npm - @nauth-toolkit/core - Versions diffs - 0.1.0 → 0.1.3 - Mend

@nauth-toolkit/core 0.1.0 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (184) hide show

package/LICENSE +90 -0
package/README.md +30 -0
package/package.json +7 -2
package/jest.config.js +0 -15
package/jest.setup.ts +0 -6
package/src/adapters/database-columns.ts +0 -165
package/src/adapters/express.adapter.ts +0 -385
package/src/adapters/fastify.adapter.ts +0 -416
package/src/adapters/index.ts +0 -16
package/src/adapters/storage.factory.ts +0 -143
package/src/bootstrap.ts +0 -374
package/src/dto/auth-challenge.dto.ts +0 -231
package/src/dto/auth-response.dto.ts +0 -253
package/src/dto/challenge-response.dto.ts +0 -234
package/src/dto/change-password-request.dto.ts +0 -50
package/src/dto/change-password-response.dto.ts +0 -29
package/src/dto/change-password.dto.ts +0 -57
package/src/dto/error-response.dto.ts +0 -136
package/src/dto/get-available-methods.dto.ts +0 -55
package/src/dto/get-challenge-data-response.dto.ts +0 -28
package/src/dto/get-challenge-data.dto.ts +0 -69
package/src/dto/get-client-info.dto.ts +0 -104
package/src/dto/get-device-token-response.dto.ts +0 -25
package/src/dto/get-events-by-type.dto.ts +0 -76
package/src/dto/get-ip-address-response.dto.ts +0 -24
package/src/dto/get-mfa-status.dto.ts +0 -94
package/src/dto/get-risk-assessment-history.dto.ts +0 -39
package/src/dto/get-session-id-response.dto.ts +0 -25
package/src/dto/get-setup-data-response.dto.ts +0 -31
package/src/dto/get-setup-data.dto.ts +0 -75
package/src/dto/get-suspicious-activity.dto.ts +0 -42
package/src/dto/get-user-agent-response.dto.ts +0 -23
package/src/dto/get-user-auth-history.dto.ts +0 -95
package/src/dto/get-user-by-email.dto.ts +0 -61
package/src/dto/get-user-by-id.dto.ts +0 -46
package/src/dto/get-user-devices.dto.ts +0 -53
package/src/dto/get-user-response.dto.ts +0 -17
package/src/dto/has-provider.dto.ts +0 -56
package/src/dto/index.ts +0 -57
package/src/dto/is-trusted-device-response.dto.ts +0 -34
package/src/dto/list-providers-response.dto.ts +0 -23
package/src/dto/login.dto.ts +0 -95
package/src/dto/logout-all-response.dto.ts +0 -24
package/src/dto/logout-all.dto.ts +0 -65
package/src/dto/logout-response.dto.ts +0 -25
package/src/dto/logout.dto.ts +0 -64
package/src/dto/refresh-token.dto.ts +0 -36
package/src/dto/remove-devices.dto.ts +0 -85
package/src/dto/resend-code-response.dto.ts +0 -32
package/src/dto/resend-code.dto.ts +0 -51
package/src/dto/reset-password.dto.ts +0 -115
package/src/dto/respond-challenge.dto.ts +0 -272
package/src/dto/set-mfa-exemption.dto.ts +0 -112
package/src/dto/set-must-change-password-response.dto.ts +0 -27
package/src/dto/set-must-change-password.dto.ts +0 -46
package/src/dto/set-preferred-method.dto.ts +0 -80
package/src/dto/setup-mfa.dto.ts +0 -98
package/src/dto/signup.dto.ts +0 -174
package/src/dto/social-auth.dto.ts +0 -422
package/src/dto/trust-device-response.dto.ts +0 -30
package/src/dto/trust-device.dto.ts +0 -9
package/src/dto/update-user-attributes-request.dto.ts +0 -51
package/src/dto/user-response.dto.ts +0 -138
package/src/dto/user-update.dto.ts +0 -222
package/src/dto/verify-email.dto.ts +0 -313
package/src/dto/verify-mfa-code.dto.ts +0 -103
package/src/dto/verify-phone-by-sub.dto.ts +0 -78
package/src/dto/verify-phone.dto.ts +0 -245
