@nauth-toolkit/mfa-totp 0.1.3

package/LICENSE

@@ -0,0 +1,90 @@
+NAUTH TOOLKIT EARLY ACCESS LICENSE
+Version 1.0 (December 2025)
+
+================================================================================
+FUTURE OPEN SOURCE NOTICE
+================================================================================
+NAuth Toolkit will transition to an open-source license (MIT or Apache 2.0) for
+core authentication features once the project reaches production readiness.
+
+This Early Access License is temporary and designed to:
+• Allow developers to build with nauth-toolkit during preview/beta
+• Provide clear expectations during the pre-release phase
+• Enable feedback and real-world testing before GA
+
+We're committed to keeping core auth free and open source. Premium features
+(enterprise SSO, advanced compliance, hosted options) will be offered separately
+under fair commercial terms.
+
+================================================================================
+EARLY ACCESS LICENSE TERMS
+================================================================================
+
+1. Grant of Use
+   You are granted a free, non-exclusive, non-transferable license to:
+   - Install and use nauth-toolkit packages in development, testing, staging,
+     and production environments
+   - Modify the code for your own internal use
+   - Deploy applications using nauth-toolkit to serve your users
+
+   You may NOT:
+   - Redistribute NAuth Toolkit as a standalone product or service
+   - Sell, sublicense, or offer NAuth Toolkit as part of a competing auth
+     platform or toolkit
+   - Remove or alter copyright notices
+
+2. No Fees During Early Access
+   There are no license fees, subscription costs, or usage charges during the
+   Early Access period. You may use nauth-toolkit freely for commercial and
+   non-commercial purposes within the terms of this license.
+
+3. Production Use
+   Production use is permitted but comes with standard early-access caveats:
+   - Features and APIs may change between preview releases
+   - Support is community-based (GitHub issues/discussions)
+   - No SLA or guaranteed uptime (you run it on your infrastructure)
+
+   We recommend thorough testing and having rollback plans for critical systems.
+
+4. Future Transition
+   When nauth-toolkit releases v1.0 GA:
+   - Core packages will adopt an open-source license (MIT or Apache 2.0)
+   - Your existing deployments will continue to work
+   - Premium features (if any) will be clearly documented with separate licensing
+   - No forced upgrades or surprise fees
+
+5. Ownership
+   NAuth Toolkit is developed and maintained by Noorix Digital Solutions.
+   You retain full ownership of your applications and data.
+
+6. Data and Privacy
+   NAuth Toolkit runs in YOUR infrastructure and database. You control all data.
+   You are responsible for compliance with applicable data protection laws.
+
+7. Disclaimer of Warranty
+   THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
+
+8. Limitation of Liability
+   IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE FOR ANY INDIRECT, INCIDENTAL,
+   SPECIAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS
+   OF PROFITS, REVENUE, DATA, OR USE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+   DAMAGES.
+
+9. Termination
+   This license remains in effect until:
+   - You stop using nauth-toolkit, or
+   - The project transitions to open source (at which point the new license applies)
+
+   If you breach these terms, your license terminates and you must stop using the
+   software.
+
+10. Contact and Support
+    - Documentation: https://nauth.dev
+    - Issues/Discussions: GitHub (when public repository launches)
+    - Commercial inquiries: Contact admin@noorix.com
+
+================================================================================
+Thank you for being an early adopter. Your feedback shapes the future of NAuth.
+================================================================================

package/README.md

@@ -0,0 +1,30 @@
+# @nauth-toolkit/mfa-totp
+
+TOTP/Authenticator MFA provider for nauth-toolkit
+
+## ⚠️ Preview Release Notice
+
+**This is a preview release for internal testing. Do not use in production yet.**
+
+This package is part of nauth-toolkit and is currently in early access/preview. Features and APIs may change between releases. For production use, please wait for the stable v1.0 release.
+
+## Installation
+
+```bash
+npm install @nauth-toolkit/mfa-totp@preview
+# or
+yarn add @nauth-toolkit/mfa-totp@preview
+```
+
+## License
+
+See LICENSE file in the package root for full license terms.
+
+## Documentation
+
+Full documentation: https://nauth.dev
+
+## Support
+
+- Issues/Discussions: GitHub (when repository is public)
+- Documentation: https://nauth.dev

package/dist/nestjs/index.d.ts

@@ -0,0 +1,5 @@
+export { TOTPMFAModule } from './totp-mfa.module';
+export * from '../src/totp.service';
+export * from '../src/totp-mfa-provider.service';
+export * from '../src/dto/mfa.dto';
+//# sourceMappingURL=index.d.ts.map

package/dist/nestjs/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../nestjs/index.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAGlD,cAAc,qBAAqB,CAAC;AACpC,cAAc,kCAAkC,CAAC;AACjD,cAAc,oBAAoB,CAAC"}

