npm - @nauth-toolkit/core - Versions diffs - 0.1.0 → 0.1.5 - Mend

@nauth-toolkit/core 0.1.0 → 0.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (184) hide show

package/LICENSE +90 -0
package/README.md +9 -0
package/package.json +8 -3
package/jest.config.js +0 -15
package/jest.setup.ts +0 -6
package/src/adapters/database-columns.ts +0 -165
package/src/adapters/express.adapter.ts +0 -385
package/src/adapters/fastify.adapter.ts +0 -416
package/src/adapters/index.ts +0 -16
package/src/adapters/storage.factory.ts +0 -143
package/src/bootstrap.ts +0 -374
package/src/dto/auth-challenge.dto.ts +0 -231
package/src/dto/auth-response.dto.ts +0 -253
package/src/dto/challenge-response.dto.ts +0 -234
package/src/dto/change-password-request.dto.ts +0 -50
package/src/dto/change-password-response.dto.ts +0 -29
package/src/dto/change-password.dto.ts +0 -57
package/src/dto/error-response.dto.ts +0 -136
package/src/dto/get-available-methods.dto.ts +0 -55
package/src/dto/get-challenge-data-response.dto.ts +0 -28
package/src/dto/get-challenge-data.dto.ts +0 -69
package/src/dto/get-client-info.dto.ts +0 -104
package/src/dto/get-device-token-response.dto.ts +0 -25
package/src/dto/get-events-by-type.dto.ts +0 -76
package/src/dto/get-ip-address-response.dto.ts +0 -24
package/src/dto/get-mfa-status.dto.ts +0 -94
package/src/dto/get-risk-assessment-history.dto.ts +0 -39
package/src/dto/get-session-id-response.dto.ts +0 -25
package/src/dto/get-setup-data-response.dto.ts +0 -31
package/src/dto/get-setup-data.dto.ts +0 -75
package/src/dto/get-suspicious-activity.dto.ts +0 -42
package/src/dto/get-user-agent-response.dto.ts +0 -23
package/src/dto/get-user-auth-history.dto.ts +0 -95
package/src/dto/get-user-by-email.dto.ts +0 -61
package/src/dto/get-user-by-id.dto.ts +0 -46
package/src/dto/get-user-devices.dto.ts +0 -53
package/src/dto/get-user-response.dto.ts +0 -17
package/src/dto/has-provider.dto.ts +0 -56
package/src/dto/index.ts +0 -57
package/src/dto/is-trusted-device-response.dto.ts +0 -34
package/src/dto/list-providers-response.dto.ts +0 -23
package/src/dto/login.dto.ts +0 -95
package/src/dto/logout-all-response.dto.ts +0 -24
package/src/dto/logout-all.dto.ts +0 -65
package/src/dto/logout-response.dto.ts +0 -25
package/src/dto/logout.dto.ts +0 -64
package/src/dto/refresh-token.dto.ts +0 -36
package/src/dto/remove-devices.dto.ts +0 -85
package/src/dto/resend-code-response.dto.ts +0 -32
package/src/dto/resend-code.dto.ts +0 -51
package/src/dto/reset-password.dto.ts +0 -115
package/src/dto/respond-challenge.dto.ts +0 -272
package/src/dto/set-mfa-exemption.dto.ts +0 -112
package/src/dto/set-must-change-password-response.dto.ts +0 -27
package/src/dto/set-must-change-password.dto.ts +0 -46
package/src/dto/set-preferred-method.dto.ts +0 -80
package/src/dto/setup-mfa.dto.ts +0 -98
package/src/dto/signup.dto.ts +0 -174
package/src/dto/social-auth.dto.ts +0 -422
package/src/dto/trust-device-response.dto.ts +0 -30
package/src/dto/trust-device.dto.ts +0 -9
package/src/dto/update-user-attributes-request.dto.ts +0 -51
package/src/dto/user-response.dto.ts +0 -138
package/src/dto/user-update.dto.ts +0 -222
package/src/dto/verify-email.dto.ts +0 -313
package/src/dto/verify-mfa-code.dto.ts +0 -103
package/src/dto/verify-phone-by-sub.dto.ts +0 -78
package/src/dto/verify-phone.dto.ts +0 -245
package/src/entities/auth-audit.entity.ts +0 -232
package/src/entities/challenge-session.entity.ts +0 -116
package/src/entities/index.ts +0 -29
package/src/entities/login-attempt.entity.ts +0 -64
package/src/entities/mfa-device.entity.ts +0 -151
package/src/entities/rate-limit.entity.ts +0 -44
package/src/entities/session.entity.ts +0 -180
package/src/entities/social-account.entity.ts +0 -96
package/src/entities/storage-lock.entity.ts +0 -39
package/src/entities/trusted-device.entity.ts +0 -112
package/src/entities/user.entity.ts +0 -243
package/src/entities/verification-token.entity.ts +0 -141
