@nauth-toolkit/core 0.1.17 → 0.1.21

package/dist/dto/admin-signup.dto.js

@@ -0,0 +1,317 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AdminSignupResponseDTO = exports.AdminSignupDTO = void 0;
+const class_validator_1 = require("class-validator");
+const class_transformer_1 = require("class-transformer");
+/**
+ * DTO for administrative user creation with override capabilities
+ *
+ * Allows administrators to create user accounts with:
+ * - Bypass email/phone verification requirements
+ * - Force password change on first login
+ * - Auto-generate secure passwords
+ *
+ * Security:
+ * - All fields validated against DB constraints
+ * - Input sanitization applied automatically
+ * - Password strength enforced (8-128 chars) unless auto-generated
+ * - Email/username uniqueness checked in service layer
+ * - Audit trail records admin-created accounts
+ *
+ * Warning: This endpoint should be protected by admin authentication.
+ * The service does not enforce authorization - it is the responsibility
+ * of the framework adapter (NestJS/Express/Fastify) to protect the endpoint.
+ *
+ * @example
+ * ```typescript
+ * // Create user with pre-verified email
+ * const dto: AdminSignupDTO = {
+ *   email: 'user@example.com',
+ *   password: 'SecurePass123!',
+ *   isEmailVerified: true,
+ *   mustChangePassword: false,
+ * };
+ *
+ * // Create user with auto-generated password
+ * const dto: AdminSignupDTO = {
+ *   email: 'user@example.com',
+ *   generatePassword: true,
+ *   isEmailVerified: true,
+ *   mustChangePassword: true, // User must change generated password
+ * };
+ * ```
+ */
+class AdminSignupDTO {
+    /**
+     * User email address
+     *
+     * Validation:
+     * - Valid email format (RFC 5322)
+     * - Max 255 characters (matches DB limit)
+     *
+     * Sanitization:
+     * - Trimmed and lowercased
+     */
+    email;
+    /**
+     * User password
+     *
+     * Required unless `generatePassword` is true.
+     *
+     * Validation:
+     * - Min 8 characters
+     * - Max 128 characters (prevents DoS via bcrypt)
+     * - Additional policy checks in service layer
+     *
+     * Note: NOT trimmed (passwords can have leading/trailing spaces)
+     */
+    password;
+    /**
+     * Optional username
+     *
+     * Validation:
+     * - 3-50 characters
+     * - Alphanumeric, underscores, and hyphens only
+     * - Max 255 characters (DB limit)
+     *
+     * Sanitization:
+     * - Trimmed
+     * - Case preserved (username can be case-sensitive per config)
+     */
+    username;
+    /**
+     * Optional first name
+     *
+     * Validation:
+     * - 1-100 characters
+     * - Letters, spaces, hyphens, and apostrophes only
+     * - Max 100 characters (DB limit)
+     *
+     * Sanitization:
+     * - Trimmed
+     * - Title case preserved
+     */
+    firstName;
+    /**
+     * Optional last name
+     *
+     * Validation:
+     * - 1-100 characters
+     * - Letters, spaces, hyphens, and apostrophes only
+     * - Max 100 characters (DB limit)
+     *
+     * Sanitization:
+     * - Trimmed
+     * - Title case preserved
+     */
+    lastName;
+    /**
+     * Optional phone number
+     *
+     * Validation:
+     * - E.164 format (international standard)
+     * - MUST start with + (required for security)
+     * - Max 20 characters (DB limit)
+     * - Example: +14155552671, +61444567890
+     *
+     * Sanitization:
+     * - Whitespace removed
+     * - Only digits and leading + preserved
+     *
+     * Security:
+     * - Strict E.164 validation prevents SQL injection
+     * - Max length prevents oversized inputs
+     */
+    phone;
+    /**
+     * Optional metadata (custom fields)
+     *
+     * Security:
+     * - Validated in service layer if used
+     * - Max depth/size limits should be enforced
+     */
+    metadata;
+    /**
+     * Bypass email verification requirement
+     *
+     * If true, user's email is marked as verified without sending verification email.
+     * If false (default), user must verify email through normal flow.
+     *
+     * Default: false
+     */
+    isEmailVerified;
+    /**
+     * Bypass phone verification requirement
+     *
+     * If true, user's phone is marked as verified without sending verification SMS.
+     * If false (default), user must verify phone through normal flow.
+     *
+     * Default: false
+     */
+    isPhoneVerified;
+    /**
+     * Force password change on first login
+     *
+     * If true, user will be required to change password on next login.
+     * Useful when auto-generating passwords or when admin sets temporary passwords.
+     *
+     * Default: false
+     */
+    mustChangePassword;
+    /**
+     * Auto-generate secure password
+     *
+     * If true, a cryptographically secure random password will be generated.
+     * The generated password will be returned in the response (returned once only).
+     * Password field is not required when this is true.
+     *
+     * Default: false
+     *
+     * Security: Generated passwords are 16 characters, mixed case, numbers, and special characters.
+     * They are returned once in the response and never stored in plain text.
+     */
+    generatePassword;
+}
+exports.AdminSignupDTO = AdminSignupDTO;
+__decorate([
+    (0, class_validator_1.IsEmail)({}, { message: 'Invalid email format' }),
+    (0, class_validator_1.MaxLength)(255, { message: 'Email must not exceed 255 characters' }),
