npm - @nauth-toolkit/core - Versions diffs - 0.1.0 - Mend

@nauth-toolkit/core 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (778) hide show

package/dist/adapters/database-columns.d.ts +10 -0
package/dist/adapters/database-columns.d.ts.map +1 -0
package/dist/adapters/database-columns.js +85 -0
package/dist/adapters/database-columns.js.map +1 -0
package/dist/adapters/express.adapter.d.ts +41 -0
package/dist/adapters/express.adapter.d.ts.map +1 -0
package/dist/adapters/express.adapter.js +188 -0
package/dist/adapters/express.adapter.js.map +1 -0
package/dist/adapters/fastify.adapter.d.ts +33 -0
package/dist/adapters/fastify.adapter.d.ts.map +1 -0
package/dist/adapters/fastify.adapter.js +223 -0
package/dist/adapters/fastify.adapter.js.map +1 -0
package/dist/adapters/index.d.ts +5 -0
package/dist/adapters/index.d.ts.map +1 -0
package/dist/adapters/index.js +25 -0
package/dist/adapters/index.js.map +1 -0
package/dist/adapters/storage.factory.d.ts +7 -0
package/dist/adapters/storage.factory.d.ts.map +1 -0
package/dist/adapters/storage.factory.js +24 -0
package/dist/adapters/storage.factory.js.map +1 -0
package/dist/bootstrap.d.ts +41 -0
package/dist/bootstrap.d.ts.map +1 -0
package/dist/bootstrap.js +113 -0
package/dist/bootstrap.js.map +1 -0
package/dist/dto/auth-challenge.dto.d.ts +19 -0
package/dist/dto/auth-challenge.dto.d.ts.map +1 -0
package/dist/dto/auth-challenge.dto.js +86 -0
package/dist/dto/auth-challenge.dto.js.map +1 -0
package/dist/dto/auth-response.dto.d.ts +31 -0
package/dist/dto/auth-response.dto.d.ts.map +1 -0
package/dist/dto/auth-response.dto.js +18 -0
package/dist/dto/auth-response.dto.js.map +1 -0
package/dist/dto/challenge-response.dto.d.ts +36 -0
package/dist/dto/challenge-response.dto.d.ts.map +1 -0
package/dist/dto/challenge-response.dto.js +3 -0
package/dist/dto/challenge-response.dto.js.map +1 -0
package/dist/dto/change-password-request.dto.d.ts +5 -0
package/dist/dto/change-password-request.dto.d.ts.map +1 -0
package/dist/dto/change-password-request.dto.js +30 -0
package/dist/dto/change-password-request.dto.js.map +1 -0
package/dist/dto/change-password-response.dto.d.ts +4 -0
package/dist/dto/change-password-response.dto.d.ts.map +1 -0
package/dist/dto/change-password-response.dto.js +8 -0
package/dist/dto/change-password-response.dto.js.map +1 -0
package/dist/dto/change-password.dto.d.ts +5 -0
package/dist/dto/change-password.dto.d.ts.map +1 -0
package/dist/dto/change-password.dto.js +29 -0
package/dist/dto/change-password.dto.js.map +1 -0
package/dist/dto/error-response.dto.d.ts +9 -0
package/dist/dto/error-response.dto.d.ts.map +1 -0
package/dist/dto/error-response.dto.js +59 -0
package/dist/dto/error-response.dto.js.map +1 -0
package/dist/dto/get-available-methods.dto.d.ts +7 -0
package/dist/dto/get-available-methods.dto.d.ts.map +1 -0
package/dist/dto/get-available-methods.dto.js +33 -0
package/dist/dto/get-available-methods.dto.js.map +1 -0
package/dist/dto/get-challenge-data-response.dto.d.ts +4 -0
package/dist/dto/get-challenge-data-response.dto.d.ts.map +1 -0
package/dist/dto/get-challenge-data-response.dto.js +8 -0
package/dist/dto/get-challenge-data-response.dto.js.map +1 -0
package/dist/dto/get-challenge-data.dto.d.ts +8 -0
package/dist/dto/get-challenge-data.dto.d.ts.map +1 -0
package/dist/dto/get-challenge-data.dto.js +40 -0
package/dist/dto/get-challenge-data.dto.js.map +1 -0
package/dist/dto/get-client-info.dto.d.ts +17 -0
package/dist/dto/get-client-info.dto.d.ts.map +1 -0
package/dist/dto/get-client-info.dto.js +20 -0
package/dist/dto/get-client-info.dto.js.map +1 -0
package/dist/dto/get-device-token-response.dto.d.ts +4 -0
package/dist/dto/get-device-token-response.dto.d.ts.map +1 -0
package/dist/dto/get-device-token-response.dto.js +8 -0
package/dist/dto/get-device-token-response.dto.js.map +1 -0
package/dist/dto/get-events-by-type.dto.d.ts +17 -0
package/dist/dto/get-events-by-type.dto.d.ts.map +1 -0
package/dist/dto/get-events-by-type.dto.js +20 -0
package/dist/dto/get-events-by-type.dto.js.map +1 -0
package/dist/dto/get-ip-address-response.dto.d.ts +4 -0
package/dist/dto/get-ip-address-response.dto.d.ts.map +1 -0
package/dist/dto/get-ip-address-response.dto.js +8 -0
package/dist/dto/get-ip-address-response.dto.js.map +1 -0
package/dist/dto/get-mfa-status.dto.d.ts +16 -0
package/dist/dto/get-mfa-status.dto.d.ts.map +1 -0
package/dist/dto/get-mfa-status.dto.js +41 -0
package/dist/dto/get-mfa-status.dto.js.map +1 -0
package/dist/dto/get-risk-assessment-history.dto.d.ts +9 -0
package/dist/dto/get-risk-assessment-history.dto.d.ts.map +1 -0
package/dist/dto/get-risk-assessment-history.dto.js +13 -0
package/dist/dto/get-risk-assessment-history.dto.js.map +1 -0
package/dist/dto/get-session-id-response.dto.d.ts +4 -0
package/dist/dto/get-session-id-response.dto.d.ts.map +1 -0
package/dist/dto/get-session-id-response.dto.js +8 -0
package/dist/dto/get-session-id-response.dto.js.map +1 -0
package/dist/dto/get-setup-data-response.dto.d.ts +4 -0
package/dist/dto/get-setup-data-response.dto.d.ts.map +1 -0
package/dist/dto/get-setup-data-response.dto.js +8 -0
package/dist/dto/get-setup-data-response.dto.js.map +1 -0
package/dist/dto/get-setup-data.dto.d.ts +7 -0
package/dist/dto/get-setup-data.dto.d.ts.map +1 -0
package/dist/dto/get-setup-data.dto.js +43 -0
package/dist/dto/get-setup-data.dto.js.map +1 -0
package/dist/dto/get-suspicious-activity.dto.d.ts +9 -0
package/dist/dto/get-suspicious-activity.dto.d.ts.map +1 -0
package/dist/dto/get-suspicious-activity.dto.js +13 -0
package/dist/dto/get-suspicious-activity.dto.js.map +1 -0
package/dist/dto/get-user-agent-response.dto.d.ts +4 -0
package/dist/dto/get-user-agent-response.dto.d.ts.map +1 -0
package/dist/dto/get-user-agent-response.dto.js +8 -0
package/dist/dto/get-user-agent-response.dto.js.map +1 -0
package/dist/dto/get-user-auth-history.dto.d.ts +20 -0
package/dist/dto/get-user-auth-history.dto.d.ts.map +1 -0
package/dist/dto/get-user-auth-history.dto.js +22 -0
package/dist/dto/get-user-auth-history.dto.js.map +1 -0
package/dist/dto/get-user-by-email.dto.d.ts +5 -0
package/dist/dto/get-user-by-email.dto.d.ts.map +1 -0
package/dist/dto/get-user-by-email.dto.js +36 -0
package/dist/dto/get-user-by-email.dto.js.map +1 -0
package/dist/dto/get-user-by-id.dto.d.ts +4 -0
package/dist/dto/get-user-by-id.dto.d.ts.map +1 -0
package/dist/dto/get-user-by-id.dto.js +29 -0
package/dist/dto/get-user-by-id.dto.js.map +1 -0
package/dist/dto/get-user-devices.dto.d.ts +8 -0
package/dist/dto/get-user-devices.dto.d.ts.map +1 -0
package/dist/dto/get-user-devices.dto.js +33 -0
package/dist/dto/get-user-devices.dto.js.map +1 -0
package/dist/dto/get-user-response.dto.d.ts +2 -0
package/dist/dto/get-user-response.dto.d.ts.map +1 -0
package/dist/dto/get-user-response.dto.js +6 -0
package/dist/dto/get-user-response.dto.js.map +1 -0
package/dist/dto/has-provider.dto.d.ts +7 -0
package/dist/dto/has-provider.dto.d.ts.map +1 -0
package/dist/dto/has-provider.dto.js +38 -0
package/dist/dto/has-provider.dto.js.map +1 -0
package/dist/dto/index.d.ts +51 -0
package/dist/dto/index.d.ts.map +1 -0
package/dist/dto/index.js +67 -0
package/dist/dto/index.js.map +1 -0
package/dist/dto/is-trusted-device-response.dto.d.ts +4 -0
package/dist/dto/is-trusted-device-response.dto.d.ts.map +1 -0
package/dist/dto/is-trusted-device-response.dto.js +8 -0
package/dist/dto/is-trusted-device-response.dto.js.map +1 -0
package/dist/dto/list-providers-response.dto.d.ts +4 -0
package/dist/dto/list-providers-response.dto.d.ts.map +1 -0
package/dist/dto/list-providers-response.dto.js +8 -0
package/dist/dto/list-providers-response.dto.js.map +1 -0
package/dist/dto/login.dto.d.ts +7 -0
package/dist/dto/login.dto.d.ts.map +1 -0
package/dist/dto/login.dto.js +68 -0
package/dist/dto/login.dto.js.map +1 -0
package/dist/dto/logout-all-response.dto.d.ts +4 -0
package/dist/dto/logout-all-response.dto.d.ts.map +1 -0
package/dist/dto/logout-all-response.dto.js +8 -0
package/dist/dto/logout-all-response.dto.js.map +1 -0
package/dist/dto/logout-all.dto.d.ts +5 -0
package/dist/dto/logout-all.dto.d.ts.map +1 -0
package/dist/dto/logout-all.dto.js +42 -0
package/dist/dto/logout-all.dto.js.map +1 -0
package/dist/dto/logout-response.dto.d.ts +4 -0
package/dist/dto/logout-response.dto.d.ts.map +1 -0
package/dist/dto/logout-response.dto.js +8 -0
package/dist/dto/logout-response.dto.js.map +1 -0
package/dist/dto/logout.dto.d.ts +5 -0
package/dist/dto/logout.dto.d.ts.map +1 -0
package/dist/dto/logout.dto.js +36 -0
package/dist/dto/logout.dto.js.map +1 -0
package/dist/dto/refresh-token.dto.d.ts +4 -0
package/dist/dto/refresh-token.dto.d.ts.map +1 -0
package/dist/dto/refresh-token.dto.js +24 -0
package/dist/dto/refresh-token.dto.js.map +1 -0
