npm - @nauth-toolkit/core - Versions diffs - 0.1.0 → 0.1.3 - Mend

@nauth-toolkit/core 0.1.0 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (184) hide show

package/LICENSE +90 -0
package/README.md +30 -0
package/package.json +7 -2
package/jest.config.js +0 -15
package/jest.setup.ts +0 -6
package/src/adapters/database-columns.ts +0 -165
package/src/adapters/express.adapter.ts +0 -385
package/src/adapters/fastify.adapter.ts +0 -416
package/src/adapters/index.ts +0 -16
package/src/adapters/storage.factory.ts +0 -143
package/src/bootstrap.ts +0 -374
package/src/dto/auth-challenge.dto.ts +0 -231
package/src/dto/auth-response.dto.ts +0 -253
package/src/dto/challenge-response.dto.ts +0 -234
package/src/dto/change-password-request.dto.ts +0 -50
package/src/dto/change-password-response.dto.ts +0 -29
package/src/dto/change-password.dto.ts +0 -57
package/src/dto/error-response.dto.ts +0 -136
package/src/dto/get-available-methods.dto.ts +0 -55
package/src/dto/get-challenge-data-response.dto.ts +0 -28
package/src/dto/get-challenge-data.dto.ts +0 -69
package/src/dto/get-client-info.dto.ts +0 -104
package/src/dto/get-device-token-response.dto.ts +0 -25
package/src/dto/get-events-by-type.dto.ts +0 -76
package/src/dto/get-ip-address-response.dto.ts +0 -24
package/src/dto/get-mfa-status.dto.ts +0 -94
package/src/dto/get-risk-assessment-history.dto.ts +0 -39
package/src/dto/get-session-id-response.dto.ts +0 -25
package/src/dto/get-setup-data-response.dto.ts +0 -31
package/src/dto/get-setup-data.dto.ts +0 -75
package/src/dto/get-suspicious-activity.dto.ts +0 -42
package/src/dto/get-user-agent-response.dto.ts +0 -23
package/src/dto/get-user-auth-history.dto.ts +0 -95
package/src/dto/get-user-by-email.dto.ts +0 -61
package/src/dto/get-user-by-id.dto.ts +0 -46
package/src/dto/get-user-devices.dto.ts +0 -53
package/src/dto/get-user-response.dto.ts +0 -17
package/src/dto/has-provider.dto.ts +0 -56
package/src/dto/index.ts +0 -57
package/src/dto/is-trusted-device-response.dto.ts +0 -34
package/src/dto/list-providers-response.dto.ts +0 -23
package/src/dto/login.dto.ts +0 -95
package/src/dto/logout-all-response.dto.ts +0 -24
package/src/dto/logout-all.dto.ts +0 -65
package/src/dto/logout-response.dto.ts +0 -25
package/src/dto/logout.dto.ts +0 -64
package/src/dto/refresh-token.dto.ts +0 -36
package/src/dto/remove-devices.dto.ts +0 -85
package/src/dto/resend-code-response.dto.ts +0 -32
package/src/dto/resend-code.dto.ts +0 -51
package/src/dto/reset-password.dto.ts +0 -115
package/src/dto/respond-challenge.dto.ts +0 -272
package/src/dto/set-mfa-exemption.dto.ts +0 -112
package/src/dto/set-must-change-password-response.dto.ts +0 -27
package/src/dto/set-must-change-password.dto.ts +0 -46
package/src/dto/set-preferred-method.dto.ts +0 -80
package/src/dto/setup-mfa.dto.ts +0 -98
package/src/dto/signup.dto.ts +0 -174
package/src/dto/social-auth.dto.ts +0 -422
package/src/dto/trust-device-response.dto.ts +0 -30
package/src/dto/trust-device.dto.ts +0 -9
package/src/dto/update-user-attributes-request.dto.ts +0 -51
package/src/dto/user-response.dto.ts +0 -138
package/src/dto/user-update.dto.ts +0 -222
package/src/dto/verify-email.dto.ts +0 -313
package/src/dto/verify-mfa-code.dto.ts +0 -103
package/src/dto/verify-phone-by-sub.dto.ts +0 -78
package/src/dto/verify-phone.dto.ts +0 -245
package/src/entities/auth-audit.entity.ts +0 -232
package/src/entities/challenge-session.entity.ts +0 -116
package/src/entities/index.ts +0 -29
package/src/entities/login-attempt.entity.ts +0 -64
package/src/entities/mfa-device.entity.ts +0 -151
package/src/entities/rate-limit.entity.ts +0 -44
package/src/entities/session.entity.ts +0 -180
package/src/entities/social-account.entity.ts +0 -96
package/src/entities/storage-lock.entity.ts +0 -39
package/src/entities/trusted-device.entity.ts +0 -112
package/src/entities/user.entity.ts +0 -243
package/src/entities/verification-token.entity.ts +0 -141
package/src/enums/auth-audit-event-type.enum.ts +0 -360
package/src/enums/error-codes.enum.ts +0 -420
