npm - @nauth-toolkit/core - Versions diffs - 0.1.14 → 0.1.17 - Mend

@nauth-toolkit/core 0.1.14 → 0.1.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (623) hide show

package/dist/adapters/database-columns.d.ts +70 -0
package/dist/adapters/database-columns.d.ts.map +1 -1
package/dist/adapters/database-columns.js +76 -2
package/dist/adapters/database-columns.js.map +1 -1
package/dist/adapters/express.adapter.d.ts +66 -0
package/dist/adapters/express.adapter.d.ts.map +1 -1
package/dist/adapters/express.adapter.js +80 -0
package/dist/adapters/express.adapter.js.map +1 -1
package/dist/adapters/fastify.adapter.d.ts +42 -0
package/dist/adapters/fastify.adapter.d.ts.map +1 -1
package/dist/adapters/fastify.adapter.js +86 -0
package/dist/adapters/fastify.adapter.js.map +1 -1
package/dist/adapters/index.d.ts +5 -0
package/dist/adapters/index.d.ts.map +1 -1
package/dist/adapters/index.js +9 -0
package/dist/adapters/index.js.map +1 -1
package/dist/adapters/storage.factory.d.ts +107 -0
package/dist/adapters/storage.factory.d.ts.map +1 -1
package/dist/adapters/storage.factory.js +114 -0
package/dist/adapters/storage.factory.js.map +1 -1
package/dist/adapters.d.ts +8 -0
package/dist/adapters.d.ts.map +1 -1
package/dist/adapters.js +8 -0
package/dist/adapters.js.map +1 -1
package/dist/bootstrap.d.ts +82 -0
package/dist/bootstrap.d.ts.map +1 -1
package/dist/bootstrap.js +106 -0
package/dist/bootstrap.js.map +1 -1
package/dist/dto/admin-set-password.dto.d.ts +90 -0
package/dist/dto/admin-set-password.dto.d.ts.map +1 -1
package/dist/dto/admin-set-password.dto.js +91 -0
package/dist/dto/admin-set-password.dto.js.map +1 -1
package/dist/dto/auth-challenge.dto.d.ts +170 -0
package/dist/dto/auth-challenge.dto.d.ts.map +1 -1
package/dist/dto/auth-challenge.dto.js +170 -0
package/dist/dto/auth-challenge.dto.js.map +1 -1
package/dist/dto/auth-response.dto.d.ts +196 -0
package/dist/dto/auth-response.dto.d.ts.map +1 -1
package/dist/dto/auth-response.dto.js +149 -0
package/dist/dto/auth-response.dto.js.map +1 -1
package/dist/dto/challenge-response.dto.d.ts +155 -0
package/dist/dto/challenge-response.dto.d.ts.map +1 -1
package/dist/dto/challenge-response.dto.js +8 -0
package/dist/dto/challenge-response.dto.js.map +1 -1
package/dist/dto/change-password-request.dto.d.ts +35 -0
package/dist/dto/change-password-request.dto.d.ts.map +1 -1
package/dist/dto/change-password-request.dto.js +35 -0
package/dist/dto/change-password-request.dto.js.map +1 -1
package/dist/dto/change-password-response.dto.d.ts +25 -0
package/dist/dto/change-password-response.dto.d.ts.map +1 -1
package/dist/dto/change-password-response.dto.js +25 -0
package/dist/dto/change-password-response.dto.js.map +1 -1
package/dist/dto/change-password.dto.d.ts +45 -0
package/dist/dto/change-password.dto.d.ts.map +1 -1
package/dist/dto/change-password.dto.js +45 -0
package/dist/dto/change-password.dto.js.map +1 -1
package/dist/dto/confirm-forgot-password.dto.d.ts +59 -0
package/dist/dto/confirm-forgot-password.dto.d.ts.map +1 -1
package/dist/dto/confirm-forgot-password.dto.js +59 -0
package/dist/dto/confirm-forgot-password.dto.js.map +1 -1
package/dist/dto/error-response.dto.d.ts +103 -0
package/dist/dto/error-response.dto.d.ts.map +1 -1
package/dist/dto/error-response.dto.js +103 -0
package/dist/dto/error-response.dto.js.map +1 -1
package/dist/dto/forgot-password.dto.d.ts +58 -0
package/dist/dto/forgot-password.dto.d.ts.map +1 -1
package/dist/dto/forgot-password.dto.js +58 -0
package/dist/dto/forgot-password.dto.js.map +1 -1
package/dist/dto/get-available-methods.dto.d.ts +37 -0
package/dist/dto/get-available-methods.dto.d.ts.map +1 -1
package/dist/dto/get-available-methods.dto.js +37 -0
package/dist/dto/get-available-methods.dto.js.map +1 -1
package/dist/dto/get-challenge-data-response.dto.d.ts +24 -0
package/dist/dto/get-challenge-data-response.dto.d.ts.map +1 -1
package/dist/dto/get-challenge-data-response.dto.js +24 -0
package/dist/dto/get-challenge-data-response.dto.js.map +1 -1
package/dist/dto/get-challenge-data.dto.d.ts +46 -0
package/dist/dto/get-challenge-data.dto.d.ts.map +1 -1
package/dist/dto/get-challenge-data.dto.js +46 -0
package/dist/dto/get-challenge-data.dto.js.map +1 -1
package/dist/dto/get-client-info.dto.d.ts +74 -0
package/dist/dto/get-client-info.dto.d.ts.map +1 -1
package/dist/dto/get-client-info.dto.js +74 -0
package/dist/dto/get-client-info.dto.js.map +1 -1
package/dist/dto/get-device-token-response.dto.d.ts +21 -0
package/dist/dto/get-device-token-response.dto.d.ts.map +1 -1
package/dist/dto/get-device-token-response.dto.js +21 -0
package/dist/dto/get-device-token-response.dto.js.map +1 -1
package/dist/dto/get-events-by-type.dto.d.ts +50 -0
package/dist/dto/get-events-by-type.dto.d.ts.map +1 -1
package/dist/dto/get-events-by-type.dto.js +50 -0
package/dist/dto/get-events-by-type.dto.js.map +1 -1
package/dist/dto/get-ip-address-response.dto.d.ts +20 -0
package/dist/dto/get-ip-address-response.dto.d.ts.map +1 -1
package/dist/dto/get-ip-address-response.dto.js +20 -0
package/dist/dto/get-ip-address-response.dto.js.map +1 -1
package/dist/dto/get-mfa-status.dto.d.ts +59 -0
package/dist/dto/get-mfa-status.dto.d.ts.map +1 -1
package/dist/dto/get-mfa-status.dto.js +59 -0
package/dist/dto/get-mfa-status.dto.js.map +1 -1
package/dist/dto/get-risk-assessment-history.dto.d.ts +28 -0
package/dist/dto/get-risk-assessment-history.dto.d.ts.map +1 -1
package/dist/dto/get-risk-assessment-history.dto.js +28 -0
package/dist/dto/get-risk-assessment-history.dto.js.map +1 -1
package/dist/dto/get-session-id-response.dto.d.ts +21 -0
package/dist/dto/get-session-id-response.dto.d.ts.map +1 -1
package/dist/dto/get-session-id-response.dto.js +21 -0
package/dist/dto/get-session-id-response.dto.js.map +1 -1
package/dist/dto/get-setup-data-response.dto.d.ts +27 -0
package/dist/dto/get-setup-data-response.dto.d.ts.map +1 -1
package/dist/dto/get-setup-data-response.dto.js +27 -0
package/dist/dto/get-setup-data-response.dto.js.map +1 -1
package/dist/dto/get-setup-data.dto.d.ts +51 -0
package/dist/dto/get-setup-data.dto.d.ts.map +1 -1
package/dist/dto/get-setup-data.dto.js +51 -0
package/dist/dto/get-setup-data.dto.js.map +1 -1
package/dist/dto/get-suspicious-activity.dto.d.ts +31 -0
package/dist/dto/get-suspicious-activity.dto.d.ts.map +1 -1
package/dist/dto/get-suspicious-activity.dto.js +31 -0
package/dist/dto/get-suspicious-activity.dto.js.map +1 -1
package/dist/dto/get-user-agent-response.dto.d.ts +19 -0
package/dist/dto/get-user-agent-response.dto.d.ts.map +1 -1
package/dist/dto/get-user-agent-response.dto.js +19 -0
package/dist/dto/get-user-agent-response.dto.js.map +1 -1
package/dist/dto/get-user-auth-history.dto.d.ts +64 -0
package/dist/dto/get-user-auth-history.dto.d.ts.map +1 -1
package/dist/dto/get-user-auth-history.dto.js +64 -0
package/dist/dto/get-user-auth-history.dto.js.map +1 -1
package/dist/dto/get-user-by-email.dto.d.ts +42 -0
