npm - @lenne.tech/nest-server - Versions diffs - 11.7.0 → 11.7.1 - Mend

@lenne.tech/nest-server 11.7.0 → 11.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (89) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nest-server",
-  "version": "11.7.0",
+  "version": "11.7.1",
   "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
   "keywords": [
     "node",

package/src/config.env.ts CHANGED Viewed

@@ -14,6 +14,16 @@ const config: { [env: string]: IServerOptions } = {
   // Development environment
   // ===========================================================================
   development: {
+    // Legacy Auth endpoint controls (for migration to BetterAuth)
+    // Set to false after all users have migrated to BetterAuth (IAM)
+    // See: .claude/rules/module-deprecation.md
+    auth: {
+      legacyEndpoints: {
+        enabled: true, // Set to false to disable legacy auth endpoints (returns HTTP 410)
+        // graphql: true, // Optionally disable only GraphQL endpoints
+        // rest: true,    // Optionally disable only REST endpoints
+      },
+    },
     automaticObjectIdFiltering: true,
     betterAuth: {
       basePath: '/iam',
@@ -162,11 +172,21 @@ const config: { [env: string]: IServerOptions } = {
   // Local environment
   // ===========================================================================
   local: {
+    // Legacy Auth endpoint controls (for migration to BetterAuth)
+    // Set to false after all users have migrated to BetterAuth (IAM)
+    // See: .claude/rules/module-deprecation.md
+    auth: {
+      legacyEndpoints: {
+        enabled: true, // Set to false to disable legacy auth endpoints (returns HTTP 410)
+        // graphql: true, // Optionally disable only GraphQL endpoints
+        // rest: true,    // Optionally disable only REST endpoints
+      },
+    },
     automaticObjectIdFiltering: true,
     betterAuth: {
       basePath: '/iam',
       baseUrl: 'http://localhost:3000',
-      // enabled: true by default - set false to explicitly disable
+      enabled: true, // Enable for Scenario 2 (Legacy + IAM) testing
       jwt: {
         enabled: true,
         expiresIn: '15m',
@@ -179,7 +199,7 @@ const config: { [env: string]: IServerOptions } = {
       },
       rateLimit: {
         enabled: true,
-        max: 20,
+        max: 100, // Higher limit for local testing
         message: 'Too many requests, please try again later.',
         skipEndpoints: ['/session', '/callback'],
         strictEndpoints: ['/sign-in', '/sign-up', '/forgot-password', '/reset-password'],
@@ -321,6 +341,16 @@ const config: { [env: string]: IServerOptions } = {
   // Production environment
   // ===========================================================================
   production: {
+    // Legacy Auth endpoint controls (for migration to BetterAuth)
+    // Set to false after all users have migrated to BetterAuth (IAM)
+    // See: .claude/rules/module-deprecation.md
+    auth: {
+      legacyEndpoints: {
+        enabled: process.env.LEGACY_AUTH_ENABLED !== 'false', // Disable via env var
+        // graphql: true, // Optionally disable only GraphQL endpoints
+        // rest: true,    // Optionally disable only REST endpoints
+      },
+    },
     automaticObjectIdFiltering: true,
     betterAuth: {
       basePath: '/iam',

