@nauth-toolkit/mfa-email 0.1.3

package/LICENSE

@@ -0,0 +1,90 @@
+NAUTH TOOLKIT EARLY ACCESS LICENSE
+Version 1.0 (December 2025)
+
+================================================================================
+FUTURE OPEN SOURCE NOTICE
+================================================================================
+NAuth Toolkit will transition to an open-source license (MIT or Apache 2.0) for
+core authentication features once the project reaches production readiness.
+
+This Early Access License is temporary and designed to:
+• Allow developers to build with nauth-toolkit during preview/beta
+• Provide clear expectations during the pre-release phase
+• Enable feedback and real-world testing before GA
+
+We're committed to keeping core auth free and open source. Premium features
+(enterprise SSO, advanced compliance, hosted options) will be offered separately
+under fair commercial terms.
+
+================================================================================
+EARLY ACCESS LICENSE TERMS
+================================================================================
+
+1. Grant of Use
+   You are granted a free, non-exclusive, non-transferable license to:
+   - Install and use nauth-toolkit packages in development, testing, staging,
+     and production environments
+   - Modify the code for your own internal use
+   - Deploy applications using nauth-toolkit to serve your users
+
+   You may NOT:
+   - Redistribute NAuth Toolkit as a standalone product or service
+   - Sell, sublicense, or offer NAuth Toolkit as part of a competing auth
+     platform or toolkit
+   - Remove or alter copyright notices
+
+2. No Fees During Early Access
+   There are no license fees, subscription costs, or usage charges during the
+   Early Access period. You may use nauth-toolkit freely for commercial and
+   non-commercial purposes within the terms of this license.
+
+3. Production Use
+   Production use is permitted but comes with standard early-access caveats:
+   - Features and APIs may change between preview releases
+   - Support is community-based (GitHub issues/discussions)
+   - No SLA or guaranteed uptime (you run it on your infrastructure)
+
+   We recommend thorough testing and having rollback plans for critical systems.
+
+4. Future Transition
+   When nauth-toolkit releases v1.0 GA:
+   - Core packages will adopt an open-source license (MIT or Apache 2.0)
+   - Your existing deployments will continue to work
+   - Premium features (if any) will be clearly documented with separate licensing
+   - No forced upgrades or surprise fees
+
+5. Ownership
+   NAuth Toolkit is developed and maintained by Noorix Digital Solutions.
+   You retain full ownership of your applications and data.
+
+6. Data and Privacy
+   NAuth Toolkit runs in YOUR infrastructure and database. You control all data.
+   You are responsible for compliance with applicable data protection laws.
+
+7. Disclaimer of Warranty
+   THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
+
+8. Limitation of Liability
+   IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE FOR ANY INDIRECT, INCIDENTAL,
+   SPECIAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS
+   OF PROFITS, REVENUE, DATA, OR USE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+   DAMAGES.
+
+9. Termination
+   This license remains in effect until:
+   - You stop using nauth-toolkit, or
+   - The project transitions to open source (at which point the new license applies)
+
+   If you breach these terms, your license terminates and you must stop using the
+   software.
+
+10. Contact and Support
+    - Documentation: https://nauth.dev
+    - Issues/Discussions: GitHub (when public repository launches)
+    - Commercial inquiries: Contact admin@noorix.com
+
+================================================================================
+Thank you for being an early adopter. Your feedback shapes the future of NAuth.
+================================================================================

package/README.md

@@ -0,0 +1,30 @@
+# @nauth-toolkit/mfa-email
+
+Email MFA provider for nauth-toolkit
+
+## ⚠️ Preview Release Notice
+
+**This is a preview release for internal testing. Do not use in production yet.**
+
+This package is part of nauth-toolkit and is currently in early access/preview. Features and APIs may change between releases. For production use, please wait for the stable v1.0 release.
+
+## Installation
+
+```bash
+npm install @nauth-toolkit/mfa-email@preview
+# or
+yarn add @nauth-toolkit/mfa-email@preview
+```
+
+## License
+
+See LICENSE file in the package root for full license terms.
+
+## Documentation
+
+Full documentation: https://nauth.dev
+
+## Support
+
+- Issues/Discussions: GitHub (when repository is public)
+- Documentation: https://nauth.dev

