@meridianjs/auth 0.1.9 → 0.1.10

package/dist/index.d.mts

@@ -72,6 +72,20 @@ declare class AuthModuleService extends AuthModuleService_base {
         last_name?: string;
         role?: UserRole;
     }): Promise<AuthResult>;
+    /** Set (or reset) password for a user. Used after OTP verification. */
+    setPassword(userId: string, newPassword: string): Promise<void>;
+    /**
+     * Generate a password reset token for the given email.
+     * Returns the token and user info so the caller can emit an event / send an email.
+     * Returns null (instead of throwing) when the email isn't found — prevents enumeration.
+     */
+    requestPasswordReset(email: string): Promise<{
+        token: string;
+        userId: string;
+        email: string;
+    } | null>;
+    /** Validate a password reset token and set the new password. */
+    resetPassword(token: string, newPassword: string): Promise<void>;
     /** Verify a JWT and return its decoded payload. Throws if invalid or expired. */
     verifyToken(token: string, secret: string): JwtPayload;
     /** Resolve permissions for a given app_role_id — gracefully degrades if module not loaded. */

package/dist/index.d.ts

@@ -72,6 +72,20 @@ declare class AuthModuleService extends AuthModuleService_base {
         last_name?: string;
         role?: UserRole;
     }): Promise<AuthResult>;
+    /** Set (or reset) password for a user. Used after OTP verification. */
+    setPassword(userId: string, newPassword: string): Promise<void>;
+    /**
+     * Generate a password reset token for the given email.
+     * Returns the token and user info so the caller can emit an event / send an email.
+     * Returns null (instead of throwing) when the email isn't found — prevents enumeration.
+     */
+    requestPasswordReset(email: string): Promise<{
+        token: string;
+        userId: string;
+        email: string;
+    } | null>;
+    /** Validate a password reset token and set the new password. */
+    resetPassword(token: string, newPassword: string): Promise<void>;
     /** Verify a JWT and return its decoded payload. Throws if invalid or expired. */
     verifyToken(token: string, secret: string): JwtPayload;
     /** Resolve permissions for a given app_role_id — gracefully degrades if module not loaded. */

