@nauth-toolkit/core 0.1.86 → 0.1.88

package/dist/services/auth.service.d.ts

@@ -14,48 +14,56 @@ import { InternalAuthAuditService as AuthAuditService } from './auth-audit.servi
 import { TrustedDeviceService } from './trusted-device.service';
 import { MFAService } from './mfa.service';
 import { SignupDTO } from '../dto/signup.dto';
-import { AdminSignupDTO, AdminSignupResponseDTO } from '../dto/admin-signup.dto';
-import { AdminSignupSocialDTO, AdminSignupSocialResponseDTO } from '../dto/admin-signup-social.dto';
-import { DeleteUserDTO, DeleteUserResponseDTO } from '../dto/delete-user.dto';
-import { GetUsersDTO, GetUsersResponseDTO } from '../dto/get-users.dto';
-import { DisableUserDTO, DisableUserResponseDTO } from '../dto/disable-user.dto';
-import { EnableUserDTO, EnableUserResponseDTO } from '../dto/enable-user.dto';
 import { LoginDTO } from '../dto/login.dto';
-import { ChangePasswordRequestDTO } from '../dto/change-password-request.dto';
+import { ChangePasswordDTO } from '../dto/change-password.dto';
 import { ChangePasswordResponseDTO } from '../dto/change-password-response.dto';
-import { UpdateUserAttributesRequestDTO } from '../dto/update-user-attributes-request.dto';
-import { UpdateVerifiedStatusRequestDTO } from '../dto/update-verified-status-request.dto';
+import { UpdateUserAttributesDTO } from '../dto/update-user-attributes.dto';
 import { UserResponseDto } from '../dto/user-response.dto';
 import { AuthResponseDTO, TokenResponse } from '../dto/auth-response.dto';
 import { RespondChallengeDTO } from '../dto/respond-challenge.dto';
-import { GetUserByEmailDTO } from '../dto/get-user-by-email.dto';
-import { GetUserByIdDTO } from '../dto/get-user-by-id.dto';
 import { LogoutDTO } from '../dto/logout.dto';
 import { LogoutResponseDTO } from '../dto/logout-response.dto';
 import { LogoutAllDTO } from '../dto/logout-all.dto';
 import { LogoutAllResponseDTO } from '../dto/logout-all-response.dto';
-import { GetUserSessionsDTO } from '../dto/get-user-sessions.dto';
 import { GetUserSessionsResponseDTO } from '../dto/get-user-sessions-response.dto';
 import { LogoutSessionDTO } from '../dto/logout-session.dto';
 import { LogoutSessionResponseDTO } from '../dto/logout-session-response.dto';
 import { RefreshTokenDTO } from '../dto/refresh-token.dto';
 import { ResendCodeDTO } from '../dto/resend-code.dto';
 import { ResendCodeResponseDTO } from '../dto/resend-code-response.dto';
-import { SetMustChangePasswordDTO } from '../dto/set-must-change-password.dto';
-import { SetMustChangePasswordResponseDTO } from '../dto/set-must-change-password-response.dto';
-import { AdminSetPasswordDTO, AdminSetPasswordResponseDTO } from '../dto/admin-set-password.dto';
-import { AdminResetPasswordDTO, AdminResetPasswordResponseDTO, ConfirmAdminResetPasswordDTO, ConfirmAdminResetPasswordResponseDTO } from '../dto/admin-reset-password.dto';
+import { ValidateAccessTokenDTO } from '../dto/validate-access-token.dto';
+import { ValidateAccessTokenResponseDTO } from '../dto/validate-access-token-response.dto';
 import { ForgotPasswordDTO, ForgotPasswordResponseDTO } from '../dto/forgot-password.dto';
 import { ConfirmForgotPasswordDTO, ConfirmForgotPasswordResponseDTO } from '../dto/confirm-forgot-password.dto';
 import { TrustDeviceResponseDTO } from '../dto/trust-device-response.dto';
 import { IsTrustedDeviceResponseDTO } from '../dto/is-trusted-device-response.dto';
-import { ValidateAccessTokenDTO } from '../dto/validate-access-token.dto';
-import { ValidateAccessTokenResponseDTO } from '../dto/validate-access-token-response.dto';
+import { GetMFAStatusResponseDTO } from '../dto/get-mfa-status.dto';
+import { GetUserAuthHistoryDTO } from '../dto/get-user-auth-history.dto';
+import { GetUserAuthHistoryResponseDTO } from '../dto/admin-get-user-auth-history.dto';
 import { PasswordResetService } from './password-reset.service';
 import { SocialAuthService } from './social-auth.service';
 import { HookRegistryService } from './hook-registry.service';
 import { NAuthConfig } from '../interfaces/config.interface';
 import { NAuthLogger } from '../utils/nauth-logger';
+/**
+ * Core user-facing authentication service
+ *
+ * This service implements **self-service** authentication flows for the currently authenticated user:
+ * - Signup, login, challenge completion, refresh token rotation
+ * - Logout / logout-all / logout-session (self-management)
+ * - Profile management and password change (self-management)
+ *
+ * Admin-only operations (explicit targeting via `sub`) are intentionally owned by {@link AdminAuthService}.
