npm - @jmlq/auth - Versions diffs - 0.0.1-alpha.29 → 0.0.1-alpha.30 - Mend

@jmlq/auth 0.0.1-alpha.29 → 0.0.1-alpha.30

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (43) hide show

package/dist/application/dtos/request/index.d.ts CHANGED Viewed

@@ -5,3 +5,5 @@ export * from "./register-user.request";
 export * from "./request-password-reset.request";
 export * from "./reset-password.request";
 export * from "./change-password.request";
+export * from "./verify-email.request";
+export * from "./me.request";

package/dist/application/dtos/request/index.js CHANGED Viewed

@@ -21,3 +21,5 @@ __exportStar(require("./register-user.request"), exports);
 __exportStar(require("./request-password-reset.request"), exports);
 __exportStar(require("./reset-password.request"), exports);
 __exportStar(require("./change-password.request"), exports);
+__exportStar(require("./verify-email.request"), exports);
+__exportStar(require("./me.request"), exports);

package/dist/application/dtos/request/me.request.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+export interface MeRequest {
+    userId: string;
+}

package/dist/application/dtos/request/me.request.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ "use strict";
2	+ Object.defineProperty(exports, "__esModule", { value: true });

package/dist/application/dtos/request/verify-email.request.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+export interface VerifyEmailRequest {
+    token: string;
+}

package/dist/application/dtos/request/verify-email.request.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ "use strict";
2	+ Object.defineProperty(exports, "__esModule", { value: true });

package/dist/application/dtos/response/index.d.ts CHANGED Viewed

@@ -5,3 +5,5 @@ export * from "./register-user.response";
 export * from "./reset-password.response";
 export * from "./request-password-reset.response";
 export * from "./change-password.response";
+export * from "./verify-email.response";
+export * from "./me.response";

package/dist/application/dtos/response/index.js CHANGED Viewed

@@ -21,3 +21,5 @@ __exportStar(require("./register-user.response"), exports);
 __exportStar(require("./reset-password.response"), exports);
 __exportStar(require("./request-password-reset.response"), exports);
 __exportStar(require("./change-password.response"), exports);
+__exportStar(require("./verify-email.response"), exports);
+__exportStar(require("./me.response"), exports);

package/dist/application/dtos/response/me.response.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+export interface MeResponse {
+    id: string;
+    email: string;
+    isActive: boolean;
+    isEmailVerified: boolean;
+    roles: {
+        role: string;
+    }[];
+    createdAt: string;
+    updatedAt: string;
+}

package/dist/application/dtos/response/me.response.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ "use strict";
2	+ Object.defineProperty(exports, "__esModule", { value: true });

package/dist/application/dtos/response/register-user.response.d.ts CHANGED Viewed

@@ -4,4 +4,13 @@ export interface RegisterUserResponse {
         role: string;
     }[];
     isActive: boolean;
+    /**
+     * Delivery interno para el host (API) para enviar email.
+     * NO recomendado devolver al cliente.
+     */
+    delivery?: {
+        email: string;
+        token: string;
+        expiresAt: string;
+    };
 }

package/dist/application/dtos/response/verify-email.response.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+export interface VerifyEmailResponse {
+    success: true;
+    message: string;
+}

package/dist/application/dtos/response/verify-email.response.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ "use strict";
2	+ Object.defineProperty(exports, "__esModule", { value: true });

