@nauth-toolkit/core 0.1.35 → 0.1.37

package/dist/services/auth.service.js

@@ -48,6 +48,7 @@ const login_dto_1 = require("../dto/login.dto");
 const change_password_request_dto_1 = require("../dto/change-password-request.dto");
 const update_user_attributes_request_dto_1 = require("../dto/update-user-attributes-request.dto");
 const user_response_dto_1 = require("../dto/user-response.dto");
+const auth_response_dto_1 = require("../dto/auth-response.dto");
 const auth_challenge_dto_1 = require("../dto/auth-challenge.dto");
 const respond_challenge_dto_1 = require("../dto/respond-challenge.dto");
 const get_user_by_email_dto_1 = require("../dto/get-user-by-email.dto");
@@ -92,6 +93,7 @@ class AuthService {
     accountLockoutStorage;
     config;
     logger;
+    hookRegistry;
     auditService;
     phoneVerificationService;
     mfaService;
@@ -105,7 +107,7 @@ class AuthService {
     challengeSessionRepository;
     authAuditRepository;
     trustedDeviceRepository;
-    constructor(userRepository, loginAttemptRepository, passwordService, jwtService, sessionService, challengeService, challengeHelper, emailVerificationService, clientInfoService, accountLockoutStorage, config, logger, auditService, // Optional - audit trail service (enabled via config.auditLogs.enabled)
+    constructor(userRepository, loginAttemptRepository, passwordService, jwtService, sessionService, challengeService, challengeHelper, emailVerificationService, clientInfoService, accountLockoutStorage, config, logger, hookRegistry, auditService, // Optional - audit trail service (enabled via config.auditLogs.enabled)
     phoneVerificationService, // Optional - only available when SMS provider is configured
     mfaService, // Optional - available when MFA modules are imported
     mfaDeviceRepository, // Optional - available when MFA modules are imported
@@ -130,6 +132,7 @@ class AuthService {
         this.accountLockoutStorage = accountLockoutStorage;
         this.config = config;
         this.logger = logger;
+        this.hookRegistry = hookRegistry;
         this.auditService = auditService;
         this.phoneVerificationService = phoneVerificationService;
         this.mfaService = mfaService;
@@ -229,20 +232,7 @@ class AuthService {
         // ============================================================================
         // Execute preSignup hook before user creation
         // Hook can throw NAuthException with PRESIGNUP_FAILED to block signup with custom message
-        if (this.config.hooks?.preSignup) {
-            try {
-                await this.config.hooks.preSignup(dto, 'password', undefined, false);
-            }
-            catch (hookError) {
-                // If hook throws NAuthException with PRESIGNUP_FAILED, re-throw it
-                if (hookError instanceof nauth_exception_1.NAuthException && hookError.code === error_codes_enum_1.AuthErrorCode.PRESIGNUP_FAILED) {
-                    throw hookError;
-                }
-                // For other errors, wrap in PRESIGNUP_FAILED
-                const errorMessage = hookError instanceof Error ? hookError.message : 'Pre-signup validation failed';
-                throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.PRESIGNUP_FAILED, errorMessage);
-            }
-        }
+        await this.hookRegistry.executePreSignup(dto, 'password', undefined, false);
         // Determine verification requirements based on verification method
         const verificationMethod = this.config.signup?.verificationMethod;
         // Validate required fields based on verification method
@@ -333,20 +323,23 @@ class AuthService {
         // All verification codes are sent when challenges are created (in AuthChallengeHelperService.createChallengeResponse)
         // This ensures proper sequential flow: email code first, then phone code after email is verified
         // This prevents user confusion from receiving multiple codes at once
-        // Execute afterSignup hook if configured
-        // Called immediately after account creation, before challenges are created
-        if (this.config.hooks?.afterSignup) {
-            try {
-                await this.config.hooks.afterSignup(savedUser, {
-                    requiresVerification: verificationMethod !== 'none',
-                    signupType: 'password',
-                });
-            }
-            catch (hookError) {
-                // Non-blocking: auth succeeded; hook errors should not break signup
-                const errorMessage = hookError instanceof Error ? hookError.message : 'Unknown error';
-                this.logger?.error?.(`afterSignup hook failed (continuing): ${errorMessage}`, { error: hookError });
-            }
+        // ============================================================================
+        // Lifecycle Hook: postSignup
+        // ============================================================================
+        // Execute postSignup hook immediately after account creation (non-blocking)
+        await this.hookRegistry.executePostSignup(savedUser, {
+            requiresVerification: verificationMethod !== 'none',
+            signupType: 'password',
+            adminSignup: false,
+        });
+        // ============================================================================
+        // refresh user data in case post signup hook has modified the user
+        // ============================================================================
+        const refreshedUser = await this.userRepository.findOne({