package/dist/nestjs/index.js

@@ -0,0 +1,23 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TOTPMFAModule = void 0;
+var totp_mfa_module_1 = require("./totp-mfa.module");
+Object.defineProperty(exports, "TOTPMFAModule", { enumerable: true, get: function () { return totp_mfa_module_1.TOTPMFAModule; } });
+__exportStar(require("../src/totp.service"), exports);
+__exportStar(require("../src/totp-mfa-provider.service"), exports);
+__exportStar(require("../src/dto/mfa.dto"), exports);
+//# sourceMappingURL=index.js.map

package/dist/nestjs/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../nestjs/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAMA,qDAAkD;AAAzC,gHAAA,aAAa,OAAA;AAGtB,sDAAoC;AACpC,mEAAiD;AACjD,qDAAmC"}

package/dist/nestjs/totp-mfa.module.d.ts

@@ -0,0 +1,10 @@
+import { OnModuleInit } from '@nestjs/common';
+import { TOTPMFAProviderService } from '../src/totp-mfa-provider.service';
+import { MFAService } from '@nauth-toolkit/core';
+export declare class TOTPMFAModule implements OnModuleInit {
+    private readonly totpMFAProvider;
+    private readonly mfaService;
+    constructor(totpMFAProvider: TOTPMFAProviderService, mfaService: MFAService);
+    onModuleInit(): void;
+}
+//# sourceMappingURL=totp-mfa.module.d.ts.map

package/dist/nestjs/totp-mfa.module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"totp-mfa.module.d.ts","sourceRoot":"","sources":["../../nestjs/totp-mfa.module.ts"],"names":[],"mappings":"AAAA,OAAO,EAAU,YAAY,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,sBAAsB,EAAE,MAAM,kCAAkC,CAAC;AAG1E,OAAO,EAAE,UAAU,EAA4B,MAAM,qBAAqB,CAAC;AAwB3E,qBAmDa,aAAc,YAAW,YAAY;IAE9C,OAAO,CAAC,QAAQ,CAAC,eAAe;IAChC,OAAO,CAAC,QAAQ,CAAC,UAAU;gBADV,eAAe,EAAE,sBAAsB,EACvC,UAAU,EAAE,UAAU;IAMzC,YAAY,IAAI,IAAI;CAMrB"}

package/dist/nestjs/totp-mfa.module.js

@@ -0,0 +1,67 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TOTPMFAModule = void 0;
+const common_1 = require("@nestjs/common");
+const totp_mfa_provider_service_1 = require("../src/totp-mfa-provider.service");
+const totp_service_1 = require("../src/totp.service");
+const core_1 = require("@nauth-toolkit/core");
+const internal_1 = require("@nauth-toolkit/core/internal");
+const core_2 = require("@nauth-toolkit/core");
+let TOTPMFAModule = class TOTPMFAModule {
+    totpMFAProvider;
+    mfaService;
+    constructor(totpMFAProvider, mfaService) {
+        this.totpMFAProvider = totpMFAProvider;
+        this.mfaService = mfaService;
+    }
+    onModuleInit() {
+        if (!this.mfaService) {
+            throw new Error('MFAService is not available. Ensure AuthModule.forRoot() is imported before TOTPMFAModule.');
+        }
+        this.mfaService.registerProvider(this.totpMFAProvider);
+    }
+};
+exports.TOTPMFAModule = TOTPMFAModule;
+exports.TOTPMFAModule = TOTPMFAModule = __decorate([
+    (0, common_1.Module)({
+        providers: [
+            {
+                provide: totp_service_1.TOTPService,
+                useFactory: (config, logger) => {
+                    return new totp_service_1.TOTPService(config, logger);
+                },
+                inject: ['NAUTH_CONFIG', 'NAUTH_LOGGER'],
+            },
+            {
+                provide: totp_mfa_provider_service_1.TOTPMFAProviderService,
+                useFactory: (mfaDeviceRepository, userRepository, config, logger, passwordService, totpService, challengeService, auditService, clientInfoService) => {
+                    return new totp_mfa_provider_service_1.TOTPMFAProviderService(mfaDeviceRepository, userRepository, config, logger, passwordService, totpService, challengeService, auditService, clientInfoService);
+                },
+                inject: [
+                    'MFADeviceRepository',
+                    'UserRepository',
+                    'NAUTH_CONFIG',
+                    'NAUTH_LOGGER',
+                    { token: internal_1.PasswordService, optional: true },
+                    totp_service_1.TOTPService,
+                    { token: 'ChallengeService', optional: true },
+                    { token: internal_1.AuthAuditService, optional: true },
+                    { token: core_2.ClientInfoService, optional: true },
+                ],
+            },
+        ],
+        exports: [totp_service_1.TOTPService, totp_mfa_provider_service_1.TOTPMFAProviderService],
+    }),
+    __metadata("design:paramtypes", [totp_mfa_provider_service_1.TOTPMFAProviderService,
+        core_1.MFAService])
+], TOTPMFAModule);
+//# sourceMappingURL=totp-mfa.module.js.map