+    (0, class_transformer_1.Transform)(({ value }) => {
+        if (typeof value === 'string') {
+            return value.trim().toLowerCase();
+        }
+        return value;
+    }),
+    __metadata("design:type", String)
+], AdminSignupDTO.prototype, "email", void 0);
+__decorate([
+    (0, class_validator_1.ValidateIf)((o) => !o.generatePassword),
+    (0, class_validator_1.IsString)({ message: 'Password must be a string' }),
+    (0, class_validator_1.MinLength)(8, { message: 'Password must be at least 8 characters' }),
+    (0, class_validator_1.MaxLength)(128, { message: 'Password must not exceed 128 characters' }),
+    __metadata("design:type", String)
+], AdminSignupDTO.prototype, "password", void 0);
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)({ message: 'Username must be a string' }),
+    (0, class_validator_1.MinLength)(3, { message: 'Username must be at least 3 characters' }),
+    (0, class_validator_1.MaxLength)(255, { message: 'Username must not exceed 255 characters' }),
+    (0, class_validator_1.Matches)(/^[a-zA-Z0-9_-]+$/, {
+        message: 'Username can only contain letters, numbers, underscores, and hyphens',
+    }),
+    (0, class_transformer_1.Transform)(({ value }) => {
+        if (typeof value === 'string') {
+            return value.trim().toLowerCase();
+        }
+        return value;
+    }),
+    __metadata("design:type", String)
+], AdminSignupDTO.prototype, "username", void 0);
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)({ message: 'First name must be a string' }),
+    (0, class_validator_1.MinLength)(1, { message: 'First name must be at least 1 character' }),
+    (0, class_validator_1.MaxLength)(100, { message: 'First name must not exceed 100 characters' }),
+    (0, class_validator_1.Matches)(/^[a-zA-Z\s\-']+$/, {
+        message: 'First name can only contain letters, spaces, hyphens, and apostrophes',
+    }),
+    (0, class_transformer_1.Transform)(({ value }) => {
+        if (typeof value === 'string') {
+            return value.trim();
+        }
+        return value;
+    }),
+    __metadata("design:type", String)
+], AdminSignupDTO.prototype, "firstName", void 0);
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)({ message: 'Last name must be a string' }),
+    (0, class_validator_1.MinLength)(1, { message: 'Last name must be at least 1 character' }),
+    (0, class_validator_1.MaxLength)(100, { message: 'Last name must not exceed 100 characters' }),
+    (0, class_validator_1.Matches)(/^[a-zA-Z\s\-']+$/, {
+        message: 'Last name can only contain letters, spaces, hyphens, and apostrophes',
+    }),
+    (0, class_transformer_1.Transform)(({ value }) => {
+        if (typeof value === 'string') {
+            return value.trim();
+        }
+        return value;
+    }),
+    __metadata("design:type", String)
+], AdminSignupDTO.prototype, "lastName", void 0);
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)({ message: 'Phone must be a string' }),
+    (0, class_validator_1.MaxLength)(20, { message: 'Phone must not exceed 20 characters' }),
+    (0, class_validator_1.Matches)(/^\+[1-9]\d{1,14}$/, {
+        message: 'Phone must be in E.164 format with + prefix (e.g., +14155552671)',
+    }),
+    (0, class_transformer_1.Transform)(({ value }) => {
+        if (typeof value === 'string') {
+            // Remove all whitespace and keep only digits and +
+            return value.replace(/\s/g, '');
+        }
+        return value;
+    }),
+    __metadata("design:type", String)
+], AdminSignupDTO.prototype, "phone", void 0);
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    __metadata("design:type", Object)
+], AdminSignupDTO.prototype, "metadata", void 0);
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsBoolean)({ message: 'isEmailVerified must be a boolean' }),
+    __metadata("design:type", Boolean)
+], AdminSignupDTO.prototype, "isEmailVerified", void 0);
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsBoolean)({ message: 'isPhoneVerified must be a boolean' }),
+    __metadata("design:type", Boolean)
+], AdminSignupDTO.prototype, "isPhoneVerified", void 0);
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsBoolean)({ message: 'mustChangePassword must be a boolean' }),
+    __metadata("design:type", Boolean)
+], AdminSignupDTO.prototype, "mustChangePassword", void 0);
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsBoolean)({ message: 'generatePassword must be a boolean' }),
+    __metadata("design:type", Boolean)
+], AdminSignupDTO.prototype, "generatePassword", void 0);
+/**
+ * Response DTO for admin signup
+ *
+ * Returns the created user object (sanitized, excludes sensitive fields like passwordHash)
+ * and optionally the generated password (only if generatePassword was true in the request).
+ */
+class AdminSignupResponseDTO {
+    /**
+     * Created user object (sanitized)
+     *
+     * Uses UserResponseDto which excludes sensitive fields:
+     * - No passwordHash
+     * - No internal database ID (uses 'sub' UUID instead)
+     * - No MFA secrets
+     * - No internal tracking fields
+     */
+    user;
+    /**
+     * Generated password (only present if generatePassword was true)
+     *
+     * Security: This is returned once and never stored in plain text.
+     * The admin should securely deliver this to the user.
+     */
+    generatedPassword;
+}
+exports.AdminSignupResponseDTO = AdminSignupResponseDTO;
+//# sourceMappingURL=admin-signup.dto.js.map

