@meridianjs/auth 0.1.8 → 0.1.10

package/dist/index.d.mts

@@ -61,6 +61,31 @@ declare class AuthModuleService extends AuthModuleService_base {
      * 3. Create new user
      */
     loginOrRegisterWithGoogle(input: GoogleAuthInput): Promise<AuthResult>;
+    /**
+     * Restore a soft-deleted user via an invite link.
+     * Updates their name, password, and role, then issues a fresh session token.
+     * The user's ID — and all history tied to it — is preserved.
+     */
+    restoreFromInvite(userId: string, input: {
+        password: string;
+        first_name?: string;
+        last_name?: string;
+        role?: UserRole;
+    }): Promise<AuthResult>;
+    /** Set (or reset) password for a user. Used after OTP verification. */
+    setPassword(userId: string, newPassword: string): Promise<void>;
+    /**
+     * Generate a password reset token for the given email.
+     * Returns the token and user info so the caller can emit an event / send an email.
+     * Returns null (instead of throwing) when the email isn't found — prevents enumeration.
+     */
+    requestPasswordReset(email: string): Promise<{
+        token: string;
+        userId: string;
+        email: string;
+    } | null>;
+    /** Validate a password reset token and set the new password. */
+    resetPassword(token: string, newPassword: string): Promise<void>;
     /** Verify a JWT and return its decoded payload. Throws if invalid or expired. */
     verifyToken(token: string, secret: string): JwtPayload;
     /** Resolve permissions for a given app_role_id — gracefully degrades if module not loaded. */

package/dist/index.d.ts

@@ -61,6 +61,31 @@ declare class AuthModuleService extends AuthModuleService_base {
      * 3. Create new user
      */
     loginOrRegisterWithGoogle(input: GoogleAuthInput): Promise<AuthResult>;
+    /**
+     * Restore a soft-deleted user via an invite link.
+     * Updates their name, password, and role, then issues a fresh session token.
+     * The user's ID — and all history tied to it — is preserved.
+     */
+    restoreFromInvite(userId: string, input: {
+        password: string;
+        first_name?: string;
+        last_name?: string;
+        role?: UserRole;
+    }): Promise<AuthResult>;
+    /** Set (or reset) password for a user. Used after OTP verification. */
+    setPassword(userId: string, newPassword: string): Promise<void>;
+    /**
+     * Generate a password reset token for the given email.
+     * Returns the token and user info so the caller can emit an event / send an email.
+     * Returns null (instead of throwing) when the email isn't found — prevents enumeration.
+     */
+    requestPasswordReset(email: string): Promise<{
+        token: string;
+        userId: string;
+        email: string;
+    } | null>;
+    /** Validate a password reset token and set the new password. */
+    resetPassword(token: string, newPassword: string): Promise<void>;
     /** Verify a JWT and return its decoded payload. Throws if invalid or expired. */
     verifyToken(token: string, secret: string): JwtPayload;
     /** Resolve permissions for a given app_role_id — gracefully degrades if module not loaded. */

