npm - @nauth-toolkit/core - Versions diffs - 0.1.0 - Mend

@nauth-toolkit/core 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (778) hide show

package/dist/adapters/database-columns.d.ts +10 -0
package/dist/adapters/database-columns.d.ts.map +1 -0
package/dist/adapters/database-columns.js +85 -0
package/dist/adapters/database-columns.js.map +1 -0
package/dist/adapters/express.adapter.d.ts +41 -0
package/dist/adapters/express.adapter.d.ts.map +1 -0
package/dist/adapters/express.adapter.js +188 -0
package/dist/adapters/express.adapter.js.map +1 -0
package/dist/adapters/fastify.adapter.d.ts +33 -0
package/dist/adapters/fastify.adapter.d.ts.map +1 -0
package/dist/adapters/fastify.adapter.js +223 -0
package/dist/adapters/fastify.adapter.js.map +1 -0
package/dist/adapters/index.d.ts +5 -0
package/dist/adapters/index.d.ts.map +1 -0
package/dist/adapters/index.js +25 -0
package/dist/adapters/index.js.map +1 -0
package/dist/adapters/storage.factory.d.ts +7 -0
package/dist/adapters/storage.factory.d.ts.map +1 -0
package/dist/adapters/storage.factory.js +24 -0
package/dist/adapters/storage.factory.js.map +1 -0
package/dist/bootstrap.d.ts +41 -0
package/dist/bootstrap.d.ts.map +1 -0
package/dist/bootstrap.js +113 -0
package/dist/bootstrap.js.map +1 -0
package/dist/dto/auth-challenge.dto.d.ts +19 -0
package/dist/dto/auth-challenge.dto.d.ts.map +1 -0
package/dist/dto/auth-challenge.dto.js +86 -0
package/dist/dto/auth-challenge.dto.js.map +1 -0
package/dist/dto/auth-response.dto.d.ts +31 -0
package/dist/dto/auth-response.dto.d.ts.map +1 -0
package/dist/dto/auth-response.dto.js +18 -0
package/dist/dto/auth-response.dto.js.map +1 -0
package/dist/dto/challenge-response.dto.d.ts +36 -0
package/dist/dto/challenge-response.dto.d.ts.map +1 -0
package/dist/dto/challenge-response.dto.js +3 -0
package/dist/dto/challenge-response.dto.js.map +1 -0
package/dist/dto/change-password-request.dto.d.ts +5 -0
package/dist/dto/change-password-request.dto.d.ts.map +1 -0
package/dist/dto/change-password-request.dto.js +30 -0
package/dist/dto/change-password-request.dto.js.map +1 -0
package/dist/dto/change-password-response.dto.d.ts +4 -0
package/dist/dto/change-password-response.dto.d.ts.map +1 -0
package/dist/dto/change-password-response.dto.js +8 -0
package/dist/dto/change-password-response.dto.js.map +1 -0
package/dist/dto/change-password.dto.d.ts +5 -0
package/dist/dto/change-password.dto.d.ts.map +1 -0
package/dist/dto/change-password.dto.js +29 -0
package/dist/dto/change-password.dto.js.map +1 -0
package/dist/dto/error-response.dto.d.ts +9 -0
package/dist/dto/error-response.dto.d.ts.map +1 -0
package/dist/dto/error-response.dto.js +59 -0
package/dist/dto/error-response.dto.js.map +1 -0
package/dist/dto/get-available-methods.dto.d.ts +7 -0
package/dist/dto/get-available-methods.dto.d.ts.map +1 -0
package/dist/dto/get-available-methods.dto.js +33 -0
package/dist/dto/get-available-methods.dto.js.map +1 -0
package/dist/dto/get-challenge-data-response.dto.d.ts +4 -0
package/dist/dto/get-challenge-data-response.dto.d.ts.map +1 -0
package/dist/dto/get-challenge-data-response.dto.js +8 -0
package/dist/dto/get-challenge-data-response.dto.js.map +1 -0
package/dist/dto/get-challenge-data.dto.d.ts +8 -0
package/dist/dto/get-challenge-data.dto.d.ts.map +1 -0
package/dist/dto/get-challenge-data.dto.js +40 -0
package/dist/dto/get-challenge-data.dto.js.map +1 -0
package/dist/dto/get-client-info.dto.d.ts +17 -0
package/dist/dto/get-client-info.dto.d.ts.map +1 -0
package/dist/dto/get-client-info.dto.js +20 -0
package/dist/dto/get-client-info.dto.js.map +1 -0
package/dist/dto/get-device-token-response.dto.d.ts +4 -0
package/dist/dto/get-device-token-response.dto.d.ts.map +1 -0
package/dist/dto/get-device-token-response.dto.js +8 -0
package/dist/dto/get-device-token-response.dto.js.map +1 -0
package/dist/dto/get-events-by-type.dto.d.ts +17 -0
package/dist/dto/get-events-by-type.dto.d.ts.map +1 -0
package/dist/dto/get-events-by-type.dto.js +20 -0
package/dist/dto/get-events-by-type.dto.js.map +1 -0
package/dist/dto/get-ip-address-response.dto.d.ts +4 -0
package/dist/dto/get-ip-address-response.dto.d.ts.map +1 -0
package/dist/dto/get-ip-address-response.dto.js +8 -0
package/dist/dto/get-ip-address-response.dto.js.map +1 -0
package/dist/dto/get-mfa-status.dto.d.ts +16 -0
package/dist/dto/get-mfa-status.dto.d.ts.map +1 -0
package/dist/dto/get-mfa-status.dto.js +41 -0
package/dist/dto/get-mfa-status.dto.js.map +1 -0
package/dist/dto/get-risk-assessment-history.dto.d.ts +9 -0
package/dist/dto/get-risk-assessment-history.dto.d.ts.map +1 -0
package/dist/dto/get-risk-assessment-history.dto.js +13 -0
package/dist/dto/get-risk-assessment-history.dto.js.map +1 -0
package/dist/dto/get-session-id-response.dto.d.ts +4 -0
package/dist/dto/get-session-id-response.dto.d.ts.map +1 -0
package/dist/dto/get-session-id-response.dto.js +8 -0
package/dist/dto/get-session-id-response.dto.js.map +1 -0
package/dist/dto/get-setup-data-response.dto.d.ts +4 -0
package/dist/dto/get-setup-data-response.dto.d.ts.map +1 -0
package/dist/dto/get-setup-data-response.dto.js +8 -0
package/dist/dto/get-setup-data-response.dto.js.map +1 -0
package/dist/dto/get-setup-data.dto.d.ts +7 -0
package/dist/dto/get-setup-data.dto.d.ts.map +1 -0
package/dist/dto/get-setup-data.dto.js +43 -0
package/dist/dto/get-setup-data.dto.js.map +1 -0
package/dist/dto/get-suspicious-activity.dto.d.ts +9 -0
package/dist/dto/get-suspicious-activity.dto.d.ts.map +1 -0
package/dist/dto/get-suspicious-activity.dto.js +13 -0
package/dist/dto/get-suspicious-activity.dto.js.map +1 -0
package/dist/dto/get-user-agent-response.dto.d.ts +4 -0
package/dist/dto/get-user-agent-response.dto.d.ts.map +1 -0
package/dist/dto/get-user-agent-response.dto.js +8 -0
package/dist/dto/get-user-agent-response.dto.js.map +1 -0
package/dist/dto/get-user-auth-history.dto.d.ts +20 -0
package/dist/dto/get-user-auth-history.dto.d.ts.map +1 -0
package/dist/dto/get-user-auth-history.dto.js +22 -0
package/dist/dto/get-user-auth-history.dto.js.map +1 -0
package/dist/dto/get-user-by-email.dto.d.ts +5 -0
package/dist/dto/get-user-by-email.dto.d.ts.map +1 -0
package/dist/dto/get-user-by-email.dto.js +36 -0
package/dist/dto/get-user-by-email.dto.js.map +1 -0
package/dist/dto/get-user-by-id.dto.d.ts +4 -0
package/dist/dto/get-user-by-id.dto.d.ts.map +1 -0
package/dist/dto/get-user-by-id.dto.js +29 -0
package/dist/dto/get-user-by-id.dto.js.map +1 -0
package/dist/dto/get-user-devices.dto.d.ts +8 -0
package/dist/dto/get-user-devices.dto.d.ts.map +1 -0
package/dist/dto/get-user-devices.dto.js +33 -0
package/dist/dto/get-user-devices.dto.js.map +1 -0
package/dist/dto/get-user-response.dto.d.ts +2 -0
package/dist/dto/get-user-response.dto.d.ts.map +1 -0
package/dist/dto/get-user-response.dto.js +6 -0
package/dist/dto/get-user-response.dto.js.map +1 -0
package/dist/dto/has-provider.dto.d.ts +7 -0
package/dist/dto/has-provider.dto.d.ts.map +1 -0
package/dist/dto/has-provider.dto.js +38 -0
package/dist/dto/has-provider.dto.js.map +1 -0
package/dist/dto/index.d.ts +51 -0
package/dist/dto/index.d.ts.map +1 -0
package/dist/dto/index.js +67 -0
package/dist/dto/index.js.map +1 -0
package/dist/dto/is-trusted-device-response.dto.d.ts +4 -0
package/dist/dto/is-trusted-device-response.dto.d.ts.map +1 -0
package/dist/dto/is-trusted-device-response.dto.js +8 -0
package/dist/dto/is-trusted-device-response.dto.js.map +1 -0
package/dist/dto/list-providers-response.dto.d.ts +4 -0
package/dist/dto/list-providers-response.dto.d.ts.map +1 -0
