npm - @lenne.tech/nest-server - Versions diffs - 11.6.1 → 11.7.0 - Mend

@lenne.tech/nest-server 11.6.1 → 11.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (120) hide show

package/src/core/modules/better-auth/better-auth.module.ts ADDED Viewed

@@ -0,0 +1,474 @@
+import {
+  DynamicModule,
+  Global,
+  Logger,
+  MiddlewareConsumer,
+  Module,
+  NestModule,
+  OnModuleInit,
+  Optional,
+  Type,
+} from '@nestjs/common';
+import { getConnectionToken } from '@nestjs/mongoose';
+import mongoose, { Connection } from 'mongoose';
+import { IBetterAuth } from '../../common/interfaces/server-options.interface';
+import { ConfigService } from '../../common/services/config.service';
+import { BetterAuthRateLimitMiddleware } from './better-auth-rate-limit.middleware';
+import { BetterAuthRateLimiter } from './better-auth-rate-limiter.service';
+import { BetterAuthUserMapper } from './better-auth-user.mapper';
+import { BetterAuthInstance, createBetterAuthInstance } from './better-auth.config';
+import { BetterAuthMiddleware } from './better-auth.middleware';
+import { BetterAuthResolver } from './better-auth.resolver';
+import { BetterAuthService } from './better-auth.service';
+import { CoreBetterAuthController } from './core-better-auth.controller';
+import { CoreBetterAuthResolver } from './core-better-auth.resolver';
+/**
+ * Token for injecting the better-auth instance
+ */
+export const BETTER_AUTH_INSTANCE = 'BETTER_AUTH_INSTANCE';
+/**
+ * Options for BetterAuthModule.forRoot()
+ */
+export interface BetterAuthModuleOptions {
+  /**
+   * Better-auth configuration
+   */
+  config: IBetterAuth;
+  /**
+   * Custom controller class to use instead of the default CoreBetterAuthController.
+   * The class must extend CoreBetterAuthController.
+   *
+   * @example
+   * ```typescript
+   * // Your custom controller
+   * @Controller('iam')
+   * export class MyBetterAuthController extends CoreBetterAuthController {
+   *   override async signUp(res: Response, input: BetterAuthSignUpInput) {
+   *     const result = await super.signUp(res, input);
+   *     await this.emailService.sendWelcomeEmail(result.user?.email);
+   *     return result;
+   *   }
+   * }
+   *
+   * // In your module
+   * BetterAuthModule.forRoot({
+   *   config: environment.betterAuth,
+   *   controller: MyBetterAuthController,
+   * })
+   * ```
+   */
+  controller?: Type<CoreBetterAuthController>;
+  /**
+   * Fallback secrets to try if no betterAuth.secret is configured.
+   * The array is iterated and the first valid secret (≥32 chars) is used.
+   *
+   * @example
+   * ```typescript
+   * fallbackSecrets: [config.jwt?.secret, config.jwt?.refresh?.secret]
+   * ```
+   */
+  fallbackSecrets?: (string | undefined)[];
+  /**
+   * Custom resolver class to use instead of the default BetterAuthResolver.
+   * The class must extend CoreBetterAuthResolver.
+   *
+   * @example
+   * ```typescript
+   * // Your custom resolver
+   * @Resolver(() => BetterAuthAuthModel)
+   * export class MyBetterAuthResolver extends CoreBetterAuthResolver {
+   *   override async betterAuthSignUp(...) {
+   *     const result = await super.betterAuthSignUp(...);
+   *     await this.sendWelcomeEmail(result.user);
+   *     return result;
+   *   }
+   * }
+   *
+   * // In your module
+   * BetterAuthModule.forRoot({
+   *   config: environment.betterAuth,
+   *   resolver: MyBetterAuthResolver,
+   * })
+   * ```
+   */
+  resolver?: Type<CoreBetterAuthResolver>;
+}
+/**
+ * BetterAuthModule provides integration with the better-auth authentication framework.
