@nauth-toolkit/core 0.1.0

package/dist/services/auth-flow-context-builder.service.js

@@ -0,0 +1,253 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthFlowContextBuilder = void 0;
+class AuthFlowContextBuilder {
+    trustedDeviceService;
+    adaptiveMFADecisionService;
+    logger;
+    constructor(trustedDeviceService, adaptiveMFADecisionService, _clientInfoService, logger) {
+        this.trustedDeviceService = trustedDeviceService;
+        this.adaptiveMFADecisionService = adaptiveMFADecisionService;
+        this.logger = logger;
+    }
+    async build(params) {
+        const { user, config, authMethod, authProvider, deviceToken, skipMFAVerification } = params;
+        this.logger?.debug?.(`[ContextBuilder] Building context for user ${user.sub} (authMethod=${authMethod || 'password'}, mfaEnabled=${user.mfaEnabled}, mfaExempt=${user.mfaExempt || false})`);
+        const isEmailVerificationRequired = this.isEmailVerificationRequired(user, config, authMethod);
+        const isPhoneVerificationRequired = this.isPhoneVerificationRequired(user, config, authMethod);
+        const isPhoneCollectionNeeded = this.isPhoneCollectionNeeded(user, config, authMethod);
+        const isMFAExempt = this.checkMFAExempt(user);
+        const isMFASetupRequired = this.isMFASetupRequired(user, config, authMethod);
+        const isDeviceTrusted = await this.checkDeviceTrust(user, deviceToken, config);
+        const gracePeriodData = this.calculateGracePeriod(user, config);
+        const blockData = await this.checkBlocked(user);
+        const mfaVerificationData = await this.checkMFAVerification(user, config, authMethod, deviceToken, isDeviceTrusted, skipMFAVerification);
+        const isBlocked = blockData.blocked || (mfaVerificationData.isBlocked ?? false);
+        const blockedUntil = blockData.until;
+        const blockReason = blockData.reason || (mfaVerificationData.isBlocked ? 'Sign in blocked due to suspicious activity' : undefined);
+        const computed = {
+            isEmailVerificationRequired,
+            isPhoneVerificationRequired,
+            isPhoneCollectionNeeded,
+            isMFAExempt,
+            isMFASetupRequired,
+            isMFAVerificationRequired: mfaVerificationData.required,
+            isDeviceTrusted,
+            isGracePeriodActive: gracePeriodData.isActive,
+            gracePeriodEndsAt: gracePeriodData.endsAt,
+            isBlocked,
+            blockedUntil,
+            blockReason,
+            riskScore: mfaVerificationData.riskScore,
+            riskLevel: mfaVerificationData.riskLevel,
+        };
+        this.logger?.debug?.(`[ContextBuilder] Computed values: emailReq=${computed.isEmailVerificationRequired}, phoneReq=${computed.isPhoneVerificationRequired}, phoneCollect=${computed.isPhoneCollectionNeeded}, mfaExempt=${computed.isMFAExempt}, mfaSetupReq=${computed.isMFASetupRequired}, mfaVerifyReq=${computed.isMFAVerificationRequired}, trusted=${computed.isDeviceTrusted}, gracePeriod=${computed.isGracePeriodActive}, blocked=${computed.isBlocked}`);
+        return {
+            user,
+            config,
+            authMethod,
+            authProvider,
+            deviceToken,
+            skipMFAVerification,
+            computed,
+        };
+    }
+    isEmailVerificationRequired(user, config, authMethod) {
+        const verificationMethod = config.signup?.verificationMethod || 'email';
+        if (verificationMethod === 'none' || verificationMethod === 'phone') {
+            return false;
+        }
+        if (authMethod === 'social') {
+            return false;
+        }
+        if (user.isEmailVerified) {
+            return false;
+        }
+        return verificationMethod === 'email' || verificationMethod === 'both';
+    }
+    isPhoneVerificationRequired(user, config, _authMethod) {
+        const verificationMethod = config.signup?.verificationMethod || 'email';
+        if (verificationMethod === 'none' || verificationMethod === 'email') {
+            return false;
+        }
+        if (verificationMethod === 'phone' || verificationMethod === 'both') {
+            if (!user.phone) {
+                return false;
+            }
+            return !user.isPhoneVerified;
+        }
+        return false;
+    }
+    isPhoneCollectionNeeded(user, config, _authMethod) {
+        const verificationMethod = config.signup?.verificationMethod || 'email';
+        if (verificationMethod === 'none' || verificationMethod === 'email') {
+            return false;
+        }
+        if (user.isPhoneVerified) {
+            return false;
+        }
+        if ((verificationMethod === 'phone' || verificationMethod === 'both') && !user.phone) {
+            return true;
+        }
+        return false;
+    }
+    checkMFAExempt(user) {
+        const mfaExempt = user.mfaExempt;
+        return mfaExempt === true || mfaExempt === 1;
+    }
+    isMFASetupRequired(user, config, authMethod) {
+        if (this.checkMFAExempt(user)) {
+            return false;
+        }
+        if (!config.mfa?.enabled) {
+            return false;
+        }
+        if (user.mfaEnabled) {
+            return false;
+        }
+        if (authMethod === 'social' && config.mfa.requireForSocialLogin === false) {
+            return false;
+        }
+        const enforcement = config.mfa.enforcement || 'OPTIONAL';
+        if (enforcement === 'OPTIONAL') {
+            return false;
+        }
+        const gracePeriod = config.mfa.gracePeriod ?? 7;
+        const gracePeriodData = this.calculateGracePeriod(user, config);
+        if (gracePeriod === 0) {
+            return true;
+        }
+        if (gracePeriodData.isActive) {
+            return false;
+        }
+        return true;
+    }
+    async checkDeviceTrust(user, deviceToken, config) {
+        if (!deviceToken ||
+            !config?.mfa?.rememberDevices ||
+            config.mfa.rememberDevices === 'never' ||
+            !this.trustedDeviceService) {
+            return false;
+        }
+        try {
+            const validation = await this.trustedDeviceService.validateDeviceToken(deviceToken, user.id);
+            return validation.isValid;
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+            this.logger?.warn?.(`Failed to check device trust: ${errorMessage}`, { error, userId: user.id });
+            return false;
+        }
+    }
+    calculateGracePeriod(user, config) {
+        const gracePeriod = config.mfa?.gracePeriod ?? 7;
+        if (gracePeriod === 0) {
+            return { isActive: false };
+        }
+        const userWithDates = user;
+        const createdAt = userWithDates.createdAt;
+        if (!createdAt) {
+            return { isActive: false };
+        }
+        const gracePeriodEnd = new Date(createdAt);
+        gracePeriodEnd.setDate(gracePeriodEnd.getDate() + gracePeriod);
+        const now = new Date();
+        const isActive = now < gracePeriodEnd;
+        return {
+            isActive,
+            endsAt: isActive ? gracePeriodEnd : undefined,
+        };
+    }
+    async checkBlocked(user) {
+        if (!this.adaptiveMFADecisionService) {
+            return { blocked: false };
+        }
+        try {
+            const blockStatus = await this.adaptiveMFADecisionService.isUserBlocked(user.id);
+            return {
+                blocked: blockStatus.blocked,
+                until: blockStatus.expiresAt,
+                reason: blockStatus.message,
+            };
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+            this.logger?.warn?.(`Failed to check user block status: ${errorMessage}`, { error, userId: user.id });
+            return { blocked: false };
+        }
+    }
+    async checkMFAVerification(user, config, authMethod, _deviceToken, isDeviceTrusted, skipMFAVerification) {
+        if (skipMFAVerification) {
+            return { required: false };
+        }
+        if (this.checkMFAExempt(user)) {
+            return { required: false };
+        }
+        if (!config.mfa?.enabled) {
+            return { required: false };
+        }
+        if (!user.mfaEnabled) {
+            return { required: false };
+        }
+        if (authMethod === 'social' && config.mfa.requireForSocialLogin === false) {
+            return { required: false };
+        }
+        const enforcement = config.mfa.enforcement || 'OPTIONAL';
+        if (enforcement === 'OPTIONAL') {
+            if (isDeviceTrusted &&
+                config.mfa.rememberDevices &&
+                config.mfa.rememberDevices !== 'never' &&
+                config.mfa.bypassMFAForTrustedDevices === true) {
+                return { required: false };
+            }
+            return { required: true };
+        }
+        if (enforcement === 'REQUIRED' &&
+            isDeviceTrusted &&
+            config.mfa.rememberDevices &&
+            config.mfa.rememberDevices !== 'never' &&
+            config.mfa.bypassMFAForTrustedDevices === true) {
+            return { required: false };
+        }
+        if (enforcement === 'ADAPTIVE') {
+            if (!this.adaptiveMFADecisionService) {
+                this.logger?.warn?.(`ADAPTIVE enforcement enabled but AdaptiveMFADecisionService not available - falling back to REQUIRED behavior for user ${user.sub}`);
+                return { required: true };
+            }
+            try {
+                const decision = await this.adaptiveMFADecisionService.evaluateAdaptiveMFA(user, authMethod || 'password');
+                if (decision.action === 'block_signin') {
+                    if (decision.payload) {
+                        await this.adaptiveMFADecisionService.blockUserSignIn(user, decision.payload);
+                    }
+                    return {
+                        required: false,
+                        riskScore: decision.riskScore,
+                        riskLevel: decision.riskLevel,
+                        isBlocked: true,
+                    };
+                }
+                if (!isDeviceTrusted) {
+                    return {
+                        required: true,
+                        riskScore: decision.riskScore,
+                        riskLevel: decision.riskLevel,
+                    };
+                }
+                return {
+                    required: decision.action === 'require_mfa',
+                    riskScore: decision.riskScore,
+                    riskLevel: decision.riskLevel,
+                };
+            }
+            catch (error) {
+                const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+                this.logger?.warn?.(`Failed to evaluate adaptive MFA: ${errorMessage}`, { error, userId: user.id });
+                return { required: true };
+            }
+        }
+        return { required: true };
+    }
+}
+exports.AuthFlowContextBuilder = AuthFlowContextBuilder;
+//# sourceMappingURL=auth-flow-context-builder.service.js.map