package/dist/nestjs/email-mfa.module.d.ts

@@ -0,0 +1,10 @@
+import { OnModuleInit } from '@nestjs/common';
+import { EmailMFAProviderService } from '../src/email-mfa-provider.service';
+import { MFAService } from '@nauth-toolkit/core';
+export declare class EmailMFAModule implements OnModuleInit {
+    private readonly emailMFAProvider;
+    private readonly mfaService;
+    constructor(emailMFAProvider: EmailMFAProviderService, mfaService: MFAService);
+    onModuleInit(): void;
+}
+//# sourceMappingURL=email-mfa.module.d.ts.map

package/dist/nestjs/email-mfa.module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"email-mfa.module.d.ts","sourceRoot":"","sources":["../../nestjs/email-mfa.module.ts"],"names":[],"mappings":"AAAA,OAAO,EAAU,YAAY,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,uBAAuB,EAAE,MAAM,mCAAmC,CAAC;AAE5E,OAAO,EAAE,UAAU,EAAyE,MAAM,qBAAqB,CAAC;AA0BxH,qBA2Ca,cAAe,YAAW,YAAY;IAE/C,OAAO,CAAC,QAAQ,CAAC,gBAAgB;IACjC,OAAO,CAAC,QAAQ,CAAC,UAAU;gBADV,gBAAgB,EAAE,uBAAuB,EACzC,UAAU,EAAE,UAAU;IAMzC,YAAY,IAAI,IAAI;CAMrB"}

package/dist/nestjs/email-mfa.module.js

@@ -0,0 +1,58 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EmailMFAModule = void 0;
+const common_1 = require("@nestjs/common");
+const email_mfa_provider_service_1 = require("../src/email-mfa-provider.service");
+const core_1 = require("@nauth-toolkit/core");
+const internal_1 = require("@nauth-toolkit/core/internal");
+let EmailMFAModule = class EmailMFAModule {
+    emailMFAProvider;
+    mfaService;
+    constructor(emailMFAProvider, mfaService) {
+        this.emailMFAProvider = emailMFAProvider;
+        this.mfaService = mfaService;
+    }
+    onModuleInit() {
+        if (!this.mfaService) {
+            throw new Error('MFAService is not available. Ensure AuthModule.forRoot() is imported before EmailMFAModule.');
+        }
+        this.mfaService.registerProvider(this.emailMFAProvider);
+    }
+};
+exports.EmailMFAModule = EmailMFAModule;
+exports.EmailMFAModule = EmailMFAModule = __decorate([
+    (0, common_1.Module)({
+        providers: [
+            {
+                provide: email_mfa_provider_service_1.EmailMFAProviderService,
+                useFactory: (mfaDeviceRepository, userRepository, config, logger, passwordService, emailVerificationService, challengeService, auditService, clientInfoService) => {
+                    return new email_mfa_provider_service_1.EmailMFAProviderService(mfaDeviceRepository, userRepository, config, logger, passwordService, emailVerificationService, challengeService, auditService, clientInfoService);
+                },
+                inject: [
+                    'MFADeviceRepository',
+                    'UserRepository',
+                    'NAUTH_CONFIG',
+                    'NAUTH_LOGGER',
+                    { token: internal_1.PasswordService, optional: true },
+                    { token: core_1.EmailVerificationService, optional: true },
+                    { token: 'ChallengeService', optional: true },
+                    { token: internal_1.AuthAuditService, optional: true },
+                    { token: core_1.ClientInfoService, optional: true },
+                ],
+            },
+        ],
+        exports: [email_mfa_provider_service_1.EmailMFAProviderService],
+    }),
+    __metadata("design:paramtypes", [email_mfa_provider_service_1.EmailMFAProviderService,
+        core_1.MFAService])
+], EmailMFAModule);
+//# sourceMappingURL=email-mfa.module.js.map