package/dist/nestjs/totp-mfa.module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"totp-mfa.module.js","sourceRoot":"","sources":["../../nestjs/totp-mfa.module.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,2CAAsD;AACtD,gFAA0E;AAC1E,sDAAkD;AAElD,8CAA2E;AAE3E,2DAA6G;AAC7G,8CAAwD;AAwEjD,IAAM,aAAa,GAAnB,MAAM,aAAa;IAEL;IACA;IAFnB,YACmB,eAAuC,EACvC,UAAsB;QADtB,oBAAe,GAAf,eAAe,CAAwB;QACvC,eAAU,GAAV,UAAU,CAAY;IACtC,CAAC;IAKJ,YAAY;QACV,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,4FAA4F,CAAC,CAAC;QAChH,CAAC;QACD,IAAI,CAAC,UAAU,CAAC,gBAAgB,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IACzD,CAAC;CACF,CAAA;AAfY,sCAAa;wBAAb,aAAa;IAnDzB,IAAA,eAAM,EAAC;QACN,SAAS,EAAE;YAET;gBACE,OAAO,EAAE,0BAAW;gBACpB,UAAU,EAAE,CAAC,MAAmB,EAAE,MAAmB,EAAE,EAAE;oBACvD,OAAO,IAAI,0BAAW,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;gBACzC,CAAC;gBACD,MAAM,EAAE,CAAC,cAAc,EAAE,cAAc,CAAC;aACzC;YAED;gBACE,OAAO,EAAE,kDAAsB;gBAC/B,UAAU,EAAE,CACV,mBAA8C,EAC9C,cAAoC,EACpC,MAAmB,EACnB,MAAmB,EACnB,eAAgC,EAChC,WAAwB,EACxB,gBAAqB,EACrB,YAAiB,EACjB,iBAAsB,EACtB,EAAE;oBACF,OAAO,IAAI,kDAAsB,CAC/B,mBAAmB,EACnB,cAAc,EACd,MAAM,EACN,MAAM,EACN,eAAe,EACf,WAAW,EACX,gBAAgB,EAChB,YAAY,EACZ,iBAAiB,CAClB,CAAC;gBACJ,CAAC;gBACD,MAAM,EAAE;oBACN,qBAAqB;oBACrB,gBAAgB;oBAChB,cAAc;oBACd,cAAc;oBACd,EAAE,KAAK,EAAE,0BAAe,EAAE,QAAQ,EAAE,IAAI,EAAE;oBAC1C,0BAAW;oBACX,EAAE,KAAK,EAAE,kBAAkB,EAAE,QAAQ,EAAE,IAAI,EAAE;oBAC7C,EAAE,KAAK,EAAE,2BAAwB,EAAE,QAAQ,EAAE,IAAI,EAAE;oBACnD,EAAE,KAAK,EAAE,wBAAiB,EAAE,QAAQ,EAAE,IAAI,EAAE;iBAC7C;aACF;SACF;QACD,OAAO,EAAE,CAAC,0BAAW,EAAE,kDAAsB,CAAC;KAC/C,CAAC;qCAGoC,kDAAsB;QAC3B,iBAAU;GAH9B,aAAa,CAezB"}

