@lenne.tech/nest-server 11.6.2 → 11.7.1

package/src/core/modules/better-auth/index.ts

@@ -8,11 +8,17 @@
  * - Two-Factor Authentication (TOTP)
  * - Passkey/WebAuthn authentication
  * - Social Login (Google, GitHub, Apple)
- * - Legacy password handling for migration
  * - Rate limiting for brute-force protection
+ * - Parallel operation with Legacy Auth (bcrypt compatible)
+ *
+ * Extension points:
+ * - CoreBetterAuthController: Abstract controller for REST extension
+ * - CoreBetterAuthResolver: Abstract resolver for GraphQL extension (isAbstract: true)
+ * - BetterAuthController/BetterAuthResolver: Default implementations
  */
 
 export * from './better-auth-auth.model';
+export * from './better-auth-migration-status.model';
 export * from './better-auth-models';
 export * from './better-auth-rate-limit.middleware';
 export * from './better-auth-rate-limiter.service';
@@ -23,3 +29,5 @@ export * from './better-auth.module';
 export * from './better-auth.resolver';
 export * from './better-auth.service';
 export * from './better-auth.types';
+export * from './core-better-auth.controller';
+export * from './core-better-auth.resolver';

package/src/core/modules/user/core-user.service.ts

@@ -1,4 +1,4 @@
-import { BadRequestException, NotFoundException, UnprocessableEntityException } from '@nestjs/common';
+import { BadRequestException, Logger, NotFoundException, UnprocessableEntityException } from '@nestjs/common';
 import bcrypt = require('bcrypt');
 import crypto = require('crypto');
 import { sha256 } from 'js-sha256';
@@ -13,20 +13,31 @@ import { CoreModelConstructor } from '../../common/types/core-model-constructor.
 import { CoreUserModel } from './core-user.model';
 import { CoreUserCreateInput } from './inputs/core-user-create.input';
 import { CoreUserInput } from './inputs/core-user.input';
+import { CoreUserServiceOptions } from './interfaces/core-user-service-options.interface';
 
 /**
  * User service
+ *
+ * Provides user management with automatic synchronization between
+ * Legacy Auth and Better-Auth (IAM) systems when both are enabled.
  */
 export abstract class CoreUserService<
   TUser extends CoreUserModel,
   TUserInput extends CoreUserInput,
   TUserCreateInput extends CoreUserCreateInput,
 > extends CrudService<TUser, TUserCreateInput, TUserInput> {
+  protected readonly userServiceLogger = new Logger(CoreUserService.name);
+
   protected constructor(
     protected override readonly configService: ConfigService,
     protected readonly emailService: EmailService,
     protected override readonly mainDbModel: Model<Document & TUser>,
     protected override readonly mainModelConstructor: CoreModelConstructor<TUser>,
+    /**
+     * Optional configuration for additional features like IAM sync.
+     * Using options object pattern for extensibility without breaking changes.
+     */
+    protected readonly options?: CoreUserServiceOptions,
   ) {
     super();
   }
@@ -125,6 +136,10 @@ export abstract class CoreUserService<
 
   /**
    * Set new password for user with token
+   *
+   * This method also syncs the password change to Better-Auth (IAM) if:
+   * - BetterAuthUserMapper is configured via options
+   * - User has an existing IAM credential account
    */
   async resetPassword(token: string, newPassword: string, serviceOptions?: ServiceOptions): Promise<TUser> {
     // Get user
@@ -133,6 +148,10 @@ export abstract class CoreUserService<
       throw new NotFoundException(`No user found with password reset token: ${token}`);
     }
 
+    // Store the original plain password for IAM sync before any hashing
+    // We need the plain password because IAM uses scrypt, not bcrypt+sha256
+    const plainPasswordForIamSync = /^[a-f0-9]{64}$/i.test(newPassword) ? undefined : newPassword;
+
     return this.process(
       async () => {
         // Check if the password was transmitted encrypted
@@ -141,11 +160,26 @@ export abstract class CoreUserService<
           newPassword = sha256(newPassword);
         }
 