package/src/enums/auth-audit-event-type.enum.ts +0 -360
package/src/enums/error-codes.enum.ts +0 -420
package/src/enums/mfa-method.enum.ts +0 -97
package/src/enums/risk-factor.enum.ts +0 -111
package/src/exceptions/nauth.exception.ts +0 -231
package/src/handlers/auth.handler.ts +0 -260
package/src/handlers/client-info.handler.ts +0 -101
package/src/handlers/csrf.handler.ts +0 -156
package/src/handlers/token-delivery.handler.ts +0 -118
package/src/index.ts +0 -118
package/src/interfaces/client-info.interface.ts +0 -85
package/src/interfaces/config.interface.ts +0 -2135
package/src/interfaces/entities.interface.ts +0 -226
package/src/interfaces/index.ts +0 -15
package/src/interfaces/logger.interface.ts +0 -283
package/src/interfaces/mfa-provider.interface.ts +0 -154
package/src/interfaces/oauth.interface.ts +0 -148
package/src/interfaces/provider.interface.ts +0 -47
package/src/interfaces/social-auth-provider.interface.ts +0 -131
package/src/interfaces/storage-adapter.interface.ts +0 -82
package/src/interfaces/template.interface.ts +0 -510
package/src/interfaces/token-verifier.interface.ts +0 -110
package/src/internal.ts +0 -178
package/src/platform/interfaces.ts +0 -299
package/src/schemas/auth-config.schema.ts +0 -646
package/src/services/adaptive-mfa-decision.service.spec.ts +0 -1058
package/src/services/adaptive-mfa-decision.service.ts +0 -457
package/src/services/auth-audit.service.spec.ts +0 -675
package/src/services/auth-audit.service.ts +0 -558
package/src/services/auth-challenge-helper.service.spec.ts +0 -3227
package/src/services/auth-challenge-helper.service.ts +0 -825
package/src/services/auth-flow-context-builder.service.ts +0 -520
package/src/services/auth-flow-rules.ts +0 -202
package/src/services/auth-flow-state-definitions.ts +0 -190
package/src/services/auth-flow-state-machine.service.ts +0 -207
package/src/services/auth-flow-state-machine.types.ts +0 -316
package/src/services/auth.service.spec.ts +0 -4195
package/src/services/auth.service.ts +0 -3727
package/src/services/challenge.service.spec.ts +0 -1363
package/src/services/challenge.service.ts +0 -696
package/src/services/client-info.service.spec.ts +0 -572
package/src/services/client-info.service.ts +0 -374
package/src/services/csrf.service.ts +0 -54
package/src/services/email-verification.service.spec.ts +0 -1229
package/src/services/email-verification.service.ts +0 -578
package/src/services/geo-location.service.spec.ts +0 -603
package/src/services/geo-location.service.ts +0 -599
package/src/services/index.ts +0 -13
package/src/services/jwt.service.spec.ts +0 -882
package/src/services/jwt.service.ts +0 -621
package/src/services/mfa-base.service.spec.ts +0 -246
package/src/services/mfa-base.service.ts +0 -611
package/src/services/mfa.service.spec.ts +0 -693
package/src/services/mfa.service.ts +0 -960
package/src/services/password.service.spec.ts +0 -166
package/src/services/password.service.ts +0 -309
package/src/services/phone-verification.service.spec.ts +0 -1120
package/src/services/phone-verification.service.ts +0 -751
package/src/services/risk-detection.service.spec.ts +0 -1292
package/src/services/risk-detection.service.ts +0 -1012
package/src/services/risk-scoring.service.spec.ts +0 -204
package/src/services/risk-scoring.service.ts +0 -131
package/src/services/session.service.spec.ts +0 -1293
package/src/services/session.service.ts +0 -803
package/src/services/social-account.service.spec.ts +0 -725
package/src/services/social-auth-base.service.spec.ts +0 -418
package/src/services/social-auth-base.service.ts +0 -581
package/src/services/social-auth.service.spec.ts +0 -238
package/src/services/social-auth.service.ts +0 -436
package/src/services/social-provider-registry.service.spec.ts +0 -238
package/src/services/social-provider-registry.service.ts +0 -122
package/src/services/trusted-device.service.spec.ts +0 -505
package/src/services/trusted-device.service.ts +0 -339