package/dist/application/facades/auth.facade.d.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 import type { IAuthServiceContainer } from "../../infrastructure";
-import type { ChangePasswordRequest, LoginRequest, LogoutRequest, RefreshTokenRequest, RegisterUserRequest, RequestPasswordResetRequest, ResetPasswordRequest } from "../dtos/request";
-import type { ChangePasswordResponse, LoginResponse, LogoutResponse, RefreshTokenResponse, RegisterUserResponse, RequestPasswordResetResponse, ResetPasswordResponse } from "../dtos/response";
+import type { ChangePasswordRequest, LoginRequest, LogoutRequest, MeRequest, RefreshTokenRequest, RegisterUserRequest, RequestPasswordResetRequest, ResetPasswordRequest, VerifyEmailRequest } from "../dtos/request";
+import type { ChangePasswordResponse, LoginResponse, LogoutResponse, MeResponse, RefreshTokenResponse, RegisterUserResponse, RequestPasswordResetResponse, ResetPasswordResponse, VerifyEmailResponse } from "../dtos/response";
 /**
  * Facade delgada para integrar @jmlq/auth en hosts (APIs externas).
  *
@@ -28,4 +28,6 @@ export declare class AuthFacade {
     changePassword(request: ChangePasswordRequest): Promise<ChangePasswordResponse>;
     requestPasswordReset(request: RequestPasswordResetRequest): Promise<RequestPasswordResetResponse>;
     resetPassword(request: ResetPasswordRequest): Promise<ResetPasswordResponse>;
+    verifyEmail(request: VerifyEmailRequest): Promise<VerifyEmailResponse>;
+    me(request: MeRequest): Promise<MeResponse>;
 }

package/dist/application/facades/auth.facade.js CHANGED Viewed

@@ -50,5 +50,11 @@ class AuthFacade {
     resetPassword(request) {
         return this.container.resetPasswordUseCase.execute(request);
     }
+    verifyEmail(request) {
+        return this.container.verifyEmailUseCase.execute(request);
+    }
+    me(request) {
+        return this.container.meUseCase.execute(request);
+    }
 }
 exports.AuthFacade = AuthFacade;

package/dist/application/facades/create-auth-facade.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { AuthFacade } from "./auth.facade";
-import type { IUserRepositoryPort, ICredentialRepositoryPort, ITokenServicePort, IPasswordResetTokenPort } from "../../domain";
+import type { IUserRepositoryPort, ICredentialRepositoryPort, ITokenServicePort, IPasswordResetTokenPort, IEmailVerificationTokenPort } from "../../domain";
 import type { AuthServiceFactoryOptions } from "../types";
 /**
  * Helper de integración para hosts (APIs externas).
@@ -16,6 +16,7 @@ export type CreateAuthFacadeDeps = Readonly<{
     credentialRepository: ICredentialRepositoryPort;
     tokenService: ITokenServicePort;
     passwordResetToken: IPasswordResetTokenPort;
+    emailVerificationToken: IEmailVerificationTokenPort;
     options?: AuthServiceFactoryOptions;
 }>;
 export declare function createAuthFacade(deps: CreateAuthFacadeDeps): AuthFacade;

package/dist/application/facades/create-auth-facade.js CHANGED Viewed

@@ -4,6 +4,6 @@ exports.createAuthFacade = createAuthFacade;
 const auth_facade_1 = require("./auth.facade");
 const factories_1 = require("../factories");
 function createAuthFacade(deps) {
-    const container = factories_1.AuthServiceFactory.create(deps.userRepository, deps.credentialRepository, deps.tokenService, deps.passwordResetToken, deps.options);
+    const container = factories_1.AuthServiceFactory.create(deps.userRepository, deps.credentialRepository, deps.tokenService, deps.passwordResetToken, deps.emailVerificationToken, deps.options);
     return new auth_facade_1.AuthFacade(container);
 }

package/dist/application/factories/auth-service.factory.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { ICredentialRepositoryPort, ITokenServicePort, IUserRepositoryPort, IPasswordResetTokenPort } from "../../domain";
+import { ICredentialRepositoryPort, ITokenServicePort, IUserRepositoryPort, IPasswordResetTokenPort, IEmailVerificationTokenPort } from "../../domain";
 import type { IAuthServiceContainer } from "../../infrastructure/types";
 import type { AuthServiceFactoryOptions } from "../types";
 /**
@@ -7,5 +7,5 @@ import type { AuthServiceFactoryOptions } from "../types";
  * - encapsula configuración para que NO se repita en cada API externa
  */
 export declare class AuthServiceFactory {
-    static create(userRepository: IUserRepositoryPort, credentialRepository: ICredentialRepositoryPort, tokenService: ITokenServicePort, passwordResetToken: IPasswordResetTokenPort, options?: AuthServiceFactoryOptions): IAuthServiceContainer;
+    static create(userRepository: IUserRepositoryPort, credentialRepository: ICredentialRepositoryPort, tokenService: ITokenServicePort, passwordResetToken: IPasswordResetTokenPort, emailVerificationToken: IEmailVerificationTokenPort, options?: AuthServiceFactoryOptions): IAuthServiceContainer;
 }