-        // Update and return user
-        return await assignPlain(dbObject, {
+        // Update Legacy Auth password
+        const updatedUser = await assignPlain(dbObject, {
           password: await bcrypt.hash(newPassword, 10),
           passwordResetToken: null,
         }).save();
+
+        // Sync password to Better-Auth (IAM) if mapper is available
+        // This ensures users can sign in via IAM after password reset
+        if (this.options?.betterAuthUserMapper && plainPasswordForIamSync && dbObject.email) {
+          try {
+            await this.options.betterAuthUserMapper.syncPasswordChangeToIam(dbObject.email, plainPasswordForIamSync);
+          } catch (error) {
+            // Log but don't fail - Legacy Auth password was updated successfully
+            this.userServiceLogger.warn(
+              `Failed to sync password reset to IAM for ${dbObject.email}: ${error instanceof Error ? error.message : 'Unknown error'}`,
+            );
+          }
+        }
+
+        return updatedUser;
       },
       { dbObject, serviceOptions },
     );
@@ -186,7 +220,7 @@ export abstract class CoreUserService<
     }
 
     // Check roles values
-    if (roles.some(role => typeof role !== 'string')) {
+    if (roles.some((role) => typeof role !== 'string')) {
       throw new BadRequestException('Roles contains invalid values');
     }
 
@@ -198,4 +232,97 @@ export abstract class CoreUserService<
       { serviceOptions },
     );
   }
+
+  // ===================================================================================================================
+  // Auth System Sync Methods
+  // ===================================================================================================================
+
+  /**
+   * Update user with automatic email and password sync between Legacy and IAM auth systems
+   *
+   * When the email changes and BetterAuthUserMapper is available, this method:
+   * - Invalidates all Better-Auth sessions (forces re-authentication)
+   * - The shared users collection is automatically updated
+   *
+   * When the password changes:
+   * - Updates the Legacy Auth password (bcrypt hash)
+   * - Syncs to Better-Auth (IAM) if the user has a credential account
+   */
+  override async update(id: string, input: TUserInput, serviceOptions?: ServiceOptions): Promise<TUser> {
+    // Get the current user before update to detect email changes
+    const oldUser = (await this.mainDbModel.findById(id).lean().exec()) as null | TUser;
+    const oldEmail = oldUser?.email;
+
+    // Store plain password for IAM sync before any hashing occurs
+    // We need to capture this before super.update() which may hash it
+    const inputPassword = (input as any).password;
+    const plainPasswordForIamSync = inputPassword && !/^[a-f0-9]{64}$/i.test(inputPassword) ? inputPassword : undefined;
+
+    // Perform the update
+    const updatedUser = await super.update(id, input, serviceOptions);
+
+    // Sync email change to IAM if email was changed and mapper is available
+    if (this.options?.betterAuthUserMapper && oldEmail && input.email && oldEmail !== input.email) {
+      try {
+        await this.options.betterAuthUserMapper.syncEmailChangeFromLegacy(oldEmail, input.email);
+        this.userServiceLogger.debug(`Synced email change from Legacy to IAM: ${oldEmail} → ${input.email}`);
+      } catch (error) {
+        this.userServiceLogger.error(
+          `Failed to sync email change to IAM: ${error instanceof Error ? error.message : 'Unknown error'}`,
+        );
+        // Don't throw - email sync failure shouldn't block the update
+      }
+    }
+
+    // Sync password change to IAM if password was changed and mapper is available
+    if (this.options?.betterAuthUserMapper && plainPasswordForIamSync && oldUser?.email) {
+      try {
+        await this.options.betterAuthUserMapper.syncPasswordChangeToIam(oldUser.email, plainPasswordForIamSync);
+        this.userServiceLogger.debug(`Synced password change to IAM for user ${oldUser.email}`);
+      } catch (error) {
+        this.userServiceLogger.warn(
+          `Failed to sync password change to IAM for ${oldUser.email}: ${error instanceof Error ? error.message : 'Unknown error'}`,
+        );
+        // Don't throw - password sync failure shouldn't block the update
+      }
+    }
+
+    return updatedUser;
+  }
+
+  /**
+   * Delete user with automatic cleanup of IAM auth data
+   *
+   * When BetterAuthUserMapper is available, this method also:
+   * - Deletes all Better-Auth accounts for this user
+   * - Deletes all Better-Auth sessions for this user
+   *
+   * This ensures no orphaned auth data remains after user deletion.
+   */
+  override async delete(id: string, serviceOptions?: ServiceOptions): Promise<TUser> {
+    // Get the user before deletion to cleanup IAM data
+    const user = (await this.mainDbModel.findById(id).lean().exec()) as null | (TUser & { _id: any });
+
+    // Perform the deletion
+    const deletedUser = await super.delete(id, serviceOptions);
+
+    // Cleanup IAM data if mapper is available
+    if (this.options?.betterAuthUserMapper && user?._id) {
+      try {
+        const result = await this.options.betterAuthUserMapper.cleanupIamDataForDeletedUser(user._id);
+        if (result.accountsDeleted > 0 || result.sessionsDeleted > 0) {
+          this.userServiceLogger.debug(
+            `Cleaned up IAM data for deleted user ${id}: accounts=${result.accountsDeleted}, sessions=${result.sessionsDeleted}`,
+          );
+        }
+      } catch (error) {
+        this.userServiceLogger.error(
+          `Failed to cleanup IAM data for deleted user: ${error instanceof Error ? error.message : 'Unknown error'}`,
+        );
+        // Don't throw - cleanup failure shouldn't block the delete response
+      }
+    }
+
+    return deletedUser;
+  }
 }

