@nauth-toolkit/core 0.1.14 → 0.1.17

package/dist/dto/reset-password.dto.js

@@ -12,8 +12,37 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.ResetPasswordDTO = exports.ResetPasswordRequestDTO = void 0;
 const class_validator_1 = require("class-validator");
 const class_transformer_1 = require("class-transformer");
+/**
+ * Reset Password Request DTO
+ *
+ * Used to request a password reset token via email or phone.
+ *
+ * Security:
+ * - Identifier validated (email or phone)
+ * - Input sanitization applied
+ *
+ * @example
+ * ```typescript
+ * POST /auth/reset-password/request
+ * {
+ *   "identifier": "user@example.com"
+ * }
+ * ```
+ */
 class ResetPasswordRequestDTO {
-    identifier;
+    /**
+     * User identifier (email or phone)
+     *
+     * Validation:
+     * - Must be a string
+     * - Min 1 character
+     * - Max 255 characters (matches DB constraint for email)
+     *
+     * Sanitization:
+     * - Trimmed
+     * - Lowercased if email format detected
+     */
+    identifier; // email or phone
 }
 exports.ResetPasswordRequestDTO = ResetPasswordRequestDTO;
 __decorate([
@@ -24,6 +53,7 @@ __decorate([
     (0, class_transformer_1.Transform)(({ value }) => {
         if (typeof value === 'string') {
             const trimmed = value.trim();
+            // If it contains @, treat as email and lowercase
             if (trimmed.includes('@')) {
                 return trimmed.toLowerCase();
             }
@@ -33,8 +63,53 @@ __decorate([
     }),
     __metadata("design:type", String)
 ], ResetPasswordRequestDTO.prototype, "identifier", void 0);
+/**
+ * Reset Password DTO
+ *
+ * Used to reset password with a valid reset token.
+ *
+ * Security:
+ * - Token length validated (matches DB constraint: varchar(255))
+ * - Password strength enforced (8-128 chars)
+ * - Token format validated in service layer
+ *
+ * @example
+ * ```typescript
+ * POST /auth/reset-password
+ * {
+ *   "token": "reset-token-from-email",
+ *   "newPassword": "NewSecurePassword123!"
+ * }
+ * ```
+ */
 class ResetPasswordDTO {
+    /**
+     * Password reset token from email
+     *
+     * Validation:
+     * - Must be a string
+     * - Min 1 character (prevents empty strings)
+     * - Max 255 characters (matches DB constraint: varchar(255))
+     *
+     * Sanitization:
+     * - Trimmed
+     *
+     * Note: Token format and validity validated in service layer
+     */
     token;
+    /**
+     * New password
+     *
+     * Validation:
+     * - Must be a string
+     * - Min 8 characters (security requirement)
+     * - Max 128 characters (prevents DoS via bcrypt)
+     *
+     * Note: NOT trimmed (passwords can have leading/trailing spaces)
+     * Additional checks in service layer:
+     * - Password strength (if configured)
+     * - Password history (prevent reuse)
+     */
     newPassword;
 }
 exports.ResetPasswordDTO = ResetPasswordDTO;

package/dist/dto/reset-password.dto.js.map

@@ -1 +1 @@
-{"version":3,"file":"reset-password.dto.js","sourceRoot":"","sources":["../../src/dto/reset-password.dto.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,qDAA6E;AAC7E,yDAA8C;AAmB9C,MAAa,uBAAuB;IA4BlC,UAAU,CAAU;CACrB;AA7BD,0DA6BC;AADC;IAfC,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,6BAA6B,EAAE,CAAC;IACpD,IAAA,4BAAU,EAAC,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;IACjD,IAAA,2BAAS,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;IACnD,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,2CAA2C,EAAE,CAAC;IACxE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;YAE7B,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC1B,OAAO,OAAO,CAAC,WAAW,EAAE,CAAC;YAC/B,CAAC;YACD,OAAO,OAAO,CAAC;QACjB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;2DACkB;AAsBtB,MAAa,gBAAgB;IAwB3B,KAAK,CAAU;IAmBf,WAAW,CAAU;CACtB;AA5CD,4CA4CC;AApBC;IAVC,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;IAC/C,IAAA,4BAAU,EAAC,EAAE,OAAO,EAAE,mBAAmB,EAAE,CAAC;IAC5C,IAAA,2BAAS,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,mBAAmB,EAAE,CAAC;IAC9C,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,sCAAsC,EAAE,CAAC;IACnE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;+CACa;AAmBf;IAJC,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC;IACtD,IAAA,4BAAU,EAAC,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC;IACnD,IAAA,2BAAS,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,wCAAwC,EAAE,CAAC;IACnE,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,yCAAyC,EAAE,CAAC;;qDAClD"}
+{"version":3,"file":"reset-password.dto.js","sourceRoot":"","sources":["../../src/dto/reset-password.dto.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,qDAA6E;AAC7E,yDAA8C;AAE9C;;;;;;;;;;;;;;;;GAgBG;AACH,MAAa,uBAAuB;IAClC;;;;;;;;;;;OAWG;IAgBH,UAAU,CAAU,CAAC,iBAAiB;CACvC;AA7BD,0DA6BC;AADC;IAfC,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,6BAA6B,EAAE,CAAC;IACpD,IAAA,4BAAU,EAAC,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;IACjD,IAAA,2BAAS,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;IACnD,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,2CAA2C,EAAE,CAAC;IACxE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;YAC7B,iDAAiD;YACjD,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC1B,OAAO,OAAO,CAAC,WAAW,EAAE,CAAC;YAC/B,CAAC;YACD,OAAO,OAAO,CAAC;QACjB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;2DACkB;AAGtB;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAa,gBAAgB;IAC3B;;;;;;;;;;;;OAYG;IAWH,KAAK,CAAU;IAEf;;;;;;;;;;;;OAYG;IAKH,WAAW,CAAU;CACtB;AA5CD,4CA4CC;AApBC;IAVC,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;IAC/C,IAAA,4BAAU,EAAC,EAAE,OAAO,EAAE,mBAAmB,EAAE,CAAC;IAC5C,IAAA,2BAAS,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,mBAAmB,EAAE,CAAC;IAC9C,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,sCAAsC,EAAE,CAAC;IACnE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;+CACa;AAmBf;IAJC,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC;IACtD,IAAA,4BAAU,EAAC,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC;IACnD,IAAA,2BAAS,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,wCAAwC,EAAE,CAAC;IACnE,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,yCAAyC,EAAE,CAAC;;qDAClD"}