+ *
+ * @example
+ * ```typescript
+ * // Login (self-service)
+ * const result = await authService.login({ identifier: 'user@example.com', password: 'Password123!' });
+ *
+ * // Refresh (self-service; cookies or JSON depending on config)
+ * const refreshed = await authService.refreshToken({ refreshToken: '...' });
+ * ```
+ */
 export declare class AuthService {
     private readonly userRepository;
     private readonly loginAttemptRepository;
@@ -118,194 +126,6 @@ export declare class AuthService {
      * ```
      */
     signup(dto: SignupDTO): Promise<AuthResponseDTO>;
-    /**
-     * Administrative user creation with override capabilities
-     *
-     * Allows administrators to create user accounts with:
-     * - Bypass email/phone verification requirements
-     * - Force password change on first login
-     * - Auto-generate secure passwords
-     *
-     * Security:
-     * - No built-in authentication - endpoint must be protected by framework adapter
-     * - All duplicate checks still enforced
-     * - Password policy still enforced (unless auto-generated)
-     * - Audit trail records admin-created accounts
-     *
-     * @param dto - Admin signup DTO with override flags
-     * @returns User object and optionally generated password
-     * @throws {NAuthException} EMAIL_EXISTS | USERNAME_EXISTS | PHONE_EXISTS | WEAK_PASSWORD
-     *
-     * @example
-     * ```typescript
-     * // Create user with pre-verified email
-     * const result = await authService.adminSignup({
-     *   email: 'user@example.com',
-     *   password: 'SecurePass123!',
-     *   isEmailVerified: true,
-     * });
-     *
-     * // Create user with auto-generated password
-     * const result = await authService.adminSignup({
-     *   email: 'user@example.com',
-     *   generatePassword: true,
-     *   isEmailVerified: true,
-     *   mustChangePassword: true,
-     * });
-     * // result.generatedPassword contains the temporary password
-     * ```
-     */
-    adminSignup(dto: AdminSignupDTO): Promise<AdminSignupResponseDTO>;
-    /**
-     * Administrative social user import with override capabilities
-     *
-     * Allows administrators to import existing social users from external platforms
-     * (e.g., Cognito, Auth0) into nauth with:
-     * - Bypass email/phone verification requirements
-     * - Optional password for hybrid social+password accounts
-     * - Social account linkage (provider + providerId)
-     * - Automatic user flag updates (hasSocialAuth)
-     *
-     * Use case: Migrating users from external authentication platforms while
-     * preserving their social login connections for transparent future logins.