package/src/enums/mfa-method.enum.ts +0 -97
package/src/enums/risk-factor.enum.ts +0 -111
package/src/exceptions/nauth.exception.ts +0 -231
package/src/handlers/auth.handler.ts +0 -260
package/src/handlers/client-info.handler.ts +0 -101
package/src/handlers/csrf.handler.ts +0 -156
package/src/handlers/token-delivery.handler.ts +0 -118
package/src/index.ts +0 -118
package/src/interfaces/client-info.interface.ts +0 -85
package/src/interfaces/config.interface.ts +0 -2135
package/src/interfaces/entities.interface.ts +0 -226
package/src/interfaces/index.ts +0 -15
package/src/interfaces/logger.interface.ts +0 -283
package/src/interfaces/mfa-provider.interface.ts +0 -154
package/src/interfaces/oauth.interface.ts +0 -148
package/src/interfaces/provider.interface.ts +0 -47
package/src/interfaces/social-auth-provider.interface.ts +0 -131
package/src/interfaces/storage-adapter.interface.ts +0 -82
package/src/interfaces/template.interface.ts +0 -510
package/src/interfaces/token-verifier.interface.ts +0 -110
package/src/internal.ts +0 -178
package/src/platform/interfaces.ts +0 -299
package/src/schemas/auth-config.schema.ts +0 -646
package/src/services/adaptive-mfa-decision.service.spec.ts +0 -1058
package/src/services/adaptive-mfa-decision.service.ts +0 -457
package/src/services/auth-audit.service.spec.ts +0 -675
package/src/services/auth-audit.service.ts +0 -558
package/src/services/auth-challenge-helper.service.spec.ts +0 -3227
package/src/services/auth-challenge-helper.service.ts +0 -825
package/src/services/auth-flow-context-builder.service.ts +0 -520
package/src/services/auth-flow-rules.ts +0 -202
package/src/services/auth-flow-state-definitions.ts +0 -190
package/src/services/auth-flow-state-machine.service.ts +0 -207
package/src/services/auth-flow-state-machine.types.ts +0 -316
package/src/services/auth.service.spec.ts +0 -4195
package/src/services/auth.service.ts +0 -3727
package/src/services/challenge.service.spec.ts +0 -1363
package/src/services/challenge.service.ts +0 -696
package/src/services/client-info.service.spec.ts +0 -572
package/src/services/client-info.service.ts +0 -374
package/src/services/csrf.service.ts +0 -54
package/src/services/email-verification.service.spec.ts +0 -1229
package/src/services/email-verification.service.ts +0 -578
package/src/services/geo-location.service.spec.ts +0 -603
package/src/services/geo-location.service.ts +0 -599
package/src/services/index.ts +0 -13
package/src/services/jwt.service.spec.ts +0 -882
package/src/services/jwt.service.ts +0 -621
package/src/services/mfa-base.service.spec.ts +0 -246
package/src/services/mfa-base.service.ts +0 -611
package/src/services/mfa.service.spec.ts +0 -693
package/src/services/mfa.service.ts +0 -960
package/src/services/password.service.spec.ts +0 -166
package/src/services/password.service.ts +0 -309
package/src/services/phone-verification.service.spec.ts +0 -1120
package/src/services/phone-verification.service.ts +0 -751
package/src/services/risk-detection.service.spec.ts +0 -1292
package/src/services/risk-detection.service.ts +0 -1012
package/src/services/risk-scoring.service.spec.ts +0 -204
package/src/services/risk-scoring.service.ts +0 -131
package/src/services/session.service.spec.ts +0 -1293
package/src/services/session.service.ts +0 -803
package/src/services/social-account.service.spec.ts +0 -725
package/src/services/social-auth-base.service.spec.ts +0 -418
package/src/services/social-auth-base.service.ts +0 -581
package/src/services/social-auth.service.spec.ts +0 -238
package/src/services/social-auth.service.ts +0 -436
package/src/services/social-provider-registry.service.spec.ts +0 -238
package/src/services/social-provider-registry.service.ts +0 -122
package/src/services/trusted-device.service.spec.ts +0 -505
package/src/services/trusted-device.service.ts +0 -339
package/src/storage/account-lockout-storage.service.spec.ts +0 -310
package/src/storage/account-lockout-storage.service.ts +0 -89
package/src/storage/index.ts +0 -3
