@lenne.tech/nest-server 11.7.0 → 11.7.2

package/src/core/modules/better-auth/core-better-auth.resolver.ts

@@ -1,12 +1,11 @@
-import { BadRequestException, Logger, UnauthorizedException, UseGuards } from '@nestjs/common';
+import { BadRequestException, Logger, UnauthorizedException } from '@nestjs/common';
 import { Args, Context, Mutation, Query, Resolver } from '@nestjs/graphql';
 import { Request, Response } from 'express';
 
 import { Roles } from '../../common/decorators/roles.decorator';
 import { RoleEnum } from '../../common/enums/role.enum';
-import { AuthGuardStrategy } from '../auth/auth-guard-strategy.enum';
-import { AuthGuard } from '../auth/guards/auth.guard';
 import { BetterAuthAuthModel } from './better-auth-auth.model';
+import { BetterAuthMigrationStatusModel } from './better-auth-migration-status.model';
 import {
   BetterAuth2FASetupModel,
   BetterAuthFeaturesModel,
@@ -82,7 +81,6 @@ export class CoreBetterAuthResolver {
     nullable: true,
   })
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   async betterAuthSession(@Context() ctx: { req: Request }): Promise<BetterAuthSessionModel | null> {
     if (!this.betterAuthService.isEnabled()) {
       return null;
@@ -130,6 +128,51 @@ export class CoreBetterAuthResolver {
     };
   }
 
+  /**
+   * Get a fresh JWT token for the current session.
+   *
+   * Use this when your JWT has expired but your session is still valid.
+   * The JWT can be used for stateless authentication with other services
+   * that verify tokens via JWKS (`/iam/jwks`).
+   *
+   * Returns null if:
+   * - Better-Auth is not enabled
+   * - JWT plugin is not enabled
+   * - No valid session exists
+   */
+  @Query(() => String, {
+    description: 'Get fresh JWT token for the current session (requires valid session)',
+    nullable: true,
+  })
+  @Roles(RoleEnum.S_USER)
+  async betterAuthToken(@Context() ctx: { req: Request }): Promise<null | string> {
+    return this.betterAuthService.getToken(ctx.req);
+  }
+
+  /**
+   * Get migration status from Legacy Auth to Better-Auth (IAM)
+   *
+   * This query provides administrators with information about how many users
+   * have been migrated to the IAM system. This helps determine when it might
+   * be safe to consider disabling Legacy Auth endpoints.
+   *
+   * A user is considered fully migrated when:
+   * 1. They have an `iamId` set (linked to Better-Auth)
+   * 2. They have a credential account in Better-Auth
+   *
+   * Note: Even when canDisableLegacyAuth returns true, Legacy Auth cannot
+   * currently be removed because CoreModule.forRoot requires AuthService
+   * for GraphQL Subscriptions authentication.
+   */
+  @Query(() => BetterAuthMigrationStatusModel, {
+    description: 'Get migration status from Legacy Auth to Better-Auth (IAM) - Admin only',
+  })
+  @Roles(RoleEnum.ADMIN)
+  async betterAuthMigrationStatus(): Promise<BetterAuthMigrationStatusModel> {
+    const status = await this.userMapper.getMigrationStatus();
+    return status;
+  }
+
   // ===========================================================================
   // Mutations
   // ===========================================================================
@@ -140,6 +183,9 @@ export class CoreBetterAuthResolver {
    * This mutation wraps Better-Auth's sign-in endpoint and returns a response
    * compatible with the existing auth system.
    *
+   * Features automatic legacy user migration: If a user exists in Legacy Auth
+   * but not in IAM, they will be automatically migrated on first IAM sign-in.
+   *
    * Override this method to add custom pre/post sign-in logic.
    */
   @Mutation(() => BetterAuthAuthModel, {
@@ -159,12 +205,38 @@ export class CoreBetterAuthResolver {
       throw new BadRequestException('Better-Auth API not available');
     }
 