package/dist/application/factories/auth-service.factory.js CHANGED Viewed

@@ -11,15 +11,17 @@ const services_2 = require("../../infrastructure/services");
  * - encapsula configuración para que NO se repita en cada API externa
  */
 class AuthServiceFactory {
-    static create(userRepository, credentialRepository, tokenService, passwordResetToken, options) {
+    static create(userRepository, credentialRepository, tokenService, passwordResetToken, emailVerificationToken, options) {
         // 1) Policy + hasher
         const passwordPolicy = options?.passwordPolicy ?? new services_1.DefaultPasswordPolicy();
         const passwordHasher = new security_1.BcryptPasswordHasher(options?.bcryptSaltRounds);
         // 2) Session service (rotación/revocación)
         const tokenSession = new services_2.TokenSessionService(tokenService, userRepository, credentialRepository, options?.accessTokenTtl ?? "15m", options?.refreshTokenTtl ?? "7d");
         // 3) Use cases
-        const registerUserUseCase = new use_cases_1.RegisterUserUseCase(userRepository, passwordHasher, passwordPolicy);
+        const registerUserUseCase = new use_cases_1.RegisterUserUseCase(userRepository, passwordHasher, passwordPolicy, emailVerificationToken, { verifyTokenTtl: options?.emailVerificationTokenTtl });
+        const verifyEmailUseCase = new use_cases_1.VerifyEmailUseCase(userRepository, emailVerificationToken);
         const loginWithPasswordUseCase = new use_cases_1.LoginWithPasswordUseCase(userRepository, passwordHasher, tokenSession);
+        const meUseCase = new use_cases_1.MeUseCase(userRepository);
         const refreshTokenUseCase = new use_cases_1.RefreshTokenUseCase(tokenSession);
         const logoutUseCase = new use_cases_1.LogoutUseCase(tokenSession);
         // 4) Use cases nuevos (password flows)
@@ -41,6 +43,9 @@ class AuthServiceFactory {
             requestPasswordResetUseCase,
             resetPasswordUseCase,
             changePasswordUseCase,
+            verifyEmailUseCase,
+            emailVerificationToken,
+            meUseCase,
         };
     }
 }

package/dist/application/types/auth-service-factory-options.type.d.ts CHANGED Viewed

@@ -45,4 +45,5 @@ export interface AuthServiceFactoryOptions {
      *  - Más largo ⇒ mejor conveniencia, pero incrementa exposición.
      */
     passwordResetTokenTtl?: string;
+    emailVerificationTokenTtl?: string;
 }

package/dist/application/use-cases/index.d.ts CHANGED Viewed

@@ -5,3 +5,5 @@ export * from "./register-user.use-case";
 export * from "./change-password.use-case";
 export * from "./request-password-reset.use-case";
 export * from "./reset-password.use-case";
+export * from "./verify-email.use-case";
+export * from "./me.use-case";

package/dist/application/use-cases/index.js CHANGED Viewed

@@ -21,3 +21,5 @@ __exportStar(require("./register-user.use-case"), exports);
 __exportStar(require("./change-password.use-case"), exports);
 __exportStar(require("./request-password-reset.use-case"), exports);
 __exportStar(require("./reset-password.use-case"), exports);
+__exportStar(require("./verify-email.use-case"), exports);
+__exportStar(require("./me.use-case"), exports);

package/dist/application/use-cases/login-with-password.use-case.js CHANGED Viewed

