@nauth-toolkit/core 0.1.85 → 0.1.87

package/dist/dto/admin-reset-password.dto.d.ts

@@ -166,31 +166,25 @@ export declare class AdminResetPasswordResponseDTO {
 /**
  * Confirm Admin Reset Password DTO
  *
- * User completes admin-initiated password reset with code OR token.
- * Accepts either short code from email/SMS OR long token from link.
+ * User completes admin-initiated password reset with a verification code.
+ *
+ * NOTE:
+ * - Link support is optional, but links carry the same verification `code` as a query parameter
+ *   (e.g., `...?code=123456`) to keep consumer apps consistent (code-only).
  *
  * Security:
- * - One of code or token is required
- * - Token-based: No attempt tracking (single use, long random)
- * - Code-based: Attempt tracking (max 3 attempts)
+ * - Code is required
+ * - Attempt tracking enforced (max attempts configured in password reset service)
  * - Always revokes all sessions on completion
  * - Always sets mustChangePassword flag
  *
  * @example
  * ```typescript
- * // With code (from email/SMS)
  * await authService.confirmAdminResetPassword({
  *   identifier: 'user@example.com',
  *   code: '123456',
  *   newPassword: 'NewSecurePass123!'
  * });
- *
- * // With token (from link)
- * await authService.confirmAdminResetPassword({
- *   identifier: 'user@example.com',
- *   token: '64-char-hex-token-from-link',
- *   newPassword: 'NewSecurePass123!'
- * });
  * ```
  */
 export declare class ConfirmAdminResetPasswordDTO {
@@ -215,7 +209,7 @@ export declare class ConfirmAdminResetPasswordDTO {
      * Validation:
      * - Must be string
      * - Length 6-10 characters
-     * - Optional (token OR code required)
+     * - Required
      *
      * Sanitization:
      * - Trimmed
@@ -224,22 +218,7 @@ export declare class ConfirmAdminResetPasswordDTO {
      *
      * @example "123456"
      */
-    code?: string;
-    /**
-     * Verification token from link (64-char hex)
-     *
-     * Validation:
-     * - Must be string
-     * - Optional (token OR code required)
-     *
-     * Sanitization:
-     * - Trimmed
-     *
-     * WHY: Long token from link, single-use, no attempt tracking needed
-     *
-     * @example "a1b2c3d4..."
-     */
-    token?: string;
+    code: string;
     /**
      * New password
      *

package/dist/dto/admin-reset-password.dto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"admin-reset-password.dto.d.ts","sourceRoot":"","sources":["../../src/dto/admin-reset-password.dto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAkBH;;GAEG;AACH,qBAAa,qBAAqB;IAChC;;;;;;;;;;;;;OAaG;IAgBH,UAAU,EAAG,MAAM,CAAC;IAEpB;;;;;;;;;OASG;IAGH,cAAc,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC;IAEjC;;;;;;;;;;;;;;;;;OAiBG;IAaH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;;;;;;;;;;OAWG;IAKH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;;;;;;;;;;OAYG;IAGH,cAAc,CAAC,EAAE,OAAO,CAAC;IAEzB;;;;;;;;;;;;OAYG;IAUH,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;;;GAeG;AACH,qBAAa,6BAA6B;IACxC;;;OAGG;IACH,OAAO,EAAG,OAAO,CAAC;IAElB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;OAGG;IACH,cAAc,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC;IAEjC;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,qBAAa,4BAA4B;IACvC;;;;;;;;;;;;;OAaG;IAgBH,UAAU,EAAG,MAAM,CAAC;IAEpB;;;;;;;;;;;;;;OAcG;IAUH,IAAI,CAAC,EAAE,MAAM,CAAC;IAEd;;;;;;;;;;;;;OAaG;IASH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;;;;;;;;;;;;;OAcG;IAKH,WAAW,EAAG,MAAM,CAAC;CACtB;AAED;;;;;;;;;;;GAWG;AACH,qBAAa,oCAAoC;IAC/C;;;OAGG;IACH,OAAO,EAAG,OAAO,CAAC;CACnB"}
+{"version":3,"file":"admin-reset-password.dto.d.ts","sourceRoot":"","sources":["../../src/dto/admin-reset-password.dto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAkBH;;GAEG;AACH,qBAAa,qBAAqB;IAChC;;;;;;;;;;;;;OAaG;IAgBH,UAAU,EAAG,MAAM,CAAC;IAEpB;;;;;;;;;OASG;IAGH,cAAc,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC;IAEjC;;;;;;;;;;;;;;;;;OAiBG;IAaH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;;;;;;;;;;OAWG;IAKH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;;;;;;;;;;OAYG;IAGH,cAAc,CAAC,EAAE,OAAO,CAAC;IAEzB;;;;;;;;;;;;OAYG;IAUH,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;;;GAeG;AACH,qBAAa,6BAA6B;IACxC;;;OAGG;IACH,OAAO,EAAG,OAAO,CAAC;IAElB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;OAGG;IACH,cAAc,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC;IAEjC;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,qBAAa,4BAA4B;IACvC;;;;;;;;;;;;;OAaG;IAgBH,UAAU,EAAG,MAAM,CAAC;IAEpB;;;;;;;;;;;;;;OAcG;IAUH,IAAI,EAAG,MAAM,CAAC;IAEd;;;;;;;;;;;;;;OAcG;IAKH,WAAW,EAAG,MAAM,CAAC;CACtB;AAED;;;;;;;;;;;GAWG;AACH,qBAAa,oCAAoC;IAC/C;;;OAGG;IACH,OAAO,EAAG,OAAO,CAAC;CACnB"}

