@nauth-toolkit/core 0.1.6 → 0.1.9

package/dist/services/auth.service.js

@@ -45,6 +45,7 @@ const verify_phone_by_sub_dto_1 = require("../dto/verify-phone-by-sub.dto");
 const nauth_exception_1 = require("../exceptions/nauth.exception");
 const error_codes_enum_1 = require("../enums/error-codes.enum");
 const mfa_method_enum_1 = require("../enums/mfa-method.enum");
+const class_validator_1 = require("class-validator");
 const crypto = __importStar(require("crypto"));
 const DUMMY_ARGON2_HASH = '$argon2id$v=19$m=65536,t=3,p=4$RFVNTVlfU0FMVF9GT1JfVElNSU5H$dummyhashfordummyhashfordummyhash1234567890';
 class AuthService {
@@ -65,7 +66,8 @@ class AuthService {
     mfaService;
     mfaDeviceRepository;
     trustedDeviceService;
-    constructor(userRepository, loginAttemptRepository, passwordService, jwtService, sessionService, challengeService, challengeHelper, emailVerificationService, clientInfoService, accountLockoutStorage, config, logger, auditService, phoneVerificationService, mfaService, mfaDeviceRepository, trustedDeviceService) {
+    passwordResetService;
+    constructor(userRepository, loginAttemptRepository, passwordService, jwtService, sessionService, challengeService, challengeHelper, emailVerificationService, clientInfoService, accountLockoutStorage, config, logger, auditService, phoneVerificationService, mfaService, mfaDeviceRepository, trustedDeviceService, passwordResetService) {
         this.userRepository = userRepository;
         this.loginAttemptRepository = loginAttemptRepository;
         this.passwordService = passwordService;
@@ -83,6 +85,7 @@ class AuthService {
         this.mfaService = mfaService;
         this.mfaDeviceRepository = mfaDeviceRepository;
         this.trustedDeviceService = trustedDeviceService;
+        this.passwordResetService = passwordResetService;
         this.logger?.log?.('AuthService initialized');
     }
     async signup(dto) {
@@ -427,7 +430,7 @@ class AuthService {
                     }
                 }
             }
-            catch (error) {
+            catch {
                 this.logger?.debug?.('Failed to extract sessionId/deviceId from token for audit');
             }
             const isTrustedDevice = response.trusted || false;
@@ -1150,31 +1153,19 @@ class AuthService {
             throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.CHALLENGE_INVALID, 'User not found in challenge session');
         }
         this.logger?.log?.(`Changing password for user: ${user.sub}`);
-        const validation = await this.passwordService.validatePassword(newPassword, {
-            email: user.email,
-            username: user.username || undefined,
+        await this.updateUserPassword({
+            user,
+            newPassword,
+            mustChangePassword: false,
+            revokeSessions: true,
+            revokeReason: 'Password changed (force change password)',
+            audit: {
+                eventType: auth_audit_event_type_enum_1.AuthAuditEventType.PASSWORD_CHANGED,
+                eventStatus: 'SUCCESS',
+                reason: 'force_change_password',
+                description: 'Password changed due to FORCE_CHANGE_PASSWORD challenge',
+            },
         });
-        if (!validation.valid) {
-            throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.WEAK_PASSWORD, validation.errors.join(', '), {
-                errors: validation.errors,
-            });
-        }
-        if (this.config.password?.historyCount) {
-            const historyToCheck = user.passwordHistory || [];
-            const allPreviousPasswords = user.passwordHash ? [user.passwordHash, ...historyToCheck] : historyToCheck;
-            const isReused = await this.passwordService.isPasswordInHistory(newPassword, allPreviousPasswords);
-            if (isReused) {
-                throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.PASSWORD_REUSED, 'You have used this password recently. Please choose a different password.');
-            }
-        }
-        const newHash = await this.passwordService.hashPassword(newPassword);
-        const newHistory = this.passwordService.addToHistory(user.passwordHistory || [], user.passwordHash);
-        user.passwordHash = newHash;
-        user.passwordChangedAt = new Date();
-        user.passwordHistory = newHistory;
-        user.mustChangePassword = false;
-        await this.userRepository.save(user);
-        this.logger?.log?.(`Password changed successfully for user: ${user.sub}`);
