npm - @nauth-toolkit/core - Versions diffs - 0.1.0 → 0.1.3 - Mend

@nauth-toolkit/core 0.1.0 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (184) hide show

package/LICENSE +90 -0
package/README.md +30 -0
package/package.json +7 -2
package/jest.config.js +0 -15
package/jest.setup.ts +0 -6
package/src/adapters/database-columns.ts +0 -165
package/src/adapters/express.adapter.ts +0 -385
package/src/adapters/fastify.adapter.ts +0 -416
package/src/adapters/index.ts +0 -16
package/src/adapters/storage.factory.ts +0 -143
package/src/bootstrap.ts +0 -374
package/src/dto/auth-challenge.dto.ts +0 -231
package/src/dto/auth-response.dto.ts +0 -253
package/src/dto/challenge-response.dto.ts +0 -234
package/src/dto/change-password-request.dto.ts +0 -50
package/src/dto/change-password-response.dto.ts +0 -29
package/src/dto/change-password.dto.ts +0 -57
package/src/dto/error-response.dto.ts +0 -136
package/src/dto/get-available-methods.dto.ts +0 -55
package/src/dto/get-challenge-data-response.dto.ts +0 -28
package/src/dto/get-challenge-data.dto.ts +0 -69
package/src/dto/get-client-info.dto.ts +0 -104
package/src/dto/get-device-token-response.dto.ts +0 -25
package/src/dto/get-events-by-type.dto.ts +0 -76
package/src/dto/get-ip-address-response.dto.ts +0 -24
package/src/dto/get-mfa-status.dto.ts +0 -94
package/src/dto/get-risk-assessment-history.dto.ts +0 -39
package/src/dto/get-session-id-response.dto.ts +0 -25
package/src/dto/get-setup-data-response.dto.ts +0 -31
package/src/dto/get-setup-data.dto.ts +0 -75
package/src/dto/get-suspicious-activity.dto.ts +0 -42
package/src/dto/get-user-agent-response.dto.ts +0 -23
package/src/dto/get-user-auth-history.dto.ts +0 -95
package/src/dto/get-user-by-email.dto.ts +0 -61
package/src/dto/get-user-by-id.dto.ts +0 -46
package/src/dto/get-user-devices.dto.ts +0 -53
package/src/dto/get-user-response.dto.ts +0 -17
package/src/dto/has-provider.dto.ts +0 -56
package/src/dto/index.ts +0 -57
package/src/dto/is-trusted-device-response.dto.ts +0 -34
package/src/dto/list-providers-response.dto.ts +0 -23
package/src/dto/login.dto.ts +0 -95
package/src/dto/logout-all-response.dto.ts +0 -24
package/src/dto/logout-all.dto.ts +0 -65
package/src/dto/logout-response.dto.ts +0 -25
package/src/dto/logout.dto.ts +0 -64
package/src/dto/refresh-token.dto.ts +0 -36
package/src/dto/remove-devices.dto.ts +0 -85
package/src/dto/resend-code-response.dto.ts +0 -32
package/src/dto/resend-code.dto.ts +0 -51
package/src/dto/reset-password.dto.ts +0 -115
package/src/dto/respond-challenge.dto.ts +0 -272
package/src/dto/set-mfa-exemption.dto.ts +0 -112
package/src/dto/set-must-change-password-response.dto.ts +0 -27
package/src/dto/set-must-change-password.dto.ts +0 -46
package/src/dto/set-preferred-method.dto.ts +0 -80
package/src/dto/setup-mfa.dto.ts +0 -98
package/src/dto/signup.dto.ts +0 -174
package/src/dto/social-auth.dto.ts +0 -422
package/src/dto/trust-device-response.dto.ts +0 -30
package/src/dto/trust-device.dto.ts +0 -9
package/src/dto/update-user-attributes-request.dto.ts +0 -51
package/src/dto/user-response.dto.ts +0 -138
package/src/dto/user-update.dto.ts +0 -222
package/src/dto/verify-email.dto.ts +0 -313
package/src/dto/verify-mfa-code.dto.ts +0 -103
package/src/dto/verify-phone-by-sub.dto.ts +0 -78
package/src/dto/verify-phone.dto.ts +0 -245
package/src/entities/auth-audit.entity.ts +0 -232
