@lenne.tech/nest-server 11.10.4 → 11.10.5

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nest-server",
-  "version": "11.10.4",
+  "version": "11.10.5",
   "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
   "keywords": [
     "node",

package/src/core/modules/better-auth/core-better-auth.controller.ts

@@ -20,6 +20,7 @@ import { Roles } from '../../common/decorators/roles.decorator';
 import { RoleEnum } from '../../common/enums/role.enum';
 import { maskEmail, maskToken } from '../../common/helpers/logging.helper';
 import { ConfigService } from '../../common/services/config.service';
+import { ErrorCode } from '../error-code/error-codes';
 import { BetterAuthSignInResponse, hasSession, hasUser, requires2FA } from './better-auth.types';
 import { BetterAuthSessionUser, CoreBetterAuthUserMapper } from './core-better-auth-user.mapper';
 import { sendWebResponse, toWebRequest } from './core-better-auth-web.helper';
@@ -227,7 +228,7 @@ export class CoreBetterAuthController {
 
     const api = this.betterAuthService.getApi();
     if (!api) {
-      throw new BadRequestException('Better-Auth API not available');
+      throw new BadRequestException(ErrorCode.BETTERAUTH_API_NOT_AVAILABLE);
     }
 
     // Step 1: Try legacy user migration BEFORE Better Auth handles the request
@@ -255,7 +256,7 @@ export class CoreBetterAuthController {
       })) as BetterAuthSignInResponse | null;
 
       if (!response) {
-        throw new UnauthorizedException('Invalid credentials');
+        throw new UnauthorizedException(ErrorCode.INVALID_CREDENTIALS);
       }
 
       // Check for 2FA requirement
@@ -268,7 +269,7 @@ export class CoreBetterAuthController {
         // We need to modify the request body to use the normalized password
         const authInstance = this.betterAuthService.getInstance();
         if (!authInstance) {
-          throw new InternalServerErrorException('Better-Auth not initialized');
+          throw new InternalServerErrorException(ErrorCode.BETTERAUTH_NOT_INITIALIZED);
         }
 
         // Create a modified request body with normalized password
@@ -311,7 +312,7 @@ export class CoreBetterAuthController {
       // Check if response indicates an error
       const responseAny = response as any;
       if (responseAny?.error || responseAny?.code === 'CREDENTIAL_ACCOUNT_NOT_FOUND') {
-        throw new UnauthorizedException('Invalid credentials');
+        throw new UnauthorizedException(ErrorCode.INVALID_CREDENTIALS);
       }
 
       if (hasUser(response)) {
@@ -334,7 +335,7 @@ export class CoreBetterAuthController {
         return this.processCookies(res, result);
       }
 
-      throw new UnauthorizedException('Invalid credentials');
+      throw new UnauthorizedException(ErrorCode.INVALID_CREDENTIALS);
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : 'Unknown error';
       this.logger.debug(`Sign-in error: ${errorMessage}`);
@@ -343,7 +344,7 @@ export class CoreBetterAuthController {
         throw error;
       }
 
-      throw new UnauthorizedException('Invalid credentials');
+      throw new UnauthorizedException(ErrorCode.INVALID_CREDENTIALS);
     }
   }
 
@@ -380,7 +381,7 @@ export class CoreBetterAuthController {
 
     const api = this.betterAuthService.getApi();
     if (!api) {
-      throw new BadRequestException('Better-Auth API not available');
+      throw new BadRequestException(ErrorCode.BETTERAUTH_API_NOT_AVAILABLE);
     }
 
     // Normalize password to SHA256 format for consistency with Legacy Auth
@@ -396,7 +397,7 @@ export class CoreBetterAuthController {
       });
 
       if (!response) {
-        throw new BadRequestException('Sign-up failed');
+        throw new BadRequestException(ErrorCode.SIGNUP_FAILED);
       }
 
       if (hasUser(response)) {
@@ -419,14 +420,14 @@ export class CoreBetterAuthController {
         return this.processCookies(res, result);
       }
 
-      throw new BadRequestException('Sign-up failed');
+      throw new BadRequestException(ErrorCode.SIGNUP_FAILED);
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : 'Unknown error';
       this.logger.debug(`Sign-up error: ${errorMessage}`);
       if (errorMessage.includes('already exists')) {
-        throw new BadRequestException('User with this email already exists');
+        throw new BadRequestException(ErrorCode.EMAIL_ALREADY_EXISTS);
       }
-      throw new BadRequestException('Sign-up failed');
+      throw new BadRequestException(ErrorCode.SIGNUP_FAILED);
     }
   }
 