package/dist/dto/respond-challenge.dto.d.ts

@@ -1,3 +1,22 @@
+/**
+ * Unified Challenge Response DTO with Comprehensive Validation
+ *
+ * Provides class-validator validation for challenge responses.
+ * This is the single source of truth for challenge response validation,
+ * used by both NestJS and Express adapters.
+ *
+ * Security Features:
+ * - All string inputs have max length (prevents DoS attacks)
+ * - Phone numbers validated against E.164 format
+ * - Password strength enforced (8-128 chars)
+ * - Conditional validation based on challenge type
+ * - Enum validation prevents invalid challenge types
+ *
+ * @module RespondChallengeDTO
+ */
+/**
+ * Challenge type enum for validation
+ */
 export declare enum ChallengeType {
     VERIFY_EMAIL = "VERIFY_EMAIL",
     VERIFY_PHONE = "VERIFY_PHONE",
@@ -5,6 +24,9 @@ export declare enum ChallengeType {
     FORCE_CHANGE_PASSWORD = "FORCE_CHANGE_PASSWORD",
     MFA_SETUP_REQUIRED = "MFA_SETUP_REQUIRED"
 }
+/**
+ * MFA method enum for validation
+ */
 export declare enum MFAMethodType {
     SMS = "sms",
     EMAIL = "email",
@@ -12,16 +34,141 @@ export declare enum MFAMethodType {
     PASSKEY = "passkey",
     BACKUP = "backup"
 }
+/**
+ * Unified DTO for responding to authentication challenges
+ *
+ * Uses conditional validation (@ValidateIf) to validate fields based on challenge type.
+ * This ensures proper validation while maintaining a single endpoint for all challenge types.
+ *
+ * Security:
+ * - All strings have max length constraints matching DB limits
+ * - Phone numbers validated against E.164 format (prevents SQL injection)
+ * - Verification codes validated for length (4-10 chars)
+ * - Passwords validated for strength requirements
+ * - Session tokens validated as UUID v4 format (prevents injection)
+ *
+ * @example
+ * ```typescript
+ * @Controller('auth')
+ * export class AuthController {
+ *   @Post('respond-challenge')
+ *   async respondToChallenge(@Body() dto: RespondChallengeDTO) {
+ *     return await this.authService.respondToChallenge(dto);
+ *   }
+ * }
+ * ```
+ */
 export declare class RespondChallengeDTO {
+    /**
+     * Challenge session token (UUID v4)
+     * Always required
+     *
+     * Validation:
+     * - Must be a valid UUID v4 format
+     * - Generated using randomUUID() in challenge service
+     * - Matches DB constraint: varchar(255) but UUID format enforced
+     *
+     * Sanitization:
+     * - Trimmed
+     * - Lowercased for consistency
+     *
+     * @example "a21b654c-2746-4168-acee-c175083a65cd"
+     */
     session: string;
+    /**
+     * Challenge type being responded to
+     * Always required
+     */
     type: ChallengeType;
+    /**
+     * Verification code
+     * Required for:
+     * - VERIFY_EMAIL
+     * - VERIFY_PHONE (when verifying code)
+     * - MFA_REQUIRED (for SMS/Email/TOTP/Backup methods)
+     *
+     * Validation:
+     * - Must be a string
+     * - Length 4-10 characters (covers all code types)
+     * - Alphanumeric only
+     *
+     * Note: NOT trimmed (codes should be exact)
+     */
     code?: string;
+    /**
+     * Phone number in E.164 format
+     * Required for VERIFY_PHONE when collecting phone number (first step)
+     *
+     * Validation:
+     * - Must be a string
+     * - Must match E.164 format: +[country code][number]
+     * - Example: +14155552671
+     * - Max 20 characters (matches DB limit)
+     *
+     * Sanitization:
+     * - Trimmed
+     * - Only digits and leading + allowed
+     */
     phone?: string;
+    /**
+     * New password
+     * Required for FORCE_CHANGE_PASSWORD challenge
+     *
+     * Validation:
+     * - Must be a string
+     * - Min 8 characters (security requirement)
+     * - Max 128 characters (prevents DoS via bcrypt)
+     *
+     * Note: NOT trimmed (passwords can have leading/trailing spaces)
+     */
     newPassword?: string;
+    /**
+     * MFA method being used or set up
+     * Required for:
+     * - MFA_REQUIRED challenge (method being used for verification)
+     * - MFA_SETUP_REQUIRED challenge (method being set up)
+     *
+     * Validation:
+     * - Must be one of: sms, email, totp, passkey, backup
+     */
     method?: MFAMethodType;
+    /**
+     * Passkey credential
+     * Required for MFA_REQUIRED when method is 'passkey'
+     *
+     * Validation:
+     * - Must be an object
+     * - Contains WebAuthn credential from navigator.credentials.get()
+     */
     credential?: Record<string, unknown>;
+    /**
+     * MFA setup data (method-specific)
+     * Required for MFA_SETUP_REQUIRED challenge
+     *
+     * Expected structure by method:
+     * - SMS: { phone: string, code: string }
+     * - Email: { code: string }
+     * - TOTP: { code: string }
+     * - Passkey: { credential: Record<string, unknown> }
+     *
+     * Validation:
+     * - Must be an object
+     * - Structure validated by MFA provider services
+     */
     setupData?: Record<string, unknown>;
 }
+/**
+ * Helper type guards for challenge response
+ *
+ * Use these to narrow TypeScript types in your application logic.
+ *
+ * @example
+ * ```typescript
+ * if (RespondChallengeValidation.isEmailVerification(dto)) {
+ *   // TypeScript knows dto.code is available
+ * }
+ * ```
+ */
 export declare namespace RespondChallengeValidation {
     function isEmailVerification(dto: RespondChallengeDTO): boolean;
     function isPhoneCollection(dto: RespondChallengeDTO): boolean;