package/src/entities/challenge-session.entity.ts +0 -116
package/src/entities/index.ts +0 -29
package/src/entities/login-attempt.entity.ts +0 -64
package/src/entities/mfa-device.entity.ts +0 -151
package/src/entities/rate-limit.entity.ts +0 -44
package/src/entities/session.entity.ts +0 -180
package/src/entities/social-account.entity.ts +0 -96
package/src/entities/storage-lock.entity.ts +0 -39
package/src/entities/trusted-device.entity.ts +0 -112
package/src/entities/user.entity.ts +0 -243
package/src/entities/verification-token.entity.ts +0 -141
package/src/enums/auth-audit-event-type.enum.ts +0 -360
package/src/enums/error-codes.enum.ts +0 -420
package/src/enums/mfa-method.enum.ts +0 -97
package/src/enums/risk-factor.enum.ts +0 -111
package/src/exceptions/nauth.exception.ts +0 -231
package/src/handlers/auth.handler.ts +0 -260
package/src/handlers/client-info.handler.ts +0 -101
package/src/handlers/csrf.handler.ts +0 -156
package/src/handlers/token-delivery.handler.ts +0 -118
package/src/index.ts +0 -118
package/src/interfaces/client-info.interface.ts +0 -85
package/src/interfaces/config.interface.ts +0 -2135
package/src/interfaces/entities.interface.ts +0 -226
package/src/interfaces/index.ts +0 -15
package/src/interfaces/logger.interface.ts +0 -283
package/src/interfaces/mfa-provider.interface.ts +0 -154
package/src/interfaces/oauth.interface.ts +0 -148
package/src/interfaces/provider.interface.ts +0 -47
package/src/interfaces/social-auth-provider.interface.ts +0 -131
package/src/interfaces/storage-adapter.interface.ts +0 -82
package/src/interfaces/template.interface.ts +0 -510
package/src/interfaces/token-verifier.interface.ts +0 -110
package/src/internal.ts +0 -178
package/src/platform/interfaces.ts +0 -299
package/src/schemas/auth-config.schema.ts +0 -646
package/src/services/adaptive-mfa-decision.service.spec.ts +0 -1058
package/src/services/adaptive-mfa-decision.service.ts +0 -457
package/src/services/auth-audit.service.spec.ts +0 -675
package/src/services/auth-audit.service.ts +0 -558
package/src/services/auth-challenge-helper.service.spec.ts +0 -3227
package/src/services/auth-challenge-helper.service.ts +0 -825
package/src/services/auth-flow-context-builder.service.ts +0 -520
package/src/services/auth-flow-rules.ts +0 -202
package/src/services/auth-flow-state-definitions.ts +0 -190
package/src/services/auth-flow-state-machine.service.ts +0 -207
package/src/services/auth-flow-state-machine.types.ts +0 -316
package/src/services/auth.service.spec.ts +0 -4195
package/src/services/auth.service.ts +0 -3727
package/src/services/challenge.service.spec.ts +0 -1363
package/src/services/challenge.service.ts +0 -696
package/src/services/client-info.service.spec.ts +0 -572
package/src/services/client-info.service.ts +0 -374
package/src/services/csrf.service.ts +0 -54
package/src/services/email-verification.service.spec.ts +0 -1229
package/src/services/email-verification.service.ts +0 -578
package/src/services/geo-location.service.spec.ts +0 -603
package/src/services/geo-location.service.ts +0 -599
package/src/services/index.ts +0 -13
package/src/services/jwt.service.spec.ts +0 -882
package/src/services/jwt.service.ts +0 -621
package/src/services/mfa-base.service.spec.ts +0 -246
package/src/services/mfa-base.service.ts +0 -611
package/src/services/mfa.service.spec.ts +0 -693
package/src/services/mfa.service.ts +0 -960