package/dist/index.js

@@ -49,6 +49,7 @@ var import_crypto = require("crypto");
 var BCRYPT_ROUNDS = 12;
 var JWT_EXPIRES_IN = "7d";
 var JWT_EXPIRES_MS = 7 * 24 * 60 * 60 * 1e3;
+var RESET_TOKEN_EXPIRES_MS = 30 * 60 * 1e3;
 var AuthModuleService = class extends (0, import_framework_utils.MeridianService)({}) {
   container;
   constructor(container) {
@@ -99,6 +100,9 @@ var AuthModuleService = class extends (0, import_framework_utils.MeridianService
     if (!user) {
       throw Object.assign(new Error("Invalid credentials"), { status: 401 });
     }
+    if (user.deleted_at) {
+      throw Object.assign(new Error("Invalid credentials"), { status: 401 });
+    }
     if (!user.is_active) {
       throw Object.assign(new Error("Account deactivated"), { status: 403 });
     }
@@ -137,16 +141,23 @@ var AuthModuleService = class extends (0, import_framework_utils.MeridianService
       if (existingByEmail) {
         throw Object.assign(
           new Error(
-            "An account with this email already exists. Please sign in with your password. You can link Google sign-in from your account settings afterwards."
+            "GOOGLE_NOT_LINKED: Your Google account is not connected yet. Please sign in with your email and password, then connect Google from your Profile settings to use Google sign-in."
           ),
           { status: 409 }
         );
       }
     }
     if (user) {
+      if (user.deleted_at) {
+        throw Object.assign(new Error("Invalid credentials"), { status: 401 });
+      }
       if (!user.is_active) {
         throw Object.assign(new Error("Account deactivated"), { status: 403 });
       }
+      if (!user.avatar_url && input.picture) {
+        await userService.updateUser(user.id, { avatar_url: input.picture }).catch(() => {
+        });
+      }
       await userService.recordLogin(user.id).catch(() => {
       });
       const permissions2 = await this.resolvePermissions(user.app_role_id);
@@ -181,7 +192,9 @@ var AuthModuleService = class extends (0, import_framework_utils.MeridianService
       last_name: input.lastName ?? null,
       role,
       is_active: true,
+      has_password: false,
       google_id: input.googleId,
+      avatar_url: input.picture ?? null,
       ...invite?.app_role_id ? { app_role_id: invite.app_role_id } : {}
     });
     if (invite) {
@@ -201,6 +214,81 @@ var AuthModuleService = class extends (0, import_framework_utils.MeridianService
       token
     };
   }
+  /**
+   * Restore a soft-deleted user via an invite link.
+   * Updates their name, password, and role, then issues a fresh session token.
+   * The user's ID — and all history tied to it — is preserved.
+   */
+  async restoreFromInvite(userId, input) {
+    const userService = this.container.resolve("userModuleService");
+    const config = this.container.resolve("config");
+    const password_hash = await import_bcrypt.default.hash(input.password, BCRYPT_ROUNDS);
+    const user = await userService.restoreUser(userId, {
+      password_hash,
+      first_name: input.first_name ?? null,
+      last_name: input.last_name ?? null,
+      role: input.role ?? "member"
+    });
+    const permissions = await this.resolvePermissions(user.app_role_id);
+    const { token, jti, expiresAt } = this.signToken(user.id, null, [user.role], permissions, config.projectConfig.jwtSecret);
+    await userService.createSession(jti, user.id, expiresAt).catch(() => {
+    });
+    return {
+      user: {
+        id: user.id,
+        email: user.email,
+        first_name: user.first_name ?? null,
+        last_name: user.last_name ?? null
+      },
+      token
+    };
+  }
+  /** Set (or reset) password for a user. Used after OTP verification. */
+  async setPassword(userId, newPassword) {
+    const userService = this.container.resolve("userModuleService");
+    const password_hash = await import_bcrypt.default.hash(newPassword, BCRYPT_ROUNDS);
+    await userService.updateUser(userId, { password_hash, has_password: true });
+  }
+  /**
+   * Generate a password reset token for the given email.
+   * Returns the token and user info so the caller can emit an event / send an email.
+   * Returns null (instead of throwing) when the email isn't found — prevents enumeration.
+   */
+  async requestPasswordReset(email) {
+    const userService = this.container.resolve("userModuleService");
+    const config = this.container.resolve("config");
+    const user = await userService.retrieveUserByEmail(email.toLowerCase().trim());
+    if (!user || user.deleted_at || !user.is_active) return null;
+    const resetToken = (0, import_crypto.randomBytes)(32).toString("hex");
+    const payload = { sub: user.id, purpose: "password_reset", jti: resetToken };
+    const signedToken = import_jsonwebtoken.default.sign(payload, config.projectConfig.jwtSecret, { expiresIn: "30m" });
+    return { token: signedToken, userId: user.id, email: user.email };
+  }
+  /** Validate a password reset token and set the new password. */
+  async resetPassword(token, newPassword) {
+    const config = this.container.resolve("config");
+    const userService = this.container.resolve("userModuleService");
+    let payload;
+    try {
+      payload = import_jsonwebtoken.default.verify(token, config.projectConfig.jwtSecret, { algorithms: ["HS256"] });
+    } catch (err) {
+      if (err.name === "TokenExpiredError") {
+        throw Object.assign(new Error("Reset link has expired. Please request a new one."), { status: 400 });
+      }
+      throw Object.assign(new Error("Invalid reset link"), { status: 400 });
+    }
+    if (payload.purpose !== "password_reset") {
+      throw Object.assign(new Error("Invalid reset link"), { status: 400 });
+    }
+    const user = await userService.retrieveUser(payload.sub);
+    if (!user || user.deleted_at || !user.is_active) {
+      throw Object.assign(new Error("Account not found or inactive"), { status: 400 });
+    }
+    const password_hash = await import_bcrypt.default.hash(newPassword, BCRYPT_ROUNDS);
+    await userService.updateUser(payload.sub, { password_hash });
+    await userService.revokeAllUserSessions(payload.sub).catch(() => {
+    });
+  }
   /** Verify a JWT and return its decoded payload. Throws if invalid or expired. */
   verifyToken(token, secret) {
     return import_jsonwebtoken.default.verify(token, secret, { algorithms: ["HS256"] });