@@ -16,8 +16,11 @@ class LoginWithPasswordUseCase {
         if (!user) {
             throw new errors_1.UserNotFoundError("Invalid credentials");
         }
+        if (!user.isEmailVerified) {
+            throw new errors_1.EmailNotVerifiedError();
+        }
         // Verificar que el usuario esté activo
-        if (!user.canLogin()) {
+        if (!user.isActive) {
             throw new errors_1.UserDisabledError("User account is not active");
         }
         // Verificar contraseña

package/dist/application/use-cases/me.use-case.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import type { IUserRepositoryPort } from "../../domain/ports";
+import { MeRequest, MeResponse } from "../dtos";
+export declare class MeUseCase {
+    private readonly userRepository;
+    constructor(userRepository: IUserRepositoryPort);
+    execute(request: MeRequest): Promise<MeResponse>;
+}

package/dist/application/use-cases/me.use-case.js ADDED Viewed

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MeUseCase = void 0;
+const object_values_1 = require("../../domain/object-values");
+const domain_1 = require("../../domain");
+class MeUseCase {
+    constructor(userRepository) {
+        this.userRepository = userRepository;
+    }
+    async execute(request) {
+        const userId = String(request.userId ?? "").trim();
+        if (!userId)
+            throw new Error("userId is required");
+        const user = await this.userRepository.findById(new object_values_1.Id(userId));
+        if (!user)
+            throw new domain_1.UserNotFoundError();
+        return {
+            id: user.id.getValue(),
+            email: user.email.getValue(),
+            isActive: user.isActive,
+            isEmailVerified: user.isEmailVerified,
+            roles: user.roles.map((r) => r.getValuePublic()),
+            createdAt: user.createdAt.toISOString(),
+            updatedAt: user.updatedAt.toISOString(),
+        };
+    }
+}
+exports.MeUseCase = MeUseCase;

package/dist/application/use-cases/register-user.use-case.d.ts CHANGED Viewed

@@ -1,12 +1,17 @@
 import { IPasswordHasherPort, IPasswordPolicyPort } from "../../domain";
 import { IUserRepositoryPort } from "../../domain/ports/repository";
 import { RegisterUserRequest, RegisterUserResponse } from "../dtos";
+import type { IEmailVerificationTokenPort } from "../../domain/ports/auth";
 export declare class RegisterUserUseCase {
     private readonly userRepository;
     private readonly passwordHasher;
     private readonly passwordPolicy;
+    private readonly emailVerificationToken;
     private static readonly DEFAULT_ROLE;
-    constructor(userRepository: IUserRepositoryPort, passwordHasher: IPasswordHasherPort, passwordPolicy: IPasswordPolicyPort);
+    private readonly verifyTokenTtl;
+    constructor(userRepository: IUserRepositoryPort, passwordHasher: IPasswordHasherPort, passwordPolicy: IPasswordPolicyPort, emailVerificationToken: IEmailVerificationTokenPort, opts?: {
+        verifyTokenTtl?: string;
+    });
     private static normalizeRoles;
     execute(request: RegisterUserRequest): Promise<RegisterUserResponse>;
 }

package/dist/application/use-cases/register-user.use-case.js CHANGED Viewed

@@ -3,11 +3,14 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.RegisterUserUseCase = void 0;
 const domain_1 = require("../../domain");
 const internal_1 = require("./internal");
+const utils_1 = require("../../shared/utils");
 class RegisterUserUseCase {
-    constructor(userRepository, passwordHasher, passwordPolicy) {
+    constructor(userRepository, passwordHasher, passwordPolicy, emailVerificationToken, opts) {
         this.userRepository = userRepository;
         this.passwordHasher = passwordHasher;
         this.passwordPolicy = passwordPolicy;
+        this.emailVerificationToken = emailVerificationToken;
+        this.verifyTokenTtl = opts?.verifyTokenTtl ?? "30m";
     }
     // ---------------------------------------------------------------------------
     // Helpers
@@ -49,11 +52,19 @@ class RegisterUserUseCase {
         const user = domain_1.User.create(request.email, roles, hashedPassword);
         // Guardar en repositorio
         await this.userRepository.save(user);
+        // Emitir token de verificación (delivery interno)
+        const ttlMs = utils_1.TimeParser.parseToMilliseconds(this.verifyTokenTtl);
+        const issued = await this.emailVerificationToken.issue(user.id, ttlMs);
         // Retornar respuesta
         return {
             id: user.id.getValue(),
             roles: user.roles.map((role) => role.getValuePublic()),
             isActive: user.isActive,
+            delivery: {
+                email: user.email.getValue(),
+                token: issued.token,
+                expiresAt: issued.expiresAt.toISOString(),
+            },
         };
     }
 }