package/dist/nestjs/email-mfa.module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"email-mfa.module.js","sourceRoot":"","sources":["../../nestjs/email-mfa.module.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,2CAAsD;AACtD,kFAA4E;AAE5E,8CAAwH;AAExH,2DAA6G;AAmEtG,IAAM,cAAc,GAApB,MAAM,cAAc;IAEN;IACA;IAFnB,YACmB,gBAAyC,EACzC,UAAsB;QADtB,qBAAgB,GAAhB,gBAAgB,CAAyB;QACzC,eAAU,GAAV,UAAU,CAAY;IACtC,CAAC;IAKJ,YAAY;QACV,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,6FAA6F,CAAC,CAAC;QACjH,CAAC;QACD,IAAI,CAAC,UAAU,CAAC,gBAAgB,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAC1D,CAAC;CACF,CAAA;AAfY,wCAAc;yBAAd,cAAc;IA3C1B,IAAA,eAAM,EAAC;QACN,SAAS,EAAE;YAET;gBACE,OAAO,EAAE,oDAAuB;gBAChC,UAAU,EAAE,CACV,mBAA8C,EAC9C,cAAoC,EACpC,MAAmB,EACnB,MAAmB,EACnB,eAAgC,EAChC,wBAA8D,EAC9D,gBAAqB,EACrB,YAAiB,EACjB,iBAAsB,EACtB,EAAE;oBACF,OAAO,IAAI,oDAAuB,CAChC,mBAAmB,EACnB,cAAc,EACd,MAAM,EACN,MAAM,EACN,eAAe,EACf,wBAAwB,EACxB,gBAAgB,EAChB,YAAY,EACZ,iBAAiB,CAClB,CAAC;gBACJ,CAAC;gBACD,MAAM,EAAE;oBACN,qBAAqB;oBACrB,gBAAgB;oBAChB,cAAc;oBACd,cAAc;oBACd,EAAE,KAAK,EAAE,0BAAe,EAAE,QAAQ,EAAE,IAAI,EAAE;oBAC1C,EAAE,KAAK,EAAE,+BAAwB,EAAE,QAAQ,EAAE,IAAI,EAAE;oBACnD,EAAE,KAAK,EAAE,kBAAkB,EAAE,QAAQ,EAAE,IAAI,EAAE;oBAC7C,EAAE,KAAK,EAAE,2BAAwB,EAAE,QAAQ,EAAE,IAAI,EAAE;oBACnD,EAAE,KAAK,EAAE,wBAAiB,EAAE,QAAQ,EAAE,IAAI,EAAE;iBAC7C;aACF;SACF;QACD,OAAO,EAAE,CAAC,oDAAuB,CAAC;KACnC,CAAC;qCAGqC,oDAAuB;QAC7B,iBAAU;GAH9B,cAAc,CAe1B"}

package/dist/nestjs/index.d.ts

@@ -0,0 +1,4 @@
+export { EmailMFAModule } from './email-mfa.module';
+export * from '../src/email-mfa-provider.service';
+export * from '../src/dto/mfa.dto';
+//# sourceMappingURL=index.d.ts.map

package/dist/nestjs/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../nestjs/index.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAGpD,cAAc,mCAAmC,CAAC;AAClD,cAAc,oBAAoB,CAAC"}

package/dist/nestjs/index.js

@@ -0,0 +1,22 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EmailMFAModule = void 0;
+var email_mfa_module_1 = require("./email-mfa.module");
+Object.defineProperty(exports, "EmailMFAModule", { enumerable: true, get: function () { return email_mfa_module_1.EmailMFAModule; } });
+__exportStar(require("../src/email-mfa-provider.service"), exports);
+__exportStar(require("../src/dto/mfa.dto"), exports);
+//# sourceMappingURL=index.js.map

package/dist/nestjs/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../nestjs/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAMA,uDAAoD;AAA3C,kHAAA,cAAc,OAAA;AAGvB,oEAAkD;AAClD,qDAAmC"}

package/dist/src/dto/mfa.dto.d.ts

@@ -0,0 +1,12 @@
+export interface SetupEmailMFADTO {
+    email: string;
+    deviceName?: string;
+}
+export interface VerifyEmailMFASetupDTO {
+    email: string;
+    code: string;
+}
+export interface SendEmailMFACodeDTO {
+    session: string;
+}
+//# sourceMappingURL=mfa.dto.d.ts.map

package/dist/src/dto/mfa.dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mfa.dto.d.ts","sourceRoot":"","sources":["../../../src/dto/mfa.dto.ts"],"names":[],"mappings":"AAyBA,MAAM,WAAW,gBAAgB;IAM/B,KAAK,EAAE,MAAM,CAAC;IAMd,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAeD,MAAM,WAAW,sBAAsB;IAIrC,KAAK,EAAE,MAAM,CAAC;IAKd,IAAI,EAAE,MAAM,CAAC;CACd;AAcD,MAAM,WAAW,mBAAmB;IAIlC,OAAO,EAAE,MAAM,CAAC;CACjB"}

package/dist/src/dto/mfa.dto.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=mfa.dto.js.map

