@nik2208/node-auth 1.1.6 → 1.2.1

package/README.md

@@ -286,12 +286,12 @@ When you mount `auth.router()`, the following endpoints are available:
 | `POST` | `/auth/change-email/confirm` | Confirm email change with token |
 | `POST` | `/auth/2fa/setup` | Get TOTP secret + QR code (protected) |
 | `POST` | `/auth/2fa/verify-setup` | Verify TOTP code and enable 2FA (protected) |
-| `POST` | `/auth/2fa/verify` | Complete 2FA login |
+| `POST` | `/auth/2fa/verify` | Complete TOTP 2FA login |
 | `POST` | `/auth/2fa/disable` | Disable 2FA (protected) |
-| `POST` | `/auth/magic-link/send` | Send magic link email |
-| `POST` | `/auth/magic-link/verify` | Verify magic link token |
-| `POST` | `/auth/sms/send` | Send SMS verification code |
-| `POST` | `/auth/sms/verify` | Verify SMS code |
+| `POST` | `/auth/magic-link/send` | Send magic link — direct login (`mode='login'`, default) or 2FA challenge (`mode='2fa'`, requires `tempToken`) |
+| `POST` | `/auth/magic-link/verify` | Verify magic link — direct login (`mode='login'`, default) or 2FA completion (`mode='2fa'`, requires `tempToken`) |
+| `POST` | `/auth/sms/send` | Send SMS code — direct login (`mode='login'`, default, accepts `userId` **or** `email`) or 2FA challenge (`mode='2fa'`, requires `tempToken`) |
+| `POST` | `/auth/sms/verify` | Verify SMS code — direct login (`mode='login'`, default) or 2FA completion (`mode='2fa'`, requires `tempToken`) |
 | `GET` | `/auth/oauth/google` | Initiate Google OAuth |
 | `GET` | `/auth/oauth/google/callback` | Google OAuth callback |
 | `GET` | `/auth/oauth/github` | Initiate GitHub OAuth |
@@ -715,6 +715,271 @@ await fetch('/auth/change-email/confirm', {
 });
 ```
 
+## TOTP Two-Factor Authentication — Full UI Integration Guide
+
+TOTP (Time-based One-Time Password) is the **Google Authenticator / Authy** style 2FA. The following is the complete flow from both the server and UI perspective.
+
+### Prerequisites
+
+The user must be logged in (have a valid `accessToken` cookie or Bearer token).
+
+### Step 1 — Generate a secret and display the QR code
+
+Call `POST /auth/2fa/setup` from your settings page. The response contains:
+- `secret` — base32-encoded TOTP secret (store it temporarily in the UI, **never** in localStorage)
+- `otpauthUrl` — the `otpauth://` URI (used to generate the QR code)
+- `qrCode` — a `data:image/png;base64,...` data URL you can put directly into an `<img>` tag
+
+```typescript
+// Client-side (authenticated)
+const res = await fetch('/auth/2fa/setup', {
+  method: 'POST',
+  credentials: 'include',          // sends the accessToken cookie
+});
+const { secret, qrCode } = await res.json();
+
+// Display in your UI
+document.getElementById('qr-img').src = qrCode;
+document.getElementById('secret-text').textContent = secret; // for manual entry
+```
+
+**UI tip:** Show both the QR code and the plain-text secret. Some users cannot scan QR codes (accessibility, older devices).
+
+```html
+<!-- Example setup UI -->
+<div id="totp-setup">
+  <p>Scan this QR code with Google Authenticator, Authy, or any TOTP app:</p>
+  <img id="qr-img" alt="TOTP QR code" />
+  <p>Or enter this code manually: <code id="secret-text"></code></p>
+
+  <label>Enter the 6-digit code shown in the app to confirm:</label>
+  <input id="totp-input" type="text" maxlength="6" inputmode="numeric" autocomplete="one-time-code" />
+  <button onclick="verifySetup()">Enable 2FA</button>
+</div>
+```
+
+### Step 2 — Verify the setup and persist the secret
+
+The user enters the 6-digit code from their authenticator app. Call `POST /auth/2fa/verify-setup` with both the code **and** the secret returned from step 1.