package/src/services/password.service.spec.ts +0 -166
package/src/services/password.service.ts +0 -309
package/src/services/phone-verification.service.spec.ts +0 -1120
package/src/services/phone-verification.service.ts +0 -751
package/src/services/risk-detection.service.spec.ts +0 -1292
package/src/services/risk-detection.service.ts +0 -1012
package/src/services/risk-scoring.service.spec.ts +0 -204
package/src/services/risk-scoring.service.ts +0 -131
package/src/services/session.service.spec.ts +0 -1293
package/src/services/session.service.ts +0 -803
package/src/services/social-account.service.spec.ts +0 -725
package/src/services/social-auth-base.service.spec.ts +0 -418
package/src/services/social-auth-base.service.ts +0 -581
package/src/services/social-auth.service.spec.ts +0 -238
package/src/services/social-auth.service.ts +0 -436
package/src/services/social-provider-registry.service.spec.ts +0 -238
package/src/services/social-provider-registry.service.ts +0 -122
package/src/services/trusted-device.service.spec.ts +0 -505
package/src/services/trusted-device.service.ts +0 -339
package/src/storage/account-lockout-storage.service.spec.ts +0 -310
package/src/storage/account-lockout-storage.service.ts +0 -89
package/src/storage/index.ts +0 -3
package/src/storage/memory-storage.adapter.ts +0 -443
package/src/storage/rate-limit-storage.service.spec.ts +0 -247
package/src/storage/rate-limit-storage.service.ts +0 -38
package/src/templates/html-template.engine.spec.ts +0 -161
package/src/templates/html-template.engine.ts +0 -688
package/src/templates/index.ts +0 -7
package/src/utils/common-passwords.spec.ts +0 -230
package/src/utils/common-passwords.ts +0 -170
package/src/utils/context-storage.ts +0 -188
package/src/utils/cookie-names.util.ts +0 -67
package/src/utils/cookies.util.ts +0 -94
package/src/utils/index.ts +0 -12
package/src/utils/ip-extractor.spec.ts +0 -330
package/src/utils/ip-extractor.ts +0 -220
package/src/utils/nauth-logger.spec.ts +0 -388
package/src/utils/nauth-logger.ts +0 -215
package/src/utils/pii-redactor.spec.ts +0 -130
package/src/utils/pii-redactor.ts +0 -288
package/src/utils/setup/get-repositories.ts +0 -140
package/src/utils/setup/init-services.ts +0 -422
package/src/utils/setup/init-social.ts +0 -189
package/src/utils/setup/init-storage.ts +0 -94
package/src/utils/setup/register-mfa.ts +0 -165
package/src/utils/setup/run-nauth-migrations.ts +0 -61
package/src/utils/token-delivery-policy.ts +0 -38
package/src/validators/template.validator.ts +0 -219
package/tsconfig.json +0 -37
package/tsconfig.lint.json +0 -6

package/src/services/auth-flow-context-builder.service.ts DELETED Viewed

@@ -1,520 +0,0 @@
-import { IUser } from '../interfaces/entities.interface';
-import { NAuthConfig } from '../interfaces/config.interface';
-import { TrustedDeviceService } from './trusted-device.service';
-import { AdaptiveMFADecisionService } from './adaptive-mfa-decision.service';
-import { ClientInfoService } from './client-info.service';
-import { NAuthLogger } from '../utils/nauth-logger';
-import { AuthFlowContext } from './auth-flow-state-machine.types';
-/**
- * Authentication Flow Context Builder
- *
- * Pre-computes all derived values needed for state machine rule evaluation.
- * This optimization ensures values are calculated once at the beginning of the flow,
- * rather than repeatedly during rule evaluation.