         await this.challengeService.validateAndConsumeSession(challengeSession.sessionToken, auth_challenge_dto_1.AuthChallenge.FORCE_CHANGE_PASSWORD);
         const updatedUser = await this.userRepository.findOne({ where: { sub: user.sub } });
         if (!updatedUser) {
@@ -1864,47 +1855,20 @@ class AuthService {
         if (!isValid) {
             throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.PASSWORD_INCORRECT, 'Current password is incorrect');
         }
-        const validation = await this.passwordService.validatePassword(dto.newPassword, {
-            email: user.email,
-            username: user.username || undefined,
-        });
-        if (!validation.valid) {
-            throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.WEAK_PASSWORD, validation.errors.join(', '), {
-                errors: validation.errors,
-            });
-        }
-        if (this.config.password?.historyCount) {
-            const historyToCheck = user.passwordHistory || [];
-            const allPreviousPasswords = user.passwordHash ? [user.passwordHash, ...historyToCheck] : historyToCheck;
-            const isReused = await this.passwordService.isPasswordInHistory(dto.newPassword, allPreviousPasswords);
-            if (isReused) {
-                throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.PASSWORD_REUSED, 'You have used this password recently. Please choose a different password.');
-            }
-        }
-        const newHash = await this.passwordService.hashPassword(dto.newPassword);
-        const newHistory = this.passwordService.addToHistory(user.passwordHistory || [], user.passwordHash);
-        user.passwordHash = newHash;
-        user.passwordChangedAt = new Date();
-        user.passwordHistory = newHistory;
-        await this.userRepository.save(user);
         if (this.config.hooks?.afterPasswordChange) {
             await this.config.hooks.afterPasswordChange(dto.sub);
         }
-        await this.sessionService.revokeAllUserSessions(user.id, 'Password changed');
-        try {
-            await this.auditService?.recordEvent({
-                userId: user.id,
+        await this.updateUserPassword({
+            user,
+            newPassword: dto.newPassword,
+            mustChangePassword: false,
+            revokeSessions: true,
+            revokeReason: 'Password changed',
+            audit: {
                 eventType: auth_audit_event_type_enum_1.AuthAuditEventType.PASSWORD_CHANGED,
                 eventStatus: 'SUCCESS',
-            });
-        }
-        catch (auditError) {
-            const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
-            this.logger?.error?.(`Failed to record PASSWORD_CHANGED audit event: ${errorMessage}`, {
-                error: auditError,
-                userId: user.id,
-            });
-        }
+            },
+        });
         return { success: true };
     }
     async updateUserAttributes(dto) {
@@ -2351,6 +2315,220 @@ class AuthService {
         this.logger?.log?.(`Must-change-password flag set for user: ${dto.userId}`);
         return { success: true };
     }
+    async adminSetPassword(dto) {
+        this.logger?.log?.(`Admin password reset requested for identifier: ${dto.identifier}`);
+        this.logger?.debug?.(`Reset details: { identifier: ${dto.identifier}, mustChangePassword: ${dto.mustChangePassword ?? true}, revokeSessions: ${dto.revokeSessions ?? true} }`);
+        let user = null;
+        if ((0, class_validator_1.isUUID)(dto.identifier)) {
+            this.logger?.debug?.(`Identifier appears to be UUID, searching by sub: ${dto.identifier}`);
+            user = (await this.userRepository.findOne({ where: { sub: dto.identifier } }));
+        }
+        if (!user) {
+            this.logger?.debug?.(`Searching by identifier (email/username/phone): ${dto.identifier}`);
+            user = await this.findUserByIdentifier(dto.identifier);
+        }
+        if (!user) {
+            this.logger?.warn?.(`Password reset failed - user not found: ${dto.identifier}`);
+            throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.NOT_FOUND, 'User not found');
+        }
+        if (!user.passwordHash) {
+            this.logger?.warn?.(`Password reset failed - user doesn't have a password (pure social signup): ${user.sub}`);
+            throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.PASSWORD_CHANGE_NOT_ALLOWED, 'Password reset not available. This account uses social authentication only and has no password.');