+    // Try to sign in, with automatic legacy user migration
+    return this.attemptSignIn(email, password, api, true);
+  }
+
+  /**
+   * Attempt sign-in with optional legacy user migration
+   * @param email - User email
+   * @param password - User password (plain or SHA256)
+   * @param api - Better-Auth API instance
+   * @param allowMigration - Whether to attempt legacy migration on failure
+   */
+  protected async attemptSignIn(
+    email: string,
+    password: string,
+    api: ReturnType<BetterAuthService['getApi']>,
+    allowMigration: boolean,
+  ): Promise<BetterAuthAuthModel> {
     try {
-      // Call Better-Auth's sign-in endpoint
-      const response = (await api.signInEmail({
+      // Try sign-in with original password first (for native IAM users)
+      const response = (await api!.signInEmail({
         body: { email, password },
       })) as BetterAuthSignInResponse | null;
 
+      this.logger.debug(`[SignIn] API response for ${email}: ${JSON.stringify(response)?.substring(0, 200)}`);
+
+      // Check if response indicates an error (Better-Auth returns error objects, not throws)
+      const responseAny = response as any;
+      if (responseAny?.error || responseAny?.code === 'CREDENTIAL_ACCOUNT_NOT_FOUND') {
+        this.logger.debug(`[SignIn] API returned error for ${email}: ${responseAny?.error || responseAny?.code}`);
+        throw new Error(responseAny?.error || responseAny?.code || 'Credential account not found');
+      }
+
       if (!response) {
         throw new UnauthorizedException('Invalid credentials');
       }
@@ -183,8 +255,11 @@ export class CoreBetterAuthResolver {
         const sessionUser: BetterAuthSessionUser = response.user;
         const mappedUser = await this.userMapper.mapSessionUser(sessionUser);
 
-        // Get token if JWT plugin is enabled
-        const token = this.betterAuthService.isJwtEnabled() ? response.token : undefined;
+        // Return the session token for session-based authentication
+        // Note: If JWT plugin is enabled, accessToken may be in response or in set-auth-jwt header
+        // For GraphQL responses, we return the session token and let clients use it for session auth
+        const responseAny = response as any;
+        const token = responseAny.accessToken || responseAny.token;
 
         return {
           requiresTwoFactor: false,
@@ -197,9 +272,61 @@ export class CoreBetterAuthResolver {
 
       throw new UnauthorizedException('Invalid credentials');
     } catch (error) {
-      this.logger.debug(`Sign-in error: ${error instanceof Error ? error.message : 'Unknown error'}`);
+      this.logger.debug(
+        `[SignIn] Sign-in failed for ${email}: ${error instanceof Error ? error.message : 'Unknown error'}`,
+      );
+
+      // If migration is allowed, try to migrate legacy user and retry
+      if (allowMigration) {
+        this.logger.debug(`[SignIn] Attempting migration for ${email}...`);
+        // Pass the original password for legacy verification
+        const migrated = await this.userMapper.migrateAccountToIam(email, password);
+        this.logger.debug(`[SignIn] Migration result for ${email}: ${migrated}`);
+        if (migrated) {
+          this.logger.debug(`[SignIn] Migrated legacy user ${email} to IAM, retrying sign-in`);
+          // Retry sign-in after migration with normalized password (as migrateAccountToIam stores it)
+          const normalizedPassword = this.userMapper.normalizePasswordForIam(password);
+          return this.attemptSignInDirect(email, normalizedPassword, api);
+        }
+      }
+
+      throw new UnauthorizedException('Invalid credentials');
+    }
+  }
+
+  /**
+   * Direct sign-in attempt without migration logic (used after migration)
+   */
+  private async attemptSignInDirect(
+    email: string,
+    password: string,
+    api: ReturnType<BetterAuthService['getApi']>,
+  ): Promise<BetterAuthAuthModel> {
+    const response = (await api!.signInEmail({
+      body: { email, password },
+    })) as BetterAuthSignInResponse | null;
+
+    if (!response || !hasUser(response)) {
       throw new UnauthorizedException('Invalid credentials');
     }
+
+    if (requires2FA(response)) {
+      return { requiresTwoFactor: true, success: false, user: null };
+    }
+
+    const sessionUser: BetterAuthSessionUser = response.user;
+    const mappedUser = await this.userMapper.mapSessionUser(sessionUser);
+    // Return accessToken if available (JWT), otherwise fall back to session token
+    const responseAny = response as any;
+    const token = responseAny.accessToken || responseAny.token;
+
+    return {
+      requiresTwoFactor: false,
+      session: hasSession(response) ? this.mapSessionInfo(response.session) : null,
+      success: true,
+      token,
+      user: mappedUser ? this.mapToUserModel(mappedUser) : null,
+    };
   }
 