package/dist/dto/admin-signup.dto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-signup.dto.js","sourceRoot":"","sources":["../../src/dto/admin-signup.dto.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,qDAAsH;AACtH,yDAA8C;AAG9C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,MAAa,cAAc;IACzB;;;;;;;;;OASG;IASH,KAAK,CAAU;IAEf;;;;;;;;;;;OAWG;IAKH,QAAQ,CAAU;IAElB;;;;;;;;;;;OAWG;IAcH,QAAQ,CAAU;IAElB;;;;;;;;;;;OAWG;IAcH,SAAS,CAAU;IAEnB;;;;;;;;;;;OAWG;IAcH,QAAQ,CAAU;IAElB;;;;;;;;;;;;;;;;OAgBG;IAcH,KAAK,CAAU;IAEf;;;;;;OAMG;IAEH,QAAQ,CAA2B;IAEnC;;;;;;;OAOG;IAGH,eAAe,CAAW;IAE1B;;;;;;;OAOG;IAGH,eAAe,CAAW;IAE1B;;;;;;;OAOG;IAGH,kBAAkB,CAAW;IAE7B;;;;;;;;;;;OAWG;IAGH,gBAAgB,CAAW;CAC5B;AArND,wCAqNC;AAlMC;IARC,IAAA,yBAAO,EAAC,EAAE,EAAE,EAAE,OAAO,EAAE,sBAAsB,EAAE,CAAC;IAChD,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,sCAAsC,EAAE,CAAC;IACnE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACpC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;6CACa;AAkBf;IAJC,IAAA,4BAAU,EAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC;IACtC,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,2BAA2B,EAAE,CAAC;IAClD,IAAA,2BAAS,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,wCAAwC,EAAE,CAAC;IACnE,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,yCAAyC,EAAE,CAAC;;gDACrD;AA2BlB;IAbC,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,2BAA2B,EAAE,CAAC;IAClD,IAAA,2BAAS,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,wCAAwC,EAAE,CAAC;IACnE,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,yCAAyC,EAAE,CAAC;IACtE,IAAA,yBAAO,EAAC,kBAAkB,EAAE;QAC3B,OAAO,EAAE,sEAAsE;KAChF,CAAC;IACD,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACpC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;gDACgB;AA2BlB;IAbC,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,6BAA6B,EAAE,CAAC;IACpD,IAAA,2BAAS,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,yCAAyC,EAAE,CAAC;IACpE,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,2CAA2C,EAAE,CAAC;IACxE,IAAA,yBAAO,EAAC,kBAAkB,EAAE;QAC3B,OAAO,EAAE,uEAAuE;KACjF,CAAC;IACD,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;iDACiB;AA2BnB;IAbC,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,4BAA4B,EAAE,CAAC;IACnD,IAAA,2BAAS,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,wCAAwC,EAAE,CAAC;IACnE,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,0CAA0C,EAAE,CAAC;IACvE,IAAA,yBAAO,EAAC,kBAAkB,EAAE;QAC3B,OAAO,EAAE,sEAAsE;KAChF,CAAC;IACD,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;gDACgB;AAgClB;IAbC,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;IAC/C,IAAA,2BAAS,EAAC,EAAE,EAAE,EAAE,OAAO,EAAE,qCAAqC,EAAE,CAAC;IACjE,IAAA,yBAAO,EAAC,mBAAmB,EAAE;QAC5B,OAAO,EAAE,kEAAkE;KAC5E,CAAC;IACD,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,mDAAmD;YACnD,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAClC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;6CACa;AAUf;IADC,IAAA,4BAAU,GAAE;;gDACsB;AAYnC;IAFC,IAAA,4BAAU,GAAE;IACZ,IAAA,2BAAS,EAAC,EAAE,OAAO,EAAE,mCAAmC,EAAE,CAAC;;uDAClC;AAY1B;IAFC,IAAA,4BAAU,GAAE;IACZ,IAAA,2BAAS,EAAC,EAAE,OAAO,EAAE,mCAAmC,EAAE,CAAC;;uDAClC;AAY1B;IAFC,IAAA,4BAAU,GAAE;IACZ,IAAA,2BAAS,EAAC,EAAE,OAAO,EAAE,sCAAsC,EAAE,CAAC;;0DAClC;AAgB7B;IAFC,IAAA,4BAAU,GAAE;IACZ,IAAA,2BAAS,EAAC,EAAE,OAAO,EAAE,oCAAoC,EAAE,CAAC;;wDAClC;AAG7B;;;;;GAKG;AACH,MAAa,sBAAsB;IACjC;;;;;;;;OAQG;IACH,IAAI,CAAmB;IAEvB;;;;;OAKG;IACH,iBAAiB,CAAU;CAC5B;AAnBD,wDAmBC"}