+
+```typescript
+async function verifySetup() {
+  const code   = document.getElementById('totp-input').value.trim();
+  const secret = document.getElementById('secret-text').textContent; // from step 1
+
+  const res = await fetch('/auth/2fa/verify-setup', {
+    method: 'POST',
+    credentials: 'include',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ token: code, secret }),
+  });
+
+  if (res.ok) {
+    // 2FA is now enabled — update UI, redirect to settings
+    alert('Two-factor authentication enabled!');
+  } else {
+    const { error } = await res.json();
+    alert('Invalid code: ' + error);
+  }
+}
+```
+
+The server calls `updateTotpSecret(userId, secret)` which sets `isTotpEnabled = true` on the user.
+
+### Step 3 — Login with TOTP
+
+When a user with `isTotpEnabled = true` calls `POST /auth/login`, the server responds:
+
+```json
+{
+  "requiresTwoFactor": true,
+  "tempToken": "<short-lived JWT>",
+  "available2faMethods": ["totp", "sms", "magic-link"]
+}
+```
+
+- `tempToken` expires in **5 minutes** — use it immediately.
+- `available2faMethods` lists which 2FA channels are available to this specific user (see [Multi-channel 2FA](#multi-channel-2fa) below).
+
+Show a code-entry UI and call `POST /auth/2fa/verify`:
+
+```typescript
+// After detecting requiresTwoFactor === true in the login response:
+let tempToken = data.tempToken;
+
+async function submit2fa() {
+  const totpCode = document.getElementById('totp-code-input').value.trim();
+
+  const res = await fetch('/auth/2fa/verify', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ tempToken, totpCode }),
+  });
+
+  if (res.ok) {
+    // Full session tokens are now set as HttpOnly cookies
+    window.location.href = '/dashboard';
+  } else {
+    const { error } = await res.json();
+    alert('Invalid code: ' + error);
+  }
+}
+```
+
+```html
+<!-- TOTP verification UI (shown after login step 1) -->
+<div id="totp-verify">
+  <p>Enter the 6-digit code from your authenticator app:</p>
+  <input id="totp-code-input" type="text" maxlength="6" inputmode="numeric"
+         autocomplete="one-time-code" autofocus />
+  <button onclick="submit2fa()">Verify</button>
+</div>
+```
+
+### Step 4 — Disable 2FA
+
+Call `POST /auth/2fa/disable` (authenticated):
+
+```typescript
+await fetch('/auth/2fa/disable', {
+  method: 'POST',
+  credentials: 'include',
+});
+```
+
+The server clears `totpSecret` and sets `isTotpEnabled = false`.
+
+---
+
+## Multi-Channel 2FA — SMS and Magic-Link as Second Factor
+
+After a successful `POST /auth/login` that returns `requiresTwoFactor: true`, the response includes `available2faMethods` — an array listing which 2FA channels are configured for the user:
+
+| Value | Requires |
+|-------|----------|
+| `'totp'` | User has `isTotpEnabled = true` and a stored `totpSecret` |
+| `'sms'` | User has a stored `phoneNumber` **and** `config.sms` is configured |
+| `'magic-link'` | `config.email.sendMagicLink` or `config.email.mailer` is configured |
+
+Your UI can let the user pick their preferred channel:
+
+```typescript
+const loginRes = await fetch('/auth/login', { /* ... */ });
+const { requiresTwoFactor, tempToken, available2faMethods } = await loginRes.json();
+
+if (requiresTwoFactor) {
+  // Offer available channels to the user
+  show2faChannelPicker(available2faMethods, tempToken);
+}
+```
+
+### 2FA via SMS
+
+**Step A — Request the code:**
+
+```typescript
+await fetch('/auth/sms/send', {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json' },
+  body: JSON.stringify({ mode: '2fa', tempToken }),
+});
+// The server validates the tempToken, finds the user's stored phoneNumber, and sends an OTP.
