passwordPolicy, passwordResetToken);
+        const changePasswordUseCase = new use_cases_1.ChangePasswordUseCase(userRepository, credentialRepository, passwordHasher, passwordPolicy);
         return {
             userRepository,
             credentialRepository,
@@ -30,10 +34,14 @@ class AuthServiceFactory {
             tokenService,
             passwordPolicy,
             tokenSession,
+            passwordResetToken,
             registerUserUseCase,
             loginWithPasswordUseCase,
             refreshTokenUseCase,
             logoutUseCase,
+            requestPasswordResetUseCase,
+            resetPasswordUseCase,
+            changePasswordUseCase,
         };
     }
 }

package/dist/application/factories/index.js CHANGED Viewed

@@ -14,4 +14,5 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+//src/application/factories/index.ts
 __exportStar(require("./auth-service.factory"), exports);

package/dist/application/index.js CHANGED Viewed

@@ -14,6 +14,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+//src/application/index.ts
 __exportStar(require("./dtos"), exports);
 __exportStar(require("./factories"), exports);
 __exportStar(require("./use-cases"), exports);

package/dist/application/types/auth-service-factory-options.type.d.ts CHANGED Viewed

@@ -1,5 +1,41 @@
+/**
+ * Permite ajustar parámetros operativos de Auth sin conocer ni tocar la construcción interna del core.
+ * Es decir: configura “políticas” y “valores por defecto” que la factory usará al armar el container.
+ */
 export interface AuthServiceFactoryOptions {
+    /**
+     * Controla el costo computacional del hashing con bcrypt
+     * - Qué hace: define cuántas rondas (work factor) usa bcrypt al generar hashes.
+     * - Impacto:
+     *   - Mayor valor ⇒ más seguro contra ataques de fuerza bruta, pero más CPU/latencia en register/login/change/reset password.
+     *   - Menor valor ⇒ más rápido, pero menos robusto.
+     */
     bcryptSaltRounds?: number;
+    /**
+     * Define el tiempo de vida por defecto de los access tokens.
+     * - Qué hace: determina el exp (expiración) con el que se generan access tokens (si tu tokenSession/token service usa este default).
+     * - Formato: string “humana” (ej. "15m", "1h"), que el core normaliza.
+     * - Impacto:
+     *   - Más corto ⇒ más seguridad, más refresh frecuente.
+     *   - Más largo ⇒ mejor UX, más riesgo si el token se filtra.
+     */
     accessTokenTtl?: string;
+    /**
+     * Define el tiempo de vida por defecto de los refresh tokens.
+     * - Qué hace: determina la expiración del refresh token (el que permite rotar/renovar access tokens).
+     * - Formato: "7d", "30d", etc.
+     * - Impacto:
+     *   - Más corto ⇒ limita ventana de secuestro de sesión, pero obliga re-login más seguido.
+     *   - Más largo ⇒ sesiones persistentes, más riesgo si el refresh token se compromete.
+     */
     refreshTokenTtl?: string;
+    /**
+     * Define el tiempo de vida del token de recuperación de contraseña (RememberPassword).
+     * - Qué hace: controla cuánto dura el token que se entrega en el email de “reset password”.
+     * - Formato: "15m", "30m", "1h", etc
+     * - Impacto:
+     *  - Más corto ⇒ más seguro (menos ventana), pero el usuario puede no alcanzar a usarlo.
+     *  - Más largo ⇒ mejor conveniencia, pero incrementa exposición.
+     */
+    passwordResetTokenTtl?: string;
 }

package/dist/application/types/index.js CHANGED Viewed

@@ -14,4 +14,5 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+//src/application/types/index.ts
 __exportStar(require("./auth-service-factory-options.type"), exports);

package/dist/application/use-cases/change-password.use-case.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import type { ICredentialRepositoryPort, IPasswordHasherPort, IPasswordPolicyPort, IUserRepositoryPort } from "../../domain/ports";
+import { ChangePasswordRequest, ChangePasswordResponse } from "../dtos";
+/**
+ * Cambia contraseña con validación de password actual.
+ *
+ * - Valida confirmación
+ * - Valida policy
+ * - Verifica password actual
+ * - Cambia hash
+ * - Revoca sesiones:
+ *   - logoutAllDevices=true => revoca todas
+ *   - false => revoca solo la sesión actual (sessionId)
+ */
+export declare class ChangePasswordUseCase {
+    private readonly userRepository;
+    private readonly credentialRepository;
+    private readonly passwordHasher;
+    private readonly passwordPolicy;
+    constructor(userRepository: IUserRepositoryPort, credentialRepository: ICredentialRepositoryPort, passwordHasher: IPasswordHasherPort, passwordPolicy: IPasswordPolicyPort);
+    execute(request: ChangePasswordRequest): Promise<ChangePasswordResponse>;
+}