package/dist/index.mjs

@@ -5,10 +5,11 @@ import { Module } from "@meridianjs/framework-utils";
 import { MeridianService } from "@meridianjs/framework-utils";
 import bcrypt from "bcrypt";
 import jwt from "jsonwebtoken";
-import { randomUUID } from "crypto";
+import { randomBytes, randomUUID } from "crypto";
 var BCRYPT_ROUNDS = 12;
 var JWT_EXPIRES_IN = "7d";
 var JWT_EXPIRES_MS = 7 * 24 * 60 * 60 * 1e3;
+var RESET_TOKEN_EXPIRES_MS = 30 * 60 * 1e3;
 var AuthModuleService = class extends MeridianService({}) {
   container;
   constructor(container) {
@@ -59,6 +60,9 @@ var AuthModuleService = class extends MeridianService({}) {
     if (!user) {
       throw Object.assign(new Error("Invalid credentials"), { status: 401 });
     }
+    if (user.deleted_at) {
+      throw Object.assign(new Error("Invalid credentials"), { status: 401 });
+    }
     if (!user.is_active) {
       throw Object.assign(new Error("Account deactivated"), { status: 403 });
     }
@@ -97,16 +101,23 @@ var AuthModuleService = class extends MeridianService({}) {
       if (existingByEmail) {
         throw Object.assign(
           new Error(
-            "An account with this email already exists. Please sign in with your password. You can link Google sign-in from your account settings afterwards."
+            "GOOGLE_NOT_LINKED: Your Google account is not connected yet. Please sign in with your email and password, then connect Google from your Profile settings to use Google sign-in."
           ),
           { status: 409 }
         );
       }
     }
     if (user) {
+      if (user.deleted_at) {
+        throw Object.assign(new Error("Invalid credentials"), { status: 401 });
+      }
       if (!user.is_active) {
         throw Object.assign(new Error("Account deactivated"), { status: 403 });
       }
+      if (!user.avatar_url && input.picture) {
+        await userService.updateUser(user.id, { avatar_url: input.picture }).catch(() => {
+        });
+      }
       await userService.recordLogin(user.id).catch(() => {
       });
       const permissions2 = await this.resolvePermissions(user.app_role_id);
@@ -141,7 +152,9 @@ var AuthModuleService = class extends MeridianService({}) {
       last_name: input.lastName ?? null,
       role,
       is_active: true,
+      has_password: false,
       google_id: input.googleId,
+      avatar_url: input.picture ?? null,
       ...invite?.app_role_id ? { app_role_id: invite.app_role_id } : {}
     });
     if (invite) {
@@ -161,6 +174,81 @@ var AuthModuleService = class extends MeridianService({}) {
       token
     };
   }
+  /**
+   * Restore a soft-deleted user via an invite link.
+   * Updates their name, password, and role, then issues a fresh session token.
+   * The user's ID — and all history tied to it — is preserved.
+   */
+  async restoreFromInvite(userId, input) {
+    const userService = this.container.resolve("userModuleService");
+    const config = this.container.resolve("config");
+    const password_hash = await bcrypt.hash(input.password, BCRYPT_ROUNDS);
+    const user = await userService.restoreUser(userId, {
+      password_hash,
+      first_name: input.first_name ?? null,
+      last_name: input.last_name ?? null,
+      role: input.role ?? "member"
+    });
+    const permissions = await this.resolvePermissions(user.app_role_id);