+ *
+ * This module:
+ * - Creates and configures a better-auth instance based on server configuration
+ * - Provides REST controller (CoreBetterAuthController) and GraphQL resolver (CoreBetterAuthResolver)
+ * - Supports JWT, 2FA, Passkey, and Social Login based on configuration
+ * - Enabled by default (zero-config) - set `enabled: false` to disable explicitly
+ * - Uses the global mongoose connection for MongoDB access
+ *
+ * @example
+ * ```typescript
+ * // In your AppModule - import after CoreModule so mongoose is connected
+ * @Module({
+ *   imports: [
+ *     CoreModule.forRoot(...),
+ *     BetterAuthModule.forRoot({ config: environment.betterAuth }),
+ *   ],
+ * })
+ * export class AppModule {}
+ * ```
+ */
+@Global()
+@Module({})
+export class BetterAuthModule implements NestModule, OnModuleInit {
+  private static logger = new Logger(BetterAuthModule.name);
+  private static authInstance: BetterAuthInstance | null = null;
+  private static initialized = false;
+  private static initLogged = false;
+  private static betterAuthEnabled = false;
+  private static currentConfig: IBetterAuth | null = null;
+  private static customController: null | Type<CoreBetterAuthController> = null;
+  private static customResolver: null | Type<CoreBetterAuthResolver> = null;
+  /**
+   * Gets the controller class to use (custom or default)
+   */
+  private static getControllerClass(): Type<CoreBetterAuthController> {
+    return this.customController || CoreBetterAuthController;
+  }
+  /**
+   * Gets the resolver class to use (custom or default)
+   */
+  private static getResolverClass(): Type<CoreBetterAuthResolver> {
+    return this.customResolver || BetterAuthResolver;
+  }
+  constructor(
+    @Optional() private readonly betterAuthService?: BetterAuthService,
+    @Optional() private readonly rateLimiter?: BetterAuthRateLimiter,
+  ) {}
+  onModuleInit() {
+    if (BetterAuthModule.authInstance && !BetterAuthModule.initialized) {
+      BetterAuthModule.initialized = true;
+      BetterAuthModule.logger.log('BetterAuthModule ready');
+    }
+    // Configure rate limiter with stored config
+    if (this.rateLimiter && BetterAuthModule.currentConfig?.rateLimit) {
+      this.rateLimiter.configure(BetterAuthModule.currentConfig.rateLimit);
+    }
+  }
+  /**
+   * Configure middleware for Better-Auth session handling and rate limiting
+   * The session middleware runs on all routes and maps Better-Auth sessions to users
+   * The rate limit middleware runs only on Better-Auth endpoints
+   */
+  configure(consumer: MiddlewareConsumer) {
+    // Only apply middleware if Better-Auth is enabled
+    if (BetterAuthModule.betterAuthEnabled && this.betterAuthService?.isEnabled()) {
+      const basePath = BetterAuthModule.currentConfig?.basePath || '/iam';
+      // Apply rate limiting to Better-Auth endpoints only
+      if (BetterAuthModule.currentConfig?.rateLimit?.enabled) {
+        consumer.apply(BetterAuthRateLimitMiddleware).forRoutes(`${basePath}/*path`);
+        BetterAuthModule.logger.log(`Rate limiting enabled for ${basePath}/*path endpoints`);
+      }
+      // Apply session middleware to all routes
+      consumer.apply(BetterAuthMiddleware).forRoutes('(.*)'); // New path-to-regexp syntax for wildcard
+      BetterAuthModule.logger.log('BetterAuthMiddleware registered for all routes');
+    }
+  }
+  /**
+   * Waits for mongoose connection to be ready using polling
+   * This is more reliable than event-based waiting in test environments
+   * @throws Error if connection times out or fails
+   */
+  private static async waitForMongoConnection(): Promise<void> {
+    const maxAttempts = 60; // 60 attempts * 500ms = 30 seconds max
+    const pollInterval = 500;
+    for (let attempt = 0; attempt < maxAttempts; attempt++) {
+      // Check if already connected
+      if (mongoose.connection.readyState === 1 && mongoose.connection.db) {
+        return;
+      }
+      // Check for error state
+      if (mongoose.connection.readyState === 0) {
+        // Disconnected - wait for reconnection
+        this.logger.debug(`MongoDB not connected (attempt ${attempt + 1}/${maxAttempts})`);
+      }
+      // Wait before next check
+      await new Promise((resolve) => setTimeout(resolve, pollInterval));
+    }
+    throw new Error('MongoDB connection timeout - ensure MongoDB is running and accessible');
+  }
+  /**
+   * Creates a dynamic module for BetterAuth (synchronous)
+   * Note: This requires mongoose connection to be already established.
+   * For async initialization, use forRootAsync.