package/dist/dto/remove-devices.dto.d.ts +9 -0
package/dist/dto/remove-devices.dto.d.ts.map +1 -0
package/dist/dto/remove-devices.dto.js +50 -0
package/dist/dto/remove-devices.dto.js.map +1 -0
package/dist/dto/resend-code-response.dto.d.ts +4 -0
package/dist/dto/resend-code-response.dto.d.ts.map +1 -0
package/dist/dto/resend-code-response.dto.js +8 -0
package/dist/dto/resend-code-response.dto.js.map +1 -0
package/dist/dto/resend-code.dto.d.ts +4 -0
package/dist/dto/resend-code.dto.d.ts.map +1 -0
package/dist/dto/resend-code.dto.js +29 -0
package/dist/dto/resend-code.dto.js.map +1 -0
package/dist/dto/reset-password.dto.d.ts +8 -0
package/dist/dto/reset-password.dto.d.ts.map +1 -0
package/dist/dto/reset-password.dto.js +61 -0
package/dist/dto/reset-password.dto.js.map +1 -0
package/dist/dto/respond-challenge.dto.d.ts +33 -0
package/dist/dto/respond-challenge.dto.d.ts.map +1 -0
package/dist/dto/respond-challenge.dto.js +131 -0
package/dist/dto/respond-challenge.dto.js.map +1 -0
package/dist/dto/set-mfa-exemption.dto.d.ts +12 -0
package/dist/dto/set-mfa-exemption.dto.d.ts.map +1 -0
package/dist/dto/set-mfa-exemption.dto.js +66 -0
package/dist/dto/set-mfa-exemption.dto.js.map +1 -0
package/dist/dto/set-must-change-password-response.dto.d.ts +4 -0
package/dist/dto/set-must-change-password-response.dto.d.ts.map +1 -0
package/dist/dto/set-must-change-password-response.dto.js +8 -0
package/dist/dto/set-must-change-password-response.dto.js.map +1 -0
package/dist/dto/set-must-change-password.dto.d.ts +4 -0
package/dist/dto/set-must-change-password.dto.d.ts.map +1 -0
package/dist/dto/set-must-change-password.dto.js +29 -0
package/dist/dto/set-must-change-password.dto.js.map +1 -0
package/dist/dto/set-preferred-method.dto.d.ts +8 -0
package/dist/dto/set-preferred-method.dto.d.ts.map +1 -0
package/dist/dto/set-preferred-method.dto.js +49 -0
package/dist/dto/set-preferred-method.dto.js.map +1 -0
package/dist/dto/setup-mfa.dto.d.ts +9 -0
package/dist/dto/setup-mfa.dto.d.ts.map +1 -0
package/dist/dto/setup-mfa.dto.js +55 -0
package/dist/dto/setup-mfa.dto.js.map +1 -0
package/dist/dto/signup.dto.d.ts +10 -0
package/dist/dto/signup.dto.d.ts.map +1 -0
package/dist/dto/signup.dto.js +109 -0
package/dist/dto/signup.dto.js.map +1 -0
package/dist/dto/social-auth.dto.d.ts +54 -0
package/dist/dto/social-auth.dto.d.ts.map +1 -0
package/dist/dto/social-auth.dto.js +232 -0
package/dist/dto/social-auth.dto.js.map +1 -0
package/dist/dto/trust-device-response.dto.d.ts +4 -0
package/dist/dto/trust-device-response.dto.d.ts.map +1 -0
package/dist/dto/trust-device-response.dto.js +8 -0
package/dist/dto/trust-device-response.dto.js.map +1 -0
package/dist/dto/trust-device.dto.d.ts +1 -0
package/dist/dto/trust-device.dto.d.ts.map +1 -0
package/dist/dto/trust-device.dto.js +2 -0
package/dist/dto/trust-device.dto.js.map +1 -0
package/dist/dto/update-user-attributes-request.dto.d.ts +5 -0
package/dist/dto/update-user-attributes-request.dto.d.ts.map +1 -0
package/dist/dto/update-user-attributes-request.dto.js +30 -0
package/dist/dto/update-user-attributes-request.dto.js.map +1 -0
package/dist/dto/user-response.dto.d.ts +20 -0
package/dist/dto/user-response.dto.d.ts.map +1 -0
package/dist/dto/user-response.dto.js +42 -0
package/dist/dto/user-response.dto.js.map +1 -0
package/dist/dto/user-update.dto.d.ts +12 -0
package/dist/dto/user-update.dto.d.ts.map +1 -0
package/dist/dto/user-update.dto.js +119 -0
package/dist/dto/user-update.dto.js.map +1 -0
package/dist/dto/verify-email.dto.d.ts +29 -0
package/dist/dto/verify-email.dto.d.ts.map +1 -0
package/dist/dto/verify-email.dto.js +161 -0
package/dist/dto/verify-email.dto.js.map +1 -0
package/dist/dto/verify-mfa-code.dto.d.ts +10 -0
package/dist/dto/verify-mfa-code.dto.d.ts.map +1 -0
package/dist/dto/verify-mfa-code.dto.js +56 -0
package/dist/dto/verify-mfa-code.dto.js.map +1 -0
package/dist/dto/verify-phone-by-sub.dto.d.ts +6 -0
package/dist/dto/verify-phone-by-sub.dto.d.ts.map +1 -0
package/dist/dto/verify-phone-by-sub.dto.js +49 -0
package/dist/dto/verify-phone-by-sub.dto.js.map +1 -0
package/dist/dto/verify-phone.dto.d.ts +24 -0
package/dist/dto/verify-phone.dto.d.ts.map +1 -0
package/dist/dto/verify-phone.dto.js +124 -0
package/dist/dto/verify-phone.dto.js.map +1 -0
package/dist/entities/auth-audit.entity.d.ts +31 -0
package/dist/entities/auth-audit.entity.d.ts.map +1 -0
package/dist/entities/auth-audit.entity.js +33 -0
package/dist/entities/auth-audit.entity.js.map +1 -0
package/dist/entities/challenge-session.entity.d.ts +17 -0
package/dist/entities/challenge-session.entity.d.ts.map +1 -0
package/dist/entities/challenge-session.entity.js +21 -0
package/dist/entities/challenge-session.entity.js.map +1 -0
package/dist/entities/index.d.ts +12 -0
package/dist/entities/index.d.ts.map +1 -0
package/dist/entities/index.js +26 -0
package/dist/entities/index.js.map +1 -0
package/dist/entities/login-attempt.entity.d.ts +13 -0
package/dist/entities/login-attempt.entity.d.ts.map +1 -0
package/dist/entities/login-attempt.entity.js +17 -0
package/dist/entities/login-attempt.entity.js.map +1 -0
package/dist/entities/mfa-device.entity.d.ts +22 -0
package/dist/entities/mfa-device.entity.d.ts.map +1 -0
package/dist/entities/mfa-device.entity.js +25 -0
package/dist/entities/mfa-device.entity.js.map +1 -0
package/dist/entities/rate-limit.entity.d.ts +9 -0
package/dist/entities/rate-limit.entity.d.ts.map +1 -0
package/dist/entities/rate-limit.entity.js +13 -0
package/dist/entities/rate-limit.entity.js.map +1 -0
package/dist/entities/session.entity.d.ts +32 -0
package/dist/entities/session.entity.d.ts.map +1 -0
package/dist/entities/session.entity.js +36 -0
package/dist/entities/session.entity.js.map +1 -0
package/dist/entities/social-account.entity.d.ts +13 -0
package/dist/entities/social-account.entity.d.ts.map +1 -0
package/dist/entities/social-account.entity.js +17 -0
package/dist/entities/social-account.entity.js.map +1 -0
package/dist/entities/storage-lock.entity.d.ts +8 -0
package/dist/entities/storage-lock.entity.d.ts.map +1 -0
package/dist/entities/storage-lock.entity.js +12 -0
package/dist/entities/storage-lock.entity.js.map +1 -0
package/dist/entities/trusted-device.entity.d.ts +17 -0
package/dist/entities/trusted-device.entity.d.ts.map +1 -0
package/dist/entities/trusted-device.entity.js +21 -0
package/dist/entities/trusted-device.entity.js.map +1 -0
package/dist/entities/user.entity.d.ts +41 -0
package/dist/entities/user.entity.d.ts.map +1 -0
package/dist/entities/user.entity.js +45 -0
package/dist/entities/user.entity.js.map +1 -0
package/dist/entities/verification-token.entity.d.ts +19 -0
package/dist/entities/verification-token.entity.d.ts.map +1 -0
package/dist/entities/verification-token.entity.js +29 -0
package/dist/entities/verification-token.entity.js.map +1 -0
package/dist/enums/auth-audit-event-type.enum.d.ts +55 -0
package/dist/enums/auth-audit-event-type.enum.d.ts.map +1 -0
package/dist/enums/auth-audit-event-type.enum.js +59 -0
package/dist/enums/auth-audit-event-type.enum.js.map +1 -0
package/dist/enums/error-codes.enum.d.ts +53 -0
package/dist/enums/error-codes.enum.d.ts.map +1 -0
package/dist/enums/error-codes.enum.js +57 -0
package/dist/enums/error-codes.enum.js.map +1 -0
package/dist/enums/mfa-method.enum.d.ts +11 -0
package/dist/enums/mfa-method.enum.d.ts.map +1 -0
package/dist/enums/mfa-method.enum.js +18 -0
package/dist/enums/mfa-method.enum.js.map +1 -0
package/dist/enums/risk-factor.enum.d.ts +14 -0
package/dist/enums/risk-factor.enum.d.ts.map +1 -0
package/dist/enums/risk-factor.enum.js +18 -0
package/dist/enums/risk-factor.enum.js.map +1 -0
package/dist/exceptions/nauth.exception.d.ts +18 -0
package/dist/exceptions/nauth.exception.d.ts.map +1 -0
package/dist/exceptions/nauth.exception.js +64 -0
package/dist/exceptions/nauth.exception.js.map +1 -0
package/dist/handlers/auth.handler.d.ts +18 -0
package/dist/handlers/auth.handler.d.ts.map +1 -0
package/dist/handlers/auth.handler.js +173 -0
package/dist/handlers/auth.handler.js.map +1 -0
package/dist/handlers/client-info.handler.d.ts +12 -0
package/dist/handlers/client-info.handler.d.ts.map +1 -0
package/dist/handlers/client-info.handler.js +61 -0
package/dist/handlers/client-info.handler.js.map +1 -0
package/dist/handlers/csrf.handler.d.ts +13 -0
package/dist/handlers/csrf.handler.d.ts.map +1 -0
package/dist/handlers/csrf.handler.js +84 -0
package/dist/handlers/csrf.handler.js.map +1 -0
package/dist/handlers/token-delivery.handler.d.ts +12 -0
package/dist/handlers/token-delivery.handler.d.ts.map +1 -0
package/dist/handlers/token-delivery.handler.js +86 -0
package/dist/handlers/token-delivery.handler.js.map +1 -0
