npm - @nauth-toolkit/core - Versions diffs - 0.1.0 → 0.1.3 - Mend

@nauth-toolkit/core 0.1.0 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (184) hide show

package/LICENSE +90 -0
package/README.md +30 -0
package/package.json +7 -2
package/jest.config.js +0 -15
package/jest.setup.ts +0 -6
package/src/adapters/database-columns.ts +0 -165
package/src/adapters/express.adapter.ts +0 -385
package/src/adapters/fastify.adapter.ts +0 -416
package/src/adapters/index.ts +0 -16
package/src/adapters/storage.factory.ts +0 -143
package/src/bootstrap.ts +0 -374
package/src/dto/auth-challenge.dto.ts +0 -231
package/src/dto/auth-response.dto.ts +0 -253
package/src/dto/challenge-response.dto.ts +0 -234
package/src/dto/change-password-request.dto.ts +0 -50
package/src/dto/change-password-response.dto.ts +0 -29
package/src/dto/change-password.dto.ts +0 -57
package/src/dto/error-response.dto.ts +0 -136
package/src/dto/get-available-methods.dto.ts +0 -55
package/src/dto/get-challenge-data-response.dto.ts +0 -28
package/src/dto/get-challenge-data.dto.ts +0 -69
package/src/dto/get-client-info.dto.ts +0 -104
package/src/dto/get-device-token-response.dto.ts +0 -25
package/src/dto/get-events-by-type.dto.ts +0 -76
package/src/dto/get-ip-address-response.dto.ts +0 -24
package/src/dto/get-mfa-status.dto.ts +0 -94
package/src/dto/get-risk-assessment-history.dto.ts +0 -39
package/src/dto/get-session-id-response.dto.ts +0 -25
package/src/dto/get-setup-data-response.dto.ts +0 -31
package/src/dto/get-setup-data.dto.ts +0 -75
package/src/dto/get-suspicious-activity.dto.ts +0 -42
package/src/dto/get-user-agent-response.dto.ts +0 -23
package/src/dto/get-user-auth-history.dto.ts +0 -95
package/src/dto/get-user-by-email.dto.ts +0 -61
package/src/dto/get-user-by-id.dto.ts +0 -46
package/src/dto/get-user-devices.dto.ts +0 -53
package/src/dto/get-user-response.dto.ts +0 -17
package/src/dto/has-provider.dto.ts +0 -56
package/src/dto/index.ts +0 -57
package/src/dto/is-trusted-device-response.dto.ts +0 -34
package/src/dto/list-providers-response.dto.ts +0 -23
package/src/dto/login.dto.ts +0 -95
package/src/dto/logout-all-response.dto.ts +0 -24
package/src/dto/logout-all.dto.ts +0 -65
package/src/dto/logout-response.dto.ts +0 -25
package/src/dto/logout.dto.ts +0 -64
package/src/dto/refresh-token.dto.ts +0 -36
package/src/dto/remove-devices.dto.ts +0 -85
package/src/dto/resend-code-response.dto.ts +0 -32
package/src/dto/resend-code.dto.ts +0 -51
package/src/dto/reset-password.dto.ts +0 -115
package/src/dto/respond-challenge.dto.ts +0 -272
package/src/dto/set-mfa-exemption.dto.ts +0 -112
package/src/dto/set-must-change-password-response.dto.ts +0 -27
package/src/dto/set-must-change-password.dto.ts +0 -46
package/src/dto/set-preferred-method.dto.ts +0 -80
package/src/dto/setup-mfa.dto.ts +0 -98
package/src/dto/signup.dto.ts +0 -174
package/src/dto/social-auth.dto.ts +0 -422
package/src/dto/trust-device-response.dto.ts +0 -30
package/src/dto/trust-device.dto.ts +0 -9
package/src/dto/update-user-attributes-request.dto.ts +0 -51
package/src/dto/user-response.dto.ts +0 -138
package/src/dto/user-update.dto.ts +0 -222
package/src/dto/verify-email.dto.ts +0 -313
package/src/dto/verify-mfa-code.dto.ts +0 -103
package/src/dto/verify-phone-by-sub.dto.ts +0 -78
package/src/dto/verify-phone.dto.ts +0 -245
package/src/entities/auth-audit.entity.ts +0 -232
package/src/entities/challenge-session.entity.ts +0 -116
package/src/entities/index.ts +0 -29
package/src/entities/login-attempt.entity.ts +0 -64
package/src/entities/mfa-device.entity.ts +0 -151
package/src/entities/rate-limit.entity.ts +0 -44
