npm - @nauth-toolkit/core - Versions diffs - 0.1.0 - Mend

@nauth-toolkit/core 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (778) hide show

package/dist/adapters/database-columns.d.ts +10 -0
package/dist/adapters/database-columns.d.ts.map +1 -0
package/dist/adapters/database-columns.js +85 -0
package/dist/adapters/database-columns.js.map +1 -0
package/dist/adapters/express.adapter.d.ts +41 -0
package/dist/adapters/express.adapter.d.ts.map +1 -0
package/dist/adapters/express.adapter.js +188 -0
package/dist/adapters/express.adapter.js.map +1 -0
package/dist/adapters/fastify.adapter.d.ts +33 -0
package/dist/adapters/fastify.adapter.d.ts.map +1 -0
package/dist/adapters/fastify.adapter.js +223 -0
package/dist/adapters/fastify.adapter.js.map +1 -0
package/dist/adapters/index.d.ts +5 -0
package/dist/adapters/index.d.ts.map +1 -0
package/dist/adapters/index.js +25 -0
package/dist/adapters/index.js.map +1 -0
package/dist/adapters/storage.factory.d.ts +7 -0
package/dist/adapters/storage.factory.d.ts.map +1 -0
package/dist/adapters/storage.factory.js +24 -0
package/dist/adapters/storage.factory.js.map +1 -0
package/dist/bootstrap.d.ts +41 -0
package/dist/bootstrap.d.ts.map +1 -0
package/dist/bootstrap.js +113 -0
package/dist/bootstrap.js.map +1 -0
package/dist/dto/auth-challenge.dto.d.ts +19 -0
package/dist/dto/auth-challenge.dto.d.ts.map +1 -0
package/dist/dto/auth-challenge.dto.js +86 -0
package/dist/dto/auth-challenge.dto.js.map +1 -0
package/dist/dto/auth-response.dto.d.ts +31 -0
package/dist/dto/auth-response.dto.d.ts.map +1 -0
package/dist/dto/auth-response.dto.js +18 -0
package/dist/dto/auth-response.dto.js.map +1 -0
package/dist/dto/challenge-response.dto.d.ts +36 -0
package/dist/dto/challenge-response.dto.d.ts.map +1 -0
package/dist/dto/challenge-response.dto.js +3 -0
package/dist/dto/challenge-response.dto.js.map +1 -0
package/dist/dto/change-password-request.dto.d.ts +5 -0
package/dist/dto/change-password-request.dto.d.ts.map +1 -0
package/dist/dto/change-password-request.dto.js +30 -0
package/dist/dto/change-password-request.dto.js.map +1 -0
package/dist/dto/change-password-response.dto.d.ts +4 -0
package/dist/dto/change-password-response.dto.d.ts.map +1 -0
package/dist/dto/change-password-response.dto.js +8 -0
package/dist/dto/change-password-response.dto.js.map +1 -0
package/dist/dto/change-password.dto.d.ts +5 -0
package/dist/dto/change-password.dto.d.ts.map +1 -0
package/dist/dto/change-password.dto.js +29 -0
package/dist/dto/change-password.dto.js.map +1 -0
package/dist/dto/error-response.dto.d.ts +9 -0
package/dist/dto/error-response.dto.d.ts.map +1 -0
package/dist/dto/error-response.dto.js +59 -0
package/dist/dto/error-response.dto.js.map +1 -0
package/dist/dto/get-available-methods.dto.d.ts +7 -0
package/dist/dto/get-available-methods.dto.d.ts.map +1 -0
package/dist/dto/get-available-methods.dto.js +33 -0
package/dist/dto/get-available-methods.dto.js.map +1 -0
package/dist/dto/get-challenge-data-response.dto.d.ts +4 -0
package/dist/dto/get-challenge-data-response.dto.d.ts.map +1 -0
package/dist/dto/get-challenge-data-response.dto.js +8 -0
package/dist/dto/get-challenge-data-response.dto.js.map +1 -0
package/dist/dto/get-challenge-data.dto.d.ts +8 -0
package/dist/dto/get-challenge-data.dto.d.ts.map +1 -0
package/dist/dto/get-challenge-data.dto.js +40 -0
package/dist/dto/get-challenge-data.dto.js.map +1 -0
package/dist/dto/get-client-info.dto.d.ts +17 -0
package/dist/dto/get-client-info.dto.d.ts.map +1 -0
package/dist/dto/get-client-info.dto.js +20 -0
package/dist/dto/get-client-info.dto.js.map +1 -0
package/dist/dto/get-device-token-response.dto.d.ts +4 -0
package/dist/dto/get-device-token-response.dto.d.ts.map +1 -0
package/dist/dto/get-device-token-response.dto.js +8 -0
package/dist/dto/get-device-token-response.dto.js.map +1 -0
package/dist/dto/get-events-by-type.dto.d.ts +17 -0
package/dist/dto/get-events-by-type.dto.d.ts.map +1 -0
package/dist/dto/get-events-by-type.dto.js +20 -0
package/dist/dto/get-events-by-type.dto.js.map +1 -0
package/dist/dto/get-ip-address-response.dto.d.ts +4 -0
package/dist/dto/get-ip-address-response.dto.d.ts.map +1 -0
package/dist/dto/get-ip-address-response.dto.js +8 -0
package/dist/dto/get-ip-address-response.dto.js.map +1 -0
package/dist/dto/get-mfa-status.dto.d.ts +16 -0
package/dist/dto/get-mfa-status.dto.d.ts.map +1 -0
package/dist/dto/get-mfa-status.dto.js +41 -0
package/dist/dto/get-mfa-status.dto.js.map +1 -0
package/dist/dto/get-risk-assessment-history.dto.d.ts +9 -0
package/dist/dto/get-risk-assessment-history.dto.d.ts.map +1 -0
package/dist/dto/get-risk-assessment-history.dto.js +13 -0
package/dist/dto/get-risk-assessment-history.dto.js.map +1 -0
package/dist/dto/get-session-id-response.dto.d.ts +4 -0
package/dist/dto/get-session-id-response.dto.d.ts.map +1 -0
package/dist/dto/get-session-id-response.dto.js +8 -0
package/dist/dto/get-session-id-response.dto.js.map +1 -0
package/dist/dto/get-setup-data-response.dto.d.ts +4 -0
package/dist/dto/get-setup-data-response.dto.d.ts.map +1 -0
package/dist/dto/get-setup-data-response.dto.js +8 -0
package/dist/dto/get-setup-data-response.dto.js.map +1 -0
package/dist/dto/get-setup-data.dto.d.ts +7 -0
package/dist/dto/get-setup-data.dto.d.ts.map +1 -0
package/dist/dto/get-setup-data.dto.js +43 -0
package/dist/dto/get-setup-data.dto.js.map +1 -0
package/dist/dto/get-suspicious-activity.dto.d.ts +9 -0
package/dist/dto/get-suspicious-activity.dto.d.ts.map +1 -0
package/dist/dto/get-suspicious-activity.dto.js +13 -0
package/dist/dto/get-suspicious-activity.dto.js.map +1 -0
package/dist/dto/get-user-agent-response.dto.d.ts +4 -0
package/dist/dto/get-user-agent-response.dto.d.ts.map +1 -0
package/dist/dto/get-user-agent-response.dto.js +8 -0
package/dist/dto/get-user-agent-response.dto.js.map +1 -0
package/dist/dto/get-user-auth-history.dto.d.ts +20 -0
package/dist/dto/get-user-auth-history.dto.d.ts.map +1 -0
package/dist/dto/get-user-auth-history.dto.js +22 -0
package/dist/dto/get-user-auth-history.dto.js.map +1 -0
package/dist/dto/get-user-by-email.dto.d.ts +5 -0
package/dist/dto/get-user-by-email.dto.d.ts.map +1 -0
package/dist/dto/get-user-by-email.dto.js +36 -0
package/dist/dto/get-user-by-email.dto.js.map +1 -0
package/dist/dto/get-user-by-id.dto.d.ts +4 -0
package/dist/dto/get-user-by-id.dto.d.ts.map +1 -0
package/dist/dto/get-user-by-id.dto.js +29 -0
package/dist/dto/get-user-by-id.dto.js.map +1 -0
package/dist/dto/get-user-devices.dto.d.ts +8 -0
package/dist/dto/get-user-devices.dto.d.ts.map +1 -0
package/dist/dto/get-user-devices.dto.js +33 -0
package/dist/dto/get-user-devices.dto.js.map +1 -0
package/dist/dto/get-user-response.dto.d.ts +2 -0
package/dist/dto/get-user-response.dto.d.ts.map +1 -0
package/dist/dto/get-user-response.dto.js +6 -0
package/dist/dto/get-user-response.dto.js.map +1 -0
package/dist/dto/has-provider.dto.d.ts +7 -0
package/dist/dto/has-provider.dto.d.ts.map +1 -0
package/dist/dto/has-provider.dto.js +38 -0
package/dist/dto/has-provider.dto.js.map +1 -0
package/dist/dto/index.d.ts +51 -0
package/dist/dto/index.d.ts.map +1 -0
package/dist/dto/index.js +67 -0
package/dist/dto/index.js.map +1 -0
package/dist/dto/is-trusted-device-response.dto.d.ts +4 -0
package/dist/dto/is-trusted-device-response.dto.d.ts.map +1 -0
package/dist/dto/is-trusted-device-response.dto.js +8 -0
package/dist/dto/is-trusted-device-response.dto.js.map +1 -0
package/dist/dto/list-providers-response.dto.d.ts +4 -0
package/dist/dto/list-providers-response.dto.d.ts.map +1 -0
package/dist/dto/list-providers-response.dto.js +8 -0
package/dist/dto/list-providers-response.dto.js.map +1 -0
package/dist/dto/login.dto.d.ts +7 -0
package/dist/dto/login.dto.d.ts.map +1 -0
package/dist/dto/login.dto.js +68 -0
package/dist/dto/login.dto.js.map +1 -0
package/dist/dto/logout-all-response.dto.d.ts +4 -0
package/dist/dto/logout-all-response.dto.d.ts.map +1 -0
package/dist/dto/logout-all-response.dto.js +8 -0
package/dist/dto/logout-all-response.dto.js.map +1 -0
package/dist/dto/logout-all.dto.d.ts +5 -0
package/dist/dto/logout-all.dto.d.ts.map +1 -0
package/dist/dto/logout-all.dto.js +42 -0
package/dist/dto/logout-all.dto.js.map +1 -0
package/dist/dto/logout-response.dto.d.ts +4 -0
package/dist/dto/logout-response.dto.d.ts.map +1 -0
package/dist/dto/logout-response.dto.js +8 -0
