npm - @nauth-toolkit/core - Versions diffs - 0.1.0 → 0.1.5 - Mend

@nauth-toolkit/core 0.1.0 → 0.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (184) hide show

package/LICENSE +90 -0
package/README.md +9 -0
package/package.json +8 -3
package/jest.config.js +0 -15
package/jest.setup.ts +0 -6
package/src/adapters/database-columns.ts +0 -165
package/src/adapters/express.adapter.ts +0 -385
package/src/adapters/fastify.adapter.ts +0 -416
package/src/adapters/index.ts +0 -16
package/src/adapters/storage.factory.ts +0 -143
package/src/bootstrap.ts +0 -374
package/src/dto/auth-challenge.dto.ts +0 -231
package/src/dto/auth-response.dto.ts +0 -253
package/src/dto/challenge-response.dto.ts +0 -234
package/src/dto/change-password-request.dto.ts +0 -50
package/src/dto/change-password-response.dto.ts +0 -29
package/src/dto/change-password.dto.ts +0 -57
package/src/dto/error-response.dto.ts +0 -136
package/src/dto/get-available-methods.dto.ts +0 -55
package/src/dto/get-challenge-data-response.dto.ts +0 -28
package/src/dto/get-challenge-data.dto.ts +0 -69
package/src/dto/get-client-info.dto.ts +0 -104
package/src/dto/get-device-token-response.dto.ts +0 -25
package/src/dto/get-events-by-type.dto.ts +0 -76
package/src/dto/get-ip-address-response.dto.ts +0 -24
package/src/dto/get-mfa-status.dto.ts +0 -94
package/src/dto/get-risk-assessment-history.dto.ts +0 -39
package/src/dto/get-session-id-response.dto.ts +0 -25
package/src/dto/get-setup-data-response.dto.ts +0 -31
package/src/dto/get-setup-data.dto.ts +0 -75
package/src/dto/get-suspicious-activity.dto.ts +0 -42
package/src/dto/get-user-agent-response.dto.ts +0 -23
package/src/dto/get-user-auth-history.dto.ts +0 -95
package/src/dto/get-user-by-email.dto.ts +0 -61
package/src/dto/get-user-by-id.dto.ts +0 -46
package/src/dto/get-user-devices.dto.ts +0 -53
package/src/dto/get-user-response.dto.ts +0 -17
package/src/dto/has-provider.dto.ts +0 -56
package/src/dto/index.ts +0 -57
package/src/dto/is-trusted-device-response.dto.ts +0 -34
package/src/dto/list-providers-response.dto.ts +0 -23
package/src/dto/login.dto.ts +0 -95
package/src/dto/logout-all-response.dto.ts +0 -24
package/src/dto/logout-all.dto.ts +0 -65
package/src/dto/logout-response.dto.ts +0 -25
package/src/dto/logout.dto.ts +0 -64
package/src/dto/refresh-token.dto.ts +0 -36
package/src/dto/remove-devices.dto.ts +0 -85
package/src/dto/resend-code-response.dto.ts +0 -32
package/src/dto/resend-code.dto.ts +0 -51
package/src/dto/reset-password.dto.ts +0 -115
package/src/dto/respond-challenge.dto.ts +0 -272
package/src/dto/set-mfa-exemption.dto.ts +0 -112
package/src/dto/set-must-change-password-response.dto.ts +0 -27
package/src/dto/set-must-change-password.dto.ts +0 -46
package/src/dto/set-preferred-method.dto.ts +0 -80
package/src/dto/setup-mfa.dto.ts +0 -98
package/src/dto/signup.dto.ts +0 -174
package/src/dto/social-auth.dto.ts +0 -422
package/src/dto/trust-device-response.dto.ts +0 -30
package/src/dto/trust-device.dto.ts +0 -9
package/src/dto/update-user-attributes-request.dto.ts +0 -51
package/src/dto/user-response.dto.ts +0 -138
package/src/dto/user-update.dto.ts +0 -222
package/src/dto/verify-email.dto.ts +0 -313
package/src/dto/verify-mfa-code.dto.ts +0 -103
package/src/dto/verify-phone-by-sub.dto.ts +0 -78
package/src/dto/verify-phone.dto.ts +0 -245
package/src/entities/auth-audit.entity.ts +0 -232
package/src/entities/challenge-session.entity.ts +0 -116
package/src/entities/index.ts +0 -29
package/src/entities/login-attempt.entity.ts +0 -64
package/src/entities/mfa-device.entity.ts +0 -151
package/src/entities/rate-limit.entity.ts +0 -44
package/src/entities/session.entity.ts +0 -180
package/src/entities/social-account.entity.ts +0 -96
package/src/entities/storage-lock.entity.ts +0 -39
package/src/entities/trusted-device.entity.ts +0 -112
package/src/entities/user.entity.ts +0 -243
package/src/entities/verification-token.entity.ts +0 -141
package/src/enums/auth-audit-event-type.enum.ts +0 -360
package/src/enums/error-codes.enum.ts +0 -420
package/src/enums/mfa-method.enum.ts +0 -97
package/src/enums/risk-factor.enum.ts +0 -111
package/src/exceptions/nauth.exception.ts +0 -231
package/src/handlers/auth.handler.ts +0 -260
package/src/handlers/client-info.handler.ts +0 -101
package/src/handlers/csrf.handler.ts +0 -156
package/src/handlers/token-delivery.handler.ts +0 -118
package/src/index.ts +0 -118
package/src/interfaces/client-info.interface.ts +0 -85
package/src/interfaces/config.interface.ts +0 -2135
package/src/interfaces/entities.interface.ts +0 -226