package/src/storage/account-lockout-storage.service.spec.ts +0 -310
package/src/storage/account-lockout-storage.service.ts +0 -89
package/src/storage/index.ts +0 -3
package/src/storage/memory-storage.adapter.ts +0 -443
package/src/storage/rate-limit-storage.service.spec.ts +0 -247
package/src/storage/rate-limit-storage.service.ts +0 -38
package/src/templates/html-template.engine.spec.ts +0 -161
package/src/templates/html-template.engine.ts +0 -688
package/src/templates/index.ts +0 -7
package/src/utils/common-passwords.spec.ts +0 -230
package/src/utils/common-passwords.ts +0 -170
package/src/utils/context-storage.ts +0 -188
package/src/utils/cookie-names.util.ts +0 -67
package/src/utils/cookies.util.ts +0 -94
package/src/utils/index.ts +0 -12
package/src/utils/ip-extractor.spec.ts +0 -330
package/src/utils/ip-extractor.ts +0 -220
package/src/utils/nauth-logger.spec.ts +0 -388
package/src/utils/nauth-logger.ts +0 -215
package/src/utils/pii-redactor.spec.ts +0 -130
package/src/utils/pii-redactor.ts +0 -288
package/src/utils/setup/get-repositories.ts +0 -140
package/src/utils/setup/init-services.ts +0 -422
package/src/utils/setup/init-social.ts +0 -189
package/src/utils/setup/init-storage.ts +0 -94
package/src/utils/setup/register-mfa.ts +0 -165
package/src/utils/setup/run-nauth-migrations.ts +0 -61
package/src/utils/token-delivery-policy.ts +0 -38
package/src/validators/template.validator.ts +0 -219
package/tsconfig.json +0 -37
package/tsconfig.lint.json +0 -6

package/src/interfaces/entities.interface.ts DELETED Viewed

@@ -1,226 +0,0 @@
-/**
- * Entity Interface Contracts
- *
- * These interfaces define the shape of entities without importing concrete implementations.
- * Database packages must implement these interfaces to ensure type safety across the modular architecture.
- *
- * This allows core to maintain strict typing while entities live in separate packages.
- */
-/**
- * User Entity Interface
- *
- * Core user authentication record
- */
-export interface IUser {
-  id: number;
-  sub: string;
-  email: string;
-  username: string | null;
-  phone: string | null;
-  firstName: string | null;
-  lastName: string | null;
-  passwordHash: string | null;
-  passwordChangedAt: Date | null;
-  passwordHistory: string[] | null;
-  isEmailVerified: boolean;
-  isPhoneVerified: boolean;
-  isActive: boolean;
-  mustChangePassword: boolean;
-  isLocked: boolean;
-  lockReason: string | null;
-  lockedAt: Date | null;
-  lockedUntil: Date | null;
-  failedLoginAttempts: number;
-  lastFailedLoginAt: Date | null;
-  lastLoginAt: Date | null;
-  lastLoginIp: string | null;
-  hasSocialAuth: boolean;
-  socialProviders: string[] | null;
-  mfaEnabled: boolean;
-  mfaMethods: string[] | null;
-  preferredMfaMethod: string | null;
-  mfaExempt?: boolean;
-  mfaExemptReason?: string | null;
-  mfaExemptGrantedAt?: Date | null;
-  mfaExemptGrantedBy?: string | null;
-  backupCodes: string[] | null;
-  metadata: Record<string, unknown> | null;
-  createdAt: Date;
-  updatedAt: Date;
-  deletedAt: Date | null;
-}
-/**
- * Session Entity Interface
- *
- * JWT session tracking
- */
-export interface ISession {
-  id: number;
-  userId: number;
-  accessTokenHash: string;
-  refreshTokenHash: string;
-  tokenFamily: string;
-  deviceId: string | null;
-  deviceName: string | null;
-  deviceType: string | null;
-  deviceFingerprint: string | null;
-  ipAddress: string | null;
-  ipCountry: string | null;
-  ipCity: string | null;
-  ipIsp: string | null;
-  userAgent: string | null;
-  platform: string | null;
-  browser: string | null;
-  authMethod: string | null;
-  isRemembered: boolean;
-  isTrustedDevice: boolean;
-  expiresAt: Date;
-  lastActivityAt: Date | null;
-  isRevoked: boolean;
-  revokedAt: Date | null;
-  revokeReason: string | null;
-  version: number;
-  metadata: Record<string, unknown> | null;
-  createdAt: Date;
-}
-/**