package/dist/index.d.ts +27 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +51 -0
package/dist/index.js.map +1 -0
package/dist/interfaces/client-info.interface.d.ts +16 -0
package/dist/interfaces/client-info.interface.d.ts.map +1 -0
package/dist/interfaces/client-info.interface.js +3 -0
package/dist/interfaces/client-info.interface.js.map +1 -0
package/dist/interfaces/config.interface.d.ts +279 -0
package/dist/interfaces/config.interface.d.ts.map +1 -0
package/dist/interfaces/config.interface.js +3 -0
package/dist/interfaces/config.interface.js.map +1 -0
package/dist/interfaces/entities.interface.d.ts +169 -0
package/dist/interfaces/entities.interface.d.ts.map +1 -0
package/dist/interfaces/entities.interface.js +3 -0
package/dist/interfaces/entities.interface.js.map +1 -0
package/dist/interfaces/index.d.ts +11 -0
package/dist/interfaces/index.d.ts.map +1 -0
package/dist/interfaces/index.js +27 -0
package/dist/interfaces/index.js.map +1 -0
package/dist/interfaces/logger.interface.d.ts +43 -0
package/dist/interfaces/logger.interface.d.ts.map +1 -0
package/dist/interfaces/logger.interface.js +12 -0
package/dist/interfaces/logger.interface.js.map +1 -0
package/dist/interfaces/mfa-provider.interface.d.ts +12 -0
package/dist/interfaces/mfa-provider.interface.d.ts.map +1 -0
package/dist/interfaces/mfa-provider.interface.js +3 -0
package/dist/interfaces/mfa-provider.interface.js.map +1 -0
package/dist/interfaces/oauth.interface.d.ts +24 -0
package/dist/interfaces/oauth.interface.d.ts.map +1 -0
package/dist/interfaces/oauth.interface.js +3 -0
package/dist/interfaces/oauth.interface.js.map +1 -0
package/dist/interfaces/provider.interface.d.ts +12 -0
package/dist/interfaces/provider.interface.d.ts.map +1 -0
package/dist/interfaces/provider.interface.js +3 -0
package/dist/interfaces/provider.interface.js.map +1 -0
package/dist/interfaces/social-auth-provider.interface.d.ts +13 -0
package/dist/interfaces/social-auth-provider.interface.d.ts.map +1 -0
package/dist/interfaces/social-auth-provider.interface.js +3 -0
package/dist/interfaces/social-auth-provider.interface.js.map +1 -0
package/dist/interfaces/storage-adapter.interface.d.ts +39 -0
package/dist/interfaces/storage-adapter.interface.d.ts.map +1 -0
package/dist/interfaces/storage-adapter.interface.js +3 -0
package/dist/interfaces/storage-adapter.interface.js.map +1 -0
package/dist/interfaces/template.interface.d.ts +99 -0
package/dist/interfaces/template.interface.d.ts.map +1 -0
package/dist/interfaces/template.interface.js +15 -0
package/dist/interfaces/template.interface.js.map +1 -0
package/dist/interfaces/token-verifier.interface.d.ts +7 -0
package/dist/interfaces/token-verifier.interface.d.ts.map +1 -0
package/dist/interfaces/token-verifier.interface.js +3 -0
package/dist/interfaces/token-verifier.interface.js.map +1 -0
package/dist/internal.d.ts +20 -0
package/dist/internal.d.ts.map +1 -0
package/dist/internal.js +53 -0
package/dist/internal.js.map +1 -0
package/dist/platform/interfaces.d.ts +56 -0
package/dist/platform/interfaces.d.ts.map +1 -0
package/dist/platform/interfaces.js +3 -0
package/dist/platform/interfaces.js.map +1 -0
package/dist/schemas/auth-config.schema.d.ts +3411 -0
package/dist/schemas/auth-config.schema.d.ts.map +1 -0
package/dist/schemas/auth-config.schema.js +428 -0
package/dist/schemas/auth-config.schema.js.map +1 -0
package/dist/services/adaptive-mfa-decision.service.d.ts +39 -0
package/dist/services/adaptive-mfa-decision.service.d.ts.map +1 -0
package/dist/services/adaptive-mfa-decision.service.js +223 -0
package/dist/services/adaptive-mfa-decision.service.js.map +1 -0
package/dist/services/auth-audit.service.d.ts +44 -0
package/dist/services/auth-audit.service.d.ts.map +1 -0
package/dist/services/auth-audit.service.js +241 -0
package/dist/services/auth-audit.service.js.map +1 -0
package/dist/services/auth-challenge-helper.service.d.ts +48 -0
package/dist/services/auth-challenge-helper.service.d.ts.map +1 -0
package/dist/services/auth-challenge-helper.service.js +425 -0
package/dist/services/auth-challenge-helper.service.js.map +1 -0
package/dist/services/auth-flow-context-builder.service.d.ts +31 -0
package/dist/services/auth-flow-context-builder.service.d.ts.map +1 -0
package/dist/services/auth-flow-context-builder.service.js +253 -0
package/dist/services/auth-flow-context-builder.service.js.map +1 -0
package/dist/services/auth-flow-rules.d.ts +18 -0
package/dist/services/auth-flow-rules.d.ts.map +1 -0
package/dist/services/auth-flow-rules.js +55 -0
package/dist/services/auth-flow-rules.js.map +1 -0
package/dist/services/auth-flow-state-definitions.d.ts +5 -0
package/dist/services/auth-flow-state-definitions.d.ts.map +1 -0
package/dist/services/auth-flow-state-definitions.js +87 -0
package/dist/services/auth-flow-state-definitions.js.map +1 -0
package/dist/services/auth-flow-state-machine.service.d.ts +17 -0
package/dist/services/auth-flow-state-machine.service.d.ts.map +1 -0
package/dist/services/auth-flow-state-machine.service.js +91 -0
package/dist/services/auth-flow-state-machine.service.js.map +1 -0
package/dist/services/auth-flow-state-machine.types.d.ts +55 -0
package/dist/services/auth-flow-state-machine.types.d.ts.map +1 -0
package/dist/services/auth-flow-state-machine.types.js +16 -0
package/dist/services/auth-flow-state-machine.types.js.map +1 -0
package/dist/services/auth.service.d.ts +87 -0
package/dist/services/auth.service.d.ts.map +1 -0
package/dist/services/auth.service.js +2356 -0
package/dist/services/auth.service.js.map +1 -0
package/dist/services/challenge.service.d.ts +32 -0
package/dist/services/challenge.service.d.ts.map +1 -0
package/dist/services/challenge.service.js +293 -0
package/dist/services/challenge.service.js.map +1 -0
package/dist/services/client-info.service.d.ts +20 -0
package/dist/services/client-info.service.d.ts.map +1 -0
package/dist/services/client-info.service.js +202 -0
package/dist/services/client-info.service.js.map +1 -0
package/dist/services/csrf.service.d.ts +13 -0
package/dist/services/csrf.service.d.ts.map +1 -0
package/dist/services/csrf.service.js +67 -0
package/dist/services/csrf.service.js.map +1 -0
package/dist/services/email-verification.service.d.ts +30 -0
package/dist/services/email-verification.service.d.ts.map +1 -0
package/dist/services/email-verification.service.js +373 -0
package/dist/services/email-verification.service.js.map +1 -0
package/dist/services/geo-location.service.d.ts +85 -0
package/dist/services/geo-location.service.d.ts.map +1 -0
package/dist/services/geo-location.service.js +338 -0
package/dist/services/geo-location.service.js.map +1 -0
package/dist/services/index.d.ts +14 -0
package/dist/services/index.d.ts.map +1 -0
package/dist/services/index.js +30 -0
package/dist/services/index.js.map +1 -0
package/dist/services/jwt.service.d.ts +62 -0
package/dist/services/jwt.service.d.ts.map +1 -0
package/dist/services/jwt.service.js +261 -0
package/dist/services/jwt.service.js.map +1 -0
package/dist/services/mfa-base.service.d.ts +37 -0
package/dist/services/mfa-base.service.d.ts.map +1 -0
package/dist/services/mfa-base.service.js +297 -0
package/dist/services/mfa-base.service.js.map +1 -0
package/dist/services/mfa.service.d.ts +35 -0
package/dist/services/mfa.service.d.ts.map +1 -0
package/dist/services/mfa.service.js +449 -0
package/dist/services/mfa.service.js.map +1 -0
package/dist/services/password.service.d.ts +19 -0
package/dist/services/password.service.d.ts.map +1 -0
package/dist/services/password.service.js +150 -0
package/dist/services/password.service.js.map +1 -0
package/dist/services/phone-verification.service.d.ts +32 -0
package/dist/services/phone-verification.service.d.ts.map +1 -0
package/dist/services/phone-verification.service.js +474 -0
package/dist/services/phone-verification.service.js.map +1 -0
package/dist/services/risk-detection.service.d.ts +30 -0
package/dist/services/risk-detection.service.d.ts.map +1 -0
package/dist/services/risk-detection.service.js +518 -0
package/dist/services/risk-detection.service.js.map +1 -0
package/dist/services/risk-scoring.service.d.ts +12 -0
package/dist/services/risk-scoring.service.d.ts.map +1 -0
package/dist/services/risk-scoring.service.js +44 -0
package/dist/services/risk-scoring.service.js.map +1 -0
package/dist/services/session.service.d.ts +64 -0
package/dist/services/session.service.d.ts.map +1 -0
package/dist/services/session.service.js +455 -0
package/dist/services/session.service.js.map +1 -0
package/dist/services/social-auth-base.service.d.ts +57 -0
package/dist/services/social-auth-base.service.d.ts.map +1 -0
package/dist/services/social-auth-base.service.js +340 -0
package/dist/services/social-auth-base.service.js.map +1 -0