package/dist/dto/logout-response.dto.js.map +1 -0
package/dist/dto/logout.dto.d.ts +5 -0
package/dist/dto/logout.dto.d.ts.map +1 -0
package/dist/dto/logout.dto.js +36 -0
package/dist/dto/logout.dto.js.map +1 -0
package/dist/dto/refresh-token.dto.d.ts +4 -0
package/dist/dto/refresh-token.dto.d.ts.map +1 -0
package/dist/dto/refresh-token.dto.js +24 -0
package/dist/dto/refresh-token.dto.js.map +1 -0
package/dist/dto/remove-devices.dto.d.ts +9 -0
package/dist/dto/remove-devices.dto.d.ts.map +1 -0
package/dist/dto/remove-devices.dto.js +50 -0
package/dist/dto/remove-devices.dto.js.map +1 -0
package/dist/dto/resend-code-response.dto.d.ts +4 -0
package/dist/dto/resend-code-response.dto.d.ts.map +1 -0
package/dist/dto/resend-code-response.dto.js +8 -0
package/dist/dto/resend-code-response.dto.js.map +1 -0
package/dist/dto/resend-code.dto.d.ts +4 -0
package/dist/dto/resend-code.dto.d.ts.map +1 -0
package/dist/dto/resend-code.dto.js +29 -0
package/dist/dto/resend-code.dto.js.map +1 -0
package/dist/dto/reset-password.dto.d.ts +8 -0
package/dist/dto/reset-password.dto.d.ts.map +1 -0
package/dist/dto/reset-password.dto.js +61 -0
package/dist/dto/reset-password.dto.js.map +1 -0
package/dist/dto/respond-challenge.dto.d.ts +33 -0
package/dist/dto/respond-challenge.dto.d.ts.map +1 -0
package/dist/dto/respond-challenge.dto.js +131 -0
package/dist/dto/respond-challenge.dto.js.map +1 -0
package/dist/dto/set-mfa-exemption.dto.d.ts +12 -0
package/dist/dto/set-mfa-exemption.dto.d.ts.map +1 -0
package/dist/dto/set-mfa-exemption.dto.js +66 -0
package/dist/dto/set-mfa-exemption.dto.js.map +1 -0
package/dist/dto/set-must-change-password-response.dto.d.ts +4 -0
package/dist/dto/set-must-change-password-response.dto.d.ts.map +1 -0
package/dist/dto/set-must-change-password-response.dto.js +8 -0
package/dist/dto/set-must-change-password-response.dto.js.map +1 -0
package/dist/dto/set-must-change-password.dto.d.ts +4 -0
package/dist/dto/set-must-change-password.dto.d.ts.map +1 -0
package/dist/dto/set-must-change-password.dto.js +29 -0
package/dist/dto/set-must-change-password.dto.js.map +1 -0
package/dist/dto/set-preferred-method.dto.d.ts +8 -0
package/dist/dto/set-preferred-method.dto.d.ts.map +1 -0
package/dist/dto/set-preferred-method.dto.js +49 -0
package/dist/dto/set-preferred-method.dto.js.map +1 -0
package/dist/dto/setup-mfa.dto.d.ts +9 -0
package/dist/dto/setup-mfa.dto.d.ts.map +1 -0
package/dist/dto/setup-mfa.dto.js +55 -0
package/dist/dto/setup-mfa.dto.js.map +1 -0
package/dist/dto/signup.dto.d.ts +10 -0
package/dist/dto/signup.dto.d.ts.map +1 -0
package/dist/dto/signup.dto.js +109 -0
package/dist/dto/signup.dto.js.map +1 -0
package/dist/dto/social-auth.dto.d.ts +54 -0
package/dist/dto/social-auth.dto.d.ts.map +1 -0
package/dist/dto/social-auth.dto.js +232 -0
package/dist/dto/social-auth.dto.js.map +1 -0
package/dist/dto/trust-device-response.dto.d.ts +4 -0
package/dist/dto/trust-device-response.dto.d.ts.map +1 -0
package/dist/dto/trust-device-response.dto.js +8 -0
package/dist/dto/trust-device-response.dto.js.map +1 -0
package/dist/dto/trust-device.dto.d.ts +1 -0
package/dist/dto/trust-device.dto.d.ts.map +1 -0
package/dist/dto/trust-device.dto.js +2 -0
package/dist/dto/trust-device.dto.js.map +1 -0
package/dist/dto/update-user-attributes-request.dto.d.ts +5 -0
package/dist/dto/update-user-attributes-request.dto.d.ts.map +1 -0
package/dist/dto/update-user-attributes-request.dto.js +30 -0
package/dist/dto/update-user-attributes-request.dto.js.map +1 -0
package/dist/dto/user-response.dto.d.ts +20 -0
package/dist/dto/user-response.dto.d.ts.map +1 -0
package/dist/dto/user-response.dto.js +42 -0
package/dist/dto/user-response.dto.js.map +1 -0
package/dist/dto/user-update.dto.d.ts +12 -0
package/dist/dto/user-update.dto.d.ts.map +1 -0
package/dist/dto/user-update.dto.js +119 -0
package/dist/dto/user-update.dto.js.map +1 -0
package/dist/dto/verify-email.dto.d.ts +29 -0
package/dist/dto/verify-email.dto.d.ts.map +1 -0
package/dist/dto/verify-email.dto.js +161 -0
package/dist/dto/verify-email.dto.js.map +1 -0
package/dist/dto/verify-mfa-code.dto.d.ts +10 -0
package/dist/dto/verify-mfa-code.dto.d.ts.map +1 -0
package/dist/dto/verify-mfa-code.dto.js +56 -0
package/dist/dto/verify-mfa-code.dto.js.map +1 -0
package/dist/dto/verify-phone-by-sub.dto.d.ts +6 -0
package/dist/dto/verify-phone-by-sub.dto.d.ts.map +1 -0
package/dist/dto/verify-phone-by-sub.dto.js +49 -0
package/dist/dto/verify-phone-by-sub.dto.js.map +1 -0
package/dist/dto/verify-phone.dto.d.ts +24 -0
package/dist/dto/verify-phone.dto.d.ts.map +1 -0
package/dist/dto/verify-phone.dto.js +124 -0
package/dist/dto/verify-phone.dto.js.map +1 -0
package/dist/entities/auth-audit.entity.d.ts +31 -0
package/dist/entities/auth-audit.entity.d.ts.map +1 -0
package/dist/entities/auth-audit.entity.js +33 -0
package/dist/entities/auth-audit.entity.js.map +1 -0
package/dist/entities/challenge-session.entity.d.ts +17 -0
package/dist/entities/challenge-session.entity.d.ts.map +1 -0
package/dist/entities/challenge-session.entity.js +21 -0
package/dist/entities/challenge-session.entity.js.map +1 -0
package/dist/entities/index.d.ts +12 -0
package/dist/entities/index.d.ts.map +1 -0
package/dist/entities/index.js +26 -0
package/dist/entities/index.js.map +1 -0
package/dist/entities/login-attempt.entity.d.ts +13 -0
package/dist/entities/login-attempt.entity.d.ts.map +1 -0
package/dist/entities/login-attempt.entity.js +17 -0
package/dist/entities/login-attempt.entity.js.map +1 -0
package/dist/entities/mfa-device.entity.d.ts +22 -0
package/dist/entities/mfa-device.entity.d.ts.map +1 -0
package/dist/entities/mfa-device.entity.js +25 -0
package/dist/entities/mfa-device.entity.js.map +1 -0
package/dist/entities/rate-limit.entity.d.ts +9 -0
package/dist/entities/rate-limit.entity.d.ts.map +1 -0
package/dist/entities/rate-limit.entity.js +13 -0
package/dist/entities/rate-limit.entity.js.map +1 -0
package/dist/entities/session.entity.d.ts +32 -0
package/dist/entities/session.entity.d.ts.map +1 -0
package/dist/entities/session.entity.js +36 -0
package/dist/entities/session.entity.js.map +1 -0
package/dist/entities/social-account.entity.d.ts +13 -0
package/dist/entities/social-account.entity.d.ts.map +1 -0
package/dist/entities/social-account.entity.js +17 -0
package/dist/entities/social-account.entity.js.map +1 -0
package/dist/entities/storage-lock.entity.d.ts +8 -0
package/dist/entities/storage-lock.entity.d.ts.map +1 -0
package/dist/entities/storage-lock.entity.js +12 -0
package/dist/entities/storage-lock.entity.js.map +1 -0
package/dist/entities/trusted-device.entity.d.ts +17 -0
package/dist/entities/trusted-device.entity.d.ts.map +1 -0
package/dist/entities/trusted-device.entity.js +21 -0
package/dist/entities/trusted-device.entity.js.map +1 -0
package/dist/entities/user.entity.d.ts +41 -0
package/dist/entities/user.entity.d.ts.map +1 -0
package/dist/entities/user.entity.js +45 -0
package/dist/entities/user.entity.js.map +1 -0
package/dist/entities/verification-token.entity.d.ts +19 -0
package/dist/entities/verification-token.entity.d.ts.map +1 -0
package/dist/entities/verification-token.entity.js +29 -0
package/dist/entities/verification-token.entity.js.map +1 -0
package/dist/enums/auth-audit-event-type.enum.d.ts +55 -0
package/dist/enums/auth-audit-event-type.enum.d.ts.map +1 -0
package/dist/enums/auth-audit-event-type.enum.js +59 -0
package/dist/enums/auth-audit-event-type.enum.js.map +1 -0
package/dist/enums/error-codes.enum.d.ts +53 -0
package/dist/enums/error-codes.enum.d.ts.map +1 -0
package/dist/enums/error-codes.enum.js +57 -0
package/dist/enums/error-codes.enum.js.map +1 -0
package/dist/enums/mfa-method.enum.d.ts +11 -0
package/dist/enums/mfa-method.enum.d.ts.map +1 -0
package/dist/enums/mfa-method.enum.js +18 -0
package/dist/enums/mfa-method.enum.js.map +1 -0
package/dist/enums/risk-factor.enum.d.ts +14 -0
package/dist/enums/risk-factor.enum.d.ts.map +1 -0
package/dist/enums/risk-factor.enum.js +18 -0
package/dist/enums/risk-factor.enum.js.map +1 -0
package/dist/exceptions/nauth.exception.d.ts +18 -0
package/dist/exceptions/nauth.exception.d.ts.map +1 -0
package/dist/exceptions/nauth.exception.js +64 -0
package/dist/exceptions/nauth.exception.js.map +1 -0
package/dist/handlers/auth.handler.d.ts +18 -0
package/dist/handlers/auth.handler.d.ts.map +1 -0
package/dist/handlers/auth.handler.js +173 -0