package/src/entities/auth-audit.entity.ts +0 -232
package/src/entities/challenge-session.entity.ts +0 -116
package/src/entities/index.ts +0 -29
package/src/entities/login-attempt.entity.ts +0 -64
package/src/entities/mfa-device.entity.ts +0 -151
package/src/entities/rate-limit.entity.ts +0 -44
package/src/entities/session.entity.ts +0 -180
package/src/entities/social-account.entity.ts +0 -96
package/src/entities/storage-lock.entity.ts +0 -39
package/src/entities/trusted-device.entity.ts +0 -112
package/src/entities/user.entity.ts +0 -243
package/src/entities/verification-token.entity.ts +0 -141
package/src/enums/auth-audit-event-type.enum.ts +0 -360
package/src/enums/error-codes.enum.ts +0 -420
package/src/enums/mfa-method.enum.ts +0 -97
package/src/enums/risk-factor.enum.ts +0 -111
package/src/exceptions/nauth.exception.ts +0 -231
package/src/handlers/auth.handler.ts +0 -260
package/src/handlers/client-info.handler.ts +0 -101
package/src/handlers/csrf.handler.ts +0 -156
package/src/handlers/token-delivery.handler.ts +0 -118
package/src/index.ts +0 -118
package/src/interfaces/client-info.interface.ts +0 -85
package/src/interfaces/config.interface.ts +0 -2135
package/src/interfaces/entities.interface.ts +0 -226
package/src/interfaces/index.ts +0 -15
package/src/interfaces/logger.interface.ts +0 -283
package/src/interfaces/mfa-provider.interface.ts +0 -154
package/src/interfaces/oauth.interface.ts +0 -148
package/src/interfaces/provider.interface.ts +0 -47
package/src/interfaces/social-auth-provider.interface.ts +0 -131
package/src/interfaces/storage-adapter.interface.ts +0 -82
package/src/interfaces/template.interface.ts +0 -510
package/src/interfaces/token-verifier.interface.ts +0 -110
package/src/internal.ts +0 -178
package/src/platform/interfaces.ts +0 -299
package/src/schemas/auth-config.schema.ts +0 -646
package/src/services/adaptive-mfa-decision.service.spec.ts +0 -1058
package/src/services/adaptive-mfa-decision.service.ts +0 -457
package/src/services/auth-audit.service.spec.ts +0 -675
package/src/services/auth-audit.service.ts +0 -558
package/src/services/auth-challenge-helper.service.spec.ts +0 -3227
package/src/services/auth-challenge-helper.service.ts +0 -825
package/src/services/auth-flow-context-builder.service.ts +0 -520
package/src/services/auth-flow-rules.ts +0 -202
package/src/services/auth-flow-state-definitions.ts +0 -190
package/src/services/auth-flow-state-machine.service.ts +0 -207
package/src/services/auth-flow-state-machine.types.ts +0 -316
package/src/services/auth.service.spec.ts +0 -4195
package/src/services/auth.service.ts +0 -3727
package/src/services/challenge.service.spec.ts +0 -1363
package/src/services/challenge.service.ts +0 -696
package/src/services/client-info.service.spec.ts +0 -572
package/src/services/client-info.service.ts +0 -374
package/src/services/csrf.service.ts +0 -54
package/src/services/email-verification.service.spec.ts +0 -1229
package/src/services/email-verification.service.ts +0 -578
package/src/services/geo-location.service.spec.ts +0 -603
package/src/services/geo-location.service.ts +0 -599
package/src/services/index.ts +0 -13
package/src/services/jwt.service.spec.ts +0 -882
package/src/services/jwt.service.ts +0 -621
package/src/services/mfa-base.service.spec.ts +0 -246
package/src/services/mfa-base.service.ts +0 -611