-     *
-     * Security:
-     * - No built-in authentication - endpoint must be protected by framework adapter
-     * - All duplicate checks enforced (email, username, phone, provider+providerId)
-     * - Password policy enforced if password provided
-     * - Audit trail records admin-imported social accounts
-     *
-     * @param dto - Admin social signup DTO with social account details
-     * @returns User object and social account confirmation
-     * @throws {NAuthException} EMAIL_EXISTS | USERNAME_EXISTS | PHONE_EXISTS | SOCIAL_ACCOUNT_EXISTS | WEAK_PASSWORD
-     *
-     * @example
-     * ```typescript
-     * // Import social-only user from Cognito
-     * // Note: Email is automatically verified for social imports (like normal social signup)
-     * const result = await authService.adminSignupSocial({
-     *   email: 'user@example.com',
-     *   provider: 'google',
-     *   providerId: 'google_12345',
-     *   providerEmail: 'user@gmail.com',
-     *   socialMetadata: { sub: 'google_12345', given_name: 'John' },
-     * });
-     *
-     * // Import hybrid user with password + social
-     * const result = await authService.adminSignupSocial({
-     *   email: 'user@example.com',
-     *   password: 'SecurePass123!',
-     *   provider: 'apple',
-     *   providerId: 'apple_67890',
-     * });
-     * ```
-     */
-    adminSignupSocial(dto: AdminSignupSocialDTO): Promise<AdminSignupSocialResponseDTO>;
-    /**
-     * Administrative user deletion with complete cascade cleanup
-     *
-     * HARD DELETE - Permanently removes user and ALL associated data including:
-     * - Sessions, verification tokens, MFA devices, trusted devices
-     * - Social accounts, login attempts, challenge sessions, audit logs
-     *
-     * Security:
-     * - NO built-in authentication - endpoint MUST be protected by admin guards
-     * - Records admin action in separate audit log (not deleted with user)
-     * - Irreversible operation - all data permanently removed
-     *
-     * @param dto - User sub to delete
-     * @returns Deletion confirmation with cascade counts
-     * @throws {NAuthException} USER_NOT_FOUND
-     *
-     * @example
-     * ```typescript
-     * const result = await authService.deleteUser({ sub: 'user-uuid-123' });
-     * console.log(`Deleted user: ${result.deletedUserId}`);
-     * console.log(`Deleted ${result.deletedRecords.sessions} sessions`);
-     * ```
-     */
-    deleteUser(dto: DeleteUserDTO): Promise<DeleteUserResponseDTO>;
-    /**
-     * Get paginated list of users with advanced filtering
-     *
-     * Supports pagination, boolean filters, exact match filters,
-     * date filters with operators (gt, gte, lt, lte, eq), and flexible sorting.
-     *
-     * Security:
-     * - NO built-in authentication - endpoint MUST be protected by admin guards
-     * - Returns sanitized user data (no passwordHash, secrets)
-     *
-     * @param dto - Filters, pagination, sorting
-     * @returns Paginated user list with metadata
-     *
-     * @example
-     * ```typescript
-     * const result = await authService.getUsers({
-     *   page: 1,
-     *   limit: 20,
-     *   isEmailVerified: true,
-     *   hasSocialAuth: true,
-     *   createdAt: { operator: 'gte', value: new Date('2024-01-01') },
-     *   sortBy: 'createdAt',
-     *   sortOrder: 'DESC'
-     * });
-     * ```
-     */
-    getUsers(dto: GetUsersDTO): Promise<GetUsersResponseDTO>;
-    /**
-     * Administrative permanent account locking
-     *
-     * Sets permanent lock (lockedUntil=NULL) and immediately revokes all active sessions.
-     * Reuses existing rate-limit lock fields (isLocked, lockReason, lockedAt, lockedUntil).
-     *
-     * Permanent vs Temporary locks:
-     * - Rate limiting: lockedUntil = future date (temporary auto-unlock)
-     * - Admin disableUser: lockedUntil = NULL (permanent manual lock)
-     *
-     * Security:
-     * - NO built-in authentication - endpoint MUST be protected by admin guards
-     * - Revokes all sessions immediately (forced logout)
-     * - Records ACCOUNT_DISABLED audit event with admin identifier
-     *
-     * @param dto - User sub and optional reason
-     * @returns User object with updated lock status and revoked session count
-     * @throws {NAuthException} USER_NOT_FOUND
-     *
-     * @example
-     * ```typescript
-     * const result = await authService.disableUser({
-     *   sub: 'user-uuid-123',
-     *   reason: 'Suspicious activity detected'
-     * });
-     * console.log(`Revoked ${result.revokedSessions} sessions`);
-     * ```
-     */
-    disableUser(dto: DisableUserDTO): Promise<DisableUserResponseDTO>;
-    /**
-     * Enable (unlock) user account
-     *
-     * Unlocks a previously locked user account by clearing all lock fields.
-     * This reverses the effect of disableUser() or rate-limit lockouts.