package/src/core/common/interfaces/server-options.interface.ts CHANGED Viewed

@@ -22,6 +22,170 @@ import { MailjetOptions } from './mailjet-options.interface';
  */
 export type BetterAuthFieldType = 'boolean' | 'date' | 'json' | 'number' | 'number[]' | 'string' | 'string[]';
+/**
+ * Interface for Auth configuration
+ *
+ * This configuration controls the authentication system behavior.
+ * In v11.x, Legacy Auth (CoreAuthService) is the default.
+ * In a future version, BetterAuth (IAM) will become the default.
+ *
+ * @since 11.7.1
+ *
+ * ## Migration Roadmap
+ *
+ * ### v11.x (Current)
+ * - Legacy Auth is the default and required for GraphQL Subscriptions
+ * - BetterAuth can be used alongside Legacy Auth
+ * - Use `legacyEndpoints.enabled: false` after all users migrated to IAM
+ *
+ * ### Future Version (Planned)
+ * - BetterAuth becomes the default
+ * - Legacy Auth becomes optional (must be explicitly enabled)
+ * - CoreModule.forRoot signature simplifies to `CoreModule.forRoot(options)`
+ *
+ * @see https://github.com/lenneTech/nest-server/blob/develop/.claude/rules/module-deprecation.md
+ */
+export interface IAuth {
+  /**
+   * Configuration for legacy auth endpoints
+   *
+   * Legacy endpoints include:
+   * - GraphQL: signIn, signUp, signOut, refreshToken mutations
+   * - REST: /api/auth/* endpoints
+   *
+   * These can be disabled once all users have migrated to BetterAuth (IAM).
+   *
+   * @example
+   * ```typescript
+   * auth: {
+   *   legacyEndpoints: {
+   *     enabled: false // Disable all legacy endpoints after migration
+   *   }
+   * }
+   * ```
+   */
+  legacyEndpoints?: IAuthLegacyEndpoints;
+  /**
+   * Prevent user enumeration via unified error messages
+   *
+   * When enabled, authentication errors return a generic "Invalid credentials"
+   * message instead of specific messages like "Unknown email" or "Wrong password".
+   *
+   * This prevents attackers from determining whether an email address exists
+   * in the system, but reduces UX clarity for legitimate users.
+   *
+   * @since 11.7.x
+   * @default false (backward compatible - specific error messages)
+   *
+   * @example
+   * ```typescript
+   * auth: {
+   *   preventUserEnumeration: true // Returns "Invalid credentials" for all auth errors
+   * }
+   * ```
+   */
+  preventUserEnumeration?: boolean;
+  /**
+   * Rate limiting configuration for Legacy Auth endpoints
+   *
+   * Protects against brute-force attacks on signIn, signUp, and other
+   * authentication endpoints.
+   *
+   * Follows the same pattern as `betterAuth.rateLimit`.
+   *
+   * @since 11.7.x
+   * @default { enabled: false }
+   *
+   * @example
+   * ```typescript
+   * auth: {
+   *   rateLimit: {
+   *     enabled: true,
+   *     max: 10,
+   *     windowSeconds: 60,
+   *     message: 'Too many login attempts, please try again later.',
+   *   }
+   * }
+   * ```
+   */
+  rateLimit?: IAuthRateLimit;
+}
+/**
+ * Interface for Legacy Auth endpoints configuration
+ *
+ * These endpoints are part of the Legacy Auth system (CoreAuthService).
+ * In a future version, BetterAuth (IAM) will become the default and these endpoints
+ * can be disabled once all users have migrated.
+ *
+ * @since 11.7.1
+ * @see https://github.com/lenneTech/nest-server/blob/develop/.claude/rules/module-deprecation.md
+ */
+export interface IAuthLegacyEndpoints {
+  /**
+   * Whether legacy auth endpoints are enabled.
+   *
+   * Set to false to disable all legacy auth endpoints (GraphQL and REST).
+   * Use this after all users have migrated to BetterAuth (IAM).
+   *
+   * Check migration status via the `betterAuthMigrationStatus` query.
+   *
+   * @default true
+   */
+  enabled?: boolean;
+  /**
+   * Whether legacy GraphQL auth endpoints are enabled.
+   * Affects: signIn, signUp, signOut, refreshToken mutations
+   *
+   * @default true (inherits from `enabled`)
+   */
+  graphql?: boolean;
+  /**
+   * Whether legacy REST auth endpoints are enabled.
+   * Affects: /api/auth/sign-in, /api/auth/sign-up, etc.
+   *
+   * @default true (inherits from `enabled`)
+   */
+  rest?: boolean;
+}
+/**
+ * Interface for Legacy Auth rate limiting configuration
+ *
+ * Same structure as IBetterAuthRateLimit for consistency.
+ *
+ * @since 11.7.x
+ */
+export interface IAuthRateLimit {
+  /**
+   * Whether rate limiting is enabled
+   * @default false
+   */
+  enabled?: boolean;
+  /**
+   * Maximum number of requests within the time window
+   * @default 10
+   */
+  max?: number;
+  /**
+   * Custom message when rate limit is exceeded
+   * @default 'Too many requests, please try again later.'
+   */
+  message?: string;
+  /**
+   * Time window in seconds
+   * @default 60
+   */
+  windowSeconds?: number;
+}
 /**
  * Interface for better-auth configuration
  */
@@ -413,6 +577,17 @@ export interface IJwt {
  * Options for the server
  */
 export interface IServerOptions {
+  /**
+   * Authentication system configuration
+   *
+   * Controls Legacy Auth endpoints and behavior.
+   * In a future version, this will also control BetterAuth as the default system.
+   *
+   * @since 11.7.1
+   * @see IAuth
+   */
+  auth?: IAuth;
   /**
    * Automatically detect ObjectIds in string values in FilterQueries
    * and expand them as OR query with string and ObjectId.