package/src/services/mfa.service.spec.ts +0 -693
package/src/services/mfa.service.ts +0 -960
package/src/services/password.service.spec.ts +0 -166
package/src/services/password.service.ts +0 -309
package/src/services/phone-verification.service.spec.ts +0 -1120
package/src/services/phone-verification.service.ts +0 -751
package/src/services/risk-detection.service.spec.ts +0 -1292
package/src/services/risk-detection.service.ts +0 -1012
package/src/services/risk-scoring.service.spec.ts +0 -204
package/src/services/risk-scoring.service.ts +0 -131
package/src/services/session.service.spec.ts +0 -1293
package/src/services/session.service.ts +0 -803
package/src/services/social-account.service.spec.ts +0 -725
package/src/services/social-auth-base.service.spec.ts +0 -418
package/src/services/social-auth-base.service.ts +0 -581
package/src/services/social-auth.service.spec.ts +0 -238
package/src/services/social-auth.service.ts +0 -436
package/src/services/social-provider-registry.service.spec.ts +0 -238
package/src/services/social-provider-registry.service.ts +0 -122
package/src/services/trusted-device.service.spec.ts +0 -505
package/src/services/trusted-device.service.ts +0 -339
package/src/storage/account-lockout-storage.service.spec.ts +0 -310
package/src/storage/account-lockout-storage.service.ts +0 -89
package/src/storage/index.ts +0 -3
package/src/storage/memory-storage.adapter.ts +0 -443
package/src/storage/rate-limit-storage.service.spec.ts +0 -247
package/src/storage/rate-limit-storage.service.ts +0 -38
package/src/templates/html-template.engine.spec.ts +0 -161
package/src/templates/html-template.engine.ts +0 -688
package/src/templates/index.ts +0 -7
package/src/utils/common-passwords.spec.ts +0 -230
package/src/utils/common-passwords.ts +0 -170
package/src/utils/context-storage.ts +0 -188
package/src/utils/cookie-names.util.ts +0 -67
package/src/utils/cookies.util.ts +0 -94
package/src/utils/index.ts +0 -12
package/src/utils/ip-extractor.spec.ts +0 -330
package/src/utils/ip-extractor.ts +0 -220
package/src/utils/nauth-logger.spec.ts +0 -388
package/src/utils/nauth-logger.ts +0 -215
package/src/utils/pii-redactor.spec.ts +0 -130
package/src/utils/pii-redactor.ts +0 -288
package/src/utils/setup/get-repositories.ts +0 -140
package/src/utils/setup/init-services.ts +0 -422
package/src/utils/setup/init-social.ts +0 -189
package/src/utils/setup/init-storage.ts +0 -94
package/src/utils/setup/register-mfa.ts +0 -165
package/src/utils/setup/run-nauth-migrations.ts +0 -61
package/src/utils/token-delivery-policy.ts +0 -38
package/src/validators/template.validator.ts +0 -219
package/tsconfig.json +0 -37
package/tsconfig.lint.json +0 -6

package/src/services/trusted-device.service.spec.ts DELETED Viewed

@@ -1,505 +0,0 @@
-import { Repository } from 'typeorm';
-import { TrustedDeviceService } from './trusted-device.service';
-import { BaseTrustedDevice } from '../entities/trusted-device.entity';
-import { NAuthConfig } from '../interfaces/config.interface';
-import { NAuthLogger } from '../utils/nauth-logger';
-/**
- * Trusted Device Service Unit Tests
- *
- * Tests device trust management for "remember device" feature.
- * Covers device creation, validation, revocation, and expiration handling.
- *
- * Platform-agnostic: Uses direct instantiation, no NestJS dependencies.