-     *
-     * Security:
-     * - NO built-in authentication - endpoint MUST be protected by admin guards
-     * - Clears lock fields (isLocked, lockReason, lockedAt, lockedUntil)
-     * - Resets failed login attempts counter
-     * - Records ACCOUNT_ENABLED audit event with admin identifier
-     *
-     * @param dto - User sub to enable
-     * @returns User object with updated lock status
-     * @throws {NAuthException} USER_NOT_FOUND
-     *
-     * @example
-     * ```typescript
-     * const result = await authService.enableUser({
-     *   sub: 'user-uuid-123'
-     * });
-     * console.log(`User unlocked: ${result.user.email}`);
-     * ```
-     */
-    enableUser(dto: EnableUserDTO): Promise<EnableUserResponseDTO>;
     /**
      * Log in a user with identifier (email, username, or phone) and password.
      *
@@ -453,9 +273,8 @@ export declare class AuthService {
      * - Requires authentication - session ID must be present in request context
      * - Endpoint MUST be protected by authentication guards
      * - User cannot specify which session to logout (always current session)
-     * - Optional sub validation for additional security
      *
-     * @param dto - Logout options (optional sub for validation, optional forgetMe flag)
+     * @param dto - Logout options (optional forgetMe flag)
      * @returns Success status
      * @throws {NAuthException} SESSION_NOT_FOUND if session ID not found in request context
      *
@@ -464,10 +283,7 @@ export declare class AuthService {
      * @UseGuards(AuthGuard)
      * @Get('logout')
      * async logout(@CurrentUser() user: IUser, @Query('forgetMe') forgetMe?: string) {
-     *   const dto = new LogoutDTO();
-     *   dto.sub = user.sub; // Optional validation
-     *   dto.forgetMe = forgetMe === 'true';
-     *   return this.authService.logout(dto);
+     *   return this.authService.logout({ forgetMe: forgetMe === 'true' });
      * }
      * ```
      */
@@ -479,16 +295,13 @@ export declare class AuthService {
      * Optionally revokes all trusted devices if forgetDevices flag is set.
      *
      * Usage Patterns:
-     * - **User-initiated**: User logs out from all their own sessions (protected endpoint, user provides their own sub)
-     * - **Admin-initiated**: Admin force-logs out any user (admin-protected endpoint, admin provides target user's sub)
+     * - **User-initiated**: User logs out from all their own sessions (protected endpoint)
      *
      * Security:
-     * - Requires explicit sub parameter
-     * - NO built-in authentication - endpoint MUST be protected by guards
-     * - For user endpoints: Extract sub from authenticated user context (@CurrentUser)
-     * - For admin endpoints: Accept sub from route parameter and protect with admin guards
+     * - Uses authenticated user context for sub
+     * - Endpoint MUST be protected by authentication guards
      *
-     * @param dto - User sub and optional forgetDevices flag
+     * @param dto - Logout options (forgetDevices flag)
      * @returns Number of sessions revoked
      * @throws {NAuthException} NOT_FOUND if user not found
      *
@@ -498,17 +311,17 @@ export declare class AuthService {
      * @UseGuards(AuthGuard)
      * @Post('logout/all')
      * async logoutAll(@CurrentUser() user: IUser, @Body() body: { forgetDevices?: boolean }) {
-     *   return this.authService.logoutAll({ sub: user.sub, forgetDevices: body.forgetDevices });
+     *   return this.authService.logoutAll({ forgetDevices: body.forgetDevices });
      * }
      * ```
      *
      * @example Admin-initiated (admin manages any user)
      * ```typescript
-     * // Admin provides target user's sub
+     * // Use AdminAuthService.logoutAll with target sub
      * @UseGuards(AuthGuard, AdminGuard)
      * @Post('admin/users/:sub/logout-all')
      * async adminLogoutAll(@Param('sub') sub: string, @Body() body: { forgetDevices?: boolean }) {
-     *   return this.authService.logoutAll({ sub, forgetDevices: body.forgetDevices });
+     *   return this.adminAuthService.logoutAll({ sub, forgetDevices: body.forgetDevices });
      * }
      * ```
      */
@@ -521,16 +334,12 @@ export declare class AuthService {
      * Current session (if called from authenticated context) is marked with isCurrent=true.