package/dist/handlers/auth.handler.js.map +1 -0
package/dist/handlers/client-info.handler.d.ts +12 -0
package/dist/handlers/client-info.handler.d.ts.map +1 -0
package/dist/handlers/client-info.handler.js +61 -0
package/dist/handlers/client-info.handler.js.map +1 -0
package/dist/handlers/csrf.handler.d.ts +13 -0
package/dist/handlers/csrf.handler.d.ts.map +1 -0
package/dist/handlers/csrf.handler.js +84 -0
package/dist/handlers/csrf.handler.js.map +1 -0
package/dist/handlers/token-delivery.handler.d.ts +12 -0
package/dist/handlers/token-delivery.handler.d.ts.map +1 -0
package/dist/handlers/token-delivery.handler.js +86 -0
package/dist/handlers/token-delivery.handler.js.map +1 -0
package/dist/index.d.ts +27 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +51 -0
package/dist/index.js.map +1 -0
package/dist/interfaces/client-info.interface.d.ts +16 -0
package/dist/interfaces/client-info.interface.d.ts.map +1 -0
package/dist/interfaces/client-info.interface.js +3 -0
package/dist/interfaces/client-info.interface.js.map +1 -0
package/dist/interfaces/config.interface.d.ts +279 -0
package/dist/interfaces/config.interface.d.ts.map +1 -0
package/dist/interfaces/config.interface.js +3 -0
package/dist/interfaces/config.interface.js.map +1 -0
package/dist/interfaces/entities.interface.d.ts +169 -0
package/dist/interfaces/entities.interface.d.ts.map +1 -0
package/dist/interfaces/entities.interface.js +3 -0
package/dist/interfaces/entities.interface.js.map +1 -0
package/dist/interfaces/index.d.ts +11 -0
package/dist/interfaces/index.d.ts.map +1 -0
package/dist/interfaces/index.js +27 -0
package/dist/interfaces/index.js.map +1 -0
package/dist/interfaces/logger.interface.d.ts +43 -0
package/dist/interfaces/logger.interface.d.ts.map +1 -0
package/dist/interfaces/logger.interface.js +12 -0
package/dist/interfaces/logger.interface.js.map +1 -0
package/dist/interfaces/mfa-provider.interface.d.ts +12 -0
package/dist/interfaces/mfa-provider.interface.d.ts.map +1 -0
package/dist/interfaces/mfa-provider.interface.js +3 -0
package/dist/interfaces/mfa-provider.interface.js.map +1 -0
package/dist/interfaces/oauth.interface.d.ts +24 -0
package/dist/interfaces/oauth.interface.d.ts.map +1 -0
package/dist/interfaces/oauth.interface.js +3 -0
package/dist/interfaces/oauth.interface.js.map +1 -0
package/dist/interfaces/provider.interface.d.ts +12 -0
package/dist/interfaces/provider.interface.d.ts.map +1 -0
package/dist/interfaces/provider.interface.js +3 -0
package/dist/interfaces/provider.interface.js.map +1 -0
package/dist/interfaces/social-auth-provider.interface.d.ts +13 -0
package/dist/interfaces/social-auth-provider.interface.d.ts.map +1 -0
package/dist/interfaces/social-auth-provider.interface.js +3 -0
package/dist/interfaces/social-auth-provider.interface.js.map +1 -0
package/dist/interfaces/storage-adapter.interface.d.ts +39 -0
package/dist/interfaces/storage-adapter.interface.d.ts.map +1 -0
package/dist/interfaces/storage-adapter.interface.js +3 -0
package/dist/interfaces/storage-adapter.interface.js.map +1 -0
package/dist/interfaces/template.interface.d.ts +99 -0
package/dist/interfaces/template.interface.d.ts.map +1 -0
package/dist/interfaces/template.interface.js +15 -0
package/dist/interfaces/template.interface.js.map +1 -0
package/dist/interfaces/token-verifier.interface.d.ts +7 -0
package/dist/interfaces/token-verifier.interface.d.ts.map +1 -0
package/dist/interfaces/token-verifier.interface.js +3 -0
package/dist/interfaces/token-verifier.interface.js.map +1 -0
package/dist/internal.d.ts +20 -0
package/dist/internal.d.ts.map +1 -0
package/dist/internal.js +53 -0
package/dist/internal.js.map +1 -0
package/dist/platform/interfaces.d.ts +56 -0
package/dist/platform/interfaces.d.ts.map +1 -0
package/dist/platform/interfaces.js +3 -0
package/dist/platform/interfaces.js.map +1 -0
package/dist/schemas/auth-config.schema.d.ts +3411 -0
package/dist/schemas/auth-config.schema.d.ts.map +1 -0
package/dist/schemas/auth-config.schema.js +428 -0
package/dist/schemas/auth-config.schema.js.map +1 -0
package/dist/services/adaptive-mfa-decision.service.d.ts +39 -0
package/dist/services/adaptive-mfa-decision.service.d.ts.map +1 -0
package/dist/services/adaptive-mfa-decision.service.js +223 -0
package/dist/services/adaptive-mfa-decision.service.js.map +1 -0
package/dist/services/auth-audit.service.d.ts +44 -0
package/dist/services/auth-audit.service.d.ts.map +1 -0
package/dist/services/auth-audit.service.js +241 -0
package/dist/services/auth-audit.service.js.map +1 -0
package/dist/services/auth-challenge-helper.service.d.ts +48 -0
package/dist/services/auth-challenge-helper.service.d.ts.map +1 -0
package/dist/services/auth-challenge-helper.service.js +425 -0
package/dist/services/auth-challenge-helper.service.js.map +1 -0
package/dist/services/auth-flow-context-builder.service.d.ts +31 -0
package/dist/services/auth-flow-context-builder.service.d.ts.map +1 -0
package/dist/services/auth-flow-context-builder.service.js +253 -0
package/dist/services/auth-flow-context-builder.service.js.map +1 -0
package/dist/services/auth-flow-rules.d.ts +18 -0
package/dist/services/auth-flow-rules.d.ts.map +1 -0
package/dist/services/auth-flow-rules.js +55 -0
package/dist/services/auth-flow-rules.js.map +1 -0
package/dist/services/auth-flow-state-definitions.d.ts +5 -0
package/dist/services/auth-flow-state-definitions.d.ts.map +1 -0
package/dist/services/auth-flow-state-definitions.js +87 -0
package/dist/services/auth-flow-state-definitions.js.map +1 -0
package/dist/services/auth-flow-state-machine.service.d.ts +17 -0
package/dist/services/auth-flow-state-machine.service.d.ts.map +1 -0
package/dist/services/auth-flow-state-machine.service.js +91 -0
package/dist/services/auth-flow-state-machine.service.js.map +1 -0
package/dist/services/auth-flow-state-machine.types.d.ts +55 -0
package/dist/services/auth-flow-state-machine.types.d.ts.map +1 -0
package/dist/services/auth-flow-state-machine.types.js +16 -0
package/dist/services/auth-flow-state-machine.types.js.map +1 -0
package/dist/services/auth.service.d.ts +87 -0
package/dist/services/auth.service.d.ts.map +1 -0
package/dist/services/auth.service.js +2356 -0
package/dist/services/auth.service.js.map +1 -0
package/dist/services/challenge.service.d.ts +32 -0
package/dist/services/challenge.service.d.ts.map +1 -0
package/dist/services/challenge.service.js +293 -0
package/dist/services/challenge.service.js.map +1 -0
package/dist/services/client-info.service.d.ts +20 -0
package/dist/services/client-info.service.d.ts.map +1 -0
package/dist/services/client-info.service.js +202 -0
package/dist/services/client-info.service.js.map +1 -0
package/dist/services/csrf.service.d.ts +13 -0
package/dist/services/csrf.service.d.ts.map +1 -0
package/dist/services/csrf.service.js +67 -0
package/dist/services/csrf.service.js.map +1 -0
package/dist/services/email-verification.service.d.ts +30 -0
package/dist/services/email-verification.service.d.ts.map +1 -0
package/dist/services/email-verification.service.js +373 -0
package/dist/services/email-verification.service.js.map +1 -0
package/dist/services/geo-location.service.d.ts +85 -0
package/dist/services/geo-location.service.d.ts.map +1 -0
package/dist/services/geo-location.service.js +338 -0
package/dist/services/geo-location.service.js.map +1 -0
package/dist/services/index.d.ts +14 -0
package/dist/services/index.d.ts.map +1 -0
package/dist/services/index.js +30 -0
package/dist/services/index.js.map +1 -0
package/dist/services/jwt.service.d.ts +62 -0
package/dist/services/jwt.service.d.ts.map +1 -0
package/dist/services/jwt.service.js +261 -0
package/dist/services/jwt.service.js.map +1 -0
package/dist/services/mfa-base.service.d.ts +37 -0
package/dist/services/mfa-base.service.d.ts.map +1 -0
package/dist/services/mfa-base.service.js +297 -0
package/dist/services/mfa-base.service.js.map +1 -0
package/dist/services/mfa.service.d.ts +35 -0
package/dist/services/mfa.service.d.ts.map +1 -0
package/dist/services/mfa.service.js +449 -0
package/dist/services/mfa.service.js.map +1 -0
package/dist/services/password.service.d.ts +19 -0
package/dist/services/password.service.d.ts.map +1 -0
package/dist/services/password.service.js +150 -0
package/dist/services/password.service.js.map +1 -0
package/dist/services/phone-verification.service.d.ts +32 -0