package/dist/application/use-cases/change-password.use-case.js ADDED Viewed

@@ -0,0 +1,49 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ChangePasswordUseCase = void 0;
+const object_values_1 = require("../../domain/object-values");
+const errors_1 = require("../../domain/errors");
+const internal_1 = require("./internal");
+/**
+ * Cambia contraseña con validación de password actual.
+ *
+ * - Valida confirmación
+ * - Valida policy
+ * - Verifica password actual
+ * - Cambia hash
+ * - Revoca sesiones:
+ *   - logoutAllDevices=true => revoca todas
+ *   - false => revoca solo la sesión actual (sessionId)
+ */
+class ChangePasswordUseCase {
+    constructor(userRepository, credentialRepository, passwordHasher, passwordPolicy) {
+        this.userRepository = userRepository;
+        this.credentialRepository = credentialRepository;
+        this.passwordHasher = passwordHasher;
+        this.passwordPolicy = passwordPolicy;
+    }
+    async execute(request) {
+        (0, internal_1.assertPasswordsMatch)(request.newPassword, request.confirmNewPassword);
+        (0, internal_1.assertPasswordPolicy)(this.passwordPolicy, request.newPassword);
+        const user = await this.userRepository.findById(new object_values_1.Id(request.userId));
+        if (!user)
+            throw new errors_1.UserNotFoundError("User not found");
+        const currentHash = user.password.serialize();
+        const ok = await this.passwordHasher.compare(request.currentPassword, currentHash);
+        if (!ok) {
+            throw new errors_1.PasswordMismatchError("Current password is invalid");
+        }
+        const newHash = await this.passwordHasher.hash(request.newPassword);
+        user.changePassword(new object_values_1.HashedPassword(newHash));
+        await this.userRepository.update(user);
+        const userId = user.id;
+        if (request.logoutAllDevices) {
+            await this.credentialRepository.deleteByUserId(userId);
+        }
+        else {
+            await this.credentialRepository.deleteBySessionId(new object_values_1.Id(request.sessionId));
+        }
+        return { success: true, message: "Password changed successfully" };
+    }
+}
+exports.ChangePasswordUseCase = ChangePasswordUseCase;

package/dist/application/use-cases/index.d.ts CHANGED Viewed

@@ -2,3 +2,6 @@ export * from "./login-with-password.use-case";
 export * from "./logout.use-case";
 export * from "./refresh-token.use-case";
 export * from "./register-user.use-case";
+export * from "./change-password.use-case";
+export * from "./request-password-reset.use-case";
+export * from "./reset-password.use-case";

package/dist/application/use-cases/index.js CHANGED Viewed

@@ -14,7 +14,11 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+//src/application/use-cases/index.ts
 __exportStar(require("./login-with-password.use-case"), exports);
 __exportStar(require("./logout.use-case"), exports);
 __exportStar(require("./refresh-token.use-case"), exports);
 __exportStar(require("./register-user.use-case"), exports);
+__exportStar(require("./change-password.use-case"), exports);
+__exportStar(require("./request-password-reset.use-case"), exports);
+__exportStar(require("./reset-password.use-case"), exports);

package/dist/application/use-cases/internal/index.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export * from "./password-assertions";

package/dist/application/use-cases/internal/index.js ADDED Viewed

@@ -0,0 +1,18 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+//src/application/use-cases/internal/index.ts
+__exportStar(require("./password-assertions"), exports);

package/dist/application/use-cases/internal/password-assertions.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import type { IPasswordPolicyPort } from "../../../domain/ports";
+/**
+ * Asserts that `newPassword` equals `confirmPassword`.
+ *
+ * Application-level validation to keep use cases small and consistent.
+ */
+export declare function assertPasswordsMatch(newPassword: string, confirmPassword: string): void;
+/**
+ * Asserts that `password` satisfies the configured password policy.
+ *
+ * This runs BEFORE hashing to fail fast and reduce CPU cost.
+ */
+export declare function assertPasswordPolicy(passwordPolicy: IPasswordPolicyPort, password: string): void;