package/dist/services/auth-flow-context-builder.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-flow-context-builder.service.js","sourceRoot":"","sources":["../../src/services/auth-flow-context-builder.service.ts"],"names":[],"mappings":";;;AAyBA,MAAa,sBAAsB;IAEd;IACA;IAEA;IAJnB,YACmB,oBAA2C,EAC3C,0BAAuD,EACxE,kBAAsC,EACrB,MAAoB;QAHpB,yBAAoB,GAApB,oBAAoB,CAAuB;QAC3C,+BAA0B,GAA1B,0BAA0B,CAA6B;QAEvD,WAAM,GAAN,MAAM,CAAc;IACpC,CAAC;IAwBJ,KAAK,CAAC,KAAK,CAAC,MAOX;QACC,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,WAAW,EAAE,mBAAmB,EAAE,GAAG,MAAM,CAAC;QAE5F,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,8CAA8C,IAAI,CAAC,GAAG,gBAAgB,UAAU,IAAI,UAAU,gBAAgB,IAAI,CAAC,UAAU,eAAe,IAAI,CAAC,SAAS,IAAI,KAAK,GAAG,CACvK,CAAC;QAMF,MAAM,2BAA2B,GAAG,IAAI,CAAC,2BAA2B,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;QAC/F,MAAM,2BAA2B,GAAG,IAAI,CAAC,2BAA2B,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;QAC/F,MAAM,uBAAuB,GAAG,IAAI,CAAC,uBAAuB,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;QACvF,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;QAC9C,MAAM,kBAAkB,GAAG,IAAI,CAAC,kBAAkB,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;QAC7E,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;QAC/E,MAAM,eAAe,GAAG,IAAI,CAAC,oBAAoB,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAChE,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;QAChD,MAAM,mBAAmB,GAAG,MAAM,IAAI,CAAC,oBAAoB,CACzD,IAAI,EACJ,MAAM,EACN,UAAU,EACV,WAAW,EACX,eAAe,EACf,mBAAmB,CACpB,CAAC;QAGF,MAAM,SAAS,GAAG,SAAS,CAAC,OAAO,IAAI,CAAC,mBAAmB,CAAC,SAAS,IAAI,KAAK,CAAC,CAAC;QAChF,MAAM,YAAY,GAAG,SAAS,CAAC,KAAK,CAAC;QACrC,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,IAAI,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC,CAAC,4CAA4C,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;QAEnI,MAAM,QAAQ,GAAG;YACf,2BAA2B;YAC3B,2BAA2B;YAC3B,uBAAuB;YACvB,WAAW;YACX,kBAAkB;YAClB,yBAAyB,EAAE,mBAAmB,CAAC,QAAQ;YACvD,eAAe;YACf,mBAAmB,EAAE,eAAe,CAAC,QAAQ;YAC7C,iBAAiB,EAAE,eAAe,CAAC,MAAM;YACzC,SAAS;YACT,YAAY;YACZ,WAAW;YACX,SAAS,EAAE,mBAAmB,CAAC,SAAS;YACxC,SAAS,EAAE,mBAAmB,CAAC,SAAS;SACzC,CAAC;QAEF,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,8CAA8C,QAAQ,CAAC,2BAA2B,cAAc,QAAQ,CAAC,2BAA2B,kBAAkB,QAAQ,CAAC,uBAAuB,eAAe,QAAQ,CAAC,WAAW,iBAAiB,QAAQ,CAAC,kBAAkB,kBAAkB,QAAQ,CAAC,yBAAyB,aAAa,QAAQ,CAAC,eAAe,iBAAiB,QAAQ,CAAC,mBAAmB,aAAa,QAAQ,CAAC,SAAS,EAAE,CAC7a,CAAC;QAEF,OAAO;YACL,IAAI;YACJ,MAAM;YACN,UAAU;YACV,YAAY;YACZ,WAAW;YACX,mBAAmB;YACnB,QAAQ;SACT,CAAC;IACJ,CAAC;IAUO,2BAA2B,CAAC,IAAW,EAAE,MAAmB,EAAE,UAAkC;QACtG,MAAM,kBAAkB,GAAG,MAAM,CAAC,MAAM,EAAE,kBAAkB,IAAI,OAAO,CAAC;QAGxE,IAAI,kBAAkB,KAAK,MAAM,IAAI,kBAAkB,KAAK,OAAO,EAAE,CAAC;YACpE,OAAO,KAAK,CAAC;QACf,CAAC;QAGD,IAAI,UAAU,KAAK,QAAQ,EAAE,CAAC;YAC5B,OAAO,KAAK,CAAC;QACf,CAAC;QAGD,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACzB,OAAO,KAAK,CAAC;QACf,CAAC;QAGD,OAAO,kBAAkB,KAAK,OAAO,IAAI,kBAAkB,KAAK,MAAM,CAAC;IACzE,CAAC;IAUO,2BAA2B,CAAC,IAAW,EAAE,MAAmB,EAAE,WAAmC;QACvG,MAAM,kBAAkB,GAAG,MAAM,CAAC,MAAM,EAAE,kBAAkB,IAAI,OAAO,CAAC;QAGxE,IAAI,kBAAkB,KAAK,MAAM,IAAI,kBAAkB,KAAK,OAAO,EAAE,CAAC;YACpE,OAAO,KAAK,CAAC;QACf,CAAC;QAID,IAAI,kBAAkB,KAAK,OAAO,IAAI,kBAAkB,KAAK,MAAM,EAAE,CAAC;YAEpE,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;gBAChB,OAAO,KAAK,CAAC;YACf,CAAC;YAGD,OAAO,CAAC,IAAI,CAAC,eAAe,CAAC;QAC/B,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAmBO,uBAAuB,CAAC,IAAW,EAAE,MAAmB,EAAE,WAAmC;QACnG,MAAM,kBAAkB,GAAG,MAAM,CAAC,MAAM,EAAE,kBAAkB,IAAI,OAAO,CAAC;QAGxE,IAAI,kBAAkB,KAAK,MAAM,IAAI,kBAAkB,KAAK,OAAO,EAAE,CAAC;YACpE,OAAO,KAAK,CAAC;QACf,CAAC;QASD,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACzB,OAAO,KAAK,CAAC;QACf,CAAC;QAGD,IAAI,CAAC,kBAAkB,KAAK,OAAO,IAAI,kBAAkB,KAAK,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YACrF,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAQO,cAAc,CAAC,IAAW;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QAEjC,OAAO,SAAS,KAAK,IAAI,IAAK,SAAqB,KAAK,CAAC,CAAC;IAC5D,CAAC;IAUO,kBAAkB,CAAC,IAAW,EAAE,MAAmB,EAAE,UAAkC;QAE7F,IAAI,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC;QACf,CAAC;QAGD,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,OAAO,EAAE,CAAC;YACzB,OAAO,KAAK,CAAC;QACf,CAAC;QAGD,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,OAAO,KAAK,CAAC;QACf,CAAC;QAGD,IAAI,UAAU,KAAK,QAAQ,IAAI,MAAM,CAAC,GAAG,CAAC,qBAAqB,KAAK,KAAK,EAAE,CAAC;YAC1E,OAAO,KAAK,CAAC;QACf,CAAC;QAGD,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,WAAW,IAAI,UAAU,CAAC;QAEzD,IAAI,WAAW,KAAK,UAAU,EAAE,CAAC;YAC/B,OAAO,KAAK,CAAC;QACf,CAAC;QAGD,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,WAAW,IAAI,CAAC,CAAC;QAChD,MAAM,eAAe,GAAG,IAAI,CAAC,oBAAoB,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAGhE,IAAI,WAAW,KAAK,CAAC,EAAE,CAAC;YACtB,OAAO,IAAI,CAAC;QACd,CAAC;QAGD,IAAI,eAAe,CAAC,QAAQ,EAAE,CAAC;YAC7B,OAAO,KAAK,CAAC;QACf,CAAC;QAGD,OAAO,IAAI,CAAC;IACd,CAAC;IAUO,KAAK,CAAC,gBAAgB,CAAC,IAAW,EAAE,WAAoB,EAAE,MAAoB;QACpF,IACE,CAAC,WAAW;YACZ,CAAC,MAAM,EAAE,GAAG,EAAE,eAAe;YAC7B,MAAM,CAAC,GAAG,CAAC,eAAe,KAAK,OAAO;YACtC,CAAC,IAAI,CAAC,oBAAoB,EAC1B,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,mBAAmB,CAAC,WAAW,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;YAC7F,OAAO,UAAU,CAAC,OAAO,CAAC;QAC5B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;YAC9E,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,iCAAiC,YAAY,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;YACjG,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IASO,oBAAoB,CAAC,IAAW,EAAE,MAAmB;QAC3D,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,EAAE,WAAW,IAAI,CAAC,CAAC;QAGjD,IAAI,WAAW,KAAK,CAAC,EAAE,CAAC;YACtB,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;QAC7B,CAAC;QAGD,MAAM,aAAa,GAAG,IAAmC,CAAC;QAC1D,MAAM,SAAS,GAAG,aAAa,CAAC,SAAS,CAAC;QAE1C,IAAI,CAAC,SAAS,EAAE,CAAC;YAEf,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;QAC7B,CAAC;QAED,MAAM,cAAc,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC;QAC3C,cAAc,CAAC,OAAO,CAAC,cAAc,CAAC,OAAO,EAAE,GAAG,WAAW,CAAC,CAAC;QAE/D,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,QAAQ,GAAG,GAAG,GAAG,cAAc,CAAC;QAEtC,OAAO;YACL,QAAQ;YACR,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,SAAS;SAC9C,CAAC;IACJ,CAAC;IAQO,KAAK,CAAC,YAAY,CAAC,IAAW;QACpC,IAAI,CAAC,IAAI,CAAC,0BAA0B,EAAE,CAAC;YACrC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;QAC5B,CAAC;QAED,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,0BAA0B,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACjF,OAAO;gBACL,OAAO,EAAE,WAAW,CAAC,OAAO;gBAC5B,KAAK,EAAE,WAAW,CAAC,SAAS;gBAC5B,MAAM,EAAE,WAAW,CAAC,OAAO;aAC5B,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;YAC9E,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,sCAAsC,YAAY,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;YACtG,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;QAC5B,CAAC;IACH,CAAC;IAaO,KAAK,CAAC,oBAAoB,CAChC,IAAW,EACX,MAAmB,EACnB,UAAkC,EAClC,YAAqB,EACrB,eAAyB,EACzB,mBAA6B;QAG7B,IAAI,mBAAmB,EAAE,CAAC;YACxB,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;QAC7B,CAAC;QAGD,IAAI,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9B,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;QAC7B,CAAC;QAGD,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,OAAO,EAAE,CAAC;YACzB,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;QAC7B,CAAC;QAGD,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrB,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;QAC7B,CAAC;QAGD,IAAI,UAAU,KAAK,QAAQ,IAAI,MAAM,CAAC,GAAG,CAAC,qBAAqB,KAAK,KAAK,EAAE,CAAC;YAC1E,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;QAC7B,CAAC;QAGD,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,WAAW,IAAI,UAAU,CAAC;QAMzD,IAAI,WAAW,KAAK,UAAU,EAAE,CAAC;YAG/B,IACE,eAAe;gBACf,MAAM,CAAC,GAAG,CAAC,eAAe;gBAC1B,MAAM,CAAC,GAAG,CAAC,eAAe,KAAK,OAAO;gBACtC,MAAM,CAAC,GAAG,CAAC,0BAA0B,KAAK,IAAI,EAC9C,CAAC;gBACD,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;YAC7B,CAAC;YAED,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;QAC5B,CAAC;QAGD,IACE,WAAW,KAAK,UAAU;YAC1B,eAAe;YACf,MAAM,CAAC,GAAG,CAAC,eAAe;YAC1B,MAAM,CAAC,GAAG,CAAC,eAAe,KAAK,OAAO;YACtC,MAAM,CAAC,GAAG,CAAC,0BAA0B,KAAK,IAAI,EAC9C,CAAC;YACD,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;QAC7B,CAAC;QAGD,IAAI,WAAW,KAAK,UAAU,EAAE,CAAC;YAC/B,IAAI,CAAC,IAAI,CAAC,0BAA0B,EAAE,CAAC;gBAErC,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CACjB,0HAA0H,IAAI,CAAC,GAAG,EAAE,CACrI,CAAC;gBACF,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;YAC5B,CAAC;YAGD,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,0BAA0B,CAAC,mBAAmB,CAAC,IAAI,EAAE,UAAU,IAAI,UAAU,CAAC,CAAC;gBAG3G,IAAI,QAAQ,CAAC,MAAM,KAAK,cAAc,EAAE,CAAC;oBACvC,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;wBACrB,MAAM,IAAI,CAAC,0BAA0B,CAAC,eAAe,CAAC,IAAI,EAAE,QAAQ,CAAC,OAAO,CAAC,CAAC;oBAChF,CAAC;oBAED,OAAO;wBACL,QAAQ,EAAE,KAAK;wBACf,SAAS,EAAE,QAAQ,CAAC,SAAS;wBAC7B,SAAS,EAAE,QAAQ,CAAC,SAAS;wBAC7B,SAAS,EAAE,IAAI;qBAChB,CAAC;gBACJ,CAAC;gBAID,IAAI,CAAC,eAAe,EAAE,CAAC;oBACrB,OAAO;wBACL,QAAQ,EAAE,IAAI;wBACd,SAAS,EAAE,QAAQ,CAAC,SAAS;wBAC7B,SAAS,EAAE,QAAQ,CAAC,SAAS;qBAC9B,CAAC;gBACJ,CAAC;gBAGD,OAAO;oBACL,QAAQ,EAAE,QAAQ,CAAC,MAAM,KAAK,aAAa;oBAC3C,SAAS,EAAE,QAAQ,CAAC,SAAS;oBAC7B,SAAS,EAAE,QAAQ,CAAC,SAAS;iBAC9B,CAAC;YACJ,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;gBAC9E,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,oCAAoC,YAAY,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;gBAEpG,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;YAC5B,CAAC;QACH,CAAC;QAGD,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAC5B,CAAC;CACF;AA9eD,wDA8eC"}