   /**
@@ -267,7 +394,6 @@ export class CoreBetterAuthResolver {
    */
   @Mutation(() => Boolean, { description: 'Sign out via Better-Auth' })
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   async betterAuthSignOut(@Context() ctx: { req: Request }): Promise<boolean> {
     if (!this.betterAuthService.isEnabled()) {
       return false;
@@ -361,7 +487,6 @@ export class CoreBetterAuthResolver {
     description: 'Enable 2FA for the current user',
   })
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   async betterAuthEnable2FA(
     @Args('password') password: string,
     @Context() ctx: { req: Request },
@@ -416,7 +541,6 @@ export class CoreBetterAuthResolver {
     description: 'Disable 2FA for the current user',
   })
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   async betterAuthDisable2FA(@Args('password') password: string, @Context() ctx: { req: Request }): Promise<boolean> {
     this.ensureEnabled();
 
@@ -462,7 +586,6 @@ export class CoreBetterAuthResolver {
     nullable: true,
   })
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   async betterAuthGenerateBackupCodes(@Context() ctx: { req: Request }): Promise<null | string[]> {
     this.ensureEnabled();
 
@@ -509,7 +632,6 @@ export class CoreBetterAuthResolver {
     description: 'Get passkey registration challenge for WebAuthn',
   })
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   async betterAuthGetPasskeyChallenge(@Context() ctx: { req: Request }): Promise<BetterAuthPasskeyChallengeModel> {
     this.ensureEnabled();
 
@@ -555,7 +677,6 @@ export class CoreBetterAuthResolver {
     nullable: true,
   })
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   async betterAuthListPasskeys(@Context() ctx: { req: Request }): Promise<BetterAuthPasskeyModel[] | null> {
     if (!this.betterAuthService.isEnabled() || !this.betterAuthService.isPasskeyEnabled()) {
       return null;
@@ -602,7 +723,6 @@ export class CoreBetterAuthResolver {
     description: 'Delete a passkey by ID',
   })
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   async betterAuthDeletePasskey(
     @Args('passkeyId') passkeyId: string,
     @Context() ctx: { req: Request },

package/src/core/modules/better-auth/index.ts

@@ -18,6 +18,7 @@
  */
 
 export * from './better-auth-auth.model';
+export * from './better-auth-migration-status.model';
 export * from './better-auth-models';
 export * from './better-auth-rate-limit.middleware';
 export * from './better-auth-rate-limiter.service';

package/src/core/modules/user/core-user.service.ts

@@ -1,4 +1,4 @@
-import { BadRequestException, NotFoundException, UnprocessableEntityException } from '@nestjs/common';
+import { BadRequestException, Logger, NotFoundException, UnprocessableEntityException } from '@nestjs/common';
 import bcrypt = require('bcrypt');
 import crypto = require('crypto');
 import { sha256 } from 'js-sha256';
@@ -13,20 +13,31 @@ import { CoreModelConstructor } from '../../common/types/core-model-constructor.
 import { CoreUserModel } from './core-user.model';
 import { CoreUserCreateInput } from './inputs/core-user-create.input';
 import { CoreUserInput } from './inputs/core-user.input';
+import { CoreUserServiceOptions } from './interfaces/core-user-service-options.interface';
 
