npm - @lenne.tech/nest-server - Versions diffs - 11.7.0 → 11.7.1 - Mend

@lenne.tech/nest-server 11.7.0 → 11.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (89) hide show

package/src/core/modules/better-auth/core-better-auth.controller.ts CHANGED Viewed

@@ -211,9 +211,30 @@ export class CoreBetterAuthController {
       throw new BadRequestException('Better-Auth API not available');
     }
+    // Try to sign in, with automatic legacy user migration
+    return this.attemptSignIn(res, input, api, true);
+  }
+  /**
+   * Attempt sign-in with optional legacy user migration
+   * @param res - Response object
+   * @param input - Sign-in credentials
+   * @param api - Better-Auth API instance
+   * @param allowMigration - Whether to attempt legacy migration on failure
+   */
+  private async attemptSignIn(
+    res: Response,
+    input: BetterAuthSignInInput,
+    api: ReturnType<BetterAuthService['getApi']>,
+    allowMigration: boolean,
+  ): Promise<BetterAuthResponse> {
+    // Normalize password to SHA256 format for consistency with Legacy Auth
+    // This ensures users can sign in with either plain password or SHA256 hash
+    const normalizedPassword = this.userMapper.normalizePasswordForIam(input.password);
     try {
-      const response = await api.signInEmail({
-        body: { email: input.email, password: input.password },
+      const response = await api!.signInEmail({
+        body: { email: input.email, password: normalizedPassword },
       });
       if (!response) {
@@ -244,6 +265,18 @@ export class CoreBetterAuthController {
       throw new UnauthorizedException('Invalid credentials');
     } catch (error) {
       this.logger.debug(`Sign-in error: ${error instanceof Error ? error.message : 'Unknown error'}`);
+      // If migration is allowed, try to migrate legacy user and retry
+      if (allowMigration) {
+        // Pass the original password for legacy verification, but migration uses normalized password
+        const migrated = await this.userMapper.migrateAccountToIam(input.email, input.password);
+        if (migrated) {
+          this.logger.debug(`Migrated legacy user ${input.email} to IAM, retrying sign-in`);
+          // Retry sign-in after migration (without allowing another migration to prevent loops)
+          return this.attemptSignIn(res, input, api, false);
+        }
+      }
       throw new UnauthorizedException('Invalid credentials');
     }
   }
@@ -267,12 +300,15 @@ export class CoreBetterAuthController {
       throw new BadRequestException('Better-Auth API not available');
     }
+    // Normalize password to SHA256 format for consistency with Legacy Auth
+    const normalizedPassword = this.userMapper.normalizePasswordForIam(input.password);
     try {
       const response = await api.signUpEmail({
         body: {
           email: input.email,
           name: input.name || input.email.split('@')[0],
-          password: input.password,
+          password: normalizedPassword,
         },
       });
@@ -283,6 +319,11 @@ export class CoreBetterAuthController {
       if (hasUser(response)) {
         // Link or create user in our database
         await this.userMapper.linkOrCreateUser(response.user);
+        // Sync password to legacy (enables IAM Sign-Up → Legacy Sign-In)
+        // Pass the plain password so it can be hashed with bcrypt for Legacy Auth
+        await this.userMapper.syncPasswordToLegacy(response.user.id, response.user.email, input.password);
         const mappedUser = await this.userMapper.mapSessionUser(response.user);
         const result: BetterAuthResponse = {

package/src/core/modules/better-auth/core-better-auth.resolver.ts CHANGED Viewed

@@ -7,6 +7,7 @@ import { RoleEnum } from '../../common/enums/role.enum';
 import { AuthGuardStrategy } from '../auth/auth-guard-strategy.enum';
 import { AuthGuard } from '../auth/guards/auth.guard';
 import { BetterAuthAuthModel } from './better-auth-auth.model';
+import { BetterAuthMigrationStatusModel } from './better-auth-migration-status.model';
 import {
   BetterAuth2FASetupModel,
   BetterAuthFeaturesModel,
@@ -130,6 +131,30 @@ export class CoreBetterAuthResolver {
     };
   }
+  /**
+   * Get migration status from Legacy Auth to Better-Auth (IAM)
+   *
+   * This query provides administrators with information about how many users
+   * have been migrated to the IAM system. This helps determine when it might
+   * be safe to consider disabling Legacy Auth endpoints.
+   *
+   * A user is considered fully migrated when:
+   * 1. They have an `iamId` set (linked to Better-Auth)
+   * 2. They have a credential account in Better-Auth
+   *
+   * Note: Even when canDisableLegacyAuth returns true, Legacy Auth cannot
+   * currently be removed because CoreModule.forRoot requires AuthService
+   * for GraphQL Subscriptions authentication.
+   */
+  @Query(() => BetterAuthMigrationStatusModel, {
+    description: 'Get migration status from Legacy Auth to Better-Auth (IAM) - Admin only',
+  })
+  @Roles(RoleEnum.ADMIN)
+  async betterAuthMigrationStatus(): Promise<BetterAuthMigrationStatusModel> {
+    const status = await this.userMapper.getMigrationStatus();
+    return status;
+  }
   // ===========================================================================
   // Mutations
   // ===========================================================================