package/dist/services/social-auth.service.d.ts +31 -0
package/dist/services/social-auth.service.d.ts.map +1 -0
package/dist/services/social-auth.service.js +172 -0
package/dist/services/social-auth.service.js.map +1 -0
package/dist/services/social-provider-registry.service.d.ts +9 -0
package/dist/services/social-provider-registry.service.d.ts.map +1 -0
package/dist/services/social-provider-registry.service.js +30 -0
package/dist/services/social-provider-registry.service.js.map +1 -0
package/dist/services/trusted-device.service.d.ts +29 -0
package/dist/services/trusted-device.service.d.ts.map +1 -0
package/dist/services/trusted-device.service.js +190 -0
package/dist/services/trusted-device.service.js.map +1 -0
package/dist/storage/account-lockout-storage.service.d.ts +16 -0
package/dist/storage/account-lockout-storage.service.d.ts.map +1 -0
package/dist/storage/account-lockout-storage.service.js +50 -0
package/dist/storage/account-lockout-storage.service.js.map +1 -0
package/dist/storage/index.d.ts +4 -0
package/dist/storage/index.d.ts.map +1 -0
package/dist/storage/index.js +20 -0
package/dist/storage/index.js.map +1 -0
package/dist/storage/memory-storage.adapter.d.ts +33 -0
package/dist/storage/memory-storage.adapter.d.ts.map +1 -0
package/dist/storage/memory-storage.adapter.js +195 -0
package/dist/storage/memory-storage.adapter.js.map +1 -0
package/dist/storage/rate-limit-storage.service.d.ts +11 -0
package/dist/storage/rate-limit-storage.service.d.ts.map +1 -0
package/dist/storage/rate-limit-storage.service.js +33 -0
package/dist/storage/rate-limit-storage.service.js.map +1 -0
package/dist/templates/html-template.engine.d.ts +16 -0
package/dist/templates/html-template.engine.d.ts.map +1 -0
package/dist/templates/html-template.engine.js +502 -0
package/dist/templates/html-template.engine.js.map +1 -0
package/dist/templates/index.d.ts +2 -0
package/dist/templates/index.d.ts.map +1 -0
package/dist/templates/index.js +18 -0
package/dist/templates/index.js.map +1 -0
package/dist/utils/common-passwords.d.ts +4 -0
package/dist/utils/common-passwords.d.ts.map +1 -0
package/dist/utils/common-passwords.js +108 -0
package/dist/utils/common-passwords.js.map +1 -0
package/dist/utils/context-storage.d.ts +13 -0
package/dist/utils/context-storage.d.ts.map +1 -0
package/dist/utils/context-storage.js +54 -0
package/dist/utils/context-storage.js.map +1 -0
package/dist/utils/cookie-names.util.d.ts +7 -0
package/dist/utils/cookie-names.util.d.ts.map +1 -0
package/dist/utils/cookie-names.util.js +30 -0
package/dist/utils/cookie-names.util.js.map +1 -0
package/dist/utils/cookies.util.d.ts +12 -0
package/dist/utils/cookies.util.d.ts.map +1 -0
package/dist/utils/cookies.util.js +48 -0
package/dist/utils/cookies.util.js.map +1 -0
package/dist/utils/index.d.ts +8 -0
package/dist/utils/index.d.ts.map +1 -0
package/dist/utils/index.js +24 -0
package/dist/utils/index.js.map +1 -0
package/dist/utils/ip-extractor.d.ts +12 -0
package/dist/utils/ip-extractor.d.ts.map +1 -0
package/dist/utils/ip-extractor.js +88 -0
package/dist/utils/ip-extractor.js.map +1 -0
package/dist/utils/nauth-logger.d.ts +20 -0
package/dist/utils/nauth-logger.d.ts.map +1 -0
package/dist/utils/nauth-logger.js +129 -0
package/dist/utils/nauth-logger.js.map +1 -0
package/dist/utils/pii-redactor.d.ts +16 -0
package/dist/utils/pii-redactor.d.ts.map +1 -0
package/dist/utils/pii-redactor.js +147 -0
package/dist/utils/pii-redactor.js.map +1 -0
package/dist/utils/setup/get-repositories.d.ts +16 -0
package/dist/utils/setup/get-repositories.d.ts.map +1 -0
package/dist/utils/setup/get-repositories.js +36 -0
package/dist/utils/setup/get-repositories.js.map +1 -0
package/dist/utils/setup/init-services.d.ts +41 -0
package/dist/utils/setup/init-services.d.ts.map +1 -0
package/dist/utils/setup/init-services.js +107 -0
package/dist/utils/setup/init-services.js.map +1 -0
package/dist/utils/setup/init-social.d.ts +13 -0
package/dist/utils/setup/init-social.d.ts.map +1 -0
package/dist/utils/setup/init-social.js +77 -0
package/dist/utils/setup/init-social.js.map +1 -0
package/dist/utils/setup/init-storage.d.ts +4 -0
package/dist/utils/setup/init-storage.d.ts.map +1 -0
package/dist/utils/setup/init-storage.js +79 -0
package/dist/utils/setup/init-storage.js.map +1 -0
package/dist/utils/setup/register-mfa.d.ts +5 -0
package/dist/utils/setup/register-mfa.d.ts.map +1 -0
package/dist/utils/setup/register-mfa.js +85 -0
package/dist/utils/setup/register-mfa.js.map +1 -0
package/dist/utils/setup/run-nauth-migrations.d.ts +5 -0
package/dist/utils/setup/run-nauth-migrations.d.ts.map +1 -0
package/dist/utils/setup/run-nauth-migrations.js +67 -0
package/dist/utils/setup/run-nauth-migrations.js.map +1 -0
package/dist/utils/token-delivery-policy.d.ts +6 -0
package/dist/utils/token-delivery-policy.d.ts.map +1 -0
package/dist/utils/token-delivery-policy.js +15 -0
package/dist/utils/token-delivery-policy.js.map +1 -0
package/dist/validators/template.validator.d.ts +7 -0
package/dist/validators/template.validator.d.ts.map +1 -0
package/dist/validators/template.validator.js +95 -0
package/dist/validators/template.validator.js.map +1 -0
package/jest.config.js +15 -0
package/jest.setup.ts +6 -0
package/package.json +73 -0
package/src/adapters/database-columns.ts +165 -0
package/src/adapters/express.adapter.ts +385 -0
package/src/adapters/fastify.adapter.ts +416 -0
package/src/adapters/index.ts +16 -0
package/src/adapters/storage.factory.ts +143 -0
package/src/bootstrap.ts +374 -0
package/src/dto/auth-challenge.dto.ts +231 -0
package/src/dto/auth-response.dto.ts +253 -0
package/src/dto/challenge-response.dto.ts +234 -0
package/src/dto/change-password-request.dto.ts +50 -0
package/src/dto/change-password-response.dto.ts +29 -0
package/src/dto/change-password.dto.ts +57 -0
package/src/dto/error-response.dto.ts +136 -0
package/src/dto/get-available-methods.dto.ts +55 -0
package/src/dto/get-challenge-data-response.dto.ts +28 -0
package/src/dto/get-challenge-data.dto.ts +69 -0
package/src/dto/get-client-info.dto.ts +104 -0
package/src/dto/get-device-token-response.dto.ts +25 -0
package/src/dto/get-events-by-type.dto.ts +76 -0
package/src/dto/get-ip-address-response.dto.ts +24 -0
package/src/dto/get-mfa-status.dto.ts +94 -0
package/src/dto/get-risk-assessment-history.dto.ts +39 -0
package/src/dto/get-session-id-response.dto.ts +25 -0
package/src/dto/get-setup-data-response.dto.ts +31 -0
package/src/dto/get-setup-data.dto.ts +75 -0
package/src/dto/get-suspicious-activity.dto.ts +42 -0
package/src/dto/get-user-agent-response.dto.ts +23 -0
package/src/dto/get-user-auth-history.dto.ts +95 -0
package/src/dto/get-user-by-email.dto.ts +61 -0
package/src/dto/get-user-by-id.dto.ts +46 -0
package/src/dto/get-user-devices.dto.ts +53 -0
package/src/dto/get-user-response.dto.ts +17 -0
package/src/dto/has-provider.dto.ts +56 -0
package/src/dto/index.ts +57 -0
package/src/dto/is-trusted-device-response.dto.ts +34 -0
package/src/dto/list-providers-response.dto.ts +23 -0
package/src/dto/login.dto.ts +95 -0
package/src/dto/logout-all-response.dto.ts +24 -0
package/src/dto/logout-all.dto.ts +65 -0
package/src/dto/logout-response.dto.ts +25 -0
package/src/dto/logout.dto.ts +64 -0
package/src/dto/refresh-token.dto.ts +36 -0
package/src/dto/remove-devices.dto.ts +85 -0
package/src/dto/resend-code-response.dto.ts +32 -0
package/src/dto/resend-code.dto.ts +51 -0
package/src/dto/reset-password.dto.ts +115 -0
package/src/dto/respond-challenge.dto.ts +272 -0
package/src/dto/set-mfa-exemption.dto.ts +112 -0
package/src/dto/set-must-change-password-response.dto.ts +27 -0
package/src/dto/set-must-change-password.dto.ts +46 -0
package/src/dto/set-preferred-method.dto.ts +80 -0
package/src/dto/setup-mfa.dto.ts +98 -0
package/src/dto/signup.dto.ts +174 -0
package/src/dto/social-auth.dto.ts +422 -0
package/src/dto/trust-device-response.dto.ts +30 -0
package/src/dto/trust-device.dto.ts +9 -0
package/src/dto/update-user-attributes-request.dto.ts +51 -0
package/src/dto/user-response.dto.ts +138 -0
package/src/dto/user-update.dto.ts +222 -0
package/src/dto/verify-email.dto.ts +313 -0
package/src/dto/verify-mfa-code.dto.ts +103 -0
package/src/dto/verify-phone-by-sub.dto.ts +78 -0
package/src/dto/verify-phone.dto.ts +245 -0
package/src/entities/auth-audit.entity.ts +232 -0
package/src/entities/challenge-session.entity.ts +116 -0
package/src/entities/index.ts +29 -0
package/src/entities/login-attempt.entity.ts +64 -0
package/src/entities/mfa-device.entity.ts +151 -0
package/src/entities/rate-limit.entity.ts +44 -0
package/src/entities/session.entity.ts +180 -0
package/src/entities/social-account.entity.ts +96 -0
package/src/entities/storage-lock.entity.ts +39 -0