      *
      * Usage Patterns:
-     * - **User viewing own sessions**: User views their active sessions (protected endpoint, user provides their own sub)
-     * - **Admin viewing any user's sessions**: Admin views any user's sessions (admin-protected endpoint, admin provides target user's sub)
+     * - **User viewing own sessions**: User views their active sessions (protected endpoint)
      *
      * Security:
-     * - Requires explicit sub parameter
-     * - NO built-in authentication - endpoint MUST be protected by guards
-     * - For user endpoints: Extract sub from authenticated user context (@CurrentUser)
-     * - For admin endpoints: Accept sub from route parameter and protect with admin guards
+     * - Uses authenticated user context for sub
+     * - Endpoint MUST be protected by authentication guards
      *
-     * @param dto - Contains user sub
      * @returns Array of sessions with device info, auth method, and isCurrent flag
      * @throws {NAuthException} NOT_FOUND if user not found
      *
@@ -539,7 +348,7 @@ export declare class AuthService {
      * @UseGuards(AuthGuard)
      * @Get('sessions')
      * async getSessions(@CurrentUser() user: IUser) {
-     *   return this.authService.getUserSessions({ sub: user.sub });
+     *   return this.authService.getUserSessions();
      * }
      * ```
      *
@@ -548,11 +357,70 @@ export declare class AuthService {
      * @UseGuards(AuthGuard, AdminGuard)
      * @Get('admin/users/:sub/sessions')
      * async adminGetSessions(@Param('sub') sub: string) {
-     *   return this.authService.getUserSessions({ sub });
+     *   return this.adminAuthService.getUserSessions({ sub });
+     * }
+     * ```
+     */
+    getUserSessions(): Promise<GetUserSessionsResponseDTO>;
+    /**
+     * Get MFA status for current authenticated user
+     *
+     * Returns comprehensive MFA status including enabled status, configured methods,
+     * available methods, backup codes, and exemption information.
+     *
+     * Usage Patterns:
+     * - **User viewing own MFA status**: User views their MFA configuration (protected endpoint)
+     *
+     * Security:
+     * - Uses authenticated user context for sub
+     * - Endpoint MUST be protected by authentication guards
+     *
+     * @returns MFA status response
+     * @throws {NAuthException} FORBIDDEN if user not authenticated
+     * @throws {NAuthException} NOT_FOUND if user not found
+     *
+     * @example User viewing own MFA status
+     * ```typescript
+     * @UseGuards(AuthGuard)
+     * @Get('mfa/status')
+     * async getMFAStatus() {
+     *   return this.authService.getMFAStatus();
      * }
      * ```
      */
-    getUserSessions(dto: GetUserSessionsDTO): Promise<GetUserSessionsResponseDTO>;
+    getMFAStatus(): Promise<GetMFAStatusResponseDTO>;
+    /**
+     * Get authentication audit history for current authenticated user
+     *
+     * Returns paginated audit trail of authentication events for the user:
+     * - Login attempts (success/failure)
+     * - Password changes
+     * - MFA setup/verification
+     * - Device trust events
+     * - Device information, location, risk factors
+     *
+     * Usage Patterns:
+     * - **User viewing own audit history**: User views their authentication history (protected endpoint)
+     *
+     * Security:
+     * - Uses authenticated user context for sub
+     * - Endpoint MUST be protected by authentication guards
+     *
+     * @param dto - Optional query parameters for filtering and pagination
+     * @returns Paginated audit history response
+     * @throws {NAuthException} FORBIDDEN if user not authenticated
+     * @throws {NAuthException} NOT_FOUND if user not found
+     *
+     * @example User viewing own audit history
+     * ```typescript
+     * @UseGuards(AuthGuard)
+     * @Get('audit/history')
+     * async getAuditHistory(@Query() query: GetUserAuthHistoryDTO) {
+     *   return this.authService.getUserAuthHistory(query);
+     * }
+     * ```
+     */
+    getUserAuthHistory(dto?: GetUserAuthHistoryDTO): Promise<GetUserAuthHistoryResponseDTO>;
     /**
      * Logout a specific session by ID
      *
@@ -561,17 +429,14 @@ export declare class AuthService {
      * Useful for "sign out from device" functionality in user dashboards.