package/dist/dto/respond-challenge.dto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"respond-challenge.dto.d.ts","sourceRoot":"","sources":["../../src/dto/respond-challenge.dto.ts"],"names":[],"mappings":"AAuBA,oBAAY,aAAa;IACvB,YAAY,iBAAiB;IAC7B,YAAY,iBAAiB;IAC7B,YAAY,iBAAiB;IAC7B,qBAAqB,0BAA0B;IAC/C,kBAAkB,uBAAuB;CAC1C;AAKD,oBAAY,aAAa;IACvB,GAAG,QAAQ;IACX,KAAK,UAAU;IACf,IAAI,SAAS;IACb,OAAO,YAAY;IACnB,MAAM,WAAW;CAClB;AA0BD,qBAAa,mBAAmB;IAuB9B,OAAO,EAAG,MAAM,CAAC;IAUjB,IAAI,EAAG,aAAa,CAAC;IA6BrB,IAAI,CAAC,EAAE,MAAM,CAAC;IAgCd,KAAK,CAAC,EAAE,MAAM,CAAC;IAqBf,WAAW,CAAC,EAAE,MAAM,CAAC;IAiBrB,MAAM,CAAC,EAAE,aAAa,CAAC;IAYvB,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAsBrC,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACrC;AAcD,yBAAiB,0BAA0B,CAAC;IAC1C,SAAgB,mBAAmB,CAAC,GAAG,EAAE,mBAAmB,GAAG,OAAO,CAErE;IAED,SAAgB,iBAAiB,CAAC,GAAG,EAAE,mBAAmB,GAAG,OAAO,CAEnE;IAED,SAAgB,mBAAmB,CAAC,GAAG,EAAE,mBAAmB,GAAG,OAAO,CAErE;IAED,SAAgB,gBAAgB,CAAC,GAAG,EAAE,mBAAmB,GAAG,OAAO,CAElE;IAED,SAAgB,iBAAiB,CAAC,GAAG,EAAE,mBAAmB,GAAG,OAAO,CAEnE;IAED,SAAgB,UAAU,CAAC,GAAG,EAAE,mBAAmB,GAAG,OAAO,CAE5D;CACF"}
+{"version":3,"file":"respond-challenge.dto.d.ts","sourceRoot":"","sources":["../../src/dto/respond-challenge.dto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAKH;;GAEG;AACH,oBAAY,aAAa;IACvB,YAAY,iBAAiB;IAC7B,YAAY,iBAAiB;IAC7B,YAAY,iBAAiB;IAC7B,qBAAqB,0BAA0B;IAC/C,kBAAkB,uBAAuB;CAC1C;AAED;;GAEG;AACH,oBAAY,aAAa;IACvB,GAAG,QAAQ;IACX,KAAK,UAAU;IACf,IAAI,SAAS;IACb,OAAO,YAAY;IACnB,MAAM,WAAW;CAClB;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,qBAAa,mBAAmB;IAC9B;;;;;;;;;;;;;;OAcG;IAQH,OAAO,EAAG,MAAM,CAAC;IAEjB;;;OAGG;IAKH,IAAI,EAAG,aAAa,CAAC;IAMrB;;;;;;;;;;;;;OAaG;IAUH,IAAI,CAAC,EAAE,MAAM,CAAC;IAMd;;;;;;;;;;;;;OAaG;IAaH,KAAK,CAAC,EAAE,MAAM,CAAC;IAMf;;;;;;;;;;OAUG;IAKH,WAAW,CAAC,EAAE,MAAM,CAAC;IAMrB;;;;;;;;OAQG;IAGH,MAAM,CAAC,EAAE,aAAa,CAAC;IAEvB;;;;;;;OAOG;IAGH,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAMrC;;;;;;;;;;;;;OAaG;IAGH,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACrC;AAED;;;;;;;;;;;GAWG;AACH,yBAAiB,0BAA0B,CAAC;IAC1C,SAAgB,mBAAmB,CAAC,GAAG,EAAE,mBAAmB,GAAG,OAAO,CAErE;IAED,SAAgB,iBAAiB,CAAC,GAAG,EAAE,mBAAmB,GAAG,OAAO,CAEnE;IAED,SAAgB,mBAAmB,CAAC,GAAG,EAAE,mBAAmB,GAAG,OAAO,CAErE;IAED,SAAgB,gBAAgB,CAAC,GAAG,EAAE,mBAAmB,GAAG,OAAO,CAElE;IAED,SAAgB,iBAAiB,CAAC,GAAG,EAAE,mBAAmB,GAAG,OAAO,CAEnE;IAED,SAAgB,UAAU,CAAC,GAAG,EAAE,mBAAmB,GAAG,OAAO,CAE5D;CACF"}