package/src/core/modules/auth/core-auth.controller.ts CHANGED Viewed

@@ -1,9 +1,12 @@
 import { Body, Controller, Get, ParseBoolPipe, Post, Query, Res, UseGuards } from '@nestjs/common';
 import {
-  ApiBody, ApiCreatedResponse,
+  ApiBody,
+  ApiCreatedResponse,
+  ApiGoneResponse,
   ApiOkResponse,
   ApiOperation,
   ApiQuery,
+  ApiTooManyRequestsResponse,
 } from '@nestjs/swagger';
 import { Response as ResponseType } from 'express';
@@ -14,13 +17,38 @@ import { RoleEnum } from '../../common/enums/role.enum';
 import { ConfigService } from '../../common/services/config.service';
 import { AuthGuardStrategy } from './auth-guard-strategy.enum';
 import { CoreAuthModel } from './core-auth.model';
+import { LegacyAuthDisabledException } from './exceptions/legacy-auth-disabled.exception';
 import { AuthGuard } from './guards/auth.guard';
+import { LegacyAuthRateLimitGuard } from './guards/legacy-auth-rate-limit.guard';
 import { CoreAuthSignInInput } from './inputs/core-auth-sign-in.input';
 import { CoreAuthSignUpInput } from './inputs/core-auth-sign-up.input';
 import { ICoreAuthUser } from './interfaces/core-auth-user.interface';
 import { CoreAuthService } from './services/core-auth.service';
 import { Tokens } from './tokens.decorator';
+/**
+ * Authentication controller for REST endpoints
+ *
+ * This controller provides Legacy Auth endpoints via REST.
+ * In a future version, BetterAuth (IAM) will become the default.
+ *
+ * ## Disabling Legacy Endpoints
+ *
+ * After all users have migrated to BetterAuth (IAM), these endpoints
+ * can be disabled via configuration:
+ *
+ * ```typescript
+ * auth: {
+ *   legacyEndpoints: {
+ *     enabled: false, // Disable all legacy endpoints
+ *     // or
+ *     rest: false     // Disable only REST endpoints
+ *   }
+ * }
+ * ```
+ *
+ * @see https://github.com/lenneTech/nest-server/blob/develop/.claude/rules/module-deprecation.md
+ */
 @ApiCommonErrorResponses()
 @Controller('auth')
 @Roles(RoleEnum.ADMIN)
@@ -33,63 +61,123 @@ export class CoreAuthController {
     protected readonly configService: ConfigService,
   ) {}
+  // ===========================================================================
+  // Helper - Legacy Endpoint Check
+  // ===========================================================================
+  /**
+   * Check if legacy REST endpoints are enabled
+   *
+   * Throws LegacyAuthDisabledException if:
+   * - config.auth.legacyEndpoints.enabled is false
+   * - config.auth.legacyEndpoints.rest is false
+   *
+   * @throws LegacyAuthDisabledException
+   */
+  protected checkLegacyRESTEnabled(endpointName: string): void {
+    const authConfig = this.configService.getFastButReadOnly('auth');
+    const legacyConfig = authConfig?.legacyEndpoints;
+    // Check if legacy endpoints are globally disabled
+    if (legacyConfig?.enabled === false) {
+      throw new LegacyAuthDisabledException(endpointName);
+    }
+    // Check if REST endpoints specifically are disabled
+    if (legacyConfig?.rest === false) {
+      throw new LegacyAuthDisabledException(endpointName);
+    }
+  }
   /**
    * Logout user (from specific device)
+   *
+   * @deprecated Will be replaced by BetterAuth signOut in a future version
+   * @throws LegacyAuthDisabledException if legacy endpoints are disabled
    */
+  @ApiGoneResponse({ description: 'Legacy Auth endpoints are disabled' })
   @ApiOkResponse({ type: Boolean })
   @ApiOperation({ description: 'Logs a user out from a specific device' })
   @ApiQuery({ description: 'If all devices should be logged out,', name: 'allDevices', required: false, type: Boolean })
+  @ApiTooManyRequestsResponse({ description: 'Rate limit exceeded' })
   @Get('logout')