      *
      * Usage Patterns:
-     * - **User logging out own session**: User revokes specific session (protected endpoint, user provides their own sub)
-     * - **Admin revoking any user's session**: Admin revokes specific session for any user (admin-protected endpoint, admin provides target user's sub)
+     * - **User logging out own session**: User revokes specific session (protected endpoint)
      *
      * Security:
-     * - Requires explicit sub parameter
+     * - Uses authenticated user context for sub
      * - Validates session belongs to user (prevents unauthorized session revocation)
-     * - NO built-in authentication - endpoint MUST be protected by guards
-     * - For user endpoints: Extract sub from authenticated user context (@CurrentUser)
-     * - For admin endpoints: Accept sub from route parameter and protect with admin guards
+     * - Endpoint MUST be protected by authentication guards
      *
-     * @param dto - Contains sessionId and user sub
+     * @param dto - Contains sessionId
      * @returns Success status and whether it was the current session
      * @throws {NAuthException} NOT_FOUND if user not found
      * @throws {NAuthException} SESSION_NOT_FOUND if session not found
@@ -582,7 +447,7 @@ export declare class AuthService {
      * @UseGuards(AuthGuard)
      * @Delete('sessions/:sessionId')
      * async logoutSession(@CurrentUser() user: IUser, @Param('sessionId') sessionId: string) {
-     *   return this.authService.logoutSession({ sub: user.sub, sessionId });
+     *   return this.authService.logoutSession({ sessionId });
      * }
      * ```
      *
@@ -591,7 +456,7 @@ export declare class AuthService {
      * @UseGuards(AuthGuard, AdminGuard)
      * @Delete('admin/users/:sub/sessions/:sessionId')
      * async adminRevokeSession(@Param('sub') sub: string, @Param('sessionId') sessionId: string) {
-     *   return this.authService.logoutSession({ sub, sessionId });
+     *   return this.adminAuthService.revokeUserSession({ sub, sessionId });
      * }
      * ```
      */
@@ -603,69 +468,51 @@ export declare class AuthService {
      * checks password reuse policy, and updates the user's password hash and history.
      * Executes configured pre-change hooks if provided.
      *
-     * @param sub - External user identifier (sub/UUID)
      * @param dto - ChangePasswordDTO containing old and new password
      * @returns void
      * @throws {NAuthException} If the user is not found, current password is incorrect, the new password is weak, password reuse is detected, or password change is disallowed by hooks.
      *
      * @example
      * ```typescript
-     * await authService.changePassword('user-uuid', {
+     * await authService.changePassword({
      *   oldPassword: 'currentPass123!',
      *   newPassword: 'newStr0ngPass!@#',
      * });
      * ```
      */
-    changePassword(dto: ChangePasswordRequestDTO): Promise<ChangePasswordResponseDTO>;
+    changePassword(dto: ChangePasswordDTO): Promise<ChangePasswordResponseDTO>;
     /**
      * Update user profile attributes.
      *
      * Updates user fields (name, email, phone, username, metadata) and enforces unique constraints and verification rules.
      *
-     * @param dto - UpdateUserAttributesRequestDTO containing sub and fields to update
+     * @param dto - UpdateUserAttributesDTO containing fields to update
      * @returns Updated user object
      * @throws {NAuthException} If user not found or unique constraint violated
      *
      * @example
-     * await authService.updateUserAttributes({ sub: 'user-uuid', email: 'test@example.com' });
+     * await authService.updateUserAttributes({ email: 'test@example.com' });
      */
-    updateUserAttributes(dto: UpdateUserAttributesRequestDTO): Promise<UserResponseDto>;
+    updateUserAttributes(dto: UpdateUserAttributesDTO): Promise<UserResponseDto>;
     /**
-     * Update email and/or phone verification status.
-     *
-     * Intended for admin use cases such as migration or offline validation.
-     * Updates verification status without requiring actual verification codes.
+     * Get user for authentication context
      *
-     * Validation:
-     * - Cannot set verified=true if email/phone doesn't exist
-     * - Can set verified=false even if email/phone doesn't exist (default state)
-     * - Only updates provided fields (partial update)
+     * Loads user by sub (external identifier) with all fields needed for auth context.
+     * Computes hasPasswordHash from passwordHash, then removes passwordHash and other sensitive fields.
      *
-     * Audit:
-     * - Records EMAIL_VERIFIED or PHONE_VERIFIED audit events
-     * - Includes performedBy from authenticated admin context
+     * This method is used by AuthHandler and AuthGuard to load authenticated users.
+     * It ensures consistent user object shape across platforms (core + NestJS).
