npm - @lenne.tech/nest-server - Versions diffs - 11.6.2 → 11.7.1 - Mend

@lenne.tech/nest-server 11.6.2 → 11.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (136) hide show

package/src/core/common/services/crud.service.ts CHANGED Viewed

@@ -2,10 +2,10 @@ import { NotFoundException } from '@nestjs/common';
 import {
   AggregateOptions,
   Document,
-  FilterQuery,
   Model as MongooseModel,
   PipelineStage,
   Query,
+  QueryFilter,
   QueryOptions,
 } from 'mongoose';
@@ -147,7 +147,7 @@ export abstract class CrudService<
    * Get items via filter
    */
   async find(
-    filter?: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions; samples?: number },
+    filter?: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions; samples?: number },
     serviceOptions?: ServiceOptions,
   ): Promise<Model[]> {
     // If filter is not instance of FilterArgs a simple form with filterQuery and queryOptions is set
@@ -191,7 +191,7 @@ export abstract class CrudService<
    * Warning: Disables the handling of rights and restrictions!
    */
   async findForce(
-    filter?: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions; samples?: number },
+    filter?: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions; samples?: number },
     serviceOptions: ServiceOptions = {},
   ): Promise<Model[]> {
     serviceOptions = serviceOptions || {};
@@ -204,7 +204,7 @@ export abstract class CrudService<
    * Warning: Disables the handling of rights and restrictions! The raw data may contain secrets (such as passwords).
    */
   async findRaw(
-    filter?: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions; samples?: number },
+    filter?: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions; samples?: number },
     serviceOptions: ServiceOptions = {},
   ): Promise<Model[]> {
     serviceOptions = serviceOptions || {};
@@ -216,7 +216,7 @@ export abstract class CrudService<
    * Get items and total count via filter
    */
   async findAndCount(
-    filter?: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions; samples?: number },
+    filter?: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions; samples?: number },
     serviceOptions?: ServiceOptions,
   ): Promise<{ items: Model[]; totalCount: number }> {
     // If filter is not instance of FilterArgs a simple form with filterQuery and queryOptions is set
@@ -280,10 +280,10 @@ export abstract class CrudService<
         // Find and process db items
         const collation = serviceOptions?.collation || ConfigService.get('mongoose.collation');
-        const dbResult
-          = (await this.mainDbModel.aggregate(aggregation, collation ? { collation } : {}).exec())[0] || {};
+        const dbResult =
+          (await this.mainDbModel.aggregate(aggregation, collation ? { collation } : {}).exec())[0] || {};
         dbResult.totalCount = dbResult.totalCount?.[0]?.total || 0;
-        dbResult.items = dbResult.items?.map(item => this.mainDbModel.hydrate(item)) || [];
+        dbResult.items = dbResult.items?.map((item) => this.mainDbModel.hydrate(item)) || [];
         return dbResult;
       },
       { input: filter, outputPath: 'items', serviceOptions },
@@ -295,7 +295,7 @@ export abstract class CrudService<
    * Warning: Disables the handling of rights and restrictions!
    */
   async findAndCountForce(
-    filter?: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions; samples?: number },
+    filter?: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions; samples?: number },
     serviceOptions: ServiceOptions = {},
   ): Promise<{ items: Model[]; totalCount: number }> {
     serviceOptions.raw = true;
@@ -307,7 +307,7 @@ export abstract class CrudService<
    * Warning: Disables the handling of rights and restrictions! The raw data may contain secrets (such as passwords).
    */
   async findAndCountRaw(
-    filter?: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions; samples?: number },
+    filter?: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions; samples?: number },
     serviceOptions: ServiceOptions = {},
   ): Promise<{ items: Model[]; totalCount: number }> {
     serviceOptions = serviceOptions || {};
@@ -319,7 +319,7 @@ export abstract class CrudService<
    * Find and update
    */
   async findAndUpdate(
-    filter: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions; samples?: number },
+    filter: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions; samples?: number },
     update: PlainObject<UpdateInput>,
     serviceOptions?: ServiceOptions,
   ): Promise<Model[]> {
@@ -348,7 +348,7 @@ export abstract class CrudService<
    * Warning: Disables the handling of rights and restrictions!
    */
   async findAndUpdateForce(
-    filter: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions; samples?: number },
+    filter: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions; samples?: number },
     update: PlainObject<UpdateInput>,
     serviceOptions: ServiceOptions = {},
   ): Promise<Model[]> {
@@ -362,7 +362,7 @@ export abstract class CrudService<
    * Warning: Disables the handling of rights and restrictions! The raw data may contain secrets (such as passwords).
    */
   async findAndUpdateRaw(
-    filter: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions; samples?: number },
+    filter: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions; samples?: number },
     update: PlainObject<UpdateInput>,
     serviceOptions: ServiceOptions = {},
   ): Promise<Model[]> {
@@ -375,7 +375,7 @@ export abstract class CrudService<
    * Find one item via filter
    */
   async findOne(
-    filter?: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions },
+    filter?: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions },
     serviceOptions?: ServiceOptions,
   ): Promise<Model> {
     // If filter is not instance of FilterArgs a simple form with filterQuery and queryOptions is set
@@ -414,7 +414,7 @@ export abstract class CrudService<
    * Warning: Disables the handling of rights and restrictions!
    */
   async findOneForce(
-    filter?: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions; samples?: number },
+    filter?: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions; samples?: number },
     serviceOptions: ServiceOptions = {},
   ): Promise<Model> {
     serviceOptions = serviceOptions || {};
@@ -427,7 +427,7 @@ export abstract class CrudService<
    * Warning: Disables the handling of rights and restrictions! The raw data may contain secrets (such as passwords).
    */
   async findOneRaw(
-    filter?: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions; samples?: number },
+    filter?: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions; samples?: number },
     serviceOptions: ServiceOptions = {},
   ): Promise<Model> {
     serviceOptions = serviceOptions || {};
@@ -452,7 +452,7 @@ export abstract class CrudService<
    * CRUD alias for find
    */
   async read(
-    filter: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions },
+    filter: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions },
     serviceOptions?: ServiceOptions,
   ): Promise<Model[]>;
@@ -460,7 +460,7 @@ export abstract class CrudService<
    * CRUD alias for get or find
    */
   async read(
-    input: FilterArgs | string | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions },
+    input: FilterArgs | string | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions },
     serviceOptions?: ServiceOptions,
   ): Promise<Model | Model[]> {
     if (typeof input === 'string') {
@@ -481,7 +481,7 @@ export abstract class CrudService<
    * Warning: Disables the handling of rights and restrictions!
    */
   async readForce(
-    filter: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions },
+    filter: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions },
     serviceOptions?: ServiceOptions,
   ): Promise<Model[]>;
@@ -490,7 +490,7 @@ export abstract class CrudService<
    * Warning: Disables the handling of rights and restrictions!
    */
   async readForce(
-    input: FilterArgs | string | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions },
+    input: FilterArgs | string | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions },
     serviceOptions?: ServiceOptions,
   ): Promise<Model | Model[]> {
     if (typeof input === 'string') {
@@ -511,7 +511,7 @@ export abstract class CrudService<
    * Warning: Disables the handling of rights and restrictions! The raw data may contain secrets (such as passwords).
    */
   async readRaw(
-    filter: FilterArgs | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions },
+    filter: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions },
     serviceOptions?: ServiceOptions,
   ): Promise<Model[]>;
@@ -520,7 +520,7 @@ export abstract class CrudService<
    * Warning: Disables the handling of rights and restrictions! The raw data may contain secrets (such as passwords).
    */
   async readRaw(
-    input: FilterArgs | string | { filterQuery?: FilterQuery<any>; queryOptions?: QueryOptions },
+    input: FilterArgs | string | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions },
     serviceOptions?: ServiceOptions,
   ): Promise<Model | Model[]> {
     if (typeof input === 'string') {