package/src/entities/trusted-device.entity.ts +112 -0
package/src/entities/user.entity.ts +243 -0
package/src/entities/verification-token.entity.ts +141 -0
package/src/enums/auth-audit-event-type.enum.ts +360 -0
package/src/enums/error-codes.enum.ts +420 -0
package/src/enums/mfa-method.enum.ts +97 -0
package/src/enums/risk-factor.enum.ts +111 -0
package/src/exceptions/nauth.exception.ts +231 -0
package/src/handlers/auth.handler.ts +260 -0
package/src/handlers/client-info.handler.ts +101 -0
package/src/handlers/csrf.handler.ts +156 -0
package/src/handlers/token-delivery.handler.ts +118 -0
package/src/index.ts +118 -0
package/src/interfaces/client-info.interface.ts +85 -0
package/src/interfaces/config.interface.ts +2135 -0
package/src/interfaces/entities.interface.ts +226 -0
package/src/interfaces/index.ts +15 -0
package/src/interfaces/logger.interface.ts +283 -0
package/src/interfaces/mfa-provider.interface.ts +154 -0
package/src/interfaces/oauth.interface.ts +148 -0
package/src/interfaces/provider.interface.ts +47 -0
package/src/interfaces/social-auth-provider.interface.ts +131 -0
package/src/interfaces/storage-adapter.interface.ts +82 -0
package/src/interfaces/template.interface.ts +510 -0
package/src/interfaces/token-verifier.interface.ts +110 -0
package/src/internal.ts +178 -0
package/src/platform/interfaces.ts +299 -0
package/src/schemas/auth-config.schema.ts +646 -0
package/src/services/adaptive-mfa-decision.service.spec.ts +1058 -0
package/src/services/adaptive-mfa-decision.service.ts +457 -0
package/src/services/auth-audit.service.spec.ts +675 -0
package/src/services/auth-audit.service.ts +558 -0
package/src/services/auth-challenge-helper.service.spec.ts +3227 -0
package/src/services/auth-challenge-helper.service.ts +825 -0
package/src/services/auth-flow-context-builder.service.ts +520 -0
package/src/services/auth-flow-rules.ts +202 -0
package/src/services/auth-flow-state-definitions.ts +190 -0
package/src/services/auth-flow-state-machine.service.ts +207 -0
package/src/services/auth-flow-state-machine.types.ts +316 -0
package/src/services/auth.service.spec.ts +4195 -0
package/src/services/auth.service.ts +3727 -0
package/src/services/challenge.service.spec.ts +1363 -0
package/src/services/challenge.service.ts +696 -0
package/src/services/client-info.service.spec.ts +572 -0
package/src/services/client-info.service.ts +374 -0
package/src/services/csrf.service.ts +54 -0
package/src/services/email-verification.service.spec.ts +1229 -0
package/src/services/email-verification.service.ts +578 -0
package/src/services/geo-location.service.spec.ts +603 -0
package/src/services/geo-location.service.ts +599 -0
package/src/services/index.ts +13 -0
package/src/services/jwt.service.spec.ts +882 -0
package/src/services/jwt.service.ts +621 -0
package/src/services/mfa-base.service.spec.ts +246 -0
package/src/services/mfa-base.service.ts +611 -0
package/src/services/mfa.service.spec.ts +693 -0
package/src/services/mfa.service.ts +960 -0
package/src/services/password.service.spec.ts +166 -0
package/src/services/password.service.ts +309 -0
package/src/services/phone-verification.service.spec.ts +1120 -0
package/src/services/phone-verification.service.ts +751 -0
package/src/services/risk-detection.service.spec.ts +1292 -0
package/src/services/risk-detection.service.ts +1012 -0
package/src/services/risk-scoring.service.spec.ts +204 -0
package/src/services/risk-scoring.service.ts +131 -0
package/src/services/session.service.spec.ts +1293 -0
package/src/services/session.service.ts +803 -0
package/src/services/social-account.service.spec.ts +725 -0
package/src/services/social-auth-base.service.spec.ts +418 -0
package/src/services/social-auth-base.service.ts +581 -0
package/src/services/social-auth.service.spec.ts +238 -0
package/src/services/social-auth.service.ts +436 -0
package/src/services/social-provider-registry.service.spec.ts +238 -0
package/src/services/social-provider-registry.service.ts +122 -0
package/src/services/trusted-device.service.spec.ts +505 -0
package/src/services/trusted-device.service.ts +339 -0
package/src/storage/account-lockout-storage.service.spec.ts +310 -0
package/src/storage/account-lockout-storage.service.ts +89 -0
package/src/storage/index.ts +3 -0
package/src/storage/memory-storage.adapter.ts +443 -0
package/src/storage/rate-limit-storage.service.spec.ts +247 -0
package/src/storage/rate-limit-storage.service.ts +38 -0
package/src/templates/html-template.engine.spec.ts +161 -0
package/src/templates/html-template.engine.ts +688 -0
package/src/templates/index.ts +7 -0
package/src/utils/common-passwords.spec.ts +230 -0
package/src/utils/common-passwords.ts +170 -0
package/src/utils/context-storage.ts +188 -0
package/src/utils/cookie-names.util.ts +67 -0
package/src/utils/cookies.util.ts +94 -0
package/src/utils/index.ts +12 -0
package/src/utils/ip-extractor.spec.ts +330 -0
package/src/utils/ip-extractor.ts +220 -0
package/src/utils/nauth-logger.spec.ts +388 -0
package/src/utils/nauth-logger.ts +215 -0
package/src/utils/pii-redactor.spec.ts +130 -0
package/src/utils/pii-redactor.ts +288 -0
package/src/utils/setup/get-repositories.ts +140 -0
package/src/utils/setup/init-services.ts +422 -0
package/src/utils/setup/init-social.ts +189 -0
package/src/utils/setup/init-storage.ts +94 -0
package/src/utils/setup/register-mfa.ts +165 -0
package/src/utils/setup/run-nauth-migrations.ts +61 -0
package/src/utils/token-delivery-policy.ts +38 -0
package/src/validators/template.validator.ts +219 -0
package/tsconfig.json +37 -0
package/tsconfig.lint.json +6 -0

package/src/services/mfa.service.ts ADDED Viewed

@@ -0,0 +1,960 @@
+import { Repository } from 'typeorm';
+import { BaseMFADevice, BaseUser } from '../entities';
+import { IUser, IMFADevice } from '../interfaces/entities.interface';
+import { IMFAProviderService } from '../interfaces/mfa-provider.interface';
+import { NAuthException } from '../exceptions/nauth.exception';
+import { AuthErrorCode } from '../enums/error-codes.enum';
+import { MFAMethod, MFADeviceMethod } from '../enums/mfa-method.enum';
+import { ChallengeService } from './challenge.service';
+import { AuthChallenge } from '../dto/auth-challenge.dto';
+import { NAuthConfig } from '../interfaces/config.interface';
+import { NAuthLogger } from '../utils/nauth-logger';
+import { InternalAuthAuditService as AuthAuditService } from './auth-audit.service';
+import { AuthAuditEventType } from '../enums/auth-audit-event-type.enum';
+import { ClientInfoService } from './client-info.service';
+import {
+  GetAvailableMethodsDTO,
+  GetAvailableMethodsResponseDTO,
+  GetChallengeDataDTO,
+  GetChallengeDataResponseDTO,
+  GetMFAStatusDTO,
+  GetMFAStatusResponseDTO,
+  GetSetupDataDTO,
+  GetSetupDataResponseDTO,
+  GetUserDevicesDTO,
+  GetUserDevicesResponseDTO,
+  HasProviderDTO,
+  HasProviderResponseDTO,
+  ListProvidersResponseDTO,
+  RemoveDevicesDTO,
+  RemoveDevicesResponseDTO,
+  SetMFAExemptionDTO,
+  SetMFAExemptionResponseDTO,
+  SetPreferredMethodDTO,
+  SetPreferredMethodResponseDTO,
+  SetupMFADTO,
+  SetupMFAResponseDTO,
+  VerifyMFACodeDTO,
+  VerifyMFACodeResponseDTO,
+} from '../dto';
+/**
+ * MFA Service Registry
+ *
+ * Central registry for managing MFA provider services.
+ * Routes requests to the appropriate provider based on method name.
+ *
+ * Provider services (TOTP, SMS, Passkey) automatically register themselves
+ * when their modules are imported via OnModuleInit.
+ *
+ * **Key Features:**
+ * - Provider registration and lookup
+ * - Unified interface for MFA operations
+ * - Routing verification requests to correct provider
+ * - Device management operations
+ *
+ * @example
+ * ```typescript
+ * @Controller('auth')
+ * export class AuthController {
+ *   constructor(private readonly mfaService: MFAService) {}
+ *
+ *   @Post('mfa/verify')
+ *   async verifyMFA(@Body() dto: { method: string; code: string }) {
+ *     const provider = this.mfaService.getProvider(dto.method);
+ *     return await provider.verify(user, dto.code);
+ *   }
+ * }
+ * ```
+ */
+export class MFAService {
+  private readonly providers = new Map<string, IMFAProviderService>();
+  constructor(
+    private readonly mfaDeviceRepository: Repository<BaseMFADevice>,
+    private readonly userRepository: Repository<BaseUser>,
+    private readonly challengeService?: ChallengeService,
+    private readonly config?: NAuthConfig,
+    private readonly logger?: NAuthLogger,
+    private readonly auditService?: AuthAuditService,
+    private readonly clientInfoService?: ClientInfoService,
+  ) {}
+  /**
+   * Register an MFA provider
+   *
+   * Called automatically by provider modules during initialization.
+   * Provider method names must be unique.