package/src/storage/memory-storage.adapter.ts +0 -443
package/src/storage/rate-limit-storage.service.spec.ts +0 -247
package/src/storage/rate-limit-storage.service.ts +0 -38
package/src/templates/html-template.engine.spec.ts +0 -161
package/src/templates/html-template.engine.ts +0 -688
package/src/templates/index.ts +0 -7
package/src/utils/common-passwords.spec.ts +0 -230
package/src/utils/common-passwords.ts +0 -170
package/src/utils/context-storage.ts +0 -188
package/src/utils/cookie-names.util.ts +0 -67
package/src/utils/cookies.util.ts +0 -94
package/src/utils/index.ts +0 -12
package/src/utils/ip-extractor.spec.ts +0 -330
package/src/utils/ip-extractor.ts +0 -220
package/src/utils/nauth-logger.spec.ts +0 -388
package/src/utils/nauth-logger.ts +0 -215
package/src/utils/pii-redactor.spec.ts +0 -130
package/src/utils/pii-redactor.ts +0 -288
package/src/utils/setup/get-repositories.ts +0 -140
package/src/utils/setup/init-services.ts +0 -422
package/src/utils/setup/init-social.ts +0 -189
package/src/utils/setup/init-storage.ts +0 -94
package/src/utils/setup/register-mfa.ts +0 -165
package/src/utils/setup/run-nauth-migrations.ts +0 -61
package/src/utils/token-delivery-policy.ts +0 -38
package/src/validators/template.validator.ts +0 -219
package/tsconfig.json +0 -37
package/tsconfig.lint.json +0 -6

package/src/bootstrap.ts DELETED Viewed

@@ -1,374 +0,0 @@
-/**
- * NAuth Bootstrap
- *
- * Entry point for initializing NAuth with platform adapters.
- *
- * **Usage:**
- * ```typescript
- * import { NAuth, ExpressAdapter } from '@nauth-toolkit/core';
- *
- * const nauth = await NAuth.create({
- *   config: authConfig,
- *   dataSource: dataSource,
- *   adapter: new ExpressAdapter(),
- * });
- *
- * // Mount middleware
- * app.use(nauth.middleware.clientInfo);
- * app.use(nauth.middleware.csrf);
- * app.use(nauth.middleware.auth);
- * app.use(nauth.middleware.tokenDelivery);
- *
- * // Protected routes
- * app.get('/profile', nauth.helpers.requireAuth(), (req, res) => {
- *   const user = nauth.helpers.getCurrentUser();
- *   res.json({ user });
- * });
- * ```
- */
-import { DataSource } from 'typeorm';
-import { NAuthConfig } from './interfaces/config.interface';
-import { NAuthLogger } from './utils/nauth-logger';
-import { NAuthException } from './exceptions/nauth.exception';
-import { AuthErrorCode } from './enums/error-codes.enum';
-import { NAuthAdapter, NAuthRequest, NAuthResponse } from './platform/interfaces';
-import { ExpressAdapter } from './adapters/express.adapter';
-import { ContextStorage } from './utils/context-storage';
-// Handlers
-import { ClientInfoHandler } from './handlers/client-info.handler';
-import { AuthHandler } from './handlers/auth.handler';
-import { TokenDeliveryHandler } from './handlers/token-delivery.handler';
-import { CsrfHandler } from './handlers/csrf.handler';
-import { CsrfService } from './services/csrf.service';
-// Setup Helpers
-import { getRepositories } from './utils/setup/get-repositories';
-import { initStorage } from './utils/setup/init-storage';
-import { initServices, NAuthServices } from './utils/setup/init-services';
-import { registerMFAProviders } from './utils/setup/register-mfa';
-import { initSocialAuth, NAuthSocialProviders } from './utils/setup/init-social';
-import { runNAuthMigrationsOnStartup } from './utils/setup/run-nauth-migrations';
-import { AuthFlowContextBuilder, AuthFlowStateMachineService } from './internal';
-import { ClientInfo } from './interfaces/client-info.interface';
-import { IUser } from './interfaces/entities.interface';
-// ============================================================================
-// Types
-// ============================================================================
-/**
- * Options for NAuth initialization
- */
-export interface NAuthOptions {
-  /** NAuth configuration */
-  config: NAuthConfig;
-  /** TypeORM DataSource */
-  dataSource: DataSource;
-  /**
-   * Platform adapter (Express, Fastify, etc.)