- */
-describe('TrustedDeviceService', () => {
-  let service: TrustedDeviceService;
-  let mockRepository: jest.Mocked<Repository<BaseTrustedDevice>>;
-  let mockLogger: jest.Mocked<NAuthLogger>;
-  const mockConfig: Partial<NAuthConfig> = {
-    mfa: {
-      enabled: true,
-      rememberDevices: 'user_opt_in',
-      rememberDeviceDays: 30,
-    },
-  };
-  const mockTrustedDevice: Partial<BaseTrustedDevice> = {
-    id: 1,
-    userId: 1,
-    deviceTokenHash: 'hashed-token-123',
-    deviceName: 'My Device',
-    deviceType: 'desktop',
-    ipAddress: '1.2.3.4',
-    userAgent: 'test-user-agent',
-    platform: 'Windows',
-    browser: 'Chrome',
-    trustedUntil: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000), // 30 days from now
-    lastUsedAt: new Date(),
-    createdAt: new Date(),
-  };
-  beforeEach(() => {
-    // Create mock repository
-    mockRepository = {
-      findOne: jest.fn(),
-      create: jest.fn(),
-      save: jest.fn(),
-      update: jest.fn(),
-      delete: jest.fn(),
-      find: jest.fn(),
-    } as any;
-    // Create mock logger
-    mockLogger = {
-      log: jest.fn(),
-      error: jest.fn(),
-      warn: jest.fn(),
-      debug: jest.fn(),
-    } as any;
-    // Instantiate service directly
-    service = new TrustedDeviceService(mockConfig as NAuthConfig, mockLogger, mockRepository);
-  });
-  afterEach(() => {
-    jest.clearAllMocks();
-    // Restore crypto.randomUUID if it was mocked
-    jest.restoreAllMocks();
-  });
-  // ============================================================================
-  // Service Initialization
-  // ============================================================================
-  it('should be defined', () => {
-    expect(service).toBeDefined();
-  });
-  // ============================================================================
-  // createTrustedDevice() Method
-  // ============================================================================
-  describe('createTrustedDevice', () => {
-    it('should create trusted device successfully', async () => {
-      mockRepository.findOne.mockResolvedValue(null);
-      mockRepository.create.mockReturnValue(mockTrustedDevice as any);
-      mockRepository.save.mockResolvedValue(mockTrustedDevice as any);
-      const result = await service.createTrustedDevice(
-        1,
-        'My Device',
-        'desktop',
-        '1.2.3.4',
-        'test-user-agent',
-        'Windows',
-        'Chrome',
-      );
-      // Verify result is a valid UUID format
-      expect(result).toMatch(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i);
-      expect(mockRepository.create).toHaveBeenCalled();
-      expect(mockRepository.save).toHaveBeenCalled();
-    });
-    it('should throw error when rememberDevices is not enabled', async () => {
-      const configDisabled: Partial<NAuthConfig> = {
-        mfa: {
-          enabled: true,
-          rememberDevices: 'never',
-        },
-      };
-      const serviceDisabled = new TrustedDeviceService(configDisabled as NAuthConfig, mockLogger, mockRepository);
-      try {
-        await serviceDisabled.createTrustedDevice(1);
-        fail('Should have thrown Error');
-      } catch (error: any) {
-        expect(error.message).toContain('rememberDevices is not enabled');
-      }
-    });
-    it('should throw error when repository not available', async () => {
-      const serviceWithoutRepo = new TrustedDeviceService(mockConfig as NAuthConfig, mockLogger, undefined);
-      try {
-        await serviceWithoutRepo.createTrustedDevice(1);
-        fail('Should have thrown Error');
-      } catch (error: any) {
-        expect(error.message).toContain('TrustedDeviceRepository not available');
-      }
-    });
-    it('should update existing device if already trusted', async () => {
-      const existingDevice = { ...mockTrustedDevice };
-      // Calculate hash for the device token that will be generated
-      const createHash = (await import('crypto')).createHash;
-      // We'll verify the hash was calculated correctly by checking the update was called
-      mockRepository.findOne.mockResolvedValue(existingDevice as any);
-      mockRepository.update.mockResolvedValue({ affected: 1 } as any);
-      const result = await service.createTrustedDevice(1, 'Updated Device Name');