package/dist/dto/admin-reset-password.dto.js

@@ -241,31 +241,25 @@ exports.AdminResetPasswordResponseDTO = AdminResetPasswordResponseDTO;
 /**
  * Confirm Admin Reset Password DTO
  *
- * User completes admin-initiated password reset with code OR token.
- * Accepts either short code from email/SMS OR long token from link.
+ * User completes admin-initiated password reset with a verification code.
+ *
+ * NOTE:
+ * - Link support is optional, but links carry the same verification `code` as a query parameter
+ *   (e.g., `...?code=123456`) to keep consumer apps consistent (code-only).
  *
  * Security:
- * - One of code or token is required
- * - Token-based: No attempt tracking (single use, long random)
- * - Code-based: Attempt tracking (max 3 attempts)
+ * - Code is required
+ * - Attempt tracking enforced (max attempts configured in password reset service)
  * - Always revokes all sessions on completion
  * - Always sets mustChangePassword flag
  *
  * @example
  * ```typescript
- * // With code (from email/SMS)
  * await authService.confirmAdminResetPassword({
  *   identifier: 'user@example.com',
  *   code: '123456',
  *   newPassword: 'NewSecurePass123!'
  * });
- *
- * // With token (from link)
- * await authService.confirmAdminResetPassword({
- *   identifier: 'user@example.com',
- *   token: '64-char-hex-token-from-link',
- *   newPassword: 'NewSecurePass123!'
- * });
  * ```
  */
 class ConfirmAdminResetPasswordDTO {
@@ -290,7 +284,7 @@ class ConfirmAdminResetPasswordDTO {
      * Validation:
      * - Must be string
      * - Length 6-10 characters
-     * - Optional (token OR code required)
+     * - Required
      *
      * Sanitization:
      * - Trimmed
@@ -300,21 +294,6 @@ class ConfirmAdminResetPasswordDTO {
      * @example "123456"
      */
     code;
-    /**
-     * Verification token from link (64-char hex)
-     *
-     * Validation:
-     * - Must be string
-     * - Optional (token OR code required)
-     *
-     * Sanitization:
-     * - Trimmed
-     *
-     * WHY: Long token from link, single-use, no attempt tracking needed
-     *
-     * @example "a1b2c3d4..."
-     */
-    token;
     /**
      * New password
      *
@@ -352,8 +331,8 @@ __decorate([
     __metadata("design:type", String)
 ], ConfirmAdminResetPasswordDTO.prototype, "identifier", void 0);
 __decorate([
-    (0, class_validator_1.IsOptional)(),
     (0, class_validator_1.IsString)({ message: 'Code must be a string' }),
+    (0, class_validator_1.IsNotEmpty)({ message: 'Code is required' }),
     (0, class_validator_1.Length)(6, 10, { message: 'Code must be between 6 and 10 characters' }),
     (0, class_transformer_1.Transform)(({ value }) => {
         if (typeof value === 'string') {
@@ -363,17 +342,6 @@ __decorate([
     }),
     __metadata("design:type", String)
 ], ConfirmAdminResetPasswordDTO.prototype, "code", void 0);
-__decorate([
-    (0, class_validator_1.IsOptional)(),
-    (0, class_validator_1.IsString)({ message: 'Token must be a string' }),
-    (0, class_transformer_1.Transform)(({ value }) => {
-        if (typeof value === 'string') {
-            return value.trim();
-        }
-        return value;
-    }),
-    __metadata("design:type", String)
-], ConfirmAdminResetPasswordDTO.prototype, "token", void 0);
 __decorate([
     (0, class_validator_1.IsString)({ message: 'New password must be a string' }),
     (0, class_validator_1.IsNotEmpty)({ message: 'New password is required' }),