package/dist/dto/list-providers-response.dto.js +8 -0
package/dist/dto/list-providers-response.dto.js.map +1 -0
package/dist/dto/login.dto.d.ts +7 -0
package/dist/dto/login.dto.d.ts.map +1 -0
package/dist/dto/login.dto.js +68 -0
package/dist/dto/login.dto.js.map +1 -0
package/dist/dto/logout-all-response.dto.d.ts +4 -0
package/dist/dto/logout-all-response.dto.d.ts.map +1 -0
package/dist/dto/logout-all-response.dto.js +8 -0
package/dist/dto/logout-all-response.dto.js.map +1 -0
package/dist/dto/logout-all.dto.d.ts +5 -0
package/dist/dto/logout-all.dto.d.ts.map +1 -0
package/dist/dto/logout-all.dto.js +42 -0
package/dist/dto/logout-all.dto.js.map +1 -0
package/dist/dto/logout-response.dto.d.ts +4 -0
package/dist/dto/logout-response.dto.d.ts.map +1 -0
package/dist/dto/logout-response.dto.js +8 -0
package/dist/dto/logout-response.dto.js.map +1 -0
package/dist/dto/logout.dto.d.ts +5 -0
package/dist/dto/logout.dto.d.ts.map +1 -0
package/dist/dto/logout.dto.js +36 -0
package/dist/dto/logout.dto.js.map +1 -0
package/dist/dto/refresh-token.dto.d.ts +4 -0
package/dist/dto/refresh-token.dto.d.ts.map +1 -0
package/dist/dto/refresh-token.dto.js +24 -0
package/dist/dto/refresh-token.dto.js.map +1 -0
package/dist/dto/remove-devices.dto.d.ts +9 -0
package/dist/dto/remove-devices.dto.d.ts.map +1 -0
package/dist/dto/remove-devices.dto.js +50 -0
package/dist/dto/remove-devices.dto.js.map +1 -0
package/dist/dto/resend-code-response.dto.d.ts +4 -0
package/dist/dto/resend-code-response.dto.d.ts.map +1 -0
package/dist/dto/resend-code-response.dto.js +8 -0
package/dist/dto/resend-code-response.dto.js.map +1 -0
package/dist/dto/resend-code.dto.d.ts +4 -0
package/dist/dto/resend-code.dto.d.ts.map +1 -0
package/dist/dto/resend-code.dto.js +29 -0
package/dist/dto/resend-code.dto.js.map +1 -0
package/dist/dto/reset-password.dto.d.ts +8 -0
package/dist/dto/reset-password.dto.d.ts.map +1 -0
package/dist/dto/reset-password.dto.js +61 -0
package/dist/dto/reset-password.dto.js.map +1 -0
package/dist/dto/respond-challenge.dto.d.ts +33 -0
package/dist/dto/respond-challenge.dto.d.ts.map +1 -0
package/dist/dto/respond-challenge.dto.js +131 -0
package/dist/dto/respond-challenge.dto.js.map +1 -0
package/dist/dto/set-mfa-exemption.dto.d.ts +12 -0
package/dist/dto/set-mfa-exemption.dto.d.ts.map +1 -0
package/dist/dto/set-mfa-exemption.dto.js +66 -0
package/dist/dto/set-mfa-exemption.dto.js.map +1 -0
package/dist/dto/set-must-change-password-response.dto.d.ts +4 -0
package/dist/dto/set-must-change-password-response.dto.d.ts.map +1 -0
package/dist/dto/set-must-change-password-response.dto.js +8 -0
package/dist/dto/set-must-change-password-response.dto.js.map +1 -0
package/dist/dto/set-must-change-password.dto.d.ts +4 -0
package/dist/dto/set-must-change-password.dto.d.ts.map +1 -0
package/dist/dto/set-must-change-password.dto.js +29 -0
package/dist/dto/set-must-change-password.dto.js.map +1 -0
package/dist/dto/set-preferred-method.dto.d.ts +8 -0
package/dist/dto/set-preferred-method.dto.d.ts.map +1 -0
package/dist/dto/set-preferred-method.dto.js +49 -0
package/dist/dto/set-preferred-method.dto.js.map +1 -0
package/dist/dto/setup-mfa.dto.d.ts +9 -0
package/dist/dto/setup-mfa.dto.d.ts.map +1 -0
package/dist/dto/setup-mfa.dto.js +55 -0
package/dist/dto/setup-mfa.dto.js.map +1 -0
package/dist/dto/signup.dto.d.ts +10 -0
package/dist/dto/signup.dto.d.ts.map +1 -0
package/dist/dto/signup.dto.js +109 -0
package/dist/dto/signup.dto.js.map +1 -0
package/dist/dto/social-auth.dto.d.ts +54 -0
package/dist/dto/social-auth.dto.d.ts.map +1 -0
package/dist/dto/social-auth.dto.js +232 -0
package/dist/dto/social-auth.dto.js.map +1 -0
package/dist/dto/trust-device-response.dto.d.ts +4 -0
package/dist/dto/trust-device-response.dto.d.ts.map +1 -0
package/dist/dto/trust-device-response.dto.js +8 -0
package/dist/dto/trust-device-response.dto.js.map +1 -0
package/dist/dto/trust-device.dto.d.ts +1 -0
package/dist/dto/trust-device.dto.d.ts.map +1 -0
package/dist/dto/trust-device.dto.js +2 -0
package/dist/dto/trust-device.dto.js.map +1 -0
package/dist/dto/update-user-attributes-request.dto.d.ts +5 -0
package/dist/dto/update-user-attributes-request.dto.d.ts.map +1 -0
package/dist/dto/update-user-attributes-request.dto.js +30 -0
package/dist/dto/update-user-attributes-request.dto.js.map +1 -0
package/dist/dto/user-response.dto.d.ts +20 -0
package/dist/dto/user-response.dto.d.ts.map +1 -0
package/dist/dto/user-response.dto.js +42 -0
package/dist/dto/user-response.dto.js.map +1 -0
package/dist/dto/user-update.dto.d.ts +12 -0
package/dist/dto/user-update.dto.d.ts.map +1 -0
package/dist/dto/user-update.dto.js +119 -0
package/dist/dto/user-update.dto.js.map +1 -0
package/dist/dto/verify-email.dto.d.ts +29 -0
package/dist/dto/verify-email.dto.d.ts.map +1 -0
package/dist/dto/verify-email.dto.js +161 -0
package/dist/dto/verify-email.dto.js.map +1 -0
package/dist/dto/verify-mfa-code.dto.d.ts +10 -0
package/dist/dto/verify-mfa-code.dto.d.ts.map +1 -0
package/dist/dto/verify-mfa-code.dto.js +56 -0
package/dist/dto/verify-mfa-code.dto.js.map +1 -0
package/dist/dto/verify-phone-by-sub.dto.d.ts +6 -0
package/dist/dto/verify-phone-by-sub.dto.d.ts.map +1 -0
package/dist/dto/verify-phone-by-sub.dto.js +49 -0
package/dist/dto/verify-phone-by-sub.dto.js.map +1 -0
package/dist/dto/verify-phone.dto.d.ts +24 -0
package/dist/dto/verify-phone.dto.d.ts.map +1 -0
package/dist/dto/verify-phone.dto.js +124 -0
package/dist/dto/verify-phone.dto.js.map +1 -0
package/dist/entities/auth-audit.entity.d.ts +31 -0
package/dist/entities/auth-audit.entity.d.ts.map +1 -0
package/dist/entities/auth-audit.entity.js +33 -0
package/dist/entities/auth-audit.entity.js.map +1 -0
package/dist/entities/challenge-session.entity.d.ts +17 -0
package/dist/entities/challenge-session.entity.d.ts.map +1 -0
package/dist/entities/challenge-session.entity.js +21 -0
package/dist/entities/challenge-session.entity.js.map +1 -0
package/dist/entities/index.d.ts +12 -0
package/dist/entities/index.d.ts.map +1 -0
package/dist/entities/index.js +26 -0
package/dist/entities/index.js.map +1 -0
package/dist/entities/login-attempt.entity.d.ts +13 -0
package/dist/entities/login-attempt.entity.d.ts.map +1 -0
package/dist/entities/login-attempt.entity.js +17 -0
package/dist/entities/login-attempt.entity.js.map +1 -0
package/dist/entities/mfa-device.entity.d.ts +22 -0
package/dist/entities/mfa-device.entity.d.ts.map +1 -0
package/dist/entities/mfa-device.entity.js +25 -0
package/dist/entities/mfa-device.entity.js.map +1 -0
package/dist/entities/rate-limit.entity.d.ts +9 -0
package/dist/entities/rate-limit.entity.d.ts.map +1 -0
package/dist/entities/rate-limit.entity.js +13 -0
package/dist/entities/rate-limit.entity.js.map +1 -0
package/dist/entities/session.entity.d.ts +32 -0
package/dist/entities/session.entity.d.ts.map +1 -0
package/dist/entities/session.entity.js +36 -0
package/dist/entities/session.entity.js.map +1 -0
package/dist/entities/social-account.entity.d.ts +13 -0
package/dist/entities/social-account.entity.d.ts.map +1 -0
package/dist/entities/social-account.entity.js +17 -0
package/dist/entities/social-account.entity.js.map +1 -0
package/dist/entities/storage-lock.entity.d.ts +8 -0
package/dist/entities/storage-lock.entity.d.ts.map +1 -0
package/dist/entities/storage-lock.entity.js +12 -0
package/dist/entities/storage-lock.entity.js.map +1 -0
package/dist/entities/trusted-device.entity.d.ts +17 -0
package/dist/entities/trusted-device.entity.d.ts.map +1 -0
package/dist/entities/trusted-device.entity.js +21 -0
package/dist/entities/trusted-device.entity.js.map +1 -0