package/dist/dto/index.d.ts

@@ -1,4 +1,5 @@
 export * from './signup.dto';
+export * from './admin-signup.dto';
 export * from './login.dto';
 export * from './change-password.dto';
 export * from './change-password-request.dto';

package/dist/dto/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/dto/index.ts"],"names":[],"mappings":"AACA,cAAc,cAAc,CAAC;AAC7B,cAAc,aAAa,CAAC;AAC5B,cAAc,uBAAuB,CAAC;AACtC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,gCAAgC,CAAC;AAC/C,cAAc,qBAAqB,CAAC;AACpC,cAAc,mBAAmB,CAAC;AAClC,cAAc,sCAAsC,CAAC;AACrD,cAAc,oBAAoB,CAAC;AACnC,cAAc,oBAAoB,CAAC;AACnC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,sBAAsB,CAAC;AACrC,cAAc,uBAAuB,CAAC;AACtC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,qBAAqB,CAAC;AACpC,cAAc,qBAAqB,CAAC;AACpC,cAAc,sBAAsB,CAAC;AACrC,cAAc,0BAA0B,CAAC;AACzC,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,0BAA0B,CAAC;AACzC,cAAc,mCAAmC,CAAC;AAClD,cAAc,6BAA6B,CAAC;AAC5C,cAAc,sBAAsB,CAAC;AACrC,cAAc,wBAAwB,CAAC;AACvC,cAAc,oBAAoB,CAAC;AACnC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,sBAAsB,CAAC;AACrC,cAAc,yBAAyB,CAAC;AACxC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,iBAAiB,CAAC;AAChC,cAAc,uBAAuB,CAAC;AACtC,cAAc,uBAAuB,CAAC;AACtC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,+BAA+B,CAAC;AAC9C,cAAc,iCAAiC,CAAC;AAChD,cAAc,+BAA+B,CAAC;AAC9C,cAAc,mBAAmB,CAAC;AAClC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,yBAAyB,CAAC;AACxC,cAAc,cAAc,CAAC;AAC7B,cAAc,uBAAuB,CAAC;AACtC,cAAc,kBAAkB,CAAC;AACjC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,gCAAgC,CAAC;AAC/C,cAAc,yCAAyC,CAAC;AACxD,cAAc,0BAA0B,CAAC;AAEzC,cAAc,6BAA6B,CAAC;AAC5C,cAAc,kCAAkC,CAAC;AAEjD,cAAc,mBAAmB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/dto/index.ts"],"names":[],"mappings":"AACA,cAAc,cAAc,CAAC;AAC7B,cAAc,oBAAoB,CAAC;AACnC,cAAc,aAAa,CAAC;AAC5B,cAAc,uBAAuB,CAAC;AACtC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,gCAAgC,CAAC;AAC/C,cAAc,qBAAqB,CAAC;AACpC,cAAc,mBAAmB,CAAC;AAClC,cAAc,sCAAsC,CAAC;AACrD,cAAc,oBAAoB,CAAC;AACnC,cAAc,oBAAoB,CAAC;AACnC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,sBAAsB,CAAC;AACrC,cAAc,uBAAuB,CAAC;AACtC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,qBAAqB,CAAC;AACpC,cAAc,qBAAqB,CAAC;AACpC,cAAc,sBAAsB,CAAC;AACrC,cAAc,0BAA0B,CAAC;AACzC,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,0BAA0B,CAAC;AACzC,cAAc,mCAAmC,CAAC;AAClD,cAAc,6BAA6B,CAAC;AAC5C,cAAc,sBAAsB,CAAC;AACrC,cAAc,wBAAwB,CAAC;AACvC,cAAc,oBAAoB,CAAC;AACnC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,sBAAsB,CAAC;AACrC,cAAc,yBAAyB,CAAC;AACxC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,iBAAiB,CAAC;AAChC,cAAc,uBAAuB,CAAC;AACtC,cAAc,uBAAuB,CAAC;AACtC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,+BAA+B,CAAC;AAC9C,cAAc,iCAAiC,CAAC;AAChD,cAAc,+BAA+B,CAAC;AAC9C,cAAc,mBAAmB,CAAC;AAClC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,yBAAyB,CAAC;AACxC,cAAc,cAAc,CAAC;AAC7B,cAAc,uBAAuB,CAAC;AACtC,cAAc,kBAAkB,CAAC;AACjC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,gCAAgC,CAAC;AAC/C,cAAc,yCAAyC,CAAC;AACxD,cAAc,0BAA0B,CAAC;AAEzC,cAAc,6BAA6B,CAAC;AAC5C,cAAc,kCAAkC,CAAC;AAEjD,cAAc,mBAAmB,CAAC"}

package/dist/dto/index.js

@@ -16,6 +16,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 Object.defineProperty(exports, "__esModule", { value: true });
 // Core Auth DTOs
 __exportStar(require("./signup.dto"), exports);
+__exportStar(require("./admin-signup.dto"), exports);
 __exportStar(require("./login.dto"), exports);
 __exportStar(require("./change-password.dto"), exports);
 __exportStar(require("./change-password-request.dto"), exports);

