@nauth-toolkit/core 0.1.87 → 0.1.89

package/dist/dto/admin-get-mfa-status.dto.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Admin request DTO for getting MFA status (includes target user sub)
+ */
+export declare class AdminGetMFAStatusDTO {
+    /**
+     * User's unique identifier (UUID v4)
+     *
+     * Validation:
+     * - Must be a valid UUID v4 format
+     * - Matches DB constraint: char(36) or uuid
+     *
+     * Sanitization:
+     * - Trimmed
+     * - Lowercased for consistency
+     *
+     * @example "a21b654c-2746-4168-acee-c175083a65cd"
+     */
+    sub: string;
+}
+//# sourceMappingURL=admin-get-mfa-status.dto.d.ts.map

package/dist/dto/admin-get-mfa-status.dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-get-mfa-status.dto.d.ts","sourceRoot":"","sources":["../../src/dto/admin-get-mfa-status.dto.ts"],"names":[],"mappings":"AAkBA;;GAEG;AACH,qBAAa,oBAAoB;IAC/B;;;;;;;;;;;;OAYG;IAQH,GAAG,EAAG,MAAM,CAAC;CACd"}

package/dist/dto/{change-password-request.dto.js → admin-get-mfa-status.dto.js}

@@ -1,23 +1,4 @@
 "use strict";
-/**
- * Change Password Request DTO
- *
- * Request DTO for changing a user's password (includes user sub).
- *
- * Security:
- * - User sub validated (UUID)
- * - Password validation enforced
- * - Current password required for security
- *
- * @example
- * ```typescript
- * await authService.changePassword({
- *   sub: 'user-uuid',
- *   currentPassword: 'OldPass123!',
- *   newPassword: 'NewPass456!'
- * });
- * ```
- */
 var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
     var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
     if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
@@ -28,22 +9,33 @@ var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ChangePasswordRequestDTO = void 0;
+exports.AdminGetMFAStatusDTO = void 0;
+/**
+ * Admin Get MFA Status DTO
+ *
+ * Admin-only request DTO for retrieving MFA status for a target user.
+ *
+ * Security:
+ * - Requires target user sub (UUID v4)
+ *
+ * @example
+ * ```typescript
+ * const status = await mfaService.adminGetMfaStatus({
+ *   sub: 'a21b654c-2746-4168-acee-c175083a65cd',
+ * });
+ * ```
+ */
 const class_validator_1 = require("class-validator");
 const class_transformer_1 = require("class-transformer");
-const change_password_dto_1 = require("./change-password.dto");
 /**
- * Request DTO for changing password (includes user sub)
+ * Admin request DTO for getting MFA status (includes target user sub)
  */
-class ChangePasswordRequestDTO extends change_password_dto_1.ChangePasswordDTO {
+class AdminGetMFAStatusDTO {
     /**
      * User's unique identifier (UUID v4)
      *
-     * Optional at controller level - filled from authenticated user's JWT.
-     * Validated only when provided (service layer will ensure it's set).
-     *
      * Validation:
-     * - Must be a valid UUID v4 format when provided
+     * - Must be a valid UUID v4 format
      * - Matches DB constraint: char(36) or uuid
      *
      * Sanitization:
@@ -54,9 +46,8 @@ class ChangePasswordRequestDTO extends change_password_dto_1.ChangePasswordDTO {
      */
     sub;
 }
-exports.ChangePasswordRequestDTO = ChangePasswordRequestDTO;
+exports.AdminGetMFAStatusDTO = AdminGetMFAStatusDTO;
 __decorate([
-    (0, class_validator_1.ValidateIf)((o) => o.sub !== undefined && o.sub !== null && o.sub !== ''),
     (0, class_validator_1.IsUUID)('4', { message: 'User sub must be a valid UUID v4 format' }),
     (0, class_transformer_1.Transform)(({ value }) => {
         if (typeof value === 'string') {
@@ -64,7 +55,6 @@ __decorate([
         }
         return value;
     }),
-    (0, class_validator_1.IsOptional)(),
     __metadata("design:type", String)
-], ChangePasswordRequestDTO.prototype, "sub", void 0);
-//# sourceMappingURL=change-password-request.dto.js.map
+], AdminGetMFAStatusDTO.prototype, "sub", void 0);
+//# sourceMappingURL=admin-get-mfa-status.dto.js.map