package/src/core/modules/auth/core-auth.controller.ts CHANGED Viewed

@@ -1,9 +1,12 @@
 import { Body, Controller, Get, ParseBoolPipe, Post, Query, Res, UseGuards } from '@nestjs/common';
 import {
-  ApiBody, ApiCreatedResponse,
+  ApiBody,
+  ApiCreatedResponse,
+  ApiGoneResponse,
   ApiOkResponse,
   ApiOperation,
   ApiQuery,
+  ApiTooManyRequestsResponse,
 } from '@nestjs/swagger';
 import { Response as ResponseType } from 'express';
@@ -14,13 +17,38 @@ import { RoleEnum } from '../../common/enums/role.enum';
 import { ConfigService } from '../../common/services/config.service';
 import { AuthGuardStrategy } from './auth-guard-strategy.enum';
 import { CoreAuthModel } from './core-auth.model';
+import { LegacyAuthDisabledException } from './exceptions/legacy-auth-disabled.exception';
 import { AuthGuard } from './guards/auth.guard';
+import { LegacyAuthRateLimitGuard } from './guards/legacy-auth-rate-limit.guard';
 import { CoreAuthSignInInput } from './inputs/core-auth-sign-in.input';
 import { CoreAuthSignUpInput } from './inputs/core-auth-sign-up.input';
 import { ICoreAuthUser } from './interfaces/core-auth-user.interface';
 import { CoreAuthService } from './services/core-auth.service';
 import { Tokens } from './tokens.decorator';
+/**
+ * Authentication controller for REST endpoints
+ *
+ * This controller provides Legacy Auth endpoints via REST.
+ * In a future version, BetterAuth (IAM) will become the default.
+ *
+ * ## Disabling Legacy Endpoints
+ *
+ * After all users have migrated to BetterAuth (IAM), these endpoints
+ * can be disabled via configuration:
+ *
+ * ```typescript
+ * auth: {
+ *   legacyEndpoints: {
+ *     enabled: false, // Disable all legacy endpoints
+ *     // or
+ *     rest: false     // Disable only REST endpoints
+ *   }
+ * }
+ * ```
+ *
+ * @see https://github.com/lenneTech/nest-server/blob/develop/.claude/rules/module-deprecation.md
+ */
 @ApiCommonErrorResponses()
 @Controller('auth')
 @Roles(RoleEnum.ADMIN)
@@ -33,63 +61,123 @@ export class CoreAuthController {
     protected readonly configService: ConfigService,
   ) {}
+  // ===========================================================================
+  // Helper - Legacy Endpoint Check
+  // ===========================================================================
+  /**
+   * Check if legacy REST endpoints are enabled
+   *
+   * Throws LegacyAuthDisabledException if:
+   * - config.auth.legacyEndpoints.enabled is false
+   * - config.auth.legacyEndpoints.rest is false
+   *
+   * @throws LegacyAuthDisabledException
+   */
+  protected checkLegacyRESTEnabled(endpointName: string): void {
+    const authConfig = this.configService.getFastButReadOnly('auth');
+    const legacyConfig = authConfig?.legacyEndpoints;
+    // Check if legacy endpoints are globally disabled
+    if (legacyConfig?.enabled === false) {
+      throw new LegacyAuthDisabledException(endpointName);
+    }
+    // Check if REST endpoints specifically are disabled
+    if (legacyConfig?.rest === false) {
+      throw new LegacyAuthDisabledException(endpointName);
+    }
+  }
   /**
    * Logout user (from specific device)
+   *
+   * @deprecated Will be replaced by BetterAuth signOut in a future version
+   * @throws LegacyAuthDisabledException if legacy endpoints are disabled
    */
+  @ApiGoneResponse({ description: 'Legacy Auth endpoints are disabled' })
   @ApiOkResponse({ type: Boolean })
   @ApiOperation({ description: 'Logs a user out from a specific device' })
   @ApiQuery({ description: 'If all devices should be logged out,', name: 'allDevices', required: false, type: Boolean })
+  @ApiTooManyRequestsResponse({ description: 'Rate limit exceeded' })
   @Get('logout')