package/dist/dto/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/dto/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,iBAAiB;AACjB,+CAA6B;AAC7B,8CAA4B;AAC5B,wDAAsC;AACtC,gEAA8C;AAC9C,iEAA+C;AAC/C,sDAAoC;AACpC,oDAAkC;AAClC,uEAAqD;AACrD,qDAAmC;AACnC,qDAAmC;AACnC,4DAA0C;AAC1C,uDAAqC;AACrC,wDAAsC;AACtC,gEAA8C;AAC9C,sDAAoC;AACpC,sDAAoC;AACpC,uDAAqC;AACrC,2DAAyC;AACzC,0DAAwC;AACxC,uDAAqC;AACrC,gEAA8C;AAC9C,2DAAyC;AACzC,oEAAkD;AAClD,8DAA4C;AAC5C,uDAAqC;AACrC,yDAAuC;AACvC,qDAAmC;AACnC,gEAA8C;AAC9C,uDAAqC;AACrC,0DAAwC;AACxC,6DAA2C;AAC3C,kDAAgC;AAChC,wDAAsC;AACtC,wDAAsC;AACtC,gEAA8C;AAC9C,gEAA8C;AAC9C,kEAAgD;AAChD,gEAA8C;AAC9C,oDAAkC;AAClC,6DAA2C;AAC3C,0DAAwC;AACxC,uDAAqC;AACrC,0DAAwC;AACxC,+CAA6B;AAC7B,wDAAsC;AACtC,mDAAiC;AACjC,4DAA0C;AAC1C,iEAA+C;AAC/C,0EAAwD;AACxD,2DAAyC;AACzC,+EAA+E;AAC/E,8DAA4C;AAC5C,mEAAiD;AAEjD,oDAAkC;AAElC,+DAA+D;AAC/D,+CAA+C;AAC/C,mCAAmC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/dto/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,iBAAiB;AACjB,+CAA6B;AAC7B,qDAAmC;AACnC,8CAA4B;AAC5B,wDAAsC;AACtC,gEAA8C;AAC9C,iEAA+C;AAC/C,sDAAoC;AACpC,oDAAkC;AAClC,uEAAqD;AACrD,qDAAmC;AACnC,qDAAmC;AACnC,4DAA0C;AAC1C,uDAAqC;AACrC,wDAAsC;AACtC,gEAA8C;AAC9C,sDAAoC;AACpC,sDAAoC;AACpC,uDAAqC;AACrC,2DAAyC;AACzC,0DAAwC;AACxC,uDAAqC;AACrC,gEAA8C;AAC9C,2DAAyC;AACzC,oEAAkD;AAClD,8DAA4C;AAC5C,uDAAqC;AACrC,yDAAuC;AACvC,qDAAmC;AACnC,gEAA8C;AAC9C,uDAAqC;AACrC,0DAAwC;AACxC,6DAA2C;AAC3C,kDAAgC;AAChC,wDAAsC;AACtC,wDAAsC;AACtC,gEAA8C;AAC9C,gEAA8C;AAC9C,kEAAgD;AAChD,gEAA8C;AAC9C,oDAAkC;AAClC,6DAA2C;AAC3C,0DAAwC;AACxC,uDAAqC;AACrC,0DAAwC;AACxC,+CAA6B;AAC7B,wDAAsC;AACtC,mDAAiC;AACjC,4DAA0C;AAC1C,iEAA+C;AAC/C,0EAAwD;AACxD,2DAAyC;AACzC,+EAA+E;AAC/E,8DAA4C;AAC5C,mEAAiD;AAEjD,oDAAkC;AAElC,+DAA+D;AAC/D,+CAA+C;AAC/C,mCAAmC"}

package/dist/handlers/csrf.handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"csrf.handler.d.ts","sourceRoot":"","sources":["../../src/handlers/csrf.handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,WAAW,EAAiC,WAAW,EAAE,MAAM,UAAU,CAAC;AACnF,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AACvD,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAKrE;;;;GAIG;AACH,qBAAa,WAAW;IAEpB,OAAO,CAAC,QAAQ,CAAC,WAAW;IAC5B,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;gBAFP,WAAW,EAAE,WAAW,EACxB,MAAM,EAAE,WAAW,EACnB,MAAM,CAAC,EAAE,WAAW,YAAA;IAGvC;;;;OAIG;IACU,MAAM,CAAC,GAAG,EAAE,YAAY,EAAE,GAAG,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAkC3G;;OAEG;YACW,sBAAsB;IAgCpC;;;;;OAKG;YACW,aAAa;CA0C5B"}
+{"version":3,"file":"csrf.handler.d.ts","sourceRoot":"","sources":["../../src/handlers/csrf.handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,WAAW,EAAiC,WAAW,EAAE,MAAM,UAAU,CAAC;AACnF,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AACvD,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAKrE;;;;GAIG;AACH,qBAAa,WAAW;IAEpB,OAAO,CAAC,QAAQ,CAAC,WAAW;IAC5B,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;gBAFP,WAAW,EAAE,WAAW,EACxB,MAAM,EAAE,WAAW,EACnB,MAAM,CAAC,EAAE,WAAW,YAAA;IAGvC;;;;OAIG;IACU,MAAM,CAAC,GAAG,EAAE,YAAY,EAAE,GAAG,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAkC3G;;OAEG;YACW,sBAAsB;IAsCpC;;;;;OAKG;YACW,aAAa;CA0C5B"}

package/dist/handlers/csrf.handler.js

@@ -77,14 +77,19 @@ class CsrfHandler {
         }
         // Generate new token
         const token = this.csrfService.generateToken();
+        // Allow per-app override, but default to readable cookie (NOT httpOnly)
+        // so browser clients can send the value back in the CSRF header.
+        const csrfCookieOptions = this.csrfService.getCookieOptions();
         // Build cookie options
         const cookieOptions = {
-            httpOnly: true, // Prevents XSS access to token
+            // CSRF token is not a secret; it must be readable by JS to be sent as a header.
+            // If an app wants httpOnly CSRF (header-based acquisition), they can override via config.
+            httpOnly: csrfCookieOptions.httpOnly ?? false,
             secure: this.config.tokenDelivery?.cookieOptions?.secure ?? true,
             sameSite: (this.config.tokenDelivery?.cookieOptions?.sameSite || 'strict'),
             domain: this.config.tokenDelivery?.cookieOptions?.domain,
             path: '/',
-            ...this.csrfService.getCookieOptions(),
+            ...csrfCookieOptions,
         };
         // Set cookie
         res.setCookie(cookieName, token, cookieOptions);