package/src/core/modules/user/interfaces/core-user-service-options.interface.ts

@@ -0,0 +1,15 @@
+import { BetterAuthUserMapper } from '../../better-auth/better-auth-user.mapper';
+
+/**
+ * Optional configuration for CoreUserService
+ *
+ * Use this interface for optional dependencies that may not be available in all projects.
+ * This pattern allows adding new optional parameters without breaking existing implementations.
+ */
+export interface CoreUserServiceOptions {
+  /**
+   * Optional BetterAuthUserMapper for syncing between Legacy and IAM auth systems.
+   * When provided, email changes and user deletions are automatically synced.
+   */
+  betterAuthUserMapper?: BetterAuthUserMapper;
+}

package/src/core.module.ts

@@ -19,7 +19,9 @@ import { EmailService } from './core/common/services/email.service';
 import { MailjetService } from './core/common/services/mailjet.service';
 import { ModelDocService } from './core/common/services/model-doc.service';
 import { TemplateService } from './core/common/services/template.service';
+import { BetterAuthUserMapper } from './core/modules/better-auth/better-auth-user.mapper';
 import { BetterAuthModule } from './core/modules/better-auth/better-auth.module';
+import { BetterAuthService } from './core/modules/better-auth/better-auth.service';
 import { CoreHealthCheckModule } from './core/modules/health-check/core-health-check.module';
 