package/dist/dto/get-user-by-email.dto.d.ts.map +1 -1
package/dist/dto/get-user-by-email.dto.js +42 -0
package/dist/dto/get-user-by-email.dto.js.map +1 -1
package/dist/dto/get-user-by-id.dto.d.ts +32 -0
package/dist/dto/get-user-by-id.dto.d.ts.map +1 -1
package/dist/dto/get-user-by-id.dto.js +32 -0
package/dist/dto/get-user-by-id.dto.js.map +1 -1
package/dist/dto/get-user-devices.dto.d.ts +34 -0
package/dist/dto/get-user-devices.dto.d.ts.map +1 -1
package/dist/dto/get-user-devices.dto.js +34 -0
package/dist/dto/get-user-devices.dto.js.map +1 -1
package/dist/dto/get-user-response.dto.d.ts +14 -0
package/dist/dto/get-user-response.dto.d.ts.map +1 -1
package/dist/dto/get-user-response.dto.js +15 -0
package/dist/dto/get-user-response.dto.js.map +1 -1
package/dist/dto/has-provider.dto.d.ts +33 -0
package/dist/dto/has-provider.dto.d.ts.map +1 -1
package/dist/dto/has-provider.dto.js +33 -0
package/dist/dto/has-provider.dto.js.map +1 -1
package/dist/dto/index.js +5 -0
package/dist/dto/index.js.map +1 -1
package/dist/dto/is-trusted-device-response.dto.d.ts +28 -0
package/dist/dto/is-trusted-device-response.dto.d.ts.map +1 -1
package/dist/dto/is-trusted-device-response.dto.js +28 -0
package/dist/dto/is-trusted-device-response.dto.js.map +1 -1
package/dist/dto/list-providers-response.dto.d.ts +19 -0
package/dist/dto/list-providers-response.dto.d.ts.map +1 -1
package/dist/dto/list-providers-response.dto.js +19 -0
package/dist/dto/list-providers-response.dto.js.map +1 -1
package/dist/dto/login.dto.d.ts +48 -0
package/dist/dto/login.dto.d.ts.map +1 -1
package/dist/dto/login.dto.js +50 -1
package/dist/dto/login.dto.js.map +1 -1
package/dist/dto/logout-all-response.dto.d.ts +20 -0
package/dist/dto/logout-all-response.dto.d.ts.map +1 -1
package/dist/dto/logout-all-response.dto.js +20 -0
package/dist/dto/logout-all-response.dto.js.map +1 -1
package/dist/dto/logout-all.dto.d.ts +42 -0
package/dist/dto/logout-all.dto.d.ts.map +1 -1
package/dist/dto/logout-all.dto.js +42 -0
package/dist/dto/logout-all.dto.js.map +1 -1
package/dist/dto/logout-response.dto.d.ts +21 -0
package/dist/dto/logout-response.dto.d.ts.map +1 -1
package/dist/dto/logout-response.dto.js +21 -0
package/dist/dto/logout-response.dto.js.map +1 -1
package/dist/dto/logout.dto.d.ts +45 -0
package/dist/dto/logout.dto.d.ts.map +1 -1
package/dist/dto/logout.dto.js +45 -0
package/dist/dto/logout.dto.js.map +1 -1
package/dist/dto/refresh-token.dto.d.ts +28 -0
package/dist/dto/refresh-token.dto.d.ts.map +1 -1
package/dist/dto/refresh-token.dto.js +28 -0
package/dist/dto/refresh-token.dto.js.map +1 -1
package/dist/dto/remove-devices.dto.d.ts +51 -0
package/dist/dto/remove-devices.dto.d.ts.map +1 -1
package/dist/dto/remove-devices.dto.js +51 -0
package/dist/dto/remove-devices.dto.js.map +1 -1
package/dist/dto/resend-code-response.dto.d.ts +28 -0
package/dist/dto/resend-code-response.dto.d.ts.map +1 -1
package/dist/dto/resend-code-response.dto.js +28 -0
package/dist/dto/resend-code-response.dto.js.map +1 -1
package/dist/dto/resend-code.dto.d.ts +37 -0
package/dist/dto/resend-code.dto.d.ts.map +1 -1
package/dist/dto/resend-code.dto.js +37 -0
package/dist/dto/resend-code.dto.js.map +1 -1
package/dist/dto/reset-password.dto.d.ts +74 -0
package/dist/dto/reset-password.dto.d.ts.map +1 -1
package/dist/dto/reset-password.dto.js +76 -1
package/dist/dto/reset-password.dto.js.map +1 -1
package/dist/dto/respond-challenge.dto.d.ts +147 -0
package/dist/dto/respond-challenge.dto.d.ts.map +1 -1
package/dist/dto/respond-challenge.dto.js +162 -0
package/dist/dto/respond-challenge.dto.js.map +1 -1
package/dist/dto/set-mfa-exemption.dto.d.ts +65 -0
package/dist/dto/set-mfa-exemption.dto.d.ts.map +1 -1
package/dist/dto/set-mfa-exemption.dto.js +65 -0
package/dist/dto/set-mfa-exemption.dto.js.map +1 -1
package/dist/dto/set-must-change-password-response.dto.d.ts +23 -0
package/dist/dto/set-must-change-password-response.dto.d.ts.map +1 -1
package/dist/dto/set-must-change-password-response.dto.js +23 -0
package/dist/dto/set-must-change-password-response.dto.js.map +1 -1
package/dist/dto/set-must-change-password.dto.d.ts +32 -0
package/dist/dto/set-must-change-password.dto.d.ts.map +1 -1
package/dist/dto/set-must-change-password.dto.js +32 -0
package/dist/dto/set-must-change-password.dto.js.map +1 -1
package/dist/dto/set-preferred-method.dto.d.ts +48 -0
package/dist/dto/set-preferred-method.dto.d.ts.map +1 -1
package/dist/dto/set-preferred-method.dto.js +48 -0
package/dist/dto/set-preferred-method.dto.js.map +1 -1
package/dist/dto/setup-mfa.dto.d.ts +62 -0
package/dist/dto/setup-mfa.dto.d.ts.map +1 -1
package/dist/dto/setup-mfa.dto.js +62 -0
package/dist/dto/setup-mfa.dto.js.map +1 -1
package/dist/dto/signup.dto.d.ts +92 -0
package/dist/dto/signup.dto.d.ts.map +1 -1
package/dist/dto/signup.dto.js +93 -0
package/dist/dto/signup.dto.js.map +1 -1
package/dist/dto/social-auth.dto.d.ts +234 -0
package/dist/dto/social-auth.dto.d.ts.map +1 -1
package/dist/dto/social-auth.dto.js +234 -0
package/dist/dto/social-auth.dto.js.map +1 -1
package/dist/dto/trust-device-response.dto.d.ts +26 -0
package/dist/dto/trust-device-response.dto.d.ts.map +1 -1
package/dist/dto/trust-device-response.dto.js +26 -0
package/dist/dto/trust-device-response.dto.js.map +1 -1
package/dist/dto/trust-device.dto.d.ts +9 -0
package/dist/dto/trust-device.dto.d.ts.map +1 -1
package/dist/dto/trust-device.dto.js +9 -0
package/dist/dto/trust-device.dto.js.map +1 -1
package/dist/dto/update-user-attributes-request.dto.d.ts +36 -0
package/dist/dto/update-user-attributes-request.dto.d.ts.map +1 -1
package/dist/dto/update-user-attributes-request.dto.js +36 -0
package/dist/dto/update-user-attributes-request.dto.js.map +1 -1
package/dist/dto/user-response.dto.d.ts +81 -0
package/dist/dto/user-response.dto.d.ts.map +1 -1
package/dist/dto/user-response.dto.js +84 -2
package/dist/dto/user-response.dto.js.map +1 -1
package/dist/dto/user-update.dto.d.ts +132 -0
package/dist/dto/user-update.dto.d.ts.map +1 -1
package/dist/dto/user-update.dto.js +133 -0
package/dist/dto/user-update.dto.js.map +1 -1
package/dist/dto/verify-email.dto.d.ts +171 -0
package/dist/dto/verify-email.dto.d.ts.map +1 -1
package/dist/dto/verify-email.dto.js +173 -1
package/dist/dto/verify-email.dto.js.map +1 -1
package/dist/dto/verify-mfa-code.dto.d.ts +65 -0
package/dist/dto/verify-mfa-code.dto.d.ts.map +1 -1
package/dist/dto/verify-mfa-code.dto.js +65 -0
package/dist/dto/verify-mfa-code.dto.js.map +1 -1
package/dist/dto/verify-phone-by-sub.dto.d.ts +49 -0
package/dist/dto/verify-phone-by-sub.dto.d.ts.map +1 -1
package/dist/dto/verify-phone-by-sub.dto.js +49 -0
package/dist/dto/verify-phone-by-sub.dto.js.map +1 -1
package/dist/dto/verify-phone.dto.d.ts +139 -0
package/dist/dto/verify-phone.dto.d.ts.map +1 -1
package/dist/dto/verify-phone.dto.js +142 -1
package/dist/dto/verify-phone.dto.js.map +1 -1