+   *
+   * @param provider - Provider service instance (must have methodName property)
+   * @throws {NAuthException} If provider is already registered
+   *
+   * @example
+   * ```typescript
+   * // In provider module's OnModuleInit
+   * this.mfaService.registerProvider(this.totpProvider);
+   * ```
+   */
+  registerProvider(provider: IMFAProviderService): void {
+    const name = provider.methodName;
+    if (this.providers.has(name)) {
+      throw new NAuthException(AuthErrorCode.VALIDATION_FAILED, `MFA provider '${name}' is already registered`);
+    }
+    this.providers.set(name, provider);
+  }
+  /**
+   * Get a provider by method name
+   *
+   * @param methodName - Method name (e.g., 'totp', 'sms', 'passkey')
+   * @returns Provider service instance
+   * @throws {NAuthException} If provider is not registered
+   *
+   * @example
+   * ```typescript
+   * const totpProvider = this.mfaService.getProvider('totp');
+   * const setupData = await totpProvider.setup(user);
+   * ```
+   */
+  getProvider(methodName: string): IMFAProviderService {
+    const provider = this.providers.get(methodName);
+    if (!provider) {
+      throw new NAuthException(
+        AuthErrorCode.VALIDATION_FAILED,
+        `MFA provider '${methodName}' is not registered. Import the provider module (e.g., TOTPMFAModule) and ensure it's properly configured.`,
+      );
+    }
+    return provider;
+  }
+  /**
+   * Check if a provider is registered
+   *
+   * @param dto - Request DTO with method name
+   * @returns Response DTO with hasProvider flag
+   *
+   * @example
+   * ```typescript
+   * const result = await this.mfaService.hasProvider({ methodName: 'totp' });
+   * if (result.hasProvider) {
+   *   // TOTP is available
+   * }
+   * ```
+   */
+  hasProvider(dto: HasProviderDTO): HasProviderResponseDTO {
+    return {
+      hasProvider: this.providers.has(dto.methodName),
+    };
+  }
+  /**
+   * Get all registered provider method names
+   *
+   * @returns Response DTO with array of method names
+   *
+   * @example
+   * ```typescript
+   * const result = this.mfaService.listProviders(); // { providers: ['totp', 'sms', 'passkey'] }
+   * ```
+   */
+  listProviders(): ListProvidersResponseDTO {
+    return {
+      providers: Array.from(this.providers.keys()),
+    };
+  }
+  /**
+   * Get available MFA methods for a user
+   *
+   * Returns list of methods that are:
+   * - Registered as providers
+   * - Allowed by configuration
+   *
+   * This returns ALL methods that can be set up, not just ones the user has configured.
+   * Use getUserDevices() to check which methods the user has actually set up.
+   *
+   * @param dto - Request DTO with user sub
+   * @returns Response DTO with array of available method names
+   *
+   * @example
+   * ```typescript
+   * const result = await this.mfaService.getAvailableMethods({ sub: user.sub });
+   * // Returns: { availableMethods: ['totp', 'sms', 'passkey'] }
+   * ```
+   */
+  async getAvailableMethods(dto: GetAvailableMethodsDTO): Promise<GetAvailableMethodsResponseDTO> {
+    // Look up user by sub to validate user exists
+    const userEntity = await this.userRepository.findOne({ where: { sub: dto.sub } });
+    if (!userEntity) {
+      throw new NAuthException(AuthErrorCode.NOT_FOUND, 'User not found');
+    }
+    const available: string[] = [];
+    for (const [methodName, provider] of this.providers.entries()) {
+      // Check if method is allowed by configuration
+      if (!provider.isMethodAllowed()) {
+        continue;
+      }
+      // Return all allowed methods (whether user has set them up or not)
+      available.push(methodName);
+    }
+    return {
+      availableMethods: available,
+    };
+  }
+  /**
+   * Verify MFA code using appropriate provider
+   *
+   * Routes the verification request to the correct provider based on method name.
+   *
+   * @param dto - Request DTO with user sub, method name, code, and optional device ID
+   * @returns Response DTO with verification result
+   * @throws {NAuthException} If method is not available or verification fails
+   *
+   * @example
+   * ```typescript
+   * // Verify TOTP code
+   * const result = await this.mfaService.verifyCode({
+   *   sub: user.sub,
+   *   methodName: 'totp',
+   *   code: '123456'
+   * });
+   *
+   * // Verify backup code
+   * const result = await this.mfaService.verifyCode({
+   *   sub: user.sub,
+   *   methodName: 'backup',
+   *   code: 'ABC12345'
+   * });
+   * ```
+   */
+  async verifyCode(dto: VerifyMFACodeDTO): Promise<VerifyMFACodeResponseDTO> {
+    // Look up user by sub
+    const userEntity = await this.userRepository.findOne({ where: { sub: dto.sub } });
+    if (!userEntity) {
+      throw new NAuthException(AuthErrorCode.NOT_FOUND, 'User not found');
+    }
+    const user = userEntity as unknown as IUser;
+    // Handle backup codes specially (not a provider, uses base class helper)
+    if (dto.methodName === MFAMethod.BACKUP) {
+      // Get any provider to access backup code verification
+      // All providers extend BaseMFAProviderService which has verifyBackupCode
+      const firstProvider = Array.from(this.providers.values())[0];
+      if (firstProvider && 'verifyBackupCode' in firstProvider) {
+        const providerWithBackup = firstProvider as IMFAProviderService & {
+          verifyBackupCode: (user: IUser, code: string) => Promise<boolean>;
+        };
+        const isValid = await providerWithBackup.verifyBackupCode(user, dto.code as string);
+        return { valid: isValid };
+      }
+      throw new NAuthException(AuthErrorCode.VALIDATION_FAILED, 'Backup code verification not available');
+    }
+    // Get provider and verify
+    const provider = this.getProvider(dto.methodName);
+    const isValid = await provider.verify(user, dto.code, dto.deviceId);
+    return { valid: isValid };
+  }
+  /**
+   * Setup MFA device using appropriate provider
+   *
+   * @param dto - Request DTO with user sub, method name, and optional setup data
+   * @returns Response DTO with provider-specific setup data
+   *
+   * @example
+   * ```typescript
+   * const result = await this.mfaService.setup({
+   *   sub: user.sub,
+   *   methodName: 'totp'
+   * });
+   * // Returns: { setupData: { secret, qrCode, manualEntryKey } }
+   * ```
+   */
+  async setup(dto: SetupMFADTO): Promise<SetupMFAResponseDTO> {
+    // Look up user by sub
+    const userEntity = await this.userRepository.findOne({ where: { sub: dto.sub } });
+    if (!userEntity) {
+      throw new NAuthException(AuthErrorCode.NOT_FOUND, 'User not found');
+    }
+    const user = userEntity as unknown as IUser;
+    const provider = this.getProvider(dto.methodName);
+    const setupData = await provider.setup(user, dto.setupData);
+    return {
+      setupData: setupData as Record<string, unknown>,
+    };
+  }
+  /**
+   * Get user's MFA devices
+   *
+   * @param dto - Request DTO with user sub
+   * @returns Response DTO with array of MFA devices
+   *
+   * @example
+   * ```typescript
+   * const result = await this.mfaService.getUserDevices({ sub: user.sub });
+   * // Returns: { devices: [...] }
+   * ```
+   */
+  async getUserDevices(dto: GetUserDevicesDTO): Promise<GetUserDevicesResponseDTO> {
+    // Look up user by sub to get internal ID
+    const userEntity = await this.userRepository.findOne({ where: { sub: dto.sub } });
+    if (!userEntity) {
+      throw new NAuthException(AuthErrorCode.NOT_FOUND, 'User not found');
+    }
+    // Only fetch active devices (inactive devices are soft-deleted)
+    const devices = await this.mfaDeviceRepository.find({
+      where: { userId: userEntity.id, isActive: true },
+      order: { createdAt: 'DESC' },
+    } as Record<string, unknown>);
+    return {
+      devices: devices as unknown as IMFADevice[],
+    };
+  }
+  /**
+   * Get comprehensive MFA status for a user
+   *
+   * Returns complete MFA configuration status including:
+   * - Whether MFA is enabled/required
+   * - Configured and available methods
+   * - Preferred method
+   * - Backup codes status
+   * - MFA exemption information
+   *
+   * This method encapsulates all business logic for MFA status,
+   * ensuring consumer apps don't need to query databases or build responses manually.
+   *
+   * @param dto - Request DTO with user sub
+   * @returns Response DTO with complete MFA status
+   *
+   * @example
+   * ```typescript
+   * @Get('mfa/status')
+   * async getMFAStatus(@CurrentUser() user: IUser) {
+   *   return await this.mfaService.getMFAStatus({ sub: user.sub });
+   * }
+   * ```
+   */
+  async getMFAStatus(dto: GetMFAStatusDTO): Promise<GetMFAStatusResponseDTO> {
+    // Get user entity with MFA-related fields
+    // Note: mfaExemptGrantedBy is intentionally excluded as it's sensitive admin information
+    const userEntity = await this.userRepository.findOne({
+      select: [
+        'id',
+        'mfaEnabled',
+        'backupCodes',
+        'preferredMfaMethod',
+        'mfaExempt',
+        'mfaExemptReason',
+        'mfaExemptGrantedAt',
+      ],
+      where: { sub: dto.sub },
+    });
+    if (!userEntity) {
+      throw new NAuthException(AuthErrorCode.NOT_FOUND, 'User not found');
+    }
+    const enabled = userEntity.mfaEnabled || false;
+    // Get available methods (all registered & allowed methods)
+    const availableMethodsResult = await this.getAvailableMethods({ sub: dto.sub });
+    // Add 'backup' to available methods if backup codes are enabled in config
+    const finalAvailableMethods = [...availableMethodsResult.availableMethods];
+    if (this.config?.mfa?.backup?.enabled) {
+      if (!finalAvailableMethods.includes(MFAMethod.BACKUP)) {
+        finalAvailableMethods.push(MFAMethod.BACKUP);
+      }
+    }
+    // Get user's configured devices
+    const devicesResult = await this.getUserDevices({ sub: dto.sub });
+    const configuredMethods = [
+      ...new Set(devicesResult.devices.filter((d) => d.isActive).map((d) => d.type)),
+    ] as MFADeviceMethod[];
+    // Determine if MFA is required based on config and user state
+    const required = enabled && configuredMethods.length > 0;
+    // Check backup codes
+    const hasBackupCodes = !!userEntity.backupCodes && userEntity.backupCodes.length > 0;
+    return {
+      enabled,
+      required,
+      configuredMethods,
+      availableMethods: finalAvailableMethods,
+      hasBackupCodes,
+      preferredMethod: userEntity.preferredMfaMethod as MFADeviceMethod | undefined,
+      mfaExempt: userEntity.mfaExempt || false,
+      mfaExemptReason: userEntity.mfaExemptReason || null,
+      mfaExemptGrantedAt: userEntity.mfaExemptGrantedAt || null,
+    };
+  }
+  /**
+   * Remove MFA devices by method type
+   *
+   * Comprehensive method that handles all aspects of MFA device removal:
+   * - Looks up user by sub (consumer apps should pass user.sub from @CurrentUser())
+   * - Validates method type
+   * - Removes all active devices of the specified method type
+   * - Updates user's preferred method if the removed method was preferred
+   * - Updates device primary flags
+   * - Disables MFA if this was the last device
+   * - Creates MFA_SETUP_REQUIRED challenge if MFA enforcement requires it
+   *
+   * This method encapsulates all database operations related to MFA device removal,
+   * ensuring the consumer app doesn't need to directly manipulate nauth_* tables.