   @Roles(RoleEnum.S_EVERYONE)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
+  @UseGuards(LegacyAuthRateLimitGuard, AuthGuard(AuthGuardStrategy.JWT))
   async logout(
     @CurrentUser() currentUser: ICoreAuthUser,
     @Tokens('token') token: string,
     @Res({ passthrough: true }) res: ResponseType,
     @Query('allDevices', new ParseBoolPipe({ optional: true })) allDevices?: boolean,
   ): Promise<boolean> {
+    this.checkLegacyRESTEnabled('logout');
     const result = await this.authService.logout(token, { allDevices, currentUser });
     return this.processCookies(res, result);
   }
   /**
    * Refresh token (for specific device)
+   *
+   * @deprecated Will be replaced by BetterAuth session refresh in a future version
+   * @throws LegacyAuthDisabledException if legacy endpoints are disabled
    */
+  @ApiGoneResponse({ description: 'Legacy Auth endpoints are disabled' })
   @ApiOkResponse({ type: CoreAuthModel })
   @ApiOperation({ description: 'Refresh token (for specific device)' })
+  @ApiTooManyRequestsResponse({ description: 'Rate limit exceeded' })
   @Get('refresh-token')
   @Roles(RoleEnum.S_EVERYONE)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT_REFRESH))
+  @UseGuards(LegacyAuthRateLimitGuard, AuthGuard(AuthGuardStrategy.JWT_REFRESH))
   async refreshToken(
     @CurrentUser() user: ICoreAuthUser,
     @Tokens('refreshToken') refreshToken: string,
     @Res({ passthrough: true }) res: ResponseType,
   ): Promise<CoreAuthModel> {
+    this.checkLegacyRESTEnabled('refresh-token');
     const result = await this.authService.refreshTokens(user, refreshToken);
     return this.processCookies(res, result);
   }
   /**
    * Sign in user via email and password (on specific device)
+   *
+   * @deprecated Will be replaced by BetterAuth signIn in a future version
+   * @throws LegacyAuthDisabledException if legacy endpoints are disabled
    */
   @ApiCreatedResponse({ description: 'Signed in successfully', type: CoreAuthModel })
+  @ApiGoneResponse({ description: 'Legacy Auth endpoints are disabled' })
   @ApiOperation({ description: 'Sign in via email and password' })
+  @ApiTooManyRequestsResponse({ description: 'Rate limit exceeded' })
   @Post('signin')
   @Roles(RoleEnum.S_EVERYONE)
-  async signIn(@Res({ passthrough: true }) res: ResponseType, @Body() input: CoreAuthSignInInput): Promise<CoreAuthModel> {
+  @UseGuards(LegacyAuthRateLimitGuard)
+  async signIn(
+    @Res({ passthrough: true }) res: ResponseType,
+    @Body() input: CoreAuthSignInInput,
+  ): Promise<CoreAuthModel> {
+    this.checkLegacyRESTEnabled('signin');
     const result = await this.authService.signIn(input);
     return this.processCookies(res, result);
   }
   /**
    * Register a new user account (on specific device)
+   *
+   * @deprecated Will be replaced by BetterAuth signUp in a future version
+   * @throws LegacyAuthDisabledException if legacy endpoints are disabled
    */
   @ApiBody({ type: CoreAuthSignUpInput })
   @ApiCreatedResponse({ type: CoreAuthSignUpInput })
+  @ApiGoneResponse({ description: 'Legacy Auth endpoints are disabled' })
   @ApiOperation({ description: 'Sign up via email and password' })
+  @ApiTooManyRequestsResponse({ description: 'Rate limit exceeded' })
   @Post('signup')
   @Roles(RoleEnum.S_EVERYONE)
-  async signUp(@Res({ passthrough: true }) res: ResponseType, @Body() input: CoreAuthSignUpInput): Promise<CoreAuthModel> {
+  @UseGuards(LegacyAuthRateLimitGuard)
+  async signUp(
+    @Res({ passthrough: true }) res: ResponseType,
+    @Body() input: CoreAuthSignUpInput,
+  ): Promise<CoreAuthModel> {
+    this.checkLegacyRESTEnabled('signup');
     const result = await this.authService.signUp(input);
     return this.processCookies(res, result);
   }