 /**
  * User service
+ *
+ * Provides user management with automatic synchronization between
+ * Legacy Auth and Better-Auth (IAM) systems when both are enabled.
  */
 export abstract class CoreUserService<
   TUser extends CoreUserModel,
   TUserInput extends CoreUserInput,
   TUserCreateInput extends CoreUserCreateInput,
 > extends CrudService<TUser, TUserCreateInput, TUserInput> {
+  protected readonly userServiceLogger = new Logger(CoreUserService.name);
+
   protected constructor(
     protected override readonly configService: ConfigService,
     protected readonly emailService: EmailService,
     protected override readonly mainDbModel: Model<Document & TUser>,
     protected override readonly mainModelConstructor: CoreModelConstructor<TUser>,
+    /**
+     * Optional configuration for additional features like IAM sync.
+     * Using options object pattern for extensibility without breaking changes.
+     */
+    protected readonly options?: CoreUserServiceOptions,
   ) {
     super();
   }
@@ -125,6 +136,10 @@ export abstract class CoreUserService<
 
   /**
    * Set new password for user with token
+   *
+   * This method also syncs the password change to Better-Auth (IAM) if:
+   * - BetterAuthUserMapper is configured via options
+   * - User has an existing IAM credential account
    */
   async resetPassword(token: string, newPassword: string, serviceOptions?: ServiceOptions): Promise<TUser> {
     // Get user
@@ -133,6 +148,10 @@ export abstract class CoreUserService<
       throw new NotFoundException(`No user found with password reset token: ${token}`);
     }
 
+    // Store the original plain password for IAM sync before any hashing
+    // We need the plain password because IAM uses scrypt, not bcrypt+sha256
+    const plainPasswordForIamSync = /^[a-f0-9]{64}$/i.test(newPassword) ? undefined : newPassword;
+
     return this.process(
       async () => {
         // Check if the password was transmitted encrypted
@@ -141,11 +160,26 @@ export abstract class CoreUserService<
           newPassword = sha256(newPassword);
         }
 
-        // Update and return user
-        return await assignPlain(dbObject, {
+        // Update Legacy Auth password
+        const updatedUser = await assignPlain(dbObject, {
           password: await bcrypt.hash(newPassword, 10),
           passwordResetToken: null,
         }).save();
+
+        // Sync password to Better-Auth (IAM) if mapper is available
+        // This ensures users can sign in via IAM after password reset
+        if (this.options?.betterAuthUserMapper && plainPasswordForIamSync && dbObject.email) {
+          try {
+            await this.options.betterAuthUserMapper.syncPasswordChangeToIam(dbObject.email, plainPasswordForIamSync);
+          } catch (error) {
+            // Log but don't fail - Legacy Auth password was updated successfully
+            this.userServiceLogger.warn(
+              `Failed to sync password reset to IAM for ${dbObject.email}: ${error instanceof Error ? error.message : 'Unknown error'}`,
+            );
+          }
+        }
+
+        return updatedUser;
       },
       { dbObject, serviceOptions },
     );
@@ -186,7 +220,7 @@ export abstract class CoreUserService<
     }
 
     // Check roles values
-    if (roles.some(role => typeof role !== 'string')) {
+    if (roles.some((role) => typeof role !== 'string')) {
       throw new BadRequestException('Roles contains invalid values');
     }
 
