@nauth-toolkit/core 0.1.34 → 0.1.36

package/dist/services/auth.service.js

@@ -92,6 +92,7 @@ class AuthService {
     accountLockoutStorage;
     config;
     logger;
+    hookRegistry;
     auditService;
     phoneVerificationService;
     mfaService;
@@ -105,7 +106,7 @@ class AuthService {
     challengeSessionRepository;
     authAuditRepository;
     trustedDeviceRepository;
-    constructor(userRepository, loginAttemptRepository, passwordService, jwtService, sessionService, challengeService, challengeHelper, emailVerificationService, clientInfoService, accountLockoutStorage, config, logger, auditService, // Optional - audit trail service (enabled via config.auditLogs.enabled)
+    constructor(userRepository, loginAttemptRepository, passwordService, jwtService, sessionService, challengeService, challengeHelper, emailVerificationService, clientInfoService, accountLockoutStorage, config, logger, hookRegistry, auditService, // Optional - audit trail service (enabled via config.auditLogs.enabled)
     phoneVerificationService, // Optional - only available when SMS provider is configured
     mfaService, // Optional - available when MFA modules are imported
     mfaDeviceRepository, // Optional - available when MFA modules are imported
@@ -130,6 +131,7 @@ class AuthService {
         this.accountLockoutStorage = accountLockoutStorage;
         this.config = config;
         this.logger = logger;
+        this.hookRegistry = hookRegistry;
         this.auditService = auditService;
         this.phoneVerificationService = phoneVerificationService;
         this.mfaService = mfaService;
@@ -224,6 +226,12 @@ class AuthService {
         }
         // Hash password
         const passwordHash = await this.passwordService.hashPassword(dto.password);
+        // ============================================================================
+        // Lifecycle Hook: preSignup
+        // ============================================================================
+        // Execute preSignup hook before user creation
+        // Hook can throw NAuthException with PRESIGNUP_FAILED to block signup with custom message
+        await this.hookRegistry.executePreSignup(dto, 'password', undefined, false);
         // Determine verification requirements based on verification method
         const verificationMethod = this.config.signup?.verificationMethod;
         // Validate required fields based on verification method
@@ -314,10 +322,15 @@ class AuthService {
         // All verification codes are sent when challenges are created (in AuthChallengeHelperService.createChallengeResponse)
         // This ensures proper sequential flow: email code first, then phone code after email is verified
         // This prevents user confusion from receiving multiple codes at once
-        // Execute afterSignup hook if configured
-        if (this.config.hooks?.afterSignup) {
-            await this.config.hooks.afterSignup(savedUser, { requiresVerification: verificationMethod !== 'none' });
-        }
+        // ============================================================================
+        // Lifecycle Hook: afterSignup
+        // ============================================================================
+        // Execute afterSignup hook immediately after account creation (non-blocking)
+        await this.hookRegistry.executeAfterSignup(savedUser, {
+            requiresVerification: verificationMethod !== 'none',
+            signupType: 'password',
+            adminSignup: false,
+        });
         // ============================================================================
         // Challenge System: Determine if user needs to complete challenges
         // ============================================================================
@@ -441,6 +454,12 @@ class AuthService {
             // Hash password
             passwordHash = await this.passwordService.hashPassword(dto.password);
         }
+        // ============================================================================
+        // Lifecycle Hook: preSignup
+        // ============================================================================
+        // Execute preSignup hook before user creation (admin signup)
+        // Hook can throw NAuthException with PRESIGNUP_FAILED to block signup with custom message
+        await this.hookRegistry.executePreSignup(dto, 'password', undefined, true);
         // Create user with override flags
         this.logger?.debug?.(`Creating admin user record for: ${dto.email} || ${dto.username} || ${dto.phone} (isEmailVerified: ${dto.isEmailVerified || false}, isPhoneVerified: ${dto.isPhoneVerified || false})`);
         const user = this.userRepository.create({
@@ -521,6 +540,14 @@ class AuthService {
             this.logger?.error?.(`Admin signup failed - database error: ${errorMessage}`);
             throw error;
         }
+        // ============================================================================
+        // Lifecycle Hook: afterSignup
+        // ============================================================================
+        // Execute afterSignup hook immediately after account creation (non-blocking)
+        await this.hookRegistry.executeAfterSignup(savedUser, {
+            signupType: 'password',
+            adminSignup: true,
+        });
         // No tokens, no challenge system, no verification emails - pure user creation
         // Return sanitized user object (excludes passwordHash and other sensitive fields)
         const userDto = user_response_dto_1.UserResponseDto.fromEntity(savedUser);
@@ -648,6 +675,21 @@ class AuthService {
             // Social-only user: no password (NULL in database)
             passwordHash = null;
         }
+        // ============================================================================
+        // Lifecycle Hook: preSignup
+        // ============================================================================
+        // Execute preSignup hook before user creation (admin social signup)
+        // Hook can throw NAuthException with PRESIGNUP_FAILED to block signup with custom message
+        // Convert AdminSignupSocialDTO to profile-like structure for hook
+        const profileData = {