package/dist/services/phone-verification.service.d.ts.map +1 -0
package/dist/services/phone-verification.service.js +474 -0
package/dist/services/phone-verification.service.js.map +1 -0
package/dist/services/risk-detection.service.d.ts +30 -0
package/dist/services/risk-detection.service.d.ts.map +1 -0
package/dist/services/risk-detection.service.js +518 -0
package/dist/services/risk-detection.service.js.map +1 -0
package/dist/services/risk-scoring.service.d.ts +12 -0
package/dist/services/risk-scoring.service.d.ts.map +1 -0
package/dist/services/risk-scoring.service.js +44 -0
package/dist/services/risk-scoring.service.js.map +1 -0
package/dist/services/session.service.d.ts +64 -0
package/dist/services/session.service.d.ts.map +1 -0
package/dist/services/session.service.js +455 -0
package/dist/services/session.service.js.map +1 -0
package/dist/services/social-auth-base.service.d.ts +57 -0
package/dist/services/social-auth-base.service.d.ts.map +1 -0
package/dist/services/social-auth-base.service.js +340 -0
package/dist/services/social-auth-base.service.js.map +1 -0
package/dist/services/social-auth.service.d.ts +31 -0
package/dist/services/social-auth.service.d.ts.map +1 -0
package/dist/services/social-auth.service.js +172 -0
package/dist/services/social-auth.service.js.map +1 -0
package/dist/services/social-provider-registry.service.d.ts +9 -0
package/dist/services/social-provider-registry.service.d.ts.map +1 -0
package/dist/services/social-provider-registry.service.js +30 -0
package/dist/services/social-provider-registry.service.js.map +1 -0
package/dist/services/trusted-device.service.d.ts +29 -0
package/dist/services/trusted-device.service.d.ts.map +1 -0
package/dist/services/trusted-device.service.js +190 -0
package/dist/services/trusted-device.service.js.map +1 -0
package/dist/storage/account-lockout-storage.service.d.ts +16 -0
package/dist/storage/account-lockout-storage.service.d.ts.map +1 -0
package/dist/storage/account-lockout-storage.service.js +50 -0
package/dist/storage/account-lockout-storage.service.js.map +1 -0
package/dist/storage/index.d.ts +4 -0
package/dist/storage/index.d.ts.map +1 -0
package/dist/storage/index.js +20 -0
package/dist/storage/index.js.map +1 -0
package/dist/storage/memory-storage.adapter.d.ts +33 -0
package/dist/storage/memory-storage.adapter.d.ts.map +1 -0
package/dist/storage/memory-storage.adapter.js +195 -0
package/dist/storage/memory-storage.adapter.js.map +1 -0
package/dist/storage/rate-limit-storage.service.d.ts +11 -0
package/dist/storage/rate-limit-storage.service.d.ts.map +1 -0
package/dist/storage/rate-limit-storage.service.js +33 -0
package/dist/storage/rate-limit-storage.service.js.map +1 -0
package/dist/templates/html-template.engine.d.ts +16 -0
package/dist/templates/html-template.engine.d.ts.map +1 -0
package/dist/templates/html-template.engine.js +502 -0
package/dist/templates/html-template.engine.js.map +1 -0
package/dist/templates/index.d.ts +2 -0
package/dist/templates/index.d.ts.map +1 -0
package/dist/templates/index.js +18 -0
package/dist/templates/index.js.map +1 -0
package/dist/utils/common-passwords.d.ts +4 -0
package/dist/utils/common-passwords.d.ts.map +1 -0
package/dist/utils/common-passwords.js +108 -0
package/dist/utils/common-passwords.js.map +1 -0
package/dist/utils/context-storage.d.ts +13 -0
package/dist/utils/context-storage.d.ts.map +1 -0
package/dist/utils/context-storage.js +54 -0
package/dist/utils/context-storage.js.map +1 -0
package/dist/utils/cookie-names.util.d.ts +7 -0
package/dist/utils/cookie-names.util.d.ts.map +1 -0
package/dist/utils/cookie-names.util.js +30 -0
package/dist/utils/cookie-names.util.js.map +1 -0
package/dist/utils/cookies.util.d.ts +12 -0
package/dist/utils/cookies.util.d.ts.map +1 -0
package/dist/utils/cookies.util.js +48 -0
package/dist/utils/cookies.util.js.map +1 -0
package/dist/utils/index.d.ts +8 -0
package/dist/utils/index.d.ts.map +1 -0
package/dist/utils/index.js +24 -0
package/dist/utils/index.js.map +1 -0
package/dist/utils/ip-extractor.d.ts +12 -0
package/dist/utils/ip-extractor.d.ts.map +1 -0
package/dist/utils/ip-extractor.js +88 -0
package/dist/utils/ip-extractor.js.map +1 -0
package/dist/utils/nauth-logger.d.ts +20 -0
package/dist/utils/nauth-logger.d.ts.map +1 -0
package/dist/utils/nauth-logger.js +129 -0
package/dist/utils/nauth-logger.js.map +1 -0
package/dist/utils/pii-redactor.d.ts +16 -0
package/dist/utils/pii-redactor.d.ts.map +1 -0
package/dist/utils/pii-redactor.js +147 -0
package/dist/utils/pii-redactor.js.map +1 -0
package/dist/utils/setup/get-repositories.d.ts +16 -0
package/dist/utils/setup/get-repositories.d.ts.map +1 -0
package/dist/utils/setup/get-repositories.js +36 -0
package/dist/utils/setup/get-repositories.js.map +1 -0
package/dist/utils/setup/init-services.d.ts +41 -0
package/dist/utils/setup/init-services.d.ts.map +1 -0
package/dist/utils/setup/init-services.js +107 -0
package/dist/utils/setup/init-services.js.map +1 -0
package/dist/utils/setup/init-social.d.ts +13 -0
package/dist/utils/setup/init-social.d.ts.map +1 -0
package/dist/utils/setup/init-social.js +77 -0
package/dist/utils/setup/init-social.js.map +1 -0
package/dist/utils/setup/init-storage.d.ts +4 -0
package/dist/utils/setup/init-storage.d.ts.map +1 -0
package/dist/utils/setup/init-storage.js +79 -0
package/dist/utils/setup/init-storage.js.map +1 -0
package/dist/utils/setup/register-mfa.d.ts +5 -0
package/dist/utils/setup/register-mfa.d.ts.map +1 -0
package/dist/utils/setup/register-mfa.js +85 -0
package/dist/utils/setup/register-mfa.js.map +1 -0
package/dist/utils/setup/run-nauth-migrations.d.ts +5 -0
package/dist/utils/setup/run-nauth-migrations.d.ts.map +1 -0
package/dist/utils/setup/run-nauth-migrations.js +67 -0
package/dist/utils/setup/run-nauth-migrations.js.map +1 -0
package/dist/utils/token-delivery-policy.d.ts +6 -0
package/dist/utils/token-delivery-policy.d.ts.map +1 -0
package/dist/utils/token-delivery-policy.js +15 -0
package/dist/utils/token-delivery-policy.js.map +1 -0
package/dist/validators/template.validator.d.ts +7 -0
package/dist/validators/template.validator.d.ts.map +1 -0
package/dist/validators/template.validator.js +95 -0
package/dist/validators/template.validator.js.map +1 -0
package/jest.config.js +15 -0
package/jest.setup.ts +6 -0
package/package.json +73 -0
package/src/adapters/database-columns.ts +165 -0
package/src/adapters/express.adapter.ts +385 -0
package/src/adapters/fastify.adapter.ts +416 -0
package/src/adapters/index.ts +16 -0
package/src/adapters/storage.factory.ts +143 -0
package/src/bootstrap.ts +374 -0
package/src/dto/auth-challenge.dto.ts +231 -0
package/src/dto/auth-response.dto.ts +253 -0
package/src/dto/challenge-response.dto.ts +234 -0
package/src/dto/change-password-request.dto.ts +50 -0
package/src/dto/change-password-response.dto.ts +29 -0
package/src/dto/change-password.dto.ts +57 -0
package/src/dto/error-response.dto.ts +136 -0
package/src/dto/get-available-methods.dto.ts +55 -0
package/src/dto/get-challenge-data-response.dto.ts +28 -0
package/src/dto/get-challenge-data.dto.ts +69 -0
package/src/dto/get-client-info.dto.ts +104 -0
package/src/dto/get-device-token-response.dto.ts +25 -0
package/src/dto/get-events-by-type.dto.ts +76 -0
package/src/dto/get-ip-address-response.dto.ts +24 -0
package/src/dto/get-mfa-status.dto.ts +94 -0
package/src/dto/get-risk-assessment-history.dto.ts +39 -0
package/src/dto/get-session-id-response.dto.ts +25 -0
package/src/dto/get-setup-data-response.dto.ts +31 -0
package/src/dto/get-setup-data.dto.ts +75 -0
package/src/dto/get-suspicious-activity.dto.ts +42 -0
package/src/dto/get-user-agent-response.dto.ts +23 -0
package/src/dto/get-user-auth-history.dto.ts +95 -0
package/src/dto/get-user-by-email.dto.ts +61 -0
package/src/dto/get-user-by-id.dto.ts +46 -0
package/src/dto/get-user-devices.dto.ts +53 -0
package/src/dto/get-user-response.dto.ts +17 -0
package/src/dto/has-provider.dto.ts +56 -0
package/src/dto/index.ts +57 -0
package/src/dto/is-trusted-device-response.dto.ts +34 -0
package/src/dto/list-providers-response.dto.ts +23 -0
package/src/dto/login.dto.ts +95 -0
package/src/dto/logout-all-response.dto.ts +24 -0
package/src/dto/logout-all.dto.ts +65 -0
package/src/dto/logout-response.dto.ts +25 -0
package/src/dto/logout.dto.ts +64 -0
package/src/dto/refresh-token.dto.ts +36 -0