@@ -198,4 +232,97 @@ export abstract class CoreUserService<
       { serviceOptions },
     );
   }
+
+  // ===================================================================================================================
+  // Auth System Sync Methods
+  // ===================================================================================================================
+
+  /**
+   * Update user with automatic email and password sync between Legacy and IAM auth systems
+   *
+   * When the email changes and BetterAuthUserMapper is available, this method:
+   * - Invalidates all Better-Auth sessions (forces re-authentication)
+   * - The shared users collection is automatically updated
+   *
+   * When the password changes:
+   * - Updates the Legacy Auth password (bcrypt hash)
+   * - Syncs to Better-Auth (IAM) if the user has a credential account
+   */
+  override async update(id: string, input: TUserInput, serviceOptions?: ServiceOptions): Promise<TUser> {
+    // Get the current user before update to detect email changes
+    const oldUser = (await this.mainDbModel.findById(id).lean().exec()) as null | TUser;
+    const oldEmail = oldUser?.email;
+
+    // Store plain password for IAM sync before any hashing occurs
+    // We need to capture this before super.update() which may hash it
+    const inputPassword = (input as any).password;
+    const plainPasswordForIamSync = inputPassword && !/^[a-f0-9]{64}$/i.test(inputPassword) ? inputPassword : undefined;
+
+    // Perform the update
+    const updatedUser = await super.update(id, input, serviceOptions);
+
+    // Sync email change to IAM if email was changed and mapper is available
+    if (this.options?.betterAuthUserMapper && oldEmail && input.email && oldEmail !== input.email) {
+      try {
+        await this.options.betterAuthUserMapper.syncEmailChangeFromLegacy(oldEmail, input.email);
+        this.userServiceLogger.debug(`Synced email change from Legacy to IAM: ${oldEmail} → ${input.email}`);
+      } catch (error) {
+        this.userServiceLogger.error(
+          `Failed to sync email change to IAM: ${error instanceof Error ? error.message : 'Unknown error'}`,
+        );
+        // Don't throw - email sync failure shouldn't block the update
+      }
+    }
+
+    // Sync password change to IAM if password was changed and mapper is available
+    if (this.options?.betterAuthUserMapper && plainPasswordForIamSync && oldUser?.email) {
+      try {
+        await this.options.betterAuthUserMapper.syncPasswordChangeToIam(oldUser.email, plainPasswordForIamSync);
+        this.userServiceLogger.debug(`Synced password change to IAM for user ${oldUser.email}`);
+      } catch (error) {
+        this.userServiceLogger.warn(
+          `Failed to sync password change to IAM for ${oldUser.email}: ${error instanceof Error ? error.message : 'Unknown error'}`,
+        );
+        // Don't throw - password sync failure shouldn't block the update
+      }
+    }
+
+    return updatedUser;
+  }
+
+  /**
+   * Delete user with automatic cleanup of IAM auth data
+   *
+   * When BetterAuthUserMapper is available, this method also:
+   * - Deletes all Better-Auth accounts for this user
+   * - Deletes all Better-Auth sessions for this user
+   *
+   * This ensures no orphaned auth data remains after user deletion.
+   */
+  override async delete(id: string, serviceOptions?: ServiceOptions): Promise<TUser> {
+    // Get the user before deletion to cleanup IAM data
+    const user = (await this.mainDbModel.findById(id).lean().exec()) as null | (TUser & { _id: any });
+
+    // Perform the deletion
+    const deletedUser = await super.delete(id, serviceOptions);
+
+    // Cleanup IAM data if mapper is available
+    if (this.options?.betterAuthUserMapper && user?._id) {
+      try {
+        const result = await this.options.betterAuthUserMapper.cleanupIamDataForDeletedUser(user._id);
+        if (result.accountsDeleted > 0 || result.sessionsDeleted > 0) {
+          this.userServiceLogger.debug(
+            `Cleaned up IAM data for deleted user ${id}: accounts=${result.accountsDeleted}, sessions=${result.sessionsDeleted}`,
+          );
+        }
+      } catch (error) {
+        this.userServiceLogger.error(
+          `Failed to cleanup IAM data for deleted user: ${error instanceof Error ? error.message : 'Unknown error'}`,
+        );
+        // Don't throw - cleanup failure shouldn't block the delete response
+      }
+    }
+
+    return deletedUser;
+  }
 }

package/src/core/modules/user/interfaces/core-user-service-options.interface.ts

@@ -0,0 +1,15 @@
+import { BetterAuthUserMapper } from '../../better-auth/better-auth-user.mapper';
+
+/**
+ * Optional configuration for CoreUserService
+ *
+ * Use this interface for optional dependencies that may not be available in all projects.
+ * This pattern allows adding new optional parameters without breaking existing implementations.
+ */
+export interface CoreUserServiceOptions {
+  /**
+   * Optional BetterAuthUserMapper for syncing between Legacy and IAM auth systems.
+   * When provided, email changes and user deletions are automatically synced.
+   */
+  betterAuthUserMapper?: BetterAuthUserMapper;
+}