package/src/interfaces/index.ts +0 -15
package/src/interfaces/logger.interface.ts +0 -283
package/src/interfaces/mfa-provider.interface.ts +0 -154
package/src/interfaces/oauth.interface.ts +0 -148
package/src/interfaces/provider.interface.ts +0 -47
package/src/interfaces/social-auth-provider.interface.ts +0 -131
package/src/interfaces/storage-adapter.interface.ts +0 -82
package/src/interfaces/template.interface.ts +0 -510
package/src/interfaces/token-verifier.interface.ts +0 -110
package/src/internal.ts +0 -178
package/src/platform/interfaces.ts +0 -299
package/src/schemas/auth-config.schema.ts +0 -646
package/src/services/adaptive-mfa-decision.service.spec.ts +0 -1058
package/src/services/adaptive-mfa-decision.service.ts +0 -457
package/src/services/auth-audit.service.spec.ts +0 -675
package/src/services/auth-audit.service.ts +0 -558
package/src/services/auth-challenge-helper.service.spec.ts +0 -3227
package/src/services/auth-challenge-helper.service.ts +0 -825
package/src/services/auth-flow-context-builder.service.ts +0 -520
package/src/services/auth-flow-rules.ts +0 -202
package/src/services/auth-flow-state-definitions.ts +0 -190
package/src/services/auth-flow-state-machine.service.ts +0 -207
package/src/services/auth-flow-state-machine.types.ts +0 -316
package/src/services/auth.service.spec.ts +0 -4195
package/src/services/auth.service.ts +0 -3727
package/src/services/challenge.service.spec.ts +0 -1363
package/src/services/challenge.service.ts +0 -696
package/src/services/client-info.service.spec.ts +0 -572
package/src/services/client-info.service.ts +0 -374
package/src/services/csrf.service.ts +0 -54
package/src/services/email-verification.service.spec.ts +0 -1229
package/src/services/email-verification.service.ts +0 -578
package/src/services/geo-location.service.spec.ts +0 -603
package/src/services/geo-location.service.ts +0 -599
package/src/services/index.ts +0 -13
package/src/services/jwt.service.spec.ts +0 -882
package/src/services/jwt.service.ts +0 -621
package/src/services/mfa-base.service.spec.ts +0 -246
package/src/services/mfa-base.service.ts +0 -611
package/src/services/mfa.service.spec.ts +0 -693
package/src/services/mfa.service.ts +0 -960
package/src/services/password.service.spec.ts +0 -166
package/src/services/password.service.ts +0 -309
package/src/services/phone-verification.service.spec.ts +0 -1120
package/src/services/phone-verification.service.ts +0 -751
package/src/services/risk-detection.service.spec.ts +0 -1292
package/src/services/risk-detection.service.ts +0 -1012
package/src/services/risk-scoring.service.spec.ts +0 -204
package/src/services/risk-scoring.service.ts +0 -131
package/src/services/session.service.spec.ts +0 -1293
package/src/services/session.service.ts +0 -803
package/src/services/social-account.service.spec.ts +0 -725
package/src/services/social-auth-base.service.spec.ts +0 -418
package/src/services/social-auth-base.service.ts +0 -581
package/src/services/social-auth.service.spec.ts +0 -238
package/src/services/social-auth.service.ts +0 -436
package/src/services/social-provider-registry.service.spec.ts +0 -238
package/src/services/social-provider-registry.service.ts +0 -122
package/src/services/trusted-device.service.spec.ts +0 -505
package/src/services/trusted-device.service.ts +0 -339
package/src/storage/account-lockout-storage.service.spec.ts +0 -310
package/src/storage/account-lockout-storage.service.ts +0 -89
package/src/storage/index.ts +0 -3
package/src/storage/memory-storage.adapter.ts +0 -443
package/src/storage/rate-limit-storage.service.spec.ts +0 -247
package/src/storage/rate-limit-storage.service.ts +0 -38
package/src/templates/html-template.engine.spec.ts +0 -161
package/src/templates/html-template.engine.ts +0 -688
package/src/templates/index.ts +0 -7
package/src/utils/common-passwords.spec.ts +0 -230
package/src/utils/common-passwords.ts +0 -170
package/src/utils/context-storage.ts +0 -188
package/src/utils/cookie-names.util.ts +0 -67
package/src/utils/cookies.util.ts +0 -94
package/src/utils/index.ts +0 -12
package/src/utils/ip-extractor.spec.ts +0 -330
package/src/utils/ip-extractor.ts +0 -220
package/src/utils/nauth-logger.spec.ts +0 -388
package/src/utils/nauth-logger.ts +0 -215
package/src/utils/pii-redactor.spec.ts +0 -130
package/src/utils/pii-redactor.ts +0 -288
package/src/utils/setup/get-repositories.ts +0 -140
package/src/utils/setup/init-services.ts +0 -422
package/src/utils/setup/init-social.ts +0 -189
package/src/utils/setup/init-storage.ts +0 -94
package/src/utils/setup/register-mfa.ts +0 -165