package/dist/handlers/csrf.handler.js.map

@@ -1 +1 @@
-{"version":3,"file":"csrf.handler.js","sourceRoot":"","sources":["../../src/handlers/csrf.handler.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;;AAEH,oCAAmF;AAInF,sDAAsD;AACtD,MAAM,YAAY,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;AAEhD;;;;GAIG;AACH,MAAa,WAAW;IAEH;IACA;IACA;IAHnB,YACmB,WAAwB,EACxB,MAAmB,EACnB,MAAoB;QAFpB,gBAAW,GAAX,WAAW,CAAa;QACxB,WAAM,GAAN,MAAM,CAAa;QACnB,WAAM,GAAN,MAAM,CAAc;IACpC,CAAC;IAEJ;;;;OAIG;IACI,KAAK,CAAC,MAAM,CAAC,GAAiB,EAAE,GAAkB,EAAE,IAAgC;QACzF,kDAAkD;QAClD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,MAAM,IAAI,MAAM,CAAC;QAC3D,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YAChD,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QAED,0CAA0C;QAC1C,IAAI,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,CAAC,sBAAsB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;YAC5C,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QAED,yCAAyC;QACzC,IAAI,GAAG,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC;YAC/B,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QAED,sBAAsB;QACtB,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,IAAI,EAAE,aAAa,IAAI,EAAE,CAAC;QACtE,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9D,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QAED,mEAAmE;QACnE,MAAM,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;QAE9B,MAAM,IAAI,EAAE,CAAC;IACf,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,sBAAsB,CAAC,GAAiB,EAAE,GAAkB;QACxE,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC;QACpD,MAAM,aAAa,GAAG,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAE9C,IAAI,aAAa,EAAE,CAAC;YAClB,+CAA+C;YAC/C,OAAO,GAAG,CAAC,UAAU,CAAC,cAAc,CAAC;YACrC,OAAO;QACT,CAAC;QAED,qBAAqB;QACrB,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC;QAE/C,uBAAuB;QACvB,MAAM,aAAa,GAAG;YACpB,QAAQ,EAAE,IAAI,EAAE,+BAA+B;YAC/C,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,aAAa,EAAE,MAAM,IAAI,IAAI;YAChE,QAAQ,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,aAAa,EAAE,QAAQ,IAAI,QAAQ,CAA8B;YACvG,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,aAAa,EAAE,MAAM;YACxD,IAAI,EAAE,GAAG;YACT,GAAG,IAAI,CAAC,WAAW,CAAC,gBAAgB,EAAE;SACvC,CAAC;QAEF,aAAa;QACb,GAAG,CAAC,SAAS,CAAC,UAAU,EAAE,KAAK,EAAE,aAAa,CAAC,CAAC;QAEhD,kEAAkE;QAClE,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,EAAE,KAAK,CAAC,CAAC;QAEpD,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,8BAA8B,CAAC,CAAC;IACvD,CAAC;IAED;;;;;OAKG;IACK,KAAK,CAAC,aAAa,CAAC,GAAiB;QAC3C,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC;QACpD,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC;QAEpD,gCAAgC;QAChC,IAAI,gBAAgB,GAAG,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QACjD,IAAI,CAAC,gBAAgB,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;YAClC,2BAA2B;YAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,IAA+B,CAAC;YACjD,gBAAgB,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,CAAuB,CAAC;QACpG,CAAC;QAED,wBAAwB;QACxB,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAE5C,iCAAiC;QACjC,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,GAAG,CAAC,UAAU,CAAC,cAAc,GAAG,IAAI,sBAAc,CAChD,qBAAa,CAAC,kBAAkB,EAChC,gCAAgC,UAAU,0DAA0D,UAAU,UAAU,CACzH,CAAC;YACF,OAAO;QACT,CAAC;QAED,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,GAAG,CAAC,UAAU,CAAC,cAAc,GAAG,IAAI,sBAAc,CAChD,qBAAa,CAAC,kBAAkB,EAChC,kEAAkE,CACnE,CAAC;YACF,OAAO;QACT,CAAC;QAED,yBAAyB;QACzB,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,aAAa,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,WAAW,CAAC,CAAC;QAEtF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,GAAG,CAAC,UAAU,CAAC,cAAc,GAAG,IAAI,sBAAc,CAAC,qBAAa,CAAC,kBAAkB,EAAE,sBAAsB,CAAC,CAAC;YAC7G,OAAO;QACT,CAAC;QAED,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,mCAAmC,CAAC,CAAC;IAC5D,CAAC;CACF;AAjID,kCAiIC"}