-   * @default ExpressAdapter
-   */
-  adapter?: NAuthAdapter;
-}
-/**
- * NAuth instance returned by NAuth.create()
- *
- * Contains services, middleware, and helpers for authentication.
- *
- * @typeParam TMiddleware - Type for middleware (framework-specific)
- * @typeParam THelper - Type for route helpers (framework-specific)
- */
-export interface NAuthInstance<TMiddleware = unknown, THelper = unknown>
-  extends Omit<NAuthServices, 'challengeService' | 'authChallengeHelperService'>, NAuthSocialProviders {
-  /** Framework-specific middleware/hooks */
-  middleware: {
-    /** Client info extraction (MUST BE FIRST) */
-    clientInfo: TMiddleware;
-    /** JWT authentication */
-    auth: TMiddleware;
-    /** CSRF protection */
-    csrf: TMiddleware;
-    /** Token delivery (response interceptor) */
-    tokenDelivery: TMiddleware;
-  };
-  /** Route helpers */
-  helpers: {
-    /** Mark route as public (bypasses CSRF) */
-    public: () => THelper;
-    /** Require authentication (with optional CSRF bypass) */
-    requireAuth: (options?: { csrf?: boolean }) => THelper;
-    /** Optional authentication marker */
-    optionalAuth: () => THelper;
-    /** Override token delivery mode */
-    tokenDelivery: (mode: 'json' | 'cookies') => THelper;
-    /** Get current authenticated user */
-    getCurrentUser: () => IUser | undefined;
-    /** Get current session ID */
-    getCurrentSession: () => string | number | undefined;
-    /** Get client info */
-    getClientInfo: () => ClientInfo | undefined;
-  };
-  /** The adapter being used */
-  adapter: NAuthAdapter;
-  /** Configuration */
-  config: NAuthConfig;
-  /** Logger instance */
-  logger: NAuthLogger;
-  /** CSRF service (if enabled) */
-  csrfService?: CsrfService;
-}
-// ============================================================================
-// NAuth Bootstrap Class
-// ============================================================================
-/**
- * NAuth Bootstrap
- *
- * Main entry point for initializing NAuth.
- */
-export class NAuth {
-  /**
-   * Create NAuth instance
-   *
-   * @param options - Configuration options
-   * @returns Initialized NAuth instance
-   *
-   * @example
-   * ```typescript
-   * const nauth = await NAuth.create({
-   *   config: authConfig,
-   *   dataSource: dataSource,
-   *   adapter: new ExpressAdapter(),
-   * });
-   * ```
-   */
-  static async create(options: NAuthOptions): Promise<NAuthInstance> {
-    const { config, dataSource } = options;
-    const adapter = options.adapter || new ExpressAdapter();
-    const logger = new NAuthLogger(config.logger);
-    logger.log(`Initializing NAuth with ${adapter.name}...`);
-    // ========================================================================
-    // 0. Run database migrations (adapter-owned, auto-run, no consumer burden)
-    // ========================================================================
-    await runNAuthMigrationsOnStartup(config, dataSource, logger);
-    // ========================================================================
-    // 1. Initialize Repositories & Storage
-    // ========================================================================
-    const repos = getRepositories(dataSource);
-    const storage = await initStorage(config, repos.rateLimitRepository, repos.storageLockRepository, logger);
-    // ========================================================================
-    // 2. Initialize Services
-    // ========================================================================
-    const emailProvider = config.emailProvider;
-    const smsProvider = config.smsProvider;
-    const services: NAuthServices = initServices(config, repos, storage, logger, emailProvider, smsProvider);
-    // ========================================================================
-    // 3. Initialize Auth Flow State Machine
-    // ========================================================================
-    const contextBuilder = new AuthFlowContextBuilder(
-      services.trustedDeviceService,
-      services.adaptiveMFADecisionService,
-      services.clientInfoService,
-      logger,
-    );
-    const stateMachine = new AuthFlowStateMachineService(contextBuilder, logger);
-    if (services.authChallengeHelperService) {
-      (services.authChallengeHelperService as unknown as Record<string, unknown>).stateMachine = stateMachine;
-      (services.authChallengeHelperService as unknown as Record<string, unknown>).contextBuilder = contextBuilder;
-    } else {
-      throw new NAuthException(AuthErrorCode.INTERNAL_ERROR, 'AuthChallengeHelperService not initialized.');
-    }
-    // ========================================================================