package/dist/dto/respond-challenge.dto.js

@@ -1,4 +1,20 @@
 "use strict";
+/**
+ * Unified Challenge Response DTO with Comprehensive Validation
+ *
+ * Provides class-validator validation for challenge responses.
+ * This is the single source of truth for challenge response validation,
+ * used by both NestJS and Express adapters.
+ *
+ * Security Features:
+ * - All string inputs have max length (prevents DoS attacks)
+ * - Phone numbers validated against E.164 format
+ * - Password strength enforced (8-128 chars)
+ * - Conditional validation based on challenge type
+ * - Enum validation prevents invalid challenge types
+ *
+ * @module RespondChallengeDTO
+ */
 var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
     var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
     if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
@@ -12,6 +28,9 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.RespondChallengeValidation = exports.RespondChallengeDTO = exports.MFAMethodType = exports.ChallengeType = void 0;
 const class_validator_1 = require("class-validator");
 const class_transformer_1 = require("class-transformer");
+/**
+ * Challenge type enum for validation
+ */
 var ChallengeType;
 (function (ChallengeType) {
     ChallengeType["VERIFY_EMAIL"] = "VERIFY_EMAIL";
@@ -20,6 +39,9 @@ var ChallengeType;
     ChallengeType["FORCE_CHANGE_PASSWORD"] = "FORCE_CHANGE_PASSWORD";
     ChallengeType["MFA_SETUP_REQUIRED"] = "MFA_SETUP_REQUIRED";
 })(ChallengeType || (exports.ChallengeType = ChallengeType = {}));
+/**
+ * MFA method enum for validation
+ */
 var MFAMethodType;
 (function (MFAMethodType) {
     MFAMethodType["SMS"] = "sms";
@@ -28,14 +50,142 @@ var MFAMethodType;
     MFAMethodType["PASSKEY"] = "passkey";
     MFAMethodType["BACKUP"] = "backup";
 })(MFAMethodType || (exports.MFAMethodType = MFAMethodType = {}));
+/**
+ * Unified DTO for responding to authentication challenges
+ *
+ * Uses conditional validation (@ValidateIf) to validate fields based on challenge type.
+ * This ensures proper validation while maintaining a single endpoint for all challenge types.
+ *
+ * Security:
+ * - All strings have max length constraints matching DB limits
+ * - Phone numbers validated against E.164 format (prevents SQL injection)
+ * - Verification codes validated for length (4-10 chars)
+ * - Passwords validated for strength requirements
+ * - Session tokens validated as UUID v4 format (prevents injection)
+ *
+ * @example
+ * ```typescript
+ * @Controller('auth')
+ * export class AuthController {
+ *   @Post('respond-challenge')
+ *   async respondToChallenge(@Body() dto: RespondChallengeDTO) {
+ *     return await this.authService.respondToChallenge(dto);
+ *   }
+ * }
+ * ```
+ */
 class RespondChallengeDTO {
+    /**
+     * Challenge session token (UUID v4)
+     * Always required
+     *
+     * Validation:
+     * - Must be a valid UUID v4 format
+     * - Generated using randomUUID() in challenge service
+     * - Matches DB constraint: varchar(255) but UUID format enforced
+     *
+     * Sanitization:
+     * - Trimmed
+     * - Lowercased for consistency
+     *
+     * @example "a21b654c-2746-4168-acee-c175083a65cd"
+     */
     session;
+    /**
+     * Challenge type being responded to
+     * Always required
+     */
     type;
+    // ============================================================================
+    // VERIFY_EMAIL / VERIFY_PHONE / MFA_REQUIRED (code-based)
+    // ============================================================================
+    /**
+     * Verification code
+     * Required for:
+     * - VERIFY_EMAIL
+     * - VERIFY_PHONE (when verifying code)
+     * - MFA_REQUIRED (for SMS/Email/TOTP/Backup methods)
+     *
+     * Validation:
+     * - Must be a string
+     * - Length 4-10 characters (covers all code types)
+     * - Alphanumeric only
+     *
+     * Note: NOT trimmed (codes should be exact)
+     */
     code;
+    // ============================================================================
+    // VERIFY_PHONE (phone collection)
+    // ============================================================================
+    /**
+     * Phone number in E.164 format
+     * Required for VERIFY_PHONE when collecting phone number (first step)
+     *
+     * Validation:
+     * - Must be a string
+     * - Must match E.164 format: +[country code][number]
+     * - Example: +14155552671
+     * - Max 20 characters (matches DB limit)
+     *
+     * Sanitization:
+     * - Trimmed
+     * - Only digits and leading + allowed
+     */
     phone;
+    // ============================================================================
+    // FORCE_CHANGE_PASSWORD
+    // ============================================================================
+    /**
+     * New password
+     * Required for FORCE_CHANGE_PASSWORD challenge
+     *
+     * Validation:
+     * - Must be a string
+     * - Min 8 characters (security requirement)
+     * - Max 128 characters (prevents DoS via bcrypt)
+     *
+     * Note: NOT trimmed (passwords can have leading/trailing spaces)
+     */
     newPassword;
+    // ============================================================================
+    // MFA_REQUIRED / MFA_SETUP_REQUIRED
+    // ============================================================================
+    /**
+     * MFA method being used or set up
+     * Required for:
+     * - MFA_REQUIRED challenge (method being used for verification)
+     * - MFA_SETUP_REQUIRED challenge (method being set up)
+     *
+     * Validation:
+     * - Must be one of: sms, email, totp, passkey, backup
+     */
     method;
+    /**
+     * Passkey credential
+     * Required for MFA_REQUIRED when method is 'passkey'
+     *
+     * Validation:
+     * - Must be an object
+     * - Contains WebAuthn credential from navigator.credentials.get()
+     */
     credential;
+    // ============================================================================
+    // MFA_SETUP_REQUIRED
+    // ============================================================================
+    /**
+     * MFA setup data (method-specific)
+     * Required for MFA_SETUP_REQUIRED challenge
+     *
+     * Expected structure by method:
+     * - SMS: { phone: string, code: string }
+     * - Email: { code: string }
+     * - TOTP: { code: string }
+     * - Passkey: { credential: Record<string, unknown> }
+     *
+     * Validation:
+     * - Must be an object
+     * - Structure validated by MFA provider services
+     */
     setupData;
 }
 exports.RespondChallengeDTO = RespondChallengeDTO;
@@ -101,6 +251,18 @@ __decorate([
     (0, class_validator_1.IsObject)({ message: 'Setup data must be an object' }),
     __metadata("design:type", Object)
 ], RespondChallengeDTO.prototype, "setupData", void 0);
+/**
+ * Helper type guards for challenge response
+ *
+ * Use these to narrow TypeScript types in your application logic.
+ *
+ * @example
+ * ```typescript
+ * if (RespondChallengeValidation.isEmailVerification(dto)) {
+ *   // TypeScript knows dto.code is available
+ * }
+ * ```
+ */
 var RespondChallengeValidation;
 (function (RespondChallengeValidation) {
     function isEmailVerification(dto) {