- * Login Attempt Entity Interface
- *
- * Failed login tracking
- */
-export interface ILoginAttempt {
-  id: number;
-  email: string | null;
-  userId: number | null;
-  ipAddress: string | null;
-  userAgent: string | null;
-  success: boolean;
-  failureReason: string | null;
-  mfaRequired: boolean;
-  metadata: Record<string, unknown> | null;
-  createdAt: Date;
-}
-/**
- * Verification Token Entity Interface
- *
- * Email/phone/password reset tokens
- */
-export interface IVerificationToken {
-  id: number;
-  userId: number;
-  challengeSessionId?: number | null;
-  type: 'email' | 'phone' | 'password_reset';
-  token: string;
-  code: string | null;
-  expiresAt: Date;
-  attempts: number;
-  usedAt: Date | null;
-  ipAddress: string | null;
-  userAgent: string | null;
-  createdAt: Date;
-  // Helper methods (if entity implements them)
-  isExpired?: () => boolean;
-  maxAttemptsExceeded?: (max: number) => boolean;
-}
-/**
- * Social Account Entity Interface
- *
- * OAuth provider linkage
- */
-export interface ISocialAccount {
-  id: number;
-  userId: number;
-  provider: string;
-  providerId: string;
-  providerEmail: string | null;
-  linkedAt: Date;
-  lastUsedAt: Date | null;
-  metadata: Record<string, unknown> | null;
-  createdAt: Date;
-  updatedAt: Date;
-}
-/**
- * Challenge Session Entity Interface
- *
- * Temporary sessions for challenge-response flows
- */
-export interface IChallengeSession {
-  id: number;
-  userId: number;
-  user?: IUser; // Optional relation
-  sessionToken: string;
-  challengeName: string;
-  challengeParameters: Record<string, unknown> | null;
-  metadata?: Record<string, unknown> | null;
-  attempts: number;
-  maxAttempts: number;
-  expiresAt: Date;
-  isCompleted?: boolean;
-  completedAt?: Date | null;
-  ipAddress: string | null;
-  userAgent: string | null;
-  createdAt: Date;
-}
-/**
- * MFA Device Entity Interface
- *
- * Multi-factor authentication device registrations
- */
-import { MFADeviceMethod } from '../enums/mfa-method.enum';
-export interface IMFADevice {
-  id: number;
-  userId: number;
-  type: MFADeviceMethod;
-  name: string;
-  secret: string | null;
-  credentialId: string | null;
-  publicKey: string | null;
-  counter: number | null;
-  transports: string[] | null;
-  phoneNumber?: string | null; // For SMS MFA
-  email?: string | null; // For Email MFA
-  isPrimary?: boolean; // Primary device flag
-  isActive: boolean;
-  lastUsedAt: Date | null;
-  createdAt: Date;
-}
-/**
- * Authentication Audit Entity Interface
- *
- * Audit trail record for authentication and security events
- */
-export interface IAuthAudit {
-  id: number;
-  userId: number;
-  eventType: string;
-  eventStatus: 'SUCCESS' | 'FAILURE' | 'INFO' | 'SUSPICIOUS';
-  riskFactor?: number | null;
-  riskFactors?: string[] | null; // Stored as string[] in DB, but should use RiskFactor enum values
-  adaptiveMfaTriggered?: boolean | null;
-  ipAddress?: string | null;
-  ipCountry?: string | null;
-  ipCity?: string | null;
-  userAgent?: string | null;
-  platform?: string | null;
-  browser?: string | null;
-  deviceId?: string | null;
-  deviceName?: string | null;
-  deviceType?: string | null;
-  sessionId?: number | null;
-  challengeSessionId?: number | null;
-  authMethod?: string | null;
-  performedBy?: string | null;
-  reason?: string | null;
-  description?: string | null;
-  metadata?: Record<string, unknown> | null;
-  createdAt: Date;
-}

package/src/interfaces/index.ts DELETED Viewed

@@ -1,15 +0,0 @@
-export * from './config.interface';
-export * from './entities.interface';
-export * from './logger.interface';
-export * from './mfa-provider.interface';
-export * from './oauth.interface';
-export * from './provider.interface';
-// NOTE: SMS provider configurations moved to their respective packages
-// Import from @nauth-toolkit/sms-aws-sns, @nauth-toolkit/sms-twilio, etc.