- *
- * @example
- * ```typescript
- * const context = await contextBuilder.build({
- *   user,
- *   config,
- *   authMethod: 'password',
- *   deviceToken: 'abc123'
- * });
- * ```
- */
-export class AuthFlowContextBuilder {
-  constructor(
-    private readonly trustedDeviceService?: TrustedDeviceService,
-    private readonly adaptiveMFADecisionService?: AdaptiveMFADecisionService,
-    _clientInfoService?: ClientInfoService, // Reserved for future use (not stored as property)
-    private readonly logger?: NAuthLogger,
-  ) {}
-  /**
-   * Build authentication flow context with pre-computed values
-   *
-   * @param params - Context parameters
-   * @param params.user - User attempting authentication
-   * @param params.config - Authentication configuration
-   * @param params.authMethod - Authentication method ('password' or 'social')
-   * @param params.authProvider - Social auth provider name (e.g., 'google', 'apple')
-   * @param params.deviceToken - Device token for trusted device check
-   * @param params.skipMFAVerification - Skip MFA verification flag
-   * @returns Authentication flow context with computed values
-   *
-   * @example
-   * ```typescript
-   * const context = await contextBuilder.build({
-   *   user,
-   *   config,
-   *   authMethod: 'password',
-   *   deviceToken: 'abc123'
-   * });
-   * ```
-   */
-  async build(params: {
-    user: IUser;
-    config: NAuthConfig;
-    authMethod?: 'password' | 'social';
-    authProvider?: string;
-    deviceToken?: string;
-    skipMFAVerification?: boolean;
-  }): Promise<AuthFlowContext> {
-    const { user, config, authMethod, authProvider, deviceToken, skipMFAVerification } = params;
-    this.logger?.debug?.(
-      `[ContextBuilder] Building context for user ${user.sub} (authMethod=${authMethod || 'password'}, mfaEnabled=${user.mfaEnabled}, mfaExempt=${user.mfaExempt || false})`,
-    );
-    // ============================================================================
-    // Pre-compute all derived values
-    // ============================================================================
-    const isEmailVerificationRequired = this.isEmailVerificationRequired(user, config, authMethod);
-    const isPhoneVerificationRequired = this.isPhoneVerificationRequired(user, config, authMethod);
-    const isPhoneCollectionNeeded = this.isPhoneCollectionNeeded(user, config, authMethod);
-    const isMFAExempt = this.checkMFAExempt(user);
-    const isMFASetupRequired = this.isMFASetupRequired(user, config, authMethod);
-    const isDeviceTrusted = await this.checkDeviceTrust(user, deviceToken, config);
-    const gracePeriodData = this.calculateGracePeriod(user, config);
-    const blockData = await this.checkBlocked(user);
-    const mfaVerificationData = await this.checkMFAVerification(
-      user,
-      config,
-      authMethod,
-      deviceToken,
-      isDeviceTrusted,
-      skipMFAVerification,
-    );
-    // Merge block status from existing storage and adaptive MFA decision
-    const isBlocked = blockData.blocked || (mfaVerificationData.isBlocked ?? false);
-    const blockedUntil = blockData.until; // From existing block
-    const blockReason = blockData.reason || (mfaVerificationData.isBlocked ? 'Sign in blocked due to suspicious activity' : undefined);
-    const computed = {
-      isEmailVerificationRequired,
-      isPhoneVerificationRequired,
-      isPhoneCollectionNeeded,
-      isMFAExempt,
-      isMFASetupRequired,
-      isMFAVerificationRequired: mfaVerificationData.required,
-      isDeviceTrusted,
-      isGracePeriodActive: gracePeriodData.isActive,
-      gracePeriodEndsAt: gracePeriodData.endsAt,
-      isBlocked,
-      blockedUntil,
-      blockReason,
-      riskScore: mfaVerificationData.riskScore,
-      riskLevel: mfaVerificationData.riskLevel,
-    };
-    this.logger?.debug?.(
-      `[ContextBuilder] Computed values: emailReq=${computed.isEmailVerificationRequired}, phoneReq=${computed.isPhoneVerificationRequired}, phoneCollect=${computed.isPhoneCollectionNeeded}, mfaExempt=${computed.isMFAExempt}, mfaSetupReq=${computed.isMFASetupRequired}, mfaVerifyReq=${computed.isMFAVerificationRequired}, trusted=${computed.isDeviceTrusted}, gracePeriod=${computed.isGracePeriodActive}, blocked=${computed.isBlocked}`,
-    );
-    return {
-      user,
-      config,
-      authMethod,
-      authProvider,