package/dist/dto/admin-get-mfa-status.dto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-get-mfa-status.dto.js","sourceRoot":"","sources":["../../src/dto/admin-get-mfa-status.dto.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;;;;;;GAcG;AACH,qDAAyC;AACzC,yDAA8C;AAE9C;;GAEG;AACH,MAAa,oBAAoB;IAC/B;;;;;;;;;;;;OAYG;IAQH,GAAG,CAAU;CACd;AAtBD,oDAsBC;AADC;IAPC,IAAA,wBAAM,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,yCAAyC,EAAE,CAAC;IACnE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACpC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;iDACW"}

package/dist/dto/admin-get-user-auth-history.dto.d.ts

@@ -0,0 +1,62 @@
+import { IAuthAudit } from '../interfaces/entities.interface';
+import { GetUserAuthHistoryDTO } from './get-user-auth-history.dto';
+/**
+ * Request DTO for getting user authentication history (admin-only)
+ *
+ * Admin DTO - requires sub field. Used by AdminAuthService.
+ *
+ * @example
+ * ```typescript
+ * const result = await auditService.getUserAuthHistory({
+ *   sub: 'user-uuid',
+ *   page: 1,
+ *   limit: 50,
+ *   eventTypes: [AuthAuditEventType.LOGIN_SUCCESS],
+ *   startDate: new Date('2025-01-01'),
+ * });
+ * ```
+ */
+export declare class AdminGetUserAuthHistoryDTO extends GetUserAuthHistoryDTO {
+    /**
+     * User's unique identifier (UUID v4)
+     *
+     * Validation:
+     * - Must be a valid UUID v4 format
+     * - Matches DB constraint: char(36) or uuid
+     *
+     * Sanitization:
+     * - Trimmed
+     * - Lowercased for consistency
+     *
+     * Required for admin operations.
+     *
+     * @example "a21b654c-2746-4168-acee-c175083a65cd"
+     */
+    sub: string;
+}
+/**
+ * Response DTO for paginated user authentication history
+ */
+export declare class GetUserAuthHistoryResponseDTO {
+    /**
+     * Array of audit records
+     */
+    data: IAuthAudit[];
+    /**
+     * Total number of records matching the query
+     */
+    total: number;
+    /**
+     * Current page number
+     */
+    page: number;
+    /**
+     * Number of records per page
+     */
+    limit: number;
+    /**
+     * Total number of pages
+     */
+    totalPages: number;
+}
+//# sourceMappingURL=admin-get-user-auth-history.dto.d.ts.map

package/dist/dto/admin-get-user-auth-history.dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-get-user-auth-history.dto.d.ts","sourceRoot":"","sources":["../../src/dto/admin-get-user-auth-history.dto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,kCAAkC,CAAC;AAG9D,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAC;AAEpE;;;;;;;;;;;;;;;GAeG;AACH,qBAAa,0BAA2B,SAAQ,qBAAqB;IACnE;;;;;;;;;;;;;;OAcG;IAQH,GAAG,EAAG,MAAM,CAAC;CACd;AAED;;GAEG;AACH,qBAAa,6BAA6B;IACxC;;OAEG;IACH,IAAI,EAAG,UAAU,EAAE,CAAC;IAEpB;;OAEG;IACH,KAAK,EAAG,MAAM,CAAC;IAEf;;OAEG;IACH,IAAI,EAAG,MAAM,CAAC;IAEd;;OAEG;IACH,KAAK,EAAG,MAAM,CAAC;IAEf;;OAEG;IACH,UAAU,EAAG,MAAM,CAAC;CACrB"}