+        }
+        const mustChangePassword = dto.mustChangePassword ?? true;
+        const revokeSessions = dto.revokeSessions !== false;
+        const { sessionsRevoked } = await this.updateUserPassword({
+            user,
+            newPassword: dto.newPassword,
+            mustChangePassword,
+            revokeSessions,
+            revokeReason: 'Password reset by administrator',
+            audit: {
+                eventType: auth_audit_event_type_enum_1.AuthAuditEventType.PASSWORD_RESET_COMPLETED,
+                eventStatus: 'SUCCESS',
+                reason: 'admin_reset',
+                description: 'Password reset by administrator',
+                metadata: {
+                    identifier: dto.identifier,
+                    mustChangePassword,
+                },
+            },
+        });
+        return {
+            success: true,
+            mustChangePassword,
+            sessionsRevoked,
+        };
+    }
+    async forgotPassword(dto) {
+        const response = { success: true };
+        if (!this.passwordResetService) {
+            this.logger?.warn?.('PasswordResetService not configured; forgotPassword will not send any delivery');
+            return response;
+        }
+        if (this.config.login?.identifierType &&
+            !this.validateIdentifierType(dto.identifier, this.config.login.identifierType)) {
+            return response;
+        }
+        const user = await this.findUserByIdentifier(dto.identifier, this.config.login?.identifierType);
+        if (!user) {
+            return response;
+        }
+        if (!user.passwordHash) {
+            this.logger?.warn?.(`Password reset requested for social-only account; ignoring for user: ${user.sub}`);
+            try {
+                await this.auditService?.recordEvent({
+                    userId: user.id,
+                    eventType: auth_audit_event_type_enum_1.AuthAuditEventType.PASSWORD_RESET_REQUESTED,
+                    eventStatus: 'SUSPICIOUS',
+                    authMethod: 'social',
+                    reason: 'forgot_password_social_only',
+                    description: 'Password reset requested for social-only account (ignored)',
+                });
+            }
+            catch (auditError) {
+                const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
+                this.logger?.error?.(`Failed to record PASSWORD_RESET_REQUESTED audit event: ${errorMessage}`, {
+                    error: auditError,
+                    userId: user.id,
+                });
+            }
+            return response;
+        }
+        const verificationMethod = this.config.signup?.verificationMethod ?? 'email';
+        let delivery;
+        if (verificationMethod === 'none') {
+            if (user.email)
+                delivery = 'email';
+            else if (user.phone)
+                delivery = 'sms';
+        }
+        else if (verificationMethod === 'email') {
+            if (user.isEmailVerified && user.email)
+                delivery = 'email';
+        }
+        else if (verificationMethod === 'phone') {
+            if (user.isPhoneVerified && user.phone)
+                delivery = 'sms';
+        }
+        else if (verificationMethod === 'both') {
+            if (user.isEmailVerified && user.email)
+                delivery = 'email';
+            else if (user.isPhoneVerified && user.phone)
+                delivery = 'sms';
+        }
+        if (!delivery) {
+            return response;
+        }
+        try {
+            const result = await this.passwordResetService.requestReset(user, delivery);
+            response.destination = result.destination;
+            response.deliveryMedium = result.deliveryMedium;
+            response.expiresIn = result.expiresIn;
+        }
+        catch (error) {
+            if (error instanceof nauth_exception_1.NAuthException && error.code === error_codes_enum_1.AuthErrorCode.RATE_LIMIT_PASSWORD_RESET) {
+                throw error;
+            }
+            const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+            this.logger?.error?.(`Failed to send password reset code: ${errorMessage}`, { error });
+        }
+        return response;
+    }
+    async confirmForgotPassword(dto) {
+        if (!this.passwordResetService) {
+            throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.SERVICE_UNAVAILABLE, 'Password reset is not available');