package/src/core/modules/auth/core-auth.module.ts CHANGED Viewed

@@ -5,9 +5,11 @@ import { PassportModule } from '@nestjs/passport';
 import { PubSub } from 'graphql-subscriptions';
 import { AuthGuardStrategy } from './auth-guard-strategy.enum';
+import { LegacyAuthRateLimitGuard } from './guards/legacy-auth-rate-limit.guard';
 import { RolesGuard } from './guards/roles.guard';
 import { CoreAuthUserService } from './services/core-auth-user.service';
 import { CoreAuthService } from './services/core-auth.service';
+import { LegacyAuthRateLimiter } from './services/legacy-auth-rate-limiter.service';
 import { JwtRefreshStrategy } from './strategies/jwt-refresh.strategy';
 import { JwtStrategy } from './strategies/jwt.strategy';
@@ -68,6 +70,9 @@ export class CoreAuthModule {
         provide: JwtRefreshStrategy,
         useClass: options.jwtRefreshStrategy || JwtRefreshStrategy,
       },
+      // Rate limiting for Legacy Auth endpoints (disabled by default, configure via auth.rateLimit)
+      LegacyAuthRateLimiter,
+      LegacyAuthRateLimitGuard,
     ];
     if (Array.isArray(options?.providers)) {
       providers = imports.concat(options.providers);
@@ -75,7 +80,16 @@ export class CoreAuthModule {
     // Return CoreAuthModule
     return {
-      exports: [CoreAuthService, JwtModule, JwtStrategy, JwtRefreshStrategy, PassportModule, UserModule],
+      exports: [
+        CoreAuthService,
+        JwtModule,
+        JwtStrategy,
+        JwtRefreshStrategy,
+        LegacyAuthRateLimiter,
+        LegacyAuthRateLimitGuard,
+        PassportModule,
+        UserModule,
+      ],
       imports,
       module: CoreAuthModule,
       providers,