@@ -557,7 +558,7 @@ export class CoreBetterAuthController {
    */
   protected ensureEnabled(): void {
     if (!this.betterAuthService.isEnabled()) {
-      throw new BadRequestException('Better-Auth is not enabled');
+      throw new BadRequestException(ErrorCode.BETTERAUTH_DISABLED);
     }
   }
 
@@ -735,7 +736,7 @@ export class CoreBetterAuthController {
 
     const authInstance = this.betterAuthService.getInstance();
     if (!authInstance) {
-      throw new InternalServerErrorException('Better-Auth not initialized');
+      throw new InternalServerErrorException(ErrorCode.BETTERAUTH_NOT_INITIALIZED);
     }
 
     this.logger.debug(`Forwarding to Better Auth: ${req.method} ${req.path}`);

package/src/core/modules/better-auth/core-better-auth.resolver.ts

@@ -5,6 +5,7 @@ import { Request, Response } from 'express';
 import { Roles } from '../../common/decorators/roles.decorator';
 import { RoleEnum } from '../../common/enums/role.enum';
 import { maskEmail } from '../../common/helpers/logging.helper';
+import { ErrorCode } from '../error-code/error-codes';
 import {
   BetterAuth2FAResponse,
   BetterAuthSignInResponse,
@@ -203,7 +204,7 @@ export class CoreBetterAuthResolver {
 
     const api = this.betterAuthService.getApi();
     if (!api) {
-      throw new BadRequestException('Better-Auth API not available');
+      throw new BadRequestException(ErrorCode.BETTERAUTH_API_NOT_AVAILABLE);
     }
 
     // Try to sign in, with automatic legacy user migration
@@ -239,7 +240,7 @@ export class CoreBetterAuthResolver {
       }
 
       if (!response) {
-        throw new UnauthorizedException('Invalid credentials');
+        throw new UnauthorizedException(ErrorCode.INVALID_CREDENTIALS);
       }
 
       // Check for 2FA requirement
@@ -271,7 +272,7 @@ export class CoreBetterAuthResolver {
         };
       }
 
-      throw new UnauthorizedException('Invalid credentials');
+      throw new UnauthorizedException(ErrorCode.INVALID_CREDENTIALS);
     } catch (error) {
       this.logger.debug(
         `[SignIn] Sign-in failed for ${maskEmail(email)}: ${error instanceof Error ? error.message : 'Unknown error'}`,
@@ -291,7 +292,7 @@ export class CoreBetterAuthResolver {
         }
       }
 
-      throw new UnauthorizedException('Invalid credentials');
+      throw new UnauthorizedException(ErrorCode.INVALID_CREDENTIALS);
     }
   }
 
@@ -308,7 +309,7 @@ export class CoreBetterAuthResolver {
     })) as BetterAuthSignInResponse | null;
 
     if (!response || !hasUser(response)) {
-      throw new UnauthorizedException('Invalid credentials');
+      throw new UnauthorizedException(ErrorCode.INVALID_CREDENTIALS);
     }
 
     if (requires2FA(response)) {
@@ -348,7 +349,7 @@ export class CoreBetterAuthResolver {
 
     const api = this.betterAuthService.getApi();
     if (!api) {
-      throw new BadRequestException('Better-Auth API not available');
+      throw new BadRequestException(ErrorCode.BETTERAUTH_API_NOT_AVAILABLE);
     }
 
     try {
@@ -361,7 +362,7 @@ export class CoreBetterAuthResolver {
       })) as BetterAuthSignUpResponse | null;
 
       if (!response) {
-        throw new BadRequestException('Sign-up failed');
+        throw new BadRequestException(ErrorCode.SIGNUP_FAILED);
       }
 
       if (hasUser(response)) {
@@ -379,14 +380,14 @@ export class CoreBetterAuthResolver {
         };
       }
 