package/dist/services/auth-flow-rules.d.ts

@@ -0,0 +1,18 @@
+import { AuthFlowContext, Rule } from './auth-flow-state-machine.types';
+export declare class RuleBuilder {
+    static all(rules: Rule[]): Rule;
+    static any(rules: Rule[]): Rule;
+    static not(rule: Rule): Rule;
+}
+export declare const Rules: {
+    mustChangePassword: (context: AuthFlowContext) => boolean;
+    emailVerificationPending: (context: AuthFlowContext) => boolean;
+    phoneCollectionNeeded: (context: AuthFlowContext) => boolean;
+    phoneVerificationPending: (context: AuthFlowContext) => boolean;
+    mfaSetupRequired: (context: AuthFlowContext) => boolean;
+    mfaVerificationRequired: (context: AuthFlowContext) => boolean;
+    gracePeriodActiveAdaptive: (context: AuthFlowContext) => boolean;
+    isBlocked: (context: AuthFlowContext) => boolean;
+    authenticated: (_context: AuthFlowContext) => boolean;
+};
+//# sourceMappingURL=auth-flow-rules.d.ts.map

package/dist/services/auth-flow-rules.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-flow-rules.d.ts","sourceRoot":"","sources":["../../src/services/auth-flow-rules.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,MAAM,iCAAiC,CAAC;AAgBxE,qBAAa,WAAW;IAgBtB,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,GAAG,IAAI;IAqB/B,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,GAAG,IAAI;IAkB/B,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,GAAG,IAAI;CAK7B;AAUD,eAAO,MAAM,KAAK;kCAQc,eAAe,KAAG,OAAO;wCAWnB,eAAe,KAAG,OAAO;qCAW5B,eAAe,KAAG,OAAO;wCAWtB,eAAe,KAAG,OAAO;gCAWjC,eAAe,KAAG,OAAO;uCAWlB,eAAe,KAAG,OAAO;yCAiBvB,eAAe,KAAG,OAAO;yBAiBzC,eAAe,KAAG,OAAO;8BAcpB,eAAe,KAAG,OAAO;CAIpD,CAAC"}

package/dist/services/auth-flow-rules.js

@@ -0,0 +1,55 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Rules = exports.RuleBuilder = void 0;
+class RuleBuilder {
+    static all(rules) {
+        return (context) => {
+            return rules.every((rule) => rule(context));
+        };
+    }
+    static any(rules) {
+        return (context) => {
+            return rules.some((rule) => rule(context));
+        };
+    }
+    static not(rule) {
+        return (context) => {
+            return !rule(context);
+        };
+    }
+}
+exports.RuleBuilder = RuleBuilder;
+exports.Rules = {
+    mustChangePassword: (context) => {
+        return context.user.mustChangePassword === true;
+    },
+    emailVerificationPending: (context) => {
+        return context.computed.isEmailVerificationRequired;
+    },
+    phoneCollectionNeeded: (context) => {
+        return context.computed.isPhoneCollectionNeeded;
+    },
+    phoneVerificationPending: (context) => {
+        return context.computed.isPhoneVerificationRequired;
+    },
+    mfaSetupRequired: (context) => {
+        return context.computed.isMFASetupRequired;
+    },
+    mfaVerificationRequired: (context) => {
+        return context.computed.isMFAVerificationRequired;
+    },
+    gracePeriodActiveAdaptive: (context) => {
+        const enforcement = context.config.mfa?.enforcement || 'OPTIONAL';
+        return (enforcement === 'ADAPTIVE' &&
+            context.computed.isGracePeriodActive &&
+            !context.user.mfaEnabled &&
+            !context.computed.isBlocked);
+    },
+    isBlocked: (context) => {
+        return context.computed.isBlocked;
+    },
+    authenticated: (_context) => {
+        return true;
+    },
+};
+//# sourceMappingURL=auth-flow-rules.js.map