package/dist/application/use-cases/internal/password-assertions.js ADDED Viewed

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assertPasswordsMatch = assertPasswordsMatch;
+exports.assertPasswordPolicy = assertPasswordPolicy;
+const errors_1 = require("../../../domain/errors");
+/**
+ * Asserts that `newPassword` equals `confirmPassword`.
+ *
+ * Application-level validation to keep use cases small and consistent.
+ */
+function assertPasswordsMatch(newPassword, confirmPassword) {
+    if (newPassword !== confirmPassword) {
+        throw new errors_1.PasswordMismatchError("Passwords do not match");
+    }
+}
+/**
+ * Asserts that `password` satisfies the configured password policy.
+ *
+ * This runs BEFORE hashing to fail fast and reduce CPU cost.
+ */
+function assertPasswordPolicy(passwordPolicy, password) {
+    const strength = passwordPolicy.validateStrength(password);
+    if (!strength.isValid) {
+        throw new errors_1.PasswordPolicyViolationError(strength.errors);
+    }
+}

package/dist/application/use-cases/refresh-token.use-case.js CHANGED Viewed

@@ -17,7 +17,7 @@ class RefreshTokenUseCase {
             };
         }
         catch (error) {
-            throw new errors_1.InvalidOrExpiredRefreshTokenError();
+            throw new errors_1.TokenExpiredError();
         }
     }
 }

package/dist/application/use-cases/register-user.use-case.js CHANGED Viewed

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.RegisterUserUseCase = void 0;
 //src/application/use-cases/register-user.use-case.ts
 const domain_1 = require("../../domain");
+const internal_1 = require("./internal");
 class RegisterUserUseCase {
     constructor(userRepository, passwordHasher, passwordPolicy) {
         this.userRepository = userRepository;
@@ -33,11 +34,8 @@ class RegisterUserUseCase {
     // Use case
     // ---------------------------------------------------------------------------
     async execute(request) {
-        // Validar política de contraseñas
-        const passwordValidation = this.passwordPolicy.validateStrength(request.password);
-        if (!passwordValidation.isValid) {
-            throw new domain_1.PasswordPolicyViolationError(passwordValidation.errors);
-        }
+        // Validar policy antes de hacer trabajo costoso (hash)
+        (0, internal_1.assertPasswordPolicy)(this.passwordPolicy, request.password);
         // Verificar que el email no esté en uso
         const email = new domain_1.Email(request.email);
         const exists = await this.userRepository.findByEmail(email);

package/dist/application/use-cases/request-password-reset.use-case.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+import type { IUserRepositoryPort } from "../../domain/ports";
+import type { IPasswordResetTokenPort } from "../../domain/ports/auth/password-reset-token.port";
+import { RequestPasswordResetRequest, RequestPasswordResetResponse } from "../dtos";
+/**
+ * Solicita reset de contraseña.
+ *
+ * - Anti-enumeración: siempre retorna el mismo mensaje de éxito.
+ * - Si el usuario existe, retorna `delivery` para que el API envíe el email.
+ * - NO envía emails (el API lo hace con @jmlq/mailer).
+ */
+export declare class RequestPasswordResetUseCase {
+    private readonly userRepository;
+    private readonly passwordResetToken;
+    private readonly resetTokenTtl;
+    constructor(userRepository: IUserRepositoryPort, passwordResetToken: IPasswordResetTokenPort, opts?: {
+        resetTokenTtl?: string;
+    });
+    execute(request: RequestPasswordResetRequest): Promise<RequestPasswordResetResponse>;
+}

package/dist/application/use-cases/request-password-reset.use-case.js ADDED Viewed

@@ -0,0 +1,43 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RequestPasswordResetUseCase = void 0;
+const object_values_1 = require("../../domain/object-values");
+const time_parser_1 = require("../../shared/utils/time-parser");
+/**
+ * Solicita reset de contraseña.
+ *
+ * - Anti-enumeración: siempre retorna el mismo mensaje de éxito.
+ * - Si el usuario existe, retorna `delivery` para que el API envíe el email.
+ * - NO envía emails (el API lo hace con @jmlq/mailer).
+ */
+class RequestPasswordResetUseCase {
+    constructor(userRepository, passwordResetToken, opts) {
+        this.userRepository = userRepository;
+        this.passwordResetToken = passwordResetToken;
+        // Default conservador: 15 minutos
+        this.resetTokenTtl = opts?.resetTokenTtl ?? "15m";
+    }
+    async execute(request) {
+        const message = "A link to reset your password has been sent to your email address.";
+        // Normaliza y valida el email vía VO
+        const email = new object_values_1.Email(request.email);
+        // Buscar usuario (no revelar resultado al cliente final)
+        const user = await this.userRepository.findByEmail(email);
+        if (!user) {
+            return { success: true, message };
+        }
+        // Emite token con TTL (reutiliza utility existente)
+        const ttlMs = time_parser_1.TimeParser.parseToMilliseconds(this.resetTokenTtl);
+        const issued = await this.passwordResetToken.issue(user.id, ttlMs);
+        return {
+            success: true,
+            message,
+            delivery: {
+                email: user.email.getValue(),
+                resetToken: issued.token,
+                expiresAt: issued.expiresAt.toISOString(),
+            },
+        };
+    }
+}
+exports.RequestPasswordResetUseCase = RequestPasswordResetUseCase;