package/dist/src/dto/mfa.dto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mfa.dto.js","sourceRoot":"","sources":["../../../src/dto/mfa.dto.ts"],"names":[],"mappings":""}

package/dist/src/email-mfa-provider.service.d.ts

@@ -0,0 +1,18 @@
+import { Repository } from 'typeorm';
+import { BaseMFADevice, BaseUser, IUser, NAuthConfig, NAuthLogger, EmailVerificationService, MFAMethod } from '@nauth-toolkit/core';
+import { BaseMFAProviderService } from '@nauth-toolkit/core/internal';
+export declare class EmailMFAProviderService extends BaseMFAProviderService {
+    private readonly emailVerificationService?;
+    readonly methodName = MFAMethod.EMAIL;
+    constructor(mfaDeviceRepository: Repository<BaseMFADevice>, userRepository: Repository<BaseUser>, config: NAuthConfig, logger: NAuthLogger, passwordService: unknown, emailVerificationService?: EmailVerificationService | undefined, challengeService?: unknown, auditService?: unknown, clientInfoService?: unknown);
+    setup(user: IUser, setupData?: unknown): Promise<{
+        deviceId: number;
+        autoCompleted: true;
+    } | {
+        maskedEmail: string;
+    }>;
+    verifySetup(user: IUser, verificationData: unknown, deviceName?: string): Promise<number>;
+    verify(user: IUser, code: unknown, deviceId?: number): Promise<boolean>;
+    sendChallenge(user: IUser): Promise<string>;
+}
+//# sourceMappingURL=email-mfa-provider.service.d.ts.map

package/dist/src/email-mfa-provider.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"email-mfa-provider.service.d.ts","sourceRoot":"","sources":["../../src/email-mfa-provider.service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAErC,OAAO,EACL,aAAa,EACb,QAAQ,EACR,KAAK,EACL,WAAW,EACX,WAAW,EAGX,wBAAwB,EACxB,SAAS,EAGV,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAC;AAwBtE,qBAAa,uBAAwB,SAAQ,sBAAsB;IAS/D,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC;IAR5C,QAAQ,CAAC,UAAU,mBAAmB;gBAGpC,mBAAmB,EAAE,UAAU,CAAC,aAAa,CAAC,EAC9C,cAAc,EAAE,UAAU,CAAC,QAAQ,CAAC,EACpC,MAAM,EAAE,WAAW,EACnB,MAAM,EAAE,WAAW,EACnB,eAAe,EAAE,OAAO,EACP,wBAAwB,CAAC,EAAE,wBAAwB,YAAA,EACpE,gBAAgB,CAAC,EAAE,OAAO,EAC1B,YAAY,CAAC,EAAE,OAAO,EACtB,iBAAiB,CAAC,EAAE,OAAO;IAmCvB,KAAK,CACT,IAAI,EAAE,KAAK,EACX,SAAS,CAAC,EAAE,OAAO,GAClB,OAAO,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,aAAa,EAAE,IAAI,CAAA;KAAE,GAAG;QAAE,WAAW,EAAE,MAAM,CAAA;KAAE,CAAC;IA2FzE,WAAW,CAAC,IAAI,EAAE,KAAK,EAAE,gBAAgB,EAAE,OAAO,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAmGzF,MAAM,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAkFvE,aAAa,CAAC,IAAI,EAAE,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC;CA4ClD"}