package/dist/application/use-cases/verify-email.use-case.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+import { VerifyEmailRequest, VerifyEmailResponse } from "../dtos";
+import { IEmailVerificationTokenPort, IUserRepositoryPort } from "../../domain/ports";
+export declare class VerifyEmailUseCase {
+    private readonly userRepository;
+    private readonly emailVerificationToken;
+    constructor(userRepository: IUserRepositoryPort, emailVerificationToken: IEmailVerificationTokenPort);
+    execute(request: VerifyEmailRequest): Promise<VerifyEmailResponse>;
+}

package/dist/application/use-cases/verify-email.use-case.js ADDED Viewed

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VerifyEmailUseCase = void 0;
+const object_values_1 = require("../../domain/object-values");
+const errors_1 = require("../../domain/errors");
+class VerifyEmailUseCase {
+    constructor(userRepository, emailVerificationToken) {
+        this.userRepository = userRepository;
+        this.emailVerificationToken = emailVerificationToken;
+    }
+    async execute(request) {
+        const token = String(request.token ?? "").trim();
+        if (!token) {
+            // Conservador: si prefieres un error de dominio, puedes crear uno específico.
+            throw new Error("Email verification token is required");
+        }
+        const consumed = await this.emailVerificationToken.consume(token);
+        const user = await this.userRepository.findById(new object_values_1.Id(consumed.userId.getValue()));
+        if (!user)
+            throw new errors_1.UserNotFoundError();
+        user.verifyEmail();
+        await this.userRepository.update(user);
+        return { success: true, message: "Email verified successfully" };
+    }
+}
+exports.VerifyEmailUseCase = VerifyEmailUseCase;

package/dist/domain/entities/user.entity.d.ts CHANGED Viewed

@@ -25,6 +25,10 @@ export declare class User {
      * Indica si el usuario está activo o inactivo
      */
     private _isActive;
+    /**
+     * Nuevo: estado de verificación de email.
+     */
+    private _isEmailVerified;
     /**
      * Fecha de creación del usuario
      */
@@ -58,6 +62,10 @@ export declare class User {
      * Indica si el usuario está activo o inactivo
      */
     get isActive(): boolean;
+    /**
+     * Indica si el correo fue verificado.
+     */
+    get isEmailVerified(): boolean;
     /**
      * Obtiene la fecha de creación del usuario
      */
@@ -76,9 +84,13 @@ export declare class User {
     deactivate(): void;
     /**
      * Evalúa si el usuario puede iniciar sesión
+     * Política de login:
+     * - activo
+     * - email verificado
      * @returns Verdadero si el usuario puede iniciar sesión, falso en caso contrario
      */
     canLogin(): boolean;
+    verifyEmail(): void;
     /**
      * Cambia la contraseña del usuario.
      * Responsabilidad: el agregado actualiza su estado de forma consistente.