-// export * from './sms-config.interface'; // Deprecated - kept for backward compatibility notes only
-export * from './social-auth-provider.interface';
-export * from './storage-adapter.interface';
-export * from './template.interface';
-export * from './token-verifier.interface';
-// Note: ClientInfo interface is exported directly from core/index.ts as IClientInfo
-// to avoid naming conflict with ClientInfo decorator

package/src/interfaces/logger.interface.ts DELETED Viewed

@@ -1,283 +0,0 @@
-/**
- * Logging Provider Interface
- *
- * Allows users to plug in their own logging solution (Winston, Pino, etc.)
- * while nauth-toolkit automatically redacts PII (Personally Identifiable Information).
- *
- * Key features:
- * - Standard log levels (debug, log, warn, error)
- * - Automatic PII redaction (emails, passwords, tokens, IPs)
- * - Structured logging support
- * - Contextual logging with metadata
- *
- * @example
- * ```typescript
- * // Use default NestJS logger
- * AuthModule.forRoot({
- *   logger: new NestJsLoggerAdapter(),
- * })
- *
- * // Use Winston
- * AuthModule.forRoot({
- *   logger: new WinstonLoggerAdapter(winstonInstance),
- * })
- *
- * // Use Pino
- * AuthModule.forRoot({
- *   logger: new PinoLoggerAdapter(pinoInstance),
- * })
- * ```
- */
-/**
- * Log Level
- *
- * Standard logging levels in order of severity
- */
-export enum LogLevel {
-  DEBUG = 'debug',
-  LOG = 'log',
-  INFO = 'info',
-  WARN = 'warn',
-  ERROR = 'error',
-}
-/**
- * Log Metadata
- *
- * Additional context for log entries.
- * All values are automatically redacted if they contain PII.
- */
-export interface LogMetadata {
-  /**
-   * User ID (non-PII, safe to log)
-   */
-  userId?: string;
-  /**
-   * Session ID (non-PII, safe to log)
-   */
-  sessionId?: string;
-  /**
-   * Request ID for tracing
-   */
-  requestId?: string;
-  /**
-   * Event type (e.g., 'login', 'signup', 'password_change')
-   */
-  event?: string;
-  /**
-   * IP address (will be redacted to first 3 octets)
-   */
-  ipAddress?: string;
-  /**
-   * Device information (non-PII)
-   */
-  deviceType?: string;
-  /**
-   * Error details
-   */
-  error?: Error | string;
-  /**
-   * Duration in milliseconds (for performance tracking)
-   */
-  duration?: number;
-  /**
-   * Additional custom metadata
-   */
-  [key: string]: unknown;
-}
-/**
- * Logger Provider Interface
- *
- * Contract that all logging providers must implement.
- * nauth-toolkit will call these methods and automatically redact PII.
- *
- * @example
- * ```typescript
- * class CustomLogger implements LoggerProvider {
- *   debug(message: string, metadata?: LogMetadata): void {
- *     myLogger.debug(message, metadata);
- *   }
- *
- *   log(message: string, metadata?: LogMetadata): void {
- *     myLogger.info(message, metadata);
- *   }
- *
- *   warn(message: string, metadata?: LogMetadata): void {
- *     myLogger.warn(message, metadata);
- *   }
- *
- *   error(message: string, metadata?: LogMetadata): void {
- *     myLogger.error(message, metadata);
- *   }
- * }
- * ```
- */
-export interface LoggerProvider {
-  /**
-   * Log debug message (lowest priority)
-   *
-   * Used for detailed debugging information.
-   *
-   * @param message - Log message
-   * @param metadata - Additional context (PII will be redacted)
-   */
-  debug(message: string, metadata?: LogMetadata): void;
-  /**
-   * Log informational message
-   *
-   * Used for general informational messages about system operation.
-   *
-   * @param message - Log message
-   * @param metadata - Additional context (PII will be redacted)
-   */
-  log(message: string, metadata?: LogMetadata): void;
-  /**
-   * Log warning message
-   *
-   * Used for potentially harmful situations.