package/src/utils/setup/run-nauth-migrations.ts +0 -61
package/src/utils/token-delivery-policy.ts +0 -38
package/src/validators/template.validator.ts +0 -219
package/tsconfig.json +0 -37
package/tsconfig.lint.json +0 -6

package/src/services/jwt.service.spec.ts DELETED Viewed

@@ -1,882 +0,0 @@
-import * as crypto from 'crypto';
-import { JwtService } from './jwt.service';
-import { JwtConfig } from '../interfaces/config.interface';
-import { NAuthException } from '../exceptions/nauth.exception';
-/**
- * JWT Service Unit Tests
- *
- * Covers:
- * - Token generation (access and refresh tokens)
- * - Token validation (access and refresh tokens)
- * - Multiple algorithms (HS256, HS384, HS512, RS256, RS384, RS512)
- * - Token expiration handling
- * - Token family tracking
- * - Token utilities (hash, decode, extract)
- * - Error handling
- * - Configuration edge cases
- */
-describe('JwtService', () => {
-  let service: JwtService;
-  let config: JwtConfig;
-  // Generate RSA key pair for asymmetric algorithm testing
-  const generateRSAKeyPair = (): { privateKey: string; publicKey: string } => {
-    const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
-      modulusLength: 2048,
-      publicKeyEncoding: {
-        type: 'spki',
-        format: 'pem',
-      },
-      privateKeyEncoding: {
-        type: 'pkcs8',
-        format: 'pem',
-      },
-    });
-    return { privateKey, publicKey };
-  };
-  const defaultConfig: JwtConfig = {
-    algorithm: 'HS256',
-    accessToken: {
-      secret: 'test-access-secret-min-32-characters',
-      expiresIn: '15m',
-    },
-    refreshToken: {
-      secret: 'test-refresh-secret-min-32-characters',
-      expiresIn: '30d',
-      rotation: true,
-      reuseDetection: true,
-    },
-    issuer: 'nauth-toolkit',
-    audience: 'test-app',
-  };
-  beforeEach(() => {
-    config = { ...defaultConfig };
-    service = new JwtService(config);
-  });
-  // ============================================================================
-  // Service Initialization
-  // ============================================================================
-  describe('constructor', () => {
-    it('should initialize with valid config', () => {
-      expect(service).toBeDefined();
-    });
-    it('should use default algorithm HS256 when not specified', () => {
-      const configWithoutAlgorithm = {
-        ...defaultConfig,
-        algorithm: undefined,
-      };
-      const serviceDefault = new JwtService(configWithoutAlgorithm);
-      expect(serviceDefault).toBeDefined();
-    });
-  });
-  // ============================================================================
-  // Token Generation
-  // ============================================================================
-  describe('generateTokenPair', () => {
-    it('should generate access and refresh tokens', async () => {
-      const tokens = await service.generateTokenPair({
-        userId: 'user-123',
-        email: 'test@example.com',
-        sessionId: 'session-456',
-      });
-      expect(tokens.accessToken).toBeDefined();
-      expect(tokens.refreshToken).toBeDefined();
-      expect(tokens.expiresIn).toBe(900); // 15 minutes
-    });
-    it('should include token family in both tokens', async () => {
-      const tokens = await service.generateTokenPair({
-        userId: 'user-123',
-        email: 'test@example.com',
-        sessionId: 'session-456',
-      });
-      const accessDecoded = service.decodeToken(tokens.accessToken);
-      const refreshDecoded = service.decodeToken(tokens.refreshToken);
-      expect(accessDecoded?.tokenFamily).toBeDefined();
-      expect(refreshDecoded?.tokenFamily).toBeDefined();
-      expect(accessDecoded?.tokenFamily).toBe(refreshDecoded?.tokenFamily);
-    });
-    it('should reuse provided token family', async () => {
-      const providedFamily = 'existing-family-id';
-      const tokens = await service.generateTokenPair({
-        userId: 'user-123',
-        email: 'test@example.com',
-        sessionId: 'session-456',
-        tokenFamily: providedFamily,
-      });
-      const accessDecoded = service.decodeToken(tokens.accessToken);
-      expect(accessDecoded?.tokenFamily).toBe(providedFamily);
-    });
-    it('should include all required fields in tokens', async () => {
-      const tokens = await service.generateTokenPair({
-        userId: 'user-123',
-        email: 'test@example.com',
-        sessionId: 'session-456',
-      });
-      const accessDecoded = service.decodeToken(tokens.accessToken);