+   *
+   * @param options - Configuration options
+   * @returns Dynamic module configuration
+   */
+  static forRoot(options: BetterAuthModuleOptions): DynamicModule {
+    const { config, controller, fallbackSecrets, resolver } = options;
+    // Store config for middleware configuration
+    this.currentConfig = config;
+    // Store custom controller if provided
+    this.customController = controller || null;
+    // Store custom resolver if provided
+    this.customResolver = resolver || null;
+    // If better-auth is explicitly disabled, return minimal module
+    // Note: We don't provide middleware classes when disabled because they depend on BetterAuthService
+    // and won't be used anyway (middleware is only applied when enabled)
+    // BetterAuth is enabled by default unless explicitly set to false
+    if (config?.enabled === false) {
+      this.logger.debug('BetterAuth is explicitly disabled - skipping initialization');
+      this.betterAuthEnabled = false;
+      return {
+        exports: [BETTER_AUTH_INSTANCE, BetterAuthService, BetterAuthUserMapper, BetterAuthRateLimiter],
+        module: BetterAuthModule,
+        providers: [
+          {
+            provide: BETTER_AUTH_INSTANCE,
+            useValue: null,
+          },
+          // Note: ConfigService is provided globally by CoreModule
+          // Tests need to provide their own ConfigService
+          BetterAuthService,
+          BetterAuthUserMapper,
+          BetterAuthRateLimiter,
+        ],
+      };
+    }
+    // Enable middleware registration
+    this.betterAuthEnabled = true;
+    // Note: Secret validation is now handled in createBetterAuthInstance
+    // with fallback to jwt.secret, jwt.refresh.secret, or auto-generation
+    // Always use deferred initialization to ensure MongoDB is ready
+    // This prevents timing issues during application startup
+    return this.createDeferredModule(config, fallbackSecrets);
+  }
+  /**
+   * Creates an async dynamic module for BetterAuth
+   * This is the preferred method as it properly waits for mongoose connection.
+   *
+   * @returns Dynamic module configuration
+   */
+  static forRootAsync(): DynamicModule {
+    return {
+      controllers: [this.getControllerClass()],
+      exports: [BETTER_AUTH_INSTANCE, BetterAuthService, BetterAuthUserMapper, BetterAuthRateLimiter],
+      imports: [],
+      module: BetterAuthModule,
+      providers: [
+        {
+          inject: [ConfigService],
+          provide: BETTER_AUTH_INSTANCE,
+          useFactory: async (configService: ConfigService) => {
+            const config = configService.get<IBetterAuth>('betterAuth');
+            // Store config for middleware configuration
+            this.currentConfig = config || null;
+            // BetterAuth is enabled by default unless explicitly set to false
+            if (config?.enabled === false) {
+              this.logger.debug('BetterAuth is explicitly disabled');
+              this.betterAuthEnabled = false;
+              return null;
+            }
+            // Enable middleware registration
+            this.betterAuthEnabled = true;
+            await this.waitForMongoConnection();
+            const db = mongoose.connection.db;
+            if (!db) {
+              throw new Error('MongoDB database not available');
+            }
+            // Get JWT secrets from config for backwards compatibility fallback
+            const jwtConfig = configService.get<{ refresh?: { secret?: string }; secret?: string }>('jwt');
+            const fallbackSecrets = [jwtConfig?.secret, jwtConfig?.refresh?.secret];
+            // Note: Secret validation is now handled in createBetterAuthInstance
+            // with fallback to jwt.secret, jwt.refresh.secret, or auto-generation
+            this.authInstance = createBetterAuthInstance({ config, db, fallbackSecrets });
+            if (this.authInstance) {
+              this.logger.log('BetterAuth initialized successfully');