   @Roles(RoleEnum.S_EVERYONE)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
+  @UseGuards(LegacyAuthRateLimitGuard, AuthGuard(AuthGuardStrategy.JWT))
   async logout(
     @CurrentUser() currentUser: ICoreAuthUser,
     @Tokens('token') token: string,
     @Res({ passthrough: true }) res: ResponseType,
     @Query('allDevices', new ParseBoolPipe({ optional: true })) allDevices?: boolean,
   ): Promise<boolean> {
+    this.checkLegacyRESTEnabled('logout');
     const result = await this.authService.logout(token, { allDevices, currentUser });
     return this.processCookies(res, result);
   }
   /**
    * Refresh token (for specific device)
+   *
+   * @deprecated Will be replaced by BetterAuth session refresh in a future version
+   * @throws LegacyAuthDisabledException if legacy endpoints are disabled
    */
+  @ApiGoneResponse({ description: 'Legacy Auth endpoints are disabled' })
   @ApiOkResponse({ type: CoreAuthModel })
   @ApiOperation({ description: 'Refresh token (for specific device)' })
+  @ApiTooManyRequestsResponse({ description: 'Rate limit exceeded' })
   @Get('refresh-token')
   @Roles(RoleEnum.S_EVERYONE)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT_REFRESH))
+  @UseGuards(LegacyAuthRateLimitGuard, AuthGuard(AuthGuardStrategy.JWT_REFRESH))
   async refreshToken(
     @CurrentUser() user: ICoreAuthUser,
     @Tokens('refreshToken') refreshToken: string,
     @Res({ passthrough: true }) res: ResponseType,
   ): Promise<CoreAuthModel> {
+    this.checkLegacyRESTEnabled('refresh-token');
     const result = await this.authService.refreshTokens(user, refreshToken);
     return this.processCookies(res, result);
   }
   /**
    * Sign in user via email and password (on specific device)
+   *
+   * @deprecated Will be replaced by BetterAuth signIn in a future version
+   * @throws LegacyAuthDisabledException if legacy endpoints are disabled
    */
   @ApiCreatedResponse({ description: 'Signed in successfully', type: CoreAuthModel })
+  @ApiGoneResponse({ description: 'Legacy Auth endpoints are disabled' })
   @ApiOperation({ description: 'Sign in via email and password' })
+  @ApiTooManyRequestsResponse({ description: 'Rate limit exceeded' })
   @Post('signin')
   @Roles(RoleEnum.S_EVERYONE)
-  async signIn(@Res({ passthrough: true }) res: ResponseType, @Body() input: CoreAuthSignInInput): Promise<CoreAuthModel> {
+  @UseGuards(LegacyAuthRateLimitGuard)
+  async signIn(
+    @Res({ passthrough: true }) res: ResponseType,
+    @Body() input: CoreAuthSignInInput,
+  ): Promise<CoreAuthModel> {
+    this.checkLegacyRESTEnabled('signin');
     const result = await this.authService.signIn(input);
     return this.processCookies(res, result);
   }
   /**
    * Register a new user account (on specific device)
+   *
+   * @deprecated Will be replaced by BetterAuth signUp in a future version
+   * @throws LegacyAuthDisabledException if legacy endpoints are disabled
    */
   @ApiBody({ type: CoreAuthSignUpInput })
   @ApiCreatedResponse({ type: CoreAuthSignUpInput })
+  @ApiGoneResponse({ description: 'Legacy Auth endpoints are disabled' })
   @ApiOperation({ description: 'Sign up via email and password' })
+  @ApiTooManyRequestsResponse({ description: 'Rate limit exceeded' })
   @Post('signup')
   @Roles(RoleEnum.S_EVERYONE)
-  async signUp(@Res({ passthrough: true }) res: ResponseType, @Body() input: CoreAuthSignUpInput): Promise<CoreAuthModel> {
+  @UseGuards(LegacyAuthRateLimitGuard)
+  async signUp(
+    @Res({ passthrough: true }) res: ResponseType,
+    @Body() input: CoreAuthSignUpInput,
+  ): Promise<CoreAuthModel> {
+    this.checkLegacyRESTEnabled('signup');
     const result = await this.authService.signUp(input);
     return this.processCookies(res, result);
   }