package/src/dto/remove-devices.dto.ts +85 -0
package/src/dto/resend-code-response.dto.ts +32 -0
package/src/dto/resend-code.dto.ts +51 -0
package/src/dto/reset-password.dto.ts +115 -0
package/src/dto/respond-challenge.dto.ts +272 -0
package/src/dto/set-mfa-exemption.dto.ts +112 -0
package/src/dto/set-must-change-password-response.dto.ts +27 -0
package/src/dto/set-must-change-password.dto.ts +46 -0
package/src/dto/set-preferred-method.dto.ts +80 -0
package/src/dto/setup-mfa.dto.ts +98 -0
package/src/dto/signup.dto.ts +174 -0
package/src/dto/social-auth.dto.ts +422 -0
package/src/dto/trust-device-response.dto.ts +30 -0
package/src/dto/trust-device.dto.ts +9 -0
package/src/dto/update-user-attributes-request.dto.ts +51 -0
package/src/dto/user-response.dto.ts +138 -0
package/src/dto/user-update.dto.ts +222 -0
package/src/dto/verify-email.dto.ts +313 -0
package/src/dto/verify-mfa-code.dto.ts +103 -0
package/src/dto/verify-phone-by-sub.dto.ts +78 -0
package/src/dto/verify-phone.dto.ts +245 -0
package/src/entities/auth-audit.entity.ts +232 -0
package/src/entities/challenge-session.entity.ts +116 -0
package/src/entities/index.ts +29 -0
package/src/entities/login-attempt.entity.ts +64 -0
package/src/entities/mfa-device.entity.ts +151 -0
package/src/entities/rate-limit.entity.ts +44 -0
package/src/entities/session.entity.ts +180 -0
package/src/entities/social-account.entity.ts +96 -0
package/src/entities/storage-lock.entity.ts +39 -0
package/src/entities/trusted-device.entity.ts +112 -0
package/src/entities/user.entity.ts +243 -0
package/src/entities/verification-token.entity.ts +141 -0
package/src/enums/auth-audit-event-type.enum.ts +360 -0
package/src/enums/error-codes.enum.ts +420 -0
package/src/enums/mfa-method.enum.ts +97 -0
package/src/enums/risk-factor.enum.ts +111 -0
package/src/exceptions/nauth.exception.ts +231 -0
package/src/handlers/auth.handler.ts +260 -0
package/src/handlers/client-info.handler.ts +101 -0
package/src/handlers/csrf.handler.ts +156 -0
package/src/handlers/token-delivery.handler.ts +118 -0
package/src/index.ts +118 -0
package/src/interfaces/client-info.interface.ts +85 -0
package/src/interfaces/config.interface.ts +2135 -0
package/src/interfaces/entities.interface.ts +226 -0
package/src/interfaces/index.ts +15 -0
package/src/interfaces/logger.interface.ts +283 -0
package/src/interfaces/mfa-provider.interface.ts +154 -0
package/src/interfaces/oauth.interface.ts +148 -0
package/src/interfaces/provider.interface.ts +47 -0
package/src/interfaces/social-auth-provider.interface.ts +131 -0
package/src/interfaces/storage-adapter.interface.ts +82 -0
package/src/interfaces/template.interface.ts +510 -0
package/src/interfaces/token-verifier.interface.ts +110 -0
package/src/internal.ts +178 -0
package/src/platform/interfaces.ts +299 -0
package/src/schemas/auth-config.schema.ts +646 -0
package/src/services/adaptive-mfa-decision.service.spec.ts +1058 -0
package/src/services/adaptive-mfa-decision.service.ts +457 -0
package/src/services/auth-audit.service.spec.ts +675 -0
package/src/services/auth-audit.service.ts +558 -0
package/src/services/auth-challenge-helper.service.spec.ts +3227 -0
package/src/services/auth-challenge-helper.service.ts +825 -0
package/src/services/auth-flow-context-builder.service.ts +520 -0
package/src/services/auth-flow-rules.ts +202 -0
package/src/services/auth-flow-state-definitions.ts +190 -0
package/src/services/auth-flow-state-machine.service.ts +207 -0
package/src/services/auth-flow-state-machine.types.ts +316 -0
package/src/services/auth.service.spec.ts +4195 -0
package/src/services/auth.service.ts +3727 -0
package/src/services/challenge.service.spec.ts +1363 -0
package/src/services/challenge.service.ts +696 -0
package/src/services/client-info.service.spec.ts +572 -0
package/src/services/client-info.service.ts +374 -0
package/src/services/csrf.service.ts +54 -0
package/src/services/email-verification.service.spec.ts +1229 -0
package/src/services/email-verification.service.ts +578 -0
package/src/services/geo-location.service.spec.ts +603 -0
package/src/services/geo-location.service.ts +599 -0
package/src/services/index.ts +13 -0
package/src/services/jwt.service.spec.ts +882 -0
package/src/services/jwt.service.ts +621 -0
package/src/services/mfa-base.service.spec.ts +246 -0
package/src/services/mfa-base.service.ts +611 -0
package/src/services/mfa.service.spec.ts +693 -0
package/src/services/mfa.service.ts +960 -0
package/src/services/password.service.spec.ts +166 -0
package/src/services/password.service.ts +309 -0
package/src/services/phone-verification.service.spec.ts +1120 -0
package/src/services/phone-verification.service.ts +751 -0
package/src/services/risk-detection.service.spec.ts +1292 -0
package/src/services/risk-detection.service.ts +1012 -0
package/src/services/risk-scoring.service.spec.ts +204 -0
package/src/services/risk-scoring.service.ts +131 -0
package/src/services/session.service.spec.ts +1293 -0
package/src/services/session.service.ts +803 -0
package/src/services/social-account.service.spec.ts +725 -0
package/src/services/social-auth-base.service.spec.ts +418 -0
package/src/services/social-auth-base.service.ts +581 -0
package/src/services/social-auth.service.spec.ts +238 -0
package/src/services/social-auth.service.ts +436 -0
package/src/services/social-provider-registry.service.spec.ts +238 -0
package/src/services/social-provider-registry.service.ts +122 -0
package/src/services/trusted-device.service.spec.ts +505 -0
package/src/services/trusted-device.service.ts +339 -0
package/src/storage/account-lockout-storage.service.spec.ts +310 -0
package/src/storage/account-lockout-storage.service.ts +89 -0
package/src/storage/index.ts +3 -0
package/src/storage/memory-storage.adapter.ts +443 -0
package/src/storage/rate-limit-storage.service.spec.ts +247 -0
package/src/storage/rate-limit-storage.service.ts +38 -0
package/src/templates/html-template.engine.spec.ts +161 -0
package/src/templates/html-template.engine.ts +688 -0
package/src/templates/index.ts +7 -0
package/src/utils/common-passwords.spec.ts +230 -0
package/src/utils/common-passwords.ts +170 -0
package/src/utils/context-storage.ts +188 -0
package/src/utils/cookie-names.util.ts +67 -0
package/src/utils/cookies.util.ts +94 -0
package/src/utils/index.ts +12 -0
package/src/utils/ip-extractor.spec.ts +330 -0
package/src/utils/ip-extractor.ts +220 -0
package/src/utils/nauth-logger.spec.ts +388 -0
package/src/utils/nauth-logger.ts +215 -0
package/src/utils/pii-redactor.spec.ts +130 -0
package/src/utils/pii-redactor.ts +288 -0
package/src/utils/setup/get-repositories.ts +140 -0
package/src/utils/setup/init-services.ts +422 -0
package/src/utils/setup/init-social.ts +189 -0
package/src/utils/setup/init-storage.ts +94 -0
package/src/utils/setup/register-mfa.ts +165 -0
package/src/utils/setup/run-nauth-migrations.ts +61 -0
package/src/utils/token-delivery-policy.ts +38 -0
package/src/validators/template.validator.ts +219 -0
package/tsconfig.json +37 -0
package/tsconfig.lint.json +6 -0

package/src/services/phone-verification.service.ts ADDED Viewed

@@ -0,0 +1,751 @@
+import { Repository, IsNull } from 'typeorm';
+import { IUser, IVerificationToken } from '../interfaces/entities.interface';
+import { BaseVerificationToken, BaseUser } from '../entities';
+import { SMSProvider } from '../interfaces/provider.interface';
+import { StorageAdapter } from '../interfaces/storage-adapter.interface';
+import { NAuthConfig } from '../interfaces/config.interface';
+import { ClientInfoService } from './client-info.service';
+import { InternalAuthAuditService as AuthAuditService } from './auth-audit.service';
+import { AuthAuditEventType } from '../enums/auth-audit-event-type.enum';
+import { NAuthException } from '../exceptions/nauth.exception';
+import { AuthErrorCode } from '../enums/error-codes.enum';
+import { NAuthLogger } from '../utils/nauth-logger';
+import {
+  SendVerificationSMSDTO,
+  SendVerificationSMSResponseDTO,
+  VerifyPhoneWithCodeDTO,
+  VerifyPhoneResponseDTO,
+  ResendVerificationSMSDTO,
+  ResendVerificationSMSResponseDTO,
+} from '../dto/verify-phone.dto';
+import { VerifyPhoneWithCodeBySubDTO } from '../dto/verify-phone-by-sub.dto';
+import * as crypto from 'crypto';
+/**
+ * Phone Verification Service (Core)
+ *
+ * Database-agnostic phone verification workflow with provider-driven SMS delivery.