package/dist/services/auth-flow-rules.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-flow-rules.js","sourceRoot":"","sources":["../../src/services/auth-flow-rules.ts"],"names":[],"mappings":";;;AAgBA,MAAa,WAAW;IAgBtB,MAAM,CAAC,GAAG,CAAC,KAAa;QACtB,OAAO,CAAC,OAAwB,EAAW,EAAE;YAC3C,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;QAC9C,CAAC,CAAC;IACJ,CAAC;IAiBD,MAAM,CAAC,GAAG,CAAC,KAAa;QACtB,OAAO,CAAC,OAAwB,EAAW,EAAE;YAC3C,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;QAC7C,CAAC,CAAC;IACJ,CAAC;IAcD,MAAM,CAAC,GAAG,CAAC,IAAU;QACnB,OAAO,CAAC,OAAwB,EAAW,EAAE;YAC3C,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC,CAAC;IACJ,CAAC;CACF;AA5DD,kCA4DC;AAUY,QAAA,KAAK,GAAG;IAQnB,kBAAkB,EAAE,CAAC,OAAwB,EAAW,EAAE;QACxD,OAAO,OAAO,CAAC,IAAI,CAAC,kBAAkB,KAAK,IAAI,CAAC;IAClD,CAAC;IASD,wBAAwB,EAAE,CAAC,OAAwB,EAAW,EAAE;QAC9D,OAAO,OAAO,CAAC,QAAQ,CAAC,2BAA2B,CAAC;IACtD,CAAC;IASD,qBAAqB,EAAE,CAAC,OAAwB,EAAW,EAAE;QAC3D,OAAO,OAAO,CAAC,QAAQ,CAAC,uBAAuB,CAAC;IAClD,CAAC;IASD,wBAAwB,EAAE,CAAC,OAAwB,EAAW,EAAE;QAC9D,OAAO,OAAO,CAAC,QAAQ,CAAC,2BAA2B,CAAC;IACtD,CAAC;IASD,gBAAgB,EAAE,CAAC,OAAwB,EAAW,EAAE;QACtD,OAAO,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC;IAC7C,CAAC;IASD,uBAAuB,EAAE,CAAC,OAAwB,EAAW,EAAE;QAC7D,OAAO,OAAO,CAAC,QAAQ,CAAC,yBAAyB,CAAC;IACpD,CAAC;IAeD,yBAAyB,EAAE,CAAC,OAAwB,EAAW,EAAE;QAC/D,MAAM,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,EAAE,WAAW,IAAI,UAAU,CAAC;QAClE,OAAO,CACL,WAAW,KAAK,UAAU;YAC1B,OAAO,CAAC,QAAQ,CAAC,mBAAmB;YACpC,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU;YACxB,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAC5B,CAAC;IACJ,CAAC;IASD,SAAS,EAAE,CAAC,OAAwB,EAAW,EAAE;QAC/C,OAAO,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;IACpC,CAAC;IAYD,aAAa,EAAE,CAAC,QAAyB,EAAW,EAAE;QAEpD,OAAO,IAAI,CAAC;IACd,CAAC;CACF,CAAC"}

package/dist/services/auth-flow-state-definitions.d.ts

@@ -0,0 +1,5 @@
+import { AuthFlowState, StateDefinition } from './auth-flow-state-machine.types';
+export declare const STATE_DEFINITIONS: StateDefinition[];
+export declare function getStateDefinition(state: AuthFlowState): StateDefinition | undefined;
+export declare function getStateDefinitionsByPriority(): StateDefinition[];
+//# sourceMappingURL=auth-flow-state-definitions.d.ts.map

package/dist/services/auth-flow-state-definitions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-flow-state-definitions.d.ts","sourceRoot":"","sources":["../../src/services/auth-flow-state-definitions.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,eAAe,EAAqC,MAAM,iCAAiC,CAAC;AAuBpH,eAAO,MAAM,iBAAiB,EAAE,eAAe,EAwI9C,CAAC;AAaF,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,aAAa,GAAG,eAAe,GAAG,SAAS,CAEpF;AAaD,wBAAgB,6BAA6B,IAAI,eAAe,EAAE,CAEjE"}

package/dist/services/auth-flow-state-definitions.js

@@ -0,0 +1,87 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.STATE_DEFINITIONS = void 0;
+exports.getStateDefinition = getStateDefinition;
+exports.getStateDefinitionsByPriority = getStateDefinitionsByPriority;
+const auth_flow_state_machine_types_1 = require("./auth-flow-state-machine.types");
+const auth_challenge_dto_1 = require("../dto/auth-challenge.dto");
+const auth_flow_rules_1 = require("./auth-flow-rules");
+const mfa_method_enum_1 = require("../enums/mfa-method.enum");
+exports.STATE_DEFINITIONS = [
+    {
+        state: auth_flow_state_machine_types_1.AuthFlowState.PENDING_PASSWORD_CHANGE,
+        priority: 1,
+        condition: auth_flow_rules_1.Rules.mustChangePassword,
+        challenge: auth_challenge_dto_1.AuthChallenge.FORCE_CHANGE_PASSWORD,
+    },
+    {
+        state: auth_flow_state_machine_types_1.AuthFlowState.PENDING_EMAIL_VERIFICATION,
+        priority: 2,
+        condition: auth_flow_rules_1.Rules.emailVerificationPending,
+        challenge: auth_challenge_dto_1.AuthChallenge.VERIFY_EMAIL,
+    },
+    {
+        state: auth_flow_state_machine_types_1.AuthFlowState.PENDING_PHONE_COLLECTION,
+        priority: 3,
+        condition: auth_flow_rules_1.Rules.phoneCollectionNeeded,
+        challenge: auth_challenge_dto_1.AuthChallenge.VERIFY_PHONE,
+    },
+    {
+        state: auth_flow_state_machine_types_1.AuthFlowState.PENDING_PHONE_VERIFICATION,
+        priority: 4,
+        condition: auth_flow_rules_1.Rules.phoneVerificationPending,
+        challenge: auth_challenge_dto_1.AuthChallenge.VERIFY_PHONE,
+    },
+    {
+        state: auth_flow_state_machine_types_1.AuthFlowState.PENDING_MFA_SETUP,
+        priority: 5,
+        condition: auth_flow_rules_1.Rules.mfaSetupRequired,
+        challenge: auth_challenge_dto_1.AuthChallenge.MFA_SETUP_REQUIRED,
+        onEnter: async (context) => {
+            if (context.user.isPhoneVerified && context.user.phone && context.user.preferredMfaMethod === mfa_method_enum_1.MFAMethod.SMS) {
+                context.skipMFAVerification = true;
+            }
+        },
+    },
+    {
+        state: auth_flow_state_machine_types_1.AuthFlowState.PENDING_MFA_VERIFICATION,
+        priority: 6,
+        condition: auth_flow_rules_1.Rules.mfaVerificationRequired,
+        challenge: auth_challenge_dto_1.AuthChallenge.MFA_REQUIRED,
+    },
+    {
+        state: auth_flow_state_machine_types_1.AuthFlowState.GRACE_PERIOD_ACTIVE,
+        priority: 7,
+        condition: auth_flow_rules_1.Rules.gracePeriodActiveAdaptive,
+        buildMetadata: (context) => {
+            return {
+                gracePeriodEndsAt: context.computed.gracePeriodEndsAt,
+                riskScore: context.computed.riskScore,
+                riskLevel: context.computed.riskLevel,
+            };
+        },
+    },
+    {
+        state: auth_flow_state_machine_types_1.AuthFlowState.BLOCKED,
+        priority: 8,
+        condition: auth_flow_rules_1.Rules.isBlocked,
+        buildMetadata: (context) => {
+            return {
+                blockedUntil: context.computed.blockedUntil,
+                reason: context.computed.blockReason,
+            };
+        },
+    },
+    {
+        state: auth_flow_state_machine_types_1.AuthFlowState.AUTHENTICATED,
+        priority: 9,
+        condition: auth_flow_rules_1.Rules.authenticated,
+    },
+];
+function getStateDefinition(state) {
+    return exports.STATE_DEFINITIONS.find((def) => def.state === state);
+}
+function getStateDefinitionsByPriority() {
+    return [...exports.STATE_DEFINITIONS].sort((a, b) => a.priority - b.priority);
+}
+//# sourceMappingURL=auth-flow-state-definitions.js.map