+   *
+   * @param dto - Request DTO with user sub and method type
+   * @returns Response DTO with deletedCount and whether MFA was disabled
+   * @throws {NAuthException} If user not found, invalid method type, or no devices found
+   *
+   * @example
+   * ```typescript
+   * // Consumer app controller
+   * @Delete('mfa/devices/:method')
+   * async removeMFAMethod(@CurrentUser() user: IUser, @Param('method') method: string) {
+   *   const result = await this.mfaService.removeDevices({ userSub: user.sub, methodType: method });
+   *   return { message: 'MFA method removed successfully', ...result };
+   * }
+   * ```
+   */
+  async removeDevices(dto: RemoveDevicesDTO): Promise<RemoveDevicesResponseDTO> {
+    // Validate method type
+    const validMethods = [MFAMethod.TOTP, MFAMethod.SMS, MFAMethod.EMAIL, MFAMethod.PASSKEY];
+    const normalizedMethod = dto.methodType.toLowerCase();
+    if (!validMethods.includes(normalizedMethod as MFAMethod)) {
+      throw new NAuthException(
+        AuthErrorCode.VALIDATION_FAILED,
+        `Invalid MFA method: ${dto.methodType}. Valid methods are: ${validMethods.join(', ')}`,
+      );
+    }
+    // Look up user by sub using repository directly (no AuthService dependency needed)
+    const userEntity = await this.userRepository.findOne({ where: { sub: dto.userSub } });
+    if (!userEntity) {
+      throw new NAuthException(AuthErrorCode.NOT_FOUND, 'User entity not found');
+    }
+    const userId = userEntity.id;
+    if (!userId) {
+      throw new NAuthException(AuthErrorCode.INTERNAL_ERROR, 'User entity missing internal ID');
+    }
+    // Cast to IUser for type safety
+    const user = userEntity as unknown as IUser;
+    const preferredMethod = userEntity.preferredMfaMethod;
+    const isPreferredMethod = preferredMethod === normalizedMethod;
+    // Get all active devices for this user
+    const devicesResult = await this.getUserDevices({ sub: dto.userSub });
+    const activeDevices = devicesResult.devices.filter((d) => d.isActive);
+    // Get devices of the method type to remove
+    const devicesToRemove = activeDevices.filter((d) => d.type.toLowerCase() === normalizedMethod);
+    if (devicesToRemove.length === 0) {
+      throw new NAuthException(
+        AuthErrorCode.VALIDATION_FAILED,
+        `No active ${normalizedMethod} MFA devices found for this user`,
+      );
+    }
+    // Delete all devices of this method type
+    let deletedCount = 0;
+    for (const device of devicesToRemove) {
+      const result = await this.mfaDeviceRepository.delete(device.id);
+      deletedCount += result.affected || 0;
+    }
+    // Check if any devices remain after removal
+    const remainingDevicesResult = await this.getUserDevices({ sub: dto.userSub });
+    const remainingActiveDevices = remainingDevicesResult.devices.filter((d) => d.isActive);
+    let mfaDisabled = false;
+    // If no active devices remain, disable MFA for user
+    if (remainingActiveDevices.length === 0) {
+      userEntity.mfaEnabled = false;
+      userEntity.mfaMethods = [];
+      userEntity.preferredMfaMethod = null;
+      await this.userRepository.save(userEntity);
+      mfaDisabled = true;
+      // ============================================================================
+      // Audit: Record MFA disabled (all devices removed)
+      // ============================================================================
+      if (this.auditService && this.clientInfoService) {
+        try {
+          await this.auditService?.recordEvent({
+            userId: user.id,
+            eventType: AuthAuditEventType.MFA_DISABLED,
+            eventStatus: 'INFO',
+            reason: 'all_devices_removed',
+            description: 'MFA disabled - all devices removed',
+            // Client info automatically included from context
+            metadata: {
+              removedMethod: normalizedMethod,
+              deletedCount,
+            },
+          });
+        } catch (auditError) {
+          // Non-blocking: Log but continue
+          const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
+          this.logger?.error?.(`Failed to record MFA_DISABLED audit event: ${errorMessage}`, {
+            error: auditError,
+            userId: user.id,
+          });
+        }
+      }
+      // Automatically create MFA_SETUP_REQUIRED challenge if MFA enforcement requires it
+      if (this.challengeService && this.config?.mfa?.enabled) {
+        const enforcement = this.config.mfa.enforcement || 'OPTIONAL';
+        if (enforcement === 'REQUIRED' || enforcement === 'ADAPTIVE') {
+          const user = userEntity as unknown as IUser;
+          try {
+            // Client info (ipAddress, userAgent) automatically extracted from ClientInfoService
+            await this.challengeService.createChallengeSession(user, AuthChallenge.MFA_SETUP_REQUIRED, {
+              allowedMethods: this.config.mfa.allowedMethods || [],
+              requiresSetup: true,
+            });
+            this.logger?.log?.(`Created MFA_SETUP_REQUIRED challenge for user ${user.sub} after MFA removal`);
+          } catch (error) {
+            // Log but don't fail the removal if challenge creation fails
+            this.logger?.warn?.(`Failed to create MFA_SETUP_REQUIRED challenge after MFA removal: ${error}`);
+          }
+        }
+      }
+    } else {
+      // Update mfaMethods array with remaining methods
+      const remainingMethods = [...new Set(remainingActiveDevices.map((d) => d.type))];
+      userEntity.mfaMethods = remainingMethods;
+      // If the removed method was preferred, update preferred method and device primary flags
+      if (isPreferredMethod) {
+        const newPreferredMethod = remainingActiveDevices[0].type;
+        userEntity.preferredMfaMethod = newPreferredMethod;
+        await this.userRepository.save(userEntity);
+        // Update device primary flags - set first remaining device as primary
+        if (remainingActiveDevices[0].id) {
+          await this.mfaDeviceRepository.update({ id: remainingActiveDevices[0].id }, { isPrimary: true });
+        }
+        // Unset primary flag on other devices
+        for (let i = 1; i < remainingActiveDevices.length; i++) {
+          if (remainingActiveDevices[i].id) {
+            await this.mfaDeviceRepository.update({ id: remainingActiveDevices[i].id }, { isPrimary: false });
+          }
+        }
+        this.logger?.log?.(`Updated preferred MFA method to ${newPreferredMethod} after removing ${normalizedMethod}`);
+      } else {
+        // No preferred method change needed, just update mfaMethods
+        await this.userRepository.save(userEntity);
+      }
+    }
+    // ============================================================================
+    // Audit: Record MFA device removal
+    // ============================================================================
+    if (deletedCount > 0 && this.auditService && this.clientInfoService) {
+      try {
+        const user = userEntity as unknown as IUser;
+        await this.auditService?.recordEvent({
+          userId: user.id,
+          eventType: AuthAuditEventType.MFA_DEVICE_REMOVED,
+          eventStatus: 'INFO',
+          metadata: {
+            method: normalizedMethod,
+            deletedCount,
+            remainingDevices: remainingActiveDevices.length,
+            mfaDisabled,
+          },
+          // Client info automatically included from context
+        });
+      } catch (auditError) {
+        // Non-blocking: Log but continue
+        const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
+        this.logger?.error?.(`Failed to record MFA_DEVICE_REMOVED audit event: ${errorMessage}`, {
+          error: auditError,
+          userId: user.id,
+          method: normalizedMethod,
+        });
+      }
+    }
+    return { deletedCount, mfaDisabled };
+  }
+  /**
+   * Set preferred MFA method for a user
+   *
+   * Updates the user's preferred MFA method and device primary flags.
+   * Validates that the method is configured for the user before setting it as preferred.
+   *
+   * This method encapsulates all database operations related to preferred method updates,
+   * ensuring the consumer app doesn't need to directly manipulate nauth_* tables.
+   *
+   * @param dto - Request DTO with user sub and method type
+   * @returns Response DTO with success message
+   * @throws {NAuthException} If user not found, invalid method type, or method not configured
+   *
+   * @example
+   * ```typescript
+   * // Consumer app controller
+   * @Put('mfa/preferred')
+   * async setPreferredMFAMethod(@CurrentUser() user: IUser, @Body() body: { method: string }) {
+   *   return await this.mfaService.setPreferredMethod({ userSub: user.sub, methodType: body.method });
+   * }
+   * ```
+   */
+  async setPreferredMethod(dto: SetPreferredMethodDTO): Promise<SetPreferredMethodResponseDTO> {
+    // Validate method type
+    const validMethods = [MFAMethod.TOTP, MFAMethod.SMS, MFAMethod.EMAIL, MFAMethod.PASSKEY];
+    const normalizedMethod = dto.methodType.toLowerCase();
+    if (!validMethods.includes(normalizedMethod as MFAMethod)) {
+      throw new NAuthException(
+        AuthErrorCode.VALIDATION_FAILED,
+        `Invalid MFA method: ${dto.methodType}. Valid methods are: ${validMethods.join(', ')}`,
+      );
+    }
+    // Look up user by sub using repository directly (no AuthService dependency needed)
+    const userEntity = await this.userRepository.findOne({ where: { sub: dto.userSub } });
+    if (!userEntity) {
+      throw new NAuthException(AuthErrorCode.NOT_FOUND, 'User not found');
+    }
+    const userId = userEntity.id;
+    if (!userId) {
+      throw new NAuthException(AuthErrorCode.INTERNAL_ERROR, 'User entity missing internal ID');
+    }
+    // Cast to IUser for type safety
+    const user = userEntity as unknown as IUser;
+    // Verify user has this method configured
+    const devicesResult = await this.getUserDevices({ sub: dto.userSub });
+    // Normalize device types for comparison (database might store in different case)
+    const preferredDevice = devicesResult.devices.find((d) => d.type.toLowerCase() === normalizedMethod && d.isActive);
+    if (!preferredDevice) {
+      throw new NAuthException(
+        AuthErrorCode.VALIDATION_FAILED,
+        `MFA method '${normalizedMethod}' is not configured for this user`,
+      );
+    }
+    // Update user's preferred method directly via repository
+    await this.userRepository.update(
+      { id: userId },
+      {
+        preferredMfaMethod: normalizedMethod as MFADeviceMethod,
+      },
+    );
+    // Update device isPrimary flags: set preferred device as primary, unset others
+    const activeDevices = devicesResult.devices.filter((d) => d.isActive);
+    for (const device of activeDevices) {
+      await this.mfaDeviceRepository.update({ id: device.id }, { isPrimary: device.id === preferredDevice.id });
+    }
+    this.logger?.log?.(`Device ${preferredDevice.id} set as primary for user ${dto.userSub}`);
+    // ============================================================================
+    // Audit: Record preferred MFA method update
+    // ============================================================================
+    if (this.auditService && this.clientInfoService) {
+      try {
+        const previousMethod = userEntity.preferredMfaMethod;
+        await this.auditService?.recordEvent({
+          userId: user.id,
+          eventType: AuthAuditEventType.MFA_PREFERRED_METHOD_UPDATED,
+          eventStatus: 'INFO',
+          metadata: {
+            // Client info automatically included from context
+            previousMethod: previousMethod || null,
+            newMethod: normalizedMethod,
+            deviceId: preferredDevice.id,
+          },
+        });
+      } catch (auditError) {
+        // Non-blocking: Log but continue
+        const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
+        this.logger?.error?.(`Failed to record MFA_PREFERRED_METHOD_UPDATED audit event: ${errorMessage}`, {
+          error: auditError,
+          userId: user.id,
+          method: normalizedMethod,
+        });
+      }
+    }
+    return {
+      message: 'Preferred method updated',
+    };
+  }
+  /**
+   * Grant or revoke a user's exemption from multi-factor authentication (MFA) requirements.