+ *
+ * WHY: Keeps core business logic independent of database and SMS vendors. Databases are
+ * injected via repository tokens and SMS via an `SMSProvider` adapter so consumers
+ * can plug in Postgres, MySQL, or any SMS provider without code changes.
+ *
+ * @example
+ * ```typescript
+ * // Send OTP
+ * const tokenId = await phoneVerificationService.sendVerificationSMS('user-sub');
+ *
+ * // Verify by sub
+ * await phoneVerificationService.verifyPhoneWithCodeBySub('user-sub', '123456');
+ *
+ * // Resend
+ * await phoneVerificationService.resendVerificationSMS('user-sub');
+ * ```
+ */
+export class PhoneVerificationService {
+  constructor(
+    private readonly verificationTokenRepo: Repository<BaseVerificationToken>,
+    private readonly userRepo: Repository<BaseUser>,
+    private readonly smsProvider: SMSProvider,
+    private readonly storageAdapter: StorageAdapter,
+    private readonly config: NAuthConfig,
+    private readonly clientInfoService: ClientInfoService,
+    private readonly logger: NAuthLogger,
+    private readonly auditService?: AuthAuditService, // Optional - audit trail service (enabled via config.auditLogs.enabled)
+  ) {}
+  /**
+   * Send verification SMS to user identified by `sub`.
+   * Applies rate limits and resend delay, stores hashed token + OTP, and sends via SMS provider.
+   *
+   * @param dto - Request DTO containing sub and skipAlreadyVerifiedCheck
+   * @returns Response DTO with verification token ID
+   * @throws {NAuthException} RATE_LIMIT_SMS | NOT_FOUND | PHONE_REQUIRED | ALREADY_VERIFIED | RATE_LIMIT_RESEND
+   */
+  async sendVerificationSMS(dto: SendVerificationSMSDTO): Promise<SendVerificationSMSResponseDTO> {
+    const { sub, skipAlreadyVerifiedCheck = true, challengeSessionId } = dto;
+    const rateLimitKey = `phone-verification:${sub}`;
+    // Get rate limit configuration from config (moved to signup.phoneVerification)
+    const rateLimitMax = this.config.signup?.phoneVerification?.rateLimitMax || 3;
+    const rateLimitWindow = this.config.signup?.phoneVerification?.rateLimitWindow || 3600; // 1 hour in seconds
+    // Check if key exists and has valid TTL (not expired)
+    const ttlBefore = await this.storageAdapter.ttl(rateLimitKey);
+    // Window is expired if: key doesn't exist (-1), expired (<0), or TTL is longer than configured window (config changed)
+    const isWindowExpired = ttlBefore === -1 || ttlBefore < 0 || ttlBefore > rateLimitWindow;
+    // If TTL is longer than configured window (config changed), delete the old key to reset it
+    // This ensures the new window uses the current rateLimitWindow instead of preserving old expiry
+    if (ttlBefore > rateLimitWindow) {
+      await this.storageAdapter.del(rateLimitKey);
+    }
+    // Increment counter (will reset to 1 if key expired or doesn't exist)
+    // Pass TTL so new records are created with correct expiry immediately
+    const currentCount = await this.storageAdapter.incr(rateLimitKey, isWindowExpired ? rateLimitWindow : undefined);
+    // If we created a new window, log it
+    if (isWindowExpired && currentCount === 1) {
+      this.logger?.debug?.(
+        `Rate limit window reset for phone verification: sub=${sub}, window=${rateLimitWindow}s, max=${rateLimitMax}`,
+      );
+    }
+    // Get actual TTL after setting expiry (for error message)
+    const actualTtl = await this.storageAdapter.ttl(rateLimitKey);
+    this.logger?.debug?.(
+      `Phone verification rate limit check: sub=${sub}, count=${currentCount}/${rateLimitMax}, ttl=${actualTtl}s`,
+    );
+    if (currentCount > rateLimitMax) {
+      this.logger?.warn?.(
+        `SMS rate limit exceeded: sub=${sub}, count=${currentCount}, max=${rateLimitMax}, retryAfter=${actualTtl}s`,
+      );
+      throw new NAuthException(
+        AuthErrorCode.RATE_LIMIT_SMS,
+        `Too many verification SMS sent. Please try again in ${actualTtl > 0 ? actualTtl : rateLimitWindow} seconds`,
+        {
+          retryAfter: actualTtl > 0 ? actualTtl : rateLimitWindow,
+          currentCount,
+          maxAttempts: rateLimitMax,
+        },
+      );
+    }
+    // Load user by external identifier
+    const user = (await this.userRepo.findOne({ where: { sub } })) as IUser | null;
+    if (!user) {
+      throw new NAuthException(AuthErrorCode.NOT_FOUND, 'User not found');
+    }
+    if (!user.phone) {
+      throw new NAuthException(AuthErrorCode.PHONE_REQUIRED, 'No phone number associated with this account');
+    }
+    // Only check "already verified" if not skipping (skip for MFA contexts where codes are needed even if phone is verified)
+    if (!skipAlreadyVerifiedCheck && user.isPhoneVerified) {
+      throw new NAuthException(AuthErrorCode.ALREADY_VERIFIED, 'Phone already verified');
+    }
+    // Enforce resend delay to prevent abuse
+    const resendDelay = this.config.signup?.phoneVerification?.resendDelay ?? 60;
+    const lastToken = (await this.verificationTokenRepo.findOne({
+      where: { userId: user.id, type: 'phone' },
+      order: { createdAt: 'DESC' },
+    })) as IVerificationToken | null;
+    if (lastToken) {
+      const secondsSinceLastSend = (Date.now() - lastToken.createdAt.getTime()) / 1000;
+      if (secondsSinceLastSend < resendDelay) {
+        const waitSeconds = Math.ceil(resendDelay - secondsSinceLastSend);
+        throw new NAuthException(
+          AuthErrorCode.RATE_LIMIT_RESEND,
+          `Please wait ${waitSeconds} seconds before requesting another code`,
+          {
+            retryAfter: waitSeconds,
+            resendDelay,
+          },
+        );
+      }
+    }
+    // Invalidate existing unused tokens for this user
+    await this.verificationTokenRepo.update(
+      { userId: user.id, type: 'phone', usedAt: IsNull() },
+      { usedAt: new Date() },
+    );
+    // Generate OTP and hashed token
+    const code = this.generateCode();
+    const token = this.generateToken();
+    const tokenHash = this.hashToken(token);
+    // Capture client info for auditability
+    const clientInfo = this.clientInfoService.get();
+    const { ipAddress, userAgent } = clientInfo;
+    const verificationToken = this.verificationTokenRepo.create({
+      userId: user.id,
+      challengeSessionId: challengeSessionId ?? null, // Link to challenge session if provided
+      type: 'phone',
+      token: tokenHash,
+      code,
+      expiresAt: new Date(Date.now() + (this.config.signup?.phoneVerification?.expiresIn || 300) * 1000),
+      attempts: 0,
+      ipAddress,
+      userAgent,
+    });
+    const saved = (await this.verificationTokenRepo.save(verificationToken)) as unknown as IVerificationToken;
+    this.logger?.log?.(
+      `SMS token created: sub=${sub}, tokenId=${saved.id}, code=${code}, codeType=${typeof code}, userId=${user.id}, usedAt=${saved.usedAt || 'null'}`,
+    );
+    await this.smsProvider.sendOTP(user.phone, code);
+    this.logger?.log?.(
+      `SMS verification code sent: sub=${sub}, tokenId=${saved.id}, phone=${this.maskPhone(user.phone)}`,
+    );
+    // ============================================================================
+    // Audit: Record phone verification request
+    // ============================================================================
+    try {
+      await this.auditService?.recordEvent({
+        userId: user.id,
+        eventType: AuthAuditEventType.PHONE_VERIFICATION_REQUESTED,
+        eventStatus: 'INFO',
+        metadata: {
+          // Client info automatically included from context
+          verificationTokenId: saved.id,
+          phone: this.maskPhone(user.phone),
+        },
+      });
+    } catch (auditError) {
+      // Non-blocking: Log but continue
+      const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
+      this.logger?.error?.(`Failed to record PHONE_VERIFICATION_REQUESTED audit event: ${errorMessage}`, {
+        error: auditError,
+        userId: user.id,
+      });
+    }
+    return { tokenId: saved.id };
+  }
+  /**
+   * Verify phone by phone number and code.
+   * Handles duplicate phone numbers by selecting the token whose user matches the phone provided.