package/src/entities/session.entity.ts +0 -180
package/src/entities/social-account.entity.ts +0 -96
package/src/entities/storage-lock.entity.ts +0 -39
package/src/entities/trusted-device.entity.ts +0 -112
package/src/entities/user.entity.ts +0 -243
package/src/entities/verification-token.entity.ts +0 -141
package/src/enums/auth-audit-event-type.enum.ts +0 -360
package/src/enums/error-codes.enum.ts +0 -420
package/src/enums/mfa-method.enum.ts +0 -97
package/src/enums/risk-factor.enum.ts +0 -111
package/src/exceptions/nauth.exception.ts +0 -231
package/src/handlers/auth.handler.ts +0 -260
package/src/handlers/client-info.handler.ts +0 -101
package/src/handlers/csrf.handler.ts +0 -156
package/src/handlers/token-delivery.handler.ts +0 -118
package/src/index.ts +0 -118
package/src/interfaces/client-info.interface.ts +0 -85
package/src/interfaces/config.interface.ts +0 -2135
package/src/interfaces/entities.interface.ts +0 -226
package/src/interfaces/index.ts +0 -15
package/src/interfaces/logger.interface.ts +0 -283
package/src/interfaces/mfa-provider.interface.ts +0 -154
package/src/interfaces/oauth.interface.ts +0 -148
package/src/interfaces/provider.interface.ts +0 -47
package/src/interfaces/social-auth-provider.interface.ts +0 -131
package/src/interfaces/storage-adapter.interface.ts +0 -82
package/src/interfaces/template.interface.ts +0 -510
package/src/interfaces/token-verifier.interface.ts +0 -110
package/src/internal.ts +0 -178
package/src/platform/interfaces.ts +0 -299
package/src/schemas/auth-config.schema.ts +0 -646
package/src/services/adaptive-mfa-decision.service.spec.ts +0 -1058
package/src/services/adaptive-mfa-decision.service.ts +0 -457
package/src/services/auth-audit.service.spec.ts +0 -675
package/src/services/auth-audit.service.ts +0 -558
package/src/services/auth-challenge-helper.service.spec.ts +0 -3227
package/src/services/auth-challenge-helper.service.ts +0 -825
package/src/services/auth-flow-context-builder.service.ts +0 -520
package/src/services/auth-flow-rules.ts +0 -202
package/src/services/auth-flow-state-definitions.ts +0 -190
package/src/services/auth-flow-state-machine.service.ts +0 -207
package/src/services/auth-flow-state-machine.types.ts +0 -316
package/src/services/auth.service.spec.ts +0 -4195
package/src/services/auth.service.ts +0 -3727
package/src/services/challenge.service.spec.ts +0 -1363
package/src/services/challenge.service.ts +0 -696
package/src/services/client-info.service.spec.ts +0 -572
package/src/services/client-info.service.ts +0 -374
package/src/services/csrf.service.ts +0 -54
package/src/services/email-verification.service.spec.ts +0 -1229
package/src/services/email-verification.service.ts +0 -578
package/src/services/geo-location.service.spec.ts +0 -603
package/src/services/geo-location.service.ts +0 -599
package/src/services/index.ts +0 -13
package/src/services/jwt.service.spec.ts +0 -882
package/src/services/jwt.service.ts +0 -621
package/src/services/mfa-base.service.spec.ts +0 -246
package/src/services/mfa-base.service.ts +0 -611
package/src/services/mfa.service.spec.ts +0 -693
package/src/services/mfa.service.ts +0 -960
package/src/services/password.service.spec.ts +0 -166
package/src/services/password.service.ts +0 -309
package/src/services/phone-verification.service.spec.ts +0 -1120
package/src/services/phone-verification.service.ts +0 -751
package/src/services/risk-detection.service.spec.ts +0 -1292
package/src/services/risk-detection.service.ts +0 -1012
package/src/services/risk-scoring.service.spec.ts +0 -204
package/src/services/risk-scoring.service.ts +0 -131