package/dist/dto.d.ts +10 -0
package/dist/dto.d.ts.map +1 -1
package/dist/dto.js +10 -0
package/dist/dto.js.map +1 -1
package/dist/entities/auth-audit.entity.d.ts +159 -0
package/dist/entities/auth-audit.entity.d.ts.map +1 -1
package/dist/entities/auth-audit.entity.js +166 -0
package/dist/entities/auth-audit.entity.js.map +1 -1
package/dist/entities/challenge-session.entity.d.ts +87 -0
package/dist/entities/challenge-session.entity.d.ts.map +1 -1
package/dist/entities/challenge-session.entity.js +87 -0
package/dist/entities/challenge-session.entity.js.map +1 -1
package/dist/entities/index.d.ts +18 -0
package/dist/entities/index.d.ts.map +1 -1
package/dist/entities/index.js +18 -0
package/dist/entities/index.js.map +1 -1
package/dist/entities/login-attempt.entity.d.ts +43 -0
package/dist/entities/login-attempt.entity.d.ts.map +1 -1
package/dist/entities/login-attempt.entity.js +43 -0
package/dist/entities/login-attempt.entity.js.map +1 -1
package/dist/entities/mfa-device.entity.d.ts +112 -0
package/dist/entities/mfa-device.entity.d.ts.map +1 -1
package/dist/entities/mfa-device.entity.js +112 -0
package/dist/entities/mfa-device.entity.js.map +1 -1
package/dist/entities/rate-limit.entity.d.ts +31 -0
package/dist/entities/rate-limit.entity.d.ts.map +1 -1
package/dist/entities/rate-limit.entity.js +31 -0
package/dist/entities/rate-limit.entity.js.map +1 -1
package/dist/entities/session.entity.d.ts +121 -0
package/dist/entities/session.entity.d.ts.map +1 -1
package/dist/entities/session.entity.js +121 -0
package/dist/entities/session.entity.js.map +1 -1
package/dist/entities/social-account.entity.d.ts +75 -0
package/dist/entities/social-account.entity.d.ts.map +1 -1
package/dist/entities/social-account.entity.js +75 -0
package/dist/entities/social-account.entity.js.map +1 -1
package/dist/entities/storage-lock.entity.d.ts +28 -0
package/dist/entities/storage-lock.entity.d.ts.map +1 -1
package/dist/entities/storage-lock.entity.js +28 -0
package/dist/entities/storage-lock.entity.js.map +1 -1
package/dist/entities/trusted-device.entity.d.ts +83 -0
package/dist/entities/trusted-device.entity.d.ts.map +1 -1
package/dist/entities/trusted-device.entity.js +83 -0
package/dist/entities/trusted-device.entity.js.map +1 -1
package/dist/entities/user.entity.d.ts +166 -0
package/dist/entities/user.entity.d.ts.map +1 -1
package/dist/entities/user.entity.js +166 -0
package/dist/entities/user.entity.js.map +1 -1
package/dist/entities/verification-token.entity.d.ts +102 -0
package/dist/entities/verification-token.entity.d.ts.map +1 -1
package/dist/entities/verification-token.entity.js +102 -0
package/dist/entities/verification-token.entity.js.map +1 -1
package/dist/entities.d.ts +8 -0
package/dist/entities.d.ts.map +1 -1
package/dist/entities.js +8 -0
package/dist/entities.js.map +1 -1
package/dist/enums/auth-audit-event-type.enum.d.ts +211 -0
package/dist/enums/auth-audit-event-type.enum.d.ts.map +1 -1
package/dist/enums/auth-audit-event-type.enum.js +244 -0
package/dist/enums/auth-audit-event-type.enum.js.map +1 -1
package/dist/enums/error-codes.enum.d.ts +296 -0
package/dist/enums/error-codes.enum.d.ts.map +1 -1
package/dist/enums/error-codes.enum.js +332 -0
package/dist/enums/error-codes.enum.js.map +1 -1
package/dist/enums/mfa-method.enum.d.ts +74 -0
package/dist/enums/mfa-method.enum.d.ts.map +1 -1
package/dist/enums/mfa-method.enum.js +64 -0
package/dist/enums/mfa-method.enum.js.map +1 -1
package/dist/enums/risk-factor.enum.d.ts +91 -0
package/dist/enums/risk-factor.enum.d.ts.map +1 -1
package/dist/enums/risk-factor.enum.js +97 -0
package/dist/enums/risk-factor.enum.js.map +1 -1
package/dist/exceptions/nauth.exception.d.ts +149 -0
package/dist/exceptions/nauth.exception.d.ts.map +1 -1
package/dist/exceptions/nauth.exception.js +159 -0
package/dist/exceptions/nauth.exception.js.map +1 -1
package/dist/handlers/auth.handler.d.ts +32 -0
package/dist/handlers/auth.handler.d.ts.map +1 -1
package/dist/handlers/auth.handler.js +47 -1
package/dist/handlers/auth.handler.js.map +1 -1
package/dist/handlers/client-info.handler.d.ts +25 -0
package/dist/handlers/client-info.handler.d.ts.map +1 -1
package/dist/handlers/client-info.handler.js +36 -2
package/dist/handlers/client-info.handler.js.map +1 -1
package/dist/handlers/csrf.handler.d.ts +32 -0
package/dist/handlers/csrf.handler.d.ts.map +1 -1
package/dist/handlers/csrf.handler.js +49 -1
package/dist/handlers/csrf.handler.js.map +1 -1
package/dist/handlers/token-delivery.handler.d.ts +16 -0
package/dist/handlers/token-delivery.handler.d.ts.map +1 -1
package/dist/handlers/token-delivery.handler.js +22 -1
package/dist/handlers/token-delivery.handler.js.map +1 -1
package/dist/index.d.ts +34 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +67 -0
package/dist/index.js.map +1 -1
package/dist/interfaces/client-info.interface.d.ts +58 -0
package/dist/interfaces/client-info.interface.d.ts.map +1 -1
package/dist/interfaces/config.interface.d.ts +1774 -0
package/dist/interfaces/config.interface.d.ts.map +1 -1
package/dist/interfaces/config.interface.js +16 -0
package/dist/interfaces/config.interface.js.map +1 -1
package/dist/interfaces/entities.interface.d.ts +48 -0
package/dist/interfaces/entities.interface.d.ts.map +1 -1
package/dist/interfaces/entities.interface.js +8 -0
package/dist/interfaces/entities.interface.js.map +1 -1
package/dist/interfaces/index.js +5 -0
package/dist/interfaces/index.js.map +1 -1
package/dist/interfaces/logger.interface.d.ts +213 -0
package/dist/interfaces/logger.interface.d.ts.map +1 -1
package/dist/interfaces/logger.interface.js +35 -0
package/dist/interfaces/logger.interface.js.map +1 -1
package/dist/interfaces/mfa-provider.interface.d.ts +134 -0
package/dist/interfaces/mfa-provider.interface.d.ts.map +1 -1
package/dist/interfaces/oauth.interface.d.ts +110 -0
package/dist/interfaces/oauth.interface.d.ts.map +1 -1
package/dist/interfaces/provider.interface.d.ts +83 -0
package/dist/interfaces/provider.interface.d.ts.map +1 -1
package/dist/interfaces/sms-template.interface.d.ts +246 -0
package/dist/interfaces/sms-template.interface.d.ts.map +1 -1
package/dist/interfaces/sms-template.interface.js +26 -0
package/dist/interfaces/sms-template.interface.js.map +1 -1
package/dist/interfaces/social-auth-provider.interface.d.ts +115 -0
package/dist/interfaces/social-auth-provider.interface.d.ts.map +1 -1
package/dist/interfaces/storage-adapter.interface.d.ts +37 -0
package/dist/interfaces/storage-adapter.interface.d.ts.map +1 -1
package/dist/interfaces/template.interface.d.ts +351 -0
package/dist/interfaces/template.interface.d.ts.map +1 -1
package/dist/interfaces/template.interface.js +13 -0
package/dist/interfaces/template.interface.js.map +1 -1
package/dist/interfaces/token-verifier.interface.d.ts +101 -0
package/dist/interfaces/token-verifier.interface.d.ts.map +1 -1
package/dist/interfaces.d.ts +8 -0