-    // 4. Register MFA & Social Providers
-    // ========================================================================
-    const socialAuthStateStore = new Map<string, { timestamp: number; provider: string }>();
-    if (config.mfa?.enabled && services.mfaService) {
-      await registerMFAProviders(
-        config,
-        services.mfaService,
-        repos.mfaDeviceRepository!,
-        repos.userRepository,
-        logger,
-        services.passwordService,
-        services.emailVerificationService,
-        services.phoneVerificationService,
-        services.challengeService,
-        services.auditService,
-        services.clientInfoService,
-      );
-    }
-    const socialProviders: NAuthSocialProviders = await initSocialAuth(
-      config,
-      services.socialProviderRegistry,
-      services.authService,
-      services.socialAuthService,
-      services.jwtService,
-      services.sessionService,
-      services.authChallengeHelperService,
-      services.clientInfoService,
-      logger,
-      socialAuthStateStore,
-      repos.userRepository,
-      services.phoneVerificationService,
-      services.auditService,
-      services.trustedDeviceService,
-    );
-    // ========================================================================
-    // 5. Create Handlers
-    // ========================================================================
-    const clientInfoHandler = new ClientInfoHandler(services.clientInfoService, services.geoLocationService, logger);
-    const authHandler = new AuthHandler(
-      services.jwtService,
-      services.sessionService,
-      repos.userRepository,
-      config,
-      logger,
-    );
-    const tokenDeliveryHandler = new TokenDeliveryHandler(config, logger);
-    // CSRF service (only for cookies/hybrid delivery)
-    const csrfService =
-      config.tokenDelivery?.method === 'cookies' || config.tokenDelivery?.method === 'hybrid'
-        ? new CsrfService(config)
-        : undefined;
-    const csrfHandler = csrfService ? new CsrfHandler(csrfService, config, logger) : null;
-    // ========================================================================
-    // 6. Register Middleware with Adapter
-    // ========================================================================
-    const middleware = {
-      // ClientInfo MUST be first - initializes context
-      clientInfo: adapter.registerMiddleware('clientInfo', clientInfoHandler.handle.bind(clientInfoHandler), {
-        initializesContext: true,
-      }),
-      // Auth handler
-      auth: adapter.registerMiddleware('auth', authHandler.handle.bind(authHandler)),
-      // CSRF handler (no-op if disabled)
-      csrf: csrfHandler
-        ? adapter.registerMiddleware('csrf', csrfHandler.handle.bind(csrfHandler))
-        : adapter.registerMiddleware('noop', async (_req: NAuthRequest, _res: NAuthResponse, next: () => void) => {
-            await next();
-          }),
-      // Token delivery (response interceptor)
-      tokenDelivery: adapter.registerResponseInterceptor(
-        tokenDeliveryHandler.handleResponse.bind(tokenDeliveryHandler),
-      ),
-    };
-    // ========================================================================
-    // 7. Create Helpers
-    // ========================================================================
-    const helpers = {
-      /**
-       * Mark route as public - bypasses CSRF validation
-       */
-      public: () =>
-        adapter.registerMiddleware('public', (req: NAuthRequest, _res: NAuthResponse, next: () => void) => {
-          req.attributes.nauthPublic = true;
-          return next();
-        }),
-      /**
-       * Require authentication
-       *
-       * @param options.csrf - Set to false to bypass CSRF check (e.g., for logout)
-       */
-      requireAuth: (options?: { csrf?: boolean }) =>
-        adapter.registerMiddleware('requireAuth', (req: NAuthRequest, res: NAuthResponse, next: () => void) => {
-          // Enforce deferred CSRF check (unless disabled)
-          if (options?.csrf !== false && req.attributes.nauthCsrfError) {
-            throw req.attributes.nauthCsrfError;
-          }
-          // Enforce authentication
-          if (!req.attributes.user) {
-            res.status(401).json({
-              statusCode: 401,
-              error: 'Unauthorized',
-              message: 'Authentication required',
-              code: 'AUTH_REQUIRED',
-            });
-            return;
-          }
-          return next();
-        }),
-      /**
-       * Optional authentication marker
-       *
-       * Auth middleware already does optional auth by default.