+{"version":3,"file":"csrf.handler.js","sourceRoot":"","sources":["../../src/handlers/csrf.handler.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;;AAEH,oCAAmF;AAInF,sDAAsD;AACtD,MAAM,YAAY,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;AAEhD;;;;GAIG;AACH,MAAa,WAAW;IAEH;IACA;IACA;IAHnB,YACmB,WAAwB,EACxB,MAAmB,EACnB,MAAoB;QAFpB,gBAAW,GAAX,WAAW,CAAa;QACxB,WAAM,GAAN,MAAM,CAAa;QACnB,WAAM,GAAN,MAAM,CAAc;IACpC,CAAC;IAEJ;;;;OAIG;IACI,KAAK,CAAC,MAAM,CAAC,GAAiB,EAAE,GAAkB,EAAE,IAAgC;QACzF,kDAAkD;QAClD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,MAAM,IAAI,MAAM,CAAC;QAC3D,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YAChD,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QAED,0CAA0C;QAC1C,IAAI,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,CAAC,sBAAsB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;YAC5C,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QAED,yCAAyC;QACzC,IAAI,GAAG,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC;YAC/B,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QAED,sBAAsB;QACtB,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,IAAI,EAAE,aAAa,IAAI,EAAE,CAAC;QACtE,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9D,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QAED,mEAAmE;QACnE,MAAM,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;QAE9B,MAAM,IAAI,EAAE,CAAC;IACf,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,sBAAsB,CAAC,GAAiB,EAAE,GAAkB;QACxE,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC;QACpD,MAAM,aAAa,GAAG,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAE9C,IAAI,aAAa,EAAE,CAAC;YAClB,+CAA+C;YAC/C,OAAO,GAAG,CAAC,UAAU,CAAC,cAAc,CAAC;YACrC,OAAO;QACT,CAAC;QAED,qBAAqB;QACrB,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC;QAE/C,wEAAwE;QACxE,iEAAiE;QACjE,MAAM,iBAAiB,GAAG,IAAI,CAAC,WAAW,CAAC,gBAAgB,EAAE,CAAC;QAE9D,uBAAuB;QACvB,MAAM,aAAa,GAAG;YACpB,gFAAgF;YAChF,0FAA0F;YAC1F,QAAQ,EAAE,iBAAiB,CAAC,QAAQ,IAAI,KAAK;YAC7C,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,aAAa,EAAE,MAAM,IAAI,IAAI;YAChE,QAAQ,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,aAAa,EAAE,QAAQ,IAAI,QAAQ,CAA8B;YACvG,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,aAAa,EAAE,MAAM;YACxD,IAAI,EAAE,GAAG;YACT,GAAG,iBAAiB;SACrB,CAAC;QAEF,aAAa;QACb,GAAG,CAAC,SAAS,CAAC,UAAU,EAAE,KAAK,EAAE,aAAa,CAAC,CAAC;QAEhD,kEAAkE;QAClE,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,EAAE,KAAK,CAAC,CAAC;QAEpD,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,8BAA8B,CAAC,CAAC;IACvD,CAAC;IAED;;;;;OAKG;IACK,KAAK,CAAC,aAAa,CAAC,GAAiB;QAC3C,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC;QACpD,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC;QAEpD,gCAAgC;QAChC,IAAI,gBAAgB,GAAG,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QACjD,IAAI,CAAC,gBAAgB,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;YAClC,2BAA2B;YAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,IAA+B,CAAC;YACjD,gBAAgB,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,CAAuB,CAAC;QACpG,CAAC;QAED,wBAAwB;QACxB,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAE5C,iCAAiC;QACjC,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,GAAG,CAAC,UAAU,CAAC,cAAc,GAAG,IAAI,sBAAc,CAChD,qBAAa,CAAC,kBAAkB,EAChC,gCAAgC,UAAU,0DAA0D,UAAU,UAAU,CACzH,CAAC;YACF,OAAO;QACT,CAAC;QAED,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,GAAG,CAAC,UAAU,CAAC,cAAc,GAAG,IAAI,sBAAc,CAChD,qBAAa,CAAC,kBAAkB,EAChC,kEAAkE,CACnE,CAAC;YACF,OAAO;QACT,CAAC;QAED,yBAAyB;QACzB,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,aAAa,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,WAAW,CAAC,CAAC;QAEtF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,GAAG,CAAC,UAAU,CAAC,cAAc,GAAG,IAAI,sBAAc,CAAC,qBAAa,CAAC,kBAAkB,EAAE,sBAAsB,CAAC,CAAC;YAC7G,OAAO;QACT,CAAC;QAED,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,mCAAmC,CAAC,CAAC;IAC5D,CAAC;CACF;AAvID,kCAuIC"}