+            where: { id: savedUser.id },
+        });
+        if (refreshedUser) {
+            savedUser = refreshedUser;
         }
         // ============================================================================
         // Challenge System: Determine if user needs to complete challenges
@@ -476,20 +469,7 @@ class AuthService {
         // ============================================================================
         // Execute preSignup hook before user creation (admin signup)
         // Hook can throw NAuthException with PRESIGNUP_FAILED to block signup with custom message
-        if (this.config.hooks?.preSignup) {
-            try {
-                await this.config.hooks.preSignup(dto, 'password', undefined, true);
-            }
-            catch (hookError) {
-                // If hook throws NAuthException with PRESIGNUP_FAILED, re-throw it
-                if (hookError instanceof nauth_exception_1.NAuthException && hookError.code === error_codes_enum_1.AuthErrorCode.PRESIGNUP_FAILED) {
-                    throw hookError;
-                }
-                // For other errors, wrap in PRESIGNUP_FAILED
-                const errorMessage = hookError instanceof Error ? hookError.message : 'Pre-signup validation failed';
-                throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.PRESIGNUP_FAILED, errorMessage);
-            }
-        }
+        await this.hookRegistry.executePreSignup(dto, 'password', undefined, true);
         // Create user with override flags
         this.logger?.debug?.(`Creating admin user record for: ${dto.email} || ${dto.username} || ${dto.phone} (isEmailVerified: ${dto.isEmailVerified || false}, isPhoneVerified: ${dto.isPhoneVerified || false})`);
         const user = this.userRepository.create({
@@ -570,6 +550,14 @@ class AuthService {
             this.logger?.error?.(`Admin signup failed - database error: ${errorMessage}`);
             throw error;
         }
+        // ============================================================================
+        // Lifecycle Hook: afterSignup
+        // ============================================================================
+        // Execute afterSignup hook immediately after account creation (non-blocking)
+        await this.hookRegistry.executePostSignup(savedUser, {
+            signupType: 'password',
+            adminSignup: true,
+        });
         // No tokens, no challenge system, no verification emails - pure user creation
         // Return sanitized user object (excludes passwordHash and other sensitive fields)
         const userDto = user_response_dto_1.UserResponseDto.fromEntity(savedUser);
@@ -702,29 +690,16 @@ class AuthService {
         // ============================================================================
         // Execute preSignup hook before user creation (admin social signup)
         // Hook can throw NAuthException with PRESIGNUP_FAILED to block signup with custom message
-        if (this.config.hooks?.preSignup) {
-            try {
-                // Convert AdminSignupSocialDTO to OAuthUserProfile-like structure for hook
-                const profileData = {
-                    email: dto.email,
-                    id: dto.providerId,
-                    firstName: dto.firstName,
-                    lastName: dto.lastName,
-                    verified: true, // Admin signup always has verified email
-                    raw: dto.socialMetadata,
-                };
-                await this.config.hooks.preSignup(profileData, 'social', dto.provider, true);
-            }
-            catch (hookError) {
-                // If hook throws NAuthException with PRESIGNUP_FAILED, re-throw it
-                if (hookError instanceof nauth_exception_1.NAuthException && hookError.code === error_codes_enum_1.AuthErrorCode.PRESIGNUP_FAILED) {
-                    throw hookError;
-                }
-                // For other errors, wrap in PRESIGNUP_FAILED
-                const errorMessage = hookError instanceof Error ? hookError.message : 'Pre-signup validation failed';
-                throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.PRESIGNUP_FAILED, errorMessage);
-            }
-        }
+        // Convert AdminSignupSocialDTO to profile-like structure for hook
+        const profileData = {
+            email: dto.email,
+            id: dto.providerId,
+            firstName: dto.firstName,
+            lastName: dto.lastName,
+            verified: true, // Admin signup always has verified email
+            raw: dto.socialMetadata,
+        };
+        await this.hookRegistry.executePreSignup(profileData, 'social', dto.provider, true);
         // Create user with override flags
         // Note: Email is always verified for social imports (like normal social signup)
         this.logger?.debug?.(`Creating admin social user record for: ${dto.email} || ${dto.username} || ${dto.phone} (isEmailVerified: true [auto-verified for social], isPhoneVerified: ${dto.isPhoneVerified || false})`);
@@ -759,23 +734,12 @@ class AuthService {
             // ============================================================================
             // Lifecycle Hook: afterSignup
             // ============================================================================
-            // Execute afterSignup hook immediately after account creation, before returning response
-            // This allows consumer apps to perform actions like welcome emails, external system sync, etc.