package/dist/dto/admin-reset-password.dto.js.map

@@ -1 +1 @@
-{"version":3,"file":"admin-reset-password.dto.js","sourceRoot":"","sources":["../../src/dto/admin-reset-password.dto.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;;;;;;;;;;;;AAEH,qDAayB;AACzB,yDAA8C;AAE9C;;GAEG;AACH,MAAa,qBAAqB;IAChC;;;;;;;;;;;;;OAaG;IAgBH,UAAU,CAAU;IAEpB;;;;;;;;;OASG;IAGH,cAAc,CAAmB;IAEjC;;;;;;;;;;;;;;;;;OAiBG;IAaH,OAAO,CAAU;IAEjB;;;;;;;;;;;OAWG;IAKH,aAAa,CAAU;IAEvB;;;;;;;;;;;;OAYG;IAGH,cAAc,CAAW;IAEzB;;;;;;;;;;;;OAYG;IAUH,MAAM,CAAU;CACjB;AAxID,sDAwIC;AA1GC;IAfC,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,6BAA6B,EAAE,CAAC;IACpD,IAAA,4BAAU,EAAC,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;IACjD,IAAA,2BAAS,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;IACnD,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,2CAA2C,EAAE,CAAC;IACxE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAsB,EAAE,EAAE;QAC3C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;YAC7B,iDAAiD;YACjD,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC1B,OAAO,OAAO,CAAC,WAAW,EAAE,CAAC;YAC/B,CAAC;YACD,OAAO,OAAO,CAAC;QACjB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;yDACkB;AAcpB;IAFC,IAAA,4BAAU,GAAE;IACZ,IAAA,sBAAI,EAAC,CAAC,OAAO,EAAE,KAAK,CAAC,EAAE,EAAE,OAAO,EAAE,sCAAsC,EAAE,CAAC;;6DAC3C;AAgCjC;IAZC,IAAA,4BAAU,GAAE;IACZ,IAAA,uBAAK,EACJ,EAAE,gBAAgB,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,EAC5E,EAAE,OAAO,EAAE,qDAAqD,EAAE,CACnE;IACA,IAAA,2BAAS,EAAC,IAAI,EAAE,EAAE,OAAO,EAAE,0CAA0C,EAAE,CAAC;IACxE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAsB,EAAE,EAAE;QAC3C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;sDACe;AAkBjB;IAJC,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,EAAC,EAAE,EAAE,EAAE,OAAO,EAAE,8BAA8B,EAAE,CAAC;IACzD,IAAA,qBAAG,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,sDAAsD,EAAE,CAAC;IAC7E,IAAA,qBAAG,EAAC,KAAK,EAAE,EAAE,OAAO,EAAE,sDAAsD,EAAE,CAAC;;4DACzD;AAiBvB;IAFC,IAAA,4BAAU,GAAE;IACZ,IAAA,2BAAS,EAAC,EAAE,OAAO,EAAE,kCAAkC,EAAE,CAAC;;6DAClC;AAwBzB;IATC,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,yBAAyB,EAAE,CAAC;IAChD,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,uCAAuC,EAAE,CAAC;IACpE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAsB,EAAE,EAAE;QAC3C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;qDACc;AAGlB;;;;;;;;;;;;;;;GAeG;AACH,MAAa,6BAA6B;IACxC;;;OAGG;IACH,OAAO,CAAW;IAElB;;;OAGG;IACH,WAAW,CAAU;IAErB;;;OAGG;IACH,cAAc,CAAmB;IAEjC;;;OAGG;IACH,SAAS,CAAU;IAEnB;;;OAGG;IACH,eAAe,CAAU;CAC1B;AA9BD,sEA8BC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAa,4BAA4B;IACvC;;;;;;;;;;;;;OAaG;IAgBH,UAAU,CAAU;IAEpB;;;;;;;;;;;;;;OAcG;IAUH,IAAI,CAAU;IAEd;;;;;;;;;;;;;OAaG;IASH,KAAK,CAAU;IAEf;;;;;;;;;;;;;;OAcG;IAKH,WAAW,CAAU;CACtB;AAtGD,oEAsGC;AAxEC;IAfC,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,6BAA6B,EAAE,CAAC;IACpD,IAAA,4BAAU,EAAC,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;IACjD,IAAA,2BAAS,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;IACnD,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,2CAA2C,EAAE,CAAC;IACxE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAsB,EAAE,EAAE;QAC3C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;YAC7B,iDAAiD;YACjD,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC1B,OAAO,OAAO,CAAC,WAAW,EAAE,CAAC;YAC/B,CAAC;YACD,OAAO,OAAO,CAAC;QACjB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;gEACkB;AA0BpB;IATC,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,uBAAuB,EAAE,CAAC;IAC9C,IAAA,wBAAM,EAAC,CAAC,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,0CAA0C,EAAE,CAAC;IACtE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;0DACY;AAwBd;IARC,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;IAC/C,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;2DACa;AAqBf;IAJC,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC;IACtD,IAAA,4BAAU,EAAC,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC;IACnD,IAAA,2BAAS,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,wCAAwC,EAAE,CAAC;IACnE,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,yCAAyC,EAAE,CAAC;;iEAClD;AAGvB;;;;;;;;;;;GAWG;AACH,MAAa,oCAAoC;IAC/C;;;OAGG;IACH,OAAO,CAAW;CACnB;AAND,oFAMC"}
+{"version":3,"file":"admin-reset-password.dto.js","sourceRoot":"","sources":["../../src/dto/admin-reset-password.dto.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;;;;;;;;;;;;AAEH,qDAayB;AACzB,yDAA8C;AAE9C;;GAEG;AACH,MAAa,qBAAqB;IAChC;;;;;;;;;;;;;OAaG;IAgBH,UAAU,CAAU;IAEpB;;;;;;;;;OASG;IAGH,cAAc,CAAmB;IAEjC;;;;;;;;;;;;;;;;;OAiBG;IAaH,OAAO,CAAU;IAEjB;;;;;;;;;;;OAWG;IAKH,aAAa,CAAU;IAEvB;;;;;;;;;;;;OAYG;IAGH,cAAc,CAAW;IAEzB;;;;;;;;;;;;OAYG;IAUH,MAAM,CAAU;CACjB;AAxID,sDAwIC;AA1GC;IAfC,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,6BAA6B,EAAE,CAAC;IACpD,IAAA,4BAAU,EAAC,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;IACjD,IAAA,2BAAS,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;IACnD,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,2CAA2C,EAAE,CAAC;IACxE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAsB,EAAE,EAAE;QAC3C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;YAC7B,iDAAiD;YACjD,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC1B,OAAO,OAAO,CAAC,WAAW,EAAE,CAAC;YAC/B,CAAC;YACD,OAAO,OAAO,CAAC;QACjB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;yDACkB;AAcpB;IAFC,IAAA,4BAAU,GAAE;IACZ,IAAA,sBAAI,EAAC,CAAC,OAAO,EAAE,KAAK,CAAC,EAAE,EAAE,OAAO,EAAE,sCAAsC,EAAE,CAAC;;6DAC3C;AAgCjC;IAZC,IAAA,4BAAU,GAAE;IACZ,IAAA,uBAAK,EACJ,EAAE,gBAAgB,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,EAC5E,EAAE,OAAO,EAAE,qDAAqD,EAAE,CACnE;IACA,IAAA,2BAAS,EAAC,IAAI,EAAE,EAAE,OAAO,EAAE,0CAA0C,EAAE,CAAC;IACxE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAsB,EAAE,EAAE;QAC3C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;sDACe;AAkBjB;IAJC,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,EAAC,EAAE,EAAE,EAAE,OAAO,EAAE,8BAA8B,EAAE,CAAC;IACzD,IAAA,qBAAG,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,sDAAsD,EAAE,CAAC;IAC7E,IAAA,qBAAG,EAAC,KAAK,EAAE,EAAE,OAAO,EAAE,sDAAsD,EAAE,CAAC;;4DACzD;AAiBvB;IAFC,IAAA,4BAAU,GAAE;IACZ,IAAA,2BAAS,EAAC,EAAE,OAAO,EAAE,kCAAkC,EAAE,CAAC;;6DAClC;AAwBzB;IATC,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,yBAAyB,EAAE,CAAC;IAChD,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,uCAAuC,EAAE,CAAC;IACpE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAsB,EAAE,EAAE;QAC3C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;qDACc;AAGlB;;;;;;;;;;;;;;;GAeG;AACH,MAAa,6BAA6B;IACxC;;;OAGG;IACH,OAAO,CAAW;IAElB;;;OAGG;IACH,WAAW,CAAU;IAErB;;;OAGG;IACH,cAAc,CAAmB;IAEjC;;;OAGG;IACH,SAAS,CAAU;IAEnB;;;OAGG;IACH,eAAe,CAAU;CAC1B;AA9BD,sEA8BC;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAa,4BAA4B;IACvC;;;;;;;;;;;;;OAaG;IAgBH,UAAU,CAAU;IAEpB;;;;;;;;;;;;;;OAcG;IAUH,IAAI,CAAU;IAEd;;;;;;;;;;;;;;OAcG;IAKH,WAAW,CAAU;CACtB;AA9ED,oEA8EC;AAhDC;IAfC,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,6BAA6B,EAAE,CAAC;IACpD,IAAA,4BAAU,EAAC,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;IACjD,IAAA,2BAAS,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;IACnD,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,2CAA2C,EAAE,CAAC;IACxE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAsB,EAAE,EAAE;QAC3C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;YAC7B,iDAAiD;YACjD,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC1B,OAAO,OAAO,CAAC,WAAW,EAAE,CAAC;YAC/B,CAAC;YACD,OAAO,OAAO,CAAC;QACjB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;gEACkB;AA0BpB;IATC,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,uBAAuB,EAAE,CAAC;IAC9C,IAAA,4BAAU,EAAC,EAAE,OAAO,EAAE,kBAAkB,EAAE,CAAC;IAC3C,IAAA,wBAAM,EAAC,CAAC,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,0CAA0C,EAAE,CAAC;IACtE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;0DACY;AAqBd;IAJC,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC;IACtD,IAAA,4BAAU,EAAC,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC;IACnD,IAAA,2BAAS,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,wCAAwC,EAAE,CAAC;IACnE,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,yCAAyC,EAAE,CAAC;;iEAClD;AAGvB;;;;;;;;;;;GAWG;AACH,MAAa,oCAAoC;IAC/C;;;OAGG;IACH,OAAO,CAAW;CACnB;AAND,oFAMC"}

