@nauth-toolkit/core 0.1.18 → 0.1.22

package/dist/services/auth.service.js

@@ -47,6 +47,7 @@ const error_codes_enum_1 = require("../enums/error-codes.enum");
 const mfa_method_enum_1 = require("../enums/mfa-method.enum");
 const class_validator_1 = require("class-validator");
 const crypto = __importStar(require("crypto"));
+const password_generator_1 = require("../utils/password-generator");
 /**
  * Dummy Argon2 hash for constant-time response
  *
@@ -289,6 +290,199 @@ class AuthService {
         return response;
     }
     // ============================================================================
+    // Admin Signup
+    // ============================================================================
+    /**
+     * Administrative user creation with override capabilities
+     *
+     * Allows administrators to create user accounts with:
+     * - Bypass email/phone verification requirements
+     * - Force password change on first login
+     * - Auto-generate secure passwords
+     *
+     * Security:
+     * - No built-in authentication - endpoint must be protected by framework adapter
+     * - All duplicate checks still enforced
+     * - Password policy still enforced (unless auto-generated)
+     * - Audit trail records admin-created accounts
+     *
+     * @param dto - Admin signup DTO with override flags
+     * @returns User object and optionally generated password
+     * @throws {NAuthException} EMAIL_EXISTS | USERNAME_EXISTS | PHONE_EXISTS | WEAK_PASSWORD
+     *
+     * @example
+     * ```typescript
+     * // Create user with pre-verified email
+     * const result = await authService.adminSignup({
+     *   email: 'user@example.com',
+     *   password: 'SecurePass123!',
+     *   isEmailVerified: true,
+     * });
+     *
+     * // Create user with auto-generated password
+     * const result = await authService.adminSignup({
+     *   email: 'user@example.com',
+     *   generatePassword: true,
+     *   isEmailVerified: true,
+     *   mustChangePassword: true,
+     * });
+     * // result.generatedPassword contains the temporary password
+     * ```
+     */
+    async adminSignup(dto) {
+        // Get client info from request context (transparent!)
+        const clientInfo = this.clientInfoService.get();
+        this.logger?.log?.(`Admin signup attempt for email: ${dto.email}`);
+        this.logger?.debug?.(`Admin signup details: { email: ${dto.email}, username: ${dto.username || 'none'}, ip: ${clientInfo.ipAddress} }`);
+        // Skip signup.enabled check (admin bypass)
+        // Check if user already exists (email and username)
+        this.logger?.debug?.(`Checking if user exists: ${dto.email}`);
+        const existingUserByEmail = await this.userRepository.findOne({
+            where: { email: dto.email },
+        });
+        if (existingUserByEmail) {
+            this.logger?.warn?.(`Admin signup failed - user already exists: ${dto.email}`);
+            throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.EMAIL_EXISTS, 'User with this email already exists');
+        }
+        // Check for duplicate username if provided
+        if (dto.username) {
+            this.logger?.debug?.(`Checking if username exists: ${dto.username}`);
+            const existingUserByUsername = await this.userRepository.findOne({
+                where: { username: dto.username },
+            });
+            if (existingUserByUsername) {
+                this.logger?.warn?.(`Admin signup failed - username already exists: ${dto.username}`);
+                throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.USERNAME_EXISTS, 'Username is already taken');
+            }
+        }
+        // Check for duplicate phone if provided and duplicates not allowed
+        if (dto.phone && !this.config.signup?.allowDuplicatePhones) {
+            this.logger?.debug?.(`Checking if phone exists: ${dto.phone}`);
+            const existingUserByPhone = await this.userRepository.findOne({
+                where: { phone: dto.phone },
+            });
+            if (existingUserByPhone) {
+                this.logger?.warn?.(`Admin signup failed - phone already exists: ${dto.phone}`);
+                throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.PHONE_EXISTS, 'Phone number is already registered');
+            }
+        }
+        // Handle password
+        let passwordHash;
+        let generatedPassword;
+        if (dto.generatePassword) {
+            // Generate secure random password
+            generatedPassword = (0, password_generator_1.generateSecurePassword)(16);
+            this.logger?.debug?.(`Generated password for admin-created user: ${dto.email}`);
+            passwordHash = await this.passwordService.hashPassword(generatedPassword);
+        }
+        else {
+            // Validate password policy
+            if (!dto.password) {
+                throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.WEAK_PASSWORD, 'Password is required when generatePassword is false');
+            }
+            this.logger?.debug?.('Validating password against policy');
+            const passwordValidation = await this.passwordService.validatePassword(dto.password, {