package/dist/src/dto/mfa.dto.d.ts

@@ -0,0 +1,143 @@
+export interface MFAChallengeResponseDTO {
+    challengeName: 'MFA_REQUIRED';
+    session: string;
+    challengeParameters: {
+        availableMethods: Array<'totp' | 'sms' | 'passkey' | 'backup'>;
+        preferredMethod?: 'totp' | 'sms' | 'passkey';
+        maskedPhone?: string;
+    };
+}
+export interface VerifyMFACodeDTO {
+    session: string;
+    method: 'totp' | 'sms' | 'backup';
+    code: string;
+    trustDevice?: boolean;
+    deviceId?: string;
+}
+export interface VerifyPasskeyDTO {
+    session: string;
+    credential: {
+        id: string;
+        rawId: string;
+        response: {
+            clientDataJSON: string;
+            authenticatorData: string;
+            signature: string;
+            userHandle?: string;
+        };
+        type: 'public-key';
+    };
+    trustDevice?: boolean;
+}
+export interface SetupTOTPResponseDTO {
+    secret: string;
+    qrCode: string;
+    manualEntryKey: string;
+    issuer: string;
+    accountName: string;
+}
+export interface VerifyTOTPSetupDTO {
+    secret: string;
+    code: string;
+    deviceName?: string;
+}
+export interface SetupSMSMFADTO {
+    phoneNumber: string;
+    deviceName?: string;
+}
+export interface VerifySMSMFASetupDTO {
+    phoneNumber: string;
+    code: string;
+}
+export interface SendSMSMFACodeDTO {
+    session: string;
+}
+export interface SetupPasskeyResponseDTO {
+    options: {
+        challenge: string;
+        rp: {
+            name: string;
+            id: string;
+        };
+        user: {
+            id: string;
+            name: string;
+            displayName: string;
+        };
+        pubKeyCredParams: Array<{
+            type: 'public-key';
+            alg: number;
+        }>;
+        timeout: number;
+        attestation: 'none' | 'indirect' | 'direct';
+        authenticatorSelection?: {
+            authenticatorAttachment?: 'platform' | 'cross-platform';
+            requireResidentKey?: boolean;
+            userVerification?: 'required' | 'preferred' | 'discouraged';
+        };
+        excludeCredentials?: Array<{
+            id: string;
+            type: 'public-key';
+            transports?: string[];
+        }>;
+    };
+}
+export interface VerifyPasskeySetupDTO {
+    credential: {
+        id: string;
+        rawId: string;
+        response: {
+            clientDataJSON: string;
+            attestationObject: string;
+        };
+        type: 'public-key';
+    };
+    deviceName?: string;
+}
+export interface GetPasskeyChallengeResponseDTO {
+    options: {
+        challenge: string;
+        timeout: number;
+        rpId: string;
+        allowCredentials: Array<{
+            id: string;
+            type: 'public-key';
+            transports?: string[];
+        }>;
+        userVerification: 'required' | 'preferred' | 'discouraged';
+    };
+}
+export interface GenerateBackupCodesResponseDTO {
+    codes: string[];
+    generated: string;
+}
+export interface MFADeviceDTO {
+    id: number;
+    type: 'totp' | 'sms' | 'passkey';
+    name: string;
+    isActive: boolean;
+    isPrimary: boolean;
+    lastUsedAt?: string;
+    createdAt: string;
+    maskedPhone?: string;
+}
+export interface ListMFADevicesResponseDTO {
+    devices: MFADeviceDTO[];
+    hasBackupCodes: boolean;
+}
+export interface UpdateMFADeviceDTO {
+    name?: string;
+    isPrimary?: boolean;
+}
+export interface DisableMFADeviceDTO {
+    password: string;
+}
+export interface MFAStatusResponseDTO {
+    enabled: boolean;
+    required: boolean;
+    gracePeriodEnds?: string;
+    configuredMethods: Array<'totp' | 'sms' | 'passkey'>;
+    preferredMethod?: 'totp' | 'sms' | 'passkey';
+    hasBackupCodes: boolean;
+}
+//# sourceMappingURL=mfa.dto.d.ts.map