package/dist/dto/get-challenge-data-response.dto.d.ts

@@ -2,15 +2,33 @@
  * Response DTO for getting MFA challenge data
  *
  * Used to return method-specific challenge data during MFA verification.
- * Currently only passkey method requires challenge data (WebAuthn options).
+ * Supports multiple MFA methods:
+ * - Passkey: Returns WebAuthn authentication options (object)
+ * - SMS: Returns masked phone number where code was sent (string)
+ * - Email: Returns masked email address where code was sent (string)
  *
  * @example
  * ```typescript
+ * // Passkey: WebAuthn options
  * const challengeData = await mfaService.getChallengeData({
  *   session: 'challenge-session-token',
  *   method: 'passkey'
  * });
- * // Returns: { publicKey: { challenge: '...', ... } }
+ * // Returns: { challengeData: { publicKey: { challenge: '...', ... } } }
+ *
+ * // SMS: Masked phone number
+ * const challengeData = await mfaService.getChallengeData({
+ *   session: 'challenge-session-token',
+ *   method: 'sms'
+ * });
+ * // Returns: { challengeData: '***-***-1234' }
+ *
+ * // Email: Masked email address
+ * const challengeData = await mfaService.getChallengeData({
+ *   session: 'challenge-session-token',
+ *   method: 'email'
+ * });
+ * // Returns: { challengeData: 'u***r@example.com' }
  * ```
  */
 /**
@@ -20,8 +38,14 @@ export declare class GetChallengeDataResponseDTO {
     /**
      * Provider-specific challenge data
      *
-     * For passkey: WebAuthn public key options
-     * Structure: { publicKey: { challenge: string, allowCredentials: [...], ... } }
+     * Type varies by method:
+     * - Passkey: WebAuthn public key options object
+     *   Structure: { publicKey: { challenge: string, allowCredentials: [...], ... } }
+     * - SMS: Masked phone number string (e.g., '***-***-1234')
+     * - Email: Masked email address string (e.g., 'u***r@example.com')
+     *
+     * Note: Type is `Record<string, unknown>` which accommodates both object and string types.
+     * Frontend should check `typeof challengeData === 'string'` to determine if it's SMS/Email (string) or Passkey (object).
      */
     challengeData: Record<string, unknown>;
 }

package/dist/dto/get-challenge-data-response.dto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"get-challenge-data-response.dto.d.ts","sourceRoot":"","sources":["../../src/dto/get-challenge-data-response.dto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH;;GAEG;AACH,qBAAa,2BAA2B;IACtC;;;;;OAKG;IACH,aAAa,EAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACzC"}
+{"version":3,"file":"get-challenge-data-response.dto.d.ts","sourceRoot":"","sources":["../../src/dto/get-challenge-data-response.dto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH;;GAEG;AACH,qBAAa,2BAA2B;IACtC;;;;;;;;;;;OAWG;IACH,aAAa,EAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACzC"}