-      deviceToken,
-      skipMFAVerification,
-      computed,
-    };
-  }
-  /**
-   * Check if email verification is required
-   *
-   * @param user - User to check
-   * @param config - Auth configuration
-   * @param authMethod - Authentication method
-   * @returns True if email verification is required
-   */
-  private isEmailVerificationRequired(user: IUser, config: NAuthConfig, authMethod?: 'password' | 'social'): boolean {
-    const verificationMethod = config.signup?.verificationMethod || 'email';
-    // Email verification not required if verification is disabled
-    if (verificationMethod === 'none' || verificationMethod === 'phone') {
-      return false;
-    }
-    // Social auth users have email pre-verified by OAuth provider
-    if (authMethod === 'social') {
-      return false;
-    }
-    // Check if email is already verified
-    if (user.isEmailVerified) {
-      return false;
-    }
-    // Email verification required for 'email' or 'both' methods
-    return verificationMethod === 'email' || verificationMethod === 'both';
-  }
-  /**
-   * Check if phone verification is required
-   *
-   * @param user - User to check
-   * @param config - Auth configuration
-   * @param authMethod - Authentication method
-   * @returns True if phone verification is required
-   */
-  private isPhoneVerificationRequired(user: IUser, config: NAuthConfig, _authMethod?: 'password' | 'social'): boolean {
-    const verificationMethod = config.signup?.verificationMethod || 'email';
-    // Phone verification not required if verification is disabled or email-only
-    if (verificationMethod === 'none' || verificationMethod === 'email') {
-      return false;
-    }
-    // Phone verification required for 'phone' or 'both' methods
-    // But only if user has a phone number
-    if (verificationMethod === 'phone' || verificationMethod === 'both') {
-      // If user has no phone, phone collection is needed first (handled separately)
-      if (!user.phone) {
-        return false; // Phone collection needed, not verification
-      }
-      // Check if phone is already verified
-      return !user.isPhoneVerified;
-    }
-    return false;
-  }
-  /**
-   * Check if phone collection is needed
-   *
-   * Phone collection is the step where we ask users to provide their phone number.
-   * This should NOT be triggered if:
-   * - User already has a verified phone (e.g., from prior signup or account linking)
-   * - Phone verification is not required by config
-   *
-   * **Bug Fix (2025-12-08):**
-   * Previously didn't check `isPhoneVerified`, causing social login users with
-   * verified phones to be asked for phone collection again after account linking.
-   *
-   * @param user - User to check
-   * @param config - Auth configuration
-   * @param _authMethod - Authentication method (unused, kept for API consistency)
-   * @returns True if phone collection is needed
-   */
-  private isPhoneCollectionNeeded(user: IUser, config: NAuthConfig, _authMethod?: 'password' | 'social'): boolean {
-    const verificationMethod = config.signup?.verificationMethod || 'email';
-    // Phone collection not needed if verification is disabled or email-only
-    if (verificationMethod === 'none' || verificationMethod === 'email') {
-      return false;
-    }
-    // ============================================================================
-    // Skip phone collection if phone is already verified
-    // ============================================================================
-    // This handles cases like:
-    // - User signs up with password + phone verification, then later links social account
-    // - Account linking where existing account has verified phone
-    // - Any scenario where phone is already verified (we trust it)
-    if (user.isPhoneVerified) {
-      return false;
-    }
-    // Phone collection needed for 'phone' or 'both' methods if user has no phone
-    if ((verificationMethod === 'phone' || verificationMethod === 'both') && !user.phone) {
-      return true;
-    }
-    return false;
-  }
-  /**
-   * Check if user is exempt from MFA
-   *
-   * @param user - User to check
-   * @returns True if user is exempt from MFA
-   */
-  private checkMFAExempt(user: IUser): boolean {
-    const mfaExempt = user.mfaExempt;
-    // Handle different database representations (boolean true, MySQL tinyint 1, etc.)