 /**
@@ -66,10 +68,65 @@ export class CoreModule implements NestModule {
   }
 
   /**
-   * Dynamic module
-   * see https://docs.nestjs.com/modules#dynamic-modules
+   * Dynamic module initialization
+   *
+   * @see https://docs.nestjs.com/modules#dynamic-modules
+   *
+   * ## Signatures
+   *
+   * ### IAM-Only Signature (Recommended for new projects)
+   *
+   * ```typescript
+   * CoreModule.forRoot(envConfig)
+   * ```
+   *
+   * Use this for new projects that only use BetterAuth (IAM) for authentication.
+   * GraphQL Subscription authentication uses BetterAuth JWT tokens.
+   *
+   * **Requirements:**
+   * - Configure `betterAuth` in your config (enabled by default)
+   * - Create BetterAuthModule, Resolver, and Controller in your project
+   * - Inject BetterAuthUserMapper in UserService
+   *
+   * ### Legacy + IAM Signature (For existing projects)
+   *
+   * ```typescript
+   * CoreModule.forRoot(CoreAuthService, AuthModule.forRoot(envConfig.jwt), envConfig)
+   * ```
+   *
+   * @deprecated This 3-parameter signature is deprecated for new projects.
+   * Use the single-parameter signature `CoreModule.forRoot(envConfig)` instead.
+   * Existing projects can continue using this signature during migration.
+   *
+   * Use this for existing projects that need Legacy Auth for backwards compatibility.
+   * Both Legacy Auth and BetterAuth (IAM) can run in parallel.
+   *
+   * ## Migration Path
+   *
+   * 1. **Existing projects**: Use the 3-parameter signature, run Legacy + IAM in parallel
+   * 2. **Monitor**: Use `betterAuthMigrationStatus` query to track user migration
+   * 3. **Disable Legacy**: Set `auth.legacyEndpoints.enabled: false` after all users migrated
+   * 4. **New projects**: Use the single-parameter signature with IAM only
+   *
+   * @see https://github.com/lenneTech/nest-server/blob/develop/.claude/rules/module-deprecation.md
    */
-  static forRoot(AuthService: any, AuthModule: any, options: Partial<IServerOptions>): DynamicModule {
+  static forRoot(options: Partial<IServerOptions>): DynamicModule;
+  /**
+   * @deprecated Use the single-parameter signature `CoreModule.forRoot(envConfig)` for new projects.
+   * This 3-parameter signature is for existing projects during migration to IAM.
+   */
+  static forRoot(AuthService: any, AuthModule: any, options: Partial<IServerOptions>): DynamicModule;
+  static forRoot(
+    authServiceOrOptions: any,
+    authModuleOrUndefined?: any,
+    optionsOrUndefined?: Partial<IServerOptions>,
+  ): DynamicModule {
+    // Detect which signature was used
+    const isIamOnlyMode = authModuleOrUndefined === undefined && optionsOrUndefined === undefined;
+    const AuthService = isIamOnlyMode ? null : authServiceOrOptions;
+    const AuthModule = isIamOnlyMode ? null : authModuleOrUndefined;
+    const options: Partial<IServerOptions> = isIamOnlyMode ? authServiceOrOptions : optionsOrUndefined;
+
     // Process config
     let cors = {};
     if (options?.cookies) {
@@ -78,73 +135,17 @@ export class CoreModule implements NestModule {
         origin: true,
       };
     }
+
+    // Build GraphQL driver configuration based on auth mode
+    const graphQlDriverConfig = isIamOnlyMode
+      ? this.buildIamOnlyGraphQlDriver(cors, options)
+      : this.buildLegacyGraphQlDriver(AuthService, AuthModule, cors, options);
+
     const config: IServerOptions = merge(
       {
         env: 'develop',
         graphQl: {
-          driver: {
-            imports: [AuthModule],
-            inject: [AuthService],
-            useFactory: async (authService: any) =>
-              Object.assign(
-                {
-                  autoSchemaFile: 'schema.gql',
-                  context: ({ req, res }) => ({ req, res }),
-                  cors,
-                  installSubscriptionHandlers: true,
-                  subscriptions: {
-                    'graphql-ws': {
-                      context: ({ extra }) => extra,
-                      onConnect: async (context: Context<any>) => {
-                        const { connectionParams, extra } = context;
-                        if (config.graphQl.enableSubscriptionAuth) {
-                          // get authToken from authorization header
-                          const headers = this.getHeaderFromArray(extra.request?.rawHeaders);
-                          const authToken: string =
-                            connectionParams?.Authorization?.split(' ')[1] ?? headers.Authorization?.split(' ')[1];
-                          if (authToken) {
-                            // verify authToken/getJwtPayLoad
-                            const payload = authService.decodeJwt(authToken);
-                            const user = await authService.validateUser(payload);
-                            if (!user) {
-                              throw new UnauthorizedException('No user found for token');
-                            }
-                            // the user/jwtPayload object found will be available as context.currentUser/jwtPayload in your GraphQL resolvers
-                            extra.user = user;
-                            extra.headers = connectionParams ?? headers;
-                            return extra;
-                          }
-
-                          throw new UnauthorizedException('Missing authentication token');
-                        }
-                      },
-                    },
-                    'subscriptions-transport-ws': {
-                      onConnect: async (connectionParams) => {
-                        if (config.graphQl.enableSubscriptionAuth) {
-                          // get authToken from authorization header
-                          const authToken: string = connectionParams?.Authorization?.split(' ')[1];
-
-                          if (authToken) {
-                            // verify authToken/getJwtPayLoad
-                            const payload = authService.decodeJwt(authToken);
-                            const user = await authService.validateUser(payload);
-                            if (!user) {
-                              throw new UnauthorizedException('No user found for token');
-                            }
-                            // the user/jwtPayload object found will be available as context.currentUser/jwtPayload in your GraphQL resolvers
-                            return { headers: connectionParams, user };
-                          }
-
-                          throw new UnauthorizedException('Missing authentication token');
-                        }
-                      },
-                    },
-                  },
-                },
-                options?.graphQl?.driver,
-              ),
-          },
+          driver: graphQlDriverConfig,
           enableSubscriptionAuth: true,
         },
         mongoose: {
@@ -229,15 +230,19 @@ export class CoreModule implements NestModule {
       imports.push(CoreHealthCheckModule);
     }
 