package/dist/dto/get-challenge-data-response.dto.js

@@ -3,15 +3,33 @@
  * Response DTO for getting MFA challenge data
  *
  * Used to return method-specific challenge data during MFA verification.
- * Currently only passkey method requires challenge data (WebAuthn options).
+ * Supports multiple MFA methods:
+ * - Passkey: Returns WebAuthn authentication options (object)
+ * - SMS: Returns masked phone number where code was sent (string)
+ * - Email: Returns masked email address where code was sent (string)
  *
  * @example
  * ```typescript
+ * // Passkey: WebAuthn options
  * const challengeData = await mfaService.getChallengeData({
  *   session: 'challenge-session-token',
  *   method: 'passkey'
  * });
- * // Returns: { publicKey: { challenge: '...', ... } }
+ * // Returns: { challengeData: { publicKey: { challenge: '...', ... } } }
+ *
+ * // SMS: Masked phone number
+ * const challengeData = await mfaService.getChallengeData({
+ *   session: 'challenge-session-token',
+ *   method: 'sms'
+ * });
+ * // Returns: { challengeData: '***-***-1234' }
+ *
+ * // Email: Masked email address
+ * const challengeData = await mfaService.getChallengeData({
+ *   session: 'challenge-session-token',
+ *   method: 'email'
+ * });
+ * // Returns: { challengeData: 'u***r@example.com' }
  * ```
  */
 Object.defineProperty(exports, "__esModule", { value: true });
@@ -23,8 +41,14 @@ class GetChallengeDataResponseDTO {
     /**
      * Provider-specific challenge data
      *
-     * For passkey: WebAuthn public key options
-     * Structure: { publicKey: { challenge: string, allowCredentials: [...], ... } }
+     * Type varies by method:
+     * - Passkey: WebAuthn public key options object
+     *   Structure: { publicKey: { challenge: string, allowCredentials: [...], ... } }
+     * - SMS: Masked phone number string (e.g., '***-***-1234')
+     * - Email: Masked email address string (e.g., 'u***r@example.com')
+     *
+     * Note: Type is `Record<string, unknown>` which accommodates both object and string types.
+     * Frontend should check `typeof challengeData === 'string'` to determine if it's SMS/Email (string) or Passkey (object).
      */
     challengeData;
 }

package/dist/dto/get-challenge-data-response.dto.js.map

@@ -1 +1 @@
-{"version":3,"file":"get-challenge-data-response.dto.js","sourceRoot":"","sources":["../../src/dto/get-challenge-data-response.dto.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;;AAEH;;GAEG;AACH,MAAa,2BAA2B;IACtC;;;;;OAKG;IACH,aAAa,CAA2B;CACzC;AARD,kEAQC"}
+{"version":3,"file":"get-challenge-data-response.dto.js","sourceRoot":"","sources":["../../src/dto/get-challenge-data-response.dto.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;;;AAEH;;GAEG;AACH,MAAa,2BAA2B;IACtC;;;;;;;;;;;OAWG;IACH,aAAa,CAA2B;CACzC;AAdD,kEAcC"}

package/dist/dto/get-challenge-data.dto.d.ts

@@ -2,7 +2,10 @@
  * DTO for requesting MFA challenge data
  *
  * Used to get method-specific challenge information during MFA verification.
- * Currently only passkey method requires challenge data (WebAuthn options).
+ * Supports:
+ * - Passkey: Returns WebAuthn authentication options
+ * - SMS: Sends SMS code and returns masked phone number
+ * - Email: Sends email code and returns masked email address
  *
  * Security:
  * - Session token length limited (prevents DoS)
@@ -10,19 +13,36 @@
  *
  * @example
  * ```typescript
+ * // Passkey: Get WebAuthn options
  * const challengeData = await authService.getChallengeData({
  *   session: 'challenge-session-token',
  *   method: 'passkey'
  * });
- * // Returns: { publicKey: { challenge: '...', ... } }
+ * // Returns: { challengeData: { challenge: '...', allowCredentials: [...], ... } }
+ *
+ * // SMS: Send code and get masked phone
+ * const challengeData = await authService.getChallengeData({
+ *   session: 'challenge-session-token',
+ *   method: 'sms'
+ * });
+ * // Returns: { challengeData: '***-***-1234' }
+ *
+ * // Email: Send code and get masked email
+ * const challengeData = await authService.getChallengeData({
+ *   session: 'challenge-session-token',
+ *   method: 'email'
+ * });
+ * // Returns: { challengeData: 'u***r@example.com' }
  * ```
  */
 /**
  * MFA method enum for challenge data
- * Currently only passkey requires challenge data
+ * Supports passkey (WebAuthn options), SMS (sends code), and Email (sends code)
  */
 export declare enum MFAChallengeMethod {
-    PASSKEY = "passkey"
+    PASSKEY = "passkey",
+    SMS = "sms",
+    EMAIL = "email"
 }
 /**
  * DTO for getting MFA challenge data
@@ -47,7 +67,7 @@ export declare class GetChallengeDataDTO {
      * MFA method requiring challenge data
      *
      * Validation:
-     * - Must be 'passkey' (only method that needs challenge data)
+     * - Must be 'passkey' (WebAuthn options), 'sms' (sends code), or 'email' (sends code)
      */
     method: MFAChallengeMethod;
 }