package/dist/services/auth-flow-state-definitions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-flow-state-definitions.js","sourceRoot":"","sources":["../../src/services/auth-flow-state-definitions.ts"],"names":[],"mappings":";;;AA4KA,gDAEC;AAaD,sEAEC;AA7LD,mFAAoH;AACpH,kEAA0D;AAC1D,uDAA0C;AAC1C,8DAAqD;AAoBxC,QAAA,iBAAiB,GAAsB;IAKlD;QACE,KAAK,EAAE,6CAAa,CAAC,uBAAuB;QAC5C,QAAQ,EAAE,CAAC;QACX,SAAS,EAAE,uBAAK,CAAC,kBAAkB;QACnC,SAAS,EAAE,kCAAa,CAAC,qBAAqB;KAC/C;IAMD;QACE,KAAK,EAAE,6CAAa,CAAC,0BAA0B;QAC/C,QAAQ,EAAE,CAAC;QACX,SAAS,EAAE,uBAAK,CAAC,wBAAwB;QACzC,SAAS,EAAE,kCAAa,CAAC,YAAY;KACtC;IAMD;QACE,KAAK,EAAE,6CAAa,CAAC,wBAAwB;QAC7C,QAAQ,EAAE,CAAC;QACX,SAAS,EAAE,uBAAK,CAAC,qBAAqB;QACtC,SAAS,EAAE,kCAAa,CAAC,YAAY;KACtC;IAMD;QACE,KAAK,EAAE,6CAAa,CAAC,0BAA0B;QAC/C,QAAQ,EAAE,CAAC;QACX,SAAS,EAAE,uBAAK,CAAC,wBAAwB;QACzC,SAAS,EAAE,kCAAa,CAAC,YAAY;KACtC;IAMD;QACE,KAAK,EAAE,6CAAa,CAAC,iBAAiB;QACtC,QAAQ,EAAE,CAAC;QACX,SAAS,EAAE,uBAAK,CAAC,gBAAgB;QACjC,SAAS,EAAE,kCAAa,CAAC,kBAAkB;QAU3C,OAAO,EAAE,KAAK,EAAE,OAAwB,EAAiB,EAAE;YAEzD,IAAI,OAAO,CAAC,IAAI,CAAC,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,kBAAkB,KAAK,2BAAS,CAAC,GAAG,EAAE,CAAC;gBAG5G,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC;YACrC,CAAC;QACH,CAAC;KACF;IAMD;QACE,KAAK,EAAE,6CAAa,CAAC,wBAAwB;QAC7C,QAAQ,EAAE,CAAC;QACX,SAAS,EAAE,uBAAK,CAAC,uBAAuB;QACxC,SAAS,EAAE,kCAAa,CAAC,YAAY;KACtC;IAOD;QACE,KAAK,EAAE,6CAAa,CAAC,mBAAmB;QACxC,QAAQ,EAAE,CAAC;QACX,SAAS,EAAE,uBAAK,CAAC,yBAAyB;QAK1C,aAAa,EAAE,CAAC,OAAwB,EAAgC,EAAE;YACxE,OAAO;gBACL,iBAAiB,EAAE,OAAO,CAAC,QAAQ,CAAC,iBAAiB;gBACrD,SAAS,EAAE,OAAO,CAAC,QAAQ,CAAC,SAAS;gBACrC,SAAS,EAAE,OAAO,CAAC,QAAQ,CAAC,SAAS;aACtC,CAAC;QACJ,CAAC;KACF;IAMD;QACE,KAAK,EAAE,6CAAa,CAAC,OAAO;QAC5B,QAAQ,EAAE,CAAC;QACX,SAAS,EAAE,uBAAK,CAAC,SAAS;QAK1B,aAAa,EAAE,CAAC,OAAwB,EAAgC,EAAE;YACxE,OAAO;gBACL,YAAY,EAAE,OAAO,CAAC,QAAQ,CAAC,YAAY;gBAC3C,MAAM,EAAE,OAAO,CAAC,QAAQ,CAAC,WAAW;aACrC,CAAC;QACJ,CAAC;KACF;IAOD;QACE,KAAK,EAAE,6CAAa,CAAC,aAAa;QAClC,QAAQ,EAAE,CAAC;QACX,SAAS,EAAE,uBAAK,CAAC,aAAa;KAC/B;CACF,CAAC;AAaF,SAAgB,kBAAkB,CAAC,KAAoB;IACrD,OAAO,yBAAiB,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,KAAK,KAAK,KAAK,CAAC,CAAC;AAC9D,CAAC;AAaD,SAAgB,6BAA6B;IAC3C,OAAO,CAAC,GAAG,yBAAiB,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC;AACxE,CAAC"}

package/dist/services/auth-flow-state-machine.service.d.ts

@@ -0,0 +1,17 @@
+import { AuthFlowState, AuthFlowContext, StateDefinition, ResponseMetadata } from './auth-flow-state-machine.types';
+import { AuthFlowContextBuilder } from './auth-flow-context-builder.service';
+import { NAuthLogger } from '../utils/nauth-logger';
+export declare class AuthFlowStateMachineService {
+    private readonly contextBuilder;
+    private readonly logger?;
+    constructor(contextBuilder: AuthFlowContextBuilder, logger?: NAuthLogger | undefined);
+    evaluateState(context: AuthFlowContext): Promise<AuthFlowState>;
+    getStateDefinition(state: AuthFlowState): StateDefinition | undefined;
+    buildMetadata(state: AuthFlowState, context: AuthFlowContext): ResponseMetadata | undefined;
+    transitionAfterChallenge(params: {
+        completedChallenge: string;
+        context: AuthFlowContext;
+        updateFn?: (user: AuthFlowContext['user']) => Promise<void>;
+    }): Promise<AuthFlowState>;
+}
+//# sourceMappingURL=auth-flow-state-machine.service.d.ts.map