package/src/services/session.service.spec.ts +0 -1293
package/src/services/session.service.ts +0 -803
package/src/services/social-account.service.spec.ts +0 -725
package/src/services/social-auth-base.service.spec.ts +0 -418
package/src/services/social-auth-base.service.ts +0 -581
package/src/services/social-auth.service.spec.ts +0 -238
package/src/services/social-auth.service.ts +0 -436
package/src/services/social-provider-registry.service.spec.ts +0 -238
package/src/services/social-provider-registry.service.ts +0 -122
package/src/services/trusted-device.service.spec.ts +0 -505
package/src/services/trusted-device.service.ts +0 -339
package/src/storage/account-lockout-storage.service.spec.ts +0 -310
package/src/storage/account-lockout-storage.service.ts +0 -89
package/src/storage/index.ts +0 -3
package/src/storage/memory-storage.adapter.ts +0 -443
package/src/storage/rate-limit-storage.service.spec.ts +0 -247
package/src/storage/rate-limit-storage.service.ts +0 -38
package/src/templates/html-template.engine.spec.ts +0 -161
package/src/templates/html-template.engine.ts +0 -688
package/src/templates/index.ts +0 -7
package/src/utils/common-passwords.spec.ts +0 -230
package/src/utils/common-passwords.ts +0 -170
package/src/utils/context-storage.ts +0 -188
package/src/utils/cookie-names.util.ts +0 -67
package/src/utils/cookies.util.ts +0 -94
package/src/utils/index.ts +0 -12
package/src/utils/ip-extractor.spec.ts +0 -330
package/src/utils/ip-extractor.ts +0 -220
package/src/utils/nauth-logger.spec.ts +0 -388
package/src/utils/nauth-logger.ts +0 -215
package/src/utils/pii-redactor.spec.ts +0 -130
package/src/utils/pii-redactor.ts +0 -288
package/src/utils/setup/get-repositories.ts +0 -140
package/src/utils/setup/init-services.ts +0 -422
package/src/utils/setup/init-social.ts +0 -189
package/src/utils/setup/init-storage.ts +0 -94
package/src/utils/setup/register-mfa.ts +0 -165
package/src/utils/setup/run-nauth-migrations.ts +0 -61
package/src/utils/token-delivery-policy.ts +0 -38
package/src/validators/template.validator.ts +0 -219
package/tsconfig.json +0 -37
package/tsconfig.lint.json +0 -6

package/src/services/social-auth-base.service.ts DELETED Viewed

@@ -1,581 +0,0 @@
-import * as crypto from 'crypto';
-import { Repository } from 'typeorm';
-import { BaseUser } from '../entities';
-import { IUser } from '../interfaces/entities.interface';
-import { AuthService } from './auth.service';
-import { SocialAuthService } from './social-auth.service';
-import { TrustedDeviceService } from './trusted-device.service';
-import { JwtService } from './jwt.service';
-import { SessionService } from './session.service';
-import { AuthChallengeHelperService } from './auth-challenge-helper.service';
-import { ClientInfoService } from './client-info.service';
-import { PhoneVerificationService } from './phone-verification.service';
-import { InternalAuthAuditService as AuthAuditService } from './auth-audit.service';
-import { AuthAuditEventType } from '../enums/auth-audit-event-type.enum';
-import { NAuthConfig } from '../interfaces/config.interface';
-import { NAuthLogger } from '../utils/nauth-logger';
-import { AuthResponseDTO } from '../dto';
-import { OAuthUserProfile } from '../interfaces/oauth.interface';
-import { ISocialAuthProviderService } from '../interfaces/social-auth-provider.interface';
-import { NAuthException } from '../exceptions/nauth.exception';
-import { AuthErrorCode } from '../enums/error-codes.enum';
-/**
- * Base Social Auth Provider Service
- *
- * Abstract base class that provides common functionality for all social auth providers.