package/dist/entities/user.entity.d.ts +41 -0
package/dist/entities/user.entity.d.ts.map +1 -0
package/dist/entities/user.entity.js +45 -0
package/dist/entities/user.entity.js.map +1 -0
package/dist/entities/verification-token.entity.d.ts +19 -0
package/dist/entities/verification-token.entity.d.ts.map +1 -0
package/dist/entities/verification-token.entity.js +29 -0
package/dist/entities/verification-token.entity.js.map +1 -0
package/dist/enums/auth-audit-event-type.enum.d.ts +55 -0
package/dist/enums/auth-audit-event-type.enum.d.ts.map +1 -0
package/dist/enums/auth-audit-event-type.enum.js +59 -0
package/dist/enums/auth-audit-event-type.enum.js.map +1 -0
package/dist/enums/error-codes.enum.d.ts +53 -0
package/dist/enums/error-codes.enum.d.ts.map +1 -0
package/dist/enums/error-codes.enum.js +57 -0
package/dist/enums/error-codes.enum.js.map +1 -0
package/dist/enums/mfa-method.enum.d.ts +11 -0
package/dist/enums/mfa-method.enum.d.ts.map +1 -0
package/dist/enums/mfa-method.enum.js +18 -0
package/dist/enums/mfa-method.enum.js.map +1 -0
package/dist/enums/risk-factor.enum.d.ts +14 -0
package/dist/enums/risk-factor.enum.d.ts.map +1 -0
package/dist/enums/risk-factor.enum.js +18 -0
package/dist/enums/risk-factor.enum.js.map +1 -0
package/dist/exceptions/nauth.exception.d.ts +18 -0
package/dist/exceptions/nauth.exception.d.ts.map +1 -0
package/dist/exceptions/nauth.exception.js +64 -0
package/dist/exceptions/nauth.exception.js.map +1 -0
package/dist/handlers/auth.handler.d.ts +18 -0
package/dist/handlers/auth.handler.d.ts.map +1 -0
package/dist/handlers/auth.handler.js +173 -0
package/dist/handlers/auth.handler.js.map +1 -0
package/dist/handlers/client-info.handler.d.ts +12 -0
package/dist/handlers/client-info.handler.d.ts.map +1 -0
package/dist/handlers/client-info.handler.js +61 -0
package/dist/handlers/client-info.handler.js.map +1 -0
package/dist/handlers/csrf.handler.d.ts +13 -0
package/dist/handlers/csrf.handler.d.ts.map +1 -0
package/dist/handlers/csrf.handler.js +84 -0
package/dist/handlers/csrf.handler.js.map +1 -0
package/dist/handlers/token-delivery.handler.d.ts +12 -0
package/dist/handlers/token-delivery.handler.d.ts.map +1 -0
package/dist/handlers/token-delivery.handler.js +86 -0
package/dist/handlers/token-delivery.handler.js.map +1 -0
package/dist/index.d.ts +27 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +51 -0
package/dist/index.js.map +1 -0
package/dist/interfaces/client-info.interface.d.ts +16 -0
package/dist/interfaces/client-info.interface.d.ts.map +1 -0
package/dist/interfaces/client-info.interface.js +3 -0
package/dist/interfaces/client-info.interface.js.map +1 -0
package/dist/interfaces/config.interface.d.ts +279 -0
package/dist/interfaces/config.interface.d.ts.map +1 -0
package/dist/interfaces/config.interface.js +3 -0
package/dist/interfaces/config.interface.js.map +1 -0
package/dist/interfaces/entities.interface.d.ts +169 -0
package/dist/interfaces/entities.interface.d.ts.map +1 -0
package/dist/interfaces/entities.interface.js +3 -0
package/dist/interfaces/entities.interface.js.map +1 -0
package/dist/interfaces/index.d.ts +11 -0
package/dist/interfaces/index.d.ts.map +1 -0
package/dist/interfaces/index.js +27 -0
package/dist/interfaces/index.js.map +1 -0
package/dist/interfaces/logger.interface.d.ts +43 -0
package/dist/interfaces/logger.interface.d.ts.map +1 -0
package/dist/interfaces/logger.interface.js +12 -0
package/dist/interfaces/logger.interface.js.map +1 -0
package/dist/interfaces/mfa-provider.interface.d.ts +12 -0
package/dist/interfaces/mfa-provider.interface.d.ts.map +1 -0
package/dist/interfaces/mfa-provider.interface.js +3 -0
package/dist/interfaces/mfa-provider.interface.js.map +1 -0
package/dist/interfaces/oauth.interface.d.ts +24 -0
package/dist/interfaces/oauth.interface.d.ts.map +1 -0
package/dist/interfaces/oauth.interface.js +3 -0
package/dist/interfaces/oauth.interface.js.map +1 -0
package/dist/interfaces/provider.interface.d.ts +12 -0
package/dist/interfaces/provider.interface.d.ts.map +1 -0
package/dist/interfaces/provider.interface.js +3 -0
package/dist/interfaces/provider.interface.js.map +1 -0
package/dist/interfaces/social-auth-provider.interface.d.ts +13 -0
package/dist/interfaces/social-auth-provider.interface.d.ts.map +1 -0
package/dist/interfaces/social-auth-provider.interface.js +3 -0
package/dist/interfaces/social-auth-provider.interface.js.map +1 -0
package/dist/interfaces/storage-adapter.interface.d.ts +39 -0
package/dist/interfaces/storage-adapter.interface.d.ts.map +1 -0
package/dist/interfaces/storage-adapter.interface.js +3 -0
package/dist/interfaces/storage-adapter.interface.js.map +1 -0
package/dist/interfaces/template.interface.d.ts +99 -0
package/dist/interfaces/template.interface.d.ts.map +1 -0
package/dist/interfaces/template.interface.js +15 -0
package/dist/interfaces/template.interface.js.map +1 -0
package/dist/interfaces/token-verifier.interface.d.ts +7 -0
package/dist/interfaces/token-verifier.interface.d.ts.map +1 -0
package/dist/interfaces/token-verifier.interface.js +3 -0
package/dist/interfaces/token-verifier.interface.js.map +1 -0
package/dist/internal.d.ts +20 -0
package/dist/internal.d.ts.map +1 -0
package/dist/internal.js +53 -0
package/dist/internal.js.map +1 -0
package/dist/platform/interfaces.d.ts +56 -0
package/dist/platform/interfaces.d.ts.map +1 -0
package/dist/platform/interfaces.js +3 -0
package/dist/platform/interfaces.js.map +1 -0
package/dist/schemas/auth-config.schema.d.ts +3411 -0
package/dist/schemas/auth-config.schema.d.ts.map +1 -0
package/dist/schemas/auth-config.schema.js +428 -0
package/dist/schemas/auth-config.schema.js.map +1 -0
package/dist/services/adaptive-mfa-decision.service.d.ts +39 -0
package/dist/services/adaptive-mfa-decision.service.d.ts.map +1 -0
package/dist/services/adaptive-mfa-decision.service.js +223 -0
package/dist/services/adaptive-mfa-decision.service.js.map +1 -0
package/dist/services/auth-audit.service.d.ts +44 -0
package/dist/services/auth-audit.service.d.ts.map +1 -0
package/dist/services/auth-audit.service.js +241 -0
package/dist/services/auth-audit.service.js.map +1 -0
package/dist/services/auth-challenge-helper.service.d.ts +48 -0
package/dist/services/auth-challenge-helper.service.d.ts.map +1 -0
package/dist/services/auth-challenge-helper.service.js +425 -0
package/dist/services/auth-challenge-helper.service.js.map +1 -0
package/dist/services/auth-flow-context-builder.service.d.ts +31 -0
package/dist/services/auth-flow-context-builder.service.d.ts.map +1 -0
package/dist/services/auth-flow-context-builder.service.js +253 -0
package/dist/services/auth-flow-context-builder.service.js.map +1 -0
package/dist/services/auth-flow-rules.d.ts +18 -0
package/dist/services/auth-flow-rules.d.ts.map +1 -0
package/dist/services/auth-flow-rules.js +55 -0
package/dist/services/auth-flow-rules.js.map +1 -0
package/dist/services/auth-flow-state-definitions.d.ts +5 -0
package/dist/services/auth-flow-state-definitions.d.ts.map +1 -0
package/dist/services/auth-flow-state-definitions.js +87 -0
package/dist/services/auth-flow-state-definitions.js.map +1 -0
package/dist/services/auth-flow-state-machine.service.d.ts +17 -0
package/dist/services/auth-flow-state-machine.service.d.ts.map +1 -0
package/dist/services/auth-flow-state-machine.service.js +91 -0
package/dist/services/auth-flow-state-machine.service.js.map +1 -0
package/dist/services/auth-flow-state-machine.types.d.ts +55 -0
package/dist/services/auth-flow-state-machine.types.d.ts.map +1 -0
package/dist/services/auth-flow-state-machine.types.js +16 -0