+                email: dto.email,
+                username: dto.username,
+            });
+            if (!passwordValidation.valid) {
+                this.logger?.warn?.(`Password validation failed for ${dto.email}: ${passwordValidation.errors.join(', ')}`);
+                throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.WEAK_PASSWORD, passwordValidation.errors.join(', '), {
+                    errors: passwordValidation.errors,
+                });
+            }
+            // Hash password
+            passwordHash = await this.passwordService.hashPassword(dto.password);
+        }
+        // Create user with override flags
+        this.logger?.debug?.(`Creating admin user record for: ${dto.email} || ${dto.username} || ${dto.phone} (isEmailVerified: ${dto.isEmailVerified || false}, isPhoneVerified: ${dto.isPhoneVerified || false})`);
+        const user = this.userRepository.create({
+            email: dto.email,
+            username: dto.username,
+            firstName: dto.firstName,
+            lastName: dto.lastName,
+            phone: dto.phone,
+            passwordHash,
+            passwordChangedAt: new Date(),
+            isEmailVerified: dto.isEmailVerified ?? false, // Use DTO value or default to false
+            isPhoneVerified: dto.isPhoneVerified ?? false, // Use DTO value or default to false
+            mustChangePassword: dto.mustChangePassword ?? false, // Use DTO value or default to false
+            isActive: true, // Always active
+            metadata: dto.metadata,
+        });
+        let savedUser;
+        try {
+            savedUser = (await this.userRepository.save(user));
+            this.logger?.log?.(`Admin user created successfully: ${dto.email} (sub: ${savedUser.sub})`);
+            // ============================================================================
+            // Audit: Record account creation by admin
+            // ============================================================================
+            try {
+                await this.auditService?.recordEvent({
+                    userId: savedUser.id,
+                    eventType: auth_audit_event_type_enum_1.AuthAuditEventType.ACCOUNT_CREATED,
+                    eventStatus: 'INFO',
+                    authMethod: 'admin',
+                    // Client info automatically included from context
+                    metadata: {
+                        email: savedUser.email,
+                        username: savedUser.username || null,
+                        createdByAdmin: true,
+                        adminIdentifier: clientInfo.ipAddress || 'unknown',
+                        isEmailVerified: savedUser.isEmailVerified,
+                        isPhoneVerified: savedUser.isPhoneVerified,
+                        mustChangePassword: savedUser.mustChangePassword,
+                        passwordGenerated: !!generatedPassword,
+                    },
+                });
+            }
+            catch (auditError) {
+                // Non-blocking: Log but continue
+                const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
+                this.logger?.error?.(`Failed to record ACCOUNT_CREATED audit event: ${errorMessage}`, {
+                    error: auditError,
+                    userId: savedUser.id,
+                });
+            }
+        }
+        catch (error) {
+            // Handle database constraint violations gracefully
+            if (error && typeof error === 'object' && 'code' in error && error.code === '23505') {
+                // PostgreSQL unique constraint violation
+                const dbError = error;
+                if (dbError.detail?.includes('email')) {
+                    this.logger?.warn?.(`Admin signup failed - email constraint violation: ${dto.email}`);
+                    throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.EMAIL_EXISTS, 'User with this email already exists');
+                }
+                else if (dbError.detail?.includes('username')) {
+                    this.logger?.warn?.(`Admin signup failed - username constraint violation: ${dto.username}`);
+                    throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.USERNAME_EXISTS, 'Username is already taken');
+                }
+                else if (dbError.detail?.includes('phone')) {
+                    this.logger?.warn?.(`Admin signup failed - phone constraint violation: ${dto.phone}`);
+                    throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.PHONE_EXISTS, 'Phone number is already registered');
+                }
+                else {
+                    this.logger?.error?.(`Admin signup failed - database constraint violation: ${dbError.message}`);
+                    throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.EMAIL_EXISTS, 'User with this information already exists', {
+                        conflictType: 'unknown',
+                    });
+                }
+            }
+            // Re-throw other database errors
+            const errorMessage = error instanceof Error ? error.message : 'Unknown database error';
+            this.logger?.error?.(`Admin signup failed - database error: ${errorMessage}`);