package/dist/interfaces.d.ts.map +1 -1
package/dist/interfaces.js +8 -0
package/dist/interfaces.js.map +1 -1
package/dist/internal.d.ts +120 -0
package/dist/internal.d.ts.map +1 -1
package/dist/internal.js +138 -0
package/dist/internal.js.map +1 -1
package/dist/platform/interfaces.d.ts +187 -0
package/dist/platform/interfaces.d.ts.map +1 -1
package/dist/platform/interfaces.js +11 -0
package/dist/platform/interfaces.js.map +1 -1
package/dist/schemas/auth-config.schema.d.ts +48 -0
package/dist/schemas/auth-config.schema.d.ts.map +1 -1
package/dist/schemas/auth-config.schema.js +188 -9
package/dist/schemas/auth-config.schema.js.map +1 -1
package/dist/services/adaptive-mfa-decision.service.d.ts +144 -0
package/dist/services/adaptive-mfa-decision.service.d.ts.map +1 -1
package/dist/services/adaptive-mfa-decision.service.js +151 -5
package/dist/services/adaptive-mfa-decision.service.js.map +1 -1
package/dist/services/auth-audit.service.d.ts +195 -0
package/dist/services/auth-audit.service.d.ts.map +1 -1
package/dist/services/auth-audit.service.js +228 -1
package/dist/services/auth-audit.service.js.map +1 -1
package/dist/services/auth-challenge-helper.service.d.ts +144 -1
package/dist/services/auth-challenge-helper.service.d.ts.map +1 -1
package/dist/services/auth-challenge-helper.service.js +295 -16
package/dist/services/auth-challenge-helper.service.js.map +1 -1
package/dist/services/auth-flow-context-builder.service.d.ts +120 -1
package/dist/services/auth-flow-context-builder.service.d.ts.map +1 -1
package/dist/services/auth-flow-context-builder.service.js +184 -5
package/dist/services/auth-flow-context-builder.service.js.map +1 -1
package/dist/services/auth-flow-rules.d.ts +136 -0
package/dist/services/auth-flow-rules.d.ts.map +1 -1
package/dist/services/auth-flow-rules.js +137 -0
package/dist/services/auth-flow-rules.js.map +1 -1
package/dist/services/auth-flow-state-definitions.d.ts +40 -0
package/dist/services/auth-flow-state-definitions.d.ts.map +1 -1
package/dist/services/auth-flow-state-definitions.js +98 -0
package/dist/services/auth-flow-state-definitions.js.map +1 -1
package/dist/services/auth-flow-state-machine.service.d.ts +91 -0
package/dist/services/auth-flow-state-machine.service.d.ts.map +1 -1
package/dist/services/auth-flow-state-machine.service.js +102 -0
package/dist/services/auth-flow-state-machine.service.js.map +1 -1
package/dist/services/auth-flow-state-machine.types.d.ts +221 -0
package/dist/services/auth-flow-state-machine.types.d.ts.map +1 -1
package/dist/services/auth-flow-state-machine.types.js +47 -0
package/dist/services/auth-flow-state-machine.types.js.map +1 -1
package/dist/services/auth.service.d.ts +397 -1
package/dist/services/auth.service.d.ts.map +1 -1
package/dist/services/auth.service.js +943 -27
package/dist/services/auth.service.js.map +1 -1
package/dist/services/challenge.service.d.ts +255 -1
package/dist/services/challenge.service.d.ts.map +1 -1
package/dist/services/challenge.service.js +327 -3
package/dist/services/challenge.service.js.map +1 -1
package/dist/services/client-info.service.d.ts +143 -0
package/dist/services/client-info.service.d.ts.map +1 -1
package/dist/services/client-info.service.js +161 -0
package/dist/services/client-info.service.js.map +1 -1
package/dist/services/csrf.service.d.ts +15 -0
package/dist/services/csrf.service.d.ts.map +1 -1
package/dist/services/csrf.service.js +16 -0
package/dist/services/csrf.service.js.map +1 -1
package/dist/services/email-verification.service.d.ts +52 -0
package/dist/services/email-verification.service.d.ts.map +1 -1
package/dist/services/email-verification.service.js +149 -10
package/dist/services/email-verification.service.js.map +1 -1
package/dist/services/geo-location.service.d.ts +105 -0
package/dist/services/geo-location.service.d.ts.map +1 -1
package/dist/services/geo-location.service.js +188 -2
package/dist/services/geo-location.service.js.map +1 -1
package/dist/services/jwt.service.d.ts +257 -0
package/dist/services/jwt.service.d.ts.map +1 -1
package/dist/services/jwt.service.js +284 -1
package/dist/services/jwt.service.js.map +1 -1
package/dist/services/mfa-base.service.d.ts +179 -1
package/dist/services/mfa-base.service.d.ts.map +1 -1
package/dist/services/mfa-base.service.js +256 -2
package/dist/services/mfa-base.service.js.map +1 -1
package/dist/services/mfa.service.d.ts +304 -0
package/dist/services/mfa.service.d.ts.map +1 -1
package/dist/services/mfa.service.js +380 -0
package/dist/services/mfa.service.js.map +1 -1
package/dist/services/password-reset.service.d.ts +46 -0
package/dist/services/password-reset.service.d.ts.map +1 -1
package/dist/services/password-reset.service.js +79 -0
package/dist/services/password-reset.service.js.map +1 -1
package/dist/services/password.service.d.ts +139 -0
package/dist/services/password.service.d.ts.map +1 -1
package/dist/services/password.service.js +167 -9
package/dist/services/password.service.js.map +1 -1
package/dist/services/phone-verification.service.d.ts +75 -0
package/dist/services/phone-verification.service.d.ts.map +1 -1
package/dist/services/phone-verification.service.js +188 -6
package/dist/services/phone-verification.service.js.map +1 -1
package/dist/services/risk-detection.service.d.ts +198 -0
package/dist/services/risk-detection.service.d.ts.map +1 -1
package/dist/services/risk-detection.service.js +358 -11
package/dist/services/risk-detection.service.js.map +1 -1
package/dist/services/risk-scoring.service.d.ts +84 -0
package/dist/services/risk-scoring.service.d.ts.map +1 -1
package/dist/services/risk-scoring.service.js +87 -0
package/dist/services/risk-scoring.service.js.map +1 -1
package/dist/services/session.service.d.ts +204 -0
package/dist/services/session.service.d.ts.map +1 -1
package/dist/services/session.service.js +289 -4
package/dist/services/session.service.js.map +1 -1
package/dist/services/social-auth-base.service.d.ts +123 -1
package/dist/services/social-auth-base.service.d.ts.map +1 -1
package/dist/services/social-auth-base.service.js +155 -2
package/dist/services/social-auth-base.service.js.map +1 -1
package/dist/services/social-auth.service.d.ts +191 -0
package/dist/services/social-auth.service.d.ts.map +1 -1
package/dist/services/social-auth.service.js +215 -2
package/dist/services/social-auth.service.js.map +1 -1
package/dist/services/social-provider-registry.service.d.ts +86 -0
package/dist/services/social-provider-registry.service.d.ts.map +1 -1
package/dist/services/social-provider-registry.service.js +86 -0
package/dist/services/social-provider-registry.service.js.map +1 -1
package/dist/services/trusted-device.service.d.ts +105 -0
package/dist/services/trusted-device.service.d.ts.map +1 -1
package/dist/services/trusted-device.service.js +133 -4
package/dist/services/trusted-device.service.js.map +1 -1
package/dist/storage/account-lockout-storage.service.d.ts +35 -0