package/src/core/modules/better-auth/index.ts CHANGED Viewed

@@ -18,6 +18,7 @@
  */
 export * from './better-auth-auth.model';
+export * from './better-auth-migration-status.model';
 export * from './better-auth-models';
 export * from './better-auth-rate-limit.middleware';
 export * from './better-auth-rate-limiter.service';

package/src/core/modules/user/core-user.service.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { BadRequestException, NotFoundException, UnprocessableEntityException } from '@nestjs/common';
+import { BadRequestException, Logger, NotFoundException, UnprocessableEntityException } from '@nestjs/common';
 import bcrypt = require('bcrypt');
 import crypto = require('crypto');
 import { sha256 } from 'js-sha256';
@@ -13,20 +13,31 @@ import { CoreModelConstructor } from '../../common/types/core-model-constructor.
 import { CoreUserModel } from './core-user.model';
 import { CoreUserCreateInput } from './inputs/core-user-create.input';
 import { CoreUserInput } from './inputs/core-user.input';
+import { CoreUserServiceOptions } from './interfaces/core-user-service-options.interface';
 /**
  * User service
+ *
+ * Provides user management with automatic synchronization between
+ * Legacy Auth and Better-Auth (IAM) systems when both are enabled.
  */
 export abstract class CoreUserService<
   TUser extends CoreUserModel,
   TUserInput extends CoreUserInput,
   TUserCreateInput extends CoreUserCreateInput,
 > extends CrudService<TUser, TUserCreateInput, TUserInput> {
+  protected readonly userServiceLogger = new Logger(CoreUserService.name);
   protected constructor(
     protected override readonly configService: ConfigService,
     protected readonly emailService: EmailService,
     protected override readonly mainDbModel: Model<Document & TUser>,
     protected override readonly mainModelConstructor: CoreModelConstructor<TUser>,
+    /**
+     * Optional configuration for additional features like IAM sync.
+     * Using options object pattern for extensibility without breaking changes.
+     */
+    protected readonly options?: CoreUserServiceOptions,
   ) {
     super();
   }
@@ -125,6 +136,10 @@ export abstract class CoreUserService<
   /**
    * Set new password for user with token
+   *
+   * This method also syncs the password change to Better-Auth (IAM) if:
+   * - BetterAuthUserMapper is configured via options
+   * - User has an existing IAM credential account
    */
   async resetPassword(token: string, newPassword: string, serviceOptions?: ServiceOptions): Promise<TUser> {
     // Get user
@@ -133,6 +148,10 @@ export abstract class CoreUserService<
       throw new NotFoundException(`No user found with password reset token: ${token}`);
     }
+    // Store the original plain password for IAM sync before any hashing
+    // We need the plain password because IAM uses scrypt, not bcrypt+sha256
+    const plainPasswordForIamSync = /^[a-f0-9]{64}$/i.test(newPassword) ? undefined : newPassword;
     return this.process(
       async () => {
         // Check if the password was transmitted encrypted
@@ -141,11 +160,26 @@ export abstract class CoreUserService<
           newPassword = sha256(newPassword);
         }
-        // Update and return user
-        return await assignPlain(dbObject, {
+        // Update Legacy Auth password
+        const updatedUser = await assignPlain(dbObject, {
           password: await bcrypt.hash(newPassword, 10),
           passwordResetToken: null,
         }).save();
+        // Sync password to Better-Auth (IAM) if mapper is available
+        // This ensures users can sign in via IAM after password reset
+        if (this.options?.betterAuthUserMapper && plainPasswordForIamSync && dbObject.email) {
+          try {
+            await this.options.betterAuthUserMapper.syncPasswordChangeToIam(dbObject.email, plainPasswordForIamSync);
+          } catch (error) {
+            // Log but don't fail - Legacy Auth password was updated successfully
+            this.userServiceLogger.warn(
+              `Failed to sync password reset to IAM for ${dbObject.email}: ${error instanceof Error ? error.message : 'Unknown error'}`,
+            );
+          }
+        }
+        return updatedUser;
       },
       { dbObject, serviceOptions },
     );
@@ -186,7 +220,7 @@ export abstract class CoreUserService<
     }
     // Check roles values
-    if (roles.some(role => typeof role !== 'string')) {
+    if (roles.some((role) => typeof role !== 'string')) {
       throw new BadRequestException('Roles contains invalid values');
     }
@@ -198,4 +232,97 @@ export abstract class CoreUserService<
       { serviceOptions },
     );
   }
+  // ===================================================================================================================
+  // Auth System Sync Methods