-    // Add BetterAuthModule - enabled by default unless explicitly disabled
+    // Add BetterAuthModule based on mode
+    // IAM-only mode: Always register BetterAuthModule (required for subscription auth)
+    // Legacy mode: Only register if autoRegister is explicitly true
     if (config.betterAuth?.enabled !== false) {
-      imports.push(
-        BetterAuthModule.forRoot({
-          config: config.betterAuth || {},
-          // Pass JWT secrets for backwards compatibility fallback
-          fallbackSecrets: [config.jwt?.secret, config.jwt?.refresh?.secret],
-        }),
-      );
+      if (isIamOnlyMode || config.betterAuth?.autoRegister === true) {
+        imports.push(
+          BetterAuthModule.forRoot({
+            config: config.betterAuth || {},
+            // Pass JWT secrets for backwards compatibility fallback
+            fallbackSecrets: [config.jwt?.secret, config.jwt?.refresh?.secret],
+          }),
+        );
+      }
     }
 
     // Set exports
@@ -254,4 +259,182 @@ export class CoreModule implements NestModule {
       providers,
     };
   }
+
+  // =============================================================================
+  // GraphQL Driver Configuration Helpers
+  // =============================================================================
+
+  /**
+   * Build GraphQL driver configuration for IAM-only mode
+   *
+   * Uses BetterAuthService for subscription authentication via JWT tokens.
+   * This is the recommended mode for new projects.
+   */
+  private static buildIamOnlyGraphQlDriver(cors: object, options: Partial<IServerOptions>) {
+    return {
+      imports: [BetterAuthModule],
+      inject: [BetterAuthService, BetterAuthUserMapper],
+      useFactory: async (betterAuthService: BetterAuthService, userMapper: BetterAuthUserMapper) =>
+        Object.assign(
+          {
+            autoSchemaFile: 'schema.gql',
+            context: ({ req, res }) => ({ req, res }),
+            cors,
+            installSubscriptionHandlers: true,
+            subscriptions: {
+              'graphql-ws': {
+                context: ({ extra }) => extra,
+                onConnect: async (context: Context<any>) => {
+                  const { connectionParams, extra } = context;
+                  const enableAuth = options?.graphQl?.enableSubscriptionAuth ?? true;
+
+                  if (enableAuth) {
+                    // Get headers from raw headers or connection params
+                    const headers = CoreModule.getHeaderFromArray(extra.request?.rawHeaders);
+                    const authToken: string =
+                      connectionParams?.Authorization?.split(' ')[1] ?? headers.Authorization?.split(' ')[1];
+
+                    if (authToken) {
+                      // Validate via BetterAuth session
+                      const { session, user: sessionUser } = await betterAuthService.getSession({
+                        headers: { authorization: `Bearer ${authToken}` },
+                      });
+
+                      if (!session || !sessionUser) {
+                        throw new UnauthorizedException('Invalid or expired session');
+                      }
+
+                      // Map to full user with roles
+                      const user = await userMapper.mapSessionUser(sessionUser);
+                      if (!user) {
+                        throw new UnauthorizedException('User not found');
+                      }
+
+                      extra.user = user;
+                      extra.headers = connectionParams ?? headers;
+                      return extra;
+                    }
+
+                    throw new UnauthorizedException('Missing authentication token');
+                  }
+                },
+              },
+              'subscriptions-transport-ws': {
+                onConnect: async (connectionParams) => {
+                  const enableAuth = options?.graphQl?.enableSubscriptionAuth ?? true;
+
+                  if (enableAuth) {
+                    const authToken: string = connectionParams?.Authorization?.split(' ')[1];
+
+                    if (authToken) {
+                      // Validate via BetterAuth session
+                      const { session, user: sessionUser } = await betterAuthService.getSession({
+                        headers: { authorization: `Bearer ${authToken}` },