package/src/core/modules/auth/core-auth.module.ts CHANGED Viewed

@@ -5,9 +5,11 @@ import { PassportModule } from '@nestjs/passport';
 import { PubSub } from 'graphql-subscriptions';
 import { AuthGuardStrategy } from './auth-guard-strategy.enum';
+import { LegacyAuthRateLimitGuard } from './guards/legacy-auth-rate-limit.guard';
 import { RolesGuard } from './guards/roles.guard';
 import { CoreAuthUserService } from './services/core-auth-user.service';
 import { CoreAuthService } from './services/core-auth.service';
+import { LegacyAuthRateLimiter } from './services/legacy-auth-rate-limiter.service';
 import { JwtRefreshStrategy } from './strategies/jwt-refresh.strategy';
 import { JwtStrategy } from './strategies/jwt.strategy';
@@ -68,6 +70,9 @@ export class CoreAuthModule {
         provide: JwtRefreshStrategy,
         useClass: options.jwtRefreshStrategy || JwtRefreshStrategy,
       },
+      // Rate limiting for Legacy Auth endpoints (disabled by default, configure via auth.rateLimit)
+      LegacyAuthRateLimiter,
+      LegacyAuthRateLimitGuard,
     ];
     if (Array.isArray(options?.providers)) {
       providers = imports.concat(options.providers);
@@ -75,7 +80,16 @@ export class CoreAuthModule {
     // Return CoreAuthModule
     return {
-      exports: [CoreAuthService, JwtModule, JwtStrategy, JwtRefreshStrategy, PassportModule, UserModule],
+      exports: [
+        CoreAuthService,
+        JwtModule,
+        JwtStrategy,
+        JwtRefreshStrategy,
+        LegacyAuthRateLimiter,
+        LegacyAuthRateLimitGuard,
+        PassportModule,
+        UserModule,
+      ],
       imports,
       module: CoreAuthModule,
       providers,