package/dist/dto/respond-challenge.dto.js.map

@@ -1 +1 @@
-{"version":3,"file":"respond-challenge.dto.js","sourceRoot":"","sources":["../../src/dto/respond-challenge.dto.ts"],"names":[],"mappings":";;;;;;;;;;;;AAiBA,qDAAwH;AACxH,yDAA8C;AAK9C,IAAY,aAMX;AAND,WAAY,aAAa;IACvB,8CAA6B,CAAA;IAC7B,8CAA6B,CAAA;IAC7B,8CAA6B,CAAA;IAC7B,gEAA+C,CAAA;IAC/C,0DAAyC,CAAA;AAC3C,CAAC,EANW,aAAa,6BAAb,aAAa,QAMxB;AAKD,IAAY,aAMX;AAND,WAAY,aAAa;IACvB,4BAAW,CAAA;IACX,gCAAe,CAAA;IACf,8BAAa,CAAA;IACb,oCAAmB,CAAA;IACnB,kCAAiB,CAAA;AACnB,CAAC,EANW,aAAa,6BAAb,aAAa,QAMxB;AA0BD,MAAa,mBAAmB;IAuB9B,OAAO,CAAU;IAUjB,IAAI,CAAiB;IA6BrB,IAAI,CAAU;IAgCd,KAAK,CAAU;IAqBf,WAAW,CAAU;IAiBrB,MAAM,CAAiB;IAYvB,UAAU,CAA2B;IAsBrC,SAAS,CAA2B;CACrC;AAvKD,kDAuKC;AAhJC;IAPC,IAAA,wBAAM,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,8CAA8C,EAAE,CAAC;IACxE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACpC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;oDACe;AAUjB;IAJC,IAAA,wBAAM,EAAC,aAAa,EAAE;QACrB,OAAO,EACL,oHAAoH;KACvH,CAAC;;iDACmB;AA6BrB;IATC,IAAA,4BAAU,EACT,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,IAAI,KAAK,aAAa,CAAC,YAAY;QACrC,CAAC,CAAC,CAAC,IAAI,KAAK,aAAa,CAAC,YAAY,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC;QACnD,CAAC,CAAC,CAAC,IAAI,KAAK,aAAa,CAAC,YAAY,IAAI,CAAC,CAAC,MAAM,KAAK,aAAa,CAAC,OAAO,CAAC,CAChF;IACA,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,uBAAuB,EAAE,CAAC;IAC9C,IAAA,wBAAM,EAAC,CAAC,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,0CAA0C,EAAE,CAAC;IACtE,IAAA,yBAAO,EAAC,gBAAgB,EAAE,EAAE,OAAO,EAAE,2CAA2C,EAAE,CAAC;;iDACtE;AAgCd;IAZC,IAAA,4BAAU,EAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,aAAa,CAAC,YAAY,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;IACnE,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;IAC/C,IAAA,2BAAS,EAAC,EAAE,EAAE,EAAE,OAAO,EAAE,4CAA4C,EAAE,CAAC;IACxE,IAAA,yBAAO,EAAC,mBAAmB,EAAE;QAC5B,OAAO,EAAE,oDAAoD;KAC9D,CAAC;IACD,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;kDACa;AAqBf;IAJC,IAAA,4BAAU,EAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,aAAa,CAAC,qBAAqB,CAAC;IACjE,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC;IACtD,IAAA,2BAAS,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,wCAAwC,EAAE,CAAC;IACnE,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,yCAAyC,EAAE,CAAC;;wDAClD;AAiBrB;IAFC,IAAA,4BAAU,EAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,aAAa,CAAC,YAAY,IAAI,CAAC,CAAC,IAAI,KAAK,aAAa,CAAC,kBAAkB,CAAC;IACvG,IAAA,wBAAM,EAAC,aAAa,EAAE,EAAE,OAAO,EAAE,8DAA8D,EAAE,CAAC;;mDAC5E;AAYvB;IAFC,IAAA,4BAAU,EAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,aAAa,CAAC,YAAY,IAAI,CAAC,CAAC,MAAM,KAAK,aAAa,CAAC,OAAO,CAAC;IAC9F,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,8BAA8B,EAAE,CAAC;;uDACjB;AAsBrC;IAFC,IAAA,4BAAU,EAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