-      expect(accessDecoded?.sub).toBe('user-123');
-      expect(accessDecoded?.email).toBe('test@example.com');
-      expect(accessDecoded?.sessionId).toBe('session-456');
-      expect(accessDecoded?.type).toBe('access');
-      expect(accessDecoded?.iat).toBeDefined();
-      expect(accessDecoded?.exp).toBeDefined();
-    });
-  });
-  describe('generateAccessToken', () => {
-    it('should generate access token with issuer and audience', async () => {
-      const token = await service.generateAccessToken({
-        userId: 'user-123',
-        email: 'test@example.com',
-        sessionId: 'session-456',
-        tokenFamily: 'family-123',
-      });
-      expect(token).toBeDefined();
-      const decoded = service.decodeToken(token);
-      expect(decoded?.iss).toBe('nauth-toolkit');
-      expect(decoded?.aud).toBe('test-app');
-    });
-    it('should generate access token without issuer and audience', async () => {
-      const configWithoutIssuer = {
-        ...defaultConfig,
-        issuer: undefined,
-        audience: undefined,
-      };
-      const serviceWithoutIssuer = new JwtService(configWithoutIssuer);
-      const token = await serviceWithoutIssuer.generateAccessToken({
-        userId: 'user-123',
-        email: 'test@example.com',
-        sessionId: 'session-456',
-        tokenFamily: 'family-123',
-      });
-      expect(token).toBeDefined();
-      const decoded = serviceWithoutIssuer.decodeToken(token);
-      expect(decoded?.iss).toBeUndefined();
-      expect(decoded?.aud).toBeUndefined();
-    });
-    it('should generate access token with array audience', async () => {
-      const configWithArrayAudience = {
-        ...defaultConfig,
-        audience: ['app1', 'app2'],
-      };
-      const serviceWithArrayAudience = new JwtService(configWithArrayAudience);
-      const token = await serviceWithArrayAudience.generateAccessToken({
-        userId: 'user-123',
-        email: 'test@example.com',
-        sessionId: 'session-456',
-        tokenFamily: 'family-123',
-      });
-      expect(token).toBeDefined();
-      const decoded = serviceWithArrayAudience.decodeToken(token);
-      expect(Array.isArray(decoded?.aud)).toBe(true);
-      expect((decoded?.aud as string[]).length).toBe(2);
-    });
-    it('should throw error when access token key not configured', async () => {
-      const configWithoutKey: JwtConfig = {
-        ...defaultConfig,
-        accessToken: {
-          expiresIn: '15m',
-        },
-      };
-      const serviceWithoutKey = new JwtService(configWithoutKey);
-      try {
-        await serviceWithoutKey.generateAccessToken({
-          userId: 'user-123',
-          email: 'test@example.com',
-          sessionId: 'session-456',
-          tokenFamily: 'family-123',
-        });
-        fail('Should have thrown NAuthException');
-      } catch (error) {
-        expect(error).toBeInstanceOf(NAuthException);
-      }
-    });
-  });
-  describe('generateRefreshToken', () => {
-    it('should generate refresh token', async () => {
-      const token = await service.generateRefreshToken({
-        userId: 'user-123',
-        email: 'test@example.com',
-        sessionId: 'session-456',
-        tokenFamily: 'family-123',
-      });
-      expect(token).toBeDefined();
-      const decoded = service.decodeToken(token);
-      expect(decoded?.type).toBe('refresh');
-    });
-    it('should throw error when refresh token secret not configured', async () => {
-      const configWithoutSecret: JwtConfig = {
-        ...defaultConfig,
-        refreshToken: {
-          secret: '', // Empty secret to trigger error
-          expiresIn: '30d',
-        },
-      };
-      // Create service that will fail during key preparation
-      const serviceWithoutSecret = new JwtService(configWithoutSecret);
-      try {
-        await serviceWithoutSecret.generateRefreshToken({
-          userId: 'user-123',
-          email: 'test@example.com',
-          sessionId: 'session-456',
-          tokenFamily: 'family-123',
-        });
-        fail('Should have thrown NAuthException');
-      } catch (error) {
-        expect(error).toBeInstanceOf(NAuthException);
-      }
-    });
-  });
-  // ============================================================================
-  // Algorithm Support
-  // ============================================================================
-  describe('algorithm support', () => {
-    const symmetricAlgorithms: Array<'HS256' | 'HS384' | 'HS512'> = ['HS256', 'HS384', 'HS512'];