+   *
+   * @param dto - Request DTO containing phone and code
+   * @returns Response DTO with success message
+   * @throws {NAuthException} VERIFICATION_CODE_INVALID | VERIFICATION_CODE_EXPIRED | VERIFICATION_TOO_MANY_ATTEMPTS
+   */
+  async verifyPhoneWithCode(dto: VerifyPhoneWithCodeDTO): Promise<VerifyPhoneResponseDTO> {
+    const { phone, code, challengeSessionId } = dto;
+    // Find all unused tokens matching the code and type
+    // If challengeSessionId is provided, ensure token belongs to specific session
+    const whereClause = {
+      type: 'phone' as const,
+      code,
+      usedAt: IsNull(),
+      ...(challengeSessionId !== undefined && { challengeSessionId }), // Include if provided
+    };
+    const candidateTokens = (await this.verificationTokenRepo.find({
+      where: whereClause,
+      order: { createdAt: 'DESC' },
+    })) as unknown as IVerificationToken[];
+    // Resolve the token whose user has the given phone
+    let matched: { token: IVerificationToken; user: IUser } | null = null;
+    for (const token of candidateTokens) {
+      const user = (await this.userRepo.findOne({ where: { id: token.userId } })) as IUser | null;
+      if (user && user.phone === phone) {
+        matched = { token, user };
+        break;
+      }
+    }
+    if (!matched) {
+      throw new NAuthException(AuthErrorCode.VERIFICATION_CODE_INVALID, 'Invalid or expired verification code');
+    }
+    const { token, user } = matched;
+    // Get verification attempt rate limit configuration from config
+    const maxAttemptsPerUser = this.config.signup?.phoneVerification?.maxAttemptsPerUser ?? 10;
+    const maxAttemptsPerIP = this.config.signup?.phoneVerification?.maxAttemptsPerIP ?? 20;
+    const attemptWindow = this.config.signup?.phoneVerification?.attemptWindow ?? 3600; // 1 hour
+    // Rate limit verification attempts per user (not just per token)
+    const userRateLimitKey = `verify-attempts:user:${user.id}`;
+    const userAttempts = await this.storageAdapter.incr(userRateLimitKey);
+    if (userAttempts === 1) {
+      await this.storageAdapter.expire(userRateLimitKey, attemptWindow);
+    }
+    if (userAttempts > maxAttemptsPerUser) {
+      throw new NAuthException(
+        AuthErrorCode.VERIFICATION_TOO_MANY_ATTEMPTS,
+        'Too many verification attempts. Please try again later.',
+      );
+    }
+    // Also rate limit by IP
+    const clientInfo = this.clientInfoService.get();
+    if (clientInfo.ipAddress) {
+      const ipRateLimitKey = `verify-attempts:ip:${clientInfo.ipAddress}`;
+      const ipAttempts = await this.storageAdapter.incr(ipRateLimitKey);
+      if (ipAttempts === 1) {
+        await this.storageAdapter.expire(ipRateLimitKey, attemptWindow);
+      }
+      if (ipAttempts > maxAttemptsPerIP) {
+        throw new NAuthException(
+          AuthErrorCode.VERIFICATION_TOO_MANY_ATTEMPTS,
+          'Too many verification attempts from this IP. Please try again later.',
+        );
+      }
+    }
+    // Expiry check (use entity method if provided)
+    const isExpired =
+      typeof token.isExpired === 'function' ? !!token.isExpired() : token.expiresAt.getTime() <= Date.now();
+    if (isExpired) {
+      throw new NAuthException(AuthErrorCode.VERIFICATION_CODE_EXPIRED, 'Verification code has expired');
+    }
+    // Attempts check (use entity method if provided)
+    const maxAttempts = this.config.signup?.phoneVerification?.maxAttempts ?? 3;
+    const tooManyAttempts =
+      typeof token.maxAttemptsExceeded === 'function'
+        ? !!token.maxAttemptsExceeded(maxAttempts)
+        : token.attempts >= maxAttempts;
+    if (tooManyAttempts) {
+      throw new NAuthException(
+        AuthErrorCode.VERIFICATION_TOO_MANY_ATTEMPTS,
+        'Too many failed attempts. Request a new code.',
+        {
+          maxAttempts,
+          currentAttempts: token.attempts,
+        },
+      );
+    }
+    // Increment attempts even on success to prevent reuse by race
+    token.attempts += 1;
+    if (token.code !== code) {
+      await this.verificationTokenRepo.save(token);
+      this.logger?.debug?.(
+        `Phone verification failed: phone=${this.maskPhone(phone)}, attempts=${token.attempts}/${maxAttempts}`,
+      );
+      // ============================================================================
+      // Audit: Record phone verification failure
+      // ============================================================================
+      try {
+        await this.auditService?.recordEvent({
+          userId: user.id,
+          eventType: AuthAuditEventType.PHONE_VERIFICATION_FAILED,
+          eventStatus: 'FAILURE',
+          reason: 'invalid_code',
+          // Client info automatically included from context
+          description: 'Invalid verification code provided',
+          metadata: {
+            verificationTokenId: token.id,
+            attempts: token.attempts,
+            phone: this.maskPhone(phone),
+          },
+        });
+      } catch (auditError) {
+        // Non-blocking: Log but continue
+        const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
+        this.logger?.error?.(`Failed to record PHONE_VERIFICATION_FAILED audit event: ${errorMessage}`, {
+          error: auditError,
+          userId: user.id,
+        });
+      }
+      throw new NAuthException(AuthErrorCode.VERIFICATION_CODE_INVALID, 'Invalid verification code', {
+        attemptsRemaining: Math.max(0, maxAttempts - token.attempts),
+      });
+    }
+    // Mark token used
+    token.usedAt = new Date();
+    await this.verificationTokenRepo.save(token);
+    // Update user flags
+    await this.userRepo.update(user.id, {
+      isPhoneVerified: true,
+      isActive: true,
+    });
+    this.logger?.log?.(`Phone verification successful: userId=${user.id}, phone=${this.maskPhone(phone)}`);
+    // ============================================================================
+    // Audit: Record phone verification success
+    // ============================================================================
+    try {
+      // Client info (ipAddress, userAgent) automatically extracted from ClientInfoService
+      // Note: ClientInfoService is used transparently by AuditService
+      await this.auditService?.recordEvent({
+        userId: user.id,
+        eventType: AuthAuditEventType.PHONE_VERIFIED,
+        eventStatus: 'SUCCESS',
+        metadata: {
+          // Client info automatically included from context
+          verificationTokenId: token.id,
+          verificationMethod: 'code',
+          phone: this.maskPhone(phone),
+        },
+      });
+    } catch (auditError) {
+      // Non-blocking: Log but continue
+      const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
+      this.logger?.error?.(`Failed to record PHONE_VERIFIED audit event: ${errorMessage}`, {
+        error: auditError,
+        userId: user.id,
+      });
+    }
+    return { message: 'Phone verified successfully. Please log in to continue.' };
+  }
+  /**
+   * Verify phone by user sub and code.
+   *
+   * @param dto - Request DTO containing sub and code
+   * @returns Response DTO with success message
+   */
+  async verifyPhoneWithCodeBySub(dto: VerifyPhoneWithCodeBySubDTO): Promise<VerifyPhoneResponseDTO> {
+    const { sub, code, challengeSessionId } = dto;
+    // Load user to get current phone verification status
+    // This ensures we have the latest state from the database
+    const user = (await this.userRepo.findOne({ where: { sub } })) as IUser | null;
+    if (!user) {
+      throw new NAuthException(AuthErrorCode.NOT_FOUND, 'User not found');
+    }
+    if (!user.phone) {
+      throw new NAuthException(AuthErrorCode.PHONE_REQUIRED, 'No phone number associated with this account');
+    }
+    // Store initial verification status to avoid unnecessary updates
+    const wasPhoneVerified = Boolean(user.isPhoneVerified);
+    // ============================================================================
+    // Security: Rate limit configuration
+    // IP-based rate limiting applies only to INVALID attempts to prevent brute force
+    // Valid codes should not be blocked by IP rate limits
+    // ============================================================================
+    const maxAttemptsPerIP = this.config.signup?.phoneVerification?.maxAttemptsPerIP ?? 20;
+    const attemptWindow = this.config.signup?.phoneVerification?.attemptWindow ?? 3600; // 1 hour
+    const clientInfo = this.clientInfoService.get();
+    // Find verification token
+    // Query for unused tokens matching the code (order by newest first)
+    // Ensure code is a string (database stores as varchar/string)
+    // TypeORM may receive code as number from JSON, so convert to string for query
+    const codeString = String(code);
+    this.logger?.log?.(
+      `Looking for verification token: sub=${sub}, code=${codeString}, codeType=${typeof code}, userId=${user.id}`,
+    );
+    // If challengeSessionId is provided, ensure token belongs to specific session
+    const whereClause = {
+      userId: user.id,
+      type: 'phone' as const,
+      code: codeString,
+      usedAt: IsNull(),
+      ...(challengeSessionId !== undefined && { challengeSessionId }), // Include if provided
+    };
+    const verificationToken = (await this.verificationTokenRepo.findOne({
+      where: whereClause,
+      order: { createdAt: 'DESC' },
+    })) as IVerificationToken | null;
+    // ============================================================================
+    // Security: Increment IP rate limit for invalid attempts only
+    // This prevents brute force attacks while allowing valid codes through
+    // ============================================================================
+    const incrementIPRateLimit = async (): Promise<void> => {
+      if (clientInfo.ipAddress) {
+        const ipRateLimitKey = `verify-attempts:ip:${clientInfo.ipAddress}`;
+        const ipAttempts = await this.storageAdapter.incr(ipRateLimitKey);
+        if (ipAttempts === 1) {
+          await this.storageAdapter.expire(ipRateLimitKey, attemptWindow);
+        }
+        if (ipAttempts > maxAttemptsPerIP) {
+          throw new NAuthException(
+            AuthErrorCode.VERIFICATION_TOO_MANY_ATTEMPTS,
+            'Too many verification attempts from this IP. Please try again later.',
+          );
+        }
+      }
+    };
+    if (!verificationToken) {
+      this.logger?.warn?.(
+        `Phone verification token not found: sub=${sub}, code=${codeString}, originalCodeType=${typeof code}, userId=${user.id}`,
+      );
+      // Invalid attempt - increment IP rate limit
+      await incrementIPRateLimit();
+      throw new NAuthException(AuthErrorCode.VERIFICATION_CODE_INVALID, 'Invalid or expired verification code');
+    }
+    const isExpired =
+      typeof verificationToken.isExpired === 'function'