package/dist/services/auth-flow-state-machine.types.js.map +1 -0
package/dist/services/auth.service.d.ts +87 -0
package/dist/services/auth.service.d.ts.map +1 -0
package/dist/services/auth.service.js +2356 -0
package/dist/services/auth.service.js.map +1 -0
package/dist/services/challenge.service.d.ts +32 -0
package/dist/services/challenge.service.d.ts.map +1 -0
package/dist/services/challenge.service.js +293 -0
package/dist/services/challenge.service.js.map +1 -0
package/dist/services/client-info.service.d.ts +20 -0
package/dist/services/client-info.service.d.ts.map +1 -0
package/dist/services/client-info.service.js +202 -0
package/dist/services/client-info.service.js.map +1 -0
package/dist/services/csrf.service.d.ts +13 -0
package/dist/services/csrf.service.d.ts.map +1 -0
package/dist/services/csrf.service.js +67 -0
package/dist/services/csrf.service.js.map +1 -0
package/dist/services/email-verification.service.d.ts +30 -0
package/dist/services/email-verification.service.d.ts.map +1 -0
package/dist/services/email-verification.service.js +373 -0
package/dist/services/email-verification.service.js.map +1 -0
package/dist/services/geo-location.service.d.ts +85 -0
package/dist/services/geo-location.service.d.ts.map +1 -0
package/dist/services/geo-location.service.js +338 -0
package/dist/services/geo-location.service.js.map +1 -0
package/dist/services/index.d.ts +14 -0
package/dist/services/index.d.ts.map +1 -0
package/dist/services/index.js +30 -0
package/dist/services/index.js.map +1 -0
package/dist/services/jwt.service.d.ts +62 -0
package/dist/services/jwt.service.d.ts.map +1 -0
package/dist/services/jwt.service.js +261 -0
package/dist/services/jwt.service.js.map +1 -0
package/dist/services/mfa-base.service.d.ts +37 -0
package/dist/services/mfa-base.service.d.ts.map +1 -0
package/dist/services/mfa-base.service.js +297 -0
package/dist/services/mfa-base.service.js.map +1 -0
package/dist/services/mfa.service.d.ts +35 -0
package/dist/services/mfa.service.d.ts.map +1 -0
package/dist/services/mfa.service.js +449 -0
package/dist/services/mfa.service.js.map +1 -0
package/dist/services/password.service.d.ts +19 -0
package/dist/services/password.service.d.ts.map +1 -0
package/dist/services/password.service.js +150 -0
package/dist/services/password.service.js.map +1 -0
package/dist/services/phone-verification.service.d.ts +32 -0
package/dist/services/phone-verification.service.d.ts.map +1 -0
package/dist/services/phone-verification.service.js +474 -0
package/dist/services/phone-verification.service.js.map +1 -0
package/dist/services/risk-detection.service.d.ts +30 -0
package/dist/services/risk-detection.service.d.ts.map +1 -0
package/dist/services/risk-detection.service.js +518 -0
package/dist/services/risk-detection.service.js.map +1 -0
package/dist/services/risk-scoring.service.d.ts +12 -0
package/dist/services/risk-scoring.service.d.ts.map +1 -0
package/dist/services/risk-scoring.service.js +44 -0
package/dist/services/risk-scoring.service.js.map +1 -0
package/dist/services/session.service.d.ts +64 -0
package/dist/services/session.service.d.ts.map +1 -0
package/dist/services/session.service.js +455 -0
package/dist/services/session.service.js.map +1 -0
package/dist/services/social-auth-base.service.d.ts +57 -0
package/dist/services/social-auth-base.service.d.ts.map +1 -0
package/dist/services/social-auth-base.service.js +340 -0
package/dist/services/social-auth-base.service.js.map +1 -0
package/dist/services/social-auth.service.d.ts +31 -0
package/dist/services/social-auth.service.d.ts.map +1 -0
package/dist/services/social-auth.service.js +172 -0
package/dist/services/social-auth.service.js.map +1 -0
package/dist/services/social-provider-registry.service.d.ts +9 -0
package/dist/services/social-provider-registry.service.d.ts.map +1 -0
package/dist/services/social-provider-registry.service.js +30 -0
package/dist/services/social-provider-registry.service.js.map +1 -0
package/dist/services/trusted-device.service.d.ts +29 -0
package/dist/services/trusted-device.service.d.ts.map +1 -0
package/dist/services/trusted-device.service.js +190 -0
package/dist/services/trusted-device.service.js.map +1 -0
package/dist/storage/account-lockout-storage.service.d.ts +16 -0
package/dist/storage/account-lockout-storage.service.d.ts.map +1 -0
package/dist/storage/account-lockout-storage.service.js +50 -0
package/dist/storage/account-lockout-storage.service.js.map +1 -0
package/dist/storage/index.d.ts +4 -0
package/dist/storage/index.d.ts.map +1 -0
package/dist/storage/index.js +20 -0
package/dist/storage/index.js.map +1 -0
package/dist/storage/memory-storage.adapter.d.ts +33 -0
package/dist/storage/memory-storage.adapter.d.ts.map +1 -0
package/dist/storage/memory-storage.adapter.js +195 -0
package/dist/storage/memory-storage.adapter.js.map +1 -0
package/dist/storage/rate-limit-storage.service.d.ts +11 -0
package/dist/storage/rate-limit-storage.service.d.ts.map +1 -0
package/dist/storage/rate-limit-storage.service.js +33 -0
package/dist/storage/rate-limit-storage.service.js.map +1 -0
package/dist/templates/html-template.engine.d.ts +16 -0
package/dist/templates/html-template.engine.d.ts.map +1 -0
package/dist/templates/html-template.engine.js +502 -0
package/dist/templates/html-template.engine.js.map +1 -0
package/dist/templates/index.d.ts +2 -0
package/dist/templates/index.d.ts.map +1 -0
package/dist/templates/index.js +18 -0
package/dist/templates/index.js.map +1 -0
package/dist/utils/common-passwords.d.ts +4 -0
package/dist/utils/common-passwords.d.ts.map +1 -0
package/dist/utils/common-passwords.js +108 -0
package/dist/utils/common-passwords.js.map +1 -0
package/dist/utils/context-storage.d.ts +13 -0
package/dist/utils/context-storage.d.ts.map +1 -0
package/dist/utils/context-storage.js +54 -0
package/dist/utils/context-storage.js.map +1 -0
package/dist/utils/cookie-names.util.d.ts +7 -0
package/dist/utils/cookie-names.util.d.ts.map +1 -0
package/dist/utils/cookie-names.util.js +30 -0
package/dist/utils/cookie-names.util.js.map +1 -0
package/dist/utils/cookies.util.d.ts +12 -0
package/dist/utils/cookies.util.d.ts.map +1 -0
package/dist/utils/cookies.util.js +48 -0
package/dist/utils/cookies.util.js.map +1 -0
package/dist/utils/index.d.ts +8 -0
package/dist/utils/index.d.ts.map +1 -0
package/dist/utils/index.js +24 -0
package/dist/utils/index.js.map +1 -0
package/dist/utils/ip-extractor.d.ts +12 -0
package/dist/utils/ip-extractor.d.ts.map +1 -0
package/dist/utils/ip-extractor.js +88 -0
package/dist/utils/ip-extractor.js.map +1 -0
package/dist/utils/nauth-logger.d.ts +20 -0
package/dist/utils/nauth-logger.d.ts.map +1 -0
package/dist/utils/nauth-logger.js +129 -0
package/dist/utils/nauth-logger.js.map +1 -0
package/dist/utils/pii-redactor.d.ts +16 -0
package/dist/utils/pii-redactor.d.ts.map +1 -0
package/dist/utils/pii-redactor.js +147 -0
package/dist/utils/pii-redactor.js.map +1 -0
package/dist/utils/setup/get-repositories.d.ts +16 -0
package/dist/utils/setup/get-repositories.d.ts.map +1 -0
package/dist/utils/setup/get-repositories.js +36 -0
package/dist/utils/setup/get-repositories.js.map +1 -0
package/dist/utils/setup/init-services.d.ts +41 -0
package/dist/utils/setup/init-services.d.ts.map +1 -0
package/dist/utils/setup/init-services.js +107 -0
package/dist/utils/setup/init-services.js.map +1 -0
package/dist/utils/setup/init-social.d.ts +13 -0
package/dist/utils/setup/init-social.d.ts.map +1 -0
package/dist/utils/setup/init-social.js +77 -0
package/dist/utils/setup/init-social.js.map +1 -0