-    const asymmetricAlgorithms: Array<'RS256' | 'RS384' | 'RS512'> = ['RS256', 'RS384', 'RS512'];
-    symmetricAlgorithms.forEach((algorithm) => {
-      it(`should generate and validate tokens with ${algorithm}`, async () => {
-        const configWithAlgorithm = {
-          ...defaultConfig,
-          algorithm,
-        };
-        const serviceWithAlgorithm = new JwtService(configWithAlgorithm);
-        const tokens = await serviceWithAlgorithm.generateTokenPair({
-          userId: 'user-123',
-          email: 'test@example.com',
-          sessionId: 'session-456',
-        });
-        const result = await serviceWithAlgorithm.validateAccessToken(tokens.accessToken);
-        expect(result.valid).toBe(true);
-        expect(result.payload?.sub).toBe('user-123');
-      });
-    });
-    asymmetricAlgorithms.forEach((algorithm) => {
-      it(`should generate and validate tokens with ${algorithm}`, async () => {
-        const { privateKey, publicKey } = generateRSAKeyPair();
-        const configWithAlgorithm: JwtConfig = {
-          ...defaultConfig,
-          algorithm,
-          accessToken: {
-            privateKey,
-            publicKey,
-            expiresIn: '15m',
-          },
-        };
-        const serviceWithAlgorithm = new JwtService(configWithAlgorithm);
-        const tokens = await serviceWithAlgorithm.generateTokenPair({
-          userId: 'user-123',
-          email: 'test@example.com',
-          sessionId: 'session-456',
-        });
-        const result = await serviceWithAlgorithm.validateAccessToken(tokens.accessToken);
-        expect(result.valid).toBe(true);
-        expect(result.payload?.sub).toBe('user-123');
-      });
-    });
-    it('should use HS256 for refresh token when access token uses asymmetric algorithm', async () => {
-      const { privateKey, publicKey } = generateRSAKeyPair();
-      const configWithRS256: JwtConfig = {
-        ...defaultConfig,
-        algorithm: 'RS256',
-        accessToken: {
-          privateKey,
-          publicKey,
-          expiresIn: '15m',
-        },
-      };
-      const serviceWithRS256 = new JwtService(configWithRS256);
-      const tokens = await serviceWithRS256.generateTokenPair({
-        userId: 'user-123',
-        email: 'test@example.com',
-        sessionId: 'session-456',
-      });
-      // Refresh token should still validate (uses HS256)
-      const refreshResult = await serviceWithRS256.validateRefreshToken(tokens.refreshToken);
-      expect(refreshResult.valid).toBe(true);
-    });
-  });
-  // ============================================================================
-  // Token Validation
-  // ============================================================================
-  describe('validateAccessToken', () => {
-    it('should validate valid access token', async () => {
-      const tokens = await service.generateTokenPair({
-        userId: 'user-123',
-        email: 'test@example.com',
-        sessionId: 'session-456',
-      });
-      const result = await service.validateAccessToken(tokens.accessToken);
-      expect(result.valid).toBe(true);
-      expect(result.payload).toBeDefined();
-      expect(result.payload?.sub).toBe('user-123');
-      expect(result.payload?.email).toBe('test@example.com');
-      expect(result.payload?.type).toBe('access');
-    });
-    it('should reject refresh token as access token', async () => {
-      const tokens = await service.generateTokenPair({
-        userId: 'user-123',
-        email: 'test@example.com',
-        sessionId: 'session-456',
-      });
-      const result = await service.validateAccessToken(tokens.refreshToken);
-      expect(result.valid).toBe(false);
-      expect(result.errorType).toBe('invalid');
-    });
-    it('should reject malformed token', async () => {
-      const result = await service.validateAccessToken('invalid-token');
-      expect(result.valid).toBe(false);
-      // jose library may return 'invalid' or 'malformed' for malformed tokens
-      expect(result.errorType).toBeDefined();
-      expect(['invalid', 'malformed']).toContain(result.errorType!);
-    });
-    it('should reject expired token', async () => {
-      // Create token with very short expiration (using real-world string format)
-      const configWithShortExpiry = {
-        ...defaultConfig,
-        accessToken: {
-          ...defaultConfig.accessToken,
-          expiresIn: '1s', // 1 second - matches real-world config format ('15m', '30d', etc.)