package/dist/storage/account-lockout-storage.service.d.ts.map +1 -1
package/dist/storage/account-lockout-storage.service.js +35 -0
package/dist/storage/account-lockout-storage.service.js.map +1 -1
package/dist/storage/memory-storage.adapter.d.ts +148 -0
package/dist/storage/memory-storage.adapter.d.ts.map +1 -1
package/dist/storage/memory-storage.adapter.js +201 -6
package/dist/storage/memory-storage.adapter.js.map +1 -1
package/dist/storage/rate-limit-storage.service.d.ts +3 -0
package/dist/storage/rate-limit-storage.service.d.ts.map +1 -1
package/dist/storage/rate-limit-storage.service.js +4 -0
package/dist/storage/rate-limit-storage.service.js.map +1 -1
package/dist/storage.d.ts +8 -0
package/dist/storage.d.ts.map +1 -1
package/dist/storage.js +8 -0
package/dist/storage.js.map +1 -1
package/dist/templates/html-template.engine.d.ts +110 -0
package/dist/templates/html-template.engine.d.ts.map +1 -1
package/dist/templates/html-template.engine.js +147 -0
package/dist/templates/html-template.engine.js.map +1 -1
package/dist/templates/index.d.ts +5 -0
package/dist/templates/index.d.ts.map +1 -1
package/dist/templates/index.js +5 -0
package/dist/templates/index.js.map +1 -1
package/dist/templates/sms-template.engine.d.ts +151 -0
package/dist/templates/sms-template.engine.d.ts.map +1 -1
package/dist/templates/sms-template.engine.js +171 -0
package/dist/templates/sms-template.engine.js.map +1 -1
package/dist/templates.d.ts +8 -0
package/dist/templates.d.ts.map +1 -1
package/dist/templates.js +8 -0
package/dist/templates.js.map +1 -1
package/dist/utils/common-passwords.d.ts +42 -0
package/dist/utils/common-passwords.d.ts.map +1 -1
package/dist/utils/common-passwords.js +88 -0
package/dist/utils/common-passwords.js.map +1 -1
package/dist/utils/context-storage.d.ts +129 -0
package/dist/utils/context-storage.d.ts.map +1 -1
package/dist/utils/context-storage.js +129 -0
package/dist/utils/context-storage.js.map +1 -1
package/dist/utils/cookie-names.util.d.ts +35 -0
package/dist/utils/cookie-names.util.d.ts.map +1 -1
package/dist/utils/cookie-names.util.js +37 -0
package/dist/utils/cookie-names.util.js.map +1 -1
package/dist/utils/cookies.util.d.ts +19 -0
package/dist/utils/cookies.util.d.ts.map +1 -1
package/dist/utils/cookies.util.js +30 -3
package/dist/utils/cookies.util.js.map +1 -1
package/dist/utils/index.d.ts +3 -0
package/dist/utils/index.d.ts.map +1 -1
package/dist/utils/index.js +4 -0
package/dist/utils/index.js.map +1 -1
package/dist/utils/ip-extractor.d.ts +88 -0
package/dist/utils/ip-extractor.d.ts.map +1 -1
package/dist/utils/ip-extractor.js +109 -16
package/dist/utils/ip-extractor.js.map +1 -1
package/dist/utils/nauth-logger.d.ts +70 -0
package/dist/utils/nauth-logger.d.ts.map +1 -1
package/dist/utils/nauth-logger.js +82 -4
package/dist/utils/nauth-logger.js.map +1 -1
package/dist/utils/pii-redactor.d.ts +70 -0
package/dist/utils/pii-redactor.d.ts.map +1 -1
package/dist/utils/pii-redactor.js +102 -0
package/dist/utils/pii-redactor.js.map +1 -1
package/dist/utils/setup/get-repositories.d.ts +16 -0
package/dist/utils/setup/get-repositories.d.ts.map +1 -1
package/dist/utils/setup/get-repositories.js +21 -0
package/dist/utils/setup/get-repositories.js.map +1 -1
package/dist/utils/setup/init-services.d.ts +40 -1
package/dist/utils/setup/init-services.d.ts.map +1 -1
package/dist/utils/setup/init-services.js +98 -0
package/dist/utils/setup/init-services.js.map +1 -1
package/dist/utils/setup/init-social.d.ts +27 -0
package/dist/utils/setup/init-social.d.ts.map +1 -1
package/dist/utils/setup/init-social.js +49 -0
package/dist/utils/setup/init-social.js.map +1 -1
package/dist/utils/setup/init-storage.d.ts +22 -0
package/dist/utils/setup/init-storage.d.ts.map +1 -1
package/dist/utils/setup/init-storage.js +36 -0
package/dist/utils/setup/init-storage.js.map +1 -1
package/dist/utils/setup/register-mfa.d.ts +22 -0
package/dist/utils/setup/register-mfa.d.ts.map +1 -1
package/dist/utils/setup/register-mfa.js +41 -0
package/dist/utils/setup/register-mfa.js.map +1 -1
package/dist/utils/setup/run-nauth-migrations.d.ts +7 -0
package/dist/utils/setup/run-nauth-migrations.d.ts.map +1 -1
package/dist/utils/setup/run-nauth-migrations.js +8 -0
package/dist/utils/setup/run-nauth-migrations.js.map +1 -1
package/dist/utils/token-delivery-policy.d.ts +17 -0
package/dist/utils/token-delivery-policy.d.ts.map +1 -1
package/dist/utils/token-delivery-policy.js +17 -0
package/dist/utils/token-delivery-policy.js.map +1 -1
package/dist/utils.d.ts +8 -0
package/dist/utils.d.ts.map +1 -1
package/dist/utils.js +8 -0
package/dist/utils.js.map +1 -1
package/dist/validators/template.validator.d.ts +80 -0
package/dist/validators/template.validator.d.ts.map +1 -1
package/dist/validators/template.validator.js +94 -0
package/dist/validators/template.validator.js.map +1 -1
package/package.json +7 -2

package/dist/services/session.service.js CHANGED Viewed

@@ -36,6 +36,45 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.SessionService = void 0;
 const typeorm_1 = require("typeorm");
 const auth_audit_event_type_enum_1 = require("../enums/auth-audit-event-type.enum");
+/**
+ * Session Service
+ *
+ * Manages user sessions and device tracking including:
+ * - Creating new sessions with device information
+ * - Finding sessions by ID or refresh token
+ * - Updating session activity and tokens (rotation)
+ * - Revoking individual or all user sessions
+ * - Token family management for reuse detection
+ * - Token reuse detection with storage tracking
+ * - Cleanup of expired sessions
+ *
+ * Security Features:
+ * - Token family tracking for reuse detection
+ * - Used refresh token tracking (prevents reuse attacks)
+ * - Session expiration management
+ * - Device fingerprinting support
+ * - Revocation with reason tracking
+ * - Activity timestamp updates
+ *
+ * @example
+ * ```typescript
+ * // Create session
+ * const session = await sessionService.createSession({
+ *   userId: user.id, // Internal ID (integer)
+ *   accessTokenHash: 'hash1',
+ *   refreshTokenHash: 'hash2',
+ *   tokenFamily: 'family-abc',
+ *   // Client info (ipAddress, userAgent, etc.) automatically extracted from ClientInfoService
+ *   expiresAt: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000),
+ * });
+ *
+ * // Revoke all user sessions (global signout)
+ * const revokedCount = await sessionService.revokeAllUserSessions(
+ *   user.id, // Internal ID (integer)
+ *   'User requested global signout'
+ * );
+ * ```
+ */
 class SessionService {
     sessionRepository;
     storageAdapter;
@@ -51,15 +90,31 @@ class SessionService {
         this.logger = logger;
         this.auditService = auditService;
     }
+    /**
+     * Calculate session expiration date from config
+     *
+     * Parses session.maxLifetime config (e.g., '30d', '7d', '5h') and returns
+     * the expiration Date. Defaults to 30 days if not configured.