- * Provider-specific services (Google, Apple, Facebook, GitHub, etc.) should extend this class
- * and implement provider-specific OAuth client logic.
- *
- * This base class handles:
- * - User creation/lookup
- * - Social account linking
- * - JWT token generation
- * - Session management
- * - Challenge system integration
- *
- * **Key Design:**
- * - No hardcoded provider names - works with any provider
- * - Provider config accessed dynamically via `providerName`
- * - Future developers can add new providers without modifying this class
- *
- * @example
- * ```typescript
- * @Injectable()
- * export class GitHubSocialAuthService extends BaseSocialAuthProviderService {
- *   readonly providerName = 'github';
- *
- *   constructor(
- *     // ... dependencies
- *     private readonly githubOAuthClient: GitHubOAuthClient,
- *   ) {
- *     super(/* ... base dependencies *\/);
- *   }
- *
- *   protected async getOAuthProfile(code: string, state: string): Promise<OAuthUserProfile> {
- *     // Provider-specific implementation
- *   }
- * }
- * ```
- */
-export abstract class BaseSocialAuthProviderService implements ISocialAuthProviderService {
-  abstract readonly providerName: string;
-  constructor(
-    protected readonly config: NAuthConfig,
-    protected readonly logger: NAuthLogger,
-    protected readonly authService: AuthService,
-    protected readonly socialAuthService: SocialAuthService,
-    protected readonly jwtService: JwtService,
-    protected readonly sessionService: SessionService,
-    protected readonly challengeHelper: AuthChallengeHelperService,
-    protected readonly clientInfoService: ClientInfoService,
-    // State store for CSRF protection - shared across all providers
-    protected readonly stateStore: Map<string, { timestamp: number; provider: string }>,
-    // User repository for creating social users
-    protected readonly userRepository: Repository<BaseUser>,
-    // Phone verification service (optional - only available when SMS provider is configured)
-    protected readonly phoneVerificationService?: PhoneVerificationService,
-    protected readonly auditService?: AuthAuditService, // Optional - audit trail service (enabled via config.auditLogs.enabled)
-    protected readonly trustedDeviceService?: TrustedDeviceService, // Optional - only available when rememberDevices is not 'never'
-  ) {}
-  /**
-   * Get provider configuration dynamically
-   *
-   * Accesses config.social[providerName] without hardcoding provider names.
-   * This allows any provider to work without modifying core code.
-   *
-   * @returns Provider configuration from NAuthConfig
-   * @protected
-   */
-  protected getProviderConfig(): any {
-    const socialConfig = this.config.social;
-    if (!socialConfig) return null;
-    // Access config dynamically using providerName (no hardcoding)
-    return (socialConfig as Record<string, unknown>)[this.providerName] || null;
-  }
-  /**
-   * Generate OAuth authorization URL for this provider
-   *
-   * Must be implemented by provider-specific services to generate the OAuth URL.
-   *
-   * @param state - Optional state parameter for CSRF protection
-   * @returns Authorization URL to redirect user to
-   * @throws {BadRequestException} When provider is not properly configured
-   */
-  abstract getAuthUrl(state?: string): Promise<string>;
-  /**
-   * Get user profile from OAuth callback
-   *
-   * Must be implemented by provider-specific services to exchange code for tokens
-   * and fetch user profile.