package/dist/services/auth-flow-state-machine.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-flow-state-machine.service.d.ts","sourceRoot":"","sources":["../../src/services/auth-flow-state-machine.service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAC;AACpH,OAAO,EAAE,sBAAsB,EAAE,MAAM,qCAAqC,CAAC;AAC7E,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AA4BpD,qBAAa,2BAA2B;IAEpC,OAAO,CAAC,QAAQ,CAAC,cAAc;IAC/B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;gBADP,cAAc,EAAE,sBAAsB,EACtC,MAAM,CAAC,EAAE,WAAW,YAAA;IAmBjC,aAAa,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,aAAa,CAAC;IAyDrE,kBAAkB,CAAC,KAAK,EAAE,aAAa,GAAG,eAAe,GAAG,SAAS;IAmBrE,aAAa,CAAC,KAAK,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,GAAG,gBAAgB,GAAG,SAAS;IA2CrF,wBAAwB,CAAC,MAAM,EAAE;QACrC,kBAAkB,EAAE,MAAM,CAAC;QAC3B,OAAO,EAAE,eAAe,CAAC;QACzB,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE,eAAe,CAAC,MAAM,CAAC,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;KAC7D,GAAG,OAAO,CAAC,aAAa,CAAC;CA+B3B"}

package/dist/services/auth-flow-state-machine.service.js

@@ -0,0 +1,91 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthFlowStateMachineService = void 0;
+const auth_flow_state_machine_types_1 = require("./auth-flow-state-machine.types");
+const auth_flow_state_definitions_1 = require("./auth-flow-state-definitions");
+class AuthFlowStateMachineService {
+    contextBuilder;
+    logger;
+    constructor(contextBuilder, logger) {
+        this.contextBuilder = contextBuilder;
+        this.logger = logger;
+    }
+    async evaluateState(context) {
+        const stateDefinitions = (0, auth_flow_state_definitions_1.getStateDefinitionsByPriority)();
+        this.logger?.debug?.(`[StateMachine] Evaluating states for user ${context.user.sub} (priority 1-9, first match wins)`);
+        for (const definition of stateDefinitions) {
+            const ruleResult = definition.condition(context);
+            this.logger?.debug?.(`[StateMachine] Priority ${definition.priority}: ${definition.state} → ${ruleResult ? 'MATCH' : 'skip'}`);
+            if (ruleResult) {
+                if (definition.onEnter) {
+                    this.logger?.debug?.(`[StateMachine] Executing onEnter hook for ${definition.state}`);
+                    try {
+                        await definition.onEnter(context);
+                    }
+                    catch (error) {
+                        const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+                        this.logger?.warn?.(`onEnter hook failed for state ${definition.state}: ${errorMessage}`, {
+                            error,
+                            state: definition.state,
+                            userId: context.user.id,
+                        });
+                    }
+                }
+                this.logger?.debug?.(`[StateMachine] ✓ Selected state: ${definition.state} for user ${context.user.sub}`);
+                return definition.state;
+            }
+        }
+        this.logger?.warn?.(`No state matched for user ${context.user.sub} - falling back to AUTHENTICATED`, {
+            userId: context.user.id,
+        });
+        return auth_flow_state_machine_types_1.AuthFlowState.AUTHENTICATED;
+    }
+    getStateDefinition(state) {
+        return (0, auth_flow_state_definitions_1.getStateDefinition)(state);
+    }
+    buildMetadata(state, context) {
+        const definition = this.getStateDefinition(state);
+        if (!definition || !definition.buildMetadata) {
+            return undefined;
+        }
+        try {
+            return definition.buildMetadata(context);
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+            this.logger?.warn?.(`buildMetadata failed for state ${state}: ${errorMessage}`, {
+                error,
+                state,
+                userId: context.user.id,
+            });
+            return undefined;
+        }
+    }
+    async transitionAfterChallenge(params) {
+        const { completedChallenge, context, updateFn } = params;
+        if (updateFn) {
+            try {
+                await updateFn(context.user);
+            }
+            catch (error) {
+                const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+                this.logger?.error?.(`Failed to update user after challenge completion: ${errorMessage}`, {
+                    error,
+                    challenge: completedChallenge,
+                    userId: context.user.id,
+                });
+            }
+        }
+        const newContext = await this.contextBuilder.build({
+            user: context.user,
+            config: context.config,
+            authMethod: context.authMethod,
+            authProvider: context.authProvider,
+            deviceToken: context.deviceToken,
+            skipMFAVerification: context.skipMFAVerification,
+        });
+        return this.evaluateState(newContext);
+    }
+}
+exports.AuthFlowStateMachineService = AuthFlowStateMachineService;
+//# sourceMappingURL=auth-flow-state-machine.service.js.map

package/dist/services/auth-flow-state-machine.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-flow-state-machine.service.js","sourceRoot":"","sources":["../../src/services/auth-flow-state-machine.service.ts"],"names":[],"mappings":";;;AAAA,mFAAoH;AAGpH,+EAAkG;AA2BlG,MAAa,2BAA2B;IAEnB;IACA;IAFnB,YACmB,cAAsC,EACtC,MAAoB;QADpB,mBAAc,GAAd,cAAc,CAAwB;QACtC,WAAM,GAAN,MAAM,CAAc;IACpC,CAAC;IAkBJ,KAAK,CAAC,aAAa,CAAC,OAAwB;QAE1C,MAAM,gBAAgB,GAAG,IAAA,2DAA6B,GAAE,CAAC;QAEzD,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,6CAA6C,OAAO,CAAC,IAAI,CAAC,GAAG,mCAAmC,CACjG,CAAC;QAGF,KAAK,MAAM,UAAU,IAAI,gBAAgB,EAAE,CAAC;YAE1C,MAAM,UAAU,GAAG,UAAU,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;YACjD,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,2BAA2B,UAAU,CAAC,QAAQ,KAAK,UAAU,CAAC,KAAK,MAAM,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,EAAE,CACzG,CAAC;YAEF,IAAI,UAAU,EAAE,CAAC;gBAEf,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;oBACvB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,6CAA6C,UAAU,CAAC,KAAK,EAAE,CAAC,CAAC;oBACtF,IAAI,CAAC;wBACH,MAAM,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;oBACpC,CAAC;oBAAC,OAAO,KAAK,EAAE,CAAC;wBACf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;wBAC9E,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,iCAAiC,UAAU,CAAC,KAAK,KAAK,YAAY,EAAE,EAAE;4BACxF,KAAK;4BACL,KAAK,EAAE,UAAU,CAAC,KAAK;4BACvB,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,EAAE;yBACxB,CAAC,CAAC;oBAEL,CAAC;gBACH,CAAC;gBAED,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,oCAAoC,UAAU,CAAC,KAAK,aAAa,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;gBAC1G,OAAO,UAAU,CAAC,KAAK,CAAC;YAC1B,CAAC;QACH,CAAC;QAID,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,6BAA6B,OAAO,CAAC,IAAI,CAAC,GAAG,kCAAkC,EAAE;YACnG,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,EAAE;SACxB,CAAC,CAAC;QACH,OAAO,6CAAa,CAAC,aAAa,CAAC;IACrC,CAAC;IAaD,kBAAkB,CAAC,KAAoB;QACrC,OAAO,IAAA,gDAAkB,EAAC,KAAK,CAAC,CAAC;IACnC,CAAC;IAiBD,aAAa,CAAC,KAAoB,EAAE,OAAwB;QAC1D,MAAM,UAAU,GAAG,IAAI,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAClD,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,aAAa,EAAE,CAAC;YAC7C,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,IAAI,CAAC;YACH,OAAO,UAAU,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;QAC3C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;YAC9E,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,kCAAkC,KAAK,KAAK,YAAY,EAAE,EAAE;gBAC9E,KAAK;gBACL,KAAK;gBACL,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,EAAE;aACxB,CAAC,CAAC;YACH,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IA0BD,KAAK,CAAC,wBAAwB,CAAC,MAI9B;QACC,MAAM,EAAE,kBAAkB,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,CAAC;QAGzD,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,CAAC;gBACH,MAAM,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAC/B,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;gBAC9E,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,qDAAqD,YAAY,EAAE,EAAE;oBACxF,KAAK;oBACL,SAAS,EAAE,kBAAkB;oBAC7B,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,EAAE;iBACxB,CAAC,CAAC;YAEL,CAAC;QACH,CAAC;QAGD,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC;YACjD,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,mBAAmB,EAAE,OAAO,CAAC,mBAAmB;SACjD,CAAC,CAAC;QAGH,OAAO,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC;IACxC,CAAC;CACF;AAhLD,kEAgLC"}