-       * This helper is a semantic marker for documentation purposes.
-       */
-      optionalAuth: () =>
-        adapter.registerMiddleware('optionalAuth', (_req: NAuthRequest, _res: NAuthResponse, next: () => void) => {
-          return next();
-        }),
-      /**
-       * Override token delivery mode for this route
-       */
-      tokenDelivery: (mode: 'json' | 'cookies') =>
-        adapter.registerMiddleware(
-          'tokenDeliveryConfig',
-          (req: NAuthRequest, _res: NAuthResponse, next: () => void) => {
-            req.attributes.nauthTokenDelivery = mode;
-            return next();
-          },
-        ),
-      // Context helpers (read from ContextStorage)
-      getCurrentUser: () => ContextStorage.get<IUser>('CURRENT_USER'),
-      getCurrentSession: () => ContextStorage.get<string | number>('CURRENT_SESSION'),
-      getClientInfo: () => ContextStorage.get<ClientInfo>('CLIENT_INFO'),
-    };
-    // ========================================================================
-    // 8. Build and Return Instance
-    // ========================================================================
-    // Exclude internal services from public API
-    const { challengeService, authChallengeHelperService, ...publicServices } = services;
-    logger.log(`NAuth initialized successfully with ${adapter.name}`);
-    return {
-      ...publicServices,
-      ...socialProviders,
-      middleware,
-      helpers,
-      adapter,
-      config,
-      logger,
-      socialAuthService: services.socialAuthService,
-      csrfService,
-    };
-  }
-}

package/src/dto/auth-challenge.dto.ts DELETED Viewed

@@ -1,231 +0,0 @@
-import { IsEnum, IsUUID, IsObject } from 'class-validator';
-import { Transform } from 'class-transformer';
-/**
- * Authentication Challenge Types
- *
- * Represents different challenges that must be completed before
- * a user can gain full access to the system. This is similar to
- * AWS Cognito's challenge system.
- *
- * @example
- * ```typescript
- * // After login, check for challenges
- * const result = await authService.login(credentials);
- * if (result.challengeName) {
- *   // User must complete challenge before accessing system
- *   console.log('Challenge required:', result.challengeName);
- * }
- * ```
- */
-export enum AuthChallenge {
-  /**
-   * Email verification required
-   * User must verify their email address before proceeding
-   */
-  VERIFY_EMAIL = 'VERIFY_EMAIL',
-  /**
-   * Phone verification required
-   * User must verify their phone number before proceeding
-   */
-  VERIFY_PHONE = 'VERIFY_PHONE',
-  /**
-   * Multi-factor authentication required
-   * User must complete MFA verification (TOTP, SMS, etc.)
-   * This challenge is used when user already has MFA enabled and needs to verify
-   */
-  MFA_REQUIRED = 'MFA_REQUIRED',
-  /**
-   * MFA setup required
-   * User must set up multi-factor authentication before being allowed to login.
-   * This occurs when enforcement is 'REQUIRED' and grace period has expired or is disabled.
-   */
-  MFA_SETUP_REQUIRED = 'MFA_SETUP_REQUIRED',
-  /**
-   * Password change required
-   * User must change their password before proceeding
-   * (e.g., admin-forced password reset, expired password)
-   */
-  FORCE_CHANGE_PASSWORD = 'FORCE_CHANGE_PASSWORD',
-}
-/**
- * Challenge Response DTO
- *
- * Used when a user's authentication is incomplete due to pending challenges.
- * Contains minimal information about the user and what challenges they must complete.
- *
- * Note: This is primarily a response DTO, but validation is included for completeness.
