@nauth-toolkit/core 0.2.7 → 0.3.1

Files changed (104)
  1. package/dist/bootstrap.d.ts +3 -0
  2. package/dist/bootstrap.d.ts.map +1 -1
  3. package/dist/bootstrap.js +63 -0
  4. package/dist/bootstrap.js.map +1 -1
  5. package/dist/dto/admin-api-key.dto.d.ts +69 -0
  6. package/dist/dto/admin-api-key.dto.d.ts.map +1 -0
  7. package/dist/dto/admin-api-key.dto.js +144 -0
  8. package/dist/dto/admin-api-key.dto.js.map +1 -0
  9. package/dist/dto/admin-signup-social.dto.d.ts +1 -1
  10. package/dist/dto/admin-signup-social.dto.js +1 -1
  11. package/dist/dto/admin-signup.dto.d.ts +1 -1
  12. package/dist/dto/admin-signup.dto.js +1 -1
  13. package/dist/dto/api-key.dto.d.ts +132 -0
  14. package/dist/dto/api-key.dto.d.ts.map +1 -0
  15. package/dist/dto/api-key.dto.js +198 -0
  16. package/dist/dto/api-key.dto.js.map +1 -0
  17. package/dist/dto/change-password.dto.d.ts +2 -2
  18. package/dist/dto/change-password.dto.js +2 -2
  19. package/dist/dto/index.d.ts +2 -0
  20. package/dist/dto/index.d.ts.map +1 -1
  21. package/dist/dto/index.js +3 -0
  22. package/dist/dto/index.js.map +1 -1
  23. package/dist/dto/reset-password.dto.d.ts +1 -1
  24. package/dist/dto/reset-password.dto.js +1 -1
  25. package/dist/dto/respond-challenge.dto.d.ts +1 -1
  26. package/dist/dto/respond-challenge.dto.js +1 -1
  27. package/dist/dto/signup.dto.d.ts +1 -1
  28. package/dist/dto/signup.dto.js +1 -1
  29. package/dist/entities/api-key.entity.d.ts +135 -0
  30. package/dist/entities/api-key.entity.d.ts.map +1 -0
  31. package/dist/entities/api-key.entity.js +149 -0
  32. package/dist/entities/api-key.entity.js.map +1 -0
  33. package/dist/entities/index.d.ts +1 -0
  34. package/dist/entities/index.d.ts.map +1 -1
  35. package/dist/entities/index.js +3 -1
  36. package/dist/entities/index.js.map +1 -1
  37. package/dist/enums/auth-audit-event-type.enum.d.ts +25 -1
  38. package/dist/enums/auth-audit-event-type.enum.d.ts.map +1 -1
  39. package/dist/enums/auth-audit-event-type.enum.js +27 -0
  40. package/dist/enums/auth-audit-event-type.enum.js.map +1 -1
  41. package/dist/enums/error-codes.enum.d.ts +56 -1
  42. package/dist/enums/error-codes.enum.d.ts.map +1 -1
  43. package/dist/enums/error-codes.enum.js +58 -0
  44. package/dist/enums/error-codes.enum.js.map +1 -1
  45. package/dist/exceptions/nauth.exception.d.ts.map +1 -1
  46. package/dist/exceptions/nauth.exception.js +13 -0
  47. package/dist/exceptions/nauth.exception.js.map +1 -1
  48. package/dist/handlers/api-key.handler.d.ts +45 -0
  49. package/dist/handlers/api-key.handler.d.ts.map +1 -0
  50. package/dist/handlers/api-key.handler.js +99 -0
  51. package/dist/handlers/api-key.handler.js.map +1 -0
  52. package/dist/handlers/auth.handler.d.ts.map +1 -1
  53. package/dist/handlers/auth.handler.js +6 -0
  54. package/dist/handlers/auth.handler.js.map +1 -1
  55. package/dist/index.d.ts +7 -0
  56. package/dist/index.d.ts.map +1 -1
  57. package/dist/index.js +8 -1
  58. package/dist/index.js.map +1 -1
  59. package/dist/interfaces/config.interface.d.ts +162 -0
  60. package/dist/interfaces/config.interface.d.ts.map +1 -1
  61. package/dist/internal.d.ts +7 -0
  62. package/dist/internal.d.ts.map +1 -1
  63. package/dist/internal.js +8 -1
  64. package/dist/internal.js.map +1 -1
  65. package/dist/openapi/components.schemas.json +284 -7
  66. package/dist/platform/interfaces.d.ts +8 -0
  67. package/dist/platform/interfaces.d.ts.map +1 -1
  68. package/dist/schemas/auth-config.schema.d.ts +211 -0
  69. package/dist/schemas/auth-config.schema.d.ts.map +1 -1
  70. package/dist/schemas/auth-config.schema.js +33 -1
  71. package/dist/schemas/auth-config.schema.js.map +1 -1
  72. package/dist/services/admin-auth.service.d.ts +59 -1
  73. package/dist/services/admin-auth.service.d.ts.map +1 -1
  74. package/dist/services/admin-auth.service.js +99 -1
  75. package/dist/services/admin-auth.service.js.map +1 -1
  76. package/dist/services/api-key.service.d.ts +152 -0
  77. package/dist/services/api-key.service.d.ts.map +1 -0
  78. package/dist/services/api-key.service.js +378 -0
  79. package/dist/services/api-key.service.js.map +1 -0
  80. package/dist/services/telemetry.service.d.ts +154 -0
  81. package/dist/services/telemetry.service.d.ts.map +1 -0
  82. package/dist/services/telemetry.service.js +345 -0
  83. package/dist/services/telemetry.service.js.map +1 -0
  84. package/dist/utils/get-package-version.d.ts +15 -0
  85. package/dist/utils/get-package-version.d.ts.map +1 -0
  86. package/dist/utils/get-package-version.js +84 -0
  87. package/dist/utils/get-package-version.js.map +1 -0
  88. package/dist/utils/index.d.ts +1 -0
  89. package/dist/utils/index.d.ts.map +1 -1
  90. package/dist/utils/index.js +1 -0
  91. package/dist/utils/index.js.map +1 -1
  92. package/dist/utils/ip-match.d.ts +44 -0
  93. package/dist/utils/ip-match.d.ts.map +1 -0
  94. package/dist/utils/ip-match.js +135 -0
  95. package/dist/utils/ip-match.js.map +1 -0
  96. package/dist/utils/setup/get-repositories.d.ts +2 -1
  97. package/dist/utils/setup/get-repositories.d.ts.map +1 -1
  98. package/dist/utils/setup/get-repositories.js +2 -0
  99. package/dist/utils/setup/get-repositories.js.map +1 -1
  100. package/dist/utils/setup/init-services.d.ts +4 -2
  101. package/dist/utils/setup/init-services.d.ts.map +1 -1
  102. package/dist/utils/setup/init-services.js +8 -1
  103. package/dist/utils/setup/init-services.js.map +1 -1
  104. package/package.json +2 -2
@@ -0,0 +1,198 @@
1
+ "use strict";
2
+ var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
3
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
4
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
5
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
6
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
7
+ };
8
+ var __metadata = (this && this.__metadata) || function (k, v) {
9
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
10
+ };
11
+ Object.defineProperty(exports, "__esModule", { value: true });
12
+ exports.CreateApiKeyResponseDTO = exports.ApiKeyResponseDTO = exports.DeleteApiKeyDTO = exports.RevokeApiKeyDTO = exports.UpdateApiKeyDTO = exports.CreateApiKeyDTO = void 0;
13
+ const class_validator_1 = require("class-validator");
14
+ const class_transformer_1 = require("class-transformer");
15
+ /**
16
+ * DTO for creating an API key (user self-service)
17
+ *
18
+ * Security:
19
+ * - Expiry is explicit and mandatory (enforced in the service layer):
20
+ * provide a positive number of days, or `null` for a never-expiring key
21
+ * (only allowed when `apiKeys.allowIndefinite` is true).
22
+ * - Optional per-key IP allowlist restricts which source IPs may use the key.
23
+ *
24
+ * Note: The owning user is derived from the authenticated request, never from the body.
25
+ */
26
+ class CreateApiKeyDTO {
27
+ /**
28
+ * User-friendly label for the key (optional)
29
+ *
30
+ * Validation:
31
+ * - Max 255 characters
32
+ *
33
+ * Sanitization:
34
+ * - Trimmed
35
+ */
36
+ name;
37
+ /**
38
+ * Key expiry in days, or `null` for a key that never expires
39
+ *
40
+ * This field is mandatory at creation. The service rejects the request when it
41
+ * is omitted (`API_KEY_EXPIRY_REQUIRED`), when `null` is used but indefinite keys
42
+ * are disallowed (`API_KEY_INDEFINITE_NOT_ALLOWED`), or when it exceeds the
43
+ * configured maximum (`API_KEY_EXPIRY_TOO_LONG`).
44
+ *
45
+ * Validation:
46
+ * - When provided and not null: positive integer
47
+ */
48
+ expiresInDays;
49
+ /**
50
+ * Allowed source IPs / CIDR ranges for this key (optional)
51
+ *
52
+ * When omitted or empty, the key may be used from any IP. Each entry must be a
53
+ * valid IPv4/IPv6 address or CIDR range (validated in the service layer).
54
+ *
55
+ * Validation:
56
+ * - Array of strings, max 100 entries at the DTO layer (per-key cap enforced by config)
57
+ */
58
+ allowedIps;
59
+ }
60
+ exports.CreateApiKeyDTO = CreateApiKeyDTO;
61
+ __decorate([
62
+ (0, class_validator_1.IsOptional)(),
63
+ (0, class_validator_1.IsString)({ message: 'Name must be a string' }),
64
+ (0, class_validator_1.MaxLength)(255, { message: 'Name must not exceed 255 characters' }),
65
+ (0, class_transformer_1.Transform)(({ value }) => (typeof value === 'string' ? value.trim() : value)),
66
+ __metadata("design:type", String)
67
+ ], CreateApiKeyDTO.prototype, "name", void 0);
68
+ __decorate([
69
+ (0, class_validator_1.ValidateIf)((o) => o.expiresInDays !== undefined && o.expiresInDays !== null),
70
+ (0, class_validator_1.IsInt)({ message: 'expiresInDays must be an integer number of days or null' }),
71
+ (0, class_validator_1.Min)(1, { message: 'expiresInDays must be at least 1' }),
72
+ __metadata("design:type", Object)
73
+ ], CreateApiKeyDTO.prototype, "expiresInDays", void 0);
74
+ __decorate([
75
+ (0, class_validator_1.IsOptional)(),
76
+ (0, class_validator_1.IsArray)({ message: 'allowedIps must be an array of IP addresses or CIDR ranges' }),
77
+ (0, class_validator_1.ArrayMaxSize)(100, { message: 'allowedIps has too many entries' }),
78
+ (0, class_validator_1.IsString)({ each: true, message: 'Each allowedIps entry must be a string' }),
79
+ __metadata("design:type", Array)
80
+ ], CreateApiKeyDTO.prototype, "allowedIps", void 0);
81
+ /**
82
+ * DTO for updating an API key (user self-service)
83
+ *
84
+ * Only the label and IP allowlist are mutable. The secret and expiry are immutable —
85
+ * to rotate or extend a key, delete it and create a new one.
86
+ */
87
+ class UpdateApiKeyDTO {
88
+ /**
89
+ * External key identifier (UUID v4)
90
+ */
91
+ keyId;
92
+ /**
93
+ * New label for the key (optional)
94
+ */
95
+ name;
96
+ /**
97
+ * Replacement IP allowlist (optional)
98
+ *
99
+ * Pass an empty array to clear restrictions (open to any IP).
100
+ */
101
+ allowedIps;
102
+ }
103
+ exports.UpdateApiKeyDTO = UpdateApiKeyDTO;
104
+ __decorate([
105
+ (0, class_validator_1.IsUUID)('4', { message: 'keyId must be a valid UUID v4' }),
106
+ __metadata("design:type", String)
107
+ ], UpdateApiKeyDTO.prototype, "keyId", void 0);
108
+ __decorate([
109
+ (0, class_validator_1.IsOptional)(),
110
+ (0, class_validator_1.IsString)({ message: 'Name must be a string' }),
111
+ (0, class_validator_1.MaxLength)(255, { message: 'Name must not exceed 255 characters' }),
112
+ (0, class_transformer_1.Transform)(({ value }) => (typeof value === 'string' ? value.trim() : value)),
113
+ __metadata("design:type", String)
114
+ ], UpdateApiKeyDTO.prototype, "name", void 0);
115
+ __decorate([
116
+ (0, class_validator_1.IsOptional)(),
117
+ (0, class_validator_1.IsArray)({ message: 'allowedIps must be an array of IP addresses or CIDR ranges' }),
118
+ (0, class_validator_1.ArrayMaxSize)(100, { message: 'allowedIps has too many entries' }),
119
+ (0, class_validator_1.IsString)({ each: true, message: 'Each allowedIps entry must be a string' }),
120
+ __metadata("design:type", Array)
121
+ ], UpdateApiKeyDTO.prototype, "allowedIps", void 0);
122
+ /**
123
+ * DTO for revoking an API key (soft delete)
124
+ */
125
+ class RevokeApiKeyDTO {
126
+ /**
127
+ * External key identifier (UUID v4)
128
+ */
129
+ keyId;
130
+ }
131
+ exports.RevokeApiKeyDTO = RevokeApiKeyDTO;
132
+ __decorate([
133
+ (0, class_validator_1.IsUUID)('4', { message: 'keyId must be a valid UUID v4' }),
134
+ __metadata("design:type", String)
135
+ ], RevokeApiKeyDTO.prototype, "keyId", void 0);
136
+ /**
137
+ * DTO for permanently deleting an API key
138
+ */
139
+ class DeleteApiKeyDTO {
140
+ /**
141
+ * External key identifier (UUID v4)
142
+ */
143
+ keyId;
144
+ }
145
+ exports.DeleteApiKeyDTO = DeleteApiKeyDTO;
146
+ __decorate([
147
+ (0, class_validator_1.IsUUID)('4', { message: 'keyId must be a valid UUID v4' }),
148
+ __metadata("design:type", String)
149
+ ], DeleteApiKeyDTO.prototype, "keyId", void 0);
150
+ /**
151
+ * Sanitized API key response
152
+ *
153
+ * Never includes the plaintext key or its hash. Returned by list and update operations.
154
+ */
155
+ class ApiKeyResponseDTO {
156
+ /** External key identifier (UUID v4) */
157
+ keyId;
158
+ /** User-friendly label */
159
+ name;
160
+ /** Last few characters of the key (display hint) */
161
+ lastFour;
162
+ /** Allowed source IPs / CIDR ranges (empty/null = any IP) */
163
+ allowedIps;
164
+ /** Expiry timestamp, or null if the key never expires */
165
+ expiresAt;
166
+ /** Whether the key is active */
167
+ isActive;
168
+ /** Whether the key was created by an administrator */
169
+ createdByAdmin;
170
+ /** Last successful use timestamp, or null if never used */
171
+ lastUsedAt;
172
+ /** IP of the last successful use (only when usage IP tracking is enabled) */
173
+ lastUsedIp;
174
+ /** Total number of successful authentications with this key */
175
+ usageCount;
176
+ /** Creation timestamp */
177
+ createdAt;
178
+ }
179
+ exports.ApiKeyResponseDTO = ApiKeyResponseDTO;
180
+ /**
181
+ * Response returned once when a key is created
182
+ *
183
+ * The plaintext `key` is shown only here and never again — the caller must store it securely.
184
+ */
185
+ class CreateApiKeyResponseDTO {
186
+ /**
187
+ * The full plaintext API key (shown once)
188
+ *
189
+ * Security: Never stored in plaintext. Deliver securely to the consumer.
190
+ */
191
+ key;
192
+ /**
193
+ * Sanitized metadata for the created key
194
+ */
195
+ apiKey;
196
+ }
197
+ exports.CreateApiKeyResponseDTO = CreateApiKeyResponseDTO;
198
+ //# sourceMappingURL=api-key.dto.js.map
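Review bot: `allowedIps` is capped at 100 entries in both `CreateApiKeyDTO` and `UpdateApiKeyDTO`, but nothing bounds the length of each string, so arbitrarily long entries pass this layer and reach the service's IP/CIDR parsing. This is compiled output, so the change belongs in `src/dto/api-key.dto.ts`: add a per-entry bound such as `@MaxLength(64, { each: true, message: 'Each allowedIps entry is too long' })` (64 is an illustrative value, comfortably above the longest textual IPv6 CIDR) and `@ArrayUnique()`. Separately, `@IsOptional()` skips validation for `null` as well as `undefined`, and the `UpdateApiKeyDTO` comment says an empty array opens the key to any IP. The doc comment on `UpdateApiKeyDTO.allowedIps` should therefore state whether `null` leaves the allowlist unchanged or clears it, since clearing is a fail-open change. The same applies to `expiresInDays`: the DTO sets no upper bound, so the configured maximum in the service (not visible here) is the only limit on very large integers.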
@@ -0,0 +1 @@
1
+ {"version":3,"file":"api-key.dto.js","sourceRoot":"","sources":["../../src/dto/api-key.dto.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,qDAUyB;AACzB,yDAA8C;AAE9C;;;;;;;;;;GAUG;AACH,MAAa,eAAe;IAC1B;;;;;;;;OAQG;IAKH,IAAI,CAAU;IAEd;;;;;;;;;;OAUG;IAIH,aAAa,CAAiB;IAE9B;;;;;;;;OAQG;IAKH,UAAU,CAAY;CACvB;AA9CD,0CA8CC;AAhCC;IAJC,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,uBAAuB,EAAE,CAAC;IAC9C,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,qCAAqC,EAAE,CAAC;IAClE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;;6CAC/D;AAgBd;IAHC,IAAA,4BAAU,EAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,KAAK,SAAS,IAAI,CAAC,CAAC,aAAa,KAAK,IAAI,CAAC;IAC5E,IAAA,uBAAK,EAAC,EAAE,OAAO,EAAE,yDAAyD,EAAE,CAAC;IAC7E,IAAA,qBAAG,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,kCAAkC,EAAE,CAAC;;sDAC1B;AAe9B;IAJC,IAAA,4BAAU,GAAE;IACZ,IAAA,yBAAO,EAAC,EAAE,OAAO,EAAE,4DAA4D,EAAE,CAAC;IAClF,IAAA,8BAAY,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,iCAAiC,EAAE,CAAC;IACjE,IAAA,0BAAQ,EAAC,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,wCAAwC,EAAE,CAAC;;mDACtD;AAGxB;;;;;GAKG;AACH,MAAa,eAAe;IAC1B;;OAEG;IAEH,KAAK,CAAU;IAEf;;OAEG;IAKH,IAAI,CAAU;IAEd;;;;OAIG;IAKH,UAAU,CAAY;CACvB;AA1BD,0CA0BC;AArBC;IADC,IAAA,wBAAM,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC;;8CAC3C;AASf;IAJC,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,uBAAuB,EAAE,CAAC;IAC9C,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,qCAAqC,EAAE,CAAC;IAClE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;;6CAC/D;AAWd;IAJC,IAAA,4BAAU,GAAE;IACZ,IAAA,yBAAO,EAAC,EAAE,OAAO,EAAE,4DAA4D,EAAE,CAAC;IAClF,IAAA,8BAAY,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,iCAAiC,EAAE,CAAC;IACjE,IAAA,0BAAQ,EAAC,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,wCAAwC,EAAE,CAAC;;mDACtD;AAGxB;;GAEG;AACH,MAAa,eAAe;IAC1B;;OAEG;IAEH,KAAK,CAAU;CAChB;AAND,0CAMC;AADC;IADC,IAAA,wBAAM,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC;;8CAC3C;AAGjB;;GAEG;AACH,MAAa,eAAe;IAC1B;;OAEG;IAEH,KAA
K,CAAU;CAChB;AAND,0CAMC;AADC;IADC,IAAA,wBAAM,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC;;8CAC3C;AAGjB;;;;GAIG;AACH,MAAa,iBAAiB;IAC5B,wCAAwC;IACxC,KAAK,CAAU;IAEf,0BAA0B;IAC1B,IAAI,CAAiB;IAErB,oDAAoD;IACpD,QAAQ,CAAiB;IAEzB,6DAA6D;IAC7D,UAAU,CAAmB;IAE7B,yDAAyD;IACzD,SAAS,CAAe;IAExB,gCAAgC;IAChC,QAAQ,CAAW;IAEnB,sDAAsD;IACtD,cAAc,CAAW;IAEzB,2DAA2D;IAC3D,UAAU,CAAe;IAEzB,6EAA6E;IAC7E,UAAU,CAAiB;IAE3B,+DAA+D;IAC/D,UAAU,CAAU;IAEpB,yBAAyB;IACzB,SAAS,CAAQ;CAClB;AAjCD,8CAiCC;AAED;;;;GAIG;AACH,MAAa,uBAAuB;IAClC;;;;OAIG;IACH,GAAG,CAAU;IAEb;;OAEG;IACH,MAAM,CAAqB;CAC5B;AAZD,0DAYC"}
@@ -8,7 +8,7 @@
8
8
  * - Old password verified before allowing change
9
9
  * - New password validated for minimum strength
10
10
  * - Password history checked (configurable)
11
- * - Max length prevents DoS via bcrypt
11
+ * - Max length prevents DoS via Argon2 hashing
12
12
  *
13
13
  * @example
14
14
  * ```typescript
@@ -36,7 +36,7 @@ export declare class ChangePasswordDTO {
36
36
  * Validation:
37
37
  * - Must be a string
38
38
  * - Min 8 characters (security requirement)
39
- * - Max 128 characters (prevents DoS via bcrypt)
39
+ * - Max 128 characters (prevents DoS via Argon2 hashing)
40
40
  *
41
41
  * Note: NOT trimmed (passwords can have leading/trailing spaces)
42
42
  *
@@ -9,7 +9,7 @@
9
9
  * - Old password verified before allowing change
10
10
  * - New password validated for minimum strength
11
11
  * - Password history checked (configurable)
12
- * - Max length prevents DoS via bcrypt
12
+ * - Max length prevents DoS via Argon2 hashing
13
13
  *
14
14
  * @example
15
15
  * ```typescript
@@ -49,7 +49,7 @@ class ChangePasswordDTO {
49
49
  * Validation:
50
50
  * - Must be a string
51
51
  * - Min 8 characters (security requirement)
52
- * - Max 128 characters (prevents DoS via bcrypt)
52
+ * - Max 128 characters (prevents DoS via Argon2 hashing)
53
53
  *
54
54
  * Note: NOT trimmed (passwords can have leading/trailing spaces)
55
55
  *
@@ -76,4 +76,6 @@ export * from './admin-get-user-auth-history.dto';
76
76
  export * from './admin-get-user-auth-history.dto';
77
77
  export * from './social-auth.dto';
78
78
  export * from './social-redirect.dto';
79
+ export * from './api-key.dto';
80
+ export * from './admin-api-key.dto';
79
81
  //# sourceMappingURL=index.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/dto/index.ts"],"names":[],"mappings":"AACA,cAAc,cAAc,CAAC;AAC7B,cAAc,oBAAoB,CAAC;AACnC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,mBAAmB,CAAC;AAClC,cAAc,iBAAiB,CAAC;AAChC,cAAc,oBAAoB,CAAC;AACnC,cAAc,mBAAmB,CAAC;AAClC,cAAc,aAAa,CAAC;AAC5B,cAAc,uBAAuB,CAAC;AACtC,cAAc,gCAAgC,CAAC;AAC/C,cAAc,qBAAqB,CAAC;AACpC,cAAc,mBAAmB,CAAC;AAClC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,oCAAoC,CAAC;AACnD,cAAc,sCAAsC,CAAC;AACrD,cAAc,oBAAoB,CAAC;AACnC,cAAc,oBAAoB,CAAC;AACnC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,sBAAsB,CAAC;AACrC,cAAc,uBAAuB,CAAC;AACtC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,qBAAqB,CAAC;AACpC,cAAc,qBAAqB,CAAC;AACpC,cAAc,sBAAsB,CAAC;AACrC,cAAc,0BAA0B,CAAC;AACzC,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,0BAA0B,CAAC;AACzC,cAAc,mCAAmC,CAAC;AAClD,cAAc,6BAA6B,CAAC;AAC5C,cAAc,sBAAsB,CAAC;AACrC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,wBAAwB,CAAC;AACvC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,oBAAoB,CAAC;AACnC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,qBAAqB,CAAC;AACpC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,yBAAyB,CAAC;AACxC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,kCAAkC,CAAC;AACjD,cAAc,iBAAiB,CAAC;AAChC,cAAc,uBAAuB,CAAC;AACtC,cAAc,uBAAuB,CAAC;AACtC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,+BAA+B,CAAC;AAC9C,cAAc,iCAAiC,CAAC;AAChD,cAAc,+BAA+B,CAAC;AAC9C,cAAc,mBAAmB,CAAC;AAClC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,yBAAyB,CAAC;AACxC,cAAc,cAAc,CAAC;AAC7B,cAAc,uBAAuB,CAAC;AACtC,cAAc,kBAAkB,CAAC;AACjC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,wBAAwB,CAAC;AACvC,cAAc,yBAAyB,CAAC;AACxC,cAAc,kCAAkC,CAAC;AACjD,cAAc,sBAAsB,CAAC;AACrC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,iCAAiC,CAAC;AAChD,cAAc,4BAA4B,CAAC;AAC3C,cAAc,gCAAgC,CAAC;AAC/C,cAAc,yCAAyC,CAAC;AACxD,cAAc,0BAA0B,CAAC;AACzC,cAAc,4BAA4B,CAAC;AAE3C,cAAc,6BAA6B,CAAC;AAC5C,cAAc,kCAAkC,CAAC;AACjD,cAAc,6BAA6B,CAAC;AAC5C,cAAc,sCAAsC,CAAC;AACrD,cAAc,6BAA6B,CAAC;AAC5C,cAAc,mCAAmC,CAAC;AAClD,cAAc,mCAAmC,CAAC;AAElD,cAAc,mBAAmB,CAAC;AAClC,cAAc,uBAAuB,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/dto/index.ts"],"names":[],"mappings":"AACA,cAAc,cAAc,CAAC;AAC7B,cAAc,oBAAoB,CAAC;AACnC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,mBAAmB,CAAC;AAClC,cAAc,iBAAiB,CAAC;AAChC,cAAc,oBAAoB,CAAC;AACnC,cAAc,mBAAmB,CAAC;AAClC,cAAc,aAAa,CAAC;AAC5B,cAAc,uBAAuB,CAAC;AACtC,cAAc,gCAAgC,CAAC;AAC/C,cAAc,qBAAqB,CAAC;AACpC,cAAc,mBAAmB,CAAC;AAClC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,oCAAoC,CAAC;AACnD,cAAc,sCAAsC,CAAC;AACrD,cAAc,oBAAoB,CAAC;AACnC,cAAc,oBAAoB,CAAC;AACnC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,sBAAsB,CAAC;AACrC,cAAc,uBAAuB,CAAC;AACtC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,qBAAqB,CAAC;AACpC,cAAc,qBAAqB,CAAC;AACpC,cAAc,sBAAsB,CAAC;AACrC,cAAc,0BAA0B,CAAC;AACzC,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,0BAA0B,CAAC;AACzC,cAAc,mCAAmC,CAAC;AAClD,cAAc,6BAA6B,CAAC;AAC5C,cAAc,sBAAsB,CAAC;AACrC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,wBAAwB,CAAC;AACvC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,oBAAoB,CAAC;AACnC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,qBAAqB,CAAC;AACpC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,yBAAyB,CAAC;AACxC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,kCAAkC,CAAC;AACjD,cAAc,iBAAiB,CAAC;AAChC,cAAc,uBAAuB,CAAC;AACtC,cAAc,uBAAuB,CAAC;AACtC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,+BAA+B,CAAC;AAC9C,cAAc,iCAAiC,CAAC;AAChD,cAAc,+BAA+B,CAAC;AAC9C,cAAc,mBAAmB,CAAC;AAClC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,yBAAyB,CAAC;AACxC,cAAc,cAAc,CAAC;AAC7B,cAAc,uBAAuB,CAAC;AACtC,cAAc,kBAAkB,CAAC;AACjC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,wBAAwB,CAAC;AACvC,cAAc,yBAAyB,CAAC;AACxC,cAAc,kCAAkC,CAAC;AACjD,cAAc,sBAAsB,CAAC;AACrC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,iCAAiC,CAAC;AAChD,cAAc,4BAA4B,CAAC;AAC3C,cAAc,gCAAgC,CAAC;AAC/C,cAAc,yCAAyC,CAAC;AACxD,cAAc,0BAA0B,CAAC;AACzC,cAAc,4BAA4B,CAAC;AAE3C,cAAc,6BAA6B,CAAC;AAC5C,cAAc,kCAAkC,CAAC;AACjD,cAAc,6BAA6B,CAAC;AAC5C,cAAc,sCAAsC,CAAC;AACrD,cAAc,6BAA6B,CAAC;AAC5C,cAAc,mCAAmC,CAAC;AAClD,cAAc,mCAAmC,CAAC;AAElD,cAAc,mBAAmB,CAAC;AAClC,cAAc,uBAAuB,CAAC;AAGtC,cAAc,eAAe,CAAC;AAC9B,cAAc,qBAAqB,CAAC"}
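--- a/package/dist/dto/index.js
+++ b/package/dist/dto/index.js
@@ -94,6 +94,9 @@ __exportStar(require("./admin-get-user-auth-history.dto"), exports);
  __exportStar(require("./admin-get-user-auth-history.dto"), exports);
  __exportStar(require("./social-auth.dto"), exports);
  __exportStar(require("./social-redirect.dto"), exports);
+ // API Key DTOs
+ __exportStar(require("./api-key.dto"), exports);
+ __exportStar(require("./admin-api-key.dto"), exports);
  // Note: Social and MFA DTOs moved to their respective packages
  // - social-login.dto → @nauth-toolkit/social-*
  // - mfa.dto → @nauth-toolkit/mfa-*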
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/dto/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,iBAAiB;AACjB,+CAA6B;AAC7B,qDAAmC;AACnC,4DAA0C;AAC1C,oDAAkC;AAClC,kDAAgC;AAChC,qDAAmC;AACnC,oDAAkC;AAClC,8CAA4B;AAC5B,wDAAsC;AACtC,iEAA+C;AAC/C,sDAAoC;AACpC,oDAAkC;AAClC,+DAA6C;AAC7C,qEAAmD;AACnD,uEAAqD;AACrD,qDAAmC;AACnC,qDAAmC;AACnC,4DAA0C;AAC1C,uDAAqC;AACrC,wDAAsC;AACtC,gEAA8C;AAC9C,sDAAoC;AACpC,sDAAoC;AACpC,uDAAqC;AACrC,2DAAyC;AACzC,0DAAwC;AACxC,uDAAqC;AACrC,gEAA8C;AAC9C,2DAAyC;AACzC,oEAAkD;AAClD,8DAA4C;AAC5C,uDAAqC;AACrC,6DAA2C;AAC3C,yDAAuC;AACvC,4DAA0C;AAC1C,qDAAmC;AACnC,gEAA8C;AAC9C,sDAAoC;AACpC,4DAA0C;AAC1C,0DAAwC;AACxC,6DAA2C;AAC3C,mEAAiD;AACjD,kDAAgC;AAChC,wDAAsC;AACtC,wDAAsC;AACtC,gEAA8C;AAC9C,gEAA8C;AAC9C,kEAAgD;AAChD,gEAA8C;AAC9C,oDAAkC;AAClC,6DAA2C;AAC3C,0DAAwC;AACxC,uDAAqC;AACrC,0DAAwC;AACxC,+CAA6B;AAC7B,wDAAsC;AACtC,mDAAiC;AACjC,4DAA0C;AAC1C,yDAAuC;AACvC,0DAAwC;AACxC,mEAAiD;AACjD,uDAAqC;AACrC,gEAA8C;AAC9C,kEAAgD;AAChD,6DAA2C;AAC3C,iEAA+C;AAC/C,0EAAwD;AACxD,2DAAyC;AACzC,6DAA2C;AAC3C,+EAA+E;AAC/E,8DAA4C;AAC5C,mEAAiD;AACjD,8DAA4C;AAC5C,uEAAqD;AACrD,8DAA4C;AAC5C,oEAAkD;AAClD,oEAAkD;AAElD,oDAAkC;AAClC,wDAAsC;AAEtC,+DAA+D;AAC/D,+CAA+C;AAC/C,mCAAmC"}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/dto/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,iBAAiB;AACjB,+CAA6B;AAC7B,qDAAmC;AACnC,4DAA0C;AAC1C,oDAAkC;AAClC,kDAAgC;AAChC,qDAAmC;AACnC,oDAAkC;AAClC,8CAA4B;AAC5B,wDAAsC;AACtC,iEAA+C;AAC/C,sDAAoC;AACpC,oDAAkC;AAClC,+DAA6C;AAC7C,qEAAmD;AACnD,uEAAqD;AACrD,qDAAmC;AACnC,qDAAmC;AACnC,4DAA0C;AAC1C,uDAAqC;AACrC,wDAAsC;AACtC,gEAA8C;AAC9C,sDAAoC;AACpC,sDAAoC;AACpC,uDAAqC;AACrC,2DAAyC;AACzC,0DAAwC;AACxC,uDAAqC;AACrC,gEAA8C;AAC9C,2DAAyC;AACzC,oEAAkD;AAClD,8DAA4C;AAC5C,uDAAqC;AACrC,6DAA2C;AAC3C,yDAAuC;AACvC,4DAA0C;AAC1C,qDAAmC;AACnC,gEAA8C;AAC9C,sDAAoC;AACpC,4DAA0C;AAC1C,0DAAwC;AACxC,6DAA2C;AAC3C,mEAAiD;AACjD,kDAAgC;AAChC,wDAAsC;AACtC,wDAAsC;AACtC,gEAA8C;AAC9C,gEAA8C;AAC9C,kEAAgD;AAChD,gEAA8C;AAC9C,oDAAkC;AAClC,6DAA2C;AAC3C,0DAAwC;AACxC,uDAAqC;AACrC,0DAAwC;AACxC,+CAA6B;AAC7B,wDAAsC;AACtC,mDAAiC;AACjC,4DAA0C;AAC1C,yDAAuC;AACvC,0DAAwC;AACxC,mEAAiD;AACjD,uDAAqC;AACrC,gEAA8C;AAC9C,kEAAgD;AAChD,6DAA2C;AAC3C,iEAA+C;AAC/C,0EAAwD;AACxD,2DAAyC;AACzC,6DAA2C;AAC3C,+EAA+E;AAC/E,8DAA4C;AAC5C,mEAAiD;AACjD,8DAA4C;AAC5C,uEAAqD;AACrD,8DAA4C;AAC5C,oEAAkD;AAClD,oEAAkD;AAElD,oDAAkC;AAClC,wDAAsC;AAEtC,eAAe;AACf,gDAA8B;AAC9B,sDAAoC;AAEpC,+DAA+D;AAC/D,+CAA+C;AAC/C,mCAAmC"}
@@ -70,7 +70,7 @@ export declare class ResetPasswordDTO {
70
70
  * Validation:
71
71
  * - Must be a string
72
72
  * - Min 8 characters (security requirement)
73
- * - Max 128 characters (prevents DoS via bcrypt)
73
+ * - Max 128 characters (prevents DoS via Argon2 hashing)
74
74
  *
75
75
  * Note: NOT trimmed (passwords can have leading/trailing spaces)
76
76
  * Additional checks in service layer:
@@ -103,7 +103,7 @@ class ResetPasswordDTO {
103
103
  * Validation:
104
104
  * - Must be a string
105
105
  * - Min 8 characters (security requirement)
106
- * - Max 128 characters (prevents DoS via bcrypt)
106
+ * - Max 128 characters (prevents DoS via Argon2 hashing)
107
107
  *
108
108
  * Note: NOT trimmed (passwords can have leading/trailing spaces)
109
109
  * Additional checks in service layer:
@@ -117,7 +117,7 @@ export declare class RespondChallengeDTO {
117
117
  * Validation:
118
118
  * - Must be a string
119
119
  * - Min 8 characters (security requirement)
120
- * - Max 128 characters (prevents DoS via bcrypt)
120
+ * - Max 128 characters (prevents DoS via Argon2 hashing)
121
121
  *
122
122
  * Note: NOT trimmed (passwords can have leading/trailing spaces)
123
123
  */
@@ -142,7 +142,7 @@ class RespondChallengeDTO {
142
142
  * Validation:
143
143
  * - Must be a string
144
144
  * - Min 8 characters (security requirement)
145
- * - Max 128 characters (prevents DoS via bcrypt)
145
+ * - Max 128 characters (prevents DoS via Argon2 hashing)
146
146
  *
147
147
  * Note: NOT trimmed (passwords can have leading/trailing spaces)
148
148
  */
@@ -24,7 +24,7 @@ export declare class SignupDTO {
24
24
  *
25
25
  * Validation:
26
26
  * - Min 8 characters
27
- * - Max 128 characters (prevents DoS via bcrypt)
27
+ * - Max 128 characters (prevents DoS via Argon2 hashing)
28
28
  * - Additional policy checks in service layer
29
29
  *
30
30
  * Note: NOT trimmed (passwords can have leading/trailing spaces)
@@ -38,7 +38,7 @@ class SignupDTO {
38
38
  *
39
39
  * Validation:
40
40
  * - Min 8 characters
41
- * - Max 128 characters (prevents DoS via bcrypt)
41
+ * - Max 128 characters (prevents DoS via Argon2 hashing)
42
42
  * - Additional policy checks in service layer
43
43
  *
44
44
  * Note: NOT trimmed (passwords can have leading/trailing spaces)
@@ -0,0 +1,135 @@
1
+ /**
2
+ * Base API Key Entity
3
+ *
4
+ * Stores long-lived API keys that authenticate as their owning user.
5
+ * Only a hash of the secret is persisted; the plaintext key is shown once at creation.
6
+ * Database adapters extend this class and add ORM-specific decorators.
7
+ *
8
+ * @remarks
9
+ * This class is database-agnostic. TypeORM, Prisma, or other ORMs
10
+ * extend this class in their respective packages.
11
+ *
12
+ * Security:
13
+ * - The full key is never stored; only `keyHash` (SHA-256) is persisted.
14
+ * - `lookupId` is a non-secret, indexed identifier used for O(1) lookup.
15
+ * - `allowedIps` restricts which source IPs may use the key (empty/null = any IP).
16
+ */
17
+ export declare class BaseApiKey {
18
+ /**
19
+ * Internal API key ID (auto-increment integer)
20
+ */
21
+ id: number;
22
+ /**
23
+ * External API key identifier (UUID v4)
24
+ * Exposed in API responses instead of the internal integer id.
25
+ */
26
+ keyId: string;
27
+ /**
28
+ * Internal user ID (foreign key to users table)
29
+ * The key authenticates as this user.
30
+ */
31
+ userId: number;
32
+ /**
33
+ * Non-secret lookup identifier (indexed, unique)
34
+ *
35
+ * Embedded in the plaintext key and used to locate the record without
36
+ * scanning every hash. Not a secret on its own.
37
+ */
38
+ lookupId: string;
39
+ /**
40
+ * SHA-256 hash of the full plaintext key
41
+ * The plaintext key is never stored.
42
+ */
43
+ keyHash: string;
44
+ /**
45
+ * User-friendly key label (optional)
46
+ * E.g. "CI pipeline", "Zapier integration".
47
+ */
48
+ name?: string | null;
49
+ /**
50
+ * Last few characters of the plaintext key (display hint)
51
+ * Helps users identify a key in listings without exposing the secret.
52
+ */
53
+ lastFour?: string | null;
54
+ /**
55
+ * Allowed source IPs / CIDR ranges for this key
56
+ *
57
+ * When empty or null, the key may be used from any IP.
58
+ * When populated, requests from IPs outside the list are rejected.
59
+ */
60
+ allowedIps?: string[] | null;
61
+ /**
62
+ * Key expiration timestamp
63
+ * NULL means the key never expires (only allowed when config permits).
64
+ */
65
+ expiresAt?: Date | null;
66
+ /**
67
+ * Whether the key is active
68
+ * Set to false on revoke (soft delete) to disable without removing history.
69
+ */
70
+ isActive: boolean;
71
+ /**
72
+ * When the key was revoked
73
+ * NULL if not revoked.
74
+ */
75
+ revokedAt?: Date | null;
76
+ /**
77
+ * Reason the key was revoked (optional)
78
+ */
79
+ revokeReason?: string | null;
80
+ /**
81
+ * Whether the key was created by an administrator on behalf of the user
82
+ */
83
+ createdByAdmin: boolean;
84
+ /**
85
+ * When the key was last used for authentication
86
+ * NULL if never used. Updated on a throttled basis (see config).
87
+ */
88
+ lastUsedAt?: Date | null;
89
+ /**
90
+ * IP address of the most recent successful use
91
+ * Only populated when usage IP tracking is enabled.
92
+ */
93
+ lastUsedIp?: string | null;
94
+ /**
95
+ * Total number of successful authentications with this key
96
+ */
97
+ usageCount: number;
98
+ /**
99
+ * Additional metadata (JSON)
100
+ */
101
+ metadata?: Record<string, unknown> | null;
102
+ /**
103
+ * Creation timestamp
104
+ */
105
+ createdAt: Date;
106
+ /**
107
+ * Last update timestamp
108
+ */
109
+ updatedAt: Date;
110
+ /**
111
+ * Check if the key is expired
112
+ *
113
+ * @returns true if the key has an expiry that is in the past
114
+ *
115
+ * @example
116
+ * ```typescript
117
+ * if (apiKey.isExpired()) {
118
+ * throw new Error('API key has expired');
119
+ * }
120
+ * ```
121
+ */
122
+ isExpired(): boolean;
123
+ /**
124
+ * Check whether a given source IP is allowed to use this key
125
+ *
126
+ * An empty or null allowlist permits any IP. Otherwise the IP must match
127
+ * one of the configured entries (exact IPv4/IPv6 or CIDR range).
128
+ *
129
+ * @param ip - Source IP address of the request
130
+ * @param matcher - IP/CIDR match function (injected to keep this class dependency-free)
131
+ * @returns true if the IP is allowed
132
+ */
133
+ isIpAllowed(ip: string | null | undefined, matcher: (ip: string, allow: string) => boolean): boolean;
134
+ }
135
+ //# sourceMappingURL=api-key.entity.d.ts.map
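Review bot: The `isIpAllowed` declaration accepts `ip: string | null | undefined`, but its doc comment only covers the empty-allowlist case and does not say what is returned when the allowlist is populated and the source IP is missing. That case should fail closed and be documented, e.g. `@returns true if the IP is allowed; false when the allowlist is non-empty and ip is null/undefined`. The implementation lives in `api-key.entity.js`, which is not fully visible here, so confirm it matches before adding the line. The `keyHash` comment could also note that an unsalted SHA-256 is only appropriate if the plaintext key is a high-entropy random value (presumably it is; the generator is not shown), and that the lookup should compare hashes in constant time.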
@@ -0,0 +1 @@
1
+ {"version":3,"file":"api-key.entity.d.ts","sourceRoot":"","sources":["../../src/entities/api-key.entity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AACH,qBAAa,UAAU;IACrB;;OAEG;IACH,EAAE,EAAG,MAAM,CAAC;IAEZ;;;OAGG;IACH,KAAK,EAAG,MAAM,CAAC;IAEf;;;OAGG;IACH,MAAM,EAAG,MAAM,CAAC;IAEhB;;;;;OAKG;IACH,QAAQ,EAAG,MAAM,CAAC;IAElB;;;OAGG;IACH,OAAO,EAAG,MAAM,CAAC;IAEjB;;;OAGG;IACH,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAErB;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAEzB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IAE7B;;;OAGG;IACH,SAAS,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAExB;;;OAGG;IACH,QAAQ,EAAG,OAAO,CAAC;IAEnB;;;OAGG;IACH,SAAS,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAExB;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAE7B;;OAEG;IACH,cAAc,EAAG,OAAO,CAAC;IAEzB;;;OAGG;IACH,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAEzB;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAE3B;;OAEG;IACH,UAAU,EAAG,MAAM,CAAC;IAEpB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAE1C;;OAEG;IACH,SAAS,EAAG,IAAI,CAAC;IAEjB;;OAEG;IACH,SAAS,EAAG,IAAI,CAAC;IAEjB;;;;;;;;;;;OAWG;IACH,SAAS,IAAI,OAAO;IAIpB;;;;;;;;;OASG;IACH,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAAE,OAAO,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,KAAK,OAAO,GAAG,OAAO;CASrG"}
@@ -0,0 +1,149 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ exports.BaseApiKey = void 0;
4
+ /**
5
+ * Base API Key Entity
6
+ *
7
+ * Stores long-lived API keys that authenticate as their owning user.
8
+ * Only a hash of the secret is persisted; the plaintext key is shown once at creation.
9
+ * Database adapters extend this class and add ORM-specific decorators.
10
+ *
11
+ * @remarks
12
+ * This class is database-agnostic. TypeORM, Prisma, or other ORMs
13
+ * extend this class in their respective packages.
14
+ *
15
+ * Security:
16
+ * - The full key is never stored; only `keyHash` (SHA-256) is persisted.
17
+ * - `lookupId` is a non-secret, indexed identifier used for O(1) lookup.
18
+ * - `allowedIps` restricts which source IPs may use the key (empty/null = any IP).
19
+ */
20
+ class BaseApiKey {
21
+ /**
22
+ * Internal API key ID (auto-increment integer)
23
+ */
24
+ id;
25
+ /**
26
+ * External API key identifier (UUID v4)
27
+ * Exposed in API responses instead of the internal integer id.
28
+ */
29
+ keyId;
30
+ /**
31
+ * Internal user ID (foreign key to users table)
32
+ * The key authenticates as this user.
33
+ */
34
+ userId;
35
+ /**
36
+ * Non-secret lookup identifier (indexed, unique)
37
+ *
38
+ * Embedded in the plaintext key and used to locate the record without
39
+ * scanning every hash. Not a secret on its own.
40
+ */
41
+ lookupId;
42
+ /**
43
+ * SHA-256 hash of the full plaintext key
44
+ * The plaintext key is never stored.
45
+ */
46
+ keyHash;
47
+ /**
48
+ * User-friendly key label (optional)
49
+ * E.g. "CI pipeline", "Zapier integration".
50
+ */
51
+ name;
52
+ /**
53
+ * Last few characters of the plaintext key (display hint)
54
+ * Helps users identify a key in listings without exposing the secret.
55
+ */
56
+ lastFour;
57
+ /**
58
+ * Allowed source IPs / CIDR ranges for this key
59
+ *
60
+ * When empty or null, the key may be used from any IP.
61
+ * When populated, requests from IPs outside the list are rejected.
62
+ */
63
+ allowedIps;
64
+ /**
65
+ * Key expiration timestamp
66
+ * NULL means the key never expires (only allowed when config permits).
67
+ */
68
+ expiresAt;
69
+ /**
70
+ * Whether the key is active
71
+ * Set to false on revoke (soft delete) to disable without removing history.
72
+ */
73
+ isActive;
74
+ /**
75
+ * When the key was revoked
76
+ * NULL if not revoked.
77
+ */
78
+ revokedAt;
79
+ /**
80
+ * Reason the key was revoked (optional)
81
+ */
82
+ revokeReason;
83
+ /**
84
+ * Whether the key was created by an administrator on behalf of the user
85
+ */
86
+ createdByAdmin;
87
+ /**
88
+ * When the key was last used for authentication
89
+ * NULL if never used. Updated on a throttled basis (see config).
90
+ */
91
+ lastUsedAt;
92
+ /**
93
+ * IP address of the most recent successful use
94
+ * Only populated when usage IP tracking is enabled.
95
+ */
96
+ lastUsedIp;
97
+ /**
98
+ * Total number of successful authentications with this key
99
+ */
100
+ usageCount;
101
+ /**
102
+ * Additional metadata (JSON)
103
+ */
104
+ metadata;
105
+ /**
106
+ * Creation timestamp
107
+ */
108
+ createdAt;
109
+ /**
110
+ * Last update timestamp
111
+ */
112
+ updatedAt;
113
+ /**
114
+ * Check if the key is expired
115
+ *
116
+ * @returns true if the key has an expiry that is in the past
117
+ *
118
+ * @example
119
+ * ```typescript
120
+ * if (apiKey.isExpired()) {
121
+ * throw new Error('API key has expired');
122
+ * }
123
+ * ```
124
+ */
125
+ isExpired() {
126
+ return this.expiresAt !== null && this.expiresAt !== undefined && new Date() > this.expiresAt;
127
+ }
128
+ /**
129
+ * Check whether a given source IP is allowed to use this key
130
+ *
131
+ * An empty or null allowlist permits any IP. Otherwise the IP must match
132
+ * one of the configured entries (exact IPv4/IPv6 or CIDR range).
133
+ *
134
+ * @param ip - Source IP address of the request
135
+ * @param matcher - IP/CIDR match function (injected to keep this class dependency-free)
136
+ * @returns true if the IP is allowed
137
+ */
138
+ isIpAllowed(ip, matcher) {
139
+ if (!this.allowedIps || this.allowedIps.length === 0) {
140
+ return true;
141
+ }
142
+ if (!ip) {
143
+ return false;
144
+ }
145
+ return this.allowedIps.some((entry) => matcher(ip, entry));
146
+ }
147
+ }
148
+ exports.BaseApiKey = BaseApiKey;
149
+ //# sourceMappingURL=api-key.entity.js.map
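Review bot: `isExpired()` fails open when `expiresAt` is not a valid `Date`: in `new Date() > this.expiresAt`, a string timestamp or an Invalid Date coerces to `NaN`, the comparison is false, and the key is reported as not expired. The declared type is `Date | null`, but database adapters extend this base class, and whether every adapter hydrates the column as a `Date` cannot be confirmed from this file. Comparing epoch values and treating an unparseable expiry as expired closes the gap: `const t = new Date(this.expiresAt).getTime();` followed by `return Number.isNaN(t) || Date.now() > t;`. Separately, `isIpAllowed()` is only as strong as the injected `matcher` and the `ip` the caller passes, and it checks neither `isActive` nor expiry. Its doc comment should say that `ip` must be the address observed by the trusted edge, not a client-supplied header, and that callers must check revocation and expiry themselves.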
@@ -0,0 +1 @@
1
+ {"version":3,"file":"api-key.entity.js","sourceRoot":"","sources":["../../src/entities/api-key.entity.ts"],"names":[],"mappings":";;;AAAA;;;;;;;;;;;;;;;GAeG;AACH,MAAa,UAAU;IACrB;;OAEG;IACH,EAAE,CAAU;IAEZ;;;OAGG;IACH,KAAK,CAAU;IAEf;;;OAGG;IACH,MAAM,CAAU;IAEhB;;;;;OAKG;IACH,QAAQ,CAAU;IAElB;;;OAGG;IACH,OAAO,CAAU;IAEjB;;;OAGG;IACH,IAAI,CAAiB;IAErB;;;OAGG;IACH,QAAQ,CAAiB;IAEzB;;;;;OAKG;IACH,UAAU,CAAmB;IAE7B;;;OAGG;IACH,SAAS,CAAe;IAExB;;;OAGG;IACH,QAAQ,CAAW;IAEnB;;;OAGG;IACH,SAAS,CAAe;IAExB;;OAEG;IACH,YAAY,CAAiB;IAE7B;;OAEG;IACH,cAAc,CAAW;IAEzB;;;OAGG;IACH,UAAU,CAAe;IAEzB;;;OAGG;IACH,UAAU,CAAiB;IAE3B;;OAEG;IACH,UAAU,CAAU;IAEpB;;OAEG;IACH,QAAQ,CAAkC;IAE1C;;OAEG;IACH,SAAS,CAAQ;IAEjB;;OAEG;IACH,SAAS,CAAQ;IAEjB;;;;;;;;;;;OAWG;IACH,SAAS;QACP,OAAO,IAAI,CAAC,SAAS,KAAK,IAAI,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS,IAAI,IAAI,IAAI,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC;IAChG,CAAC;IAED;;;;;;;;;OASG;IACH,WAAW,CAAC,EAA6B,EAAE,OAA+C;QACxF,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACrD,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,CAAC,EAAE,EAAE,CAAC;YACR,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,CAAC;IAC7D,CAAC;CACF;AAnJD,gCAmJC"}
@@ -28,4 +28,5 @@ export { BaseAuthAudit, type AuthAuditEventStatus } from './auth-audit.entity';
28
28
  export { BaseRateLimit } from './rate-limit.entity';
29
29
  export { BaseStorageLock } from './storage-lock.entity';
30
30
  export { BaseSocialProviderSecret } from './social-provider-secret.entity';
31
+ export { BaseApiKey } from './api-key.entity';
31
32
  //# sourceMappingURL=index.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/entities/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AACH,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAC;AACpE,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAClE,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,KAAK,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC/E,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,wBAAwB,EAAE,MAAM,iCAAiC,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/entities/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AACH,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAC;AACpE,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAClE,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,KAAK,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC/E,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,wBAAwB,EAAE,MAAM,iCAAiC,CAAC;AAC3E,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC"}
@@ -1,6 +1,6 @@
1
1
  "use strict";
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
- exports.BaseSocialProviderSecret = exports.BaseStorageLock = exports.BaseRateLimit = exports.BaseAuthAudit = exports.BaseMFADevice = exports.BaseChallengeSession = exports.BaseSocialAccount = exports.BaseVerificationToken = exports.BaseLoginAttempt = exports.BaseTrustedDevice = exports.BaseSession = exports.BaseUser = void 0;
3
+ exports.BaseApiKey = exports.BaseSocialProviderSecret = exports.BaseStorageLock = exports.BaseRateLimit = exports.BaseAuthAudit = exports.BaseMFADevice = exports.BaseChallengeSession = exports.BaseSocialAccount = exports.BaseVerificationToken = exports.BaseLoginAttempt = exports.BaseTrustedDevice = exports.BaseSession = exports.BaseUser = void 0;
4
4
  /**
5
5
  * Base Entity Classes
6
6
  *
@@ -43,4 +43,6 @@ var storage_lock_entity_1 = require("./storage-lock.entity");
43
43
  Object.defineProperty(exports, "BaseStorageLock", { enumerable: true, get: function () { return storage_lock_entity_1.BaseStorageLock; } });
44
44
  var social_provider_secret_entity_1 = require("./social-provider-secret.entity");
45
45
  Object.defineProperty(exports, "BaseSocialProviderSecret", { enumerable: true, get: function () { return social_provider_secret_entity_1.BaseSocialProviderSecret; } });
46
+ var api_key_entity_1 = require("./api-key.entity");
47
+ Object.defineProperty(exports, "BaseApiKey", { enumerable: true, get: function () { return api_key_entity_1.BaseApiKey; } });
46
48
  //# sourceMappingURL=index.js.map