package/dist/src/email-mfa-provider.service.js

@@ -0,0 +1,157 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EmailMFAProviderService = void 0;
+const core_1 = require("@nauth-toolkit/core");
+const internal_1 = require("@nauth-toolkit/core/internal");
+class EmailMFAProviderService extends internal_1.BaseMFAProviderService {
+    emailVerificationService;
+    methodName = core_1.MFAMethod.EMAIL;
+    constructor(mfaDeviceRepository, userRepository, config, logger, passwordService, emailVerificationService, challengeService, auditService, clientInfoService) {
+        super(mfaDeviceRepository, userRepository, config, logger, passwordService, challengeService, auditService, clientInfoService);
+        this.emailVerificationService = emailVerificationService;
+    }
+    async setup(user, setupData) {
+        this.logger?.log?.(`Setting up Email MFA for user: ${user.sub}`);
+        if (!this.isMethodAllowed()) {
+            throw new core_1.NAuthException(core_1.AuthErrorCode.VALIDATION_FAILED, 'Email MFA is not enabled', { feature: 'email-mfa' });
+        }
+        const dto = setupData;
+        const userEntity = user;
+        const isEmailVerified = userEntity.isEmailVerified || false;
+        const email = dto?.email || userEntity.email;
+        if (!email) {
+            throw new core_1.NAuthException(core_1.AuthErrorCode.VALIDATION_FAILED, 'Email address is required for Email MFA setup. Please provide an email address.');
+        }
+        if (isEmailVerified) {
+            this.logger?.log?.(`Email already verified for user ${user.sub}, auto-completing Email MFA setup`);
+            const deviceId = await this.verifySetup(user, {
+                email,
+                code: '',
+            }, dto?.deviceName);
+            return { deviceId, autoCompleted: true };
+        }
+        if (!this.emailVerificationService) {
+            throw new core_1.NAuthException(core_1.AuthErrorCode.VALIDATION_FAILED, 'Email verification service is not available. Email provider must be configured.');
+        }
+        const sendDto = new core_1.SendVerificationEmailDTO();
+        sendDto.sub = user.sub;
+        const setupDataWithSession = setupData;
+        if (setupDataWithSession?.challengeSessionId) {
+            sendDto.challengeSessionId = setupDataWithSession.challengeSessionId;
+        }
+        await this.emailVerificationService.sendVerificationEmail(sendDto);
+        const maskedEmail = this.maskEmail(email);
+        this.logger?.log?.(`Email MFA code sent to: ${maskedEmail}`);
+        return { maskedEmail };
+    }
+    async verifySetup(user, verificationData, deviceName) {
+        this.logger?.log?.(`Verifying Email MFA setup for user: ${user.sub}`);
+        const dto = verificationData;
+        const userEntity = user;
+        const userId = userEntity.id;
+        const userMfaEnabled = userEntity.mfaEnabled || false;
+        const isEmailVerified = userEntity.isEmailVerified || false;
+        const email = dto.email || userEntity.email;
+        if (!email) {
+            throw new core_1.NAuthException(core_1.AuthErrorCode.VALIDATION_FAILED, 'Email address is required for Email MFA setup. Please provide an email address.');
+        }
+        if (!isEmailVerified) {
+            if (!this.emailVerificationService) {
+                throw new core_1.NAuthException(core_1.AuthErrorCode.VALIDATION_FAILED, 'Email verification service is not available. Email provider must be configured.');
+            }
+            if (!dto.code || dto.code.trim() === '') {
+                throw new core_1.NAuthException(core_1.AuthErrorCode.VALIDATION_FAILED, 'Verification code is required');
+            }
+            try {
+                const verifyDto = new core_1.VerifyEmailWithCodeDTO();
+                verifyDto.email = user.email;
+                verifyDto.code = dto.code;
+                await this.emailVerificationService.verifyEmailWithCode(verifyDto);
+                this.logger?.log?.(`Email verified during Email MFA setup for user ${user.sub} - email is now marked as verified in database`);
+            }
+            catch (error) {
