npm - @lenne.tech/nest-server - Versions diffs - 11.7.1 → 11.7.2 - Mend

@lenne.tech/nest-server 11.7.1 → 11.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (60) hide show

package/src/core/modules/better-auth/core-better-auth.resolver.ts CHANGED Viewed

@@ -1,11 +1,9 @@
-import { BadRequestException, Logger, UnauthorizedException, UseGuards } from '@nestjs/common';
+import { BadRequestException, Logger, UnauthorizedException } from '@nestjs/common';
 import { Args, Context, Mutation, Query, Resolver } from '@nestjs/graphql';
 import { Request, Response } from 'express';
 import { Roles } from '../../common/decorators/roles.decorator';
 import { RoleEnum } from '../../common/enums/role.enum';
-import { AuthGuardStrategy } from '../auth/auth-guard-strategy.enum';
-import { AuthGuard } from '../auth/guards/auth.guard';
 import { BetterAuthAuthModel } from './better-auth-auth.model';
 import { BetterAuthMigrationStatusModel } from './better-auth-migration-status.model';
 import {
@@ -83,7 +81,6 @@ export class CoreBetterAuthResolver {
     nullable: true,
   })
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   async betterAuthSession(@Context() ctx: { req: Request }): Promise<BetterAuthSessionModel | null> {
     if (!this.betterAuthService.isEnabled()) {
       return null;
@@ -131,6 +128,27 @@ export class CoreBetterAuthResolver {
     };
   }
+  /**
+   * Get a fresh JWT token for the current session.
+   *
+   * Use this when your JWT has expired but your session is still valid.
+   * The JWT can be used for stateless authentication with other services
+   * that verify tokens via JWKS (`/iam/jwks`).
+   *
+   * Returns null if:
+   * - Better-Auth is not enabled
+   * - JWT plugin is not enabled
+   * - No valid session exists
+   */
+  @Query(() => String, {
+    description: 'Get fresh JWT token for the current session (requires valid session)',
+    nullable: true,
+  })
+  @Roles(RoleEnum.S_USER)
+  async betterAuthToken(@Context() ctx: { req: Request }): Promise<null | string> {
+    return this.betterAuthService.getToken(ctx.req);
+  }
   /**
    * Get migration status from Legacy Auth to Better-Auth (IAM)
    *
@@ -165,6 +183,9 @@ export class CoreBetterAuthResolver {
    * This mutation wraps Better-Auth's sign-in endpoint and returns a response
    * compatible with the existing auth system.
    *
+   * Features automatic legacy user migration: If a user exists in Legacy Auth
+   * but not in IAM, they will be automatically migrated on first IAM sign-in.
+   *
    * Override this method to add custom pre/post sign-in logic.
    */
   @Mutation(() => BetterAuthAuthModel, {
@@ -184,12 +205,38 @@ export class CoreBetterAuthResolver {
       throw new BadRequestException('Better-Auth API not available');
     }
+    // Try to sign in, with automatic legacy user migration
+    return this.attemptSignIn(email, password, api, true);
+  }
+  /**
+   * Attempt sign-in with optional legacy user migration
+   * @param email - User email
+   * @param password - User password (plain or SHA256)
+   * @param api - Better-Auth API instance
+   * @param allowMigration - Whether to attempt legacy migration on failure
+   */
+  protected async attemptSignIn(
+    email: string,
+    password: string,
+    api: ReturnType<BetterAuthService['getApi']>,
+    allowMigration: boolean,
+  ): Promise<BetterAuthAuthModel> {
     try {
-      // Call Better-Auth's sign-in endpoint
-      const response = (await api.signInEmail({
+      // Try sign-in with original password first (for native IAM users)
+      const response = (await api!.signInEmail({
         body: { email, password },
       })) as BetterAuthSignInResponse | null;
+      this.logger.debug(`[SignIn] API response for ${email}: ${JSON.stringify(response)?.substring(0, 200)}`);
+      // Check if response indicates an error (Better-Auth returns error objects, not throws)
+      const responseAny = response as any;
+      if (responseAny?.error || responseAny?.code === 'CREDENTIAL_ACCOUNT_NOT_FOUND') {
+        this.logger.debug(`[SignIn] API returned error for ${email}: ${responseAny?.error || responseAny?.code}`);
+        throw new Error(responseAny?.error || responseAny?.code || 'Credential account not found');
+      }
       if (!response) {
         throw new UnauthorizedException('Invalid credentials');
       }
@@ -208,8 +255,11 @@ export class CoreBetterAuthResolver {
         const sessionUser: BetterAuthSessionUser = response.user;
         const mappedUser = await this.userMapper.mapSessionUser(sessionUser);
-        // Get token if JWT plugin is enabled
-        const token = this.betterAuthService.isJwtEnabled() ? response.token : undefined;
+        // Return the session token for session-based authentication
+        // Note: If JWT plugin is enabled, accessToken may be in response or in set-auth-jwt header