-            // Called for both normal and social signups, with metadata indicating signup type
-            if (this.config.hooks?.afterSignup) {
-                try {
-                    await this.config.hooks.afterSignup(savedUser, {
-                        requiresVerification: !savedUser.isEmailVerified || !savedUser.isPhoneVerified,
-                        signupType: 'social',
-                        provider: dto.provider,
-                    });
-                }
-                catch (hookError) {
-                    // Non-blocking: auth succeeded; hook errors should not break signup
-                    const errorMessage = hookError instanceof Error ? hookError.message : 'Unknown error';
-                    this.logger?.error?.(`afterSignup hook failed (continuing): ${errorMessage}`, { error: hookError });
-                }
-            }
+            // Execute afterSignup hook immediately after account creation (non-blocking)
+            await this.hookRegistry.executePostSignup(savedUser, {
+                signupType: 'social',
+                provider: dto.provider,
+                adminSignup: true,
+            });
             // ============================================================================
             // Audit: Record account creation by admin (social import)
             // ============================================================================
@@ -1965,18 +1929,10 @@ class AuthService {
             }
         }
         // ============================================================================
-        // Lifecycle Hook: afterLogin
+        // Lifecycle Hook: afterLogin (TODO: Implement provider-based hook)
         // ============================================================================
-        if (this.config.hooks?.afterLogin) {
-            try {
-                await this.config.hooks.afterLogin(user, session);
-            }
-            catch (hookError) {
-                const errorMessage = hookError instanceof Error ? hookError.message : 'Unknown error';
-                // Non-blocking: auth succeeded; hook errors should not break login
-                this.logger?.error?.(`afterLogin hook failed (continuing): ${errorMessage}`, { error: hookError });
-            }
-        }
+        // TODO: Implement provider-based hook for afterLogin
+        // await this.hookRegistry.executeAfterLogin(user, session);
         // ============================================================================
         // Trusted Device Token Management (Remember Device Feature)
         // ============================================================================
@@ -2015,19 +1971,8 @@ class AuthService {
         // Note: deviceToken inclusion in response body is handled by CookieTokenInterceptor
         // which checks route-level @TokenDelivery decorator and global config
         // to decide whether to set as cookie and/or strip from body
-        const userDto = user_response_dto_1.UserResponseDto.fromEntity(user);
         const authResponse = {
-            user: {
-                sub: userDto.sub,
-                email: userDto.email,
-                firstName: userDto.firstName,
-                lastName: userDto.lastName,
-                phone: userDto.phone ?? undefined,
-                isEmailVerified: userDto.isEmailVerified,
-                isPhoneVerified: userDto.isPhoneVerified ?? undefined,
-                socialProviders: userDto.socialProviders && userDto.socialProviders.length > 0 ? userDto.socialProviders : undefined,
-                hasPasswordHash: userDto.hasPasswordHash,
-            },
+            user: (0, auth_response_dto_1.toAuthResponseUser)(user),
             accessToken: tokens.accessToken,
             refreshToken: tokens.refreshToken,
             accessTokenExpiresAt: accessTokenValidation.payload?.exp || 0,
@@ -3618,22 +3563,24 @@ class AuthService {
         if (!user || !user.passwordHash) {
             throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.NOT_FOUND, 'User not found');
         }
-        // Execute beforePasswordChange hook (use sub for external API)
-        if (this.config.hooks?.beforePasswordChange) {
-            const result = await this.config.hooks.beforePasswordChange(dto.sub, dto.oldPassword);
-            if (result === false) {
-                throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.PASSWORD_CHANGE_NOT_ALLOWED, 'Password change not allowed');
-            }
-        }
+        // ============================================================================
+        // Lifecycle Hook: beforePasswordChange (TODO: Implement provider-based hook)
+        // ============================================================================
+        // TODO: Implement provider-based hook for beforePasswordChange
+        // const allowed = await this.hookRegistry.executeBeforePasswordChange(dto.sub, dto.oldPassword);
+        // if (!allowed) {
+        //   throw new NAuthException(AuthErrorCode.PASSWORD_CHANGE_NOT_ALLOWED, 'Password change not allowed');
+        // }
         // Verify old password
         const isValid = await this.passwordService.verifyPassword(dto.oldPassword, user.passwordHash);
         if (!isValid) {
             throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.PASSWORD_INCORRECT, 'Current password is incorrect');
         }
-        // Execute afterPasswordChange hook (use sub for external API)
-        if (this.config.hooks?.afterPasswordChange) {
-            await this.config.hooks.afterPasswordChange(dto.sub);
-        }
+        // ============================================================================
+        // Lifecycle Hook: afterPasswordChange (TODO: Implement provider-based hook)
+        // ============================================================================
+        // TODO: Implement provider-based hook for afterPasswordChange
+        // await this.hookRegistry.executeAfterPasswordChange(dto.sub);
         await this.updateUserPassword({
             user,
             newPassword: dto.newPassword,
@@ -4221,18 +4168,10 @@ class AuthService {
             }
         }
         // ============================================================================
-        // Lifecycle Hook: afterLoginFailed
+        // Lifecycle Hook: afterLoginFailed (TODO: Implement provider-based hook)
         // ============================================================================
-        if (this.config.hooks?.afterLoginFailed) {
-            try {
-                await this.config.hooks.afterLoginFailed(identifier, reason || 'unknown');
-            }
-            catch (hookError) {
-                const errorMessage = hookError instanceof Error ? hookError.message : 'Unknown error';
-                // Non-blocking: login already failed; do not throw
-                this.logger?.error?.(`afterLoginFailed hook failed (continuing): ${errorMessage}`, { error: hookError });
-            }
-        }
+        // TODO: Implement provider-based hook for afterLoginFailed
+        // await this.hookRegistry.executeAfterLoginFailed(identifier, reason || 'unknown');
     }
     /**
      * Records a login attempt with client context.