+              this.logEnabledFeatures(config);
+            }
+            return this.authInstance;
+          },
+        },
+        // BetterAuthService needs to be a factory that explicitly depends on BETTER_AUTH_INSTANCE
+        // to ensure proper initialization order
+        {
+          inject: [BETTER_AUTH_INSTANCE, ConfigService],
+          provide: BetterAuthService,
+          useFactory: (authInstance: BetterAuthInstance | null, configService: ConfigService) => {
+            return new BetterAuthService(authInstance, configService);
+          },
+        },
+        BetterAuthUserMapper,
+        BetterAuthMiddleware,
+        BetterAuthRateLimiter,
+        BetterAuthRateLimitMiddleware,
+        this.getResolverClass(),
+      ],
+    };
+  }
+  /**
+   * Gets the current better-auth instance
+   * Useful for accessing the auth API directly
+   */
+  static getInstance(): BetterAuthInstance | null {
+    return this.authInstance;
+  }
+  /**
+   * Resets the static state of BetterAuthModule
+   * This is primarily useful for testing to ensure clean state between tests
+   *
+   * @example
+   * ```typescript
+   * afterEach(() => {
+   *   BetterAuthModule.reset();
+   * });
+   * ```
+   */
+  static reset(): void {
+    this.authInstance = null;
+    this.initialized = false;
+    this.initLogged = false;
+    this.betterAuthEnabled = false;
+    this.currentConfig = null;
+    this.customController = null;
+    this.customResolver = null;
+  }
+  /**
+   * Creates a deferred initialization module that waits for mongoose connection
+   * By injecting the Connection token, NestJS ensures Mongoose is ready first
+   */
+  private static createDeferredModule(config: IBetterAuth, fallbackSecrets?: (string | undefined)[]): DynamicModule {
+    return {
+      controllers: [this.getControllerClass()],
+      exports: [BETTER_AUTH_INSTANCE, BetterAuthService, BetterAuthUserMapper, BetterAuthRateLimiter],
+      module: BetterAuthModule,
+      providers: [
+        {
+          // Inject Mongoose Connection to ensure NestJS waits for it to be ready
+          inject: [getConnectionToken()],
+          provide: BETTER_AUTH_INSTANCE,
+          useFactory: async (connection: Connection) => {
+            // Connection is now guaranteed to be established
+            const db = connection.db;
+            if (!db) {
+              // Fallback to global mongoose if connection.db is not yet available
+              await this.waitForMongoConnection();
+              const globalDb = mongoose.connection.db;
+              if (!globalDb) {
+                throw new Error('MongoDB database not available');
+              }
+              this.authInstance = createBetterAuthInstance({ config, db: globalDb, fallbackSecrets });
+            } else {
+              this.authInstance = createBetterAuthInstance({ config, db, fallbackSecrets });
+            }
+            if (this.authInstance && !this.initLogged) {
+              this.initLogged = true;
+              this.logger.log('BetterAuth initialized');
+              this.logEnabledFeatures(config);
+            }
+            return this.authInstance;
+          },
+        },
+        // BetterAuthService needs to be a factory that explicitly depends on BETTER_AUTH_INSTANCE
+        // to ensure proper initialization order
+        {
+          inject: [BETTER_AUTH_INSTANCE, ConfigService],
+          provide: BetterAuthService,
+          useFactory: (authInstance: BetterAuthInstance | null, configService: ConfigService) => {
+            return new BetterAuthService(authInstance, configService);
+          },
+        },
+        BetterAuthUserMapper,
+        BetterAuthMiddleware,
+        BetterAuthRateLimiter,
+        BetterAuthRateLimitMiddleware,
+        this.getResolverClass(),
+      ],
+    };
+  }
+  /**
+   * Logs which features are enabled.
+   * Features are enabled by default when their config block is present,
+   * unless explicitly disabled with enabled: false.