+   *
+   * SECURITY: This admin-only operation updates the user's MFA exemption status, logs the action,
+   * and records an audit event. MFA exemption bypasses MFA at login, but all other security controls remain enforced.
+   *
+   * @param dto - Request DTO with user sub, exempt flag, reason, and grantedBy
+   * @returns Response DTO with updated exemption fields
+   * @throws {NAuthException} If the user is not found
+   *
+   * @example
+   * ```typescript
+   * // Grant MFA exemption
+   * await mfaService.setMFAExemption({
+   *   userSub: 'user-uuid',
+   *   exempt: true,
+   *   reason: 'Business partner requires MFA bypass',
+   *   grantedBy: 'admin@example.com'
+   * });
+   *
+   * // Revoke MFA exemption
+   * await mfaService.setMFAExemption({
+   *   userSub: 'user-uuid',
+   *   exempt: false,
+   *   reason: 'MFA now mandatory for this user',
+   *   grantedBy: 'admin@example.com'
+   * });
+   * ```
+   */
+  async setMFAExemption(dto: SetMFAExemptionDTO): Promise<SetMFAExemptionResponseDTO> {
+    // Find user by sub (external identifier)
+    const userEntity = await this.userRepository.findOne({ where: { sub: dto.userSub } });
+    if (!userEntity) {
+      throw new NAuthException(AuthErrorCode.NOT_FOUND, 'User not found');
+    }
+    const user = userEntity as unknown as IUser;
+    // Prepare update
+    const updateFields: Record<string, unknown> = {
+      mfaExempt: dto.exempt,
+      mfaExemptReason: dto.reason || null,
+      mfaExemptGrantedAt: dto.exempt ? new Date() : null,
+      mfaExemptGrantedBy: dto.exempt ? dto.grantedBy || null : null,
+    };
+    // If revoking exemption and MFA is required, check if user needs to set up MFA
+    // Note: This is just for logging - actual MFA setup requirement is checked by state machine on next login
+    if (!dto.exempt && userEntity.mfaExempt === true && !userEntity.mfaEnabled) {
+      this.logger?.warn?.(`MFA exemption revoked for user ${dto.userSub} - MFA setup will be required on next login`);
+    }
+    // Update user in database
+    await this.userRepository.update(userEntity.id, updateFields);
+    // Log the exemption change for audit trail
+    this.logger?.log?.(`MFA exemption ${dto.exempt ? 'granted' : 'revoked'} for user ${dto.userSub}`, {
+      userSub: dto.userSub,
+      exempt: dto.exempt,
+      reason: dto.reason || 'No reason provided',
+      grantedBy: dto.grantedBy || 'System',
+      timestamp: new Date().toISOString(),
+    });
+    // ============================================================================
+    // Audit: Record MFA exemption grant/revoke
+    // ============================================================================
+    if (this.auditService && this.clientInfoService) {
+      try {
+        await this.auditService.recordEvent({
+          userId: user.id,
+          eventType: dto.exempt ? AuthAuditEventType.MFA_EXEMPTION_GRANTED : AuthAuditEventType.MFA_EXEMPTION_REVOKED,
+          eventStatus: 'INFO',
+          performedBy: dto.grantedBy || null,
+          // Client info automatically included from context
+          reason: dto.reason || null,
+          metadata: {
+            previousExemptStatus: userEntity.mfaExempt,
+            newExemptStatus: dto.exempt,
+          },
+        });
+      } catch (auditError) {
+        // Non-blocking: Log but continue
+        const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
+        this.logger?.error?.(`Failed to record MFA exemption audit event: ${errorMessage}`, {
+          error: auditError,
+          userId: user.id,
+        });
+      }
+    }
+    // Fetch updated user to return exemption fields
+    const exemptionData = await this.userRepository.findOne({
+      where: { id: userEntity.id },
+      select: ['mfaExempt', 'mfaExemptReason', 'mfaExemptGrantedAt'],
+    });
+    if (!exemptionData) {
+      throw new NAuthException(AuthErrorCode.NOT_FOUND, 'User not found after update');
+    }
+    return {
+      mfaExempt: exemptionData.mfaExempt || false,
+      mfaExemptReason: exemptionData.mfaExemptReason || null,
+      mfaExemptGrantedAt: exemptionData.mfaExemptGrantedAt || null,
+    };
+  }
+  /**
+   * Get MFA setup data during MFA_SETUP_REQUIRED challenge
+   *
+   * Returns provider-specific setup data:
+   * - TOTP: { secret, qrCode, manualEntryKey }
+   * - SMS: { maskedPhone } or error if phone required
+   * - Passkey: WebAuthn registration options
+   *
+   * @param dto - Request DTO with session token, method, and optional setup data
+   * @returns Response DTO with provider-specific setup data
+   * @throws {NAuthException} INVALID_CHALLENGE_SESSION | VALIDATION_FAILED | PHONE_REQUIRED
+   *
+   * @example
+   * ```typescript
+   * const result = await mfaService.getSetupData({
+   *   session: 'session-token',
+   *   method: 'totp'
+   * });
+   * // Returns: { setupData: { secret: '...', qrCode: '...', manualEntryKey: '...' } }
+   *
+   * const result = await mfaService.getSetupData({
+   *   session: 'session-token',
+   *   method: 'sms',
+   *   setupData: { phoneNumber: '+1234567890' }
+   * });
+   * // Returns: { setupData: { maskedPhone: '***-***-7890' } }
+   * ```
+   */
+  async getSetupData(dto: GetSetupDataDTO): Promise<GetSetupDataResponseDTO> {
+    if (!this.challengeService) {
+      throw new NAuthException(AuthErrorCode.INTERNAL_ERROR, 'Challenge service is not available');
+    }
+    this.logger?.debug?.(`Getting MFA setup data: session=${dto.session}, method=${dto.method}`);
+    // Validate session and ensure it's MFA_SETUP_REQUIRED
+    const challengeSession = await this.challengeService.validateSession(dto.session);
+    if (challengeSession.challengeName !== AuthChallenge.MFA_SETUP_REQUIRED) {
+      throw new NAuthException(
+        AuthErrorCode.VALIDATION_FAILED,
+        `Cannot get setup data: expected MFA_SETUP_REQUIRED challenge, got ${challengeSession.challengeName}`,
+      );
+    }
+    // Get user from session
+    const user = challengeSession.user;
+    if (!user) {
+      throw new NAuthException(AuthErrorCode.VALIDATION_FAILED, 'Challenge session has no associated user');
+    }
+    // Get provider and call setup
+    // Pass challenge session ID in setupData so provider can link verification tokens
+    const setupDataWithSession = {
+      ...(dto.setupData || {}),
+      challengeSessionId: challengeSession.id,
+    };
+    this.logger?.debug?.(`Passing challengeSessionId=${challengeSession.id} to ${dto.method} provider for MFA setup`);
+    const provider = this.getProvider(dto.method);
+    const result = await provider.setup(user, setupDataWithSession);
+    this.logger?.debug?.(`MFA setup data generated: method=${dto.method}, user=${user.sub}`);
+    return {
+      setupData: result as Record<string, unknown>,
+    };
+  }
+  /**
+   * Get MFA challenge data during MFA_REQUIRED challenge
+   *
+   * Currently only used for passkey authentication to get WebAuthn options.
+   * SMS/TOTP codes are sent automatically when the challenge is created.
+   *
+   * @param dto - Request DTO with session token and method
+   * @returns Response DTO with provider-specific challenge data
+   * @throws {NAuthException} INVALID_CHALLENGE_SESSION | VALIDATION_FAILED
+   *
+   * @example
+   * ```typescript
+   * const result = await mfaService.getChallengeData({
+   *   session: 'session-token',
+   *   method: 'passkey'
+   * });
+   * // Returns: { challengeData: { challenge: '...', allowCredentials: [...], ... } }
+   * ```
+   */
+  async getChallengeData(dto: GetChallengeDataDTO): Promise<GetChallengeDataResponseDTO> {
+    if (!this.challengeService) {
+      throw new NAuthException(AuthErrorCode.INTERNAL_ERROR, 'Challenge service is not available');
+    }
+    this.logger?.debug?.(`Getting MFA challenge data: session=${dto.session}, method=${dto.method}`);
+    // Validate session and ensure it's MFA_REQUIRED
+    const challengeSession = await this.challengeService.validateSession(dto.session);
+    if (challengeSession.challengeName !== AuthChallenge.MFA_REQUIRED) {
+      throw new NAuthException(
+        AuthErrorCode.VALIDATION_FAILED,
+        `Cannot get challenge data: expected MFA_REQUIRED challenge, got ${challengeSession.challengeName}`,
+      );
+    }
+    // Get user from session
+    const user = challengeSession.user;
+    if (!user) {
+      throw new NAuthException(AuthErrorCode.VALIDATION_FAILED, 'Challenge session has no associated user');
+    }
+    // Get provider and send challenge
+    const provider = this.getProvider(dto.method);
+    if (!provider.sendChallenge) {
+      throw new NAuthException(
+        AuthErrorCode.VALIDATION_FAILED,
+        `MFA method '${dto.method}' does not support challenge data generation`,
+      );
+    }
+    const challengeData = await provider.sendChallenge(user);
+    // For passkey, store the challenge in session metadata for verification
+    if (dto.method === 'passkey') {
+      const passkeyOptions = challengeData as { options: { challenge: string } };
+      const passkeyChallenge = passkeyOptions.options?.challenge;
+      if (passkeyChallenge) {
+        await this.challengeService.updateMetadata(dto.session, {
+          passkeyChallenge,
+        });
+        this.logger?.debug?.(`Passkey challenge stored in session metadata: user=${user.sub}`);
+      }
+    }
+    this.logger?.debug?.(`MFA challenge data generated: method=${dto.method}, user=${user.sub}`);
+    return {
+      challengeData: challengeData as Record<string, unknown>,
+    };
+  }
+}