+                      });
+
+                      if (!session || !sessionUser) {
+                        throw new UnauthorizedException('Invalid or expired session');
+                      }
+
+                      // Map to full user with roles
+                      const user = await userMapper.mapSessionUser(sessionUser);
+                      if (!user) {
+                        throw new UnauthorizedException('User not found');
+                      }
+
+                      return { headers: connectionParams, user };
+                    }
+
+                    throw new UnauthorizedException('Missing authentication token');
+                  }
+                },
+              },
+            },
+          },
+          options?.graphQl?.driver,
+        ),
+    };
+  }
+
+  /**
+   * Build GraphQL driver configuration for Legacy Auth mode
+   *
+   * Uses the provided AuthService for subscription authentication via JWT tokens.
+   * This is for existing projects that need backwards compatibility.
+   *
+   * @deprecated Use IAM-only mode (single-parameter forRoot) for new projects
+   */
+  private static buildLegacyGraphQlDriver(
+    AuthService: any,
+    AuthModule: any,
+    cors: object,
+    options: Partial<IServerOptions>,
+  ) {
+    // Store config reference for use in callbacks
+    const enableSubscriptionAuth = options?.graphQl?.enableSubscriptionAuth ?? true;
+
+    return {
+      imports: [AuthModule],
+      inject: [AuthService],
+      useFactory: async (authService: any) =>
+        Object.assign(
+          {
+            autoSchemaFile: 'schema.gql',
+            context: ({ req, res }) => ({ req, res }),
+            cors,
+            installSubscriptionHandlers: true,
+            subscriptions: {
+              'graphql-ws': {
+                context: ({ extra }) => extra,
+                onConnect: async (context: Context<any>) => {
+                  const { connectionParams, extra } = context;
+                  if (enableSubscriptionAuth) {
+                    // get authToken from authorization header
+                    const headers = CoreModule.getHeaderFromArray(extra.request?.rawHeaders);
+                    const authToken: string =
+                      connectionParams?.Authorization?.split(' ')[1] ?? headers.Authorization?.split(' ')[1];
+                    if (authToken) {
+                      // verify authToken/getJwtPayLoad
+                      const payload = authService.decodeJwt(authToken);
+                      const user = await authService.validateUser(payload);
+                      if (!user) {
+                        throw new UnauthorizedException('No user found for token');
+                      }
+                      // the user/jwtPayload object found will be available as context.currentUser/jwtPayload in your GraphQL resolvers
+                      extra.user = user;
+                      extra.headers = connectionParams ?? headers;
+                      return extra;
+                    }
+
+                    throw new UnauthorizedException('Missing authentication token');
+                  }
+                },
+              },
+              'subscriptions-transport-ws': {
+                onConnect: async (connectionParams) => {
+                  if (enableSubscriptionAuth) {
+                    // get authToken from authorization header
+                    const authToken: string = connectionParams?.Authorization?.split(' ')[1];
+
+                    if (authToken) {
+                      // verify authToken/getJwtPayLoad
+                      const payload = authService.decodeJwt(authToken);
+                      const user = await authService.validateUser(payload);
+                      if (!user) {
+                        throw new UnauthorizedException('No user found for token');
+                      }
+                      // the user/jwtPayload object found will be available as context.currentUser/jwtPayload in your GraphQL resolvers
+                      return { headers: connectionParams, user };
+                    }
+
+                    throw new UnauthorizedException('Missing authentication token');
+                  }
+                },
+              },
+            },
+          },
+          options?.graphQl?.driver,
+        ),
+    };
+  }
 }