+        // For GraphQL responses, we return the session token and let clients use it for session auth
+        const responseAny = response as any;
+        const token = responseAny.accessToken || responseAny.token;
         return {
           requiresTwoFactor: false,
@@ -222,9 +272,61 @@ export class CoreBetterAuthResolver {
       throw new UnauthorizedException('Invalid credentials');
     } catch (error) {
-      this.logger.debug(`Sign-in error: ${error instanceof Error ? error.message : 'Unknown error'}`);
+      this.logger.debug(
+        `[SignIn] Sign-in failed for ${email}: ${error instanceof Error ? error.message : 'Unknown error'}`,
+      );
+      // If migration is allowed, try to migrate legacy user and retry
+      if (allowMigration) {
+        this.logger.debug(`[SignIn] Attempting migration for ${email}...`);
+        // Pass the original password for legacy verification
+        const migrated = await this.userMapper.migrateAccountToIam(email, password);
+        this.logger.debug(`[SignIn] Migration result for ${email}: ${migrated}`);
+        if (migrated) {
+          this.logger.debug(`[SignIn] Migrated legacy user ${email} to IAM, retrying sign-in`);
+          // Retry sign-in after migration with normalized password (as migrateAccountToIam stores it)
+          const normalizedPassword = this.userMapper.normalizePasswordForIam(password);
+          return this.attemptSignInDirect(email, normalizedPassword, api);
+        }
+      }
+      throw new UnauthorizedException('Invalid credentials');
+    }
+  }
+  /**
+   * Direct sign-in attempt without migration logic (used after migration)
+   */
+  private async attemptSignInDirect(
+    email: string,
+    password: string,
+    api: ReturnType<BetterAuthService['getApi']>,
+  ): Promise<BetterAuthAuthModel> {
+    const response = (await api!.signInEmail({
+      body: { email, password },
+    })) as BetterAuthSignInResponse | null;
+    if (!response || !hasUser(response)) {
       throw new UnauthorizedException('Invalid credentials');
     }
+    if (requires2FA(response)) {
+      return { requiresTwoFactor: true, success: false, user: null };
+    }
+    const sessionUser: BetterAuthSessionUser = response.user;
+    const mappedUser = await this.userMapper.mapSessionUser(sessionUser);
+    // Return accessToken if available (JWT), otherwise fall back to session token
+    const responseAny = response as any;
+    const token = responseAny.accessToken || responseAny.token;
+    return {
+      requiresTwoFactor: false,
+      session: hasSession(response) ? this.mapSessionInfo(response.session) : null,
+      success: true,
+      token,
+      user: mappedUser ? this.mapToUserModel(mappedUser) : null,
+    };
   }
   /**
@@ -292,7 +394,6 @@ export class CoreBetterAuthResolver {
    */
   @Mutation(() => Boolean, { description: 'Sign out via Better-Auth' })
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   async betterAuthSignOut(@Context() ctx: { req: Request }): Promise<boolean> {
     if (!this.betterAuthService.isEnabled()) {
       return false;
@@ -386,7 +487,6 @@ export class CoreBetterAuthResolver {
     description: 'Enable 2FA for the current user',
   })
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   async betterAuthEnable2FA(
     @Args('password') password: string,
     @Context() ctx: { req: Request },
@@ -441,7 +541,6 @@ export class CoreBetterAuthResolver {
     description: 'Disable 2FA for the current user',
   })
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   async betterAuthDisable2FA(@Args('password') password: string, @Context() ctx: { req: Request }): Promise<boolean> {
     this.ensureEnabled();
@@ -487,7 +586,6 @@ export class CoreBetterAuthResolver {
     nullable: true,
   })
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   async betterAuthGenerateBackupCodes(@Context() ctx: { req: Request }): Promise<null | string[]> {
     this.ensureEnabled();
@@ -534,7 +632,6 @@ export class CoreBetterAuthResolver {
     description: 'Get passkey registration challenge for WebAuthn',
   })
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   async betterAuthGetPasskeyChallenge(@Context() ctx: { req: Request }): Promise<BetterAuthPasskeyChallengeModel> {
     this.ensureEnabled();
@@ -580,7 +677,6 @@ export class CoreBetterAuthResolver {
     nullable: true,
   })
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   async betterAuthListPasskeys(@Context() ctx: { req: Request }): Promise<BetterAuthPasskeyModel[] | null> {
     if (!this.betterAuthService.isEnabled() || !this.betterAuthService.isPasskeyEnabled()) {
       return null;
@@ -627,7 +723,6 @@ export class CoreBetterAuthResolver {
     description: 'Delete a passkey by ID',
   })
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   async betterAuthDeletePasskey(
     @Args('passkeyId') passkeyId: string,
     @Context() ctx: { req: Request },

