@nauth-toolkit/core 0.2.7 → 0.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/bootstrap.d.ts +3 -0
- package/dist/bootstrap.d.ts.map +1 -1
- package/dist/bootstrap.js +63 -0
- package/dist/bootstrap.js.map +1 -1
- package/dist/dto/admin-api-key.dto.d.ts +69 -0
- package/dist/dto/admin-api-key.dto.d.ts.map +1 -0
- package/dist/dto/admin-api-key.dto.js +144 -0
- package/dist/dto/admin-api-key.dto.js.map +1 -0
- package/dist/dto/admin-signup-social.dto.d.ts +1 -1
- package/dist/dto/admin-signup-social.dto.js +1 -1
- package/dist/dto/admin-signup.dto.d.ts +1 -1
- package/dist/dto/admin-signup.dto.js +1 -1
- package/dist/dto/api-key.dto.d.ts +132 -0
- package/dist/dto/api-key.dto.d.ts.map +1 -0
- package/dist/dto/api-key.dto.js +198 -0
- package/dist/dto/api-key.dto.js.map +1 -0
- package/dist/dto/change-password.dto.d.ts +2 -2
- package/dist/dto/change-password.dto.js +2 -2
- package/dist/dto/index.d.ts +2 -0
- package/dist/dto/index.d.ts.map +1 -1
- package/dist/dto/index.js +3 -0
- package/dist/dto/index.js.map +1 -1
- package/dist/dto/reset-password.dto.d.ts +1 -1
- package/dist/dto/reset-password.dto.js +1 -1
- package/dist/dto/respond-challenge.dto.d.ts +1 -1
- package/dist/dto/respond-challenge.dto.js +1 -1
- package/dist/dto/signup.dto.d.ts +1 -1
- package/dist/dto/signup.dto.js +1 -1
- package/dist/entities/api-key.entity.d.ts +135 -0
- package/dist/entities/api-key.entity.d.ts.map +1 -0
- package/dist/entities/api-key.entity.js +149 -0
- package/dist/entities/api-key.entity.js.map +1 -0
- package/dist/entities/index.d.ts +1 -0
- package/dist/entities/index.d.ts.map +1 -1
- package/dist/entities/index.js +3 -1
- package/dist/entities/index.js.map +1 -1
- package/dist/enums/auth-audit-event-type.enum.d.ts +25 -1
- package/dist/enums/auth-audit-event-type.enum.d.ts.map +1 -1
- package/dist/enums/auth-audit-event-type.enum.js +27 -0
- package/dist/enums/auth-audit-event-type.enum.js.map +1 -1
- package/dist/enums/error-codes.enum.d.ts +56 -1
- package/dist/enums/error-codes.enum.d.ts.map +1 -1
- package/dist/enums/error-codes.enum.js +58 -0
- package/dist/enums/error-codes.enum.js.map +1 -1
- package/dist/exceptions/nauth.exception.d.ts.map +1 -1
- package/dist/exceptions/nauth.exception.js +13 -0
- package/dist/exceptions/nauth.exception.js.map +1 -1
- package/dist/handlers/api-key.handler.d.ts +45 -0
- package/dist/handlers/api-key.handler.d.ts.map +1 -0
- package/dist/handlers/api-key.handler.js +99 -0
- package/dist/handlers/api-key.handler.js.map +1 -0
- package/dist/handlers/auth.handler.d.ts.map +1 -1
- package/dist/handlers/auth.handler.js +6 -0
- package/dist/handlers/auth.handler.js.map +1 -1
- package/dist/index.d.ts +7 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +8 -1
- package/dist/index.js.map +1 -1
- package/dist/interfaces/config.interface.d.ts +162 -0
- package/dist/interfaces/config.interface.d.ts.map +1 -1
- package/dist/internal.d.ts +7 -0
- package/dist/internal.d.ts.map +1 -1
- package/dist/internal.js +8 -1
- package/dist/internal.js.map +1 -1
- package/dist/openapi/components.schemas.json +284 -7
- package/dist/platform/interfaces.d.ts +8 -0
- package/dist/platform/interfaces.d.ts.map +1 -1
- package/dist/schemas/auth-config.schema.d.ts +211 -0
- package/dist/schemas/auth-config.schema.d.ts.map +1 -1
- package/dist/schemas/auth-config.schema.js +33 -1
- package/dist/schemas/auth-config.schema.js.map +1 -1
- package/dist/services/admin-auth.service.d.ts +59 -1
- package/dist/services/admin-auth.service.d.ts.map +1 -1
- package/dist/services/admin-auth.service.js +99 -1
- package/dist/services/admin-auth.service.js.map +1 -1
- package/dist/services/api-key.service.d.ts +152 -0
- package/dist/services/api-key.service.d.ts.map +1 -0
- package/dist/services/api-key.service.js +378 -0
- package/dist/services/api-key.service.js.map +1 -0
- package/dist/services/telemetry.service.d.ts +154 -0
- package/dist/services/telemetry.service.d.ts.map +1 -0
- package/dist/services/telemetry.service.js +345 -0
- package/dist/services/telemetry.service.js.map +1 -0
- package/dist/utils/get-package-version.d.ts +15 -0
- package/dist/utils/get-package-version.d.ts.map +1 -0
- package/dist/utils/get-package-version.js +84 -0
- package/dist/utils/get-package-version.js.map +1 -0
- package/dist/utils/index.d.ts +1 -0
- package/dist/utils/index.d.ts.map +1 -1
- package/dist/utils/index.js +1 -0
- package/dist/utils/index.js.map +1 -1
- package/dist/utils/ip-match.d.ts +44 -0
- package/dist/utils/ip-match.d.ts.map +1 -0
- package/dist/utils/ip-match.js +135 -0
- package/dist/utils/ip-match.js.map +1 -0
- package/dist/utils/setup/get-repositories.d.ts +2 -1
- package/dist/utils/setup/get-repositories.d.ts.map +1 -1
- package/dist/utils/setup/get-repositories.js +2 -0
- package/dist/utils/setup/get-repositories.js.map +1 -1
- package/dist/utils/setup/init-services.d.ts +4 -2
- package/dist/utils/setup/init-services.d.ts.map +1 -1
- package/dist/utils/setup/init-services.js +8 -1
- package/dist/utils/setup/init-services.js.map +1 -1
- package/package.json +2 -2
|
@@ -0,0 +1,198 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
|
|
3
|
+
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
|
|
4
|
+
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
|
|
5
|
+
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
|
|
6
|
+
return c > 3 && r && Object.defineProperty(target, key, r), r;
|
|
7
|
+
};
|
|
8
|
+
var __metadata = (this && this.__metadata) || function (k, v) {
|
|
9
|
+
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
10
|
+
};
|
|
11
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
|
+
exports.CreateApiKeyResponseDTO = exports.ApiKeyResponseDTO = exports.DeleteApiKeyDTO = exports.RevokeApiKeyDTO = exports.UpdateApiKeyDTO = exports.CreateApiKeyDTO = void 0;
|
|
13
|
+
const class_validator_1 = require("class-validator");
|
|
14
|
+
const class_transformer_1 = require("class-transformer");
|
|
15
|
+
/**
|
|
16
|
+
* DTO for creating an API key (user self-service)
|
|
17
|
+
*
|
|
18
|
+
* Security:
|
|
19
|
+
* - Expiry is explicit and mandatory (enforced in the service layer):
|
|
20
|
+
* provide a positive number of days, or `null` for a never-expiring key
|
|
21
|
+
* (only allowed when `apiKeys.allowIndefinite` is true).
|
|
22
|
+
* - Optional per-key IP allowlist restricts which source IPs may use the key.
|
|
23
|
+
*
|
|
24
|
+
* Note: The owning user is derived from the authenticated request, never from the body.
|
|
25
|
+
*/
|
|
26
|
+
class CreateApiKeyDTO {
|
|
27
|
+
/**
|
|
28
|
+
* User-friendly label for the key (optional)
|
|
29
|
+
*
|
|
30
|
+
* Validation:
|
|
31
|
+
* - Max 255 characters
|
|
32
|
+
*
|
|
33
|
+
* Sanitization:
|
|
34
|
+
* - Trimmed
|
|
35
|
+
*/
|
|
36
|
+
name;
|
|
37
|
+
/**
|
|
38
|
+
* Key expiry in days, or `null` for a key that never expires
|
|
39
|
+
*
|
|
40
|
+
* This field is mandatory at creation. The service rejects the request when it
|
|
41
|
+
* is omitted (`API_KEY_EXPIRY_REQUIRED`), when `null` is used but indefinite keys
|
|
42
|
+
* are disallowed (`API_KEY_INDEFINITE_NOT_ALLOWED`), or when it exceeds the
|
|
43
|
+
* configured maximum (`API_KEY_EXPIRY_TOO_LONG`).
|
|
44
|
+
*
|
|
45
|
+
* Validation:
|
|
46
|
+
* - When provided and not null: positive integer
|
|
47
|
+
*/
|
|
48
|
+
expiresInDays;
|
|
49
|
+
/**
|
|
50
|
+
* Allowed source IPs / CIDR ranges for this key (optional)
|
|
51
|
+
*
|
|
52
|
+
* When omitted or empty, the key may be used from any IP. Each entry must be a
|
|
53
|
+
* valid IPv4/IPv6 address or CIDR range (validated in the service layer).
|
|
54
|
+
*
|
|
55
|
+
* Validation:
|
|
56
|
+
* - Array of strings, max 100 entries at the DTO layer (per-key cap enforced by config)
|
|
57
|
+
*/
|
|
58
|
+
allowedIps;
|
|
59
|
+
}
|
|
60
|
+
exports.CreateApiKeyDTO = CreateApiKeyDTO;
|
|
61
|
+
__decorate([
|
|
62
|
+
(0, class_validator_1.IsOptional)(),
|
|
63
|
+
(0, class_validator_1.IsString)({ message: 'Name must be a string' }),
|
|
64
|
+
(0, class_validator_1.MaxLength)(255, { message: 'Name must not exceed 255 characters' }),
|
|
65
|
+
(0, class_transformer_1.Transform)(({ value }) => (typeof value === 'string' ? value.trim() : value)),
|
|
66
|
+
__metadata("design:type", String)
|
|
67
|
+
], CreateApiKeyDTO.prototype, "name", void 0);
|
|
68
|
+
__decorate([
|
|
69
|
+
(0, class_validator_1.ValidateIf)((o) => o.expiresInDays !== undefined && o.expiresInDays !== null),
|
|
70
|
+
(0, class_validator_1.IsInt)({ message: 'expiresInDays must be an integer number of days or null' }),
|
|
71
|
+
(0, class_validator_1.Min)(1, { message: 'expiresInDays must be at least 1' }),
|
|
72
|
+
__metadata("design:type", Object)
|
|
73
|
+
], CreateApiKeyDTO.prototype, "expiresInDays", void 0);
|
|
74
|
+
__decorate([
|
|
75
|
+
(0, class_validator_1.IsOptional)(),
|
|
76
|
+
(0, class_validator_1.IsArray)({ message: 'allowedIps must be an array of IP addresses or CIDR ranges' }),
|
|
77
|
+
(0, class_validator_1.ArrayMaxSize)(100, { message: 'allowedIps has too many entries' }),
|
|
78
|
+
(0, class_validator_1.IsString)({ each: true, message: 'Each allowedIps entry must be a string' }),
|
|
79
|
+
__metadata("design:type", Array)
|
|
80
|
+
], CreateApiKeyDTO.prototype, "allowedIps", void 0);
|
|
81
|
+
/**
|
|
82
|
+
* DTO for updating an API key (user self-service)
|
|
83
|
+
*
|
|
84
|
+
* Only the label and IP allowlist are mutable. The secret and expiry are immutable —
|
|
85
|
+
* to rotate or extend a key, delete it and create a new one.
|
|
86
|
+
*/
|
|
87
|
+
class UpdateApiKeyDTO {
|
|
88
|
+
/**
|
|
89
|
+
* External key identifier (UUID v4)
|
|
90
|
+
*/
|
|
91
|
+
keyId;
|
|
92
|
+
/**
|
|
93
|
+
* New label for the key (optional)
|
|
94
|
+
*/
|
|
95
|
+
name;
|
|
96
|
+
/**
|
|
97
|
+
* Replacement IP allowlist (optional)
|
|
98
|
+
*
|
|
99
|
+
* Pass an empty array to clear restrictions (open to any IP).
|
|
100
|
+
*/
|
|
101
|
+
allowedIps;
|
|
102
|
+
}
|
|
103
|
+
exports.UpdateApiKeyDTO = UpdateApiKeyDTO;
|
|
104
|
+
__decorate([
|
|
105
|
+
(0, class_validator_1.IsUUID)('4', { message: 'keyId must be a valid UUID v4' }),
|
|
106
|
+
__metadata("design:type", String)
|
|
107
|
+
], UpdateApiKeyDTO.prototype, "keyId", void 0);
|
|
108
|
+
__decorate([
|
|
109
|
+
(0, class_validator_1.IsOptional)(),
|
|
110
|
+
(0, class_validator_1.IsString)({ message: 'Name must be a string' }),
|
|
111
|
+
(0, class_validator_1.MaxLength)(255, { message: 'Name must not exceed 255 characters' }),
|
|
112
|
+
(0, class_transformer_1.Transform)(({ value }) => (typeof value === 'string' ? value.trim() : value)),
|
|
113
|
+
__metadata("design:type", String)
|
|
114
|
+
], UpdateApiKeyDTO.prototype, "name", void 0);
|
|
115
|
+
__decorate([
|
|
116
|
+
(0, class_validator_1.IsOptional)(),
|
|
117
|
+
(0, class_validator_1.IsArray)({ message: 'allowedIps must be an array of IP addresses or CIDR ranges' }),
|
|
118
|
+
(0, class_validator_1.ArrayMaxSize)(100, { message: 'allowedIps has too many entries' }),
|
|
119
|
+
(0, class_validator_1.IsString)({ each: true, message: 'Each allowedIps entry must be a string' }),
|
|
120
|
+
__metadata("design:type", Array)
|
|
121
|
+
], UpdateApiKeyDTO.prototype, "allowedIps", void 0);
|
|
122
|
+
/**
|
|
123
|
+
* DTO for revoking an API key (soft delete)
|
|
124
|
+
*/
|
|
125
|
+
class RevokeApiKeyDTO {
|
|
126
|
+
/**
|
|
127
|
+
* External key identifier (UUID v4)
|
|
128
|
+
*/
|
|
129
|
+
keyId;
|
|
130
|
+
}
|
|
131
|
+
exports.RevokeApiKeyDTO = RevokeApiKeyDTO;
|
|
132
|
+
__decorate([
|
|
133
|
+
(0, class_validator_1.IsUUID)('4', { message: 'keyId must be a valid UUID v4' }),
|
|
134
|
+
__metadata("design:type", String)
|
|
135
|
+
], RevokeApiKeyDTO.prototype, "keyId", void 0);
|
|
136
|
+
/**
|
|
137
|
+
* DTO for permanently deleting an API key
|
|
138
|
+
*/
|
|
139
|
+
class DeleteApiKeyDTO {
|
|
140
|
+
/**
|
|
141
|
+
* External key identifier (UUID v4)
|
|
142
|
+
*/
|
|
143
|
+
keyId;
|
|
144
|
+
}
|
|
145
|
+
exports.DeleteApiKeyDTO = DeleteApiKeyDTO;
|
|
146
|
+
__decorate([
|
|
147
|
+
(0, class_validator_1.IsUUID)('4', { message: 'keyId must be a valid UUID v4' }),
|
|
148
|
+
__metadata("design:type", String)
|
|
149
|
+
], DeleteApiKeyDTO.prototype, "keyId", void 0);
|
|
150
|
+
/**
|
|
151
|
+
* Sanitized API key response
|
|
152
|
+
*
|
|
153
|
+
* Never includes the plaintext key or its hash. Returned by list and update operations.
|
|
154
|
+
*/
|
|
155
|
+
class ApiKeyResponseDTO {
|
|
156
|
+
/** External key identifier (UUID v4) */
|
|
157
|
+
keyId;
|
|
158
|
+
/** User-friendly label */
|
|
159
|
+
name;
|
|
160
|
+
/** Last few characters of the key (display hint) */
|
|
161
|
+
lastFour;
|
|
162
|
+
/** Allowed source IPs / CIDR ranges (empty/null = any IP) */
|
|
163
|
+
allowedIps;
|
|
164
|
+
/** Expiry timestamp, or null if the key never expires */
|
|
165
|
+
expiresAt;
|
|
166
|
+
/** Whether the key is active */
|
|
167
|
+
isActive;
|
|
168
|
+
/** Whether the key was created by an administrator */
|
|
169
|
+
createdByAdmin;
|
|
170
|
+
/** Last successful use timestamp, or null if never used */
|
|
171
|
+
lastUsedAt;
|
|
172
|
+
/** IP of the last successful use (only when usage IP tracking is enabled) */
|
|
173
|
+
lastUsedIp;
|
|
174
|
+
/** Total number of successful authentications with this key */
|
|
175
|
+
usageCount;
|
|
176
|
+
/** Creation timestamp */
|
|
177
|
+
createdAt;
|
|
178
|
+
}
|
|
179
|
+
exports.ApiKeyResponseDTO = ApiKeyResponseDTO;
|
|
180
|
+
/**
|
|
181
|
+
* Response returned once when a key is created
|
|
182
|
+
*
|
|
183
|
+
* The plaintext `key` is shown only here and never again — the caller must store it securely.
|
|
184
|
+
*/
|
|
185
|
+
class CreateApiKeyResponseDTO {
|
|
186
|
+
/**
|
|
187
|
+
* The full plaintext API key (shown once)
|
|
188
|
+
*
|
|
189
|
+
* Security: Never stored in plaintext. Deliver securely to the consumer.
|
|
190
|
+
*/
|
|
191
|
+
key;
|
|
192
|
+
/**
|
|
193
|
+
* Sanitized metadata for the created key
|
|
194
|
+
*/
|
|
195
|
+
apiKey;
|
|
196
|
+
}
|
|
197
|
+
exports.CreateApiKeyResponseDTO = CreateApiKeyResponseDTO;
|
|
198
|
+
//# sourceMappingURL=api-key.dto.js.map
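Review bot: `allowedIps` entries are validated only as strings (the `IsArray` / `ArrayMaxSize(100)` / `IsString({ each: true })` decorators on `CreateApiKeyDTO` and again on `UpdateApiKeyDTO`), so a single entry can be as long as the request body limit allows, while `name` is capped at 255 and the IP/CIDR parse is deliberately deferred to the service layer per the comment on the field. Bounding each entry here is cheap and keeps oversized input away from the CIDR parser: add `(0, class_validator_1.MaxLength)(64, { each: true, message: 'Each allowedIps entry is too long' })` next to the `IsString({ each: true })` line in both DTOs (a textual IPv6 address with a `/128` prefix is at most 49 characters, so 64 leaves headroom for zone ids). Separately, `CreateApiKeyResponseDTO.key` carries the plaintext secret and this release also adds a telemetry service; the field comment should say explicitly that the response object must be excluded from request/response logging, telemetry and audit payloads, e.g. `* Security: Never stored in plaintext; never log or include this response in telemetry/audit records.` — presumably the service already avoids that, but the DTO is where a consumer integrating logging will look. Minor: `name` is trimmed by the `Transform` before validation (assuming the usual plainToInstance-then-validate pipeline) and has no minimum length, so a whitespace-only label is accepted as `""`; if that is unintended, `(0, class_validator_1.MinLength)(1, { message: 'Name must not be empty' })` would reject it.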
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"api-key.dto.js","sourceRoot":"","sources":["../../src/dto/api-key.dto.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,qDAUyB;AACzB,yDAA8C;AAE9C;;;;;;;;;;GAUG;AACH,MAAa,eAAe;IAC1B;;;;;;;;OAQG;IAKH,IAAI,CAAU;IAEd;;;;;;;;;;OAUG;IAIH,aAAa,CAAiB;IAE9B;;;;;;;;OAQG;IAKH,UAAU,CAAY;CACvB;AA9CD,0CA8CC;AAhCC;IAJC,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,uBAAuB,EAAE,CAAC;IAC9C,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,qCAAqC,EAAE,CAAC;IAClE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;;6CAC/D;AAgBd;IAHC,IAAA,4BAAU,EAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,KAAK,SAAS,IAAI,CAAC,CAAC,aAAa,KAAK,IAAI,CAAC;IAC5E,IAAA,uBAAK,EAAC,EAAE,OAAO,EAAE,yDAAyD,EAAE,CAAC;IAC7E,IAAA,qBAAG,EAAC,CAAC,EAAE,EAAE,OAAO,EAAE,kCAAkC,EAAE,CAAC;;sDAC1B;AAe9B;IAJC,IAAA,4BAAU,GAAE;IACZ,IAAA,yBAAO,EAAC,EAAE,OAAO,EAAE,4DAA4D,EAAE,CAAC;IAClF,IAAA,8BAAY,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,iCAAiC,EAAE,CAAC;IACjE,IAAA,0BAAQ,EAAC,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,wCAAwC,EAAE,CAAC;;mDACtD;AAGxB;;;;;GAKG;AACH,MAAa,eAAe;IAC1B;;OAEG;IAEH,KAAK,CAAU;IAEf;;OAEG;IAKH,IAAI,CAAU;IAEd;;;;OAIG;IAKH,UAAU,CAAY;CACvB;AA1BD,0CA0BC;AArBC;IADC,IAAA,wBAAM,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC;;8CAC3C;AASf;IAJC,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,EAAC,EAAE,OAAO,EAAE,uBAAuB,EAAE,CAAC;IAC9C,IAAA,2BAAS,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,qCAAqC,EAAE,CAAC;IAClE,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;;6CAC/D;AAWd;IAJC,IAAA,4BAAU,GAAE;IACZ,IAAA,yBAAO,EAAC,EAAE,OAAO,EAAE,4DAA4D,EAAE,CAAC;IAClF,IAAA,8BAAY,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,iCAAiC,EAAE,CAAC;IACjE,IAAA,0BAAQ,EAAC,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,wCAAwC,EAAE,CAAC;;mDACtD;AAGxB;;GAEG;AACH,MAAa,eAAe;IAC1B;;OAEG;IAEH,KAAK,CAAU;CAChB;AAND,0CAMC;AADC;IADC,IAAA,wBAAM,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC;;8CAC3C;AAGjB;;GAEG;AACH,MAAa,eAAe;IAC1B;;OAEG;IAEH,KAAK,
CAAU;CAChB;AAND,0CAMC;AADC;IADC,IAAA,wBAAM,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC;;8CAC3C;AAGjB;;;;GAIG;AACH,MAAa,iBAAiB;IAC5B,wCAAwC;IACxC,KAAK,CAAU;IAEf,0BAA0B;IAC1B,IAAI,CAAiB;IAErB,oDAAoD;IACpD,QAAQ,CAAiB;IAEzB,6DAA6D;IAC7D,UAAU,CAAmB;IAE7B,yDAAyD;IACzD,SAAS,CAAe;IAExB,gCAAgC;IAChC,QAAQ,CAAW;IAEnB,sDAAsD;IACtD,cAAc,CAAW;IAEzB,2DAA2D;IAC3D,UAAU,CAAe;IAEzB,6EAA6E;IAC7E,UAAU,CAAiB;IAE3B,+DAA+D;IAC/D,UAAU,CAAU;IAEpB,yBAAyB;IACzB,SAAS,CAAQ;CAClB;AAjCD,8CAiCC;AAED;;;;GAIG;AACH,MAAa,uBAAuB;IAClC;;;;OAIG;IACH,GAAG,CAAU;IAEb;;OAEG;IACH,MAAM,CAAqB;CAC5B;AAZD,0DAYC"}
|
|
@@ -8,7 +8,7 @@
|
|
|
8
8
|
* - Old password verified before allowing change
|
|
9
9
|
* - New password validated for minimum strength
|
|
10
10
|
* - Password history checked (configurable)
|
|
11
|
-
* - Max length prevents DoS via
|
|
11
|
+
* - Max length prevents DoS via Argon2 hashing
|
|
12
12
|
*
|
|
13
13
|
* @example
|
|
14
14
|
* ```typescript
|
|
@@ -36,7 +36,7 @@ export declare class ChangePasswordDTO {
|
|
|
36
36
|
* Validation:
|
|
37
37
|
* - Must be a string
|
|
38
38
|
* - Min 8 characters (security requirement)
|
|
39
|
-
* - Max 128 characters (prevents DoS via
|
|
39
|
+
* - Max 128 characters (prevents DoS via Argon2 hashing)
|
|
40
40
|
*
|
|
41
41
|
* Note: NOT trimmed (passwords can have leading/trailing spaces)
|
|
42
42
|
*
|
|
@@ -9,7 +9,7 @@
|
|
|
9
9
|
* - Old password verified before allowing change
|
|
10
10
|
* - New password validated for minimum strength
|
|
11
11
|
* - Password history checked (configurable)
|
|
12
|
-
* - Max length prevents DoS via
|
|
12
|
+
* - Max length prevents DoS via Argon2 hashing
|
|
13
13
|
*
|
|
14
14
|
* @example
|
|
15
15
|
* ```typescript
|
|
@@ -49,7 +49,7 @@ class ChangePasswordDTO {
|
|
|
49
49
|
* Validation:
|
|
50
50
|
* - Must be a string
|
|
51
51
|
* - Min 8 characters (security requirement)
|
|
52
|
-
* - Max 128 characters (prevents DoS via
|
|
52
|
+
* - Max 128 characters (prevents DoS via Argon2 hashing)
|
|
53
53
|
*
|
|
54
54
|
* Note: NOT trimmed (passwords can have leading/trailing spaces)
|
|
55
55
|
*
|
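--- a/package/dist/dto/index.d.ts
+++ b/package/dist/dto/index.d.ts
@@ -76,4 +76,6 @@ export * from './admin-get-user-auth-history.dto';
 export * from './admin-get-user-auth-history.dto';
 export * from './social-auth.dto';
 export * from './social-redirect.dto';
+export * from './api-key.dto';
+export * from './admin-api-key.dto';
 //# sourceMappingURL=index.d.ts.map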
package/dist/dto/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/dto/index.ts"],"names":[],"mappings":"AACA,cAAc,cAAc,CAAC;AAC7B,cAAc,oBAAoB,CAAC;AACnC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,mBAAmB,CAAC;AAClC,cAAc,iBAAiB,CAAC;AAChC,cAAc,oBAAoB,CAAC;AACnC,cAAc,mBAAmB,CAAC;AAClC,cAAc,aAAa,CAAC;AAC5B,cAAc,uBAAuB,CAAC;AACtC,cAAc,gCAAgC,CAAC;AAC/C,cAAc,qBAAqB,CAAC;AACpC,cAAc,mBAAmB,CAAC;AAClC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,oCAAoC,CAAC;AACnD,cAAc,sCAAsC,CAAC;AACrD,cAAc,oBAAoB,CAAC;AACnC,cAAc,oBAAoB,CAAC;AACnC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,sBAAsB,CAAC;AACrC,cAAc,uBAAuB,CAAC;AACtC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,qBAAqB,CAAC;AACpC,cAAc,qBAAqB,CAAC;AACpC,cAAc,sBAAsB,CAAC;AACrC,cAAc,0BAA0B,CAAC;AACzC,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,0BAA0B,CAAC;AACzC,cAAc,mCAAmC,CAAC;AAClD,cAAc,6BAA6B,CAAC;AAC5C,cAAc,sBAAsB,CAAC;AACrC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,wBAAwB,CAAC;AACvC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,oBAAoB,CAAC;AACnC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,qBAAqB,CAAC;AACpC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,yBAAyB,CAAC;AACxC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,kCAAkC,CAAC;AACjD,cAAc,iBAAiB,CAAC;AAChC,cAAc,uBAAuB,CAAC;AACtC,cAAc,uBAAuB,CAAC;AACtC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,+BAA+B,CAAC;AAC9C,cAAc,iCAAiC,CAAC;AAChD,cAAc,+BAA+B,CAAC;AAC9C,cAAc,mBAAmB,CAAC;AAClC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,yBAAyB,CAAC;AACxC,cAAc,cAAc,CAAC;AAC7B,cAAc,uBAAuB,CAAC;AACtC,cAAc,kBAAkB,CAAC;AACjC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,wBAAwB,CAAC;AACvC,cAAc,yBAAyB,CAAC;AACxC,cAAc,kCAAkC,CAAC;AACjD,cAAc,sBAAsB,CAAC;AACrC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,iCAAiC,CAAC;AAChD,cAAc,4BAA4B,CAAC;AAC3C,cAAc,gCAAgC,CAAC;AAC/C,cAAc,yCAAyC,CAAC;AACxD,cAAc,0BAA0B,CAAC;AACzC,cAAc,4BAA4B,CAAC;AAE3C,cAAc,6BAA6B,CAAC;AAC5C,cAAc,kCAAkC,CAAC;AACjD,cAAc,6BAA6B,CAAC;AAC5C,cAAc,sCAAsC,CAAC;AACrD,cAAc,6BAA6B,CAAC;AAC5C,cAAc,mCAAmC,CAAC;AAClD,cAAc,mCAAmC,CAAC;AAElD,cAAc,mBAAmB,CAAC;AAClC,cAAc,uBAAuB,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/dto/index.ts"],"names":[],"mappings":"AACA,cAAc,cAAc,CAAC;AAC7B,cAAc,oBAAoB,CAAC;AACnC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,mBAAmB,CAAC;AAClC,cAAc,iBAAiB,CAAC;AAChC,cAAc,oBAAoB,CAAC;AACnC,cAAc,mBAAmB,CAAC;AAClC,cAAc,aAAa,CAAC;AAC5B,cAAc,uBAAuB,CAAC;AACtC,cAAc,gCAAgC,CAAC;AAC/C,cAAc,qBAAqB,CAAC;AACpC,cAAc,mBAAmB,CAAC;AAClC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,oCAAoC,CAAC;AACnD,cAAc,sCAAsC,CAAC;AACrD,cAAc,oBAAoB,CAAC;AACnC,cAAc,oBAAoB,CAAC;AACnC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,sBAAsB,CAAC;AACrC,cAAc,uBAAuB,CAAC;AACtC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,qBAAqB,CAAC;AACpC,cAAc,qBAAqB,CAAC;AACpC,cAAc,sBAAsB,CAAC;AACrC,cAAc,0BAA0B,CAAC;AACzC,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,0BAA0B,CAAC;AACzC,cAAc,mCAAmC,CAAC;AAClD,cAAc,6BAA6B,CAAC;AAC5C,cAAc,sBAAsB,CAAC;AACrC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,wBAAwB,CAAC;AACvC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,oBAAoB,CAAC;AACnC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,qBAAqB,CAAC;AACpC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,yBAAyB,CAAC;AACxC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,kCAAkC,CAAC;AACjD,cAAc,iBAAiB,CAAC;AAChC,cAAc,uBAAuB,CAAC;AACtC,cAAc,uBAAuB,CAAC;AACtC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,+BAA+B,CAAC;AAC9C,cAAc,iCAAiC,CAAC;AAChD,cAAc,+BAA+B,CAAC;AAC9C,cAAc,mBAAmB,CAAC;AAClC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,yBAAyB,CAAC;AACxC,cAAc,cAAc,CAAC;AAC7B,cAAc,uBAAuB,CAAC;AACtC,cAAc,kBAAkB,CAAC;AACjC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,wBAAwB,CAAC;AACvC,cAAc,yBAAyB,CAAC;AACxC,cAAc,kCAAkC,CAAC;AACjD,cAAc,sBAAsB,CAAC;AACrC,cAAc,+BAA+B,CAAC;AAC9C,cAAc,iCAAiC,CAAC;AAChD,cAAc,4BAA4B,CAAC;AAC3C,cAAc,gCAAgC,CAAC;AAC/C,cAAc,yCAAyC,CAAC;AACxD,cAAc,0BAA0B,CAAC;AACzC,cAAc,4BAA4B,CAAC;AAE3C,cAAc,6BAA6B,CAAC;AAC5C,cAAc,kCAAkC,CAAC;AACjD,cAAc,6BAA6B,CAAC;AAC5C,cAAc,sCAAsC,CAAC;AACrD,cAAc,6BAA6B,CAAC;AAC5C,cAAc,mCAAmC,CAAC;AAClD,cAAc,mCAAmC,CAAC;AAElD,cAAc,mBAAmB,CAAC;AAClC,cAAc,uBAAuB,CAAC;AAGtC,cAAc,eAAe,CAAC;AAC9B,cAAc,qBAAqB,CAAC"}
|
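--- a/package/dist/dto/index.js
+++ b/package/dist/dto/index.js
@@ -94,6 +94,9 @@ __exportStar(require("./admin-get-user-auth-history.dto"), exports);
 __exportStar(require("./admin-get-user-auth-history.dto"), exports);
 __exportStar(require("./social-auth.dto"), exports);
 __exportStar(require("./social-redirect.dto"), exports);
+// API Key DTOs
+__exportStar(require("./api-key.dto"), exports);
+__exportStar(require("./admin-api-key.dto"), exports);
 // Note: Social and MFA DTOs moved to their respective packages
 // - social-login.dto → @nauth-toolkit/social-*
 // - mfa.dto → @nauth-toolkit/mfa-*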
package/dist/dto/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/dto/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,iBAAiB;AACjB,+CAA6B;AAC7B,qDAAmC;AACnC,4DAA0C;AAC1C,oDAAkC;AAClC,kDAAgC;AAChC,qDAAmC;AACnC,oDAAkC;AAClC,8CAA4B;AAC5B,wDAAsC;AACtC,iEAA+C;AAC/C,sDAAoC;AACpC,oDAAkC;AAClC,+DAA6C;AAC7C,qEAAmD;AACnD,uEAAqD;AACrD,qDAAmC;AACnC,qDAAmC;AACnC,4DAA0C;AAC1C,uDAAqC;AACrC,wDAAsC;AACtC,gEAA8C;AAC9C,sDAAoC;AACpC,sDAAoC;AACpC,uDAAqC;AACrC,2DAAyC;AACzC,0DAAwC;AACxC,uDAAqC;AACrC,gEAA8C;AAC9C,2DAAyC;AACzC,oEAAkD;AAClD,8DAA4C;AAC5C,uDAAqC;AACrC,6DAA2C;AAC3C,yDAAuC;AACvC,4DAA0C;AAC1C,qDAAmC;AACnC,gEAA8C;AAC9C,sDAAoC;AACpC,4DAA0C;AAC1C,0DAAwC;AACxC,6DAA2C;AAC3C,mEAAiD;AACjD,kDAAgC;AAChC,wDAAsC;AACtC,wDAAsC;AACtC,gEAA8C;AAC9C,gEAA8C;AAC9C,kEAAgD;AAChD,gEAA8C;AAC9C,oDAAkC;AAClC,6DAA2C;AAC3C,0DAAwC;AACxC,uDAAqC;AACrC,0DAAwC;AACxC,+CAA6B;AAC7B,wDAAsC;AACtC,mDAAiC;AACjC,4DAA0C;AAC1C,yDAAuC;AACvC,0DAAwC;AACxC,mEAAiD;AACjD,uDAAqC;AACrC,gEAA8C;AAC9C,kEAAgD;AAChD,6DAA2C;AAC3C,iEAA+C;AAC/C,0EAAwD;AACxD,2DAAyC;AACzC,6DAA2C;AAC3C,+EAA+E;AAC/E,8DAA4C;AAC5C,mEAAiD;AACjD,8DAA4C;AAC5C,uEAAqD;AACrD,8DAA4C;AAC5C,oEAAkD;AAClD,oEAAkD;AAElD,oDAAkC;AAClC,wDAAsC;AAEtC,+DAA+D;AAC/D,+CAA+C;AAC/C,mCAAmC"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/dto/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,iBAAiB;AACjB,+CAA6B;AAC7B,qDAAmC;AACnC,4DAA0C;AAC1C,oDAAkC;AAClC,kDAAgC;AAChC,qDAAmC;AACnC,oDAAkC;AAClC,8CAA4B;AAC5B,wDAAsC;AACtC,iEAA+C;AAC/C,sDAAoC;AACpC,oDAAkC;AAClC,+DAA6C;AAC7C,qEAAmD;AACnD,uEAAqD;AACrD,qDAAmC;AACnC,qDAAmC;AACnC,4DAA0C;AAC1C,uDAAqC;AACrC,wDAAsC;AACtC,gEAA8C;AAC9C,sDAAoC;AACpC,sDAAoC;AACpC,uDAAqC;AACrC,2DAAyC;AACzC,0DAAwC;AACxC,uDAAqC;AACrC,gEAA8C;AAC9C,2DAAyC;AACzC,oEAAkD;AAClD,8DAA4C;AAC5C,uDAAqC;AACrC,6DAA2C;AAC3C,yDAAuC;AACvC,4DAA0C;AAC1C,qDAAmC;AACnC,gEAA8C;AAC9C,sDAAoC;AACpC,4DAA0C;AAC1C,0DAAwC;AACxC,6DAA2C;AAC3C,mEAAiD;AACjD,kDAAgC;AAChC,wDAAsC;AACtC,wDAAsC;AACtC,gEAA8C;AAC9C,gEAA8C;AAC9C,kEAAgD;AAChD,gEAA8C;AAC9C,oDAAkC;AAClC,6DAA2C;AAC3C,0DAAwC;AACxC,uDAAqC;AACrC,0DAAwC;AACxC,+CAA6B;AAC7B,wDAAsC;AACtC,mDAAiC;AACjC,4DAA0C;AAC1C,yDAAuC;AACvC,0DAAwC;AACxC,mEAAiD;AACjD,uDAAqC;AACrC,gEAA8C;AAC9C,kEAAgD;AAChD,6DAA2C;AAC3C,iEAA+C;AAC/C,0EAAwD;AACxD,2DAAyC;AACzC,6DAA2C;AAC3C,+EAA+E;AAC/E,8DAA4C;AAC5C,mEAAiD;AACjD,8DAA4C;AAC5C,uEAAqD;AACrD,8DAA4C;AAC5C,oEAAkD;AAClD,oEAAkD;AAElD,oDAAkC;AAClC,wDAAsC;AAEtC,eAAe;AACf,gDAA8B;AAC9B,sDAAoC;AAEpC,+DAA+D;AAC/D,+CAA+C;AAC/C,mCAAmC"}
|
|
@@ -70,7 +70,7 @@ export declare class ResetPasswordDTO {
|
|
|
70
70
|
* Validation:
|
|
71
71
|
* - Must be a string
|
|
72
72
|
* - Min 8 characters (security requirement)
|
|
73
|
-
* - Max 128 characters (prevents DoS via
|
|
73
|
+
* - Max 128 characters (prevents DoS via Argon2 hashing)
|
|
74
74
|
*
|
|
75
75
|
* Note: NOT trimmed (passwords can have leading/trailing spaces)
|
|
76
76
|
* Additional checks in service layer:
|
|
@@ -103,7 +103,7 @@ class ResetPasswordDTO {
|
|
|
103
103
|
* Validation:
|
|
104
104
|
* - Must be a string
|
|
105
105
|
* - Min 8 characters (security requirement)
|
|
106
|
-
* - Max 128 characters (prevents DoS via
|
|
106
|
+
* - Max 128 characters (prevents DoS via Argon2 hashing)
|
|
107
107
|
*
|
|
108
108
|
* Note: NOT trimmed (passwords can have leading/trailing spaces)
|
|
109
109
|
* Additional checks in service layer:
|
|
@@ -117,7 +117,7 @@ export declare class RespondChallengeDTO {
|
|
|
117
117
|
* Validation:
|
|
118
118
|
* - Must be a string
|
|
119
119
|
* - Min 8 characters (security requirement)
|
|
120
|
-
* - Max 128 characters (prevents DoS via
|
|
120
|
+
* - Max 128 characters (prevents DoS via Argon2 hashing)
|
|
121
121
|
*
|
|
122
122
|
* Note: NOT trimmed (passwords can have leading/trailing spaces)
|
|
123
123
|
*/
|
|
@@ -142,7 +142,7 @@ class RespondChallengeDTO {
|
|
|
142
142
|
* Validation:
|
|
143
143
|
* - Must be a string
|
|
144
144
|
* - Min 8 characters (security requirement)
|
|
145
|
-
* - Max 128 characters (prevents DoS via
|
|
145
|
+
* - Max 128 characters (prevents DoS via Argon2 hashing)
|
|
146
146
|
*
|
|
147
147
|
* Note: NOT trimmed (passwords can have leading/trailing spaces)
|
|
148
148
|
*/
|
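--- a/package/dist/dto/signup.dto.d.ts
+++ b/package/dist/dto/signup.dto.d.ts
@@ -24,7 +24,7 @@ export declare class SignupDTO {
 *
 * Validation:
 * - Min 8 characters
-* - Max 128 characters (prevents DoS via
+* - Max 128 characters (prevents DoS via Argon2 hashing)
 * - Additional policy checks in service layer
 *
 * Note: NOT trimmed (passwords can have leading/trailing spaces)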
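--- a/package/dist/dto/signup.dto.js
+++ b/package/dist/dto/signup.dto.js
@@ -38,7 +38,7 @@ class SignupDTO {
 *
 * Validation:
 * - Min 8 characters
-* - Max 128 characters (prevents DoS via
+* - Max 128 characters (prevents DoS via Argon2 hashing)
 * - Additional policy checks in service layer
 *
 * Note: NOT trimmed (passwords can have leading/trailing spaces)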
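--- /dev/null
+++ b/package/dist/entities/api-key.entity.d.ts
@@ -0,0 +1,135 @@
+/**
+ * Base API Key Entity
+ *
+ * Stores long-lived API keys that authenticate as their owning user.
+ * Only a hash of the secret is persisted; the plaintext key is shown once at creation.
+ * Database adapters extend this class and add ORM-specific decorators.
+ *
+ * @remarks
+ * This class is database-agnostic. TypeORM, Prisma, or other ORMs
+ * extend this class in their respective packages.
+ *
+ * Security:
+ * - The full key is never stored; only `keyHash` (SHA-256) is persisted.
+ * - `lookupId` is a non-secret, indexed identifier used for O(1) lookup.
+ * - `allowedIps` restricts which source IPs may use the key (empty/null = any IP).
+ */
+export declare class BaseApiKey {
+/**
+ * Internal API key ID (auto-increment integer)
+ */
+id: number;
+/**
+ * External API key identifier (UUID v4)
+ * Exposed in API responses instead of the internal integer id.
+ */
+keyId: string;
+/**
+ * Internal user ID (foreign key to users table)
+ * The key authenticates as this user.
+ */
+userId: number;
+/**
+ * Non-secret lookup identifier (indexed, unique)
+ *
+ * Embedded in the plaintext key and used to locate the record without
+ * scanning every hash. Not a secret on its own.
+ */
+lookupId: string;
+/**
+ * SHA-256 hash of the full plaintext key
+ * The plaintext key is never stored.
+ */
+keyHash: string;
+/**
+ * User-friendly key label (optional)
+ * E.g. "CI pipeline", "Zapier integration".
+ */
+name?: string | null;
+/**
+ * Last few characters of the plaintext key (display hint)
+ * Helps users identify a key in listings without exposing the secret.
+ */
+lastFour?: string | null;
+/**
+ * Allowed source IPs / CIDR ranges for this key
+ *
+ * When empty or null, the key may be used from any IP.
+ * When populated, requests from IPs outside the list are rejected.
+ */
+allowedIps?: string[] | null;
+/**
+ * Key expiration timestamp
+ * NULL means the key never expires (only allowed when config permits).
+ */
+expiresAt?: Date | null;
+/**
+ * Whether the key is active
+ * Set to false on revoke (soft delete) to disable without removing history.
+ */
+isActive: boolean;
+/**
+ * When the key was revoked
+ * NULL if not revoked.
+ */
+revokedAt?: Date | null;
+/**
+ * Reason the key was revoked (optional)
+ */
+revokeReason?: string | null;
+/**
+ * Whether the key was created by an administrator on behalf of the user
+ */
+createdByAdmin: boolean;
+/**
+ * When the key was last used for authentication
+ * NULL if never used. Updated on a throttled basis (see config).
+ */
+lastUsedAt?: Date | null;
+/**
+ * IP address of the most recent successful use
+ * Only populated when usage IP tracking is enabled.
+ */
+lastUsedIp?: string | null;
+/**
+ * Total number of successful authentications with this key
+ */
+usageCount: number;
+/**
+ * Additional metadata (JSON)
+ */
+metadata?: Record<string, unknown> | null;
+/**
+ * Creation timestamp
+ */
+createdAt: Date;
+/**
+ * Last update timestamp
+ */
+updatedAt: Date;
+/**
+ * Check if the key is expired
+ *
+ * @returns true if the key has an expiry that is in the past
+ *
+ * @example
+ * ```typescript
+ * if (apiKey.isExpired()) {
+ * throw new Error('API key has expired');
+ * }
+ * ```
+ */
+isExpired(): boolean;
+/**
+ * Check whether a given source IP is allowed to use this key
+ *
+ * An empty or null allowlist permits any IP. Otherwise the IP must match
+ * one of the configured entries (exact IPv4/IPv6 or CIDR range).
+ *
+ * @param ip - Source IP address of the request
+ * @param matcher - IP/CIDR match function (injected to keep this class dependency-free)
+ * @returns true if the IP is allowed
+ */
+isIpAllowed(ip: string | null | undefined, matcher: (ip: string, allow: string) => boolean): boolean;
+}
+//# sourceMappingURL=api-key.entity.d.ts.map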
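Review bot: The contracts declared for `isExpired()` and `isIpAllowed()` omit two facts a caller of this entity needs: `isExpired()` says nothing about revocation, and `isIpAllowed()` says nothing about where `ip` must come from. I would extend the `isExpired` doc with `Does not consider isActive or revokedAt; a revoked key is not "expired" and callers must check those fields separately.` and the `@param ip` line with `- the trusted client address after proxy handling, not a raw X-Forwarded-For value, otherwise the caller can choose the IP that is matched`. The class-level Security note could also state that an unsalted SHA-256 `keyHash` is adequate only because the secret portion of the key is expected to be high-entropy random, and that the lookup path should compare hashes with a constant-time comparison; whether the service layer does either is not visible in this file.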
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"api-key.entity.d.ts","sourceRoot":"","sources":["../../src/entities/api-key.entity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AACH,qBAAa,UAAU;IACrB;;OAEG;IACH,EAAE,EAAG,MAAM,CAAC;IAEZ;;;OAGG;IACH,KAAK,EAAG,MAAM,CAAC;IAEf;;;OAGG;IACH,MAAM,EAAG,MAAM,CAAC;IAEhB;;;;;OAKG;IACH,QAAQ,EAAG,MAAM,CAAC;IAElB;;;OAGG;IACH,OAAO,EAAG,MAAM,CAAC;IAEjB;;;OAGG;IACH,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAErB;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAEzB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IAE7B;;;OAGG;IACH,SAAS,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAExB;;;OAGG;IACH,QAAQ,EAAG,OAAO,CAAC;IAEnB;;;OAGG;IACH,SAAS,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAExB;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAE7B;;OAEG;IACH,cAAc,EAAG,OAAO,CAAC;IAEzB;;;OAGG;IACH,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAEzB;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAE3B;;OAEG;IACH,UAAU,EAAG,MAAM,CAAC;IAEpB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAE1C;;OAEG;IACH,SAAS,EAAG,IAAI,CAAC;IAEjB;;OAEG;IACH,SAAS,EAAG,IAAI,CAAC;IAEjB;;;;;;;;;;;OAWG;IACH,SAAS,IAAI,OAAO;IAIpB;;;;;;;;;OASG;IACH,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAAE,OAAO,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,KAAK,OAAO,GAAG,OAAO;CASrG"}
|
|
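--- /dev/null
+++ b/package/dist/entities/api-key.entity.js
@@ -0,0 +1,149 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BaseApiKey = void 0;
+/**
+ * Base API Key Entity
+ *
+ * Stores long-lived API keys that authenticate as their owning user.
+ * Only a hash of the secret is persisted; the plaintext key is shown once at creation.
+ * Database adapters extend this class and add ORM-specific decorators.
+ *
+ * @remarks
+ * This class is database-agnostic. TypeORM, Prisma, or other ORMs
+ * extend this class in their respective packages.
+ *
+ * Security:
+ * - The full key is never stored; only `keyHash` (SHA-256) is persisted.
+ * - `lookupId` is a non-secret, indexed identifier used for O(1) lookup.
+ * - `allowedIps` restricts which source IPs may use the key (empty/null = any IP).
+ */
+class BaseApiKey {
+/**
+ * Internal API key ID (auto-increment integer)
+ */
+id;
+/**
+ * External API key identifier (UUID v4)
+ * Exposed in API responses instead of the internal integer id.
+ */
+keyId;
+/**
+ * Internal user ID (foreign key to users table)
+ * The key authenticates as this user.
+ */
+userId;
+/**
+ * Non-secret lookup identifier (indexed, unique)
+ *
+ * Embedded in the plaintext key and used to locate the record without
+ * scanning every hash. Not a secret on its own.
+ */
+lookupId;
+/**
+ * SHA-256 hash of the full plaintext key
+ * The plaintext key is never stored.
+ */
+keyHash;
+/**
+ * User-friendly key label (optional)
+ * E.g. "CI pipeline", "Zapier integration".
+ */
+name;
+/**
+ * Last few characters of the plaintext key (display hint)
+ * Helps users identify a key in listings without exposing the secret.
+ */
+lastFour;
+/**
+ * Allowed source IPs / CIDR ranges for this key
+ *
+ * When empty or null, the key may be used from any IP.
+ * When populated, requests from IPs outside the list are rejected.
+ */
+allowedIps;
+/**
+ * Key expiration timestamp
+ * NULL means the key never expires (only allowed when config permits).
+ */
+expiresAt;
+/**
+ * Whether the key is active
+ * Set to false on revoke (soft delete) to disable without removing history.
+ */
+isActive;
+/**
+ * When the key was revoked
+ * NULL if not revoked.
+ */
+revokedAt;
+/**
+ * Reason the key was revoked (optional)
+ */
+revokeReason;
+/**
+ * Whether the key was created by an administrator on behalf of the user
+ */
+createdByAdmin;
+/**
+ * When the key was last used for authentication
+ * NULL if never used. Updated on a throttled basis (see config).
+ */
+lastUsedAt;
+/**
+ * IP address of the most recent successful use
+ * Only populated when usage IP tracking is enabled.
+ */
+lastUsedIp;
+/**
+ * Total number of successful authentications with this key
+ */
+usageCount;
+/**
+ * Additional metadata (JSON)
+ */
+metadata;
+/**
+ * Creation timestamp
+ */
+createdAt;
+/**
+ * Last update timestamp
+ */
+updatedAt;
+/**
+ * Check if the key is expired
+ *
+ * @returns true if the key has an expiry that is in the past
+ *
+ * @example
+ * ```typescript
+ * if (apiKey.isExpired()) {
+ * throw new Error('API key has expired');
+ * }
+ * ```
+ */
+isExpired() {
+return this.expiresAt !== null && this.expiresAt !== undefined && new Date() > this.expiresAt;
+}
+/**
+ * Check whether a given source IP is allowed to use this key
+ *
+ * An empty or null allowlist permits any IP. Otherwise the IP must match
+ * one of the configured entries (exact IPv4/IPv6 or CIDR range).
+ *
+ * @param ip - Source IP address of the request
+ * @param matcher - IP/CIDR match function (injected to keep this class dependency-free)
+ * @returns true if the IP is allowed
+ */
+isIpAllowed(ip, matcher) {
+if (!this.allowedIps || this.allowedIps.length === 0) {
+return true;
+}
+if (!ip) {
+return false;
+}
+return this.allowedIps.some((entry) => matcher(ip, entry));
+}
+}
+exports.BaseApiKey = BaseApiKey;
+//# sourceMappingURL=api-key.entity.js.map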
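Review bot: `isExpired()` on line 126 decides with `new Date() > this.expiresAt`, which silently returns false — the key is treated as never expiring — if an adapter hydrates `expiresAt` as an ISO string or any other non-Date value, because the relational operator coerces the string to NaN; the class is explicitly meant to be extended by ORM adapters, though whether any of them does this is not visible here. Normalising through `new Date(...).getTime()` and failing closed on an unparseable value removes that dependency on the adapter without changing the result for a real `Date`. Separately, neither `isExpired()` nor `isIpAllowed()` consults `isActive`/`revokedAt`, so the service layer must check revocation on its own. `isIpAllowed()` is sound only if `ip` is the proxy-validated client address; handed a raw `X-Forwarded-For` value the caller effectively picks the IP that gets matched, and nothing in this class can tell the two apart.
```javascript
isExpired() {
    if (this.expiresAt === null || this.expiresAt === undefined) {
        return false;
    }
    // Normalise Date | string | number; an unparseable value counts as expired (fail closed)
    const expiry = new Date(this.expiresAt).getTime();
    return Number.isNaN(expiry) || Date.now() > expiry;
}
// … unchanged: isIpAllowed …
```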
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"api-key.entity.js","sourceRoot":"","sources":["../../src/entities/api-key.entity.ts"],"names":[],"mappings":";;;AAAA;;;;;;;;;;;;;;;GAeG;AACH,MAAa,UAAU;IACrB;;OAEG;IACH,EAAE,CAAU;IAEZ;;;OAGG;IACH,KAAK,CAAU;IAEf;;;OAGG;IACH,MAAM,CAAU;IAEhB;;;;;OAKG;IACH,QAAQ,CAAU;IAElB;;;OAGG;IACH,OAAO,CAAU;IAEjB;;;OAGG;IACH,IAAI,CAAiB;IAErB;;;OAGG;IACH,QAAQ,CAAiB;IAEzB;;;;;OAKG;IACH,UAAU,CAAmB;IAE7B;;;OAGG;IACH,SAAS,CAAe;IAExB;;;OAGG;IACH,QAAQ,CAAW;IAEnB;;;OAGG;IACH,SAAS,CAAe;IAExB;;OAEG;IACH,YAAY,CAAiB;IAE7B;;OAEG;IACH,cAAc,CAAW;IAEzB;;;OAGG;IACH,UAAU,CAAe;IAEzB;;;OAGG;IACH,UAAU,CAAiB;IAE3B;;OAEG;IACH,UAAU,CAAU;IAEpB;;OAEG;IACH,QAAQ,CAAkC;IAE1C;;OAEG;IACH,SAAS,CAAQ;IAEjB;;OAEG;IACH,SAAS,CAAQ;IAEjB;;;;;;;;;;;OAWG;IACH,SAAS;QACP,OAAO,IAAI,CAAC,SAAS,KAAK,IAAI,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS,IAAI,IAAI,IAAI,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC;IAChG,CAAC;IAED;;;;;;;;;OASG;IACH,WAAW,CAAC,EAA6B,EAAE,OAA+C;QACxF,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACrD,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,CAAC,EAAE,EAAE,CAAC;YACR,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,CAAC;IAC7D,CAAC;CACF;AAnJD,gCAmJC"}
|
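--- a/package/dist/entities/index.d.ts
+++ b/package/dist/entities/index.d.ts
@@ -28,4 +28,5 @@ export { BaseAuthAudit, type AuthAuditEventStatus } from './auth-audit.entity';
 export { BaseRateLimit } from './rate-limit.entity';
 export { BaseStorageLock } from './storage-lock.entity';
 export { BaseSocialProviderSecret } from './social-provider-secret.entity';
+export { BaseApiKey } from './api-key.entity';
 //# sourceMappingURL=index.d.ts.map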
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/entities/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AACH,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAC;AACpE,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAClE,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,KAAK,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC/E,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,wBAAwB,EAAE,MAAM,iCAAiC,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/entities/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AACH,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAC;AACpE,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAClE,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,KAAK,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC/E,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,wBAAwB,EAAE,MAAM,iCAAiC,CAAC;AAC3E,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC"}
|
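--- a/package/dist/entities/index.js
+++ b/package/dist/entities/index.js
@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.BaseSocialProviderSecret = exports.BaseStorageLock = exports.BaseRateLimit = exports.BaseAuthAudit = exports.BaseMFADevice = exports.BaseChallengeSession = exports.BaseSocialAccount = exports.BaseVerificationToken = exports.BaseLoginAttempt = exports.BaseTrustedDevice = exports.BaseSession = exports.BaseUser = void 0;
+exports.BaseApiKey = exports.BaseSocialProviderSecret = exports.BaseStorageLock = exports.BaseRateLimit = exports.BaseAuthAudit = exports.BaseMFADevice = exports.BaseChallengeSession = exports.BaseSocialAccount = exports.BaseVerificationToken = exports.BaseLoginAttempt = exports.BaseTrustedDevice = exports.BaseSession = exports.BaseUser = void 0;
 /**
  * Base Entity Classes
  *
@@ -43,4 +43,6 @@ var storage_lock_entity_1 = require("./storage-lock.entity");
 Object.defineProperty(exports, "BaseStorageLock", { enumerable: true, get: function () { return storage_lock_entity_1.BaseStorageLock; } });
 var social_provider_secret_entity_1 = require("./social-provider-secret.entity");
 Object.defineProperty(exports, "BaseSocialProviderSecret", { enumerable: true, get: function () { return social_provider_secret_entity_1.BaseSocialProviderSecret; } });
+var api_key_entity_1 = require("./api-key.entity");
+Object.defineProperty(exports, "BaseApiKey", { enumerable: true, get: function () { return api_key_entity_1.BaseApiKey; } });
 //# sourceMappingURL=index.js.map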