+  // ===================================================================================================================
+  /**
+   * Update user with automatic email and password sync between Legacy and IAM auth systems
+   *
+   * When the email changes and BetterAuthUserMapper is available, this method:
+   * - Invalidates all Better-Auth sessions (forces re-authentication)
+   * - The shared users collection is automatically updated
+   *
+   * When the password changes:
+   * - Updates the Legacy Auth password (bcrypt hash)
+   * - Syncs to Better-Auth (IAM) if the user has a credential account
+   */
+  override async update(id: string, input: TUserInput, serviceOptions?: ServiceOptions): Promise<TUser> {
+    // Get the current user before update to detect email changes
+    const oldUser = (await this.mainDbModel.findById(id).lean().exec()) as null | TUser;
+    const oldEmail = oldUser?.email;
+    // Store plain password for IAM sync before any hashing occurs
+    // We need to capture this before super.update() which may hash it
+    const inputPassword = (input as any).password;
+    const plainPasswordForIamSync = inputPassword && !/^[a-f0-9]{64}$/i.test(inputPassword) ? inputPassword : undefined;
+    // Perform the update
+    const updatedUser = await super.update(id, input, serviceOptions);
+    // Sync email change to IAM if email was changed and mapper is available
+    if (this.options?.betterAuthUserMapper && oldEmail && input.email && oldEmail !== input.email) {
+      try {
+        await this.options.betterAuthUserMapper.syncEmailChangeFromLegacy(oldEmail, input.email);
+        this.userServiceLogger.debug(`Synced email change from Legacy to IAM: ${oldEmail} → ${input.email}`);
+      } catch (error) {
+        this.userServiceLogger.error(
+          `Failed to sync email change to IAM: ${error instanceof Error ? error.message : 'Unknown error'}`,
+        );
+        // Don't throw - email sync failure shouldn't block the update
+      }
+    }
+    // Sync password change to IAM if password was changed and mapper is available
+    if (this.options?.betterAuthUserMapper && plainPasswordForIamSync && oldUser?.email) {
+      try {
+        await this.options.betterAuthUserMapper.syncPasswordChangeToIam(oldUser.email, plainPasswordForIamSync);
+        this.userServiceLogger.debug(`Synced password change to IAM for user ${oldUser.email}`);
+      } catch (error) {
+        this.userServiceLogger.warn(
+          `Failed to sync password change to IAM for ${oldUser.email}: ${error instanceof Error ? error.message : 'Unknown error'}`,
+        );
+        // Don't throw - password sync failure shouldn't block the update
+      }
+    }
+    return updatedUser;
+  }
+  /**
+   * Delete user with automatic cleanup of IAM auth data
+   *
+   * When BetterAuthUserMapper is available, this method also:
+   * - Deletes all Better-Auth accounts for this user
+   * - Deletes all Better-Auth sessions for this user
+   *
+   * This ensures no orphaned auth data remains after user deletion.
+   */
+  override async delete(id: string, serviceOptions?: ServiceOptions): Promise<TUser> {
+    // Get the user before deletion to cleanup IAM data
+    const user = (await this.mainDbModel.findById(id).lean().exec()) as null | (TUser & { _id: any });
+    // Perform the deletion
+    const deletedUser = await super.delete(id, serviceOptions);
+    // Cleanup IAM data if mapper is available
+    if (this.options?.betterAuthUserMapper && user?._id) {
+      try {
+        const result = await this.options.betterAuthUserMapper.cleanupIamDataForDeletedUser(user._id);
+        if (result.accountsDeleted > 0 || result.sessionsDeleted > 0) {
+          this.userServiceLogger.debug(
+            `Cleaned up IAM data for deleted user ${id}: accounts=${result.accountsDeleted}, sessions=${result.sessionsDeleted}`,
+          );
+        }
+      } catch (error) {
+        this.userServiceLogger.error(
+          `Failed to cleanup IAM data for deleted user: ${error instanceof Error ? error.message : 'Unknown error'}`,
+        );
+        // Don't throw - cleanup failure shouldn't block the delete response
+      }
+    }
+    return deletedUser;
+  }
 }

package/src/core/modules/user/interfaces/core-user-service-options.interface.ts ADDED Viewed

@@ -0,0 +1,15 @@
+import { BetterAuthUserMapper } from '../../better-auth/better-auth-user.mapper';
+/**
+ * Optional configuration for CoreUserService
+ *
+ * Use this interface for optional dependencies that may not be available in all projects.
+ * This pattern allows adding new optional parameters without breaking existing implementations.
+ */
+export interface CoreUserServiceOptions {
+  /**
+   * Optional BetterAuthUserMapper for syncing between Legacy and IAM auth systems.
+   * When provided, email changes and user deletions are automatically synced.
+   */
+  betterAuthUserMapper?: BetterAuthUserMapper;
+}