package/dist/handlers/social-redirect.handler.d.ts

@@ -0,0 +1,126 @@
+import { AuthResponseDTO } from '../dto/auth-response.dto';
+import { NAuthConfig } from '../interfaces/config.interface';
+import { ISocialAuthStateStore } from '../interfaces/social-auth-state-store.interface';
+import { StorageAdapter } from '../interfaces/storage-adapter.interface';
+import { NAuthCookieOptions } from '../platform/interfaces';
+import { SocialAuthService } from '../services/social-auth.service';
+import { NAuthLogger } from '../utils/nauth-logger';
+/**
+ * Social Redirect Handler (framework-neutral)
+ *
+ * Consumer backends should implement their own HTTP controllers/routes and delegate to this handler.
+ * The handler returns a small "response recipe" that the consumer applies to their framework response.
+ *
+ * Key properties:
+ * - Backend-first redirect (provider -> backend callback -> frontend)
+ * - Cluster-safe CSRF `state` storage via `ISocialAuthStateStore` (StorageAdapter-backed)
+ * - Optional `appState` round-trip (opaque string, URL-encoded)
+ * - Supports `cookies`, `json`, and `hybrid` (origin-based) delivery modes
+ *
+ * @example
+ * ```typescript
+ * // NestJS controller pseudocode
+ * const start = await socialRedirect.start({ provider: 'google', returnTo: '/auth/callback', appState: '12345', req });
+ * return res.redirect(start.redirectUrl);
+ *
+ * const cb = await socialRedirect.callback({ provider: 'google', code, state, req });
+ * cb.cookies?.forEach((c) => res.setCookie(c.name, c.value, c.options));
+ * return res.redirect(cb.redirectUrl);
+ *
+ * const auth = await socialRedirect.exchange(exchangeToken);
+ * return auth;
+ * ```
+ */
+export declare class SocialRedirectHandler {
+    private readonly config;
+    private readonly socialAuthService;
+    private readonly socialStateStore;
+    private readonly storage;
+    private readonly logger?;
+    private readonly csrfService;
+    private readonly exchangeTtlSeconds;
+    constructor(config: NAuthConfig, socialAuthService: SocialAuthService, socialStateStore: ISocialAuthStateStore, storage: StorageAdapter, logger?: NAuthLogger | undefined, exchangeTtlSeconds?: number);
+    /**
+     * Start redirect-first social login.
+     *
+     * @param input - Start parameters
+     * @returns Redirect recipe to send user to the provider authorization URL
+     * @throws {NAuthException} When provider/returnTo are invalid or config is missing
+     */
+    start(input: SocialRedirectStartInput): Promise<SocialRedirectStartResult>;
+    /**
+     * Handle provider callback and produce a frontend redirect recipe.
+     *
+     * @param input - Callback parameters from provider (GET query or POST form_post)
+     * @returns Redirect recipe to send user back to frontend with `appState` (and optional `exchangeToken`)
+     * @throws {NAuthException} When required params are missing/invalid
+     */
+    callback(input: SocialRedirectCallbackInput): Promise<SocialRedirectCallbackResult>;
+    /**
+     * Exchange a short-lived exchange token for an AuthResponse.
+     *
+     * @param exchangeToken - One-time token from callback redirect URL
+     * @returns AuthResponse payload (tokens or challenge)
+     * @throws {NAuthException} When exchangeToken is invalid/expired
+     */
+    exchange(exchangeToken: string): Promise<AuthResponseDTO>;
+    private buildAuthCookies;
+    private buildCsrfCookie;
+    private getFrontendBaseUrl;
+    private buildFrontendRedirectUrl;
+    private appendQuery;
+    private resolveEffectiveDelivery;
+    private normalizeProvider;
+    private getExchangeKey;
+    private safeParseExchangePayload;
+}
+/**
+ * Start input for redirect-first social login.
+ */
+export interface SocialRedirectStartInput {
+    /** OAuth provider (google|apple|facebook) */
+    provider: string;
+    /** Frontend path or URL to return to (default: `/auth/callback`) */
+    returnTo?: string;
+    /** Optional application state to round-trip back to frontend */
+    appState?: string;
+    /** Optional action (default: `login`) */
+    action?: 'login' | 'link';
+    /** Optional delivery preference */
+    delivery?: 'cookies' | 'json';
+    /** Request object for hybrid origin-based delivery */
+    req?: unknown;
+}
+/**
+ * Callback input for redirect-first social login.
+ */
+export interface SocialRedirectCallbackInput {
+    provider: string;
+    code?: string;
+    state?: string;
+    error?: string;
+    errorDescription?: string;
+    req?: unknown;
+}
+/**
+ * Cookie instruction returned by SocialRedirectHandler.
+ */
+export interface SocialRedirectCookie {
+    name: string;
+    value: string;
+    options?: NAuthCookieOptions;
+}
+/**
+ * Start redirect result.
+ */
+export interface SocialRedirectStartResult {
+    redirectUrl: string;
+}
+/**
+ * Callback redirect result.
+ */
+export interface SocialRedirectCallbackResult {
+    redirectUrl: string;
+    cookies?: SocialRedirectCookie[];
+}
+//# sourceMappingURL=social-redirect.handler.d.ts.map

package/dist/handlers/social-redirect.handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"social-redirect.handler.d.ts","sourceRoot":"","sources":["../../src/handlers/social-redirect.handler.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAE3D,OAAO,EAAE,WAAW,EAAE,MAAM,gCAAgC,CAAC;AAC7D,OAAO,EAAE,qBAAqB,EAAE,MAAM,iDAAiD,CAAC;AACxF,OAAO,EAAE,cAAc,EAAE,MAAM,yCAAyC,CAAC;AACzE,OAAO,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAC5D,OAAO,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AAIpE,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAEpD;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,qBAAa,qBAAqB;IAK9B,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,iBAAiB;IAClC,OAAO,CAAC,QAAQ,CAAC,gBAAgB;IACjC,OAAO,CAAC,QAAQ,CAAC,OAAO;IACxB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;IAR1B,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAc;IAC1C,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAS;gBAGzB,MAAM,EAAE,WAAW,EACnB,iBAAiB,EAAE,iBAAiB,EACpC,gBAAgB,EAAE,qBAAqB,EACvC,OAAO,EAAE,cAAc,EACvB,MAAM,CAAC,EAAE,WAAW,YAAA,EACrC,kBAAkB,GAAE,MAAW;IAMjC;;;;;;OAMG;IACG,KAAK,CAAC,KAAK,EAAE,wBAAwB,GAAG,OAAO,CAAC,yBAAyB,CAAC;IAuBhF;;;;;;OAMG;IACG,QAAQ,CAAC,KAAK,EAAE,2BAA2B,GAAG,OAAO,CAAC,4BAA4B,CAAC;IA0DzF;;;;;;OAMG;IACG,QAAQ,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC;IAuB/D,OAAO,CAAC,gBAAgB;IAyDxB,OAAO,CAAC,eAAe;IA0BvB,OAAO,CAAC,kBAAkB;IAY1B,OAAO,CAAC,wBAAwB;IAqBhC,OAAO,CAAC,WAAW;IAYnB,OAAO,CAAC,wBAAwB;IA4BhC,OAAO,CAAC,iBAAiB;IAWzB,OAAO,CAAC,cAAc;IAItB,OAAO,CAAC,wBAAwB;CAYjC;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,6CAA6C;IAC7C,QAAQ,EAAE,MAAM,CAAC;IACjB,oEAAoE;IACpE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yCAAyC;IACzC,MAAM,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC;IAC1B,mCAAmC;IACnC,QAAQ,CAAC,EAAE,SAAS,GAAG,MAAM,CAAC;IAC9B,sDAAsD;IACtD,GAAG,CAAC,EAAE,OAAO,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC1C,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,GAAG,CAAC,EAAE,OAAO,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,kBAAkB,CAAC;CAC9B;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC3C,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,oBAAoB,EAAE,CAAC;CAClC"}