package/dist/dto/admin-get-user-auth-history.dto.js

@@ -0,0 +1,87 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GetUserAuthHistoryResponseDTO = exports.AdminGetUserAuthHistoryDTO = void 0;
+const class_validator_1 = require("class-validator");
+const class_transformer_1 = require("class-transformer");
+const get_user_auth_history_dto_1 = require("./get-user-auth-history.dto");
+/**
+ * Request DTO for getting user authentication history (admin-only)
+ *
+ * Admin DTO - requires sub field. Used by AdminAuthService.
+ *
+ * @example
+ * ```typescript
+ * const result = await auditService.getUserAuthHistory({
+ *   sub: 'user-uuid',
+ *   page: 1,
+ *   limit: 50,
+ *   eventTypes: [AuthAuditEventType.LOGIN_SUCCESS],
+ *   startDate: new Date('2025-01-01'),
+ * });
+ * ```
+ */
+class AdminGetUserAuthHistoryDTO extends get_user_auth_history_dto_1.GetUserAuthHistoryDTO {
+    /**
+     * User's unique identifier (UUID v4)
+     *
+     * Validation:
+     * - Must be a valid UUID v4 format
+     * - Matches DB constraint: char(36) or uuid
+     *
+     * Sanitization:
+     * - Trimmed
+     * - Lowercased for consistency
+     *
+     * Required for admin operations.
+     *
+     * @example "a21b654c-2746-4168-acee-c175083a65cd"
+     */
+    sub;
+}
+exports.AdminGetUserAuthHistoryDTO = AdminGetUserAuthHistoryDTO;
+__decorate([
+    (0, class_validator_1.IsUUID)('4', { message: 'User sub must be a valid UUID v4 format' }),
+    (0, class_transformer_1.Transform)(({ value }) => {
+        if (typeof value === 'string') {
+            return value.trim().toLowerCase();
+        }
+        return value;
+    }),
+    __metadata("design:type", String)
+], AdminGetUserAuthHistoryDTO.prototype, "sub", void 0);
+/**
+ * Response DTO for paginated user authentication history
+ */
+class GetUserAuthHistoryResponseDTO {
+    /**
+     * Array of audit records
+     */
+    data;
+    /**
+     * Total number of records matching the query
+     */
+    total;
+    /**
+     * Current page number
+     */
+    page;
+    /**
+     * Number of records per page
+     */
+    limit;
+    /**
+     * Total number of pages
+     */
+    totalPages;
+}
+exports.GetUserAuthHistoryResponseDTO = GetUserAuthHistoryResponseDTO;
+//# sourceMappingURL=admin-get-user-auth-history.dto.js.map

package/dist/dto/admin-get-user-auth-history.dto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-get-user-auth-history.dto.js","sourceRoot":"","sources":["../../src/dto/admin-get-user-auth-history.dto.ts"],"names":[],"mappings":";;;;;;;;;;;;AACA,qDAAyC;AACzC,yDAA8C;AAC9C,2EAAoE;AAEpE;;;;;;;;;;;;;;;GAeG;AACH,MAAa,0BAA2B,SAAQ,iDAAqB;IACnE;;;;;;;;;;;;;;OAcG;IAQH,GAAG,CAAU;CACd;AAxBD,gEAwBC;AADC;IAPC,IAAA,wBAAM,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,yCAAyC,EAAE,CAAC;IACnE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACpC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;uDACW;AAGf;;GAEG;AACH,MAAa,6BAA6B;IACxC;;OAEG;IACH,IAAI,CAAgB;IAEpB;;OAEG;IACH,KAAK,CAAU;IAEf;;OAEG;IACH,IAAI,CAAU;IAEd;;OAEG;IACH,KAAK,CAAU;IAEf;;OAEG;IACH,UAAU,CAAU;CACrB;AAzBD,sEAyBC"}