      *
-     * @param dto - Request DTO containing sub and verification status flags
-     * @returns Updated user object
-     * @throws {NAuthException} If user not found or trying to verify non-existent email/phone
+     * @param sub - External user identifier (UUID)
+     * @returns User object with hasPasswordHash flag, without sensitive fields
+     * @throws {NAuthException} If user not found or account is inactive
      *
      * @example
      * ```typescript
-     * // Update email verification only
-     * await authService.updateVerifiedStatus({
-     *   sub: 'user-uuid',
-     *   isEmailVerified: true
-     * });
-     *
-     * // Update both email and phone verification
-     * await authService.updateVerifiedStatus({
-     *   sub: 'user-uuid',
-     *   isEmailVerified: true,
-     *   isPhoneVerified: false
-     * });
+     * const user = await authService.getUserForAuthContext('user-uuid');
      * ```
      */
-    updateVerifiedStatus(dto: UpdateVerifiedStatusRequestDTO): Promise<UserResponseDto>;
+    getUserForAuthContext(sub: string): Promise<IUser>;
     /**
      * Validate JWT access token
      *
@@ -702,178 +549,6 @@ export declare class AuthService {
      * ```
      */
     validateAccessToken(dto: ValidateAccessTokenDTO): Promise<ValidateAccessTokenResponseDTO>;
-    /**
-     * Get user for authentication context
-     *
-     * Loads user by sub (external identifier) with all fields needed for auth context.
-     * Computes hasPasswordHash from passwordHash, then removes passwordHash and other sensitive fields.
-     *
-     * This method is used by AuthHandler and AuthGuard to load authenticated users.
-     * It ensures consistent user object shape across platforms (core + NestJS).
-     *
-     * @param sub - External user identifier (UUID)
-     * @returns User object with hasPasswordHash flag, without sensitive fields
-     * @throws {NAuthException} If user not found or account is inactive
-     *
-     * @example
-     * ```typescript
-     * const user = await authService.getUserForAuthContext('user-uuid-123');
-     * // user.hasPasswordHash === true/false
-     * // user.passwordHash === undefined (removed)
-     * ```
-     */
-    getUserForAuthContext(sub: string): Promise<IUser>;
-    /**
-     * Get user by external identifier (sub/UUID).
-     *
-     * @param dto - GetUserByIdDTO containing sub
-     * @returns User response DTO or null if not found
-     *
-     * @example
-     * ```typescript
-     * const user = await authService.getUserById({ sub: 'user-uuid' });
-     * ```
-     */
-    getUserById(dto: GetUserByIdDTO): Promise<UserResponseDto | null>;
-    /**
-     * Get user by email address.
-     *
-     * @param dto - GetUserByEmailDTO containing email and optional requireEmailVerified
-     * @returns User response DTO or null if not found
-     * @internal - For use by social auth providers
-     *
-     * @example
-     * ```typescript
-     * const user = await authService.getUserByEmail({ email: 'user@example.com', requireEmailVerified: true });
-     * ```
-     */
-    getUserByEmail(dto: GetUserByEmailDTO): Promise<UserResponseDto | null>;
-    /**
-     * Require user to change password at next login.
-     *
-     * Throws if user not found or has no password set (e.g. social login only).
-     *
-     * @param dto - SetMustChangePasswordDTO containing userId (sub)
-     * @returns Success response
-     * @throws {NAuthException} If user is not found or cannot change password
-     *
-     * @example
-     * ```typescript
-     * await authService.setMustChangePassword({ userId: 'user-uuid-123' });
-     * ```
-     */
-    setMustChangePassword(dto: SetMustChangePasswordDTO): Promise<SetMustChangePasswordResponseDTO>;
-    /**
-     * Admin-only: Initiate a code-based password reset workflow.
-     *
-     * Unlike adminSetPassword(), this sends a verification code (and optional link)
-     * to the user via email/SMS and allows them to set their own password.