package/dist/domain/entities/user.entity.js CHANGED Viewed

@@ -16,6 +16,7 @@ class User {
         this._roles = props.roles;
         this._password = props.password;
         this._isActive = props.isActive;
+        this._isEmailVerified = props.isEmailVerified;
         this._createdAt = props.createdAt;
         this._updatedAt = props.updatedAt;
     }
@@ -50,6 +51,12 @@ class User {
     get isActive() {
         return this._isActive;
     }
+    /**
+     * Indica si el correo fue verificado.
+     */
+    get isEmailVerified() {
+        return this._isEmailVerified;
+    }
     /**
      * Obtiene la fecha de creación del usuario
      */
@@ -79,10 +86,19 @@ class User {
     }
     /**
      * Evalúa si el usuario puede iniciar sesión
+     * Política de login:
+     * - activo
+     * - email verificado
      * @returns Verdadero si el usuario puede iniciar sesión, falso en caso contrario
      */
     canLogin() {
-        return this._isActive;
+        return this._isActive && this._isEmailVerified;
+    }
+    verifyEmail() {
+        if (this._isEmailVerified)
+            return;
+        this._isEmailVerified = true;
+        this._updatedAt = new Date();
     }
     /**
      * Cambia la contraseña del usuario.
@@ -107,6 +123,7 @@ class User {
             roles: roles,
             password: new object_values_1.HashedPassword(hashedPassword),
             isActive: true,
+            isEmailVerified: false,
             createdAt: new Date(),
             updatedAt: new Date(),
         });
@@ -136,7 +153,7 @@ class User {
         const roles = [];
         const permissions = [];
         for (const role of this.roles) {
-            const value = role.getValue(); // ✅ canónico (incluye permissions)
+            const value = role.getValue(); // canónico (incluye permissions)
             roles.push(value.role);
             permissions.push(...value.permissions);
         }

package/dist/domain/errors/auth-error-code.d.ts CHANGED Viewed

@@ -9,4 +9,4 @@
  * - Mantén este catálogo pequeño y estable.
  * - Si agregas un error nuevo, agrega aquí su código.
  */
-export type AuthErrorCode = "TOKEN_INVALID" | "TOKEN_EXPIRED" | "TOKEN_MALFORMED" | "SIGNATURE_INVALID" | "AUTHENTICATION_FAILED" | "JWT_ERROR" | "KEY_MISMATCH" | "KEY_NOT_FOUND" | "KEY_MISMATCH" | "CLAIMS_VALIDATION_ERROR" | "JWT_PAYLOAD_INVALID" | "TOKEN_NOT_YET_VALID" | "ALGORITHM_UNSUPPORTED" | "KEY_MISMATCH" | "KEY_NOT_FOUND" | "INVALID_EMAIL" | "INVALID_HASHED_PASSWORD" | "PASSWORD_POLICY_VIOLATION" | "PASSWORD_MISMATCH" | "USER_NOT_FOUND" | "USER_DISABLED" | "EMAIL_ALREADY_IN_USE" | "INVALID_PERMISSION" | "INVALID_ROLE" | "INVALID_ID" | "LOGOUT_FAILED" | "PASSWORD_RESET_TOKEN_INVALID" | "PASSWORD_RESET_TOKEN_EXPIRED" | "PASSWORD_RESET_TOKEN_ALREADY_USED";
+export type AuthErrorCode = "TOKEN_INVALID" | "TOKEN_EXPIRED" | "TOKEN_MALFORMED" | "SIGNATURE_INVALID" | "AUTHENTICATION_FAILED" | "JWT_ERROR" | "KEY_MISMATCH" | "KEY_NOT_FOUND" | "KEY_MISMATCH" | "CLAIMS_VALIDATION_ERROR" | "JWT_PAYLOAD_INVALID" | "TOKEN_NOT_YET_VALID" | "ALGORITHM_UNSUPPORTED" | "KEY_MISMATCH" | "KEY_NOT_FOUND" | "INVALID_EMAIL" | "INVALID_HASHED_PASSWORD" | "PASSWORD_POLICY_VIOLATION" | "PASSWORD_MISMATCH" | "USER_NOT_FOUND" | "USER_DISABLED" | "EMAIL_ALREADY_IN_USE" | "INVALID_PERMISSION" | "INVALID_ROLE" | "INVALID_ID" | "LOGOUT_FAILED" | "EMAIL_NOT_VERIFIED" | "PASSWORD_RESET_TOKEN_INVALID" | "PASSWORD_RESET_TOKEN_EXPIRED" | "PASSWORD_RESET_TOKEN_ALREADY_USED";