package/dist/dto/admin-logout-all.dto.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Admin Logout All DTO
+ *
+ * Request DTO for logging out a target user from all sessions (admin-initiated).
+ *
+ * Security:
+ * - Requires target user sub (UUID)
+ * - Prevents unauthorized logout attempts
+ *
+ * @example
+ * ```typescript
+ * const result = await adminAuthService.logoutAll({
+ *   sub: 'user-uuid',
+ *   forgetDevices: true,
+ * });
+ * ```
+ */
+/**
+ * Request DTO for admin logout all sessions
+ */
+export declare class AdminLogoutAllDTO {
+    /**
+     * User's unique identifier (UUID v4)
+     *
+     * Validation:
+     * - Must be a valid UUID v4 format
+     * - Matches DB constraint: char(36) or uuid
+     *
+     * Sanitization:
+     * - Trimmed
+     * - Lowercased for consistency
+     *
+     * @example "a21b654c-2746-4168-acee-c175083a65cd"
+     */
+    sub: string;
+    /**
+     * Whether to also forget/revoke all trusted devices
+     *
+     * If true, all trusted devices for this user will be revoked,
+     * requiring MFA on next login from any device.
+     *
+     * Default: false (devices remain trusted)
+     *
+     * @example false
+     */
+    forgetDevices?: boolean;
+}
+//# sourceMappingURL=admin-logout-all.dto.d.ts.map

package/dist/dto/admin-logout-all.dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-logout-all.dto.d.ts","sourceRoot":"","sources":["../../src/dto/admin-logout-all.dto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAKH;;GAEG;AACH,qBAAa,iBAAiB;IAC5B;;;;;;;;;;;;OAYG;IAQH,GAAG,EAAG,MAAM,CAAC;IAEb;;;;;;;;;OASG;IAQH,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB"}

package/dist/dto/admin-logout-all.dto.js

@@ -0,0 +1,85 @@
+"use strict";
+/**
+ * Admin Logout All DTO
+ *
+ * Request DTO for logging out a target user from all sessions (admin-initiated).
+ *
+ * Security:
+ * - Requires target user sub (UUID)
+ * - Prevents unauthorized logout attempts
+ *
+ * @example
+ * ```typescript
+ * const result = await adminAuthService.logoutAll({
+ *   sub: 'user-uuid',
+ *   forgetDevices: true,
+ * });
+ * ```
+ */
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AdminLogoutAllDTO = void 0;
+const class_validator_1 = require("class-validator");
+const class_transformer_1 = require("class-transformer");
+/**
+ * Request DTO for admin logout all sessions
+ */
+class AdminLogoutAllDTO {
+    /**
+     * User's unique identifier (UUID v4)
+     *
+     * Validation:
+     * - Must be a valid UUID v4 format
+     * - Matches DB constraint: char(36) or uuid
+     *
+     * Sanitization:
+     * - Trimmed
+     * - Lowercased for consistency
+     *
+     * @example "a21b654c-2746-4168-acee-c175083a65cd"
+     */
+    sub;
+    /**
+     * Whether to also forget/revoke all trusted devices
+     *
+     * If true, all trusted devices for this user will be revoked,
+     * requiring MFA on next login from any device.
+     *
+     * Default: false (devices remain trusted)
+     *
+     * @example false
+     */
+    forgetDevices;
+}
+exports.AdminLogoutAllDTO = AdminLogoutAllDTO;
+__decorate([
+    (0, class_validator_1.IsUUID)('4', { message: 'User sub must be a valid UUID v4 format' }),
+    (0, class_transformer_1.Transform)(({ value }) => {
+        if (typeof value === 'string') {
+            return value.trim().toLowerCase();
+        }
+        return value;
+    }),
+    __metadata("design:type", String)
+], AdminLogoutAllDTO.prototype, "sub", void 0);
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsBoolean)(),
+    (0, class_transformer_1.Transform)(({ value }) => {
+        if (value === 'true' || value === '1')
+            return true;
+        if (value === 'false' || value === '0')
+            return false;
+        return value;
+    }),
+    __metadata("design:type", Boolean)
+], AdminLogoutAllDTO.prototype, "forgetDevices", void 0);
+//# sourceMappingURL=admin-logout-all.dto.js.map