package/dist/dto/get-challenge-data.dto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"get-challenge-data.dto.d.ts","sourceRoot":"","sources":["../../src/dto/get-challenge-data.dto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAKH;;;GAGG;AACH,oBAAY,kBAAkB;IAC5B,OAAO,YAAY;CACpB;AAED;;GAEG;AACH,qBAAa,mBAAmB;IAC9B;;;;;;;;;;;;;OAaG;IAQH,OAAO,EAAG,MAAM,CAAC;IAEjB;;;;;OAKG;IAIH,MAAM,EAAG,kBAAkB,CAAC;CAC7B"}
+{"version":3,"file":"get-challenge-data.dto.d.ts","sourceRoot":"","sources":["../../src/dto/get-challenge-data.dto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AAKH;;;GAGG;AACH,oBAAY,kBAAkB;IAC5B,OAAO,YAAY;IACnB,GAAG,QAAQ;IACX,KAAK,UAAU;CAChB;AAED;;GAEG;AACH,qBAAa,mBAAmB;IAC9B;;;;;;;;;;;;;OAaG;IAQH,OAAO,EAAG,MAAM,CAAC;IAEjB;;;;;OAKG;IAIH,MAAM,EAAG,kBAAkB,CAAC;CAC7B"}

package/dist/dto/get-challenge-data.dto.js

@@ -3,7 +3,10 @@
  * DTO for requesting MFA challenge data
  *
  * Used to get method-specific challenge information during MFA verification.
- * Currently only passkey method requires challenge data (WebAuthn options).
+ * Supports:
+ * - Passkey: Returns WebAuthn authentication options
+ * - SMS: Sends SMS code and returns masked phone number
+ * - Email: Sends email code and returns masked email address
  *
  * Security:
  * - Session token length limited (prevents DoS)
@@ -11,11 +14,26 @@
  *
  * @example
  * ```typescript
+ * // Passkey: Get WebAuthn options
  * const challengeData = await authService.getChallengeData({
  *   session: 'challenge-session-token',
  *   method: 'passkey'
  * });
- * // Returns: { publicKey: { challenge: '...', ... } }
+ * // Returns: { challengeData: { challenge: '...', allowCredentials: [...], ... } }
+ *
+ * // SMS: Send code and get masked phone
+ * const challengeData = await authService.getChallengeData({
+ *   session: 'challenge-session-token',
+ *   method: 'sms'
+ * });
+ * // Returns: { challengeData: '***-***-1234' }
+ *
+ * // Email: Send code and get masked email
+ * const challengeData = await authService.getChallengeData({
+ *   session: 'challenge-session-token',
+ *   method: 'email'
+ * });
+ * // Returns: { challengeData: 'u***r@example.com' }
  * ```
  */
 var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
@@ -33,11 +51,13 @@ const class_validator_1 = require("class-validator");
 const class_transformer_1 = require("class-transformer");
 /**
  * MFA method enum for challenge data
- * Currently only passkey requires challenge data
+ * Supports passkey (WebAuthn options), SMS (sends code), and Email (sends code)
  */
 var MFAChallengeMethod;
 (function (MFAChallengeMethod) {
     MFAChallengeMethod["PASSKEY"] = "passkey";
+    MFAChallengeMethod["SMS"] = "sms";
+    MFAChallengeMethod["EMAIL"] = "email";
 })(MFAChallengeMethod || (exports.MFAChallengeMethod = MFAChallengeMethod = {}));
 /**
  * DTO for getting MFA challenge data
@@ -62,7 +82,7 @@ class GetChallengeDataDTO {
      * MFA method requiring challenge data
      *
      * Validation:
-     * - Must be 'passkey' (only method that needs challenge data)
+     * - Must be 'passkey' (WebAuthn options), 'sms' (sends code), or 'email' (sends code)
      */
     method;
 }
@@ -79,7 +99,7 @@ __decorate([
 ], GetChallengeDataDTO.prototype, "session", void 0);
 __decorate([
     (0, class_validator_1.IsEnum)(MFAChallengeMethod, {
-        message: 'Method must be: passkey',
+        message: 'Method must be: passkey, sms, or email',
     }),
     __metadata("design:type", String)
 ], GetChallengeDataDTO.prototype, "method", void 0);

package/dist/dto/get-challenge-data.dto.js.map

@@ -1 +1 @@
-{"version":3,"file":"get-challenge-data.dto.js","sourceRoot":"","sources":["../../src/dto/get-challenge-data.dto.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;GAkBG;;;;;;;;;;;;AAEH,qDAAiD;AACjD,yDAA8C;AAE9C;;;GAGG;AACH,IAAY,kBAEX;AAFD,WAAY,kBAAkB;IAC5B,yCAAmB,CAAA;AACrB,CAAC,EAFW,kBAAkB,kCAAlB,kBAAkB,QAE7B;AAED;;GAEG;AACH,MAAa,mBAAmB;IAC9B;;;;;;;;;;;;;OAaG;IAQH,OAAO,CAAU;IAEjB;;;;;OAKG;IAIH,MAAM,CAAsB;CAC7B;AAlCD,kDAkCC;AAZC;IAPC,IAAA,wBAAM,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,8CAA8C,EAAE,CAAC;IACxE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACpC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;oDACe;AAWjB;IAHC,IAAA,wBAAM,EAAC,kBAAkB,EAAE;QAC1B,OAAO,EAAE,yBAAyB;KACnC,CAAC;;mDAC0B"}
+{"version":3,"file":"get-challenge-data.dto.js","sourceRoot":"","sources":["../../src/dto/get-challenge-data.dto.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;;;;;;;;;;;;AAEH,qDAAiD;AACjD,yDAA8C;AAE9C;;;GAGG;AACH,IAAY,kBAIX;AAJD,WAAY,kBAAkB;IAC5B,yCAAmB,CAAA;IACnB,iCAAW,CAAA;IACX,qCAAe,CAAA;AACjB,CAAC,EAJW,kBAAkB,kCAAlB,kBAAkB,QAI7B;AAED;;GAEG;AACH,MAAa,mBAAmB;IAC9B;;;;;;;;;;;;;OAaG;IAQH,OAAO,CAAU;IAEjB;;;;;OAKG;IAIH,MAAM,CAAsB;CAC7B;AAlCD,kDAkCC;AAZC;IAPC,IAAA,wBAAM,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,8CAA8C,EAAE,CAAC;IACxE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACpC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;oDACe;AAWjB;IAHC,IAAA,wBAAM,EAAC,kBAAkB,EAAE;QAC1B,OAAO,EAAE,wCAAwC;KAClD,CAAC;;mDAC0B"}