package/dist/utils/setup/init-storage.d.ts +4 -0
package/dist/utils/setup/init-storage.d.ts.map +1 -0
package/dist/utils/setup/init-storage.js +79 -0
package/dist/utils/setup/init-storage.js.map +1 -0
package/dist/utils/setup/register-mfa.d.ts +5 -0
package/dist/utils/setup/register-mfa.d.ts.map +1 -0
package/dist/utils/setup/register-mfa.js +85 -0
package/dist/utils/setup/register-mfa.js.map +1 -0
package/dist/utils/setup/run-nauth-migrations.d.ts +5 -0
package/dist/utils/setup/run-nauth-migrations.d.ts.map +1 -0
package/dist/utils/setup/run-nauth-migrations.js +67 -0
package/dist/utils/setup/run-nauth-migrations.js.map +1 -0
package/dist/utils/token-delivery-policy.d.ts +6 -0
package/dist/utils/token-delivery-policy.d.ts.map +1 -0
package/dist/utils/token-delivery-policy.js +15 -0
package/dist/utils/token-delivery-policy.js.map +1 -0
package/dist/validators/template.validator.d.ts +7 -0
package/dist/validators/template.validator.d.ts.map +1 -0
package/dist/validators/template.validator.js +95 -0
package/dist/validators/template.validator.js.map +1 -0
package/jest.config.js +15 -0
package/jest.setup.ts +6 -0
package/package.json +73 -0
package/src/adapters/database-columns.ts +165 -0
package/src/adapters/express.adapter.ts +385 -0
package/src/adapters/fastify.adapter.ts +416 -0
package/src/adapters/index.ts +16 -0
package/src/adapters/storage.factory.ts +143 -0
package/src/bootstrap.ts +374 -0
package/src/dto/auth-challenge.dto.ts +231 -0
package/src/dto/auth-response.dto.ts +253 -0
package/src/dto/challenge-response.dto.ts +234 -0
package/src/dto/change-password-request.dto.ts +50 -0
package/src/dto/change-password-response.dto.ts +29 -0
package/src/dto/change-password.dto.ts +57 -0
package/src/dto/error-response.dto.ts +136 -0
package/src/dto/get-available-methods.dto.ts +55 -0
package/src/dto/get-challenge-data-response.dto.ts +28 -0
package/src/dto/get-challenge-data.dto.ts +69 -0
package/src/dto/get-client-info.dto.ts +104 -0
package/src/dto/get-device-token-response.dto.ts +25 -0
package/src/dto/get-events-by-type.dto.ts +76 -0
package/src/dto/get-ip-address-response.dto.ts +24 -0
package/src/dto/get-mfa-status.dto.ts +94 -0
package/src/dto/get-risk-assessment-history.dto.ts +39 -0
package/src/dto/get-session-id-response.dto.ts +25 -0
package/src/dto/get-setup-data-response.dto.ts +31 -0
package/src/dto/get-setup-data.dto.ts +75 -0
package/src/dto/get-suspicious-activity.dto.ts +42 -0
package/src/dto/get-user-agent-response.dto.ts +23 -0
package/src/dto/get-user-auth-history.dto.ts +95 -0
package/src/dto/get-user-by-email.dto.ts +61 -0
package/src/dto/get-user-by-id.dto.ts +46 -0
package/src/dto/get-user-devices.dto.ts +53 -0
package/src/dto/get-user-response.dto.ts +17 -0
package/src/dto/has-provider.dto.ts +56 -0
package/src/dto/index.ts +57 -0
package/src/dto/is-trusted-device-response.dto.ts +34 -0
package/src/dto/list-providers-response.dto.ts +23 -0
package/src/dto/login.dto.ts +95 -0
package/src/dto/logout-all-response.dto.ts +24 -0
package/src/dto/logout-all.dto.ts +65 -0
package/src/dto/logout-response.dto.ts +25 -0
package/src/dto/logout.dto.ts +64 -0
package/src/dto/refresh-token.dto.ts +36 -0
package/src/dto/remove-devices.dto.ts +85 -0
package/src/dto/resend-code-response.dto.ts +32 -0
package/src/dto/resend-code.dto.ts +51 -0
package/src/dto/reset-password.dto.ts +115 -0
package/src/dto/respond-challenge.dto.ts +272 -0
package/src/dto/set-mfa-exemption.dto.ts +112 -0
package/src/dto/set-must-change-password-response.dto.ts +27 -0
package/src/dto/set-must-change-password.dto.ts +46 -0
package/src/dto/set-preferred-method.dto.ts +80 -0
package/src/dto/setup-mfa.dto.ts +98 -0
package/src/dto/signup.dto.ts +174 -0
package/src/dto/social-auth.dto.ts +422 -0
package/src/dto/trust-device-response.dto.ts +30 -0
package/src/dto/trust-device.dto.ts +9 -0
package/src/dto/update-user-attributes-request.dto.ts +51 -0
package/src/dto/user-response.dto.ts +138 -0
package/src/dto/user-update.dto.ts +222 -0
package/src/dto/verify-email.dto.ts +313 -0
package/src/dto/verify-mfa-code.dto.ts +103 -0
package/src/dto/verify-phone-by-sub.dto.ts +78 -0
package/src/dto/verify-phone.dto.ts +245 -0
package/src/entities/auth-audit.entity.ts +232 -0
package/src/entities/challenge-session.entity.ts +116 -0
package/src/entities/index.ts +29 -0
package/src/entities/login-attempt.entity.ts +64 -0
package/src/entities/mfa-device.entity.ts +151 -0
package/src/entities/rate-limit.entity.ts +44 -0
package/src/entities/session.entity.ts +180 -0
package/src/entities/social-account.entity.ts +96 -0
package/src/entities/storage-lock.entity.ts +39 -0
package/src/entities/trusted-device.entity.ts +112 -0
package/src/entities/user.entity.ts +243 -0
package/src/entities/verification-token.entity.ts +141 -0
package/src/enums/auth-audit-event-type.enum.ts +360 -0
package/src/enums/error-codes.enum.ts +420 -0
package/src/enums/mfa-method.enum.ts +97 -0
package/src/enums/risk-factor.enum.ts +111 -0
package/src/exceptions/nauth.exception.ts +231 -0
package/src/handlers/auth.handler.ts +260 -0
package/src/handlers/client-info.handler.ts +101 -0
package/src/handlers/csrf.handler.ts +156 -0
package/src/handlers/token-delivery.handler.ts +118 -0
package/src/index.ts +118 -0
package/src/interfaces/client-info.interface.ts +85 -0
package/src/interfaces/config.interface.ts +2135 -0
package/src/interfaces/entities.interface.ts +226 -0
package/src/interfaces/index.ts +15 -0
package/src/interfaces/logger.interface.ts +283 -0
package/src/interfaces/mfa-provider.interface.ts +154 -0
package/src/interfaces/oauth.interface.ts +148 -0
package/src/interfaces/provider.interface.ts +47 -0
package/src/interfaces/social-auth-provider.interface.ts +131 -0
package/src/interfaces/storage-adapter.interface.ts +82 -0
package/src/interfaces/template.interface.ts +510 -0
package/src/interfaces/token-verifier.interface.ts +110 -0
package/src/internal.ts +178 -0
package/src/platform/interfaces.ts +299 -0
package/src/schemas/auth-config.schema.ts +646 -0
package/src/services/adaptive-mfa-decision.service.spec.ts +1058 -0
package/src/services/adaptive-mfa-decision.service.ts +457 -0
package/src/services/auth-audit.service.spec.ts +675 -0
package/src/services/auth-audit.service.ts +558 -0
package/src/services/auth-challenge-helper.service.spec.ts +3227 -0
package/src/services/auth-challenge-helper.service.ts +825 -0
package/src/services/auth-flow-context-builder.service.ts +520 -0
package/src/services/auth-flow-rules.ts +202 -0
package/src/services/auth-flow-state-definitions.ts +190 -0
package/src/services/auth-flow-state-machine.service.ts +207 -0
package/src/services/auth-flow-state-machine.types.ts +316 -0
package/src/services/auth.service.spec.ts +4195 -0
package/src/services/auth.service.ts +3727 -0
package/src/services/challenge.service.spec.ts +1363 -0
package/src/services/challenge.service.ts +696 -0
package/src/services/client-info.service.spec.ts +572 -0
package/src/services/client-info.service.ts +374 -0
package/src/services/csrf.service.ts +54 -0
package/src/services/email-verification.service.spec.ts +1229 -0
package/src/services/email-verification.service.ts +578 -0
package/src/services/geo-location.service.spec.ts +603 -0
package/src/services/geo-location.service.ts +599 -0
package/src/services/index.ts +13 -0
package/src/services/jwt.service.spec.ts +882 -0
package/src/services/jwt.service.ts +621 -0
package/src/services/mfa-base.service.spec.ts +246 -0
package/src/services/mfa-base.service.ts +611 -0
package/src/services/mfa.service.spec.ts +693 -0