-   *
-   * @param code - Authorization code from OAuth callback
-   * @param state - State parameter from OAuth callback
-   * @returns OAuth user profile
-   * @protected
-   */
-  protected abstract getOAuthProfile(code: string, state: string): Promise<OAuthUserProfile>;
-  /**
-   * Verify social authentication token from native mobile apps
-   *
-   * Must be implemented by provider-specific services to verify ID tokens.
-   *
-   * @param idToken - ID token from native SDK
-   * @param accessToken - Optional access token from native SDK
-   * @param profileData - Optional profile data from native SDK
-   * @returns OAuth user profile
-   * @protected
-   */
-  protected abstract verifyNativeToken(
-    idToken: string,
-    accessToken?: string,
-    profileData?: any,
-  ): Promise<OAuthUserProfile>;
-  /**
-   * Handle OAuth callback and authenticate user
-   *
-   * Uses the provider-specific getOAuthProfile method and then handles
-   * user creation, session management, and token generation.
-   */
-  async handleCallback(code: string, state: string): Promise<AuthResponseDTO> {
-    const providerConfig = this.getProviderConfig();
-    if (!providerConfig) {
-      throw new NAuthException(
-        AuthErrorCode.SOCIAL_CONFIG_MISSING,
-        `Provider configuration not found: ${this.providerName}`,
-      );
-    }
-    // Validate state (basic CSRF protection)
-    this.validateState(state);
-    try {
-      // Get user profile from provider
-      const profile = await this.getOAuthProfile(code, state);
-      this.logger?.log?.(`[SocialAuth] ${this.providerName} callback verified (secure): ${profile.email}`);
-      // Find or create user
-      const user = await this.findOrCreateUser(profile, providerConfig);
-      // Create or update social account
-      await this.createOrUpdateSocialAccount(user, profile);
-      // Generate JWT tokens and session
-      return await this.createAuthResponse(user, 'web');
-    } catch (error) {
-      if (error instanceof NAuthException) {
-        throw error;
-      }
-      if (error instanceof Error) {
-        throw new NAuthException(AuthErrorCode.SOCIAL_TOKEN_INVALID, `Social authentication failed: ${error.message}`);
-      }
-      throw new NAuthException(AuthErrorCode.SOCIAL_TOKEN_INVALID, 'Social authentication failed: Unknown error');
-    }
-  }
-  /**
-   * Verify social authentication token from native mobile apps
-   */
-  async verifyToken(idToken: string, accessToken?: string, profileData?: any): Promise<AuthResponseDTO> {
-    const providerConfig = this.getProviderConfig();
-    if (!providerConfig || !providerConfig.enabled) {
-      throw new NAuthException(
-        AuthErrorCode.SOCIAL_CONFIG_MISSING,
-        `Provider '${this.providerName}' is not configured or not enabled`,
-      );
-    }
-    try {
-      // Verify token and get profile
-      const profile = await this.verifyNativeToken(idToken, accessToken, profileData);
-      // Find or create user
-      const user = await this.findOrCreateUser(profile, providerConfig);
-      // Create or update social account
-      await this.createOrUpdateSocialAccount(user, profile);
-      // Generate JWT tokens and session
-      return await this.createAuthResponse(user, 'mobile');
-    } catch (error) {
-      const errorMessage = error instanceof Error ? error.message : 'Unknown error';
-      this.logger?.error?.(`Native token verification failed for ${this.providerName}: ${errorMessage}`);
-      throw new NAuthException(AuthErrorCode.SOCIAL_TOKEN_INVALID, `Token verification failed: ${errorMessage}`);
-    }
-  }
-  /**
-   * Link social account to existing user
-   */
-  async linkAccount(userId: string, code: string, state: string): Promise<{ message: string }> {
-    // Get full user entity (need internal id for foreign keys)