package/dist/src/dto/mfa.dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mfa.dto.d.ts","sourceRoot":"","sources":["../../../src/dto/mfa.dto.ts"],"names":[],"mappings":"AAiCA,MAAM,WAAW,uBAAuB;IAItC,aAAa,EAAE,cAAc,CAAC;IAM9B,OAAO,EAAE,MAAM,CAAC;IAKhB,mBAAmB,EAAE;QAInB,gBAAgB,EAAE,KAAK,CAAC,MAAM,GAAG,KAAK,GAAG,SAAS,GAAG,QAAQ,CAAC,CAAC;QAK/D,eAAe,CAAC,EAAE,MAAM,GAAG,KAAK,GAAG,SAAS,CAAC;QAM7C,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;CACH;AA6BD,MAAM,WAAW,gBAAgB;IAI/B,OAAO,EAAE,MAAM,CAAC;IAKhB,MAAM,EAAE,MAAM,GAAG,KAAK,GAAG,QAAQ,CAAC;IAKlC,IAAI,EAAE,MAAM,CAAC;IAQb,WAAW,CAAC,EAAE,OAAO,CAAC;IAMtB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AA0BD,MAAM,WAAW,gBAAgB;IAI/B,OAAO,EAAE,MAAM,CAAC;IAKhB,UAAU,EAAE;QACV,EAAE,EAAE,MAAM,CAAC;QACX,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE;YACR,cAAc,EAAE,MAAM,CAAC;YACvB,iBAAiB,EAAE,MAAM,CAAC;YAC1B,SAAS,EAAE,MAAM,CAAC;YAClB,UAAU,CAAC,EAAE,MAAM,CAAC;SACrB,CAAC;QACF,IAAI,EAAE,YAAY,CAAC;KACpB,CAAC;IAMF,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAuBD,MAAM,WAAW,oBAAoB;IAKnC,MAAM,EAAE,MAAM,CAAC;IAMf,MAAM,EAAE,MAAM,CAAC;IAOf,cAAc,EAAE,MAAM,CAAC;IAKvB,MAAM,EAAE,MAAM,CAAC;IAKf,WAAW,EAAE,MAAM,CAAC;CACrB;AAiBD,MAAM,WAAW,kBAAkB;IAIjC,MAAM,EAAE,MAAM,CAAC;IAKf,IAAI,EAAE,MAAM,CAAC;IAMb,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAoBD,MAAM,WAAW,cAAc;IAK7B,WAAW,EAAE,MAAM,CAAC;IAMpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAeD,MAAM,WAAW,oBAAoB;IAInC,WAAW,EAAE,MAAM,CAAC;IAKpB,IAAI,EAAE,MAAM,CAAC;CACd;AAcD,MAAM,WAAW,iBAAiB;IAIhC,OAAO,EAAE,MAAM,CAAC;CACjB;AA4BD,MAAM,WAAW,uBAAuB;IAKtC,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAC;QAClB,EAAE,EAAE;YACF,IAAI,EAAE,MAAM,CAAC;YACb,EAAE,EAAE,MAAM,CAAC;SACZ,CAAC;QACF,IAAI,EAAE;YACJ,EAAE,EAAE,MAAM,CAAC;YACX,IAAI,EAAE,MAAM,CAAC;YACb,WAAW,EAAE,MAAM,CAAC;SACrB,CAAC;QACF,gBAAgB,EAAE,KAAK,CAAC;YACtB,IAAI,EAAE,YAAY,CAAC;YACnB,GAAG,EAAE,MAAM,CAAC;SACb,CAAC,CAAC;QACH,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,EAAE,MAAM,GAAG,UAAU,GAAG,QAAQ,CAAC;QAC5C,sBAAsB,CAAC,EAAE;YACvB,uBAAuB,CAAC,EAAE,UAAU,GAAG,gBAAgB,CAAC;YACxD,kBAAkB,CAAC,EAAE,OAAO,CAAC;YAC7B,gBAAgB,CAAC,EAAE,UAAU,GAAG,WAAW,GAAG,aAAa,CAAC;SAC7D,CAAC;QACF,kBAAkB,CAAC,EAAE,KAAK,CAAC;YACzB,EAAE,EAAE,MAAM,CAAC;YACX,IAAI,EAAE,YAAY,CAAC;YACnB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;SACvB,CAAC,CAAC;KACJ,CAAC;CACH;AAuBD,MAAM,WAAW,qBAAqB;IAIpC,UAAU,EAAE;QACV,EAAE,EAAE,MAAM,CAAC;QACX,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE;YACR,cAAc,EAAE,MAAM,CAAC;YACvB,iBAAiB,EAAE,MAAM,CAAC;SAC3B,CAAC;QACF,IAAI,EAAE,YAAY,CAAC;KACpB,CAAC;IAMF,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAoBD,MAAM,WAAW,8BAA8B;IAK7C,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAC;QAClB,OAAO,EAAE,MAAM,CAAC;QAChB,IAAI,EAAE,MAAM,CAAC;QACb,gBAAgB,EAAE,KAAK,CAAC;YACtB,EAAE,EAAE,MAAM,CAAC;YACX,IAAI,EAAE,YAAY,CAAC;YACnB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;SACvB,CAAC,CAAC;QACH,gBAAgB,EAAE,UAAU,GAAG,WAAW,GAAG,aAAa,CAAC;KAC5D,CAAC;CACH;AAwBD,MAAM,WAAW,8BAA8B;IAK7C,KAAK,EAAE,MAAM,EAAE,CAAC;IAKhB,SAAS,EAAE,MAAM,CAAC;CACnB;AAwBD,MAAM,WAAW,YAAY;IAI3B,EAAE,EAAE,MAAM,CAAC;IAKX,IAAI,EAAE,MAAM,GAAG,KAAK,GAAG,SAAS,CAAC;IAKjC,IAAI,EAAE,MAAM,CAAC;IAKb,QAAQ,EAAE,OAAO,CAAC;IAKlB,SAAS,EAAE,OAAO,CAAC;IAKnB,UAAU,CAAC,EAAE,MAAM,CAAC;IAKpB,SAAS,EAAE,MAAM,CAAC;IAKlB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAkBD,MAAM,WAAW,yBAAyB;IAIxC,OAAO,EAAE,YAAY,EAAE,CAAC;IAKxB,cAAc,EAAE,OAAO,CAAC;CACzB;AAeD,MAAM,WAAW,kBAAkB;IAIjC,IAAI,CAAC,EAAE,MAAM,CAAC;IAKd,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAcD,MAAM,WAAW,mBAAmB;IAIlC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAuBD,MAAM,WAAW,oBAAoB;IAInC,OAAO,EAAE,OAAO,CAAC;IAKjB,QAAQ,EAAE,OAAO,CAAC;IAMlB,eAAe,CAAC,EAAE,MAAM,CAAC;IAKzB,iBAAiB,EAAE,KAAK,CAAC,MAAM,GAAG,KAAK,GAAG,SAAS,CAAC,CAAC;IAKrD,eAAe,CAAC,EAAE,MAAM,GAAG,KAAK,GAAG,SAAS,CAAC;IAK7C,cAAc,EAAE,OAAO,CAAC;CACzB"}