package/dist/application/use-cases/reset-password.use-case.d.ts ADDED Viewed

@@ -0,0 +1,20 @@
+import type { ICredentialRepositoryPort, IPasswordHasherPort, IPasswordPolicyPort, IUserRepositoryPort } from "../../domain/ports";
+import type { IPasswordResetTokenPort } from "../../domain/ports/auth/password-reset-token.port";
+import { ResetPasswordRequest, ResetPasswordResponse } from "../dtos";
+/**
+ * Confirma el reseteo de contraseña usando token (single-use).
+ *
+ * - Verifica y consume token
+ * - Aplica policy
+ * - Cambia hash del usuario
+ * - Revoca sesiones según política (por defecto: logout global recomendado)
+ */
+export declare class ResetPasswordUseCase {
+    private readonly userRepository;
+    private readonly credentialRepository;
+    private readonly passwordHasher;
+    private readonly passwordPolicy;
+    private readonly passwordResetToken;
+    constructor(userRepository: IUserRepositoryPort, credentialRepository: ICredentialRepositoryPort, passwordHasher: IPasswordHasherPort, passwordPolicy: IPasswordPolicyPort, passwordResetToken: IPasswordResetTokenPort);
+    execute(request: ResetPasswordRequest): Promise<ResetPasswordResponse>;
+}

package/dist/application/use-cases/reset-password.use-case.js ADDED Viewed

@@ -0,0 +1,59 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ResetPasswordUseCase = void 0;
+const object_values_1 = require("../../domain/object-values");
+const errors_1 = require("../../domain/errors");
+const password_reset_errors_1 = require("../../domain/errors/password-reset.errors");
+const internal_1 = require("./internal");
+/**
+ * Confirma el reseteo de contraseña usando token (single-use).
+ *
+ * - Verifica y consume token
+ * - Aplica policy
+ * - Cambia hash del usuario
+ * - Revoca sesiones según política (por defecto: logout global recomendado)
+ */
+class ResetPasswordUseCase {
+    constructor(userRepository, credentialRepository, passwordHasher, passwordPolicy, passwordResetToken) {
+        this.userRepository = userRepository;
+        this.credentialRepository = credentialRepository;
+        this.passwordHasher = passwordHasher;
+        this.passwordPolicy = passwordPolicy;
+        this.passwordResetToken = passwordResetToken;
+    }
+    async execute(request) {
+        // Validación de request (application)
+        (0, internal_1.assertPasswordsMatch)(request.newPassword, request.confirmNewPassword);
+        (0, internal_1.assertPasswordPolicy)(this.passwordPolicy, request.newPassword);
+        // Consumir token (single-use). La implementación debe asegurar atomicidad.
+        const consumed = await this.passwordResetToken
+            .consume(request.resetToken)
+            .catch((e) => {
+            // Mantener errores estables: no filtrar detalles del storage
+            // Nota: si quieres distinguir invalid vs used, puedes mapear en el adapter.
+            throw new password_reset_errors_1.PasswordResetTokenInvalidError(e instanceof Error ? e.message : "Password reset token is invalid");
+        });
+        // Verificar expiración por seguridad adicional (aunque el adapter debería hacerlo)
+        if (new Date() > consumed.expiresAt) {
+            throw new password_reset_errors_1.PasswordResetTokenExpiredError();
+        }
+        const userId = consumed.userId;
+        const user = await this.userRepository.findById(userId);
+        if (!user) {
+            // No debería pasar si token fue emitido correctamente, pero es seguro.
+            throw new errors_1.UserNotFoundError("User not found");
+        }
+        // Hash + cambio de password en el agregado
+        const newHash = await this.passwordHasher.hash(request.newPassword);
+        user.changePassword(new object_values_1.HashedPassword(newHash));
+        await this.userRepository.update(user);
+        // Política de sesiones:
+        // - default: logout global (recomendación de seguridad)
+        const logoutAll = request.logoutAllDevices ?? true;
+        if (logoutAll) {
+            await this.credentialRepository.deleteByUserId(userId);
+        }
+        return { success: true, message: "Password has been reset successfully" };
+    }
+}
+exports.ResetPasswordUseCase = ResetPasswordUseCase;