-    const user = (await this.userRepository.findOne({ where: { sub: userId } })) as IUser | null;
-    if (!user) {
-      throw new NAuthException(AuthErrorCode.NOT_FOUND, 'User not found');
-    }
-    const providerConfig = this.getProviderConfig();
-    if (!providerConfig) {
-      throw new NAuthException(
-        AuthErrorCode.SOCIAL_CONFIG_MISSING,
-        `Provider configuration not found: ${this.providerName}`,
-      );
-    }
-    // Validate state
-    this.validateState(state);
-    try {
-      // Get user profile from provider
-      const profile = await this.getOAuthProfile(code, state);
-      // Check if account is already linked
-      const existingAccount = await this.socialAuthService.findSocialAccountByProvider(this.providerName, profile.id);
-      if (existingAccount) {
-        throw new NAuthException(
-          AuthErrorCode.SOCIAL_ACCOUNT_LINKED,
-          'This social account is already linked to another user',
-        );
-      }
-      // Create social account using service
-      await this.socialAuthService.createOrUpdateSocialAccount(
-        user.id as number,
-        this.providerName,
-        profile.id,
-        profile.email,
-        profile.raw,
-      );
-      // ============================================================================
-      // Audit: Record social account link
-      // ============================================================================
-      try {
-        await this.auditService?.recordEvent({
-          userId: user.id,
-          eventType: AuthAuditEventType.SOCIAL_ACCOUNT_LINKED,
-          eventStatus: 'INFO',
-          authMethod: this.providerName,
-          // Client info automatically included from context
-          metadata: {
-            provider: this.providerName,
-            providerEmail: profile.email || null,
-          },
-        });
-      } catch (auditError) {
-        // Non-blocking: Log but continue
-        const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
-        this.logger?.error?.(`Failed to record SOCIAL_ACCOUNT_LINKED audit event: ${errorMessage}`, {
-          error: auditError,
-          userId: user.id,
-          provider: this.providerName,
-        });
-      }
-      // ============================================================================
-      // Audit: Record social account link
-      // ============================================================================
-      try {
-        await this.auditService?.recordEvent({
-          userId: user.id,
-          eventType: AuthAuditEventType.SOCIAL_ACCOUNT_LINKED,
-          eventStatus: 'SUCCESS',
-          authMethod: this.providerName.toLowerCase(),
-          // Client info automatically included from context
-          metadata: {
-            provider: this.providerName.toLowerCase(),
-            providerEmail: profile.email || null,
-          },
-        });
-      } catch (auditError) {
-        // Non-blocking: Log but continue
-        const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
-        this.logger?.error?.(`Failed to record SOCIAL_ACCOUNT_LINKED audit event: ${errorMessage}`, {
-          error: auditError,
-          userId: user.id,
-          provider: this.providerName,
-        });
-      }
-      return { message: `${this.providerName} account linked successfully` };
-    } catch (error) {
-      if (error instanceof NAuthException) {
-        throw error;
-      }
-      if (error instanceof Error) {
-        throw new NAuthException(AuthErrorCode.SOCIAL_TOKEN_INVALID, `Social account linking failed: ${error.message}`);
-      }
-      throw new NAuthException(AuthErrorCode.SOCIAL_TOKEN_INVALID, 'Social account linking failed: Unknown error');
-    }
-  }
-  /**
-   * Get OAuth user profile from callback
-   *
-   * Alias for getOAuthProfile for interface compliance.