package/dist/src/dto/mfa.dto.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=mfa.dto.js.map

package/dist/src/dto/mfa.dto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mfa.dto.js","sourceRoot":"","sources":["../../../src/dto/mfa.dto.ts"],"names":[],"mappings":""}

package/dist/src/index.d.ts

@@ -0,0 +1,4 @@
+export { TOTPService } from './totp.service';
+export { TOTPMFAProviderService } from './totp-mfa-provider.service';
+export * from './dto/mfa.dto';
+//# sourceMappingURL=index.d.ts.map

package/dist/src/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AACrE,cAAc,eAAe,CAAC"}

package/dist/src/index.js

@@ -0,0 +1,23 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TOTPMFAProviderService = exports.TOTPService = void 0;
+var totp_service_1 = require("./totp.service");
+Object.defineProperty(exports, "TOTPService", { enumerable: true, get: function () { return totp_service_1.TOTPService; } });
+var totp_mfa_provider_service_1 = require("./totp-mfa-provider.service");
+Object.defineProperty(exports, "TOTPMFAProviderService", { enumerable: true, get: function () { return totp_mfa_provider_service_1.TOTPMFAProviderService; } });
+__exportStar(require("./dto/mfa.dto"), exports);
+//# sourceMappingURL=index.js.map

package/dist/src/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAOA,+CAA6C;AAApC,2GAAA,WAAW,OAAA;AACpB,yEAAqE;AAA5D,mIAAA,sBAAsB,OAAA;AAC/B,gDAA8B"}

package/dist/src/totp-mfa-provider.service.d.ts

@@ -0,0 +1,14 @@
+import { Repository } from 'typeorm';
+import { BaseMFADevice, BaseUser, IUser, NAuthConfig, NAuthLogger, MFAMethod } from '@nauth-toolkit/core';
+import { BaseMFAProviderService } from '@nauth-toolkit/core/internal';
+import { TOTPService } from './totp.service';
+import { SetupTOTPResponseDTO } from './dto/mfa.dto';
+export declare class TOTPMFAProviderService extends BaseMFAProviderService {
+    private readonly totpService;
+    readonly methodName = MFAMethod.TOTP;
+    constructor(mfaDeviceRepository: Repository<BaseMFADevice>, userRepository: Repository<BaseUser>, config: NAuthConfig, logger: NAuthLogger, passwordService: unknown, totpService: TOTPService, challengeService?: unknown, auditService?: unknown, clientInfoService?: unknown);
+    setup(user: IUser, _setupData?: unknown): Promise<SetupTOTPResponseDTO>;
+    verifySetup(user: IUser, verificationData: unknown, deviceName?: string): Promise<number>;
+    verify(user: IUser, code: unknown, deviceId?: number): Promise<boolean>;
+}
+//# sourceMappingURL=totp-mfa-provider.service.d.ts.map

package/dist/src/totp-mfa-provider.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"totp-mfa-provider.service.d.ts","sourceRoot":"","sources":["../../src/totp-mfa-provider.service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAErC,OAAO,EACL,aAAa,EACb,QAAQ,EACR,KAAK,EACL,WAAW,EACX,WAAW,EAGX,SAAS,EACV,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAC;AACtE,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,oBAAoB,EAAsB,MAAM,eAAe,CAAC;AAsBzE,qBAAa,sBAAuB,SAAQ,sBAAsB;IAS9D,OAAO,CAAC,QAAQ,CAAC,WAAW;IAR9B,QAAQ,CAAC,UAAU,kBAAkB;gBAGnC,mBAAmB,EAAE,UAAU,CAAC,aAAa,CAAC,EAC9C,cAAc,EAAE,UAAU,CAAC,QAAQ,CAAC,EACpC,MAAM,EAAE,WAAW,EACnB,MAAM,EAAE,WAAW,EACnB,eAAe,EAAE,OAAO,EACP,WAAW,EAAE,WAAW,EACzC,gBAAgB,CAAC,EAAE,OAAO,EAC1B,YAAY,CAAC,EAAE,OAAO,EACtB,iBAAiB,CAAC,EAAE,OAAO;IA+BvB,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,UAAU,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,oBAAoB,CAAC;IA0CvE,WAAW,CAAC,IAAI,EAAE,KAAK,EAAE,gBAAgB,EAAE,OAAO,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IA0DzF,MAAM,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;CAoC9E"}