+        }
+        const user = await this.findUserByIdentifier(dto.identifier, this.config.login?.identifierType);
+        if (!user || !user.passwordHash) {
+            throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.PASSWORD_RESET_CODE_INVALID, 'Invalid password reset code');
+        }
+        const { sessionsRevoked: _sessionsRevoked } = await this.updateUserPassword({
+            user,
+            newPassword: dto.newPassword,
+            mustChangePassword: false,
+            revokeSessions: true,
+            revokeReason: 'Password reset',
+            beforePersist: async () => {
+                await this.passwordResetService.consumeValidCode(user, dto.code);
+            },
+            audit: {
+                eventType: auth_audit_event_type_enum_1.AuthAuditEventType.PASSWORD_RESET_COMPLETED,
+                eventStatus: 'SUCCESS',
+                authMethod: 'password',
+                description: 'Password reset completed by user',
+                reason: 'forgot_password',
+            },
+        });
+        return { success: true, mustChangePassword: false };
+    }
+    async updateUserPassword(params) {
+        const { user, newPassword, mustChangePassword, revokeSessions, revokeReason, beforePersist, audit } = params;
+        const userEntity = (await this.userRepository.findOne({ where: { id: user.id } }));
+        if (!userEntity) {
+            throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.NOT_FOUND, 'User not found');
+        }
+        const validation = await this.passwordService.validatePassword(newPassword, {
+            email: userEntity.email,
+            username: userEntity.username || undefined,
+        });
+        if (!validation.valid) {
+            throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.WEAK_PASSWORD, validation.errors.join(', '), {
+                errors: validation.errors,
+            });
+        }
+        if (this.config.password?.historyCount) {
+            const historyToCheck = userEntity.passwordHistory || [];
+            const allPreviousPasswords = userEntity.passwordHash
+                ? [userEntity.passwordHash, ...historyToCheck]
+                : historyToCheck;
+            const isReused = await this.passwordService.isPasswordInHistory(newPassword, allPreviousPasswords);
+            if (isReused) {
+                throw new nauth_exception_1.NAuthException(error_codes_enum_1.AuthErrorCode.PASSWORD_REUSED, 'Cannot reuse a recent password');
+            }
+        }
+        if (beforePersist) {
+            await beforePersist();
+        }
+        const newHash = await this.passwordService.hashPassword(newPassword);
+        const newHistory = userEntity.passwordHash
+            ? this.passwordService.addToHistory(userEntity.passwordHistory || [], userEntity.passwordHash)
+            : userEntity.passwordHistory || [];
+        userEntity.passwordHash = newHash;
+        userEntity.passwordChangedAt = new Date();
+        userEntity.passwordHistory = newHistory;
+        userEntity.mustChangePassword = mustChangePassword;
+        await this.userRepository.save(userEntity);
+        let sessionsRevoked = 0;
+        if (revokeSessions) {
+            sessionsRevoked = await this.sessionService.revokeAllUserSessions(userEntity.id, revokeReason);
+        }
+        if (audit) {
+            try {
+                await this.auditService?.recordEvent({
+                    userId: userEntity.id,
+                    eventType: audit.eventType,
+                    eventStatus: audit.eventStatus,
+                    reason: audit.reason,
+                    description: audit.description,
+                    authMethod: audit.authMethod,
+                    metadata: {
+                        ...audit.metadata,
+                        mustChangePassword,
+                        sessionsRevoked,
+                    },
+                });
+            }
+            catch (auditError) {
+                const errorMessage = auditError instanceof Error ? auditError.message : 'Unknown error';
+                this.logger?.error?.(`Failed to record ${audit.eventType} audit event: ${errorMessage}`, {
+                    error: auditError,
+                    userId: userEntity.id,
+                });
+            }
+        }
+        return { sessionsRevoked };
+    }
 }
 exports.AuthService = AuthService;
 //# sourceMappingURL=auth.service.js.map