package/src/core/modules/auth/core-auth.resolver.ts CHANGED Viewed

@@ -10,7 +10,9 @@ import { ServiceOptions } from '../../common/interfaces/service-options.interfac
 import { ConfigService } from '../../common/services/config.service';
 import { AuthGuardStrategy } from './auth-guard-strategy.enum';
 import { CoreAuthModel } from './core-auth.model';
+import { LegacyAuthDisabledException } from './exceptions/legacy-auth-disabled.exception';
 import { AuthGuard } from './guards/auth.guard';
+import { LegacyAuthRateLimitGuard } from './guards/legacy-auth-rate-limit.guard';
 import { CoreAuthSignInInput } from './inputs/core-auth-sign-in.input';
 import { CoreAuthSignUpInput } from './inputs/core-auth-sign-up.input';
 import { ICoreAuthUser } from './interfaces/core-auth-user.interface';
@@ -19,6 +21,26 @@ import { Tokens } from './tokens.decorator';
 /**
  * Authentication resolver for the sign in
+ *
+ * This resolver provides Legacy Auth endpoints via GraphQL.
+ * In a future version, BetterAuth (IAM) will become the default.
+ *
+ * ## Disabling Legacy Endpoints
+ *
+ * After all users have migrated to BetterAuth (IAM), these endpoints
+ * can be disabled via configuration:
+ *
+ * ```typescript
+ * auth: {
+ *   legacyEndpoints: {
+ *     enabled: false, // Disable all legacy endpoints
+ *     // or
+ *     graphql: false  // Disable only GraphQL endpoints
+ *   }
+ * }
+ * ```
+ *
+ * @see https://github.com/lenneTech/nest-server/blob/develop/.claude/rules/module-deprecation.md
  */
 @Resolver(() => CoreAuthModel, { isAbstract: true })
 @Roles(RoleEnum.ADMIN)
@@ -31,67 +53,113 @@ export class CoreAuthResolver {
     protected readonly configService: ConfigService,
   ) {}
+  // ===========================================================================
+  // Helper - Legacy Endpoint Check
+  // ===========================================================================
+  /**
+   * Check if legacy GraphQL endpoints are enabled
+   *
+   * Throws LegacyAuthDisabledException if:
+   * - config.auth.legacyEndpoints.enabled is false
+   * - config.auth.legacyEndpoints.graphql is false
+   *
+   * @throws LegacyAuthDisabledException
+   */
+  protected checkLegacyGraphQLEnabled(endpointName: string): void {
+    const authConfig = this.configService.getFastButReadOnly('auth');
+    const legacyConfig = authConfig?.legacyEndpoints;
+    // Check if legacy endpoints are globally disabled
+    if (legacyConfig?.enabled === false) {
+      throw new LegacyAuthDisabledException(endpointName);
+    }
+    // Check if GraphQL endpoints specifically are disabled
+    if (legacyConfig?.graphql === false) {
+      throw new LegacyAuthDisabledException(endpointName);
+    }
+  }
   // ===========================================================================
   // Mutations
   // ===========================================================================
   /**
    * Logout user (from specific device)
+   *
+   * @deprecated Will be replaced by BetterAuth signOut in a future version
+   * @throws LegacyAuthDisabledException if legacy endpoints are disabled
    */
   @Mutation(() => Boolean, { description: 'Logout user (from specific device)' })
   @Roles(RoleEnum.S_EVERYONE)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
+  @UseGuards(LegacyAuthRateLimitGuard, AuthGuard(AuthGuardStrategy.JWT))
   async logout(
     @CurrentUser() currentUser: ICoreAuthUser,
     @Context() ctx: { res: ResponseType },
     @Tokens('token') token: string,
     @Args('allDevices', { nullable: true }) allDevices?: boolean,
   ): Promise<boolean> {
+    this.checkLegacyGraphQLEnabled('logout');
     const result = await this.authService.logout(token, { allDevices, currentUser });
     return this.processCookies(ctx, result);
   }
   /**
    * Refresh token (for specific device)
+   *
+   * @deprecated Will be replaced by BetterAuth session refresh in a future version
+   * @throws LegacyAuthDisabledException if legacy endpoints are disabled
    */
   @Mutation(() => CoreAuthModel, { description: 'Refresh tokens (for specific device)' })
   @Roles(RoleEnum.S_EVERYONE)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT_REFRESH))
+  @UseGuards(LegacyAuthRateLimitGuard, AuthGuard(AuthGuardStrategy.JWT_REFRESH))
   async refreshToken(
     @CurrentUser() user: ICoreAuthUser,
     @Tokens('refreshToken') refreshToken: string,
     @Context() ctx: { res: ResponseType },
   ): Promise<CoreAuthModel> {
+    this.checkLegacyGraphQLEnabled('refreshToken');
     const result = await this.authService.refreshTokens(user, refreshToken);
     return this.processCookies(ctx, result);
   }
   /**
    * Sign in user via email and password (on specific device)
+   *
+   * @deprecated Will be replaced by BetterAuth signIn in a future version
+   * @throws LegacyAuthDisabledException if legacy endpoints are disabled
    */
   @Mutation(() => CoreAuthModel, {
     description: 'Sign in user via email and password and get JWT tokens (for specific device)',
   })
   @Roles(RoleEnum.S_EVERYONE)
+  @UseGuards(LegacyAuthRateLimitGuard)
   async signIn(
     @GraphQLServiceOptions({ gqlPath: 'signIn.user' }) serviceOptions: ServiceOptions,
     @Context() ctx: { res: ResponseType },
     @Args('input') input: CoreAuthSignInInput,
   ): Promise<CoreAuthModel> {
+    this.checkLegacyGraphQLEnabled('signIn');
     const result = await this.authService.signIn(input, serviceOptions);
     return this.processCookies(ctx, result);
   }
   /**
    * Register a new user account (on specific device)
+   *
+   * @deprecated Will be replaced by BetterAuth signUp in a future version
+   * @throws LegacyAuthDisabledException if legacy endpoints are disabled
    */
   @Mutation(() => CoreAuthModel, { description: 'Register a new user account (on specific device)' })
   @Roles(RoleEnum.S_EVERYONE)
+  @UseGuards(LegacyAuthRateLimitGuard)
   async signUp(
     @GraphQLServiceOptions({ gqlPath: 'signUp.user' }) serviceOptions: ServiceOptions,
     @Context() ctx: { res: ResponseType },
     @Args('input') input: CoreAuthSignUpInput,
   ): Promise<CoreAuthModel> {
+    this.checkLegacyGraphQLEnabled('signUp');
     const result = await this.authService.signUp(input, serviceOptions);
     return this.processCookies(ctx, result);
   }