package/dist/src/totp-mfa-provider.service.js

@@ -0,0 +1,71 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TOTPMFAProviderService = void 0;
+const core_1 = require("@nauth-toolkit/core");
+const internal_1 = require("@nauth-toolkit/core/internal");
+class TOTPMFAProviderService extends internal_1.BaseMFAProviderService {
+    totpService;
+    methodName = core_1.MFAMethod.TOTP;
+    constructor(mfaDeviceRepository, userRepository, config, logger, passwordService, totpService, challengeService, auditService, clientInfoService) {
+        super(mfaDeviceRepository, userRepository, config, logger, passwordService, challengeService, auditService, clientInfoService);
+        this.totpService = totpService;
+    }
+    async setup(user, _setupData) {
+        this.logger?.log?.(`Setting up TOTP for user: ${user.sub}`);
+        if (!this.isMethodAllowed()) {
+            throw new core_1.NAuthException(core_1.AuthErrorCode.VALIDATION_FAILED, 'TOTP is not enabled', { feature: 'totp' });
+        }
+        const setup = await this.totpService.generateSecret(user.email);
+        this.logger?.log?.(`TOTP setup initiated for user: ${user.sub}`);
+        return setup;
+    }
+    async verifySetup(user, verificationData, deviceName) {
+        this.logger?.log?.(`Verifying TOTP setup for user: ${user.sub}`);
+        const dto = verificationData;
+        if (!this.totpService.isValidSecret(dto.secret)) {
+            throw new core_1.NAuthException(core_1.AuthErrorCode.VALIDATION_FAILED, 'Invalid TOTP secret', { field: 'secret' });
+        }
+        const result = this.totpService.verifyCodeWithDetails(dto.secret, dto.code);
+        if (!result.valid) {
+            throw new core_1.NAuthException(core_1.AuthErrorCode.VERIFICATION_CODE_INVALID, result.error || 'Invalid TOTP code');
+        }
+        const userEntity = user;
+        const userId = userEntity.id;
+        const userMfaEnabled = userEntity.mfaEnabled || false;
+        const device = await this.createDevice(userId, {
+            name: deviceName || dto.deviceName || 'Authenticator App',
+            secret: dto.secret,
+            isActive: true,
+            isPrimary: !userMfaEnabled,
+        });
+        await this.enableMFAForUser(user);
+        this.logger?.log?.(`TOTP setup completed for user: ${user.sub}`);
+        return device.id;
+    }
+    async verify(user, code, deviceId) {
+        this.logger?.log?.(`Verifying TOTP code for user: ${user.sub}`);
+        const totpCode = code;
+        if (!totpCode || typeof totpCode !== 'string') {
+            this.logger?.warn?.('Invalid TOTP code format');
+            return false;
+        }
+        const userEntity = user;
+        const userId = userEntity.id;
+        const device = await this.findDevice(userId, deviceId);
+        if (!device || !device.secret) {
+            this.logger?.warn?.(`No active TOTP device found for user: ${user.sub}`);
+            return false;
+        }
+        const isValid = this.totpService.verifyCode(device.secret, totpCode);
+        if (isValid) {
+            await this.updateDeviceUsage(device.id);
+            this.logger?.log?.(`TOTP code verified successfully for user: ${user.sub}`);
+        }
+        else {
+            this.logger?.warn?.(`TOTP code verification failed for user: ${user.sub}`);
+        }
+        return isValid;
+    }
+}
+exports.TOTPMFAProviderService = TOTPMFAProviderService;
+//# sourceMappingURL=totp-mfa-provider.service.js.map