-    return mfaExempt === true || (mfaExempt as unknown) === 1;
-  }
-  /**
-   * Check if MFA setup is required
-   *
-   * @param user - User to check
-   * @param config - Auth configuration
-   * @param authMethod - Authentication method
-   * @returns True if MFA setup is required
-   */
-  private isMFASetupRequired(user: IUser, config: NAuthConfig, authMethod?: 'password' | 'social'): boolean {
-    // Check exemption first
-    if (this.checkMFAExempt(user)) {
-      return false;
-    }
-    // MFA not enabled in config
-    if (!config.mfa?.enabled) {
-      return false;
-    }
-    // User already has MFA enabled
-    if (user.mfaEnabled) {
-      return false;
-    }
-    // Social login exemption
-    if (authMethod === 'social' && config.mfa.requireForSocialLogin === false) {
-      return false;
-    }
-    // Check enforcement policy
-    const enforcement = config.mfa.enforcement || 'OPTIONAL';
-    if (enforcement === 'OPTIONAL') {
-      return false;
-    }
-    // REQUIRED or ADAPTIVE: Check grace period
-    const gracePeriod = config.mfa.gracePeriod ?? 7;
-    const gracePeriodData = this.calculateGracePeriod(user, config);
-    // If grace period is 0, MFA setup is required immediately
-    if (gracePeriod === 0) {
-      return true;
-    }
-    // If grace period is active, MFA setup is optional
-    if (gracePeriodData.isActive) {
-      return false;
-    }
-    // Grace period expired - MFA setup required
-    return true;
-  }
-  /**
-   * Check if device is trusted
-   *
-   * @param user - User to check
-   * @param deviceToken - Device token
-   * @param config - Auth configuration
-   * @returns True if device is trusted
-   */
-  private async checkDeviceTrust(user: IUser, deviceToken?: string, config?: NAuthConfig): Promise<boolean> {
-    if (
-      !deviceToken ||
-      !config?.mfa?.rememberDevices ||
-      config.mfa.rememberDevices === 'never' ||
-      !this.trustedDeviceService
-    ) {
-      return false;
-    }
-    try {
-      const validation = await this.trustedDeviceService.validateDeviceToken(deviceToken, user.id);
-      return validation.isValid;
-    } catch (error) {
-      const errorMessage = error instanceof Error ? error.message : 'Unknown error';
-      this.logger?.warn?.(`Failed to check device trust: ${errorMessage}`, { error, userId: user.id });
-      return false;
-    }
-  }
-  /**
-   * Calculate grace period status
-   *
-   * @param user - User to check
-   * @param config - Auth configuration
-   * @returns Grace period status
-   */
-  private calculateGracePeriod(user: IUser, config: NAuthConfig): { isActive: boolean; endsAt?: Date } {
-    const gracePeriod = config.mfa?.gracePeriod ?? 7;
-    // No grace period
-    if (gracePeriod === 0) {
-      return { isActive: false };
-    }
-    // Access createdAt from user interface
-    const userWithDates = user as IUser & { createdAt: Date };
-    const createdAt = userWithDates.createdAt;
-    if (!createdAt) {
-      // No creation date - grace period not active
-      return { isActive: false };
-    }
-    const gracePeriodEnd = new Date(createdAt);
-    gracePeriodEnd.setDate(gracePeriodEnd.getDate() + gracePeriod);
-    const now = new Date();
-    const isActive = now < gracePeriodEnd;
-    return {
-      isActive,
-      endsAt: isActive ? gracePeriodEnd : undefined,
-    };
-  }
-  /**
-   * Check if user is blocked
-   *
-   * @param user - User to check
-   * @returns Block status
-   */
-  private async checkBlocked(user: IUser): Promise<{ blocked: boolean; until?: Date; reason?: string }> {
-    if (!this.adaptiveMFADecisionService) {
-      return { blocked: false };
-    }
-    try {
-      const blockStatus = await this.adaptiveMFADecisionService.isUserBlocked(user.id);
-      return {
-        blocked: blockStatus.blocked,
-        until: blockStatus.expiresAt,
-        reason: blockStatus.message,
-      };
-    } catch (error) {
-      const errorMessage = error instanceof Error ? error.message : 'Unknown error';
-      this.logger?.warn?.(`Failed to check user block status: ${errorMessage}`, { error, userId: user.id });
-      return { blocked: false };
-    }
-  }
-  /**
-   * Check if MFA verification is required
-   *
-   * @param user - User to check
-   * @param config - Auth configuration
-   * @param authMethod - Authentication method
-   * @param deviceToken - Device token
-   * @param isDeviceTrusted - Whether device is trusted