package/dist/dto/set-mfa-exemption.dto.d.ts

@@ -7,7 +7,7 @@
  * @example
  * ```typescript
  * const result = await mfaService.setMFAExemption({
- *   userSub: 'user-uuid',
+ *   identifier: 'user@example.com', // email, username, phone, or user sub (UUID)
  *   exempt: true,
  *   reason: 'Business partner requires MFA bypass',
  *   grantedBy: 'admin@example.com'
@@ -16,22 +16,25 @@
  */
 /**
  * DTO for setting MFA exemption
+ *
+ * SECURITY: This DTO targets an arbitrary user; it must only be accepted by admin-protected APIs.
  */
 export declare class SetMFAExemptionDTO {
     /**
-     * User's unique identifier (UUID v4)
+     * Target user identifier
      *
-     * Validation:
-     * - Must be a valid UUID v4 format
-     * - Matches DB constraint: char(36) or uuid
+     * Can be any supported identifier:
+     * - user sub (UUID)
+     * - email
+     * - username
+     * - phone (E.164)
      *
      * Sanitization:
      * - Trimmed
-     * - Lowercased for consistency
      *
-     * @example "a21b654c-2746-4168-acee-c175083a65cd"
+     * @example "user@example.com"
      */
-    userSub: string;
+    identifier: string;
     /**
      * Whether to grant exemption (true) or revoke exemption (false)
      */

package/dist/dto/set-mfa-exemption.dto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"set-mfa-exemption.dto.d.ts","sourceRoot":"","sources":["../../src/dto/set-mfa-exemption.dto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAKH;;GAEG;AACH,qBAAa,kBAAkB;IAC7B;;;;;;;;;;;;OAYG;IAQH,OAAO,EAAG,MAAM,CAAC;IAEjB;;OAEG;IAEH,MAAM,EAAG,OAAO,CAAC;IAEjB;;;;;;;;OAQG;IAUH,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAEvB;;;;;;;;OAQG;IAUH,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAED;;GAEG;AACH,qBAAa,0BAA0B;IACrC;;OAEG;IACH,SAAS,EAAG,OAAO,CAAC;IAEpB;;OAEG;IACH,eAAe,EAAG,MAAM,GAAG,IAAI,CAAC;IAEhC;;OAEG;IACH,kBAAkB,EAAG,IAAI,GAAG,IAAI,CAAC;CAClC"}
+{"version":3,"file":"set-mfa-exemption.dto.d.ts","sourceRoot":"","sources":["../../src/dto/set-mfa-exemption.dto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAKH;;;;GAIG;AACH,qBAAa,kBAAkB;IAC7B;;;;;;;;;;;;;OAaG;IASH,UAAU,EAAG,MAAM,CAAC;IAEpB;;OAEG;IAEH,MAAM,EAAG,OAAO,CAAC;IAEjB;;;;;;;;OAQG;IAUH,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAEvB;;;;;;;;OAQG;IAUH,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAED;;GAEG;AACH,qBAAa,0BAA0B;IACrC;;OAEG;IACH,SAAS,EAAG,OAAO,CAAC;IAEpB;;OAEG;IACH,eAAe,EAAG,MAAM,GAAG,IAAI,CAAC;IAEhC;;OAEG;IACH,kBAAkB,EAAG,IAAI,GAAG,IAAI,CAAC;CAClC"}

package/dist/dto/set-mfa-exemption.dto.js

@@ -8,7 +8,7 @@
  * @example
  * ```typescript
  * const result = await mfaService.setMFAExemption({
- *   userSub: 'user-uuid',
+ *   identifier: 'user@example.com', // email, username, phone, or user sub (UUID)
  *   exempt: true,
  *   reason: 'Business partner requires MFA bypass',
  *   grantedBy: 'admin@example.com'
@@ -30,22 +30,25 @@ const class_validator_1 = require("class-validator");
 const class_transformer_1 = require("class-transformer");
 /**
  * DTO for setting MFA exemption
+ *
+ * SECURITY: This DTO targets an arbitrary user; it must only be accepted by admin-protected APIs.
  */
 class SetMFAExemptionDTO {
     /**
-     * User's unique identifier (UUID v4)
+     * Target user identifier
      *
-     * Validation:
-     * - Must be a valid UUID v4 format
-     * - Matches DB constraint: char(36) or uuid
+     * Can be any supported identifier:
+     * - user sub (UUID)
+     * - email
+     * - username
+     * - phone (E.164)
      *
      * Sanitization:
      * - Trimmed
-     * - Lowercased for consistency
      *
-     * @example "a21b654c-2746-4168-acee-c175083a65cd"
+     * @example "user@example.com"
      */
-    userSub;
+    identifier;
     /**
      * Whether to grant exemption (true) or revoke exemption (false)
      */
@@ -73,15 +76,16 @@ class SetMFAExemptionDTO {
 }
 exports.SetMFAExemptionDTO = SetMFAExemptionDTO;
 __decorate([
-    (0, class_validator_1.IsUUID)('4', { message: 'User sub must be a valid UUID v4 format' }),
+    (0, class_validator_1.IsString)({ message: 'Identifier must be a string' }),
+    (0, class_validator_1.MaxLength)(255, { message: 'Identifier must not exceed 255 characters' }),
     (0, class_transformer_1.Transform)(({ value }) => {
         if (typeof value === 'string') {
-            return value.trim().toLowerCase();
+            return value.trim();
         }
         return value;
     }),
     __metadata("design:type", String)
-], SetMFAExemptionDTO.prototype, "userSub", void 0);
+], SetMFAExemptionDTO.prototype, "identifier", void 0);
 __decorate([
     (0, class_validator_1.IsBoolean)({ message: 'Exempt must be a boolean' }),
     __metadata("design:type", Boolean)