package/dist/src/totp-mfa-provider.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"totp-mfa-provider.service.js","sourceRoot":"","sources":["../../src/totp-mfa-provider.service.ts"],"names":[],"mappings":";;;AAEA,8CAS6B;AAE7B,2DAAsE;AAwBtE,MAAa,sBAAuB,SAAQ,iCAAsB;IAS7C;IARV,UAAU,GAAG,gBAAS,CAAC,IAAI,CAAC;IAErC,YACE,mBAA8C,EAC9C,cAAoC,EACpC,MAAmB,EACnB,MAAmB,EACnB,eAAwB,EACP,WAAwB,EACzC,gBAA0B,EAC1B,YAAsB,EACtB,iBAA2B;QAE3B,KAAK,CACH,mBAAmB,EACnB,cAAc,EACd,MAAM,EACN,MAAM,EACN,eAAe,EACf,gBAAuB,EACvB,YAAmB,EACnB,iBAAwB,CACzB,CAAC;QAde,gBAAW,GAAX,WAAW,CAAa;IAe3C,CAAC;IAmBD,KAAK,CAAC,KAAK,CAAC,IAAW,EAAE,UAAoB;QAC3C,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,6BAA6B,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAG5D,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,EAAE,CAAC;YAC5B,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,iBAAiB,EAAE,qBAAqB,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;QACxG,CAAC;QAGD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAEhE,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,kCAAkC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAEjE,OAAO,KAAK,CAAC;IACf,CAAC;IA4BD,KAAK,CAAC,WAAW,CAAC,IAAW,EAAE,gBAAyB,EAAE,UAAmB;QAC3E,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,kCAAkC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAEjE,MAAM,GAAG,GAAG,gBAAsC,CAAC;QAGnD,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YAChD,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,iBAAiB,EAAE,qBAAqB,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;QACxG,CAAC;QAGD,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,qBAAqB,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;QAC5E,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,yBAAyB,EAAE,MAAM,CAAC,KAAK,IAAI,mBAAmB,CAAC,CAAC;QACzG,CAAC;QAGD,MAAM,UAAU,GAAG,IAA0C,CAAC;QAC9D,MAAM,MAAM,GAAG,UAAU,CAAC,EAAY,CAAC;QACvC,MAAM,cAAc,GAAI,UAAU,CAAC,UAAsB,IAAI,KAAK,CAAC;QAQnE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE;YAC7C,IAAI,EAAE,UAAU,IAAI,GAAG,CAAC,UAAU,IAAI,mBAAmB;YACzD,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,QAAQ,EAAE,IAAI;YACd,SAAS,EAAE,CAAC,cAAc;SAC3B,CAAC,CAAC;QAGH,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;QAElC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,kCAAkC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAEjE,OAAO,MAAM,CAAC,EAAE,CAAC;IACnB,CAAC;IAkBD,KAAK,CAAC,MAAM,CAAC,IAAW,EAAE,IAAa,EAAE,QAAiB;QACxD,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,iCAAiC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAEhE,MAAM,QAAQ,GAAG,IAAc,CAAC;QAChC,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC9C,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,0BAA0B,CAAC,CAAC;YAChD,OAAO,KAAK,CAAC;QACf,CAAC;QAGD,MAAM,UAAU,GAAG,IAA0C,CAAC;QAC9D,MAAM,MAAM,GAAG,UAAU,CAAC,EAAY,CAAC;QAGvC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QACvD,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YAC9B,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,yCAAyC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;YACzE,OAAO,KAAK,CAAC;QACf,CAAC;QAGD,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAErE,IAAI,OAAO,EAAE,CAAC;YAEZ,MAAM,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YACxC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,6CAA6C,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAC9E,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,2CAA2C,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAC7E,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;CAIF;AAnLD,wDAmLC"}

package/dist/src/totp.service.d.ts

@@ -0,0 +1,22 @@
+import { NAuthConfig, NAuthLogger } from '@nauth-toolkit/core';
+import { SetupTOTPResponseDTO } from './dto/mfa.dto';
+export declare class TOTPService {
+    private readonly config;
+    private readonly logger;
+    private readonly defaultConfig;
+    constructor(config: NAuthConfig, logger: NAuthLogger);
+    private configureAuthenticator;
+    private getTOTPConfig;
+    private getIssuer;
+    generateSecret(accountName: string): Promise<SetupTOTPResponseDTO>;
+    private formatSecretForManualEntry;
+    verifyCode(secret: string, code: string): boolean;
+    verifyCodeWithDetails(secret: string, code: string): {
+        valid: boolean;
+        error?: string;
+    };
+    generateCode(secret: string): string;
+    isValidSecret(secret: string): boolean;
+    getTimeRemaining(): number;
+}
+//# sourceMappingURL=totp.service.d.ts.map

package/dist/src/totp.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"totp.service.d.ts","sourceRoot":"","sources":["../../src/totp.service.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAc,WAAW,EAAiC,MAAM,qBAAqB,CAAC;AAC1G,OAAO,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC;AAyBrD,qBAAa,WAAW;IASpB,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,MAAM;IATzB,OAAO,CAAC,QAAQ,CAAC,aAAa,CAK5B;gBAGiB,MAAM,EAAE,WAAW,EACnB,MAAM,EAAE,WAAW;IAkBtC,OAAO,CAAC,sBAAsB;IAqB9B,OAAO,CAAC,aAAa;IAarB,OAAO,CAAC,SAAS;IAyBX,cAAc,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAkDxE,OAAO,CAAC,0BAA0B;IA8BlC,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO;IA8CjD,qBAAqB,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IA+CvF,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM;IAmBpC,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;IAgCtC,gBAAgB,IAAI,MAAM;CAM3B"}