+   */
+  private static logEnabledFeatures(config: IBetterAuth): void {
+    const features: string[] = [];
+    // Plugins are enabled by default when config block is present
+    if (config.jwt && config.jwt.enabled !== false) {
+      features.push('JWT');
+    }
+    if (config.twoFactor && config.twoFactor.enabled !== false) {
+      features.push('2FA/TOTP');
+    }
+    if (config.passkey && config.passkey.enabled !== false) {
+      features.push('Passkey/WebAuthn');
+    }
+    // Dynamically collect enabled social providers
+    // Providers are enabled by default if they have credentials configured
+    // Only disabled when explicitly set to enabled: false
+    const socialProviders: string[] = [];
+    if (config.socialProviders) {
+      for (const [name, provider] of Object.entries(config.socialProviders)) {
+        if (provider?.clientId && provider?.clientSecret && provider?.enabled !== false) {
+          // Capitalize first letter for display
+          socialProviders.push(name.charAt(0).toUpperCase() + name.slice(1));
+        }
+      }
+    }
+    if (socialProviders.length > 0) {
+      features.push(`Social Login (${socialProviders.join(', ')})`);
+    }
+    // Rate limiting still requires explicit enabled: true
+    if (config.rateLimit?.enabled) {
+      features.push(`Rate Limiting (${config.rateLimit.max || 10}/${config.rateLimit.windowSeconds || 60}s)`);
+    }
+    if (features.length > 0) {
+      this.logger.log(`Enabled features: ${features.join(', ')}`);
+    }
+  }
+}

package/src/core/modules/better-auth/better-auth.resolver.ts ADDED Viewed

@@ -0,0 +1,213 @@
+import { UseGuards } from '@nestjs/common';
+import { Args, Context, Mutation, Query, Resolver } from '@nestjs/graphql';
+import { Request, Response } from 'express';
+import { Roles } from '../../common/decorators/roles.decorator';
+import { RoleEnum } from '../../common/enums/role.enum';
+import { AuthGuardStrategy } from '../auth/auth-guard-strategy.enum';
+import { AuthGuard } from '../auth/guards/auth.guard';
+import { BetterAuthAuthModel } from './better-auth-auth.model';
+import {
+  BetterAuth2FASetupModel,
+  BetterAuthFeaturesModel,
+  BetterAuthPasskeyChallengeModel,
+  BetterAuthPasskeyModel,
+  BetterAuthSessionModel,
+} from './better-auth-models';
+import { BetterAuthUserMapper } from './better-auth-user.mapper';
+import { BetterAuthService } from './better-auth.service';
+import { CoreBetterAuthResolver } from './core-better-auth.resolver';
+/**
+ * Default BetterAuth GraphQL Resolver
+ *
+ * This resolver extends CoreBetterAuthResolver and provides the default
+ * Better-Auth GraphQL operations. It re-declares all methods with decorators
+ * because CoreBetterAuthResolver uses `isAbstract: true`, which means its
+ * methods are not registered in the GraphQL schema.
+ *
+ * Override in your project if you need custom behavior (e.g., sending emails after sign-up).
+ *
+ * @example
+ * ```typescript
+ * // In your project - src/server/modules/better-auth/better-auth.resolver.ts
+ * @Resolver(() => BetterAuthAuthModel)
+ * export class BetterAuthResolver extends CoreBetterAuthResolver {
+ *   constructor(
+ *     betterAuthService: BetterAuthService,
+ *     userMapper: BetterAuthUserMapper,
+ *     private readonly emailService: EmailService,
+ *   ) {
+ *     super(betterAuthService, userMapper);
+ *   }
+ *
+ *   override async betterAuthSignUp(email: string, password: string, name?: string) {
+ *     const result = await super.betterAuthSignUp(email, password, name);
+ *
+ *     // Send welcome email after successful sign-up
+ *     if (result.success && result.user) {
+ *       await this.emailService.sendWelcomeEmail(result.user.email);
+ *     }
+ *
+ *     return result;
+ *   }
+ * }
+ * ```
+ */
+@Resolver(() => BetterAuthAuthModel)
+@Roles(RoleEnum.ADMIN)
+export class BetterAuthResolver extends CoreBetterAuthResolver {
+  constructor(
+    protected override readonly betterAuthService: BetterAuthService,
+    protected override readonly userMapper: BetterAuthUserMapper,
+  ) {
+    super(betterAuthService, userMapper);
+  }
+  // ===========================================================================
+  // Queries
+  // ===========================================================================
+  @Query(() => BetterAuthSessionModel, {
+    description: 'Get current Better-Auth session',
+    nullable: true,
+  })
+  @Roles(RoleEnum.S_USER)
+  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
+  override async betterAuthSession(@Context() ctx: { req: Request }): Promise<BetterAuthSessionModel | null> {
+    return super.betterAuthSession(ctx);
+  }
+  @Query(() => Boolean, { description: 'Check if Better-Auth is enabled' })