package/dist/dto/set-mfa-exemption.dto.js.map

@@ -1 +1 @@
-{"version":3,"file":"set-mfa-exemption.dto.js","sourceRoot":"","sources":["../../src/dto/set-mfa-exemption.dto.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;GAeG;;;;;;;;;;;;AAEH,qDAAqF;AACrF,yDAA8C;AAE9C;;GAEG;AACH,MAAa,kBAAkB;IAC7B;;;;;;;;;;;;OAYG;IAQH,OAAO,CAAU;IAEjB;;OAEG;IAEH,MAAM,CAAW;IAEjB;;;;;;;;OAQG;IAUH,MAAM,CAAiB;IAEvB;;;;;;;;OAQG;IAUH,SAAS,CAAiB;CAC3B;AApED,gDAoEC;AA/CC;IAPC,IAAA,wBAAM,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,yCAAyC,EAAE,CAAC;IACnE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACpC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;mDACe;AAMjB;IADC,IAAA,2BAAS,EAAC,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC;;kDAClC;AAoBjB;IATC,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,yBAAyB,EAAE,CAAC;IAChD,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,uCAAuC,EAAE,CAAC;IACpE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;kDACqB;AAoBvB;IATC,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,6BAA6B,EAAE,CAAC;IACpD,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,2CAA2C,EAAE,CAAC;IACxE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;qDACwB;AAG5B;;GAEG;AACH,MAAa,0BAA0B;IACrC;;OAEG;IACH,SAAS,CAAW;IAEpB;;OAEG;IACH,eAAe,CAAiB;IAEhC;;OAEG;IACH,kBAAkB,CAAe;CAClC;AAfD,gEAeC"}
+{"version":3,"file":"set-mfa-exemption.dto.js","sourceRoot":"","sources":["../../src/dto/set-mfa-exemption.dto.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;GAeG;;;;;;;;;;;;AAEH,qDAA6E;AAC7E,yDAA8C;AAE9C;;;;GAIG;AACH,MAAa,kBAAkB;IAC7B;;;;;;;;;;;;;OAaG;IASH,UAAU,CAAU;IAEpB;;OAEG;IAEH,MAAM,CAAW;IAEjB;;;;;;;;OAQG;IAUH,MAAM,CAAiB;IAEvB;;;;;;;;OAQG;IAUH,SAAS,CAAiB;CAC3B;AAtED,gDAsEC;AA/CC;IARC,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,6BAA6B,EAAE,CAAC;IACpD,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,2CAA2C,EAAE,CAAC;IACxE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;sDACkB;AAMpB;IADC,IAAA,2BAAS,EAAC,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC;;kDAClC;AAoBjB;IATC,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,yBAAyB,EAAE,CAAC;IAChD,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,uCAAuC,EAAE,CAAC;IACpE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;kDACqB;AAoBvB;IATC,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,6BAA6B,EAAE,CAAC;IACpD,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,2CAA2C,EAAE,CAAC;IACxE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;qDACwB;AAG5B;;GAEG;AACH,MAAa,0BAA0B;IACrC;;OAEG;IACH,SAAS,CAAW;IAEpB;;OAEG;IACH,eAAe,CAAiB;IAEhC;;OAEG;IACH,kBAAkB,CAAe;CAClC;AAfD,gEAeC"}

package/dist/services/auth.service.d.ts

@@ -806,14 +806,14 @@ export declare class AuthService {
      */
     adminResetPassword(dto: AdminResetPasswordDTO): Promise<AdminResetPasswordResponseDTO>;
     /**
-     * Complete admin-initiated password reset with verification code or token.
+     * Complete admin-initiated password reset with a verification code.
      *
-     * Accepts either:
-     * - code: Short numeric code from email/SMS (6-10 digits, attempt tracking)
-     * - token: Long hex token from link (64 chars, single use, no attempts)
+     * NOTE:
+     * - Links (when provided) should include the same verification code as a query parameter
+     *   (e.g., `...?code=123456`) to keep consumer apps code-only and consistent.
      *
      * Security:
-     * - Verifies code/token via PasswordResetService
+     * - Verifies code via PasswordResetService
      * - Enforces password policy and history
      * - Always revokes all sessions on completion
      * - Does not force password change (user already set new password)
@@ -825,19 +825,11 @@ export declare class AuthService {
      *
      * @example
      * ```typescript
-     * // With code
      * await authService.confirmAdminResetPassword({
      *   identifier: 'user@example.com',
      *   code: '123456',
      *   newPassword: 'NewSecurePass123!'
      * });
-     *
-     * // With token from link
-     * await authService.confirmAdminResetPassword({
-     *   identifier: 'user@example.com',
-     *   token: '64-char-hex-token',
-     *   newPassword: 'NewSecurePass123!'
-     * });
      * ```
      */
     confirmAdminResetPassword(dto: ConfirmAdminResetPasswordDTO): Promise<ConfirmAdminResetPasswordResponseDTO>;