-   * @param skipMFAVerification - Skip MFA verification flag
-   * @returns MFA verification requirement and risk data
-   */
-  private async checkMFAVerification(
-    user: IUser,
-    config: NAuthConfig,
-    authMethod?: 'password' | 'social',
-    _deviceToken?: string, // Reserved for future use
-    isDeviceTrusted?: boolean,
-    skipMFAVerification?: boolean,
-  ): Promise<{ required: boolean; riskScore?: number; riskLevel?: 'low' | 'medium' | 'high'; isBlocked?: boolean }> {
-    // Skip if flag is set
-    if (skipMFAVerification) {
-      return { required: false };
-    }
-    // Check exemption first
-    if (this.checkMFAExempt(user)) {
-      return { required: false };
-    }
-    // MFA not enabled in config
-    if (!config.mfa?.enabled) {
-      return { required: false };
-    }
-    // User doesn't have MFA enabled
-    if (!user.mfaEnabled) {
-      return { required: false };
-    }
-    // Social login exemption
-    if (authMethod === 'social' && config.mfa.requireForSocialLogin === false) {
-      return { required: false };
-    }
-    // Check enforcement policy
-    const enforcement = config.mfa.enforcement || 'OPTIONAL';
-    // ============================================================================
-    // OPTIONAL Enforcement: Setup is optional, but if user has MFA enabled,
-    // it must be used (unless trusted device bypass applies)
-    // ============================================================================
-    if (enforcement === 'OPTIONAL') {
-      // OPTIONAL means setup is optional, but once enabled, MFA is required
-      // Check if trusted device bypass applies
-      if (
-        isDeviceTrusted &&
-        config.mfa.rememberDevices &&
-        config.mfa.rememberDevices !== 'never' &&
-        config.mfa.bypassMFAForTrustedDevices === true
-      ) {
-        return { required: false };
-      }
-      // User has MFA enabled - require it
-      return { required: true };
-    }
-    // Trusted device bypass (for REQUIRED enforcement, not ADAPTIVE)
-    if (
-      enforcement === 'REQUIRED' &&
-      isDeviceTrusted &&
-      config.mfa.rememberDevices &&
-      config.mfa.rememberDevices !== 'never' &&
-      config.mfa.bypassMFAForTrustedDevices === true
-    ) {
-      return { required: false };
-    }
-    // ADAPTIVE enforcement
-    if (enforcement === 'ADAPTIVE') {
-      if (!this.adaptiveMFADecisionService) {
-        // Service not available - fall back to REQUIRED behavior
-        this.logger?.warn?.(
-          `ADAPTIVE enforcement enabled but AdaptiveMFADecisionService not available - falling back to REQUIRED behavior for user ${user.sub}`,
-        );
-        return { required: true };
-      }
-      // Always evaluate adaptive MFA for complete risk assessment (trusted or untrusted)
-      try {
-        const decision = await this.adaptiveMFADecisionService.evaluateAdaptiveMFA(user, authMethod || 'password');
-        // Handle block_signin action - block user and store in storage
-        if (decision.action === 'block_signin') {
-          if (decision.payload) {
-            await this.adaptiveMFADecisionService.blockUserSignIn(user, decision.payload);
-          }
-          // Mark as blocked so state machine will transition to BLOCKED state
-          return {
-            required: false, // Not relevant - will be blocked
-            riskScore: decision.riskScore,
-            riskLevel: decision.riskLevel,
-            isBlocked: true,
-          };
-        }
-        // For untrusted devices, always require MFA regardless of risk score
-        // (new devices are inherently riskier and should verify)
-        if (!isDeviceTrusted) {
-          return {
-            required: true,
-            riskScore: decision.riskScore,
-            riskLevel: decision.riskLevel,
-          };
-        }
-        // For trusted devices, use risk-based decision
-        return {
-          required: decision.action === 'require_mfa',
-          riskScore: decision.riskScore,
-          riskLevel: decision.riskLevel,
-        };
-      } catch (error) {
-        const errorMessage = error instanceof Error ? error.message : 'Unknown error';
-        this.logger?.warn?.(`Failed to evaluate adaptive MFA: ${errorMessage}`, { error, userId: user.id });
-        // Fall back to requiring MFA on error (safer)
-        return { required: true };
-      }
-    }
-    // REQUIRED enforcement
-    return { required: true };
-  }
-}