,aAAa,CAAC,kBAAkB,CAAC;IAC9D,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,8BAA8B,EAAE,CAAC;;sDAClB;AAetC,IAAiB,0BAA0B,CAwB1C;AAxBD,WAAiB,0BAA0B;IACzC,SAAgB,mBAAmB,CAAC,GAAwB;QAC1D,OAAO,GAAG,CAAC,IAAI,KAAK,aAAa,CAAC,YAAY,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC;IAC/D,CAAC;IAFe,8CAAmB,sBAElC,CAAA;IAED,SAAgB,iBAAiB,CAAC,GAAwB;QACxD,OAAO,GAAG,CAAC,IAAI,KAAK,aAAa,CAAC,YAAY,IAAI,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC;IAChE,CAAC;IAFe,4CAAiB,oBAEhC,CAAA;IAED,SAAgB,mBAAmB,CAAC,GAAwB;QAC1D,OAAO,GAAG,CAAC,IAAI,KAAK,aAAa,CAAC,YAAY,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC;IAC/D,CAAC;IAFe,8CAAmB,sBAElC,CAAA;IAED,SAAgB,gBAAgB,CAAC,GAAwB;QACvD,OAAO,GAAG,CAAC,IAAI,KAAK,aAAa,CAAC,qBAAqB,IAAI,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC;IAC/E,CAAC;IAFe,2CAAgB,mBAE/B,CAAA;IAED,SAAgB,iBAAiB,CAAC,GAAwB;QACxD,OAAO,GAAG,CAAC,IAAI,KAAK,aAAa,CAAC,YAAY,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC;IACjE,CAAC;IAFe,4CAAiB,oBAEhC,CAAA;IAED,SAAgB,UAAU,CAAC,GAAwB;QACjD,OAAO,GAAG,CAAC,IAAI,KAAK,aAAa,CAAC,kBAAkB,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC;IAC1F,CAAC;IAFe,qCAAU,aAEzB,CAAA;AACH,CAAC,EAxBgB,0BAA0B,0CAA1B,0BAA0B,QAwB1C"}
+{"version":3,"file":"respond-challenge.dto.js","sourceRoot":"","sources":["../../src/dto/respond-challenge.dto.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;GAeG;;;;;;;;;;;;AAEH,qDAAwH;AACxH,yDAA8C;AAE9C;;GAEG;AACH,IAAY,aAMX;AAND,WAAY,aAAa;IACvB,8CAA6B,CAAA;IAC7B,8CAA6B,CAAA;IAC7B,8CAA6B,CAAA;IAC7B,gEAA+C,CAAA;IAC/C,0DAAyC,CAAA;AAC3C,CAAC,EANW,aAAa,6BAAb,aAAa,QAMxB;AAED;;GAEG;AACH,IAAY,aAMX;AAND,WAAY,aAAa;IACvB,4BAAW,CAAA;IACX,gCAAe,CAAA;IACf,8BAAa,CAAA;IACb,oCAAmB,CAAA;IACnB,kCAAiB,CAAA;AACnB,CAAC,EANW,aAAa,6BAAb,aAAa,QAMxB;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAa,mBAAmB;IAC9B;;;;;;;;;;;;;;OAcG;IAQH,OAAO,CAAU;IAEjB;;;OAGG;IAKH,IAAI,CAAiB;IAErB,+EAA+E;IAC/E,0DAA0D;IAC1D,+EAA+E;IAE/E;;;;;;;;;;;;;OAaG;IAUH,IAAI,CAAU;IAEd,+EAA+E;IAC/E,kCAAkC;IAClC,+EAA+E;IAE/E;;;;;;;;;;;;;OAaG;IAaH,KAAK,CAAU;IAEf,+EAA+E;IAC/E,wBAAwB;IACxB,+EAA+E;IAE/E;;;;;;;;;;OAUG;IAKH,WAAW,CAAU;IAErB,+EAA+E;IAC/E,oCAAoC;IACpC,+EAA+E;IAE/E;;;;;;;;OAQG;IAGH,MAAM,CAAiB;IAEvB;;;;;;;OAOG;IAGH,UAAU,CAA2B;IAErC,+EAA+E;IAC/E,qBAAqB;IACrB,+EAA+E;IAE/E;;;;;;;;;;;;;OAaG;IAGH,SAAS,CAA2B;CACrC;AAvKD,kDAuKC;AAhJC;IAPC,IAAA,wBAAM,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,8CAA8C,EAAE,CAAC;IACxE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACpC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;oDACe;AAUjB;IAJC,IAAA,wBAAM,EAAC,aAAa,EAAE;QACrB,OAAO,EACL,oHAAoH;KACvH,CAAC;;iDACmB;AA6BrB;IATC,IAAA,4BAAU,EACT,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,IAAI,KAAK,aAAa,CAAC,YAAY;QACrC,CAAC,CAAC,CAAC,IAAI,KAAK,aAAa,CAAC,YAAY,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC;QACnD