-   *
-   * @param message - Log message
-   * @param metadata - Additional context (PII will be redacted)
-   */
-  warn(message: string, metadata?: LogMetadata): void;
-  /**
-   * Log error message (highest priority)
-   *
-   * Used for error events that might still allow the application to continue.
-   *
-   * @param message - Log message
-   * @param metadata - Additional context (PII will be redacted)
-   */
-  error(message: string, metadata?: LogMetadata): void;
-}
-/**
- * PII Redaction Options
- *
- * Configure what PII should be redacted from logs
- */
-export interface PiiRedactionOptions {
-  /**
-   * Redact email addresses
-   * @default true
-   *
-   * Example: `user@example.com` → `u***@***.com`
-   */
-  redactEmails?: boolean;
-  /**
-   * Redact full IP addresses (keep first 3 octets)
-   * @default true
-   *
-   * Example: `192.168.1.100` → `192.168.1.***`
-   */
-  redactIpAddresses?: boolean;
-  /**
-   * Redact tokens and secrets
-   * @default true
-   *
-   * Example: `eyJhbGciOiJIUzI1...` → `eyJ***...***`
-   */
-  redactTokens?: boolean;
-  /**
-   * Redact passwords and password hashes
-   * @default true
-   *
-   * Never log passwords! Always redacted.
-   */
-  redactPasswords?: boolean;
-  /**
-   * Redact phone numbers
-   * @default true
-   *
-   * Example: `+1234567890` → `+123***7890`
-   */
-  redactPhoneNumbers?: boolean;
-  /**
-   * Redact names (firstName, lastName)
-   * @default true
-   *
-   * Example: `John Doe` → `J*** D***`
-   */
-  redactNames?: boolean;
-  /**
-   * Custom fields to redact
-   *
-   * Field names that should be fully redacted if present in metadata.
-   *
-   * @default ['ssn', 'creditCard', 'bankAccount']
-   */
-  customRedactionFields?: string[];
-}
-/**
- * Logger Configuration
- *
- * Configuration for the logging system
- */
-export interface LoggerConfig {
-  /**
-   * Logger provider instance
-   *
-   * @default NestJsLoggerAdapter (built-in)
-   */
-  provider?: LoggerProvider;
-  /**
-   * Minimum log level to output
-   *
-   * @default LogLevel.LOG
-   */
-  level?: LogLevel;
-  /**
-   * Enable PII redaction
-   *
-   * @default true (always enabled in production)
-   */
-  enablePiiRedaction?: boolean;
-  /**
-   * PII redaction options
-   */
-  piiRedactionOptions?: PiiRedactionOptions;
-  /**
-   * Log authentication events
-   *
-   * @default true
-   */
-  logAuthEvents?: boolean;
-  /**
-   * Log security events (lockouts, suspicious activity)
-   *
-   * @default true
-   */
-  logSecurityEvents?: boolean;
-  /**
-   * Log performance metrics
-   *
-   * @default false
-   */
-  logPerformance?: boolean;
-}

package/src/interfaces/mfa-provider.interface.ts DELETED Viewed

@@ -1,154 +0,0 @@
-import { IUser } from './entities.interface';
-/**
- * MFA Provider Service Interface
- *
- * Defines the contract that all MFA provider services must implement.
- * Each MFA method (TOTP, SMS, Passkey) is a separate provider that extends
- * the base class and implements this interface.
- *
- * Provider-specific types (e.g., SetupTOTPResponseDTO) are defined in each
- * provider package, not in core, to maintain proper separation of concerns.
- *
- * @example
- * ```typescript
- * @Injectable()
- * export class TOTPMFAProviderService extends BaseMFAProviderService implements IMFAProviderService {
- *   readonly methodName = 'totp';
- *
- *   async setup(user: IUser): Promise<unknown> {
- *     // TOTP-specific setup logic
- *   }
- *
- *   async verify(user: IUser, code: string, deviceId?: number): Promise<boolean> {
- *     // TOTP verification logic
- *   }
- * }
- * ```
- */
-export interface IMFAProviderService {
-  /**
-   * Unique method name for this MFA provider
-   * Examples: 'totp', 'sms', 'passkey'
-   */
-  readonly methodName: string;
-  /**
-   * Check if this MFA method is allowed by configuration
-   *
-   * @returns True if method is allowed
-   */
-  isMethodAllowed(): boolean;
-  /**
-   * Setup MFA device for user
-   *
-   * Initiates the setup process for this MFA method.