package/src/services/mfa.service.ts +960 -0
package/src/services/password.service.spec.ts +166 -0
package/src/services/password.service.ts +309 -0
package/src/services/phone-verification.service.spec.ts +1120 -0
package/src/services/phone-verification.service.ts +751 -0
package/src/services/risk-detection.service.spec.ts +1292 -0
package/src/services/risk-detection.service.ts +1012 -0
package/src/services/risk-scoring.service.spec.ts +204 -0
package/src/services/risk-scoring.service.ts +131 -0
package/src/services/session.service.spec.ts +1293 -0
package/src/services/session.service.ts +803 -0
package/src/services/social-account.service.spec.ts +725 -0
package/src/services/social-auth-base.service.spec.ts +418 -0
package/src/services/social-auth-base.service.ts +581 -0
package/src/services/social-auth.service.spec.ts +238 -0
package/src/services/social-auth.service.ts +436 -0
package/src/services/social-provider-registry.service.spec.ts +238 -0
package/src/services/social-provider-registry.service.ts +122 -0
package/src/services/trusted-device.service.spec.ts +505 -0
package/src/services/trusted-device.service.ts +339 -0
package/src/storage/account-lockout-storage.service.spec.ts +310 -0
package/src/storage/account-lockout-storage.service.ts +89 -0
package/src/storage/index.ts +3 -0
package/src/storage/memory-storage.adapter.ts +443 -0
package/src/storage/rate-limit-storage.service.spec.ts +247 -0
package/src/storage/rate-limit-storage.service.ts +38 -0
package/src/templates/html-template.engine.spec.ts +161 -0
package/src/templates/html-template.engine.ts +688 -0
package/src/templates/index.ts +7 -0
package/src/utils/common-passwords.spec.ts +230 -0
package/src/utils/common-passwords.ts +170 -0
package/src/utils/context-storage.ts +188 -0
package/src/utils/cookie-names.util.ts +67 -0
package/src/utils/cookies.util.ts +94 -0
package/src/utils/index.ts +12 -0
package/src/utils/ip-extractor.spec.ts +330 -0
package/src/utils/ip-extractor.ts +220 -0
package/src/utils/nauth-logger.spec.ts +388 -0
package/src/utils/nauth-logger.ts +215 -0
package/src/utils/pii-redactor.spec.ts +130 -0
package/src/utils/pii-redactor.ts +288 -0
package/src/utils/setup/get-repositories.ts +140 -0
package/src/utils/setup/init-services.ts +422 -0
package/src/utils/setup/init-social.ts +189 -0
package/src/utils/setup/init-storage.ts +94 -0
package/src/utils/setup/register-mfa.ts +165 -0
package/src/utils/setup/run-nauth-migrations.ts +61 -0
package/src/utils/token-delivery-policy.ts +38 -0
package/src/validators/template.validator.ts +219 -0
package/tsconfig.json +37 -0
package/tsconfig.lint.json +6 -0

package/src/services/challenge.service.ts ADDED Viewed

@@ -0,0 +1,696 @@
+import { IUser, IChallengeSession } from '../interfaces/entities.interface';
+import { Repository, LessThan } from 'typeorm';
+import { BaseChallengeSession } from '../entities';
+import { randomUUID } from 'crypto';
+import { AuthChallenge } from '../dto/auth-challenge.dto';
+import { NAuthLogger } from '../utils/nauth-logger';
+import { InternalAuthAuditService as AuthAuditService } from './auth-audit.service';
+import { AuthAuditEventType } from '../enums/auth-audit-event-type.enum';
+import { NAuthException } from '../exceptions/nauth.exception';
+import { AuthErrorCode } from '../enums/error-codes.enum';
+import { ClientInfoService } from './client-info.service';
+import { NAuthConfig } from '../interfaces/config.interface';
+/**
+ * Challenge Session Service
+ *
+ * Manages authentication challenge sessions for the challenge-response flow.
+ * Challenge sessions are temporary, short-lived sessions (typically 15 minutes)
+ * that track pending authentication challenges similar to AWS Cognito.
+ *
+ * Handles:
+ * - Challenge session creation and validation
+ * - Session expiration and cleanup
+ * - Attempt tracking and rate limiting
+ * - Secure session token generation
+ *
+ * @example
+ * ```typescript
+ * // Create a challenge session
+ * const session = await challengeService.createChallengeSession(
+ *   user,
+ *   AuthChallenge.VERIFY_EMAIL,
+ *   { email: user.email }
+ * );
+ *
+ * // Validate and consume a challenge session
+ * const validSession = await challengeService.validateAndConsumeSession(
+ *   sessionToken,
+ *   AuthChallenge.VERIFY_EMAIL
+ * );
+ * ```
+ */
+export class ChallengeService {
+  /**
+   * Default challenge session expiration time (15 minutes)
+   */
+  private readonly DEFAULT_EXPIRATION_MINUTES = 15;
+  /**
+   * Default maximum attempts per challenge session
+   */
+  private readonly DEFAULT_MAX_ATTEMPTS = 3;
+  constructor(
+    private readonly challengeSessionRepository: Repository<BaseChallengeSession>,
+    private readonly clientInfoService: ClientInfoService,
+    private readonly logger: NAuthLogger,
+    private readonly auditService?: AuthAuditService, // Optional - audit trail service (enabled via config.auditLogs.enabled)
+    private readonly config?: NAuthConfig, // Optional - config for maxAttempts
+  ) {}
+  /**
+   * Per-user cleanup throttle map to avoid frequent cleanup writes
+   */
+  private readonly lastCleanupByUserId: Map<number, number> = new Map();
+  // ============================================================================
+  // Challenge Session Creation
+  // ============================================================================
+  /**
+   * Create a new challenge session
+   *
+   * Generates a unique session token and stores challenge metadata.
+   * The session token is returned to the client and must be submitted
+   * when responding to the challenge.
+   *
+   * **Deduplication:**
+   * If an active (non-completed, non-expired) session already exists for the same user
+   * and challenge type, this method returns the existing session instead of creating
+   * a duplicate. This prevents:
+   * - Excessive `CHALLENGE_CREATED` audit events
+   * - Database bloat from duplicate sessions
+   * - User confusion from multiple active sessions for the same challenge
+   *
+   * @param user - User the challenge session belongs to
+   * @param challengeName - Type of challenge (VERIFY_EMAIL, VERIFY_PHONE, etc.)
+   * @param metadata - Challenge-specific data
+   * @returns Challenge session with session token (new or existing)
+   * @remarks Client info (ipAddress, userAgent) is automatically extracted from ClientInfoService context
+   *
+   * @example
+   * ```typescript
+   * const session = await challengeService.createChallengeSession(
+   *   user,
+   *   AuthChallenge.VERIFY_EMAIL,
+   *   { email: user.email, verificationTokenId: tokenId }
+   * );
+   * // Returns: { sessionToken: 'uuid-here', expiresAt: Date, ... }
+   * // If called again before completion, returns same session (no duplicate audit event)
+   * ```
+   */
+  async createChallengeSession(
+    user: IUser,
+    challengeName: AuthChallenge,
+    metadata?: Record<string, unknown>,
+  ): Promise<IChallengeSession> {
+    // Get client info from context (transparent access)
+    const clientInfo = this.clientInfoService.get();
+    // ============================================================================
+    // DEDUPLICATION: Check for existing active challenge session
+    // ============================================================================
+    // If an active (non-completed, non-expired) session already exists for this
+    // user and challenge type, return it instead of creating a duplicate.
+    // This prevents excessive audit logging and database bloat.