+     *
+     * @returns Session expiration date
+     */
     getSessionExpirationDate() {
         const maxLifetime = this.config.session?.maxLifetime || '30d';
         const expiresInSeconds = this.parseMaxLifetime(maxLifetime);
         return new Date(Date.now() + expiresInSeconds * 1000);
     }
+    /**
+     * Parse maxLifetime from string or number
+     *
+     * @param maxLifetime - Max lifetime (e.g., '30d', '7d', '5h', 2592000)
+     * @returns Max lifetime in seconds
+     * @private
+     */
     parseMaxLifetime(maxLifetime) {
         if (typeof maxLifetime === 'number') {
             return maxLifetime;
         }
+        // Parse time strings (e.g., '15m', '1h', '30d')
         const units = {
             s: 1,
             m: 60,
@@ -69,21 +124,59 @@ class SessionService {
         const match = maxLifetime.match(/^(\d+)([smhd])$/);
         if (!match) {
             this.logger?.warn?.(`Invalid session.maxLifetime format: ${maxLifetime}. Using default 30 days.`);
-            return 30 * 86400;
+            return 30 * 86400; // Default to 30 days in seconds
         }
         const [, value, unit] = match;
         return parseInt(value, 10) * units[unit];
     }
+    /**
+     * Create a new session
+     *
+     * Creates a session record with token hashes, device information,
+     * and expiration time. Used during login and signup.
+     *
+     * @param data - Session creation data
+     * @param data.userId - Internal user ID (integer, not sub)
+     * @param data.accessTokenHash - SHA-256 hash of access token
+     * @param data.refreshTokenHash - SHA-256 hash of refresh token
+     * @param data.tokenFamily - Token family ID for rotation detection
+     * @param data.deviceId - Optional device identifier (UUID). Auto-generated if not provided.
+     * @param data.deviceName - Optional device name. Falls back to parsed value from ClientInfoService if not provided.
+     * @param data.deviceType - Optional device type (mobile, desktop, tablet). Falls back to parsed value from ClientInfoService if not provided.
+     * @param data.expiresAt - Session expiration date
+     * @remarks Client info (ipAddress, ipCountry, ipCity, userAgent, platform, browser) is automatically extracted from ClientInfoService context
+     * @param data.isRemembered - Whether session is from "remember me"
+     * @param data.authMethod - Authentication method: 'password', 'google', 'facebook', 'github', etc.
+     * @returns Created session
+     *
+     * @example
+     * ```typescript
+     * const session = await sessionService.createSession({
+     *   userId: user.id, // Internal ID (integer)
+     *   accessTokenHash: jwtService.hashToken(accessToken),
+     *   refreshTokenHash: jwtService.hashToken(refreshToken),
+     *   tokenFamily: jwtService.generateTokenFamily(),
+     *   // Client info (ipAddress, userAgent, etc.) automatically extracted from ClientInfoService
+     *   expiresAt: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000),
+     * });
+     * ```
+     */
     async createSession(data) {
+        // ============================================================================
+        // Session Limit Enforcement (maxConcurrent)
+        // ============================================================================
         const maxConcurrent = this.config.session?.maxConcurrent;
         if (maxConcurrent && maxConcurrent > 0) {
+            // Count active sessions for this user (not revoked and not expired)
             const now = new Date();
+            // Fetch only IDs of active sessions ordered by oldest activity
             const activeIds = (await this.sessionRepository.find({
                 select: ['id'],
                 where: { userId: data.userId, isRevoked: false, expiresAt: (0, typeorm_1.MoreThan)(now) },
                 order: { lastActivityAt: 'ASC' },
             }));
             if (activeIds.length >= maxConcurrent) {
+                // Revoke oldest sessions to make room for new one (bulk update)
                 const toRevokeCount = activeIds.length - maxConcurrent + 1;
                 const idsToRevoke = activeIds.slice(0, toRevokeCount).map((s) => s.id);
                 if (idsToRevoke.length > 0) {
@@ -91,6 +184,7 @@ class SessionService {
                     const result = await this.sessionRepository.update({ id: (0, typeorm_1.In)(idsToRevoke) }, { isRevoked: true, revokedAt: nowTs, revokeReason: 'Max concurrent sessions exceeded' });
                     const affected = result.affected || idsToRevoke.length;
                     if (affected > 0) {
+                        // Single summary audit event
                         try {
                             await this.auditService?.recordEvent({
                                 userId: data.userId,
@@ -115,16 +209,35 @@ class SessionService {
                 }
             }
         }
+        // ============================================================================
+        // Get client info from context (transparent access - no parameters needed)
+        // ============================================================================
+        // Client info is automatically extracted by ClientInfoInterceptor and stored in context
+        // This includes parsed user agent info (platform, browser, deviceType, deviceName)
+        // This allows SessionService to access IP, userAgent, etc. without requiring them as parameters
         const clientInfo = this.clientInfoService.get();
+        // ============================================================================
+        // Use parsed device information from ClientInfoService (already parsed by interceptor)
+        // ============================================================================
+        // ClientInfoService already parsed the user agent in the interceptor
+        // Use provided values or fall back to parsed values from context
         const deviceType = data.deviceType || clientInfo.deviceType || null;
         const deviceName = data.deviceName || clientInfo.deviceName || null;
         const platform = clientInfo.platform || null;
         const browser = clientInfo.browser || null;
+        // ============================================================================
+        // Generate deviceId if not provided
+        // ============================================================================
+        // DeviceId is a unique UUID that identifies a specific browser/device
+        // It's used for trusted device tracking and MFA "remember device" features
+        // In browser contexts, this should be stored in localStorage/sessionStorage
+        // and sent with each login request to maintain continuity
         let deviceId = data.deviceId;
         if (!deviceId) {
             const crypto = await Promise.resolve().then(() => __importStar(require('crypto')));
             deviceId = crypto.randomUUID();
         }
+        // Debug: Log what we're about to save
         if (!clientInfo.ipLatitude || !clientInfo.ipLongitude) {
             this.logger?.warn?.(`[SessionService] Creating session WITHOUT coordinates: ` +
                 `IP=${clientInfo.ipAddress}, country=${clientInfo.ipCountry}, city=${clientInfo.ipCity}, ` +
@@ -143,6 +256,7 @@ class SessionService {
             deviceId,
             deviceName,
             deviceType,
+            // Client info automatically extracted from ClientInfoService (transparent access)
             ipAddress: clientInfo.ipAddress || null,
             ipCountry: clientInfo.ipCountry || null,
             ipCity: clientInfo.ipCity || null,
@@ -157,6 +271,9 @@ class SessionService {
             lastActivityAt: new Date(),
         });
         const savedSession = (await this.sessionRepository.save(session));
+        // ============================================================================
+        // Audit: Record session creation
+        // ============================================================================
         try {
             await this.auditService?.recordEvent({
                 userId: data.userId,
@@ -164,6 +281,7 @@ class SessionService {
                 eventStatus: 'INFO',
                 sessionId: savedSession.id,
                 authMethod: data.authMethod || null,
+                // Client info automatically included from context
                 metadata: {
                     deviceId: savedSession.deviceId,
                     deviceName: savedSession.deviceName,
@@ -173,6 +291,7 @@ class SessionService {
             });
         }
         catch (auditError) {
+            // Non-blocking: Log but continue
             const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
             this.logger?.error?.(`Failed to record SESSION_CREATED audit event: ${errorMessage}`, {
                 error: auditError,
@@ -182,13 +301,22 @@ class SessionService {
         }
         return savedSession;
     }
+    /**
+     * Find session by ID