package/src/core.module.ts CHANGED Viewed

@@ -233,11 +233,17 @@ export class CoreModule implements NestModule {
     // Add BetterAuthModule based on mode
     // IAM-only mode: Always register BetterAuthModule (required for subscription auth)
     // Legacy mode: Only register if autoRegister is explicitly true
-    if (config.betterAuth?.enabled !== false) {
-      if (isIamOnlyMode || config.betterAuth?.autoRegister === true) {
+    // betterAuth can be: boolean | IBetterAuth | undefined
+    const betterAuthConfig = config.betterAuth;
+    const isBetterAuthEnabled =
+      betterAuthConfig === true || (typeof betterAuthConfig === 'object' && betterAuthConfig?.enabled !== false);
+    const isAutoRegister = typeof betterAuthConfig === 'object' && betterAuthConfig?.autoRegister === true;
+    if (isBetterAuthEnabled) {
+      if (isIamOnlyMode || isAutoRegister) {
         imports.push(
           BetterAuthModule.forRoot({
-            config: config.betterAuth || {},
+            config: betterAuthConfig === true ? {} : betterAuthConfig || {},
             // Pass JWT secrets for backwards compatibility fallback
             fallbackSecrets: [config.jwt?.secret, config.jwt?.refresh?.secret],
           }),

package/src/server/modules/better-auth/better-auth.module.ts CHANGED Viewed

@@ -10,9 +10,13 @@ import { BetterAuthResolver } from './better-auth.resolver';
  */
 export interface ServerBetterAuthModuleOptions {
   /**
-   * Better-auth configuration from environment
+   * Better-auth configuration.
+   * Accepts:
+   * - `true`: Enable with all defaults (including JWT)
+   * - `false`: Disable BetterAuth
+   * - `{ ... }`: Enable with custom configuration
    */
-  config: IBetterAuth;
+  config: boolean | IBetterAuth;
   /**
    * Fallback secrets for backwards compatibility with JWT config.
@@ -63,7 +67,9 @@ export class BetterAuthModule {
     const { config, fallbackSecrets } = options;
     // If better-auth is explicitly disabled, return minimal module
-    if (config?.enabled === false) {
+    // Supports: false, { enabled: false }, or undefined/null
+    const isDisabled = config === false || (typeof config === 'object' && config?.enabled === false);
+    if (isDisabled) {
       return {
         exports: [],
         module: BetterAuthModule,

package/src/server/modules/better-auth/better-auth.resolver.ts CHANGED Viewed

@@ -1,11 +1,8 @@
-import { UseGuards } from '@nestjs/common';
 import { Args, Context, Mutation, Query, Resolver } from '@nestjs/graphql';
 import { Request, Response } from 'express';
 import { Roles } from '../../../core/common/decorators/roles.decorator';
 import { RoleEnum } from '../../../core/common/enums/role.enum';
-import { AuthGuardStrategy } from '../../../core/modules/auth/auth-guard-strategy.enum';
-import { AuthGuard } from '../../../core/modules/auth/guards/auth.guard';
 import { BetterAuthAuthModel } from '../../../core/modules/better-auth/better-auth-auth.model';
 import { BetterAuthMigrationStatusModel } from '../../../core/modules/better-auth/better-auth-migration-status.model';
 import {
@@ -62,7 +59,6 @@ export class BetterAuthResolver extends CoreBetterAuthResolver {
     nullable: true,
   })
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   override async betterAuthSession(@Context() ctx: { req: Request }): Promise<BetterAuthSessionModel | null> {
     return super.betterAuthSession(ctx);
   }
@@ -87,12 +83,20 @@ export class BetterAuthResolver extends CoreBetterAuthResolver {
     return super.betterAuthMigrationStatus();
   }
+  @Query(() => String, {
+    description: 'Get fresh JWT token for the current session (requires valid session)',
+    nullable: true,
+  })
+  @Roles(RoleEnum.S_USER)
+  override async betterAuthToken(@Context() ctx: { req: Request }): Promise<null | string> {
+    return super.betterAuthToken(ctx);
+  }
   @Query(() => [BetterAuthPasskeyModel], {
     description: 'List passkeys for the current user',
     nullable: true,
   })
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   override async betterAuthListPasskeys(@Context() ctx: { req: Request }): Promise<BetterAuthPasskeyModel[] | null> {
     return super.betterAuthListPasskeys(ctx);
   }
@@ -127,7 +131,6 @@ export class BetterAuthResolver extends CoreBetterAuthResolver {
   @Mutation(() => Boolean, { description: 'Sign out via Better-Auth' })
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   override async betterAuthSignOut(@Context() ctx: { req: Request }): Promise<boolean> {
     return super.betterAuthSignOut(ctx);
   }
@@ -151,7 +154,6 @@ export class BetterAuthResolver extends CoreBetterAuthResolver {
     description: 'Enable 2FA for the current user',
   })
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   override async betterAuthEnable2FA(
     @Args('password') password: string,
     @Context() ctx: { req: Request },
@@ -163,7 +165,6 @@ export class BetterAuthResolver extends CoreBetterAuthResolver {
     description: 'Disable 2FA for the current user',
   })
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   override async betterAuthDisable2FA(
     @Args('password') password: string,
     @Context() ctx: { req: Request },
@@ -176,7 +177,6 @@ export class BetterAuthResolver extends CoreBetterAuthResolver {
     nullable: true,
   })
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   override async betterAuthGenerateBackupCodes(@Context() ctx: { req: Request }): Promise<null | string[]> {
     return super.betterAuthGenerateBackupCodes(ctx);
   }
@@ -189,7 +189,6 @@ export class BetterAuthResolver extends CoreBetterAuthResolver {
     description: 'Get passkey registration challenge for WebAuthn',
   })
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   override async betterAuthGetPasskeyChallenge(
     @Context() ctx: { req: Request },
   ): Promise<BetterAuthPasskeyChallengeModel> {
@@ -200,7 +199,6 @@ export class BetterAuthResolver extends CoreBetterAuthResolver {
     description: 'Delete a passkey by ID',
   })
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   override async betterAuthDeletePasskey(
     @Args('passkeyId') passkeyId: string,
     @Context() ctx: { req: Request },