+    const existingSession = await this.challengeSessionRepository.findOne({
+      where: {
+        userId: user.id,
+        challengeName,
+        isCompleted: false,
+      },
+      order: { createdAt: 'DESC' },
+      relations: ['user'],
+    });
+    if (existingSession) {
+      const session = existingSession as unknown as IChallengeSession;
+      // Get current maxAttempts from config
+      const currentMaxAttempts = this.config?.challenge?.maxAttempts ?? this.DEFAULT_MAX_ATTEMPTS;
+      // Check if session is still valid (not expired and not max attempts exceeded)
+      const isExpired = session.expiresAt <= new Date();
+      const isMaxAttemptsExceeded = session.attempts >= session.maxAttempts;
+      if (!isExpired && !isMaxAttemptsExceeded) {
+        // Update maxAttempts to match current config if different
+        // This ensures sessions created with old config values are updated
+        if (session.maxAttempts !== currentMaxAttempts) {
+          session.maxAttempts = currentMaxAttempts;
+          await this.challengeSessionRepository.save(session);
+          this.logger?.debug?.(
+            `Updated maxAttempts for existing session: user=${user.sub}, old=${session.maxAttempts}, new=${currentMaxAttempts}`,
+          );
+        }
+        this.logger?.debug?.(
+          `Reusing existing challenge session: user=${user.sub}, challenge=${challengeName}, session=${session.sessionToken}`,
+        );
+        // ============================================================================
+        // Audit: Record challenge reuse for complete audit trail
+        // ============================================================================
+        try {
+          await this.auditService?.recordEvent({
+            userId: user.id,
+            eventType: AuthAuditEventType.CHALLENGE_CREATED,
+            eventStatus: 'INFO',
+            challengeSessionId: session.id,
+            metadata: {
+              challengeName,
+              sessionToken: session.sessionToken,
+              reused: true, // Indicate this was an existing session
+            },
+          });
+        } catch (auditError) {
+          // Non-blocking: Log but continue
+          const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
+          this.logger?.error?.(`Failed to record CHALLENGE_CREATED (reused) audit event: ${errorMessage}`, {
+            error: auditError,
+            userId: user.id,
+            challengeName,
+          });
+        }
+        return session;
+      }
+      // If expired or max attempts exceeded, delete it and create a new one
+      const reason = isExpired ? 'expired' : 'max attempts exceeded';
+      this.logger?.debug?.(
+        `Existing challenge session ${reason}, creating new one: user=${user.sub}, challenge=${challengeName}`,
+      );
+      await this.challengeSessionRepository.delete({ id: session.id });
+    }
+    // Clean up any expired or completed sessions for this user (throttled)
+    const now = Date.now();
+    const lastCleanup = this.lastCleanupByUserId.get(user.id) || 0;
+    // Run at most once per 5 minutes per user to reduce write load
+    if (now - lastCleanup > 5 * 60 * 1000) {
+      await this.cleanupExpiredSessions(user.id);
+      this.lastCleanupByUserId.set(user.id, now);
+    }
+    const sessionToken = randomUUID();
+    const expiresAt = new Date(Date.now() + this.DEFAULT_EXPIRATION_MINUTES * 60 * 1000);
+    // Get maxAttempts from config or use default
+    const maxAttempts = this.config?.challenge?.maxAttempts ?? this.DEFAULT_MAX_ATTEMPTS;
+    const challengeSession = this.challengeSessionRepository.create({
+      userId: user.id,
+      challengeName,
+      sessionToken,
+      expiresAt,
+      metadata,
+      // Client info automatically extracted from ClientInfoService (transparent access)
+      ipAddress: clientInfo.ipAddress || null,
+      userAgent: clientInfo.userAgent || null,
+      attempts: 0, // Explicitly initialize attempts to 0
+      maxAttempts,
+    });
+    await this.challengeSessionRepository.save(challengeSession);
+    this.logger?.log?.(
+      `Challenge session created: user=${user.sub}, challenge=${challengeName}, maxAttempts=${maxAttempts}`,
+    );
+    // ============================================================================
+    // Audit: Record challenge creation
+    // ============================================================================
+    try {
+      await this.auditService?.recordEvent({
+        userId: user.id,
+        eventType: AuthAuditEventType.CHALLENGE_CREATED,
+        eventStatus: 'INFO',
+        challengeSessionId: (challengeSession as unknown as IChallengeSession).id,
+        // Client info automatically included from context (no need to pass explicitly)
+        metadata: {
+          challengeName,
+          sessionToken: (challengeSession as unknown as IChallengeSession).sessionToken,
+        },
+      });
+    } catch (auditError) {
+      // Non-blocking: Log but continue
+      const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
+      this.logger?.error?.(`Failed to record CHALLENGE_CREATED audit event: ${errorMessage}`, {
+        error: auditError,
+        userId: user.id,
+        challengeName,
+      });
+    }
+    return challengeSession as unknown as IChallengeSession;
+  }
+  // ============================================================================
+  // Challenge Session Validation
+  // ============================================================================
+  /**
+   * Validate a challenge session token for code requests
+   *
+   * Validates session for requesting new verification codes (SMS, email, etc.).
+   * Skips max attempts check since requesting a new code is not a verification attempt.
+   * This method is used internally by nauth when sending verification codes.
+   *
+   * @param sessionToken - Session token to validate
+   * @param expectedChallenge - Expected challenge type (optional, for additional verification)
+   * @returns Valid challenge session
+   * @throws {UnauthorizedException} If session is invalid, expired, or already completed
+   *
+   * @example
+   * ```typescript
+   * // Used internally by nauth when sending verification codes
+   * const session = await challengeService.validateSessionForCodeRequest(
+   *   'session-token-123',
+   *   AuthChallenge.MFA_REQUIRED
+   * );
+   * ```
+   */
+  async validateSessionForCodeRequest(
+    sessionToken: string,
+    expectedChallenge?: AuthChallenge,
+  ): Promise<IChallengeSession> {
+    return this.validateSessionInternal(sessionToken, expectedChallenge, true);
+  }
+  /**
+   * Validate a challenge session token
+   *
+   * Checks if the session token is valid, not expired, not completed,
+   * and matches the expected challenge type. Does NOT consume the session.
+   * Enforces max attempts check for verification attempts.
+   *
+   * @param sessionToken - Session token to validate
+   * @param expectedChallenge - Expected challenge type (optional, for additional verification)
+   * @returns Valid challenge session
+   * @throws {UnauthorizedException} If session is invalid, expired, or already completed
+   *
+   * @example
+   * ```typescript
+   * try {
+   *   const session = await challengeService.validateSession(
+   *     'session-token-123',
+   *     AuthChallenge.VERIFY_EMAIL
+   *   );
+   *   // Session is valid, proceed with verification
+   * } catch (error) {
+   *   // Session is invalid
+   * }
+   * ```
+   */
+  async validateSession(sessionToken: string, expectedChallenge?: AuthChallenge): Promise<IChallengeSession> {
+    return this.validateSessionInternal(sessionToken, expectedChallenge, false);
+  }
+  /**
+   * Internal method to validate challenge session
+   *
+   * @param sessionToken - Session token to validate
+   * @param expectedChallenge - Expected challenge type (optional)
+   * @param skipMaxAttemptsCheck - If true, skip max attempts check (for code requests)
+   * @returns Valid challenge session
+   * @private
+   */
+  private async validateSessionInternal(
+    sessionToken: string,
+    expectedChallenge?: AuthChallenge,
+    skipMaxAttemptsCheck = false,
+  ): Promise<IChallengeSession> {
+    // Load session with ALL user fields (needed for challenge determination and MFA setup)
+    const session = await this.challengeSessionRepository.findOne({
+      where: { sessionToken },
+      relations: ['user'],
+    });
+    if (!session) {
+      this.logger?.warn?.('Invalid challenge session token');
+      throw new NAuthException(AuthErrorCode.CHALLENGE_INVALID, 'Invalid or expired challenge session');
+    }
+    // Check expiration
+    const challengeSession = session as unknown as IChallengeSession;
+    if (challengeSession.expiresAt < new Date()) {
+      this.logger?.warn?.(`Expired challenge session: user=${challengeSession.user?.sub}`);
+      throw new NAuthException(AuthErrorCode.CHALLENGE_EXPIRED, 'Challenge session has expired');
+    }
+    // Check if already completed
+    if (session.isCompleted) {
+      this.logger?.warn?.(`Already completed challenge session: user=${challengeSession.user?.sub}`);
+      throw new NAuthException(AuthErrorCode.CHALLENGE_ALREADY_COMPLETED, 'Challenge has already been completed');
+    }
+    // Check max attempts (skip if requesting new code, but enforce for verification attempts)
+    // Ensure attempts is initialized (should be 0, but handle edge cases)
+    const currentAttempts = challengeSession.attempts ?? 0;
+    if (!skipMaxAttemptsCheck && currentAttempts >= challengeSession.maxAttempts) {
+      this.logger?.warn?.(
+        `Max attempts exceeded for challenge session: user=${challengeSession.user?.sub}, attempts=${currentAttempts}/${challengeSession.maxAttempts}`,
+      );
+      throw new NAuthException(AuthErrorCode.CHALLENGE_MAX_ATTEMPTS, 'Maximum challenge attempts exceeded');
+    }
+    // Verify challenge type if specified
+    if (expectedChallenge && session.challengeName !== expectedChallenge) {
+      this.logger?.warn?.(`Challenge type mismatch: expected=${expectedChallenge}, actual=${session.challengeName}`);
+      throw new NAuthException(AuthErrorCode.CHALLENGE_TYPE_MISMATCH, 'Invalid challenge type');
+    }
+    return session as unknown as IChallengeSession;
+  }
+  /**
+   * Increment attempt counter for a challenge session
+   *
+   * Tracks failed attempts to complete a challenge.
+   * Used to prevent brute-force attacks on verification codes.
+   *
+   * @param session - Challenge session to increment
+   * @returns Updated session
+   *
+   * @example
+   * ```typescript
+   * await challengeService.incrementAttempts(session);
+   * ```
+   */
+  async incrementAttempts(session: IChallengeSession): Promise<IChallengeSession> {
+    // ============================================================================
+    // CRITICAL: Atomic Increment to Prevent Race Conditions
+    // ============================================================================
+    // Use TypeORM's increment() for atomic UPDATE attempts = attempts + 1
+    // This is concurrency-safe even under high load:
+    // - Database executes: UPDATE challenge_session SET attempts = attempts + 1 WHERE id = ?