-   * Provider-specific setup data is returned.
-   *
-   * @param user - User setting up MFA
-   * @returns Provider-specific setup data (e.g., QR code for TOTP, options for Passkey)
-   * @throws {NAuthException} If method is not allowed or setup fails
-   *
-   * @example
-   * ```typescript
-   * // TOTP provider returns { secret, qrCode, manualEntryKey }
-   * const setupData = await totpProvider.setup(user);
-   *
-   * // Passkey provider returns WebAuthn registration options
-   * const options = await passkeyProvider.setup(user);
-   * ```
-   */
-  setup(user: IUser, setupData?: unknown): Promise<unknown>;
-  /**
-   * Verify and complete MFA setup
-   *
-   * Validates the verification code/credential and creates the MFA device.
-   *
-   * @param user - User completing setup
-   * @param verificationData - Provider-specific verification data (code, credential, etc.)
-   * @param deviceName - Optional device name
-   * @returns Created MFA device ID
-   * @throws {NAuthException} If verification fails
-   *
-   * @example
-   * ```typescript
-   * // TOTP: verificationData = { secret, code }
-   * const deviceId = await totpProvider.verifySetup(user, { secret: '...', code: '123456' });
-   *
-   * // SMS: verificationData = { phoneNumber, code }
-   * const deviceId = await smsProvider.verifySetup(user, { phoneNumber: '+1234567890', code: '123456' });
-   *
-   * // Passkey: verificationData = { credential, challenge }
-   * const deviceId = await passkeyProvider.verifySetup(user, { credential: {...}, challenge: '...' });
-   * ```
-   */
-  verifySetup(user: IUser, verificationData: unknown, deviceName?: string): Promise<number>;
-  /**
-   * Verify MFA code/credential during authentication
-   *
-   * Validates the MFA code or credential for an existing device.
-   *
-   * @param user - User being authenticated
-   * @param code - MFA code or credential (provider-specific)
-   * @param deviceId - Optional device ID to verify against (if not provided, finds active device)
-   * @returns True if verification succeeds
-   * @throws {NAuthException} If device not found or verification fails
-   *
-   * @example
-   * ```typescript
-   * // TOTP: code = '123456'
-   * const isValid = await totpProvider.verify(user, '123456');
-   *
-   * // SMS: code = '123456'
-   * const isValid = await smsProvider.verify(user, '123456');
-   *
-   * // Passkey: code = { credential: {...}, challenge: '...' }
-   * const isValid = await passkeyProvider.verify(user, { credential: {...}, challenge: '...' });
-   * ```
-   */
-  verify(user: IUser, code: unknown, deviceId?: number): Promise<boolean>;
-  /**
-   * Send verification code/challenge for authentication
-   *
-   * Used during login to send SMS code or generate passkey challenge.
-   * Not applicable for TOTP (user generates code locally).
-   *
-   * @param user - User requesting verification
-   * @returns Provider-specific challenge data (e.g., masked phone for SMS, WebAuthn options for Passkey)
-   * @throws {NAuthException} If no device registered or send fails
-   *
-   * @example
-   * ```typescript
-   * // SMS: returns masked phone number
-   * const maskedPhone = await smsProvider.sendChallenge(user); // '***-***-1234'
-   *
-   * // Passkey: returns WebAuthn authentication options
-   * const options = await passkeyProvider.sendChallenge(user); // { challenge: '...', ... }
-   * ```
-   */
-  sendChallenge?(user: IUser): Promise<unknown>; // Optional - only providers like SMS need it
-  /**
-   * Generate backup codes for user
-   *
-   * Creates single-use recovery codes that can be used when MFA devices are unavailable.
-   * Provided by BaseMFAProviderService for all providers.
-   *
-   * @param user - User to generate codes for
-   * @returns Generated backup codes (plain text - shown only once)
-   *
-   * @example
-   * ```typescript
-   * const codes = await provider.generateBackupCodes?.(user);
-   * // Returns: ['ABC12345', 'DEF67890', ...]
-   * ```
-   */
-  generateBackupCodes?(user: IUser): Promise<string[]>; // Optional - provided by BaseMFAProviderService
-}
-// Helper type to check if a provider implements sendChallenge
-export type MFAProviderWithChallenge = IMFAProviderService & Required<Pick<IMFAProviderService, 'sendChallenge'>>;