-        },
-      };
-      const serviceWithShortExpiry = new JwtService(configWithShortExpiry);
-      const tokens = await serviceWithShortExpiry.generateTokenPair({
-        userId: 'user-123',
-        email: 'test@example.com',
-        sessionId: 'session-456',
-      });
-      // Wait for token to expire (add buffer for clock skew and parsing)
-      await new Promise((resolve) => setTimeout(resolve, 2100));
-      const result = await serviceWithShortExpiry.validateAccessToken(tokens.accessToken);
-      expect(result.valid).toBe(false);
-      expect(result.errorType).toBe('expired');
-    });
-    it('should reject token with wrong signature', async () => {
-      const tokens = await service.generateTokenPair({
-        userId: 'user-123',
-        email: 'test@example.com',
-        sessionId: 'session-456',
-      });
-      // Create service with different secret
-      const differentConfig = {
-        ...defaultConfig,
-        accessToken: {
-          ...defaultConfig.accessToken,
-          secret: 'different-secret-min-32-characters-long',
-        },
-      };
-      const differentService = new JwtService(differentConfig);
-      const result = await differentService.validateAccessToken(tokens.accessToken);
-      expect(result.valid).toBe(false);
-      // jose library may return 'invalid' or 'malformed' for wrong signature
-      expect(result.errorType).toBeDefined();
-      expect(['invalid', 'malformed']).toContain(result.errorType!);
-    });
-    it('should validate token with public key for asymmetric algorithm', async () => {
-      const { privateKey, publicKey } = generateRSAKeyPair();
-      const configWithRS256: JwtConfig = {
-        ...defaultConfig,
-        algorithm: 'RS256',
-        accessToken: {
-          privateKey,
-          publicKey,
-          expiresIn: '15m',
-        },
-      };
-      const serviceWithRS256 = new JwtService(configWithRS256);
-      const tokens = await serviceWithRS256.generateTokenPair({
-        userId: 'user-123',
-        email: 'test@example.com',
-        sessionId: 'session-456',
-      });
-      const result = await serviceWithRS256.validateAccessToken(tokens.accessToken);
-      expect(result.valid).toBe(true);
-      expect(result.payload?.sub).toBe('user-123');
-    });
-    it('should reject token when issuer mismatch', async () => {
-      const tokens = await service.generateTokenPair({
-        userId: 'user-123',
-        email: 'test@example.com',
-        sessionId: 'session-456',
-      });
-      const configWithDifferentIssuer = {
-        ...defaultConfig,
-        issuer: 'different-issuer',
-      };
-      const serviceWithDifferentIssuer = new JwtService(configWithDifferentIssuer);
-      const result = await serviceWithDifferentIssuer.validateAccessToken(tokens.accessToken);
-      expect(result.valid).toBe(false);
-      // jose library may return 'invalid' or 'malformed' for issuer mismatch
-      expect(result.errorType).toBeDefined();
-      expect(['invalid', 'malformed']).toContain(result.errorType!);
-    });
-    it('should reject token when audience mismatch', async () => {
-      const tokens = await service.generateTokenPair({
-        userId: 'user-123',
-        email: 'test@example.com',
-        sessionId: 'session-456',
-      });
-      const configWithDifferentAudience = {
-        ...defaultConfig,
-        audience: 'different-audience',
-      };
-      const serviceWithDifferentAudience = new JwtService(configWithDifferentAudience);
-      const result = await serviceWithDifferentAudience.validateAccessToken(tokens.accessToken);
-      expect(result.valid).toBe(false);
-      // jose library may return 'invalid' or 'malformed' for audience mismatch
-      expect(result.errorType).toBeDefined();
-      expect(['invalid', 'malformed']).toContain(result.errorType!);
-    });
-    it('should handle missing public key gracefully for asymmetric algorithm', async () => {
-      const { privateKey } = generateRSAKeyPair();
-      const configWithoutPublicKey: JwtConfig = {
-        ...defaultConfig,
-        algorithm: 'RS256',
-        accessToken: {
-          privateKey,
-          expiresIn: '15m',
-        },
-      };
-      const serviceWithoutPublicKey = new JwtService(configWithoutPublicKey);
-      const tokens = await serviceWithoutPublicKey.generateTokenPair({
-        userId: 'user-123',
-        email: 'test@example.com',
-        sessionId: 'session-456',
-      });
-      // Validation should fail without public key
-      const result = await serviceWithoutPublicKey.validateAccessToken(tokens.accessToken);
-      expect(result.valid).toBe(false);
-    });
-  });
-  describe('validateRefreshToken', () => {
-    it('should validate valid refresh token', async () => {
-      const tokens = await service.generateTokenPair({
-        userId: 'user-123',
-        email: 'test@example.com',
-        sessionId: 'session-456',
-      });
-      const result = await service.validateRefreshToken(tokens.refreshToken);
-      expect(result.valid).toBe(true);
-      expect(result.payload).toBeDefined();
-      expect(result.payload?.type).toBe('refresh');
-      expect(result.payload?.sub).toBe('user-123');
-    });
-    it('should reject access token as refresh token', async () => {
-      const tokens = await service.generateTokenPair({
-        userId: 'user-123',
-        email: 'test@example.com',
-        sessionId: 'session-456',
-      });
-      const result = await service.validateRefreshToken(tokens.accessToken);
-      expect(result.valid).toBe(false);
-      expect(result.errorType).toBe('invalid');
-    });
-    it('should reject malformed refresh token', async () => {
-      const result = await service.validateRefreshToken('invalid-token');
-      expect(result.valid).toBe(false);
-      // jose library may return 'invalid' or 'malformed' for malformed tokens
-      expect(result.errorType).toBeDefined();
-      expect(['invalid', 'malformed']).toContain(result.errorType!);
-    });
-    it('should reject expired refresh token', async () => {
-      const configWithShortExpiry = {
-        ...defaultConfig,
-        refreshToken: {
-          ...defaultConfig.refreshToken,
-          expiresIn: '1s', // 1 second - matches real-world config format ('30d', '7d', etc.)