package/dist/index.js

@@ -49,6 +49,7 @@ var import_crypto = require("crypto");
 var BCRYPT_ROUNDS = 12;
 var JWT_EXPIRES_IN = "7d";
 var JWT_EXPIRES_MS = 7 * 24 * 60 * 60 * 1e3;
+var RESET_TOKEN_EXPIRES_MS = 30 * 60 * 1e3;
 var AuthModuleService = class extends (0, import_framework_utils.MeridianService)({}) {
   container;
   constructor(container) {
@@ -140,7 +141,7 @@ var AuthModuleService = class extends (0, import_framework_utils.MeridianService
       if (existingByEmail) {
         throw Object.assign(
           new Error(
-            "An account with this email already exists. Please sign in with your password. You can link Google sign-in from your account settings afterwards."
+            "GOOGLE_NOT_LINKED: Your Google account is not connected yet. Please sign in with your email and password, then connect Google from your Profile settings to use Google sign-in."
           ),
           { status: 409 }
         );
@@ -153,6 +154,10 @@ var AuthModuleService = class extends (0, import_framework_utils.MeridianService
       if (!user.is_active) {
         throw Object.assign(new Error("Account deactivated"), { status: 403 });
       }
+      if (!user.avatar_url && input.picture) {
+        await userService.updateUser(user.id, { avatar_url: input.picture }).catch(() => {
+        });
+      }
       await userService.recordLogin(user.id).catch(() => {
       });
       const permissions2 = await this.resolvePermissions(user.app_role_id);
@@ -187,7 +192,9 @@ var AuthModuleService = class extends (0, import_framework_utils.MeridianService
       last_name: input.lastName ?? null,
       role,
       is_active: true,
+      has_password: false,
       google_id: input.googleId,
+      avatar_url: input.picture ?? null,
       ...invite?.app_role_id ? { app_role_id: invite.app_role_id } : {}
     });
     if (invite) {
@@ -236,6 +243,52 @@ var AuthModuleService = class extends (0, import_framework_utils.MeridianService
       token
     };
   }
+  /** Set (or reset) password for a user. Used after OTP verification. */
+  async setPassword(userId, newPassword) {
+    const userService = this.container.resolve("userModuleService");
+    const password_hash = await import_bcrypt.default.hash(newPassword, BCRYPT_ROUNDS);
+    await userService.updateUser(userId, { password_hash, has_password: true });
+  }
+  /**
+   * Generate a password reset token for the given email.
+   * Returns the token and user info so the caller can emit an event / send an email.
+   * Returns null (instead of throwing) when the email isn't found — prevents enumeration.
+   */
+  async requestPasswordReset(email) {
+    const userService = this.container.resolve("userModuleService");
+    const config = this.container.resolve("config");
+    const user = await userService.retrieveUserByEmail(email.toLowerCase().trim());
+    if (!user || user.deleted_at || !user.is_active) return null;
+    const resetToken = (0, import_crypto.randomBytes)(32).toString("hex");
+    const payload = { sub: user.id, purpose: "password_reset", jti: resetToken };
+    const signedToken = import_jsonwebtoken.default.sign(payload, config.projectConfig.jwtSecret, { expiresIn: "30m" });
+    return { token: signedToken, userId: user.id, email: user.email };
+  }
+  /** Validate a password reset token and set the new password. */
+  async resetPassword(token, newPassword) {
+    const config = this.container.resolve("config");
+    const userService = this.container.resolve("userModuleService");
+    let payload;
+    try {
+      payload = import_jsonwebtoken.default.verify(token, config.projectConfig.jwtSecret, { algorithms: ["HS256"] });
+    } catch (err) {
+      if (err.name === "TokenExpiredError") {
+        throw Object.assign(new Error("Reset link has expired. Please request a new one."), { status: 400 });
+      }
+      throw Object.assign(new Error("Invalid reset link"), { status: 400 });
+    }
+    if (payload.purpose !== "password_reset") {
+      throw Object.assign(new Error("Invalid reset link"), { status: 400 });
+    }
+    const user = await userService.retrieveUser(payload.sub);
+    if (!user || user.deleted_at || !user.is_active) {
+      throw Object.assign(new Error("Account not found or inactive"), { status: 400 });
+    }
+    const password_hash = await import_bcrypt.default.hash(newPassword, BCRYPT_ROUNDS);
+    await userService.updateUser(payload.sub, { password_hash });
+    await userService.revokeAllUserSessions(payload.sub).catch(() => {
+    });
+  }
   /** Verify a JWT and return its decoded payload. Throws if invalid or expired. */
   verifyToken(token, secret) {
     return import_jsonwebtoken.default.verify(token, secret, { algorithms: ["HS256"] });