package/src/core/modules/auth/core-auth.resolver.ts CHANGED Viewed

@@ -10,7 +10,9 @@ import { ServiceOptions } from '../../common/interfaces/service-options.interfac
 import { ConfigService } from '../../common/services/config.service';
 import { AuthGuardStrategy } from './auth-guard-strategy.enum';
 import { CoreAuthModel } from './core-auth.model';
+import { LegacyAuthDisabledException } from './exceptions/legacy-auth-disabled.exception';
 import { AuthGuard } from './guards/auth.guard';
+import { LegacyAuthRateLimitGuard } from './guards/legacy-auth-rate-limit.guard';
 import { CoreAuthSignInInput } from './inputs/core-auth-sign-in.input';
 import { CoreAuthSignUpInput } from './inputs/core-auth-sign-up.input';
 import { ICoreAuthUser } from './interfaces/core-auth-user.interface';
@@ -19,6 +21,26 @@ import { Tokens } from './tokens.decorator';
 /**
  * Authentication resolver for the sign in
+ *
+ * This resolver provides Legacy Auth endpoints via GraphQL.
+ * In a future version, BetterAuth (IAM) will become the default.
+ *
+ * ## Disabling Legacy Endpoints
+ *
+ * After all users have migrated to BetterAuth (IAM), these endpoints
+ * can be disabled via configuration:
+ *
+ * ```typescript
+ * auth: {
+ *   legacyEndpoints: {
+ *     enabled: false, // Disable all legacy endpoints
+ *     // or
+ *     graphql: false  // Disable only GraphQL endpoints
+ *   }
+ * }
+ * ```
+ *
+ * @see https://github.com/lenneTech/nest-server/blob/develop/.claude/rules/module-deprecation.md
  */
 @Resolver(() => CoreAuthModel, { isAbstract: true })
 @Roles(RoleEnum.ADMIN)
@@ -31,67 +53,113 @@ export class CoreAuthResolver {
     protected readonly configService: ConfigService,
   ) {}
+  // ===========================================================================
+  // Helper - Legacy Endpoint Check
+  // ===========================================================================
+  /**
+   * Check if legacy GraphQL endpoints are enabled
+   *
+   * Throws LegacyAuthDisabledException if:
+   * - config.auth.legacyEndpoints.enabled is false
+   * - config.auth.legacyEndpoints.graphql is false
+   *
+   * @throws LegacyAuthDisabledException
+   */
+  protected checkLegacyGraphQLEnabled(endpointName: string): void {
+    const authConfig = this.configService.getFastButReadOnly('auth');
+    const legacyConfig = authConfig?.legacyEndpoints;
+    // Check if legacy endpoints are globally disabled
+    if (legacyConfig?.enabled === false) {
+      throw new LegacyAuthDisabledException(endpointName);
+    }
+    // Check if GraphQL endpoints specifically are disabled
+    if (legacyConfig?.graphql === false) {
+      throw new LegacyAuthDisabledException(endpointName);
+    }
+  }
   // ===========================================================================
   // Mutations
   // ===========================================================================
   /**
    * Logout user (from specific device)
+   *
+   * @deprecated Will be replaced by BetterAuth signOut in a future version
+   * @throws LegacyAuthDisabledException if legacy endpoints are disabled
    */
   @Mutation(() => Boolean, { description: 'Logout user (from specific device)' })
   @Roles(RoleEnum.S_EVERYONE)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
+  @UseGuards(LegacyAuthRateLimitGuard, AuthGuard(AuthGuardStrategy.JWT))
   async logout(
     @CurrentUser() currentUser: ICoreAuthUser,
     @Context() ctx: { res: ResponseType },
     @Tokens('token') token: string,
     @Args('allDevices', { nullable: true }) allDevices?: boolean,
   ): Promise<boolean> {
+    this.checkLegacyGraphQLEnabled('logout');
     const result = await this.authService.logout(token, { allDevices, currentUser });
     return this.processCookies(ctx, result);
   }
   /**
    * Refresh token (for specific device)
+   *
+   * @deprecated Will be replaced by BetterAuth session refresh in a future version
+   * @throws LegacyAuthDisabledException if legacy endpoints are disabled
    */
   @Mutation(() => CoreAuthModel, { description: 'Refresh tokens (for specific device)' })
   @Roles(RoleEnum.S_EVERYONE)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT_REFRESH))
+  @UseGuards(LegacyAuthRateLimitGuard, AuthGuard(AuthGuardStrategy.JWT_REFRESH))
   async refreshToken(
     @CurrentUser() user: ICoreAuthUser,
     @Tokens('refreshToken') refreshToken: string,
     @Context() ctx: { res: ResponseType },
   ): Promise<CoreAuthModel> {
+    this.checkLegacyGraphQLEnabled('refreshToken');
     const result = await this.authService.refreshTokens(user, refreshToken);
     return this.processCookies(ctx, result);
   }
   /**
    * Sign in user via email and password (on specific device)
+   *
+   * @deprecated Will be replaced by BetterAuth signIn in a future version
+   * @throws LegacyAuthDisabledException if legacy endpoints are disabled
    */
   @Mutation(() => CoreAuthModel, {
     description: 'Sign in user via email and password and get JWT tokens (for specific device)',
   })
   @Roles(RoleEnum.S_EVERYONE)
+  @UseGuards(LegacyAuthRateLimitGuard)
   async signIn(
     @GraphQLServiceOptions({ gqlPath: 'signIn.user' }) serviceOptions: ServiceOptions,
     @Context() ctx: { res: ResponseType },
     @Args('input') input: CoreAuthSignInInput,
   ): Promise<CoreAuthModel> {
+    this.checkLegacyGraphQLEnabled('signIn');
     const result = await this.authService.signIn(input, serviceOptions);
     return this.processCookies(ctx, result);
   }
   /**
    * Register a new user account (on specific device)
+   *
+   * @deprecated Will be replaced by BetterAuth signUp in a future version
+   * @throws LegacyAuthDisabledException if legacy endpoints are disabled
    */
   @Mutation(() => CoreAuthModel, { description: 'Register a new user account (on specific device)' })
   @Roles(RoleEnum.S_EVERYONE)
+  @UseGuards(LegacyAuthRateLimitGuard)
   async signUp(
     @GraphQLServiceOptions({ gqlPath: 'signUp.user' }) serviceOptions: ServiceOptions,
     @Context() ctx: { res: ResponseType },
     @Args('input') input: CoreAuthSignUpInput,
   ): Promise<CoreAuthModel> {
+    this.checkLegacyGraphQLEnabled('signUp');
     const result = await this.authService.signUp(input, serviceOptions);
     return this.processCookies(ctx, result);
   }