+    // - No read-modify-write race condition
+    // - Single database round-trip (better performance than SELECT + UPDATE)
+    // - Works across all databases (MySQL, PostgreSQL, SQLite)
+    await this.challengeSessionRepository.increment({ id: session.id }, 'attempts', 1);
+    // Reload session to get updated attempts count and user for audit logging
+    const freshSession = await this.challengeSessionRepository.findOne({
+      where: { id: session.id },
+      relations: ['user'],
+    });
+    if (!freshSession) {
+      this.logger?.warn?.(`Session not found after increment: id=${session.id}`);
+      throw new NAuthException(AuthErrorCode.CHALLENGE_INVALID, 'Challenge session not found');
+    }
+    const freshChallengeSession = freshSession as unknown as IChallengeSession;
+    this.logger?.debug?.(
+      `Challenge attempt incremented: session=${freshChallengeSession.sessionToken}, attempts=${freshChallengeSession.attempts}/${freshChallengeSession.maxAttempts}`,
+    );
+    // ============================================================================
+    // Audit: Record challenge attempt failure if max attempts exceeded
+    // ============================================================================
+    if (freshChallengeSession.attempts >= freshChallengeSession.maxAttempts) {
+      try {
+        const user = freshChallengeSession.user;
+        if (user) {
+          await this.auditService?.recordEvent({
+            userId: user.id,
+            eventType: AuthAuditEventType.CHALLENGE_ATTEMPT_FAILED,
+            eventStatus: 'FAILURE',
+            challengeSessionId: freshChallengeSession.id,
+            reason: 'max_attempts_exceeded',
+            // Client info (ipAddress, userAgent, etc.) automatically included from context
+            description: `Challenge attempt failed - maximum attempts (${freshChallengeSession.maxAttempts}) exceeded`,
+            metadata: {
+              challengeName: freshChallengeSession.challengeName,
+              attempts: freshChallengeSession.attempts,
+              maxAttempts: freshChallengeSession.maxAttempts,
+            },
+          });
+        }
+      } catch (auditError) {
+        // Non-blocking: Log but continue
+        const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
+        const sessionUser = freshChallengeSession.user;
+        this.logger?.error?.(`Failed to record CHALLENGE_ATTEMPT_FAILED audit event: ${errorMessage}`, {
+          error: auditError,
+          userId: sessionUser?.id,
+          challengeName: freshChallengeSession.challengeName,
+        });
+      }
+    }
+    return freshChallengeSession;
+  }
+  /**
+   * Validate and consume a challenge session
+   *
+   * Validates the session and marks it as completed if validation succeeds.
+   * This method should be called only after successful challenge completion.
+   *
+   * @param sessionToken - Session token to validate and consume
+   * @param expectedChallenge - Expected challenge type
+   * @returns Valid, completed challenge session with user
+   * @throws {UnauthorizedException} If session is invalid
+   *
+   * @example
+   * ```typescript
+   * const session = await challengeService.validateAndConsumeSession(
+   *   'session-token-123',
+   *   AuthChallenge.VERIFY_EMAIL
+   * );
+   * // Session is now marked complete and cannot be reused
+   * ```
+   */
+  async validateAndConsumeSession(sessionToken: string, expectedChallenge: AuthChallenge): Promise<IChallengeSession> {
+    const session = await this.validateSession(sessionToken, expectedChallenge);
+    // Mark session as completed
+    session.isCompleted = true;
+    session.completedAt = new Date();
+    await this.challengeSessionRepository.save(session);
+    const user = session.user;
+    if (!user) {
+      throw new NAuthException(AuthErrorCode.NOT_FOUND, 'User not found in challenge session');
+    }
+    this.logger?.log?.(`Challenge session completed: user=${user.sub}, challenge=${session.challengeName}`);
+    // ============================================================================
+    // Audit: Record challenge completion
+    // ============================================================================
+    try {
+      // Build metadata with challenge name and MFA method (if applicable)
+      const auditMetadata: Record<string, unknown> = {
+        // Client info automatically included from context
+        challengeName: session.challengeName,
+      };
+      // For MFA challenges, include the MFA method used
+      if (
+        (session.challengeName === AuthChallenge.MFA_REQUIRED ||
+          session.challengeName === AuthChallenge.MFA_SETUP_REQUIRED) &&
+        session.metadata?.mfaMethod
+      ) {
+        auditMetadata.mfaMethod = session.metadata.mfaMethod;
+      }
+      await this.auditService?.recordEvent({
+        userId: user.id,
+        eventType: AuthAuditEventType.CHALLENGE_COMPLETED,
+        eventStatus: 'SUCCESS',
+        challengeSessionId: session.id,
+        // Client info (ipAddress, userAgent, etc.) automatically included from context
+        metadata: auditMetadata,
+      });
+    } catch (auditError) {
+      // Non-blocking: Log but continue
+      const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
+      this.logger?.error?.(`Failed to record CHALLENGE_COMPLETED audit event: ${errorMessage}`, {
+        error: auditError,
+        userId: user.id,
+        challengeName: session.challengeName,
+      });
+    }
+    return session;
+  }
+  /**
+   * Update challenge session metadata
+   *
+   * Updates the metadata field of an existing challenge session.
+   * Used to store additional challenge-specific data (e.g., passkey challenge).
+   *
+   * @param sessionToken - Session token to update
+   * @param metadata - Metadata to merge into existing metadata
+   * @returns Updated challenge session
+   * @throws {NAuthException} If session not found or invalid
+   *
+   * @example
+   * ```typescript
+   * await challengeService.updateMetadata('session-token-123', {
+   *   passkeyChallenge: 'base64-challenge-string'
+   * });
+   * ```
+   */
+  async updateMetadata(sessionToken: string, metadata: Record<string, unknown>): Promise<IChallengeSession> {
+    const session = await this.validateSession(sessionToken);
+    // Merge new metadata with existing metadata
+    const existingMetadata = session.metadata || {};
+    const updatedMetadata = { ...existingMetadata, ...metadata };
+    // Update session metadata
+    await this.challengeSessionRepository.update({ sessionToken }, { metadata: updatedMetadata } as Record<
+      string,
+      unknown
+    >);
+    // Return updated session
+    const updatedSession = await this.challengeSessionRepository.findOne({
+      where: { sessionToken },
+      relations: ['user'],
+    });
+    if (!updatedSession) {
+      throw new NAuthException(AuthErrorCode.CHALLENGE_INVALID, 'Failed to update challenge session metadata');
+    }
+    return updatedSession as unknown as IChallengeSession;
+  }
+  // ============================================================================
+  // Challenge Session Cleanup
+  // ============================================================================
+  /**
+   * Clean up expired or completed challenge sessions for a user
+   *
+   * Removes old sessions to prevent database bloat.
+   * Called automatically when creating new challenge sessions.
+   *
+   * @param userId - User ID to clean up sessions for
+   *
+   * @example
+   * ```typescript
+   * await challengeService.cleanupExpiredSessions(user.id);
+   * ```
+   */
+  async cleanupExpiredSessions(userId: number): Promise<void> {
+    await this.challengeSessionRepository.delete({
+      userId,
+      expiresAt: LessThan(new Date()),
+    });
+    await this.challengeSessionRepository.delete({
+      userId,
+      isCompleted: true,
+    });
+  }
+  /**
+   * Clean up all expired challenge sessions (for all users)
+   *
+   * Should be called periodically (e.g., via cron job) to maintain
+   * database health.
+   *
+   * @returns Number of sessions deleted
+   *
+   * @example
+   * ```typescript
+   * // In a scheduled job
+   * const deleted = await challengeService.cleanupAllExpiredSessions();
+   * logger.log(`Cleaned up ${deleted} expired challenge sessions`);
+   * ```
+   */
+  async cleanupAllExpiredSessions(): Promise<number> {
+    const result = await this.challengeSessionRepository.delete({
+      expiresAt: LessThan(new Date()),
+    });
+    const deletedCount = result.affected || 0;
+    this.logger?.log?.(`Cleaned up ${deletedCount} expired challenge sessions`);
+    return deletedCount;
+  }
+  /**
+   * Delete challenge sessions by challenge name for a user
+   *
+   * Removes all active (not completed, not expired) challenge sessions
+   * of the specified type for a user. Used to clean up phantom challenges
+   * when user completes the requirement (e.g., sets up MFA).
+   *
+   * @param userId - Internal user ID
+   * @param challengeName - Challenge type to delete
+   * @returns Number of sessions deleted
+   *
+   * @example
+   * ```typescript
+   * // Clear MFA_SETUP_REQUIRED challenge when user sets up MFA
+   * const deleted = await challengeService.deleteUserChallengeSessions(
+   *   user.id,
+   *   AuthChallenge.MFA_SETUP_REQUIRED
+   * );
+   * ```
+   */
+  async deleteUserChallengeSessions(userId: number, challengeName: AuthChallenge): Promise<number> {
+    const result = await this.challengeSessionRepository.delete({
+      userId,
+      challengeName,
+      isCompleted: false,
+    });
+    const deletedCount = result.affected || 0;
+    if (deletedCount > 0) {
+      this.logger?.log?.(`Deleted ${deletedCount} ${challengeName} challenge session(s) for user ID ${userId}`);
+    }
+    return deletedCount;
+  }
+  // ============================================================================
+  // Helper Methods
+  // ============================================================================
+  /**
+   * Mask email address for display in challenge parameters
+   *
+   * Shows first character and domain, hides the rest.
+   *
+   * @param email - Email to mask
+   * @returns Masked email
+   *
+   * @example
+   * ```typescript
+   * maskEmail('john.doe@example.com')
+   * // Returns: 'j***@example.com'
+   * ```
+   */
+  maskEmail(email: string): string {
+    const [localPart, domain] = email.split('@');
+    if (!domain) return email;
+    return `${localPart[0]}***@${domain}`;
+  }
+  /**
+   * Mask phone number for display in challenge parameters
+   *
+   * Shows last 4 digits, hides the rest.
+   *
+   * @param phone - Phone to mask
+   * @returns Masked phone
+   *
+   * @example
+   * ```typescript
+   * maskPhone('+1234567890')
+   * // Returns: '***-***-7890'
+   * ```
+   */
+  maskPhone(phone: string): string {
+    const digits = phone.replace(/\D/g, '');
+    if (digits.length < 4) return phone;
+    return `***-***-${digits.slice(-4)}`;
+  }
+}