package/dist/domain/errors/auth.errors.d.ts CHANGED Viewed

@@ -37,3 +37,6 @@ export declare class AuthenticationError extends AuthDomainError {
 export declare class SessionAuthError extends AuthDomainError {
     constructor(message?: string, details?: unknown);
 }
+export declare class EmailNotVerifiedError extends AuthDomainError {
+    constructor(message?: string, details?: unknown);
+}

package/dist/domain/errors/auth.errors.js CHANGED Viewed

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.SessionAuthError = exports.AuthenticationError = exports.InvalidSignatureError = exports.InvalidTokenFormatError = exports.TokenExpiredError = exports.AuthDomainError = void 0;
+exports.EmailNotVerifiedError = exports.SessionAuthError = exports.AuthenticationError = exports.InvalidSignatureError = exports.InvalidTokenFormatError = exports.TokenExpiredError = exports.AuthDomainError = void 0;
 class AuthDomainError extends Error {
     constructor(message, code, details) {
         super(message);
@@ -59,3 +59,9 @@ class SessionAuthError extends AuthDomainError {
     }
 }
 exports.SessionAuthError = SessionAuthError;
+class EmailNotVerifiedError extends AuthDomainError {
+    constructor(message = "Email is not verified", details) {
+        super(message, "EMAIL_NOT_VERIFIED", details);
+    }
+}
+exports.EmailNotVerifiedError = EmailNotVerifiedError;

package/dist/domain/ports/auth/email-verification-token.port.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+import type { Id } from "../../object-values";
+/**
+ * Token de verificación de email (single-use, TTL).
+ * Implementación fuera del core (DB/Redis).
+ */
+export interface IEmailVerificationTokenPort {
+    issue(userId: Id, ttlMs: number): Promise<{
+        token: string;
+        expiresAt: Date;
+    }>;
+    verify(token: string): Promise<{
+        userId: Id;
+        expiresAt: Date;
+    }>;
+    consume(token: string): Promise<{
+        userId: Id;
+        expiresAt: Date;
+    }>;
+}

package/dist/domain/ports/auth/email-verification-token.port.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ "use strict";
2	+ Object.defineProperty(exports, "__esModule", { value: true });

package/dist/domain/ports/auth/index.d.ts CHANGED Viewed

@@ -1,3 +1,4 @@
 export * from "./password-hasher.port";
 export * from "./password-policy.port";
 export * from "./password-reset-token.port";
+export * from "./email-verification-token.port";

package/dist/domain/ports/auth/index.js CHANGED Viewed

@@ -17,3 +17,4 @@ Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./password-hasher.port"), exports);
 __exportStar(require("./password-policy.port"), exports);
 __exportStar(require("./password-reset-token.port"), exports);
+__exportStar(require("./email-verification-token.port"), exports);

package/dist/domain/props/entities/user.props.d.ts CHANGED Viewed

@@ -5,6 +5,7 @@ export interface IUserProps {
     roles: Role[];
     password: HashedPassword;
     isActive: boolean;
+    isEmailVerified: boolean;
     createdAt: Date;
     updatedAt: Date;
 }

package/dist/domain/props/jwt/jwt-user.d.ts CHANGED Viewed

@@ -1,7 +1,16 @@
 export interface JwtUser {
+    /**
+     * Identificador único del usuario (claim `sub`).
+     */
     id: string;
-    email: string;
-    roles: {
+    /**
+     * Opcional: algunas apps pueden incluirlo, pero no es requerido por el core.
+     */
+    email?: string;
+    /**
+     * Opcional: JWT delgado (RBAC en BDD).
+     */
+    roles?: {
         role: string;
     }[];
 }