-        },
-      };
-      const serviceWithShortExpiry = new JwtService(configWithShortExpiry);
-      const tokens = await serviceWithShortExpiry.generateTokenPair({
-        userId: 'user-123',
-        email: 'test@example.com',
-        sessionId: 'session-456',
-      });
-      // Wait for token to expire (add buffer for clock skew and parsing)
-      await new Promise((resolve) => setTimeout(resolve, 2100));
-      const result = await serviceWithShortExpiry.validateRefreshToken(tokens.refreshToken);
-      expect(result.valid).toBe(false);
-      expect(result.errorType).toBe('expired');
-    });
-    it('should handle missing refresh token key during validation', async () => {
-      const configWithoutSecret: JwtConfig = {
-        ...defaultConfig,
-        refreshToken: {
-          secret: '', // Empty secret
-          expiresIn: '30d',
-        },
-      };
-      const serviceWithoutSecret = new JwtService(configWithoutSecret);
-      // Validation should fail without secret
-      const result = await serviceWithoutSecret.validateRefreshToken('any-token');
-      expect(result.valid).toBe(false);
-    });
-  });
-  // ============================================================================
-  // Token Utilities
-  // ============================================================================
-  describe('decodeToken', () => {
-    it('should decode token without verification', async () => {
-      const tokens = await service.generateTokenPair({
-        userId: 'user-123',
-        email: 'test@example.com',
-        sessionId: 'session-456',
-      });
-      const decoded = service.decodeToken(tokens.accessToken);
-      expect(decoded).toBeDefined();
-      expect(decoded?.sub).toBe('user-123');
-      expect(decoded?.email).toBe('test@example.com');
-      expect(decoded?.sessionId).toBe('session-456');
-    });
-    it('should return null for malformed token', () => {
-      const decoded = service.decodeToken('invalid-token');
-      expect(decoded).toBeNull();
-    });
-    it('should decode expired token', async () => {
-      const configWithShortExpiry = {
-        ...defaultConfig,
-        accessToken: {
-          ...defaultConfig.accessToken,
-          expiresIn: '1s', // 1 second - matches real-world config format
-        },
-      };
-      const serviceWithShortExpiry = new JwtService(configWithShortExpiry);
-      const tokens = await serviceWithShortExpiry.generateTokenPair({
-        userId: 'user-123',
-        email: 'test@example.com',
-        sessionId: 'session-456',
-      });
-      // Wait for token to expire (add buffer for clock skew and parsing)
-      await new Promise((resolve) => setTimeout(resolve, 2100));
-      // Decode should still work (no verification)
-      const decoded = serviceWithShortExpiry.decodeToken(tokens.accessToken);
-      expect(decoded).toBeDefined();
-      expect(decoded?.sub).toBe('user-123');
-    });
-  });
-  describe('hashToken', () => {
-    it('should generate consistent hash for same token', () => {
-      const token = 'test-token';
-      const hash1 = service.hashToken(token);
-      const hash2 = service.hashToken(token);
-      expect(hash1).toBe(hash2);
-      expect(hash1.length).toBe(64); // SHA-256 hex length
-    });
-    it('should generate different hashes for different tokens', () => {
-      const hash1 = service.hashToken('token1');
-      const hash2 = service.hashToken('token2');
-      expect(hash1).not.toBe(hash2);
-    });
-    it('should generate hash for empty token', () => {
-      const hash = service.hashToken('');
-      expect(hash).toBeDefined();
-      expect(hash.length).toBe(64);
-    });
-  });
-  describe('extractTokenFromHeader', () => {
-    it('should extract token from Bearer header', () => {
-      const token = service.extractTokenFromHeader('Bearer eyJhbGc...');
-      expect(token).toBe('eyJhbGc...');
-    });
-    it('should return null for missing header', () => {
-      const token = service.extractTokenFromHeader(undefined);
-      expect(token).toBeNull();
-    });
-    it('should return null for invalid format', () => {
-      const token = service.extractTokenFromHeader('Basic abc123');
-      expect(token).toBeNull();
-    });
-    it('should return null for Bearer without token', () => {
-      const token = service.extractTokenFromHeader('Bearer ');
-      expect(token).toBeNull();
-    });
-    it('should return null for Bearer with only whitespace', () => {
-      const token = service.extractTokenFromHeader('Bearer   ');
-      expect(token).toBeNull();
-    });
-    it('should extract token with multiple spaces (first token after split)', () => {
-      // Note: split(' ') splits on single space, so 'Bearer   token' becomes ['Bearer', '', '', 'token']
-      // The implementation returns the second element, which would be empty string
-      // This test verifies the actual behavior (may need implementation fix)
-      const token = service.extractTokenFromHeader('Bearer   eyJhbGc...');
-      // Implementation returns first token after split, which is empty string for multiple spaces
-      expect(token).toBeNull(); // Current implementation returns empty string which becomes null
-    });
-    it('should return null for empty string', () => {
-      const token = service.extractTokenFromHeader('');
-      expect(token).toBeNull();
-    });
-  });
-  describe('generateTokenFamily', () => {
-    it('should generate unique token families', () => {
-      const family1 = service.generateTokenFamily();