package/dist/dto/admin-logout-all.dto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-logout-all.dto.js","sourceRoot":"","sources":["../../src/dto/admin-logout-all.dto.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;GAgBG;;;;;;;;;;;;AAEH,qDAAgE;AAChE,yDAA8C;AAE9C;;GAEG;AACH,MAAa,iBAAiB;IAC5B;;;;;;;;;;;;OAYG;IAQH,GAAG,CAAU;IAEb;;;;;;;;;OASG;IAQH,aAAa,CAAW;CACzB;AAzCD,8CAyCC;AApBC;IAPC,IAAA,wBAAM,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,yCAAyC,EAAE,CAAC;IACnE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACpC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;8CACW;AAmBb;IAPC,IAAA,4BAAU,GAAE;IACZ,IAAA,2BAAS,GAAE;IACX,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,GAAG;YAAE,OAAO,IAAI,CAAC;QACnD,IAAI,KAAK,KAAK,OAAO,IAAI,KAAK,KAAK,GAAG;YAAE,OAAO,KAAK,CAAC;QACrD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;wDACsB"}

package/dist/dto/admin-remove-devices.dto.d.ts

@@ -0,0 +1,25 @@
+import { RemoveDevicesDTO, RemoveDevicesResponseDTO } from './remove-devices.dto';
+/**
+ * Admin DTO for removing MFA devices for a specific user
+ *
+ * Admin APIs must explicitly target a user via `sub`.
+ * This DTO mirrors {@link RemoveDevicesDTO} but adds `sub`.
+ *
+ * @example
+ * ```typescript
+ * const result = await mfaService.adminRemoveDevices({
+ *   sub: 'a21b654c-2746-4168-acee-c175083a65cd',
+ *   methodType: 'totp',
+ * });
+ * ```
+ */
+export declare class AdminRemoveDevicesDTO extends RemoveDevicesDTO {
+    /**
+     * Target user's unique identifier (UUID v4)
+     *
+     * @example "a21b654c-2746-4168-acee-c175083a65cd"
+     */
+    sub: string;
+}
+export { RemoveDevicesResponseDTO };
+//# sourceMappingURL=admin-remove-devices.dto.d.ts.map

package/dist/dto/admin-remove-devices.dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-remove-devices.dto.d.ts","sourceRoot":"","sources":["../../src/dto/admin-remove-devices.dto.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,gBAAgB,EAAE,wBAAwB,EAAE,MAAM,sBAAsB,CAAC;AAElF;;;;;;;;;;;;;GAaG;AACH,qBAAa,qBAAsB,SAAQ,gBAAgB;IACzD;;;;OAIG;IAQH,GAAG,EAAG,MAAM,CAAC;CACd;AAED,OAAO,EAAE,wBAAwB,EAAE,CAAC"}

package/dist/dto/admin-remove-devices.dto.js

@@ -0,0 +1,50 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RemoveDevicesResponseDTO = exports.AdminRemoveDevicesDTO = void 0;
+const class_validator_1 = require("class-validator");
+const class_transformer_1 = require("class-transformer");
+const remove_devices_dto_1 = require("./remove-devices.dto");
+Object.defineProperty(exports, "RemoveDevicesResponseDTO", { enumerable: true, get: function () { return remove_devices_dto_1.RemoveDevicesResponseDTO; } });
+/**
+ * Admin DTO for removing MFA devices for a specific user
+ *
+ * Admin APIs must explicitly target a user via `sub`.
+ * This DTO mirrors {@link RemoveDevicesDTO} but adds `sub`.
+ *
+ * @example
+ * ```typescript
+ * const result = await mfaService.adminRemoveDevices({
+ *   sub: 'a21b654c-2746-4168-acee-c175083a65cd',
+ *   methodType: 'totp',
+ * });
+ * ```
+ */
+class AdminRemoveDevicesDTO extends remove_devices_dto_1.RemoveDevicesDTO {
+    /**
+     * Target user's unique identifier (UUID v4)
+     *
+     * @example "a21b654c-2746-4168-acee-c175083a65cd"
+     */
+    sub;
+}
+exports.AdminRemoveDevicesDTO = AdminRemoveDevicesDTO;
+__decorate([
+    (0, class_validator_1.IsUUID)('4', { message: 'User sub must be a valid UUID v4 format' }),
+    (0, class_transformer_1.Transform)(({ value }) => {
+        if (typeof value === 'string') {
+            return value.trim().toLowerCase();
+        }
+        return value;
+    }),
+    __metadata("design:type", String)
+], AdminRemoveDevicesDTO.prototype, "sub", void 0);
+//# sourceMappingURL=admin-remove-devices.dto.js.map