-      // Verify result is a valid UUID format
-      expect(result).toMatch(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i);
-      expect(mockRepository.update).toHaveBeenCalled();
-      expect(mockRepository.create).not.toHaveBeenCalled();
-    });
-    it('should calculate expiry based on rememberDeviceDays', async () => {
-      const configWithDays: Partial<NAuthConfig> = {
-        mfa: {
-          enabled: true,
-          rememberDevices: 'user_opt_in',
-          rememberDeviceDays: 60,
-        },
-      };
-      const serviceWithDays = new TrustedDeviceService(configWithDays as NAuthConfig, mockLogger, mockRepository);
-      mockRepository.findOne.mockResolvedValue(null);
-      mockRepository.create.mockReturnValue(mockTrustedDevice as any);
-      mockRepository.save.mockResolvedValue(mockTrustedDevice as any);
-      await serviceWithDays.createTrustedDevice(1);
-      // Verify trustedUntil is set correctly (60 days from now)
-      const createCall = mockRepository.create.mock.calls[0][0] as any;
-      const expectedDate = new Date();
-      expectedDate.setDate(expectedDate.getDate() + 60);
-      expect(new Date(createCall.trustedUntil).getTime()).toBeCloseTo(expectedDate.getTime(), -3); // Within 1 second
-    });
-    it('should store all device information', async () => {
-      mockRepository.findOne.mockResolvedValue(null);
-      mockRepository.create.mockReturnValue(mockTrustedDevice as any);
-      mockRepository.save.mockResolvedValue(mockTrustedDevice as any);
-      await service.createTrustedDevice(1, 'My Device', 'desktop', '1.2.3.4', 'test-user-agent', 'Windows', 'Chrome');
-      expect(mockRepository.create).toHaveBeenCalledWith(
-        (expect as any).objectContaining({
-          userId: 1,
-          deviceName: 'My Device',
-          deviceType: 'desktop',
-          ipAddress: '1.2.3.4',
-          userAgent: 'test-user-agent',
-          platform: 'Windows',
-          browser: 'Chrome',
-        }),
-      );
-    });
-    it('should handle null/undefined device information', async () => {
-      mockRepository.findOne.mockResolvedValue(null);
-      mockRepository.create.mockReturnValue(mockTrustedDevice as any);
-      mockRepository.save.mockResolvedValue(mockTrustedDevice as any);
-      await service.createTrustedDevice(1, null, null, null, null, null, null);
-      expect(mockRepository.create).toHaveBeenCalledWith(
-        (expect as any).objectContaining({
-          deviceName: null,
-          deviceType: null,
-          ipAddress: null,
-          userAgent: null,
-          platform: null,
-          browser: null,
-        }),
-      );
-    });
-  });
-  // ============================================================================
-  // isDeviceTrusted() Method
-  // ============================================================================
-  describe('isDeviceTrusted', () => {
-    it('should return false when deviceToken is null', async () => {
-      const result = await service.isDeviceTrusted(null, 1);
-      expect(result).toBe(false);
-    });
-    it('should return false when deviceToken is undefined', async () => {
-      const result = await service.isDeviceTrusted(undefined, 1);
-      expect(result).toBe(false);
-    });
-    it('should return false when repository not available', async () => {
-      const serviceWithoutRepo = new TrustedDeviceService(mockConfig as NAuthConfig, mockLogger, undefined);
-      const result = await serviceWithoutRepo.isDeviceTrusted('token', 1);
-      expect(result).toBe(false);
-    });
-    it('should return false when rememberDevices is not enabled', async () => {
-      const configDisabled: Partial<NAuthConfig> = {
-        mfa: {
-          enabled: true,
-          rememberDevices: 'never',
-        },
-      };
-      const serviceDisabled = new TrustedDeviceService(configDisabled as NAuthConfig, mockLogger, mockRepository);
-      const result = await serviceDisabled.isDeviceTrusted('token', 1);
-      expect(result).toBe(false);
-    });
-    it('should return true when device is trusted and not expired', async () => {
-      const deviceToken = 'device-token-uuid-123';
-      const trustedDevice = {
-        ...mockTrustedDevice,
-        trustedUntil: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000), // Future date
-      };