package/src/index.ts

@@ -108,15 +108,19 @@ export * from './core/modules/auth/core-auth.resolver';
 export * from './core/modules/auth/exceptions/expired-refresh-token.exception';
 export * from './core/modules/auth/exceptions/expired-token.exception';
 export * from './core/modules/auth/exceptions/invalid-token.exception';
+export * from './core/modules/auth/exceptions/legacy-auth-disabled.exception';
 export * from './core/modules/auth/guards/auth.guard';
+export * from './core/modules/auth/guards/legacy-auth-rate-limit.guard';
 export * from './core/modules/auth/guards/roles.guard';
 export * from './core/modules/auth/inputs/core-auth-sign-in.input';
 export * from './core/modules/auth/inputs/core-auth-sign-up.input';
+export * from './core/modules/auth/interfaces/auth-provider.interface';
 export * from './core/modules/auth/interfaces/core-auth-user.interface';
 export * from './core/modules/auth/interfaces/core-token-data.interface';
 export * from './core/modules/auth/interfaces/jwt-payload.interface';
 export * from './core/modules/auth/services/core-auth-user.service';
 export * from './core/modules/auth/services/core-auth.service';
+export * from './core/modules/auth/services/legacy-auth-rate-limiter.service';
 export * from './core/modules/auth/strategies/jwt-refresh.strategy';
 export * from './core/modules/auth/strategies/jwt.strategy';
 export * from './core/modules/auth/tokens.decorator';
@@ -162,6 +166,7 @@ export * from './core/modules/user/core-user.model';
 export * from './core/modules/user/core-user.service';
 export * from './core/modules/user/inputs/core-user-create.input';
 export * from './core/modules/user/inputs/core-user.input';
+export * from './core/modules/user/interfaces/core-user-service-options.interface';
 
 // =====================================================================================================================
 // Tests

package/src/server/modules/auth/auth.resolver.ts

@@ -30,6 +30,8 @@ export class AuthResolver extends CoreAuthResolver {
 
   /**
    * SignIn for User
+   *
+   * @throws LegacyAuthDisabledException if legacy endpoints are disabled
    */
   @Mutation(() => Auth, { description: 'Sign in and get JWT token' })
   @Roles(RoleEnum.S_EVERYONE)
@@ -38,6 +40,8 @@ export class AuthResolver extends CoreAuthResolver {
     @Context() ctx: { res: ResponseType },
     @Args('input') input: AuthSignInInput,
   ): Promise<Auth> {
+    // Check if legacy endpoints are enabled before proceeding
+    this.checkLegacyGraphQLEnabled('signIn');
     const result = await this.authService.signIn(input, {
       ...serviceOptions,
       inputType: AuthSignInInput,
@@ -47,6 +51,8 @@ export class AuthResolver extends CoreAuthResolver {
 
   /**
    * Sign up for user
+   *
+   * @throws LegacyAuthDisabledException if legacy endpoints are disabled
    */
   @Mutation(() => Auth, {
     description: 'Sign up user and get JWT token',
@@ -57,6 +63,8 @@ export class AuthResolver extends CoreAuthResolver {
     @Context() ctx: { res: ResponseType },
     @Args('input') input: AuthSignUpInput,
   ): Promise<Auth> {
+    // Check if legacy endpoints are enabled before proceeding
+    this.checkLegacyGraphQLEnabled('signUp');
     const result = await this.authService.signUp(input, serviceOptions);
     return this.processCookies(ctx, result);
   }