package/dist/dto/admin-remove-devices.dto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-remove-devices.dto.js","sourceRoot":"","sources":["../../src/dto/admin-remove-devices.dto.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,qDAAyC;AACzC,yDAA8C;AAC9C,6DAAkF;AAgCzE,yGAhCkB,6CAAwB,OAgClB;AA9BjC;;;;;;;;;;;;;GAaG;AACH,MAAa,qBAAsB,SAAQ,qCAAgB;IACzD;;;;OAIG;IAQH,GAAG,CAAU;CACd;AAdD,sDAcC;AADC;IAPC,IAAA,wBAAM,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,yCAAyC,EAAE,CAAC;IACnE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACpC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;;kDACW"}

package/dist/dto/admin-reset-password.dto.d.ts

@@ -2,11 +2,11 @@
  * Admin Reset Password Request DTO
  *
  * Request DTO for admin-initiated password reset workflow.
- * Allows resetting a user's password by identifier (email, username, phone, or sub).
+ * Allows resetting a user's password by sub (UUID).
  *
  * Security:
  * - Admin-only operation (should be protected by admin guard)
- * - User identifier validated
+ * - User sub validated
  * - Code + optional link delivery (like email verification)
  * - Configurable expiry (default: 1 hour)
  * - Optional immediate session revocation
@@ -16,7 +16,7 @@
  * ```typescript
  * // With link for consumer app custom UI
  * await authService.adminResetPassword({
- *   identifier: 'user@example.com',
+ *   sub: 'a21b654c-2746-4168-acee-c175083a65cd',
  *   baseUrl: 'https://myapp.com/reset-password',
  *   deliveryMethod: 'email',
  *   revokeSessions: true
@@ -24,7 +24,7 @@
  *
  * // Code only (no link)
  * await authService.adminResetPassword({
- *   identifier: 'user@example.com',
+ *   sub: 'a21b654c-2746-4168-acee-c175083a65cd',
  *   deliveryMethod: 'email'
  * });
  * ```
@@ -34,20 +34,18 @@
  */
 export declare class AdminResetPasswordDTO {
     /**
-     * User identifier (email, username, phone, or sub/UUID)
+     * User sub (UUID)
      *
      * Validation:
-     * - Must be a string
-     * - Min 1 character
-     * - Max 255 characters
+     * - Must be a valid UUID v4
      *
      * Sanitization:
      * - Trimmed
-     * - Lowercased if email format detected
+     * - Lowercased for consistency
      *
-     * @example "user@example.com" | "johndoe" | "+1234567890" | "uuid"
+     * @example "a21b654c-2746-4168-acee-c175083a65cd"
      */
-    identifier: string;
+    sub: string;
     /**
      * Delivery method for reset code
      *
@@ -181,7 +179,7 @@ export declare class AdminResetPasswordResponseDTO {
  * @example
  * ```typescript
  * await authService.confirmAdminResetPassword({
- *   identifier: 'user@example.com',
+ *   sub: 'a21b654c-2746-4168-acee-c175083a65cd',
  *   code: '123456',
  *   newPassword: 'NewSecurePass123!'
  * });
@@ -189,20 +187,18 @@ export declare class AdminResetPasswordResponseDTO {
  */
 export declare class ConfirmAdminResetPasswordDTO {