+            throw error;
+        }
+        // No tokens, no challenge system, no verification emails - pure user creation
+        // Return sanitized user object (excludes passwordHash and other sensitive fields)
+        const userDto = user_response_dto_1.UserResponseDto.fromEntity(savedUser);
+        return {
+            user: userDto,
+            generatedPassword,
+        };
+    }
+    // ============================================================================
     // User Login
     // ============================================================================
     /**
@@ -794,10 +988,19 @@ class AuthService {
                 });
             }
         }
-        // // Execute afterLogin hook
-        // if (this.config.hooks?.afterLogin) {
-        //   await this.config.hooks.afterLogin(user, session);
-        // }
+        // ============================================================================
+        // Lifecycle Hook: afterLogin
+        // ============================================================================
+        if (this.config.hooks?.afterLogin) {
+            try {
+                await this.config.hooks.afterLogin(user, session);
+            }
+            catch (hookError) {
+                const errorMessage = hookError instanceof Error ? hookError.message : 'Unknown error';
+                // Non-blocking: auth succeeded; hook errors should not break login
+                this.logger?.error?.(`afterLogin hook failed (continuing): ${errorMessage}`, { error: hookError });
+            }
+        }
         // ============================================================================
         // Trusted Device Token Management (Remember Device Feature)
         // ============================================================================
@@ -847,11 +1050,13 @@ class AuthService {
                 isEmailVerified: userDto.isEmailVerified,
                 isPhoneVerified: userDto.isPhoneVerified ?? undefined,
                 socialProviders: userDto.socialProviders && userDto.socialProviders.length > 0 ? userDto.socialProviders : undefined,
+                hasPasswordHash: userDto.hasPasswordHash,
             },
             accessToken: tokens.accessToken,
             refreshToken: tokens.refreshToken,
             accessTokenExpiresAt: accessTokenValidation.payload?.exp || 0,
             refreshTokenExpiresAt: refreshTokenValidation.payload?.exp || 0,
+            authMethod: 'password',
             trusted: isTrusted, // Include trusted flag so frontend knows if device is already trusted
             // Include deviceToken - CookieTokenInterceptor will handle cookie/stripping based on @TokenDelivery decorator
             deviceToken,
@@ -3008,7 +3213,7 @@ class AuthService {
             const attempts = await this.accountLockoutStorage.recordFailedAttempt(ipAddress);
             // Lock IP if max attempts reached
             if (attempts >= (this.config.lockout.maxAttempts || 5)) {
-                await this.accountLockoutStorage.blockIpAdresss(ipAddress, this.config.lockout.duration || 900, // 15 minutes default
+                await this.accountLockoutStorage.lockIpAddress(ipAddress, this.config.lockout.duration || 900, // 15 minutes default
                 'Too many failed login attempts from this IP');
                 // // Execute hook with IP address
                 // if (this.config.hooks?.afterAccountLock) {
@@ -3016,10 +3221,19 @@ class AuthService {
                 // }
             }
         }
-        // // Execute hook
-        // if (this.config.hooks?.afterLoginFailed) {
-        //   await this.config.hooks.afterLoginFailed(identifier, reason || 'unknown');
-        // }
+        // ============================================================================
+        // Lifecycle Hook: afterLoginFailed
+        // ============================================================================
+        if (this.config.hooks?.afterLoginFailed) {
+            try {
+                await this.config.hooks.afterLoginFailed(identifier, reason || 'unknown');
+            }
+            catch (hookError) {
+                const errorMessage = hookError instanceof Error ? hookError.message : 'Unknown error';
+                // Non-blocking: login already failed; do not throw
+                this.logger?.error?.(`afterLoginFailed hook failed (continuing): ${errorMessage}`, { error: hookError });
+            }
+        }
     }
     /**
      * Records a login attempt with client context.
@@ -3044,10 +3258,50 @@ class AuthService {
         await this.loginAttemptRepository.save(attempt);
     }
     /**
-     * Get user by ID (sub)
-     * @param sub - User sub (external identifier)
-     * @returns User entity or null
+     * Get user for authentication context
+     *
+     * Loads user by sub (external identifier) with all fields needed for auth context.
+     * Computes hasPasswordHash from passwordHash, then removes passwordHash and other sensitive fields.
+     *
+     * This method is used by AuthHandler and AuthGuard to load authenticated users.
+     * It ensures consistent user object shape across platforms (core + NestJS).