-      mockRepository.findOne.mockResolvedValue(trustedDevice as any);
-      const result = await service.isDeviceTrusted(deviceToken, 1);
-      expect(result).toBe(true);
-    });
-    it('should return false when device not found', async () => {
-      const deviceToken = 'device-token-uuid-123';
-      mockRepository.findOne.mockResolvedValue(null);
-      const result = await service.isDeviceTrusted(deviceToken, 1);
-      expect(result).toBe(false);
-    });
-    it('should return false and delete when device expired', async () => {
-      const deviceToken = 'device-token-uuid-123';
-      const expiredDevice = {
-        ...mockTrustedDevice,
-        trustedUntil: new Date(Date.now() - 1000), // Past date
-      };
-      mockRepository.findOne.mockResolvedValue(expiredDevice as any);
-      mockRepository.delete.mockResolvedValue({ affected: 1 } as any);
-      const result = await service.isDeviceTrusted(deviceToken, 1);
-      expect(result).toBe(false);
-      expect(mockRepository.delete).toHaveBeenCalled();
-      expect(mockLogger.debug).toHaveBeenCalledWith((expect as any).stringContaining('Trusted device expired'));
-    });
-    it('should update lastUsedAt when device is trusted', async () => {
-      const deviceToken = 'device-token-uuid-123';
-      const trustedDevice = {
-        ...mockTrustedDevice,
-        trustedUntil: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000),
-        lastUsedAt: new Date(Date.now() - 20 * 60 * 1000), // 20 minutes ago
-      };
-      mockRepository.findOne.mockResolvedValue(trustedDevice as any);
-      mockRepository.update.mockResolvedValue({ affected: 1 } as any);
-      await service.isDeviceTrusted(deviceToken, 1);
-      expect(mockRepository.update).toHaveBeenCalled();
-    });
-    it('should throttle lastUsedAt updates to once per 15 minutes', async () => {
-      const deviceToken = 'device-token-uuid-123';
-      const trustedDevice = {
-        ...mockTrustedDevice,
-        trustedUntil: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000),
-        lastUsedAt: new Date(), // Just now
-      };
-      mockRepository.findOne.mockResolvedValue(trustedDevice as any);
-      await service.isDeviceTrusted(deviceToken, 1);
-      // Should not update if lastUsedAt is recent
-      expect(mockRepository.update).not.toHaveBeenCalled();
-    });
-  });
-  // ============================================================================
-  // validateDeviceToken() Method
-  // ============================================================================
-  describe('validateDeviceToken', () => {
-    it('should return not suspicious when token is null', async () => {
-      const result = await service.validateDeviceToken(null, 1);
-      expect(result).toEqual({ isValid: false, isSuspicious: false });
-    });
-    it('should return not suspicious when token is undefined', async () => {
-      const result = await service.validateDeviceToken(undefined, 1);
-      expect(result).toEqual({ isValid: false, isSuspicious: false });
-    });
-    it('should return valid and not suspicious when device is trusted', async () => {
-      const deviceToken = 'device-token-uuid-123';
-      const trustedDevice = {
-        ...mockTrustedDevice,
-        trustedUntil: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000),
-      };
-      mockRepository.findOne.mockResolvedValue(trustedDevice as any);
-      const result = await service.validateDeviceToken(deviceToken, 1);
-      expect(result).toEqual({ isValid: true, isSuspicious: false });
-    });
-    it('should return suspicious when token provided but not trusted', async () => {
-      const deviceToken = 'device-token-uuid-123';
-      mockRepository.findOne.mockResolvedValue(null);
-      const result = await service.validateDeviceToken(deviceToken, 1);
-      expect(result).toEqual({ isValid: false, isSuspicious: true });
-    });
-    it('should return suspicious when token provided but expired', async () => {
-      const deviceToken = 'device-token-uuid-123';
-      const expiredDevice = {
-        ...mockTrustedDevice,
-        trustedUntil: new Date(Date.now() - 1000),
-      };
-      mockRepository.findOne.mockResolvedValue(expiredDevice as any);
-      mockRepository.delete.mockResolvedValue({ affected: 1 } as any);