,CAAC,CAAC,CAAC,IAAI,KAAK,aAAa,CAAC,YAAY,IAAI,CAAC,CAAC,MAAM,KAAK,aAAa,CAAC,OAAO,CAAC,CAChF;IACA,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,uBAAuB,EAAE,CAAC;IAC9C,IAAA,wBAAM,EAAC,CAAC,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,0CAA0C,EAAE,CAAC;IACtE,IAAA,yBAAO,EAAC,gBAAgB,EAAE,EAAE,OAAO,EAAE,2CAA2C,EAAE,CAAC;;iDACtE;AAgCd;IAZC,IAAA,4BAAU,EAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,aAAa,CAAC,YAAY,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;IACnE,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;IAC/C,IAAA,2BAAS,EAAC,EAAE,EAAE,EAAE,OAAO,EAAE,4CAA4C,EAAE,CAAC;IACxE,IAAA,yBAAO,EAAC,mBAAmB,EAAE;QAC5B,OAAO,EAAE,oDAAoD;KAC9D,CAAC;IACD,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;kDACa;AAqBf;IAJC,IAAA,4BAAU,EAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,aAAa,CAAC,qBAAqB,CAAC;IACjE,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC;IACtD,IAAA,2BAAS,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,wCAAwC,EAAE,CAAC;IACnE,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,yCAAyC,EAAE,CAAC;;wDAClD;AAiBrB;IAFC,IAAA,4BAAU,EAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,aAAa,CAAC,YAAY,IAAI,CAAC,CAAC,IAAI,KAAK,aAAa,CAAC,kBAAkB,CAAC;IACvG,IAAA,wBAAM,EAAC,aAAa,EAAE,EAAE,OAAO,EAAE,8DAA8D,EAAE,CAAC;;mDAC5E;AAYvB;IAFC,IAAA,4BAAU,EAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,aAAa,CAAC,YAAY,IAAI,CAAC,CAAC,MAAM,KAAK,aAAa,CAAC,OAAO,CAAC;IAC9F,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,8BAA8B,EAAE,CAAC;;uDACjB;AAsBrC;IAFC,IAAA,4BAAU,EAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,aAAa,CAAC,kBAAkB,CAAC;IAC9D,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,8BAA8B,EAAE,CAAC;;sDAClB;AAGtC;;;;;;;;;;;GAWG;AACH,IAAiB,0BAA0B,CAwB1C;AAxBD,WAAiB,0BAA0B;IACzC,SAAgB,mBAAmB,CAAC,GAAwB;QAC1D,OAAO,GAAG,CAAC,IAAI,KAAK,aAAa,CAAC,YAAY,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC;IAC/D,CAAC;IAFe,8CAAmB,sBAElC,CAAA;IAED,SAAgB,iBAAiB,CAAC,GAAwB;QACxD,OAAO,GAAG,CAAC,IAAI,KAAK,aAAa,CAAC,YAAY,IAAI,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC;IAChE,CAAC;IAFe,4CAAiB,oBAEhC,CAAA;IAED,SAAgB,mBAAmB,CAAC,GAAwB;QAC1D,OAAO,GAAG,CAAC,IAAI,KAAK,aAAa,CAAC,YAAY,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC;IAC/D,CAAC;IAFe,8CAAmB,sBAElC,CAAA;IAED,SAAgB,gBAAgB,CAAC,GAAwB;QACvD,OAAO,GAAG,CAAC,IAAI,KAAK,aAAa,CAAC,qBAAqB,IAAI,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC;IAC/E,CAAC;IAFe,2CAAgB,mBAE/B,CAAA;IAED,SAAgB,iBAAiB,CAAC,GAAwB;QACxD,OAAO,GAAG,CAAC,IAAI,KAAK,aAAa,CAAC,YAAY,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC;IACjE,CAAC;IAFe,4CAAiB,oBAEhC,CAAA;IAED,SAAgB,UAAU,CAAC,GAAwB;QACjD,OAAO,GAAG,CAAC,IAAI,KAAK,aAAa,CAAC,kBAAkB,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC;IAC1F,CAAC;IAFe,qCAAU,aAEzB,CAAA;AACH,CAAC,EAxBgB,0BAA0B,0CAA1B,0BAA0B,QAwB1C"}