package/src/core/modules/auth/exceptions/legacy-auth-disabled.exception.ts ADDED Viewed

@@ -0,0 +1,35 @@
+import { GoneException } from '@nestjs/common';
+/**
+ * Exception thrown when Legacy Auth endpoints are accessed but disabled
+ *
+ * This exception is thrown when:
+ * - config.auth.legacyEndpoints.enabled is false
+ * - config.auth.legacyEndpoints.graphql is false (for GraphQL endpoints)
+ * - config.auth.legacyEndpoints.rest is false (for REST endpoints)
+ *
+ * HTTP Status: 410 Gone
+ *
+ * This status code indicates that the resource is no longer available
+ * and will not be available again - appropriate for deprecated endpoints.
+ *
+ * @since 11.7.1
+ *
+ * @example
+ * ```typescript
+ * if (!this.isLegacyEndpointEnabled()) {
+ *   throw new LegacyAuthDisabledException();
+ * }
+ * ```
+ */
+export class LegacyAuthDisabledException extends GoneException {
+  constructor(endpoint?: string) {
+    super({
+      error: 'Legacy Auth Disabled',
+      message: endpoint
+        ? `Legacy Auth endpoint '${endpoint}' is disabled. Use BetterAuth (IAM) endpoints instead.`
+        : 'Legacy Auth endpoints are disabled. Use BetterAuth (IAM) endpoints instead.',
+      statusCode: 410,
+    });
+  }
+}