-      const result = await service.validateDeviceToken(deviceToken, 1);
-      expect(result).toEqual({ isValid: false, isSuspicious: true });
-    });
-  });
-  // ============================================================================
-  // revokeTrustedDevice() Method
-  // ============================================================================
-  describe('revokeTrustedDevice', () => {
-    it('should revoke trusted device successfully', async () => {
-      const deviceToken = 'device-token-uuid-123';
-      mockRepository.delete.mockResolvedValue({ affected: 1 } as any);
-      await service.revokeTrustedDevice(deviceToken, 1);
-      expect(mockRepository.delete).toHaveBeenCalled();
-      expect(mockLogger.debug).toHaveBeenCalledWith((expect as any).stringContaining('Revoked trusted device'));
-    });
-    it('should return early when repository not available', async () => {
-      const serviceWithoutRepo = new TrustedDeviceService(mockConfig as NAuthConfig, mockLogger, undefined);
-      await serviceWithoutRepo.revokeTrustedDevice('token', 1);
-      // Should not throw, just return early
-      expect(mockLogger.debug).not.toHaveBeenCalled();
-    });
-    it('should delete device by hash', async () => {
-      const deviceToken = 'device-token-uuid-123';
-      const createHash = (await import('crypto')).createHash;
-      const hash = createHash('sha256').update(deviceToken).digest('hex');
-      mockRepository.delete.mockResolvedValue({ affected: 1 } as any);
-      await service.revokeTrustedDevice(deviceToken, 1);
-      expect(mockRepository.delete).toHaveBeenCalledWith({
-        userId: 1,
-        deviceTokenHash: hash,
-      });
-    });
-  });
-  // ============================================================================
-  // getUserTrustedDevices() Method
-  // ============================================================================
-  describe('getUserTrustedDevices', () => {
-    it('should return user trusted devices', async () => {
-      const devices = [
-        { ...mockTrustedDevice, id: 1 },
-        { ...mockTrustedDevice, id: 2 },
-      ];
-      mockRepository.find.mockResolvedValue(devices as any);
-      const result = await service.getUserTrustedDevices(1);
-      expect(result.length).toBe(2);
-      expect('deviceTokenHash' in result[0]).toBe(false);
-      expect('deviceTokenHash' in result[1]).toBe(false);
-    });
-    it('should return empty array when repository not available', async () => {
-      const serviceWithoutRepo = new TrustedDeviceService(mockConfig as NAuthConfig, mockLogger, undefined);
-      const result = await serviceWithoutRepo.getUserTrustedDevices(1);
-      expect(result).toEqual([]);
-    });
-    it('should filter out expired devices', async () => {
-      const devices = [
-        { ...mockTrustedDevice, id: 1, trustedUntil: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000) },
-        { ...mockTrustedDevice, id: 2, trustedUntil: new Date(Date.now() - 1000) }, // Expired
-      ];
-      mockRepository.find.mockResolvedValue(devices as any);
-      const result = await service.getUserTrustedDevices(1);
-      expect(result.length).toBe(1);
-      expect(result[0].id).toBe(1);
-    });
-    it('should order devices by lastUsedAt DESC', async () => {
-      const devices = [
-        { ...mockTrustedDevice, id: 1, lastUsedAt: new Date('2025-01-01') },
-        { ...mockTrustedDevice, id: 2, lastUsedAt: new Date('2025-01-02') },
-      ];
-      mockRepository.find.mockResolvedValue(devices as any);
-      await service.getUserTrustedDevices(1);
-      expect(mockRepository.find).toHaveBeenCalledWith({
-        where: { userId: 1 },
-        order: { lastUsedAt: 'DESC' },
-      });
-    });
-    it('should exclude deviceTokenHash from results', async () => {
-      const devices = [
-        {
-          ...mockTrustedDevice,
-          id: 1,
-          deviceTokenHash: 'hash-123',
-          trustedUntil: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000),
-        },
-      ];
-      mockRepository.find.mockResolvedValue(devices as any);
-      const result = await service.getUserTrustedDevices(1);
-      expect('deviceTokenHash' in result[0]).toBe(false);
-      expect('id' in result[0]).toBe(true);
-      expect('userId' in result[0]).toBe(true);
-    });
-  });
-});