package/src/core/modules/auth/exceptions/legacy-auth-disabled.exception.ts ADDED Viewed

@@ -0,0 +1,35 @@
+import { GoneException } from '@nestjs/common';
+/**
+ * Exception thrown when Legacy Auth endpoints are accessed but disabled
+ *
+ * This exception is thrown when:
+ * - config.auth.legacyEndpoints.enabled is false
+ * - config.auth.legacyEndpoints.graphql is false (for GraphQL endpoints)
+ * - config.auth.legacyEndpoints.rest is false (for REST endpoints)
+ *
+ * HTTP Status: 410 Gone
+ *
+ * This status code indicates that the resource is no longer available
+ * and will not be available again - appropriate for deprecated endpoints.
+ *
+ * @since 11.7.1
+ *
+ * @example
+ * ```typescript
+ * if (!this.isLegacyEndpointEnabled()) {
+ *   throw new LegacyAuthDisabledException();
+ * }
+ * ```
+ */
+export class LegacyAuthDisabledException extends GoneException {
+  constructor(endpoint?: string) {
+    super({
+      error: 'Legacy Auth Disabled',
+      message: endpoint
+        ? `Legacy Auth endpoint '${endpoint}' is disabled. Use BetterAuth (IAM) endpoints instead.`
+        : 'Legacy Auth endpoints are disabled. Use BetterAuth (IAM) endpoints instead.',
+      statusCode: 410,
+    });
+  }
+}