-      throw new BadRequestException('Sign-up failed');
+      throw new BadRequestException(ErrorCode.SIGNUP_FAILED);
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : 'Unknown error';
       this.logger.debug(`Sign-up error: ${errorMessage}`);
       if (errorMessage.includes('already exists')) {
-        throw new BadRequestException('User with this email already exists');
+        throw new BadRequestException(ErrorCode.EMAIL_ALREADY_EXISTS);
       }
-      throw new BadRequestException('Sign-up failed');
+      throw new BadRequestException(ErrorCode.SIGNUP_FAILED);
     }
   }
 
@@ -429,12 +430,12 @@ export class CoreBetterAuthResolver {
     this.ensureEnabled();
 
     if (!this.betterAuthService.isTwoFactorEnabled()) {
-      throw new BadRequestException('Two-factor authentication is not enabled');
+      throw new BadRequestException(ErrorCode.TWO_FACTOR_NOT_ENABLED_SERVER);
     }
 
     const api = this.betterAuthService.getApi();
     if (!api) {
-      throw new BadRequestException('Better-Auth API not available');
+      throw new BadRequestException(ErrorCode.BETTERAUTH_API_NOT_AVAILABLE);
     }
 
     try {
@@ -450,7 +451,7 @@ export class CoreBetterAuthResolver {
           };
 
       if (!twoFactorApi?.verifyTotp) {
-        throw new BadRequestException('2FA verification method not available');
+        throw new BadRequestException(ErrorCode.TWO_FACTOR_METHOD_NOT_AVAILABLE);
       }
 
       const response = await twoFactorApi.verifyTotp({
@@ -469,10 +470,10 @@ export class CoreBetterAuthResolver {
         };
       }
 
-      throw new UnauthorizedException('Invalid 2FA code');
+      throw new UnauthorizedException(ErrorCode.INVALID_2FA_CODE);
     } catch (error) {
       this.logger.debug(`2FA verification error: ${error instanceof Error ? error.message : 'Unknown error'}`);
-      throw new UnauthorizedException('Invalid 2FA code');
+      throw new UnauthorizedException(ErrorCode.INVALID_2FA_CODE);
     }
   }
 
@@ -546,7 +547,7 @@ export class CoreBetterAuthResolver {
     this.ensureEnabled();
 
     if (!this.betterAuthService.isTwoFactorEnabled()) {
-      throw new BadRequestException('Two-factor authentication is not enabled on this server');
+      throw new BadRequestException(ErrorCode.TWO_FACTOR_NOT_ENABLED_SERVER);
     }
 
     const api = this.betterAuthService.getApi();
@@ -564,7 +565,7 @@ export class CoreBetterAuthResolver {
           };
 
       if (!twoFactorApi?.disable) {
-        throw new BadRequestException('2FA disable method not available');
+        throw new BadRequestException(ErrorCode.TWO_FACTOR_METHOD_NOT_AVAILABLE);
       }
 
       const response = await twoFactorApi.disable({
@@ -591,7 +592,7 @@ export class CoreBetterAuthResolver {
     this.ensureEnabled();
 
     if (!this.betterAuthService.isTwoFactorEnabled()) {
-      throw new BadRequestException('Two-factor authentication is not enabled on this server');
+      throw new BadRequestException(ErrorCode.TWO_FACTOR_NOT_ENABLED_SERVER);
     }
 
     const api = this.betterAuthService.getApi();
@@ -609,7 +610,7 @@ export class CoreBetterAuthResolver {
           };
 
       if (!twoFactorApi?.generateBackupCodes) {
-        throw new BadRequestException('Generate backup codes method not available');
+        throw new BadRequestException(ErrorCode.TWO_FACTOR_METHOD_NOT_AVAILABLE);
       }
 
       const response = await twoFactorApi.generateBackupCodes({ headers });
@@ -731,7 +732,7 @@ export class CoreBetterAuthResolver {
     this.ensureEnabled();
 
     if (!this.betterAuthService.isPasskeyEnabled()) {
-      throw new BadRequestException('Passkey authentication is not enabled on this server');
+      throw new BadRequestException(ErrorCode.PASSKEY_NOT_ENABLED_SERVER);
     }
 
     const api = this.betterAuthService.getApi();
@@ -749,7 +750,7 @@ export class CoreBetterAuthResolver {
           };
 
       if (!passkeyApi?.deletePasskey) {
-        throw new BadRequestException('Delete passkey method not available');
+        throw new BadRequestException(ErrorCode.TWO_FACTOR_METHOD_NOT_AVAILABLE);
       }
 