+        ? !!verificationToken.isExpired()
+        : verificationToken.expiresAt.getTime() <= Date.now();
+    if (isExpired) {
+      // Expired token - increment IP rate limit
+      await incrementIPRateLimit();
+      throw new NAuthException(AuthErrorCode.VERIFICATION_CODE_EXPIRED, 'Verification code has expired');
+    }
+    const maxAttempts = this.config.signup?.phoneVerification?.maxAttempts ?? 3;
+    const tooManyAttempts =
+      typeof verificationToken.maxAttemptsExceeded === 'function'
+        ? !!verificationToken.maxAttemptsExceeded(maxAttempts)
+        : verificationToken.attempts >= maxAttempts;
+    if (tooManyAttempts) {
+      // Token exceeded max attempts - increment IP rate limit
+      await incrementIPRateLimit();
+      throw new NAuthException(
+        AuthErrorCode.VERIFICATION_TOO_MANY_ATTEMPTS,
+        'Too many failed attempts. Request a new code.',
+        {
+          maxAttempts,
+          currentAttempts: verificationToken.attempts,
+        },
+      );
+    }
+    // ============================================================================
+    // Security: Rate limit verification attempts per user (for invalid attempts only)
+    // This prevents users from exhausting their own tokens through repeated attempts
+    // Valid codes should not be blocked by user rate limits
+    // ============================================================================
+    const maxAttemptsPerUser = this.config.signup?.phoneVerification?.maxAttemptsPerUser ?? 10;
+    // Helper to increment user rate limit (only for invalid attempts)
+    const incrementUserRateLimit = async (): Promise<void> => {
+      const userRateLimitKey = `verify-attempts:user:${user.id}`;
+      const userAttempts = await this.storageAdapter.incr(userRateLimitKey);
+      if (userAttempts === 1) {
+        await this.storageAdapter.expire(userRateLimitKey, attemptWindow);
+      }
+      if (userAttempts > maxAttemptsPerUser) {
+        throw new NAuthException(
+          AuthErrorCode.VERIFICATION_TOO_MANY_ATTEMPTS,
+          'Too many verification attempts. Please try again later.',
+        );
+      }
+    };
+    verificationToken.attempts += 1;
+    // Compare normalized codes (trim whitespace for comparison)
+    const storedCode = String(verificationToken.code).trim();
+    const providedCode = String(code).trim();
+    if (storedCode !== providedCode) {
+      // Invalid code - increment both IP and user rate limits
+      await incrementIPRateLimit();
+      await incrementUserRateLimit();
+      await this.verificationTokenRepo.save(verificationToken);
+      this.logger?.debug?.(
+        `Phone verification failed: sub=${sub}, attempts=${verificationToken.attempts}/${maxAttempts}`,
+      );
+      // ============================================================================
+      // Audit: Record phone verification failure (by sub)
+      // ============================================================================
+      try {
+        await this.auditService?.recordEvent({
+          userId: user.id,
+          eventType: AuthAuditEventType.PHONE_VERIFICATION_FAILED,
+          eventStatus: 'FAILURE',
+          reason: 'invalid_code',
+          // Client info automatically included from context
+          description: 'Invalid verification code provided',
+          metadata: {
+            verificationTokenId: verificationToken.id,
+            attempts: verificationToken.attempts,
+            phone: this.maskPhone(user.phone || ''),
+          },
+        });
+      } catch (auditError) {
+        // Non-blocking: Log but continue
+        const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
+        this.logger?.error?.(`Failed to record PHONE_VERIFICATION_FAILED audit event (by sub): ${errorMessage}`, {
+          error: auditError,
+          userId: user.id,
+        });
+      }
+      throw new NAuthException(AuthErrorCode.VERIFICATION_CODE_INVALID, 'Invalid verification code', {
+        attemptsRemaining: Math.max(0, maxAttempts - verificationToken.attempts),
+      });
+    }
+    // ============================================================================
+    // Code is valid - proceed without rate limit checks
+    // Valid codes should always be allowed through
+    // ============================================================================
+    verificationToken.usedAt = new Date();
+    await this.verificationTokenRepo.save(verificationToken);
+    // ============================================================================
+    // Only update user if phone is not already verified to avoid unnecessary DB write
+    // This prevents updating updatedAt timestamp when phone is already verified
+    // We use the verification status from when user was loaded at the start
+    // ============================================================================
+    if (!wasPhoneVerified) {
+      // Use update() with explicit WHERE clause to ensure the change is persisted
+      // This bypasses entity tracking issues and ensures the update is committed
+      await this.userRepo.update(
+        { sub },
+        {
+          isPhoneVerified: true,
+          isActive: true,
+        },
+      );
+      this.logger?.log?.(`Phone verification successful: sub=${sub}, userId=${user.id} - phone marked as verified`);
+    } else {
+      // Phone already verified - just mark token as used, no user update needed
+      this.logger?.log?.(`Phone verification code validated: sub=${sub}, userId=${user.id} - phone already verified`);
+    }
+    // ============================================================================
+    // Audit: Record phone verification success (by sub)
+    // ============================================================================
+    try {
+      // Client info (ipAddress, userAgent) automatically extracted from ClientInfoService
+      // Note: ClientInfoService is used transparently by AuditService
+      await this.auditService?.recordEvent({
+        userId: user.id,
+        eventType: AuthAuditEventType.PHONE_VERIFIED,
+        eventStatus: 'SUCCESS',
+        metadata: {
+          // Client info automatically included from context
+          verificationTokenId: verificationToken.id,
+          verificationMethod: 'code',
+          phone: this.maskPhone(user.phone || ''),
+        },
+      });
+    } catch (auditError) {
+      // Non-blocking: Log but continue
+      const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
+      this.logger?.error?.(`Failed to record PHONE_VERIFIED audit event (by sub): ${errorMessage}`, {
+        error: auditError,
+        userId: user.id,
+      });
+    }
+    return { message: 'Phone verified successfully. Please log in to continue.' };
+  }
+  /**
+   * Resend verification SMS
+   * Supports both sub and phone-based resend
+   *
+   * @param dto - Request DTO containing sub or phone
+   * @returns Response DTO with verification token ID
+   */
+  async resendVerificationSMS(dto: ResendVerificationSMSDTO): Promise<ResendVerificationSMSResponseDTO> {
+    // Validate that either sub or phone is provided
+    if (!dto.sub && !dto.phone) {
+      throw new NAuthException(AuthErrorCode.VALIDATION_FAILED, 'Either sub or phone must be provided');
+    }
+    if (dto.sub) {
+      return this.resendVerificationSMSBySub(dto.sub);
+    }
+    return this.resendVerificationSMSForPhone(dto.phone!);
+  }
+  /**
+   * Resend verification SMS by user sub (private helper)
+   *
+   * @param sub - External user identifier
+   * @returns New verification token id
+   */
+  private async resendVerificationSMSBySub(sub: string): Promise<ResendVerificationSMSResponseDTO> {
+    const user = (await this.userRepo.findOne({ where: { sub } })) as IUser | null;
+    if (!user) {
+      throw new NAuthException(AuthErrorCode.NOT_FOUND, 'User not found');
+    }
+    const resendDelay = this.config.signup?.phoneVerification?.resendDelay ?? 60;
+    const lastToken = (await this.verificationTokenRepo.findOne({
+      where: { userId: user.id, type: 'phone' },
+      order: { createdAt: 'DESC' },
+    })) as IVerificationToken | null;
+    if (lastToken) {
+      const secondsSinceLastSend = (Date.now() - lastToken.createdAt.getTime()) / 1000;
+      if (secondsSinceLastSend < resendDelay) {
+        const waitSeconds = Math.ceil(resendDelay - secondsSinceLastSend);
+        this.logger?.debug?.(`Resend rate limit: sub=${sub}, wait=${waitSeconds}s, delay=${resendDelay}s`);
+        throw new NAuthException(
+          AuthErrorCode.RATE_LIMIT_RESEND,
+          `Please wait ${waitSeconds} seconds before requesting another code`,
+          {
+            retryAfter: waitSeconds,
+            resendDelay,
+          },
+        );
+      }
+    }
+    this.logger?.debug?.(`Resending SMS verification code: sub=${sub}`);
+    // Preserve challengeSessionId from the last token to ensure verification succeeds
+    const sendDto = Object.assign(new SendVerificationSMSDTO(), {
+      sub,
+      challengeSessionId: lastToken?.challengeSessionId ?? undefined,
+    });
+    const result = await this.sendVerificationSMS(sendDto);
+    return { tokenId: result.tokenId };
+  }
+  /**
+   * Resend verification SMS by phone number (private helper)
+   *
+   * @param phone - Phone number
+   * @returns New verification token id
+   */
+  private async resendVerificationSMSForPhone(phone: string): Promise<ResendVerificationSMSResponseDTO> {
+    const user = (await this.userRepo.findOne({ where: { phone } })) as IUser | null;
+    if (!user) {
+      throw new NAuthException(AuthErrorCode.NOT_FOUND, 'User not found');
+    }
+    if (user.isPhoneVerified) {
+      throw new NAuthException(AuthErrorCode.ALREADY_VERIFIED, 'Phone number is already verified');
+    }
+    return this.resendVerificationSMSBySub(user.sub);
+  }
+  // ============================================================================
+  // Helpers
+  // ============================================================================
+  /**
+   * Generate N-digit OTP code (default 6)
+   */
+  private generateCode(): string {
+    const codeLength = this.config.signup?.phoneVerification?.codeLength || 6;
+    const min = Math.pow(10, codeLength - 1);
+    const max = Math.pow(10, codeLength) - 1;
+    return Math.floor(min + Math.random() * (max - min + 1)).toString();
+  }
+  /**
+   * Generate secure random token
+   */
+  private generateToken(): string {
+    return crypto.randomBytes(32).toString('hex');
+  }
+  /**
+   * Hash token with SHA-256
+   */
+  private hashToken(token: string): string {
+    return crypto.createHash('sha256').update(token).digest('hex');
+  }
+  /**
+   * Mask phone number for logging (preserves last 4 digits)
+   * @private
+   */
+  private maskPhone(phone: string): string {
+    if (!phone || phone.length < 4) return '***';
+    return `***${phone.slice(-4)}`;
+  }
+}