+                const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+                this.logger?.error?.(`Failed to verify email during Email MFA setup for user ${user.sub}: ${errorMessage}`, error);
+                throw new core_1.NAuthException(core_1.AuthErrorCode.VERIFICATION_CODE_INVALID, 'Invalid Email code');
+            }
+        }
+        else {
+            this.logger?.log?.(`Email already verified for user ${user.sub}, skipping Email code verification during MFA setup`);
+        }
+        const device = await this.createDevice(userId, {
+            name: deviceName || 'Email',
+            email,
+            isActive: true,
+            isPrimary: !userMfaEnabled,
+        });
+        await this.enableMFAForUser(user);
+        this.logger?.log?.(`Email MFA setup completed for user: ${user.sub}`);
+        return device.id;
+    }
+    async verify(user, code, deviceId) {
+        this.logger?.log?.(`Verifying Email code for user: ${user.sub}`);
+        if (!this.emailVerificationService) {
+            this.logger?.warn?.('Email verification attempted but email verification service is not available');
+            return false;
+        }
+        const emailCode = code;
+        if (!emailCode || typeof emailCode !== 'string') {
+            this.logger?.warn?.('Invalid Email code format');
+            return false;
+        }
+        const userEntity = user;
+        const userId = userEntity.id;
+        const isEmailVerified = userEntity.isEmailVerified || false;
+        const device = deviceId ? await this.findDevice(userId, deviceId) : null;
+        try {
+            const verifyDto = new core_1.VerifyEmailWithCodeDTO();
+            verifyDto.email = user.email;
+            verifyDto.code = emailCode;
+            await this.emailVerificationService.verifyEmailWithCode(verifyDto);
+            if (!isEmailVerified) {
+                this.logger?.log?.(`Email code verified and email marked as verified during MFA for user: ${user.sub}`);
+            }
+            else {
+                this.logger?.log?.(`Email code verified for MFA (email already verified) for user: ${user.sub}`);
+            }
+            if (device) {
+                await this.updateDeviceUsage(device.id);
+            }
+            this.logger?.log?.(`Email code verified successfully for user: ${user.sub}`);
+            return true;
+        }
+        catch (error) {
+            if (error instanceof core_1.NAuthException) {
+                throw error;
+            }
+            const errorMessage = error instanceof Error ? error.message : String(error);
+            const errorCode = error?.code || 'UNKNOWN';
+            this.logger?.warn?.(`Email code verification failed for user: ${user.sub}, code: ${emailCode}, error: ${errorCode} - ${errorMessage}`);
+            return false;
+        }
+    }
+    async sendChallenge(user) {
+        this.logger?.log?.(`Sending Email MFA code for user: ${user.sub}`);
+        const userEntity = user;
+        const userId = userEntity.id;
+        const device = await this.findDevice(userId);
+        if (!device) {
+            throw new core_1.NAuthException(core_1.AuthErrorCode.NOT_FOUND, 'No Email device registered', { deviceType: 'email' });
+        }
+        const emailAddress = device.email || user.email;
+        if (!emailAddress) {
+            throw new core_1.NAuthException(core_1.AuthErrorCode.VALIDATION_FAILED, 'No email address found for Email MFA. Please update your profile or re-setup Email MFA.', { deviceType: 'email' });
+        }
+        if (!this.emailVerificationService) {
+            throw new core_1.NAuthException(core_1.AuthErrorCode.VALIDATION_FAILED, 'Email verification service is not available. Email provider must be configured.');
+        }
+        const sendDto = new core_1.SendVerificationEmailDTO();
+        sendDto.sub = user.sub;
+        sendDto.skipAlreadyVerifiedCheck = true;
+        await this.emailVerificationService.sendVerificationEmail(sendDto);
+        this.logger?.log?.(`Email MFA code sent for user: ${user.sub}`);
+        return this.maskEmail(emailAddress);
+    }
+}
+exports.EmailMFAProviderService = EmailMFAProviderService;
+//# sourceMappingURL=email-mfa-provider.service.js.map