-     *
-     * Features:
-     * - Code + optional link delivery (like email verification)
-     * - Optional immediate session revocation
-     * - Configurable expiry (default 1 hour)
-     * - Admin-specific email template
-     * - No rate limiting (admin bypass)
-     * - Separate audit trail with reason
-     *
-     * Security:
-     * - Admin-only operation (protect route with admin guard)
-     * - Non-enumerating (throws NOT_FOUND if user doesn't exist)
-     * - Separate token type ('admin_password_reset')
-     * - Audit logging with reason
-     *
-     * @param dto - Admin reset password request
-     * @returns Response with masked destination, expiry, and sessions revoked count
-     * @throws {NAuthException} NOT_FOUND when user not found
-     *
-     * @example
-     * ```typescript
-     * // With link for custom UI
-     * const result = await authService.adminResetPassword({
-     *   identifier: 'user@example.com',
-     *   baseUrl: 'https://myapp.com/reset-password',
-     *   revokeSessions: true,
-     *   reason: 'User reported compromise'
-     * });
-     * // result: { success: true, destination: 'u***r@example.com', expiresIn: 3600, sessionsRevoked: 3 }
-     *
-     * // Code only (no link)
-     * const result = await authService.adminResetPassword({
-     *   identifier: 'user@example.com'
-     * });
-     * ```
-     */
-    adminResetPassword(dto: AdminResetPasswordDTO): Promise<AdminResetPasswordResponseDTO>;
-    /**
-     * Complete admin-initiated password reset with verification code or token.
-     *
-     * Accepts either:
-     * - code: Short numeric code from email/SMS (6-10 digits, attempt tracking)
-     * - token: Long hex token from link (64 chars, single use, no attempts)
-     *
-     * Security:
-     * - Verifies code/token via PasswordResetService
-     * - Enforces password policy and history
-     * - Always revokes all sessions on completion
-     * - Does not force password change (user already set new password)
-     * - Records audit event
-     *
-     * @param dto - Confirm admin reset password request
-     * @returns Success response
-     * @throws {NAuthException} NOT_FOUND | PASSWORD_RESET_CODE_INVALID | PASSWORD_RESET_CODE_EXPIRED | PASSWORD_RESET_MAX_ATTEMPTS | WEAK_PASSWORD | PASSWORD_REUSED | INVALID_CREDENTIALS
-     *
-     * @example
-     * ```typescript
-     * // With code
-     * await authService.confirmAdminResetPassword({
-     *   identifier: 'user@example.com',
-     *   code: '123456',
-     *   newPassword: 'NewSecurePass123!'
-     * });
-     *
-     * // With token from link
-     * await authService.confirmAdminResetPassword({
-     *   identifier: 'user@example.com',
-     *   token: '64-char-hex-token',
-     *   newPassword: 'NewSecurePass123!'
-     * });
-     * ```
-     */
-    confirmAdminResetPassword(dto: ConfirmAdminResetPasswordDTO): Promise<ConfirmAdminResetPasswordResponseDTO>;
-    /**
-     * Admin-only: Reset a user's password by identifier.
-     *
-     * Allows administrators to reset a user's password using any identifier
-     * (email, username, phone, or sub). Automatically revokes sessions and optionally
-     * requires password change on next login using the existing challenge system.
-     *
-     * SECURITY: This is an admin-only operation. Ensure proper authorization
-     * checks are in place before calling this method.
-     *
-     * @param dto - Admin reset password request
-     * @returns Response with success status and session revocation count
-     * @throws {NAuthException} If user not found, user has no password (social-only), or password validation fails
-     *
-     * @example
-     * ```typescript
-     * // Reset with force password change
-     * const result = await authService.adminSetPassword({
-     *   identifier: 'user@example.com',
-     *   newPassword: 'NewSecurePassword123!',
-     *   mustChangePassword: true,
-     *   revokeSessions: true
-     * });
-     *
-     * // Reset without forcing password change
-     * const result = await authService.adminSetPassword({
-     *   identifier: 'a21b654c-2746-4168-acee-c175083a65cd',
-     *   newPassword: 'NewSecurePassword123!',
-     *   mustChangePassword: false
-     * });
-     * ```
-     */
-    adminSetPassword(dto: AdminSetPasswordDTO): Promise<AdminSetPasswordResponseDTO>;
     /**
      * Request a password reset code for an account.
      *
@@ -905,5 +580,6 @@ export declare class AuthService {
      * @throws {NAuthException} PASSWORD_RESET_CODE_INVALID | PASSWORD_RESET_CODE_EXPIRED | PASSWORD_RESET_MAX_ATTEMPTS
      */
     confirmForgotPassword(dto: ConfirmForgotPasswordDTO): Promise<ConfirmForgotPasswordResponseDTO>;
+    private getCurrentUserOrThrow;
 }
 //# sourceMappingURL=auth.service.d.ts.map