+            email: dto.email,
+            id: dto.providerId,
+            firstName: dto.firstName,
+            lastName: dto.lastName,
+            verified: true, // Admin signup always has verified email
+            raw: dto.socialMetadata,
+        };
+        await this.hookRegistry.executePreSignup(profileData, 'social', dto.provider, true);
         // Create user with override flags
         // Note: Email is always verified for social imports (like normal social signup)
         this.logger?.debug?.(`Creating admin social user record for: ${dto.email} || ${dto.username} || ${dto.phone} (isEmailVerified: true [auto-verified for social], isPhoneVerified: ${dto.isPhoneVerified || false})`);
@@ -680,6 +722,15 @@ class AuthService {
             savedUser.hasSocialAuth = true;
             savedUser.socialProviders = [dto.provider];
             // ============================================================================
+            // Lifecycle Hook: afterSignup
+            // ============================================================================
+            // Execute afterSignup hook immediately after account creation (non-blocking)
+            await this.hookRegistry.executeAfterSignup(savedUser, {
+                signupType: 'social',
+                provider: dto.provider,
+                adminSignup: true,
+            });
+            // ============================================================================
             // Audit: Record account creation by admin (social import)
             // ============================================================================
             try {
@@ -1868,18 +1919,10 @@ class AuthService {
             }
         }
         // ============================================================================
-        // Lifecycle Hook: afterLogin
+        // Lifecycle Hook: afterLogin (TODO: Implement provider-based hook)
         // ============================================================================
-        if (this.config.hooks?.afterLogin) {
-            try {
-                await this.config.hooks.afterLogin(user, session);
-            }
-            catch (hookError) {
-                const errorMessage = hookError instanceof Error ? hookError.message : 'Unknown error';
-                // Non-blocking: auth succeeded; hook errors should not break login
-                this.logger?.error?.(`afterLogin hook failed (continuing): ${errorMessage}`, { error: hookError });
-            }
-        }
+        // TODO: Implement provider-based hook for afterLogin
+        // await this.hookRegistry.executeAfterLogin(user, session);
         // ============================================================================
         // Trusted Device Token Management (Remember Device Feature)
         // ============================================================================
@@ -3521,22 +3564,24 @@ class AuthService {
         if (!user || !user.passwordHash) {
             throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.NOT_FOUND, 'User not found');
         }
-        // Execute beforePasswordChange hook (use sub for external API)
-        if (this.config.hooks?.beforePasswordChange) {
-            const result = await this.config.hooks.beforePasswordChange(dto.sub, dto.oldPassword);
-            if (result === false) {
-                throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.PASSWORD_CHANGE_NOT_ALLOWED, 'Password change not allowed');
-            }
-        }
+        // ============================================================================
+        // Lifecycle Hook: beforePasswordChange (TODO: Implement provider-based hook)
+        // ============================================================================
+        // TODO: Implement provider-based hook for beforePasswordChange
+        // const allowed = await this.hookRegistry.executeBeforePasswordChange(dto.sub, dto.oldPassword);
+        // if (!allowed) {
+        //   throw new NAuthException(AuthErrorCode.PASSWORD_CHANGE_NOT_ALLOWED, 'Password change not allowed');
+        // }
         // Verify old password
         const isValid = await this.passwordService.verifyPassword(dto.oldPassword, user.passwordHash);
         if (!isValid) {
             throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.PASSWORD_INCORRECT, 'Current password is incorrect');
         }
-        // Execute afterPasswordChange hook (use sub for external API)
-        if (this.config.hooks?.afterPasswordChange) {
-            await this.config.hooks.afterPasswordChange(dto.sub);
-        }
+        // ============================================================================
+        // Lifecycle Hook: afterPasswordChange (TODO: Implement provider-based hook)
+        // ============================================================================
+        // TODO: Implement provider-based hook for afterPasswordChange
+        // await this.hookRegistry.executeAfterPasswordChange(dto.sub);
         await this.updateUserPassword({
             user,
             newPassword: dto.newPassword,
@@ -4124,18 +4169,10 @@ class AuthService {
             }
         }
         // ============================================================================
-        // Lifecycle Hook: afterLoginFailed
+        // Lifecycle Hook: afterLoginFailed (TODO: Implement provider-based hook)
         // ============================================================================
-        if (this.config.hooks?.afterLoginFailed) {
-            try {
-                await this.config.hooks.afterLoginFailed(identifier, reason || 'unknown');
-            }
-            catch (hookError) {
-                const errorMessage = hookError instanceof Error ? hookError.message : 'Unknown error';
-                // Non-blocking: login already failed; do not throw
-                this.logger?.error?.(`afterLoginFailed hook failed (continuing): ${errorMessage}`, { error: hookError });
-            }
-        }
+        // TODO: Implement provider-based hook for afterLoginFailed
+        // await this.hookRegistry.executeAfterLoginFailed(identifier, reason || 'unknown');
     }
     /**
      * Records a login attempt with client context.