package/dist/dto/set-mfa-exemption.dto.d.ts

@@ -1,12 +1,77 @@
+/**
+ * DTO for setting MFA exemption
+ *
+ * Used to grant or revoke a user's exemption from multi-factor authentication requirements.
+ * Admin-only operation.
+ *
+ * @example
+ * ```typescript
+ * const result = await mfaService.setMFAExemption({
+ *   userSub: 'user-uuid',
+ *   exempt: true,
+ *   reason: 'Business partner requires MFA bypass',
+ *   grantedBy: 'admin@example.com'
+ * });
+ * ```
+ */
+/**
+ * DTO for setting MFA exemption
+ */
 export declare class SetMFAExemptionDTO {
+    /**
+     * User's unique identifier (UUID v4)
+     *
+     * Validation:
+     * - Must be a valid UUID v4 format
+     * - Matches DB constraint: char(36) or uuid
+     *
+     * Sanitization:
+     * - Trimmed
+     * - Lowercased for consistency
+     *
+     * @example "a21b654c-2746-4168-acee-c175083a65cd"
+     */
     userSub: string;
+    /**
+     * Whether to grant exemption (true) or revoke exemption (false)
+     */
     exempt: boolean;
+    /**
+     * Optional reason for the exemption status change
+     *
+     * Validation:
+     * - Max 500 characters
+     *
+     * Sanitization:
+     * - Trimmed
+     */
     reason?: string | null;
+    /**
+     * Optional identifier of the admin performing this action
+     *
+     * Validation:
+     * - Max 255 characters
+     *
+     * Sanitization:
+     * - Trimmed
+     */
     grantedBy?: string | null;
 }
+/**
+ * Response DTO for setting MFA exemption
+ */
 export declare class SetMFAExemptionResponseDTO {
+    /**
+     * Whether user is exempt from MFA requirements
+     */
     mfaExempt: boolean;
+    /**
+     * Reason for MFA exemption (if exempt)
+     */
     mfaExemptReason: string | null;
+    /**
+     * Date when MFA exemption was granted (if exempt)
+     */
     mfaExemptGrantedAt: Date | null;
 }
 //# sourceMappingURL=set-mfa-exemption.dto.d.ts.map

package/dist/dto/set-mfa-exemption.dto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"set-mfa-exemption.dto.d.ts","sourceRoot":"","sources":["../../src/dto/set-mfa-exemption.dto.ts"],"names":[],"mappings":"AAuBA,qBAAa,kBAAkB;IAqB7B,OAAO,EAAG,MAAM,CAAC;IAMjB,MAAM,EAAG,OAAO,CAAC;IAoBjB,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAoBvB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAKD,qBAAa,0BAA0B;IAIrC,SAAS,EAAG,OAAO,CAAC;IAKpB,eAAe,EAAG,MAAM,GAAG,IAAI,CAAC;IAKhC,kBAAkB,EAAG,IAAI,GAAG,IAAI,CAAC;CAClC"}
+{"version":3,"file":"set-mfa-exemption.dto.d.ts","sourceRoot":"","sources":["../../src/dto/set-mfa-exemption.dto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAKH;;GAEG;AACH,qBAAa,kBAAkB;IAC7B;;;;;;;;;;;;OAYG;IAQH,OAAO,EAAG,MAAM,CAAC;IAEjB;;OAEG;IAEH,MAAM,EAAG,OAAO,CAAC;IAEjB;;;;;;;;OAQG;IAUH,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAEvB;;;;;;;;OAQG;IAUH,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAED;;GAEG;AACH,qBAAa,0BAA0B;IACrC;;OAEG;IACH,SAAS,EAAG,OAAO,CAAC;IAEpB;;OAEG;IACH,eAAe,EAAG,MAAM,GAAG,IAAI,CAAC;IAEhC;;OAEG;IACH,kBAAkB,EAAG,IAAI,GAAG,IAAI,CAAC;CAClC"}

package/dist/dto/set-mfa-exemption.dto.js

@@ -1,4 +1,20 @@
 "use strict";
+/**
+ * DTO for setting MFA exemption
+ *
+ * Used to grant or revoke a user's exemption from multi-factor authentication requirements.
+ * Admin-only operation.
+ *
+ * @example
+ * ```typescript
+ * const result = await mfaService.setMFAExemption({
+ *   userSub: 'user-uuid',
+ *   exempt: true,
+ *   reason: 'Business partner requires MFA bypass',
+ *   grantedBy: 'admin@example.com'
+ * });
+ * ```
+ */
 var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
     var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
     if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
@@ -12,10 +28,47 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.SetMFAExemptionResponseDTO = exports.SetMFAExemptionDTO = void 0;
 const class_validator_1 = require("class-validator");
 const class_transformer_1 = require("class-transformer");
+/**
+ * DTO for setting MFA exemption
+ */
 class SetMFAExemptionDTO {
+    /**
+     * User's unique identifier (UUID v4)
+     *
+     * Validation:
+     * - Must be a valid UUID v4 format
+     * - Matches DB constraint: char(36) or uuid
+     *
+     * Sanitization:
+     * - Trimmed
+     * - Lowercased for consistency
+     *
+     * @example "a21b654c-2746-4168-acee-c175083a65cd"
+     */
     userSub;
+    /**
+     * Whether to grant exemption (true) or revoke exemption (false)
+     */
     exempt;
+    /**
+     * Optional reason for the exemption status change
+     *
+     * Validation:
+     * - Max 500 characters
+     *
+     * Sanitization:
+     * - Trimmed
+     */
     reason;
+    /**
+     * Optional identifier of the admin performing this action
+     *
+     * Validation:
+     * - Max 255 characters
+     *
+     * Sanitization:
+     * - Trimmed
+     */
     grantedBy;
 }
 exports.SetMFAExemptionDTO = SetMFAExemptionDTO;
@@ -57,9 +110,21 @@ __decorate([
     }),
     __metadata("design:type", Object)
 ], SetMFAExemptionDTO.prototype, "grantedBy", void 0);
+/**
+ * Response DTO for setting MFA exemption
+ */
 class SetMFAExemptionResponseDTO {
+    /**
+     * Whether user is exempt from MFA requirements
+     */
     mfaExempt;
+    /**
+     * Reason for MFA exemption (if exempt)
+     */
     mfaExemptReason;
+    /**
+     * Date when MFA exemption was granted (if exempt)
+     */
     mfaExemptGrantedAt;
 }
 exports.SetMFAExemptionResponseDTO = SetMFAExemptionResponseDTO;