+     *
+     * @param sub - External user identifier (UUID)
+     * @returns User object with hasPasswordHash flag, without sensitive fields
+     * @throws {NAuthException} If user not found or account is inactive
+     *
+     * @example
+     * ```typescript
+     * const user = await authService.getUserForAuthContext('user-uuid-123');
+     * // user.hasPasswordHash === true/false
+     * // user.passwordHash === undefined (removed)
+     * ```
      */
+    async getUserForAuthContext(sub) {
+        // Load user with all fields including passwordHash (needed to compute hasPasswordHash)
+        const user = await this.userRepository.findOne({
+            where: { sub },
+        });
+        if (!user) {
+            throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.NOT_FOUND, 'User not found');
+        }
+        if (!user.isActive) {
+            throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.ACCOUNT_INACTIVE, 'Account is not active');
+        }
+        // Compute hasPasswordHash from passwordHash
+        const hasPasswordHash = Boolean(user.passwordHash);
+        // Create safe user object without sensitive fields
+        const safeUser = {
+            ...user,
+            hasPasswordHash,
+        };
+        // Remove sensitive fields
+        delete safeUser.passwordHash;
+        delete safeUser.totpSecret;
+        delete safeUser.backupCodes;
+        delete safeUser.passwordHistory;
+        return safeUser;
+    }
     async getUserById(dto) {
         const user = (await this.userRepository.findOne({ where: { sub: dto.sub } }));
         return user ? user_response_dto_1.UserResponseDto.fromEntity(user) : null;
@@ -3154,17 +3408,9 @@ class AuthService {
             this.logger?.warn?.(`Password reset failed - user not found: ${dto.identifier}`);
             throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.NOT_FOUND, 'User not found');
         }
-        // ============================================================================
-        // Validate User Can Have Password Reset
-        // ============================================================================
-        // CRITICAL PROTECTION: Only allow for users with password authentication
-        // Pure social users cannot have password reset (they don't have passwords)
-        if (!user.passwordHash) {
-            this.logger?.warn?.(`Password reset failed - user doesn't have a password (pure social signup): ${user.sub}`);
-            throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.PASSWORD_CHANGE_NOT_ALLOWED, 'Password reset not available. This account uses social authentication only and has no password.');
-        }
         const mustChangePassword = dto.mustChangePassword ?? true; // Default to true for security
         const revokeSessions = dto.revokeSessions !== false;
+        const wasSocialOnly = !user.passwordHash;
         const { sessionsRevoked } = await this.updateUserPassword({
             user,
             newPassword: dto.newPassword,
@@ -3179,6 +3425,9 @@ class AuthService {
                 metadata: {
                     identifier: dto.identifier,
                     mustChangePassword,
+                    // WHY: Admins can set the first password for social-only accounts so users can login via either route later.
+                    // This flag helps downstream observability without exposing anything to clients.
+                    wasSocialOnly,
                 },
             },
         });
@@ -3227,34 +3476,11 @@ class AuthService {
         if (!user) {
             return response; // Non-enumerating
         }
-        // Only password-capable accounts can use forgot-password.
-        // Hybrid (password + social) is allowed (passwordHash exists).
-        if (!user.passwordHash) {
-            // ============================================================================
-            // Security: record attempt for social-only accounts (no password set)
-            // ============================================================================
-            // WHY: A malicious actor may spam forgot-password to learn about accounts or to harass users.
-            // We keep the API response non-enumerating, but still record an audit event for observability.
-            this.logger?.warn?.(`Password reset requested for social-only account; ignoring for user: ${user.sub}`);
-            try {
-                await this.auditService?.recordEvent({
-                    userId: user.id,
-                    eventType: auth_audit_event_type_enum_1.AuthAuditEventType.PASSWORD_RESET_REQUESTED,
-                    eventStatus: 'SUSPICIOUS',
-                    authMethod: 'social',
-                    reason: 'forgot_password_social_only',
-                    description: 'Password reset requested for social-only account (ignored)',
-                });
-            }
-            catch (auditError) {
-                const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
-                this.logger?.error?.(`Failed to record PASSWORD_RESET_REQUESTED audit event: ${errorMessage}`, {
-                    error: auditError,
-                    userId: user.id,
-                });
-            }
-            return response;
-        }
+        // ============================================================================
+        // Allow social-only accounts to set their first password via forgot-password
+        // ============================================================================
+        // WHY: Social-first users commonly want to add a password later. The reset code proves possession
+        // of the delivery channel (email/sms) and avoids weakening account security.
         const verificationMethod = this.config.signup?.verificationMethod ?? 'email';
         // ============================================================================
         // Determine delivery channel
@@ -3320,7 +3546,7 @@ class AuthService {
             throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.SERVICE_UNAVAILABLE, 'Password reset is not available');
         }
         const user = await this.findUserByIdentifier(dto.identifier, this.config.login?.identifierType);
-        if (!user || !user.passwordHash) {
+        if (!user) {
             // Non-enumerating: treat as invalid code
             throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.PASSWORD_RESET_CODE_INVALID, 'Invalid password reset code');
         }