-      const family2 = service.generateTokenFamily();
-      expect(family1).toBeDefined();
-      expect(family2).toBeDefined();
-      expect(family1).not.toBe(family2);
-      expect(family1.length).toBe(64); // 32 bytes hex (256 bits - SECURITY FIX #10)
-    });
-    it('should generate token families with correct format', () => {
-      const family = service.generateTokenFamily();
-      expect(family).toMatch(/^[a-f0-9]{64}$/); // Hex string, 64 characters
-    });
-    it('should generate many unique token families', () => {
-      const families = new Set<string>();
-      for (let i = 0; i < 100; i++) {
-        families.add(service.generateTokenFamily());
-      }
-      expect(families.size).toBe(100); // All unique
-    });
-  });
-  // ============================================================================
-  // Expiration Time Utilities
-  // ============================================================================
-  describe('getAccessTokenExpiry', () => {
-    it('should return expiry time in seconds', () => {
-      const expiry = service.getAccessTokenExpiry();
-      expect(expiry).toBe(900); // 15 minutes
-    });
-    it('should handle different expiry formats', () => {
-      const configWithNumberExpiry = {
-        ...defaultConfig,
-        accessToken: {
-          ...defaultConfig.accessToken,
-          expiresIn: 3600, // 1 hour in seconds
-        },
-      };
-      const serviceWithNumberExpiry = new JwtService(configWithNumberExpiry);
-      expect(serviceWithNumberExpiry.getAccessTokenExpiry()).toBe(3600);
-    });
-  });
-  describe('getRefreshTokenTTL', () => {
-    it('should return TTL in seconds', () => {
-      const ttl = service.getRefreshTokenTTL();
-      expect(ttl).toBe(2592000); // 30 days
-    });
-    it('should handle different TTL formats', () => {
-      const configWithNumberTTL = {
-        ...defaultConfig,
-        refreshToken: {
-          ...defaultConfig.refreshToken,
-          expiresIn: 604800, // 7 days in seconds
-        },
-      };
-      const serviceWithNumberTTL = new JwtService(configWithNumberTTL);
-      expect(serviceWithNumberTTL.getRefreshTokenTTL()).toBe(604800);
-    });
-  });
-  // ============================================================================
-  // Expiration Time Parsing
-  // ============================================================================
-  describe('parseExpiresIn edge cases', () => {
-    it('should parse numeric expiresIn', async () => {
-      const configWithNumber = {
-        ...defaultConfig,
-        accessToken: {
-          ...defaultConfig.accessToken,
-          expiresIn: 3600,
-        },
-      };
-      const serviceWithNumber = new JwtService(configWithNumber);
-      expect(serviceWithNumber.getAccessTokenExpiry()).toBe(3600);
-    });
-    it('should parse expiresIn with different units', async () => {
-      const testCases = [
-        { value: '60s', expected: 60 },
-        { value: '1m', expected: 60 },
-        { value: '1h', expected: 3600 },
-        { value: '1d', expected: 86400 },
-      ];
-      for (const testCase of testCases) {
-        const config = {
-          ...defaultConfig,
-          accessToken: {
-            ...defaultConfig.accessToken,
-            expiresIn: testCase.value,
-          },
-        };
-        const service = new JwtService(config);
-        expect(service.getAccessTokenExpiry()).toBe(testCase.expected);
-      }
-    });
-    it('should throw error for invalid expiresIn format', async () => {
-      const configWithInvalidFormat: JwtConfig = {
-        ...defaultConfig,
-        accessToken: {
-          ...defaultConfig.accessToken,
-          expiresIn: 'invalid' as any,
-        },
-      };
-      // parseExpiresIn is called during token generation, not construction
-      const serviceWithInvalidFormat = new JwtService(configWithInvalidFormat);
-      try {
-        await serviceWithInvalidFormat.generateTokenPair({
-          userId: 'user-123',
-          email: 'test@example.com',
-          sessionId: 'session-456',
-        });
-        fail('Should have thrown an error');
-      } catch (error) {
-        // May throw NAuthException or TypeError from jose library
-        expect(error).toBeDefined();
-        expect(error instanceof NAuthException || error instanceof Error).toBe(true);
-      }
-    });
-  });
-  // ============================================================================
-  // Error Handling
-  // ============================================================================
-  describe('error handling', () => {
-    it('should handle validation errors gracefully', async () => {
-      const result = await service.validateAccessToken('not.a.valid.jwt.token');
-      expect(result.valid).toBe(false);
-      expect(result.errorType).toBeDefined();
-    });
-    it('should handle missing keys error', async () => {
-      const configWithoutKeys: JwtConfig = {
-        ...defaultConfig,
-        accessToken: {
-          expiresIn: '15m',
-        },
-      };
-      const serviceWithoutKeys = new JwtService(configWithoutKeys);
-      try {
-        await serviceWithoutKeys.generateAccessToken({
-          userId: 'user-123',
-          email: 'test@example.com',
-          sessionId: 'session-456',
-          tokenFamily: 'family-123',
-        });
-        fail('Should have thrown NAuthException');
-      } catch (error) {
-        expect(error).toBeInstanceOf(NAuthException);
-      }
-    });
-  });
-});