+     * @param sessionId - Session ID (can be string from JWT or number)
+     */
     async findById(sessionId) {
         return (await this.sessionRepository.findOne({
             where: { id: typeof sessionId === 'string' ? parseInt(sessionId, 10) : sessionId },
         }));
     }
+    /**
+     * Find session by ID with minimal fields (hot-path)
+     * @param sessionId - Session ID (string or number)
+     */
     async findByIdLight(sessionId) {
         const id = typeof sessionId === 'string' ? parseInt(sessionId, 10) : sessionId;
+        // Select minimal session fields to reduce DB payload
         const record = (await this.sessionRepository.findOne({
             select: ['id', 'version', 'isRevoked', 'expiresAt', 'userId'],
             where: { id },
@@ -205,24 +333,40 @@ class SessionService {
         };
         return light;
     }
+    /**
+     * Find session by refresh token hash
+     */
     async findByRefreshToken(refreshTokenHash) {
         return (await this.sessionRepository.findOne({
             select: ['id', 'userId', 'isRevoked', 'tokenFamily', 'expiresAt'],
             where: { refreshTokenHash, isRevoked: false },
         }));
     }
+    /**
+     * Find all active sessions for a user
+     * @param userId - Internal user ID (integer)
+     * @returns Array of active sessions
+     */
     async findUserSessions(userId) {
         return (await this.sessionRepository.find({
             where: { userId, isRevoked: false },
             order: { createdAt: 'DESC' },
         }));
     }
+    /**
+     * Update session activity timestamp
+     * @param sessionId - Session ID (can be string from JWT or number)
+     */
     async updateActivity(sessionId) {
         const id = typeof sessionId === 'string' ? parseInt(sessionId, 10) : sessionId;
         await this.sessionRepository.update(id, {
             lastActivityAt: new Date(),
         });
     }
+    /**
+     * Update session with new tokens (for rotation)
+     * @param sessionId - Session ID (can be string from JWT or number)
+     */
     async updateTokens(sessionId, accessTokenHash, refreshTokenHash) {
         const id = typeof sessionId === 'string' ? parseInt(sessionId, 10) : sessionId;
         await this.sessionRepository.update(id, {
@@ -231,18 +375,30 @@ class SessionService {
             lastActivityAt: new Date(),
         });
     }
+    /**
+     * Create a session and update token hashes atomically within one transaction
+     *
+     * Uses a callback to generate token hashes after obtaining the session ID.
+     * This allows callers to embed sessionId in JWTs, then persist hashes atomically.
+     */
     async createSessionAtomic(data, generateHashes) {
+        // Get client info from context (transparent access)
+        // ClientInfoService already parsed the user agent in the interceptor
         const clientInfo = this.clientInfoService.get();
         const result = await this.sessionRepository.manager.transaction(async (trx) => {
+            // Use parsed device information from ClientInfoService (already parsed by interceptor)
+            // Use provided values or fall back to parsed values from context
             const deviceType = data.deviceType || clientInfo.deviceType || null;
             const deviceName = data.deviceName || clientInfo.deviceName || null;
             const platform = clientInfo.platform || null;
             const browser = clientInfo.browser || null;
+            // Generate deviceId if missing
             let deviceId = data.deviceId;
             if (!deviceId) {
                 const crypto = await Promise.resolve().then(() => __importStar(require('crypto')));
                 deviceId = crypto.randomUUID();
             }
+            // Create with placeholder hashes (non-nullable columns)
             const sessionEntity = this.sessionRepository.create({
                 userId: data.userId,
                 accessTokenHash: '',
@@ -251,6 +407,7 @@ class SessionService {
                 deviceId,
                 deviceName,
                 deviceType,
+                // Client info automatically extracted from ClientInfoService (transparent access)
                 ipAddress: clientInfo.ipAddress || null,
                 ipCountry: clientInfo.ipCountry || null,
                 ipCity: clientInfo.ipCity || null,
@@ -264,6 +421,7 @@ class SessionService {
                 isRemembered: data.isRemembered || false,
                 lastActivityAt: new Date(),
             });
+            // Debug: Log what we're about to save in atomic transaction
             if (!clientInfo.ipLatitude || !clientInfo.ipLongitude) {
                 this.logger?.warn?.(`[SessionService.createSessionAtomic] Creating session WITHOUT coordinates: ` +
                     `IP=${clientInfo.ipAddress}, country=${clientInfo.ipCountry}, city=${clientInfo.ipCity}, ` +
@@ -283,6 +441,7 @@ class SessionService {
                 .set({ accessTokenHash, refreshTokenHash, lastActivityAt: new Date() })
                 .where({ id: savedId })
                 .execute();
+            // Re-fetch minimal session fields to return
             const sessionLight = (await trx.findOne(this.sessionRepository.target, {
                 where: { id: savedId },
             }));
@@ -291,6 +450,9 @@ class SessionService {
             }
             return { session: sessionLight, extra };
         });
+        // ============================================================================
+        // Audit: Record session creation
+        // ============================================================================
         try {
             await this.auditService?.recordEvent({
                 userId: data.userId,
@@ -298,6 +460,7 @@ class SessionService {
                 eventStatus: 'INFO',
                 sessionId: result.session.id,
                 authMethod: data.authMethod || null,
+                // Client info automatically included from context
                 metadata: {
                     deviceId: result.session.deviceId,
                     deviceName: result.session.deviceName,
@@ -307,6 +470,7 @@ class SessionService {
             });
         }
         catch (auditError) {
+            // Non-blocking: Log but continue
             const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
             this.logger?.error?.(`Failed to record SESSION_CREATED audit event: ${errorMessage}`, {
                 error: auditError,
@@ -316,17 +480,27 @@ class SessionService {
         }
         return result;
     }
+    /**
+     * Revoke a single session
+     * @param sessionId - Session ID (can be string from JWT or number)
+     * @param reason - Optional reason for revocation
+     * @param metadata - Optional metadata to include in audit trail
+     */
     async revokeSession(sessionId, reason, metadata) {
         const id = typeof sessionId === 'string' ? parseInt(sessionId, 10) : sessionId;
+        // Get session to retrieve userId for audit logging
         const session = await this.findById(id);
         if (!session) {
-            return;
+            return; // Session doesn't exist, nothing to revoke
         }
         await this.sessionRepository.update(id, {
             isRevoked: true,
             revokedAt: new Date(),
             revokeReason: reason,
         });
+        // ============================================================================
+        // Audit: Record session revocation
+        // ============================================================================
         try {
             await this.auditService?.recordEvent({
                 userId: session.userId,
@@ -335,10 +509,12 @@ class SessionService {
                 sessionId: id,
                 reason: reason || 'User logout',
                 description: `Session revoked: ${reason || 'User logout'}`,
+                // Client info automatically included from context
                 metadata: metadata || undefined,
             });
         }
         catch (auditError) {
+            // Non-blocking: Log but continue
             const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
             this.logger?.error?.(`Failed to record SESSION_REVOKED audit event: ${errorMessage}`, {
                 error: auditError,
@@ -347,7 +523,14 @@ class SessionService {
             });
         }
     }
+    /**
+     * Revoke all sessions for a user (global signout)
+     * @param userId - Internal user ID (integer)
+     * @param reason - Optional reason for revocation
+     * @returns Number of sessions revoked
+     */
     async revokeAllUserSessions(userId, reason) {
+        // Get sessions before revoking for audit logging
         const sessions = await this.findUserSessions(userId);
         const result = await this.sessionRepository.update({ userId, isRevoked: false }, {
             isRevoked: true,
@@ -355,10 +538,15 @@ class SessionService {
             revokeReason: reason,
         });
         const revokedCount = result.affected || 0;