       const response = await passkeyApi.deletePasskey({
@@ -773,9 +774,7 @@ export class CoreBetterAuthResolver {
    */
   protected ensureEnabled(): void {
     if (!this.betterAuthService.isEnabled()) {
-      throw new BadRequestException(
-        'Better-Auth is not enabled. Check that betterAuth.enabled is not set to false in your environment.',
-      );
+      throw new BadRequestException(ErrorCode.BETTERAUTH_DISABLED);
     }
   }
 

package/src/core/modules/error-code/error-codes.ts

@@ -133,6 +133,106 @@ export const LtnsErrors = {
     },
   },
 
+  // BetterAuth specific errors (LTNS_0010-LTNS_0049)
+  INVALID_CREDENTIALS: {
+    code: 'LTNS_0010',
+    message: 'Invalid credentials',
+    translations: {
+      de: 'Ungültige Anmeldedaten.',
+      en: 'Invalid credentials.',
+    },
+  },
+
+  INVALID_2FA_CODE: {
+    code: 'LTNS_0011',
+    message: 'Invalid 2FA code',
+    translations: {
+      de: 'Der 2FA-Code ist ungültig.',
+      en: 'The 2FA code is invalid.',
+    },
+  },
+
+  TWO_FACTOR_NOT_ENABLED: {
+    code: 'LTNS_0012',
+    message: 'Two-factor authentication is not enabled',
+    translations: {
+      de: 'Zwei-Faktor-Authentifizierung ist nicht aktiviert.',
+      en: 'Two-factor authentication is not enabled.',
+    },
+  },
+
+  TWO_FACTOR_NOT_ENABLED_SERVER: {
+    code: 'LTNS_0013',
+    message: 'Two-factor authentication is not enabled on this server',
+    translations: {
+      de: 'Zwei-Faktor-Authentifizierung ist auf diesem Server nicht aktiviert.',
+      en: 'Two-factor authentication is not enabled on this server.',
+    },
+  },
+
+  PASSKEY_NOT_ENABLED_SERVER: {
+    code: 'LTNS_0014',
+    message: 'Passkey authentication is not enabled on this server',
+    translations: {
+      de: 'Passkey-Authentifizierung ist auf diesem Server nicht aktiviert.',
+      en: 'Passkey authentication is not enabled on this server.',
+    },
+  },
+
+  SIGNUP_FAILED: {
+    code: 'LTNS_0015',
+    message: 'Sign-up failed',
+    translations: {
+      de: 'Die Registrierung ist fehlgeschlagen.',
+      en: 'Sign-up failed.',
+    },
+  },
+
+  BETTERAUTH_NOT_INITIALIZED: {
+    code: 'LTNS_0016',
+    message: 'Better-Auth not initialized',
+    translations: {
+      de: 'Better-Auth ist nicht initialisiert.',
+      en: 'Better-Auth is not initialized.',
+    },
+  },
+
+  BETTERAUTH_DISABLED: {
+    code: 'LTNS_0017',
+    message: 'Better-Auth is disabled',
+    translations: {
+      de: 'Better-Auth ist deaktiviert.',
+      en: 'Better-Auth is disabled.',
+    },
+  },
+
+  BETTERAUTH_API_NOT_AVAILABLE: {
+    code: 'LTNS_0018',
+    message: 'Better-Auth API not available',
+    translations: {
+      de: 'Better-Auth API ist nicht verfügbar.',
+      en: 'Better-Auth API is not available.',
+    },
+  },
+
+  TWO_FACTOR_METHOD_NOT_AVAILABLE: {
+    code: 'LTNS_0019',
+    message: '2FA verification method not available',
+    translations: {
+      de: '2FA-Verifizierungsmethode ist nicht verfügbar.',
+      en: '2FA verification method is not available.',
+    },
+  },
+
+  RATE_LIMIT_EXCEEDED: {
+    code: 'LTNS_0020',
+    message: 'Too many requests',
+    translations: {
+      de: 'Zu viele Anfragen. Bitte versuchen Sie es später erneut.',
+      en: 'Too many requests. Please try again later.',
+    },
+  },
+
   // =====================================================
   // Authorization Errors (LTNS_0100-LTNS_0199)
   // =====================================================