+  @Roles(RoleEnum.S_EVERYONE)
+  override betterAuthEnabled(): boolean {
+    return super.betterAuthEnabled();
+  }
+  @Query(() => BetterAuthFeaturesModel, { description: 'Get enabled Better-Auth features' })
+  @Roles(RoleEnum.S_EVERYONE)
+  override betterAuthFeatures(): BetterAuthFeaturesModel {
+    return super.betterAuthFeatures();
+  }
+  @Query(() => [BetterAuthPasskeyModel], {
+    description: 'List passkeys for the current user',
+    nullable: true,
+  })
+  @Roles(RoleEnum.S_USER)
+  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
+  override async betterAuthListPasskeys(@Context() ctx: { req: Request }): Promise<BetterAuthPasskeyModel[] | null> {
+    return super.betterAuthListPasskeys(ctx);
+  }
+  // ===========================================================================
+  // Authentication Mutations
+  // ===========================================================================
+  @Mutation(() => BetterAuthAuthModel, {
+    description: 'Sign in via Better-Auth (email/password)',
+  })
+  @Roles(RoleEnum.S_EVERYONE)
+  override async betterAuthSignIn(
+    @Args('email') email: string,
+    @Args('password') password: string,
+    @Context() ctx: { req: Request; res: Response },
+  ): Promise<BetterAuthAuthModel> {
+    return super.betterAuthSignIn(email, password, ctx);
+  }
+  @Mutation(() => BetterAuthAuthModel, {
+    description: 'Sign up via Better-Auth (email/password)',
+  })
+  @Roles(RoleEnum.S_EVERYONE)
+  override async betterAuthSignUp(
+    @Args('email') email: string,
+    @Args('password') password: string,
+    @Args('name', { nullable: true }) name?: string,
+  ): Promise<BetterAuthAuthModel> {
+    return super.betterAuthSignUp(email, password, name);
+  }
+  @Mutation(() => Boolean, { description: 'Sign out via Better-Auth' })
+  @Roles(RoleEnum.S_USER)
+  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
+  override async betterAuthSignOut(@Context() ctx: { req: Request }): Promise<boolean> {
+    return super.betterAuthSignOut(ctx);
+  }
+  // ===========================================================================
+  // 2FA Mutations
+  // ===========================================================================
+  @Mutation(() => BetterAuthAuthModel, {
+    description: 'Verify 2FA code during sign-in',
+  })
+  @Roles(RoleEnum.S_EVERYONE)
+  override async betterAuthVerify2FA(
+    @Args('code') code: string,
+    @Context() ctx: { req: Request },
+  ): Promise<BetterAuthAuthModel> {
+    return super.betterAuthVerify2FA(code, ctx);
+  }
+  @Mutation(() => BetterAuth2FASetupModel, {
+    description: 'Enable 2FA for the current user',
+  })
+  @Roles(RoleEnum.S_USER)
+  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
+  override async betterAuthEnable2FA(
+    @Args('password') password: string,
+    @Context() ctx: { req: Request },
+  ): Promise<BetterAuth2FASetupModel> {
+    return super.betterAuthEnable2FA(password, ctx);
+  }
+  @Mutation(() => Boolean, {
+    description: 'Disable 2FA for the current user',
+  })
+  @Roles(RoleEnum.S_USER)
+  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
+  override async betterAuthDisable2FA(
+    @Args('password') password: string,
+    @Context() ctx: { req: Request },
+  ): Promise<boolean> {
+    return super.betterAuthDisable2FA(password, ctx);
+  }
+  @Mutation(() => [String], {
+    description: 'Generate new backup codes for 2FA',
+    nullable: true,
+  })
+  @Roles(RoleEnum.S_USER)
+  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
+  override async betterAuthGenerateBackupCodes(@Context() ctx: { req: Request }): Promise<null | string[]> {
+    return super.betterAuthGenerateBackupCodes(ctx);
+  }
+  // ===========================================================================
+  // Passkey Mutations
+  // ===========================================================================
+  @Mutation(() => BetterAuthPasskeyChallengeModel, {
+    description: 'Get passkey registration challenge for WebAuthn',
+  })
+  @Roles(RoleEnum.S_USER)
+  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
+  override async betterAuthGetPasskeyChallenge(
+    @Context() ctx: { req: Request },
+  ): Promise<BetterAuthPasskeyChallengeModel> {
+    return super.betterAuthGetPasskeyChallenge(ctx);
+  }
+  @Mutation(() => Boolean, {
+    description: 'Delete a passkey by ID',
+  })
+  @Roles(RoleEnum.S_USER)
+  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
+  override async betterAuthDeletePasskey(
+    @Args('passkeyId') passkeyId: string,
+    @Context() ctx: { req: Request },
+  ): Promise<boolean> {
+    return super.betterAuthDeletePasskey(passkeyId, ctx);
+  }
+}