package/dist/services/auth-flow-state-machine.types.d.ts

@@ -0,0 +1,55 @@
+import { IUser } from '../interfaces/entities.interface';
+import { NAuthConfig } from '../interfaces/config.interface';
+import { AuthChallenge } from '../dto/auth-challenge.dto';
+export declare enum AuthFlowState {
+    PENDING_PASSWORD_CHANGE = "PENDING_PASSWORD_CHANGE",
+    PENDING_EMAIL_VERIFICATION = "PENDING_EMAIL_VERIFICATION",
+    PENDING_PHONE_COLLECTION = "PENDING_PHONE_COLLECTION",
+    PENDING_PHONE_VERIFICATION = "PENDING_PHONE_VERIFICATION",
+    PENDING_MFA_SETUP = "PENDING_MFA_SETUP",
+    PENDING_MFA_VERIFICATION = "PENDING_MFA_VERIFICATION",
+    GRACE_PERIOD_ACTIVE = "GRACE_PERIOD_ACTIVE",
+    BLOCKED = "BLOCKED",
+    AUTHENTICATED = "AUTHENTICATED"
+}
+export interface AuthFlowContext {
+    user: IUser;
+    config: NAuthConfig;
+    authMethod?: 'password' | 'social';
+    authProvider?: string;
+    deviceToken?: string;
+    skipMFAVerification?: boolean;
+    computed: {
+        isEmailVerificationRequired: boolean;
+        isPhoneVerificationRequired: boolean;
+        isPhoneCollectionNeeded: boolean;
+        isMFAExempt: boolean;
+        isMFASetupRequired: boolean;
+        isMFAVerificationRequired: boolean;
+        isDeviceTrusted: boolean;
+        isGracePeriodActive: boolean;
+        gracePeriodEndsAt?: Date;
+        isBlocked: boolean;
+        blockedUntil?: Date;
+        blockReason?: string;
+        riskScore?: number;
+        riskLevel?: 'low' | 'medium' | 'high';
+    };
+}
+export type Rule = (context: AuthFlowContext) => boolean;
+export interface ResponseMetadata {
+    gracePeriodEndsAt?: Date;
+    riskScore?: number;
+    riskLevel?: 'low' | 'medium' | 'high';
+    blockedUntil?: Date;
+    reason?: string;
+}
+export interface StateDefinition {
+    state: AuthFlowState;
+    priority: number;
+    condition: Rule;
+    challenge?: AuthChallenge;
+    buildMetadata?: (context: AuthFlowContext) => ResponseMetadata | undefined;
+    onEnter?: (context: AuthFlowContext) => Promise<void> | void;
+}
+//# sourceMappingURL=auth-flow-state-machine.types.d.ts.map

package/dist/services/auth-flow-state-machine.types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-flow-state-machine.types.d.ts","sourceRoot":"","sources":["../../src/services/auth-flow-state-machine.types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,kCAAkC,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,MAAM,gCAAgC,CAAC;AAC7D,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAa1D,oBAAY,aAAa;IAKvB,uBAAuB,4BAA4B;IAMnD,0BAA0B,+BAA+B;IAMzD,wBAAwB,6BAA6B;IAMrD,0BAA0B,+BAA+B;IAMzD,iBAAiB,sBAAsB;IAMvC,wBAAwB,6BAA6B;IAMrD,mBAAmB,wBAAwB;IAM3C,OAAO,YAAY;IAMnB,aAAa,kBAAkB;CAChC;AAuBD,MAAM,WAAW,eAAe;IAI9B,IAAI,EAAE,KAAK,CAAC;IAKZ,MAAM,EAAE,WAAW,CAAC;IAKpB,UAAU,CAAC,EAAE,UAAU,GAAG,QAAQ,CAAC;IAKnC,YAAY,CAAC,EAAE,MAAM,CAAC;IAKtB,WAAW,CAAC,EAAE,MAAM,CAAC;IAKrB,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAM9B,QAAQ,EAAE;QAIR,2BAA2B,EAAE,OAAO,CAAC;QAKrC,2BAA2B,EAAE,OAAO,CAAC;QAKrC,uBAAuB,EAAE,OAAO,CAAC;QAKjC,WAAW,EAAE,OAAO,CAAC;QAKrB,kBAAkB,EAAE,OAAO,CAAC;QAK5B,yBAAyB,EAAE,OAAO,CAAC;QAKnC,eAAe,EAAE,OAAO,CAAC;QAKzB,mBAAmB,EAAE,OAAO,CAAC;QAK7B,iBAAiB,CAAC,EAAE,IAAI,CAAC;QAKzB,SAAS,EAAE,OAAO,CAAC;QAKnB,YAAY,CAAC,EAAE,IAAI,CAAC;QAKpB,WAAW,CAAC,EAAE,MAAM,CAAC;QAKrB,SAAS,CAAC,EAAE,MAAM,CAAC;QAKnB,SAAS,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;KACvC,CAAC;CACH;AAkBD,MAAM,MAAM,IAAI,GAAG,CAAC,OAAO,EAAE,eAAe,KAAK,OAAO,CAAC;AAiBzD,MAAM,WAAW,gBAAgB;IAI/B,iBAAiB,CAAC,EAAE,IAAI,CAAC;IAKzB,SAAS,CAAC,EAAE,MAAM,CAAC;IAKnB,SAAS,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IAKtC,YAAY,CAAC,EAAE,IAAI,CAAC;IAKpB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAsBD,MAAM,WAAW,eAAe;IAI9B,KAAK,EAAE,aAAa,CAAC;IAMrB,QAAQ,EAAE,MAAM,CAAC;IAKjB,SAAS,EAAE,IAAI,CAAC;IAMhB,SAAS,CAAC,EAAE,aAAa,CAAC;IAM1B,aAAa,CAAC,EAAE,CAAC,OAAO,EAAE,eAAe,KAAK,gBAAgB,GAAG,SAAS,CAAC;IAO3E,OAAO,CAAC,EAAE,CAAC,OAAO,EAAE,eAAe,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CAC9D"}