package/dist/src/email-mfa-provider.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"email-mfa-provider.service.js","sourceRoot":"","sources":["../../src/email-mfa-provider.service.ts"],"names":[],"mappings":";;;AAEA,8CAY6B;AAE7B,2DAAsE;AAwBtE,MAAa,uBAAwB,SAAQ,iCAAsB;IAS9C;IARV,UAAU,GAAG,gBAAS,CAAC,KAAK,CAAC;IAEtC,YACE,mBAA8C,EAC9C,cAAoC,EACpC,MAAmB,EACnB,MAAmB,EACnB,eAAwB,EACP,wBAAmD,EACpE,gBAA0B,EAC1B,YAAsB,EACtB,iBAA2B;QAE3B,KAAK,CACH,mBAAmB,EACnB,cAAc,EACd,MAAM,EACN,MAAM,EACN,eAAe,EACf,gBAAuB,EACvB,YAAmB,EACnB,iBAAwB,CACzB,CAAC;QAde,6BAAwB,GAAxB,wBAAwB,CAA2B;IAetE,CAAC;IAuBD,KAAK,CAAC,KAAK,CACT,IAAW,EACX,SAAmB;QAEnB,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,kCAAkC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAGjE,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,EAAE,CAAC;YAC5B,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,iBAAiB,EAAE,0BAA0B,EAAE,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC,CAAC;QAClH,CAAC;QAED,MAAM,GAAG,GAAG,SAAyC,CAAC;QACtD,MAAM,UAAU,GAAG,IAA0C,CAAC;QAC9D,MAAM,eAAe,GAAI,UAAU,CAAC,eAA2B,IAAI,KAAK,CAAC;QAGzE,MAAM,KAAK,GAAG,GAAG,EAAE,KAAK,IAAK,UAAU,CAAC,KAA4B,CAAC;QAErE,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,qBAAc,CACtB,oBAAa,CAAC,iBAAiB,EAC/B,iFAAiF,CAClF,CAAC;QACJ,CAAC;QAMD,IAAI,eAAe,EAAE,CAAC;YACpB,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,mCAAmC,IAAI,CAAC,GAAG,mCAAmC,CAAC,CAAC;YAEnG,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,CACrC,IAAI,EACJ;gBACE,KAAK;gBACL,IAAI,EAAE,EAAE;aACT,EACD,GAAG,EAAE,UAAU,CAChB,CAAC;YACF,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QAC3C,CAAC;QAID,IAAI,CAAC,IAAI,CAAC,wBAAwB,EAAE,CAAC;YACnC,MAAM,IAAI,qBAAc,CACtB,oBAAa,CAAC,iBAAiB,EAC/B,iFAAiF,CAClF,CAAC;QACJ,CAAC;QAID,MAAM,OAAO,GAAG,IAAI,+BAAwB,EAAE,CAAC;QAC/C,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC;QACvB,MAAM,oBAAoB,GAAG,SAA6E,CAAC;QAC3G,IAAI,oBAAoB,EAAE,kBAAkB,EAAE,CAAC;YAC7C,OAAO,CAAC,kBAAkB,GAAG,oBAAoB,CAAC,kBAAkB,CAAC;QACvE,CAAC;QACD,MAAM,IAAI,CAAC,wBAAwB,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAEnE,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC1C,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,2BAA2B,WAAW,EAAE,CAAC,CAAC;QAG7D,OAAO,EAAE,WAAW,EAAE,CAAC;IACzB,CAAC;IA2BD,KAAK,CAAC,WAAW,CAAC,IAAW,EAAE,gBAAyB,EAAE,UAAmB;QAC3E,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,uCAAuC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAEtE,MAAM,GAAG,GAAG,gBAA0C,CAAC;QACvD,MAAM,UAAU,GAAG,IAA0C,CAAC;QAC9D,MAAM,MAAM,GAAG,UAAU,CAAC,EAAY,CAAC;QACvC,MAAM,cAAc,GAAI,UAAU,CAAC,UAAsB,IAAI,KAAK,CAAC;QACnE,MAAM,eAAe,GAAI,UAAU,CAAC,eAA2B,IAAI,KAAK,CAAC;QAIzE,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,IAAK,UAAU,CAAC,KAA4B,CAAC;QAEpE,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,qBAAc,CACtB,oBAAa,CAAC,iBAAiB,EAC/B,iFAAiF,CAClF,CAAC;QACJ,CAAC;QAMD,IAAI,CAAC,eAAe,EAAE,CAAC;YAErB,IAAI,CAAC,IAAI,CAAC,wBAAwB,EAAE,CAAC;gBACnC,MAAM,IAAI,qBAAc,CACtB,oBAAa,CAAC,iBAAiB,EAC/B,iFAAiF,CAClF,CAAC;YACJ,CAAC;YAED,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;gBACxC,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,iBAAiB,EAAE,+BAA+B,CAAC,CAAC;YAC7F,CAAC;YAED,IAAI,CAAC;gBAEH,MAAM,SAAS,GAAG,IAAI,6BAAsB,EAAE,CAAC;gBAC/C,SAAS,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;gBAC7B,SAAS,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;gBAC1B,MAAM,IAAI,CAAC,wBAAwB,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;gBACnE,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAChB,kDAAkD,IAAI,CAAC,GAAG,gDAAgD,CAC3G,CAAC;YACJ,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBAEf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;gBAC9E,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,0DAA0D,IAAI,CAAC,GAAG,KAAK,YAAY,EAAE,EACrF,KAAK,CACN,CAAC;gBACF,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,yBAAyB,EAAE,oBAAoB,CAAC,CAAC;YAC1F,CAAC;QACH,CAAC;aAAM,CAAC;YAEN,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAChB,mCAAmC,IAAI,CAAC,GAAG,qDAAqD,CACjG,CAAC;QACJ,CAAC;QAQD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE;YAC7C,IAAI,EAAE,UAAU,IAAI,OAAO;YAC3B,KAAK;YACL,QAAQ,EAAE,IAAI;YACd,SAAS,EAAE,CAAC,cAAc;SAC3B,CAAC,CAAC;QAGH,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;QAElC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,uCAAuC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAEtE,OAAO,MAAM,CAAC,EAAE,CAAC;IACnB,CAAC;IAkBD,KAAK,CAAC,MAAM,CAAC,IAAW,EAAE,IAAa,EAAE,QAAiB;QACxD,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,kCAAkC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAGjE,IAAI,CAAC,IAAI,CAAC,wBAAwB,EAAE,CAAC;YACnC,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,8EAA8E,CAAC,CAAC;YACpG,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,SAAS,GAAG,IAAc,CAAC;QACjC,IAAI,CAAC,SAAS,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;YAChD,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,2BAA2B,CAAC,CAAC;YACjD,OAAO,KAAK,CAAC;QACf,CAAC;QAGD,MAAM,UAAU,GAAG,IAA0C,CAAC;QAC9D,MAAM,MAAM,GAAG,UAAU,CAAC,EAAY,CAAC;QACvC,MAAM,eAAe,GAAI,UAAU,CAAC,eAA2B,IAAI,KAAK,CAAC;QAGzE,MAAM,MAAM,GAAG,QAAQ,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAGzE,IAAI,CAAC;YAQH,MAAM,SAAS,GAAG,IAAI,6BAAsB,EAAE,CAAC;YAC/C,SAAS,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;YAC7B,SAAS,CAAC,IAAI,GAAG,SAAS,CAAC;YAC3B,MAAM,IAAI,CAAC,wBAAwB,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;YAEnE,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,yEAAyE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;YAC1G,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,kEAAkE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;YACnG,CAAC;YAGD,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAC1C,CAAC;YAED,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,8CAA8C,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;YAC7E,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAGf,IAAI,KAAK,YAAY,qBAAc,EAAE,CAAC;gBACpC,MAAM,KAAK,CAAC;YACd,CAAC;YAGD,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC5E,MAAM,SAAS,GAAI,KAAa,EAAE,IAAI,IAAI,SAAS,CAAC;YACpD,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CACjB,4CAA4C,IAAI,CAAC,GAAG,WAAW,SAAS,YAAY,SAAS,MAAM,YAAY,EAAE,CAClH,CAAC;YACF,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAiBD,KAAK,CAAC,aAAa,CAAC,IAAW;QAC7B,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,oCAAoC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAGnE,MAAM,UAAU,GAAG,IAA0C,CAAC;QAC9D,MAAM,MAAM,GAAG,UAAU,CAAC,EAAY,CAAC;QAGvC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,SAAS,EAAE,4BAA4B,EAAE,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,CAAC;QAC3G,CAAC;QAID,MAAM,YAAY,GAAG,MAAM,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC;QAChD,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,IAAI,qBAAc,CACtB,oBAAa,CAAC,iBAAiB,EAC/B,yFAAyF,EACzF,EAAE,UAAU,EAAE,OAAO,EAAE,CACxB,CAAC;QACJ,CAAC;QAGD,IAAI,CAAC,IAAI,CAAC,wBAAwB,EAAE,CAAC;YACnC,MAAM,IAAI,qBAAc,CACtB,oBAAa,CAAC,iBAAiB,EAC/B,iFAAiF,CAClF,CAAC;QACJ,CAAC;QAKD,MAAM,OAAO,GAAG,IAAI,+BAAwB,EAAE,CAAC;QAC/C,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,wBAAwB,GAAG,IAAI,CAAC;QACxC,MAAM,IAAI,CAAC,wBAAwB,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAEnE,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,iCAAiC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAEhE,OAAO,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;IACtC,CAAC;CACF;AA9WD,0DA8WC"}

package/dist/src/index.d.ts

@@ -0,0 +1,3 @@
+export { EmailMFAProviderService } from './email-mfa-provider.service';
+export * from './dto/mfa.dto';
+//# sourceMappingURL=index.d.ts.map

package/dist/src/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,cAAc,eAAe,CAAC"}

package/dist/src/index.js

@@ -0,0 +1,21 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EmailMFAProviderService = void 0;
+var email_mfa_provider_service_1 = require("./email-mfa-provider.service");
+Object.defineProperty(exports, "EmailMFAProviderService", { enumerable: true, get: function () { return email_mfa_provider_service_1.EmailMFAProviderService; } });
+__exportStar(require("./dto/mfa.dto"), exports);
+//# sourceMappingURL=index.js.map

package/dist/src/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAOA,2EAAuE;AAA9D,qIAAA,uBAAuB,OAAA;AAChC,gDAA8B"}