package/dist/index.mjs

@@ -5,10 +5,11 @@ import { Module } from "@meridianjs/framework-utils";
 import { MeridianService } from "@meridianjs/framework-utils";
 import bcrypt from "bcrypt";
 import jwt from "jsonwebtoken";
-import { randomUUID } from "crypto";
+import { randomBytes, randomUUID } from "crypto";
 var BCRYPT_ROUNDS = 12;
 var JWT_EXPIRES_IN = "7d";
 var JWT_EXPIRES_MS = 7 * 24 * 60 * 60 * 1e3;
+var RESET_TOKEN_EXPIRES_MS = 30 * 60 * 1e3;
 var AuthModuleService = class extends MeridianService({}) {
   container;
   constructor(container) {
@@ -100,7 +101,7 @@ var AuthModuleService = class extends MeridianService({}) {
       if (existingByEmail) {
         throw Object.assign(
           new Error(
-            "An account with this email already exists. Please sign in with your password. You can link Google sign-in from your account settings afterwards."
+            "GOOGLE_NOT_LINKED: Your Google account is not connected yet. Please sign in with your email and password, then connect Google from your Profile settings to use Google sign-in."
           ),
           { status: 409 }
         );
@@ -113,6 +114,10 @@ var AuthModuleService = class extends MeridianService({}) {
       if (!user.is_active) {
         throw Object.assign(new Error("Account deactivated"), { status: 403 });
       }
+      if (!user.avatar_url && input.picture) {
+        await userService.updateUser(user.id, { avatar_url: input.picture }).catch(() => {
+        });
+      }
       await userService.recordLogin(user.id).catch(() => {
       });
       const permissions2 = await this.resolvePermissions(user.app_role_id);
@@ -147,7 +152,9 @@ var AuthModuleService = class extends MeridianService({}) {
       last_name: input.lastName ?? null,
       role,
       is_active: true,
+      has_password: false,
       google_id: input.googleId,
+      avatar_url: input.picture ?? null,
       ...invite?.app_role_id ? { app_role_id: invite.app_role_id } : {}
     });
     if (invite) {
@@ -196,6 +203,52 @@ var AuthModuleService = class extends MeridianService({}) {
       token
     };
   }
+  /** Set (or reset) password for a user. Used after OTP verification. */
+  async setPassword(userId, newPassword) {
+    const userService = this.container.resolve("userModuleService");
+    const password_hash = await bcrypt.hash(newPassword, BCRYPT_ROUNDS);
+    await userService.updateUser(userId, { password_hash, has_password: true });
+  }
+  /**
+   * Generate a password reset token for the given email.
+   * Returns the token and user info so the caller can emit an event / send an email.
+   * Returns null (instead of throwing) when the email isn't found — prevents enumeration.
+   */
+  async requestPasswordReset(email) {
+    const userService = this.container.resolve("userModuleService");
+    const config = this.container.resolve("config");
+    const user = await userService.retrieveUserByEmail(email.toLowerCase().trim());
+    if (!user || user.deleted_at || !user.is_active) return null;
+    const resetToken = randomBytes(32).toString("hex");
+    const payload = { sub: user.id, purpose: "password_reset", jti: resetToken };
+    const signedToken = jwt.sign(payload, config.projectConfig.jwtSecret, { expiresIn: "30m" });
+    return { token: signedToken, userId: user.id, email: user.email };
+  }
+  /** Validate a password reset token and set the new password. */
+  async resetPassword(token, newPassword) {
+    const config = this.container.resolve("config");
+    const userService = this.container.resolve("userModuleService");
+    let payload;
+    try {
+      payload = jwt.verify(token, config.projectConfig.jwtSecret, { algorithms: ["HS256"] });
+    } catch (err) {
+      if (err.name === "TokenExpiredError") {
+        throw Object.assign(new Error("Reset link has expired. Please request a new one."), { status: 400 });
+      }
+      throw Object.assign(new Error("Invalid reset link"), { status: 400 });
+    }
+    if (payload.purpose !== "password_reset") {
+      throw Object.assign(new Error("Invalid reset link"), { status: 400 });
+    }
+    const user = await userService.retrieveUser(payload.sub);
+    if (!user || user.deleted_at || !user.is_active) {
+      throw Object.assign(new Error("Account not found or inactive"), { status: 400 });
+    }
+    const password_hash = await bcrypt.hash(newPassword, BCRYPT_ROUNDS);
+    await userService.updateUser(payload.sub, { password_hash });
+    await userService.revokeAllUserSessions(payload.sub).catch(() => {
+    });
+  }
   /** Verify a JWT and return its decoded payload. Throws if invalid or expired. */
   verifyToken(token, secret) {
     return jwt.verify(token, secret, { algorithms: ["HS256"] });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@meridianjs/auth",
-  "version": "0.1.9",
+  "version": "0.1.10",
   "description": "Meridian auth module — JWT authentication and middleware",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",