package/dist/infrastructure/services/token-session.service.js CHANGED Viewed

@@ -97,31 +97,18 @@ class TokenSessionService {
      * @param sessionId Identificador de sesión/dispositivo.
      */
     async issueTokens(user, sessionId) {
-        const snapshot = user.getAccessSnapshot();
         /**
-         * Custom claims mínimos que necesita el API para requirePermissions().
-         *
-         * Decisión:
-         * - Si no hay permissions => customClaims vacío (JWT más limpio).
-         * - Si hay permissions => { permissions: string[] }.
-         *
-         * Esto hace que requirePermissions() pueda operar solo con JWT,
-         * sin requerir llamadas extra al resolver en cada request.
-         */
-        const customClaims = snapshot.permissions.length > 0
-            ? { permissions: snapshot.permissions }
-            : {};
-        /**
-         * userClaims:
-         * - Shape mínimo de usuario que el tokenService necesita
-         * - Evita pasar la entidad User completa (no serializable y con lógica)
+         * Política:
+         * - JWT delgado: NO roles, NO permissions.
+         * - Authorization se resuelve en el host (BDD) por middleware/servicio.
          */
         const userClaims = {
             id: user.id.getValue(),
-            email: user.email.getValue(),
-            // Mantienes el shape actual requerido por IJWTPayload.roles: Array<{role:string}>
-            roles: snapshot.roles.map((role) => ({ role })),
+            // email/roles son opcionales y NO se incluyen por defecto.
         };
+        // Custom claims: no forzamos nada desde el core.
+        // Si el host quiere customClaims, debe hacerlo en su propio flujo/política.
+        const customClaims = {};
         /**
          * Generar access token:
          * - sessionId se coloca en "sid"

package/dist/infrastructure/types/auth-service-container.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
-import { ICredentialRepositoryPort, IPasswordHasherPort, IPasswordPolicyPort, ITokenServicePort, ITokenSessionPort, IUserRepositoryPort, IPasswordResetTokenPort } from "../../domain/ports";
-import { ChangePasswordUseCase, LoginWithPasswordUseCase, LogoutUseCase, RefreshTokenUseCase, RegisterUserUseCase, RequestPasswordResetUseCase, ResetPasswordUseCase } from "../../application/use-cases";
+import { ICredentialRepositoryPort, IPasswordHasherPort, IPasswordPolicyPort, ITokenServicePort, ITokenSessionPort, IUserRepositoryPort, IPasswordResetTokenPort, IEmailVerificationTokenPort } from "../../domain/ports";
+import { ChangePasswordUseCase, LoginWithPasswordUseCase, LogoutUseCase, MeUseCase, RefreshTokenUseCase, RegisterUserUseCase, RequestPasswordResetUseCase, ResetPasswordUseCase, VerifyEmailUseCase } from "../../application/use-cases";
 /**
  * IAuthServiceContainer es el punto de composición del módulo de autenticación
  * Es un contrato que agrupa todas las dependencias y casos de uso de Auth ya construidos,
@@ -13,6 +13,14 @@ export interface IAuthServiceContainer {
     passwordPolicy: IPasswordPolicyPort;
     tokenSession: ITokenSessionPort;
     passwordResetToken: IPasswordResetTokenPort;
+    /**
+     * Puerto para la gestión de tokens de verificación de email.
+     *
+     * Responsabilidad:
+     * - Emitir tokens temporales (single-use) asociados a un usuario.
+     * - Validar y consumir el token cuando el usuario accede al enlace de verificación.
+     */
+    emailVerificationToken: IEmailVerificationTokenPort;
     registerUserUseCase: RegisterUserUseCase;
     loginWithPasswordUseCase: LoginWithPasswordUseCase;
     refreshTokenUseCase: RefreshTokenUseCase;
@@ -20,4 +28,6 @@ export interface IAuthServiceContainer {
     requestPasswordResetUseCase: RequestPasswordResetUseCase;
     resetPasswordUseCase: ResetPasswordUseCase;
     changePasswordUseCase: ChangePasswordUseCase;
+    verifyEmailUseCase: VerifyEmailUseCase;
+    meUseCase: MeUseCase;
 }

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@jmlq/auth",
   "description": "JWT authentication package with clean architecture",
-  "version": "0.0.1-alpha.29",
+  "version": "0.0.1-alpha.30",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "scripts": {