+    const { token, jti, expiresAt } = this.signToken(user.id, null, [user.role], permissions, config.projectConfig.jwtSecret);
+    await userService.createSession(jti, user.id, expiresAt).catch(() => {
+    });
+    return {
+      user: {
+        id: user.id,
+        email: user.email,
+        first_name: user.first_name ?? null,
+        last_name: user.last_name ?? null
+      },
+      token
+    };
+  }
+  /** Set (or reset) password for a user. Used after OTP verification. */
+  async setPassword(userId, newPassword) {
+    const userService = this.container.resolve("userModuleService");
+    const password_hash = await bcrypt.hash(newPassword, BCRYPT_ROUNDS);
+    await userService.updateUser(userId, { password_hash, has_password: true });
+  }
+  /**
+   * Generate a password reset token for the given email.
+   * Returns the token and user info so the caller can emit an event / send an email.
+   * Returns null (instead of throwing) when the email isn't found — prevents enumeration.
+   */
+  async requestPasswordReset(email) {
+    const userService = this.container.resolve("userModuleService");
+    const config = this.container.resolve("config");
+    const user = await userService.retrieveUserByEmail(email.toLowerCase().trim());
+    if (!user || user.deleted_at || !user.is_active) return null;
+    const resetToken = randomBytes(32).toString("hex");
+    const payload = { sub: user.id, purpose: "password_reset", jti: resetToken };
+    const signedToken = jwt.sign(payload, config.projectConfig.jwtSecret, { expiresIn: "30m" });
+    return { token: signedToken, userId: user.id, email: user.email };
+  }
+  /** Validate a password reset token and set the new password. */
+  async resetPassword(token, newPassword) {
+    const config = this.container.resolve("config");
+    const userService = this.container.resolve("userModuleService");
+    let payload;
+    try {
+      payload = jwt.verify(token, config.projectConfig.jwtSecret, { algorithms: ["HS256"] });
+    } catch (err) {
+      if (err.name === "TokenExpiredError") {
+        throw Object.assign(new Error("Reset link has expired. Please request a new one."), { status: 400 });
+      }
+      throw Object.assign(new Error("Invalid reset link"), { status: 400 });
+    }
+    if (payload.purpose !== "password_reset") {
+      throw Object.assign(new Error("Invalid reset link"), { status: 400 });
+    }
+    const user = await userService.retrieveUser(payload.sub);
+    if (!user || user.deleted_at || !user.is_active) {
+      throw Object.assign(new Error("Account not found or inactive"), { status: 400 });
+    }
+    const password_hash = await bcrypt.hash(newPassword, BCRYPT_ROUNDS);
+    await userService.updateUser(payload.sub, { password_hash });
+    await userService.revokeAllUserSessions(payload.sub).catch(() => {
+    });
+  }
   /** Verify a JWT and return its decoded payload. Throws if invalid or expired. */
   verifyToken(token, secret) {
     return jwt.verify(token, secret, { algorithms: ["HS256"] });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@meridianjs/auth",
-  "version": "0.1.8",
+  "version": "0.1.10",
   "description": "Meridian auth module — JWT authentication and middleware",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",