     /**
-     * User identifier (email, username, phone, or sub/UUID)
+     * User sub (UUID)
      *
      * Validation:
-     * - Must be a string
-     * - Min 1 character
-     * - Max 255 characters
+     * - Must be a valid UUID v4
      *
      * Sanitization:
      * - Trimmed
-     * - Lowercased if email format detected
+     * - Lowercased for consistency
      *
-     * @example "user@example.com"
+     * @example "a21b654c-2746-4168-acee-c175083a65cd"
      */
-    identifier: string;
+    sub: string;
     /**
      * Verification code from email/SMS (6-10 digits)
      *

package/dist/dto/admin-reset-password.dto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"admin-reset-password.dto.d.ts","sourceRoot":"","sources":["../../src/dto/admin-reset-password.dto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAkBH;;GAEG;AACH,qBAAa,qBAAqB;IAChC;;;;;;;;;;;;;OAaG;IAgBH,UAAU,EAAG,MAAM,CAAC;IAEpB;;;;;;;;;OASG;IAGH,cAAc,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC;IAEjC;;;;;;;;;;;;;;;;;OAiBG;IAaH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;;;;;;;;;;OAWG;IAKH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;;;;;;;;;;OAYG;IAGH,cAAc,CAAC,EAAE,OAAO,CAAC;IAEzB;;;;;;;;;;;;OAYG;IAUH,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;;;GAeG;AACH,qBAAa,6BAA6B;IACxC;;;OAGG;IACH,OAAO,EAAG,OAAO,CAAC;IAElB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;OAGG;IACH,cAAc,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC;IAEjC;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,qBAAa,4BAA4B;IACvC;;;;;;;;;;;;;OAaG;IAgBH,UAAU,EAAG,MAAM,CAAC;IAEpB;;;;;;;;;;;;;;OAcG;IAUH,IAAI,EAAG,MAAM,CAAC;IAEd;;;;;;;;;;;;;;OAcG;IAKH,WAAW,EAAG,MAAM,CAAC;CACtB;AAED;;;;;;;;;;;GAWG;AACH,qBAAa,oCAAoC;IAC/C;;;OAGG;IACH,OAAO,EAAG,OAAO,CAAC;CACnB"}
+{"version":3,"file":"admin-reset-password.dto.d.ts","sourceRoot":"","sources":["../../src/dto/admin-reset-password.dto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAmBH;;GAEG;AACH,qBAAa,qBAAqB;IAChC;;;;;;;;;;;OAWG;IAQH,GAAG,EAAG,MAAM,CAAC;IAEb;;;;;;;;;OASG;IAGH,cAAc,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC;IAEjC;;;;;;;;;;;;;;;;;OAiBG;IAaH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;;;;;;;;;;OAWG;IAKH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;;;;;;;;;;OAYG;IAGH,cAAc,CAAC,EAAE,OAAO,CAAC;IAEzB;;;;;;;;;;;;OAYG;IAUH,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;;;GAeG;AACH,qBAAa,6BAA6B;IACxC;;;OAGG;IACH,OAAO,EAAG,OAAO,CAAC;IAElB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;OAGG;IACH,cAAc,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC;IAEjC;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,qBAAa,4BAA4B;IACvC;;;;;;;;;;;OAWG;IAQH,GAAG,EAAG,MAAM,CAAC;IAEb;;;;;;;;;;;;;;OAcG;IAUH,IAAI,EAAG,MAAM,CAAC;IAEd;;;;;;;;;;;;;;OAcG;IAKH,WAAW,EAAG,MAAM,CAAC;CACtB;AAED;;;;;;;;;;;GAWG;AACH,qBAAa,oCAAoC;IAC/C;;;OAGG;IACH,OAAO,EAAG,OAAO,CAAC;CACnB"}