+        // ============================================================================
+        // Audit: Record session revocations (one event per session for global signout)
+        // ============================================================================
         if (revokedCount > 0) {
             try {
                 const isGlobalSignout = reason === 'Global signout';
                 if (isGlobalSignout) {
+                    // For global signout, record individual SESSION_REVOKED event for each session
+                    // AuthService.logoutAll() will record a GLOBAL_SIGNOUT event separately
                     for (const session of sessions) {
                         try {
                             await this.auditService?.recordEvent({
@@ -368,12 +556,14 @@ class SessionService {
                                 reason: 'Global signout',
                                 description: `Session revoked by global signout`,
                                 sessionId: session.id,
+                                // Client info automatically included from context
                                 metadata: {
                                     revokedBy: 'global_signout',
                                 },
                             });
                         }
                         catch (sessionAuditError) {
+                            // Non-blocking: Log but continue with other sessions
                             const errorMessage = sessionAuditError instanceof Error ? sessionAuditError.message : 'Unknown error';
                             this.logger?.error?.(`Failed to record SESSION_REVOKED audit event for session ${session.id}: ${errorMessage}`, {
                                 error: sessionAuditError,
@@ -384,12 +574,14 @@ class SessionService {
                     }
                 }
                 else {
+                    // For other reasons (e.g., "Login from new session"), record one summary event
                     await this.auditService?.recordEvent({
                         userId,
                         eventType: auth_audit_event_type_enum_1.AuthAuditEventType.SESSION_REVOKED,
                         eventStatus: 'INFO',
                         reason: reason || 'Session revocation',
                         description: `All user sessions revoked (${revokedCount} session(s))`,
+                        // Client info automatically included from context
                         metadata: {
                             revokedCount,
                             sessionIds: sessions.map((s) => s.id),
@@ -398,6 +590,7 @@ class SessionService {
                 }
             }
             catch (auditError) {
+                // Non-blocking: Log but continue
                 const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
                 this.logger?.error?.(`Failed to record SESSION_REVOKED audit event (all sessions): ${errorMessage}`, {
                     error: auditError,
@@ -408,6 +601,9 @@ class SessionService {
         }
         return revokedCount;
     }
+    /**
+     * Revoke all sessions in a token family (for reuse detection)
+     */
     async revokeTokenFamily(tokenFamily, reason) {
         const result = await this.sessionRepository.update({ tokenFamily, isRevoked: false }, {
             isRevoked: true,
@@ -416,37 +612,126 @@ class SessionService {
         });
         return result.affected || 0;
     }
+    /**
+     * Cleanup expired sessions
+     */
     async cleanupExpiredSessions() {
         const result = await this.sessionRepository.delete({
             expiresAt: (0, typeorm_1.LessThan)(new Date()),
         });
         return result.affected || 0;
     }
+    /**
+     * Count active sessions for a user
+     * @param userId - Internal user ID (integer)
+     * @returns Number of active sessions
+     */
     async countUserSessions(userId) {
         return await this.sessionRepository.count({
             where: { userId, isRevoked: false },
         });
     }
+    // ============================================================================
+    // Token Reuse Detection (Security Feature)
+    // ============================================================================
+    /**
+     * Mark a refresh token as used
+     *
+     * Stores the token hash in cache with expiration matching the refresh token TTL.
+     * Used to detect token reuse attacks where stolen tokens are reused multiple times.
+     *
+     * SECURITY CRITICAL: This prevents token replay attacks
+     *
+     * @param tokenHash - SHA-256 hash of the refresh token
+     * @param ttlSeconds - Time to live in seconds (should match refresh token expiry)
+     *
+     * @example
+     * ```typescript
+     * // Mark token as used during refresh
+     * await sessionService.markRefreshTokenAsUsed(tokenHash, 30 * 24 * 60 * 60);
+     * ```
+     */
     async markRefreshTokenAsUsed(tokenHash, ttlSeconds) {
         const key = `used-token:${tokenHash}`;
+        // Use atomic set-if-not-exists operation
+        // Returns null if key already exists (NX failed), string if key was set
         const result = await this.storageAdapter.set(key, 'true', ttlSeconds, { nx: true });
-        return result !== null;
+        return result !== null; // True if successfully set, false if already existed
     }
+    /**
+     * Check if a refresh token has been used before
+     *
+     * If token has been used, it indicates a token reuse attack and the entire
+     * token family should be revoked immediately.
+     *
+     * @param tokenHash - SHA-256 hash of the refresh token
+     * @returns True if token has been used before, false otherwise
+     *
+     * @example
+     * ```typescript
+     * const isReused = await sessionService.isRefreshTokenUsed(tokenHash);
+     * if (isReused) {
+     *   // TOKEN REUSE DETECTED - SECURITY BREACH!
+     *   await sessionService.revokeTokenFamily(session.tokenFamily);
+     *   throw new UnauthorizedException('Token reuse detected');
+     * }
+     * ```
+     */
     async isRefreshTokenUsed(tokenHash) {
         const key = `used-token:${tokenHash}`;
         return await this.storageAdapter.exists(key);
     }
+    /**
+     * Acquire a distributed lock for token refresh
+     *
+     * Uses atomic set-if-not-exists (NX) operation to prevent concurrent refresh attempts.
+     * Lock is automatically released after TTL expires, or manually via releaseRefreshLock.
+     *
+     * @param lockKey - Lock key (e.g., `session-refresh:${sessionId}` or `refresh-lock:${tokenHash}`)
+     * @param ttlMs - Lock TTL in milliseconds (default: 10000ms)
+     * @returns True if lock was acquired, false if already locked by another request
+     *
+     * @example
+     * ```typescript
+     * const lockKey = `session-refresh:${sessionId}`;
+     * const lockAcquired = await sessionService.acquireRefreshLock(lockKey, 10000);
+     * if (!lockAcquired) {
+     *   throw new Error('Refresh already in progress');
+     * }
+     * try {
+     *   // ... perform refresh ...
+     * } finally {
+     *   await sessionService.releaseRefreshLock(lockKey);
+     * }
+     * ```
+     */
     async acquireRefreshLock(lockKey, ttlMs = 10000) {
+        // ============================================================================
+        // CRITICAL FIX: Use atomic set-if-not-exists (NX) for lock acquisition
+        // ============================================================================
+        // The set() method with nx: true uses a transaction with pessimistic locking
+        // to atomically check and insert. This ensures only one request can acquire
+        // the lock even when multiple requests arrive simultaneously.
+        // Increased default TTL to 10 seconds to handle slower database operations
+        // Add small jitter (±5%) to reduce synchronized expirations under load
         const baseTtlSeconds = Math.max(1, Math.ceil(ttlMs / 1000));
         const jitterMax = Math.max(1, Math.floor(baseTtlSeconds * 0.05));
-        const jitter = Math.floor(Math.random() * (jitterMax * 2 + 1)) - jitterMax;
+        const jitter = Math.floor(Math.random() * (jitterMax * 2 + 1)) - jitterMax; // [-jitterMax, +jitterMax]
         const ttlWithJitter = Math.max(1, baseTtlSeconds + jitter);
         const result = await this.storageAdapter.set(lockKey, 'locked', ttlWithJitter, { nx: true });
         const acquired = result !== null;
+        // Debug logging to help diagnose lock issues
         if (!acquired) {
+            // Lock acquisition failed - another request has it
+            // This is expected behavior when multiple requests try to refresh simultaneously
         }
         return acquired;
     }
+    /**
+     * Release a distributed lock for token refresh
+     *
+     * @param lockKey - Lock key (must match the key used in acquireRefreshLock)
+     */
     async releaseRefreshLock(lockKey) {
         await this.storageAdapter.del(lockKey);
     }