- *
- * @example
- * ```typescript
- * // Login response with challenge
- * {
- *   challengeName: 'VERIFY_EMAIL',
- *   session: 'a21b654c-2746-4168-acee-c175083a65cd',
- *   challengeParameters: {
- *     email: 'user@example.com',
- *     codeDeliveryDestination: 'u***@example.com'
- *   },
- *   userSub: 'a21b654c-2746-4168-acee-c175083a65cd'
- * }
- * ```
- */
-export class AuthChallengeResponseDTO {
-  /**
-   * The challenge that must be completed
-   *
-   * Validation:
-   * - Must be a valid AuthChallenge enum value
-   */
-  @IsEnum(AuthChallenge, {
-    message: 'Challenge name must be a valid AuthChallenge enum value',
-  })
-  challengeName!: AuthChallenge;
-  /**
-   * Temporary session identifier for challenge completion (UUID v4)
-   * This is NOT a full JWT token - only used for challenge verification
-   *
-   * Validation:
-   * - Must be a valid UUID v4 format
-   * - Generated using randomUUID() in challenge service
-   *
-   * @example "a21b654c-2746-4168-acee-c175083a65cd"
-   */
-  @IsUUID('4', { message: 'Session token must be a valid UUID v4 format' })
-  @Transform(({ value }) => {
-    if (typeof value === 'string') {
-      return value.trim().toLowerCase();
-    }
-    return value;
-  })
-  session!: string;
-  /**
-   * Challenge-specific parameters
-   * Contains information needed to complete the challenge
-   *
-   * Validation:
-   * - Must be an object
-   *
-   * @example
-   * ```typescript
-   * // For VERIFY_EMAIL
-   * {
-   *   email: 'user@example.com',
-   *   codeDeliveryDestination: 'u***@example.com'
-   * }
-   *
-   * // For VERIFY_PHONE
-   * {
-   *   phone: '+1234567890',
-   *   codeDeliveryDestination: '***-***-7890'
-   * }
-   * ```
-   */
-  @IsObject({ message: 'Challenge parameters must be an object' })
-  challengeParameters!: Record<string, unknown>;
-  /**
-   * User's unique identifier (UUID v4)
-   * Provided so the client knows which user is completing challenges
-   *
-   * Validation:
-   * - Must be a valid UUID v4 format
-   * - Matches DB constraint: char(36) or uuid
-   *
-   * @example "a21b654c-2746-4168-acee-c175083a65cd"
-   */
-  @IsUUID('4', { message: 'User sub must be a valid UUID v4 format' })
-  @Transform(({ value }) => {
-    if (typeof value === 'string') {
-      return value.trim().toLowerCase();
-    }
-    return value;
-  })
-  userSub!: string;
-}
-/**
- * Challenge Completion Request DTO
- *
- * Used to submit a response to an authentication challenge.
- *
- * Note: This is a legacy DTO. The codebase now uses RespondChallengeDTO for the unified API.
- * This DTO is kept for backwards compatibility.
- *
- * Security:
- * - Session token validated as UUID v4 format
- * - Challenge name validated against enum
- * - Challenge responses validated as object
- *
- * @example
- * ```typescript
- * // Verify email challenge
- * const request: ChallengeResponseRequestDTO = {
- *   session: 'a21b654c-2746-4168-acee-c175083a65cd',
- *   challengeName: 'VERIFY_EMAIL',
- *   challengeResponses: {
- *     code: '123456'
- *   }
- * };
- * ```
- */
-export class ChallengeResponseRequestDTO {
-  /**
-   * Temporary session from initial auth response (UUID v4)
-   *
-   * Validation:
-   * - Must be a valid UUID v4 format
-   * - Generated using randomUUID() in challenge service
-   *
-   * Sanitization:
-   * - Trimmed
-   * - Lowercased for consistency
-   *
-   * @example "a21b654c-2746-4168-acee-c175083a65cd"
-   */
-  @IsUUID('4', { message: 'Session token must be a valid UUID v4 format' })
-  @Transform(({ value }) => {
-    if (typeof value === 'string') {
-      return value.trim().toLowerCase();
-    }
-    return value;
-  })
-  session!: string;
-  /**
-   * The challenge being responded to
-   *
-   * Validation:
-   * - Must be a valid AuthChallenge enum value
-   */
-  @IsEnum(AuthChallenge, {
-    message: 'Challenge name must be a valid AuthChallenge enum value',
-  })
-  challengeName!: AuthChallenge;
-  /**
-   * Challenge-specific responses
-   *
-   * Validation:
-   * - Must be an object
-   * - Structure validated in service layer based on challenge type
-   *
-   * @example
-   * ```typescript
-   * // For VERIFY_EMAIL or VERIFY_PHONE
-   * { code: '123456' }
-   *
-   * // For FORCE_CHANGE_PASSWORD
-   * { newPassword: 'NewSecure123!' }
-   * ```
-   */
-  @IsObject({ message: 'Challenge responses must be an object' })
-  challengeResponses!: Record<string, unknown>;
-}