-   */
-  async getUserProfileFromCallback(code: string, state: string): Promise<OAuthUserProfile> {
-    return this.getOAuthProfile(code, state);
-  }
-  // ============================================================================
-  // Protected Helper Methods
-  // ============================================================================
-  /**
-   * Validate state parameter for CSRF protection
-   */
-  protected validateState(state: string): void {
-    const stateData = this.stateStore.get(state);
-    if (!stateData) {
-      throw new NAuthException(AuthErrorCode.VALIDATION_FAILED, 'Invalid state parameter', { field: 'state' });
-    }
-    if (stateData.provider !== this.providerName) {
-      throw new NAuthException(AuthErrorCode.VALIDATION_FAILED, 'State provider mismatch', { field: 'state' });
-    }
-    // Check if state is not too old (5 minutes)
-    if (Date.now() - stateData.timestamp > 5 * 60 * 1000) {
-      this.stateStore.delete(state);
-      throw new NAuthException(AuthErrorCode.CHALLENGE_EXPIRED, 'State parameter expired');
-    }
-    // Clean up used state
-    this.stateStore.delete(state);
-  }
-  /**
-   * Generate random state for CSRF protection
-   */
-  protected generateState(): string {
-    const state = crypto.randomBytes(32).toString('hex');
-    this.stateStore.set(state, {
-      timestamp: Date.now(),
-      provider: this.providerName,
-    });
-    return state;
-  }
-  /**
-   * Find existing user or create new one
-   */
-  protected async findOrCreateUser(profile: OAuthUserProfile, providerConfig: any): Promise<IUser> {
-    // First, try to find user by social account
-    const socialAccount = await this.socialAuthService.findSocialAccountByProvider(this.providerName, profile.id);
-    if (socialAccount) {
-      return (socialAccount as unknown as { user?: IUser }).user as IUser;
-    }
-    // If auto-link is enabled, try to find by email
-    if (providerConfig.autoLink && profile.email) {
-      // Get full user entity (need internal id for foreign keys)
-      const existingUser = (await this.userRepository.findOne({
-        where: { email: profile.email, isEmailVerified: true },
-      })) as IUser | null;
-      if (existingUser) {
-        return existingUser;
-      }
-    }
-    // Create new user if allowSignup is enabled
-    if (providerConfig.allowSignup) {
-      this.logger?.log?.(
-        `[SocialAuth] Creating user: email=${profile.email}, isEmailVerified=${profile.verified || false}`,
-      );
-      const savedUser = await this.createSocialUser(
-        profile.email || '',
-        profile.firstName,
-        profile.lastName,
-        profile.verified || false,
-        this.providerName,
-      );
-      this.logger?.log?.(
-        `[SocialAuth] User created: email=${savedUser.email}, isEmailVerified=${savedUser.isEmailVerified}`,
-      );
-      return savedUser;
-    }
-    throw new NAuthException(AuthErrorCode.SIGNUP_DISABLED, 'User not found and signup is disabled');
-  }
-  /**
-   * Create a social-only user (no password)
-   *
-   * @param email - User email
-   * @param firstName - Optional first name
-   * @param lastName - Optional last name
-   * @param isEmailVerified - Whether email is verified (default: true)
-   * @param socialProvider - Initial social provider name
-   * @returns Created user
-   * @protected
-   */
-  protected async createSocialUser(
-    email: string,
-    firstName?: string | null,
-    lastName?: string | null,
-    isEmailVerified: boolean = true,
-    socialProvider?: string,
-  ): Promise<IUser> {
-    const user = this.userRepository.create({
-      email,
-      firstName: firstName || null,
-      lastName: lastName || null,
-      isEmailVerified,
-      hasSocialAuth: true,
-      socialProviders: socialProvider ? [socialProvider] : null,
-      isActive: true,
-    });
-    const savedUser = (await this.userRepository.save(user)) as unknown as IUser;
-    this.logger?.log?.(`Social user created: ${email} (sub: ${savedUser.sub})`);
-    return savedUser;
-  }
-  /**
-   * Create or update social account
-   */
-  protected async createOrUpdateSocialAccount(user: IUser, profile: OAuthUserProfile): Promise<void> {
-    await this.socialAuthService.createOrUpdateSocialAccount(
-      user.id as number,
-      this.providerName,
-      profile.id,
-      profile.email,
-      profile.raw,
-    );
-  }
-  /**
-   * Create authentication response with tokens and user info
-   */
-  protected async createAuthResponse(user: IUser, _deviceType: 'web' | 'mobile'): Promise<AuthResponseDTO> {
-    // Get actual client info from context (IP, userAgent, etc.)