package/src/server/modules/user/user.controller.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { Body, Controller, Delete, Get, Param, Patch, Post, Query, UseGuards } from '@nestjs/common';
+import { Body, Controller, Delete, Get, Param, Patch, Post, Query } from '@nestjs/common';
 import {
   ApiBearerAuth,
   ApiBody,
@@ -15,8 +15,6 @@ import { CurrentUser } from '../../../core/common/decorators/current-user.decora
 import { Roles } from '../../../core/common/decorators/roles.decorator';
 import { RoleEnum } from '../../../core/common/enums/role.enum';
 import { ServiceOptions } from '../../../core/common/interfaces/service-options.interface';
-import { AuthGuardStrategy } from '../../../core/modules/auth/auth-guard-strategy.enum';
-import { AuthGuard } from '../../../core/modules/auth/guards/auth.guard';
 import { UserCreateInput } from './inputs/user-create.input';
 import { UserInput } from './inputs/user.input';
 import { FindAndCountUsersResult } from './outputs/find-and-count-users-result.output';
@@ -48,7 +46,6 @@ export class UserController {
   @ApiOperation({ description: 'Find users (via filter)', summary: 'Get all users' })
   @Get()
   @Roles(RoleEnum.ADMIN)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   async findUsers(@CurrentUser() currentUser: User): Promise<User[]> {
     const serviceOptions: ServiceOptions = {
       currentUser,
@@ -67,7 +64,6 @@ export class UserController {
   })
   @Get('count')
   @Roles(RoleEnum.ADMIN)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   async findAndCountUsers(@CurrentUser() currentUser: User): Promise<FindAndCountUsersResult> {
     const serviceOptions: ServiceOptions = {
       currentUser,
@@ -99,7 +95,6 @@ export class UserController {
   @ApiParam({ description: 'User ID', name: 'id', type: String })
   @Get(':id')
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   async getUser(@CurrentUser() currentUser: User, @Param('id') id: string): Promise<User> {
     const serviceOptions: ServiceOptions = {
       currentUser,
@@ -121,7 +116,6 @@ export class UserController {
   @ApiOperation({ description: 'Create a new user', summary: 'Create user' })
   @Post()
   @Roles(RoleEnum.ADMIN)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   async createUser(@CurrentUser() currentUser: User, @Body() input: UserCreateInput): Promise<User> {
     const serviceOptions: ServiceOptions = {
       currentUser,
@@ -208,7 +202,6 @@ export class UserController {
   @ApiParam({ description: 'User ID', name: 'id', type: String })
   @Patch(':id')
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   async updateUser(@CurrentUser() currentUser: User, @Param('id') id: string, @Body() input: UserInput): Promise<User> {
     const serviceOptions: ServiceOptions = {
       currentUser,
@@ -231,7 +224,6 @@ export class UserController {
   @ApiParam({ description: 'User ID', name: 'id', type: String })
   @Delete(':id')
   @Roles(RoleEnum.S_USER)
-  @UseGuards(AuthGuard(AuthGuardStrategy.JWT))
   async deleteUser(@CurrentUser() currentUser: User, @Param('id') id: string): Promise<User> {
     const serviceOptions: ServiceOptions = {
       currentUser,