-    const clientInfo = this.clientInfoService.get();
-    // ============================================================================
-    // Audit: Record login attempt for social authentication
-    // ============================================================================
-    try {
-      await this.auditService?.recordEvent({
-        userId: user.id,
-        eventType: AuthAuditEventType.LOGIN_ATTEMPT,
-        eventStatus: 'INFO',
-        authMethod: this.providerName.toLowerCase(),
-        description: `${this.providerName} OAuth token validated`,
-      });
-    } catch (auditError) {
-      // Non-blocking: Log but continue
-      const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
-      this.logger?.error?.(`Failed to record LOGIN_ATTEMPT audit event for social login: ${errorMessage}`, {
-        error: auditError,
-        userId: user.id,
-        provider: this.providerName,
-      });
-    }
-    // ============================================================================
-    // Check for Required Challenges BEFORE creating session
-    // ============================================================================
-    const response = await this.challengeHelper.determineAuthResponse({
-      user,
-      config: this.config,
-      deviceToken: clientInfo.deviceToken,
-      isSocialLogin: true,
-      skipMFAVerification: false,
-      authProvider: this.providerName.toLowerCase(), // e.g., 'google', 'facebook', 'apple'
-    });
-    if (response.challengeName) {
-      this.logger?.log?.(`Challenge required for social auth user ${user.sub}: ${response.challengeName}`);
-      // Record SOCIAL_LOGIN event even when challenge is required
-      try {
-        await this.auditService?.recordEvent({
-          userId: user.id,
-          eventType: AuthAuditEventType.SOCIAL_LOGIN,
-          eventStatus: 'INFO',
-          authMethod: this.providerName.toLowerCase(),
-          metadata: {
-            provider: this.providerName.toLowerCase(),
-            challengeRequired: response.challengeName,
-          },
-        });
-      } catch (auditError) {
-        const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
-        this.logger?.error?.(`Failed to record SOCIAL_LOGIN audit event (challenge): ${errorMessage}`, {
-          error: auditError,
-          userId: user.id,
-          provider: this.providerName,
-        });
-      }
-      return response;
-    }
-    // ============================================================================
-    // No challenges - determineAuthResponse already created session and tokens
-    // Just record SOCIAL_LOGIN audit event and return the response
-    // ============================================================================
-    // ============================================================================
-    // No challenges - determineAuthResponse already created session and tokens
-    // Just record SOCIAL_LOGIN audit event and return the response
-    // ============================================================================
-    // Check trusted device status (for audit metadata)
-    let isTrustedDevice = false;
-    if (
-      this.config.mfa?.rememberDevices &&
-      this.config.mfa?.rememberDevices !== 'never' &&
-      this.trustedDeviceService &&
-      clientInfo.deviceToken
-    ) {
-      try {
-        isTrustedDevice = await this.trustedDeviceService.isDeviceTrusted(clientInfo.deviceToken, user.id);
-      } catch (error) {
-        // Non-blocking: Log but continue
-        const errorMessage = error instanceof Error ? error.message : 'Unknown error';
-        this.logger?.warn?.(`Failed to check trusted device for social login: ${errorMessage}`, {
-          error,
-          userId: user.id,
-          provider: this.providerName,
-        });
-      }
-    }
-    // Record SOCIAL_LOGIN audit event
-    try {
-      await this.auditService?.recordEvent({
-        userId: user.id,
-        eventType: AuthAuditEventType.SOCIAL_LOGIN,
-        eventStatus: 'SUCCESS',
-        authMethod: this.providerName.toLowerCase(),
-        metadata: {
-          provider: this.providerName.toLowerCase(),
-          trustedDevice: isTrustedDevice,
-        },
-      });
-    } catch (auditError) {
-      // Non-blocking: Log but continue
-      const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
-      this.logger?.error?.(`Failed to record SOCIAL_LOGIN audit event: ${errorMessage}`, {
-        error: auditError,
-        userId: user.id,
-        provider: this.providerName,
-      });
-    }
-    // Return the response with session and tokens already created by determineAuthResponse
-    return response;
-  }
-}