+```
+
+**Step B — Submit the code:**
+
+```typescript
+const res = await fetch('/auth/sms/verify', {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json' },
+  body: JSON.stringify({ mode: '2fa', tempToken, code: userEnteredCode }),
+});
+// On success, full session tokens are issued via HttpOnly cookies.
+```
+
+### 2FA via Magic-Link
+
+**Step A — Request the magic link:**
+
+```typescript
+await fetch('/auth/magic-link/send', {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json' },
+  body: JSON.stringify({ mode: '2fa', tempToken }),
+});
+// The server validates the tempToken, finds the user's email, and sends a magic link.
+```
+
+**Step B — Verify the link** (called from the link in the email):
+
+```typescript
+// Extract `token` from the link: /auth/magic-link/verify?token=...
+const res = await fetch('/auth/magic-link/verify', {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json' },
+  body: JSON.stringify({ token: tokenFromLink, mode: '2fa', tempToken }),
+});
+// On success, full session tokens are issued via HttpOnly cookies.
+```
+
+> **Security note:** In `mode='2fa'`, both the magic-link token and the `tempToken` are validated. The magic link must belong to the same user identified by the `tempToken`, preventing account takeover even if a magic-link token is stolen.
+
+---
+
+## Direct Passwordless Login
+
+### SMS Direct Login
+
+Users can log in by phone without a password. You can identify the user by their stored `userId` **or** by the `email` associated with their account (the stored `phoneNumber` is used either way):
+
+```typescript
+// Option A — identify by userId
+await fetch('/auth/sms/send', {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json' },
+  body: JSON.stringify({ userId: '123' }),       // mode: 'login' is the default
+});
+
+// Option B — identify by email (user enters their email; the stored phone is used)
+await fetch('/auth/sms/send', {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json' },
+  body: JSON.stringify({ email: 'user@example.com' }),
+});
+// If the email is not found the endpoint silently returns { success: true }
+// to prevent user enumeration.
+```
+
+Then verify the code to get full session tokens:
+
+```typescript
+await fetch('/auth/sms/verify', {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json' },
+  body: JSON.stringify({ userId: '123', code: '123456' }),
+});
+```
+
+### Magic-Link Direct Login
+
+Magic-link direct login is unchanged — no `mode` parameter needed:
+
+```typescript
+// Send
+await fetch('/auth/magic-link/send', {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json' },
+  body: JSON.stringify({ email: 'user@example.com' }),
+});
+
+// Verify (called when user clicks the link)
+await fetch('/auth/magic-link/verify', {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json' },
+  body: JSON.stringify({ token: tokenFromLink }),
+});
+```
+
 ## Admin Panel
 
 `createAdminRouter` mounts a **self-contained admin panel** — both the REST API and a vanilla-JS UI — at any path you choose. No build step, no external UI dependencies.
@@ -724,9 +989,10 @@ import { createAdminRouter } from 'node-auth';
 
 app.use('/admin', createAdminRouter(userStore, {
   adminSecret: process.env.ADMIN_SECRET!,  // Bearer token required for all admin routes
-  sessionStore,   // optional — enables Sessions tab
-  rbacStore,      // optional — enables Roles & Permissions tab
-  tenantStore,    // optional — enables Tenants tab
+  sessionStore,       // optional — enables Sessions tab
+  rbacStore,          // optional — enables Roles & Permissions tab + user-role assignment
+  tenantStore,        // optional — enables Tenants tab + user-tenant membership
+  userMetadataStore,  // optional — enables Metadata editor in the user panel
 }));
 ```
 
@@ -734,12 +1000,16 @@ Open `http://localhost:3000/admin/` in your browser, enter the admin secret, and
 
 | Tab | Requires | Features |
 |-----|----------|---------|
-| **Users** | `IUserStore.listUsers` | Paginated user table, delete user |
+| **Users** | `IUserStore.listUsers` | Paginated user table, delete user, **Manage** panel per user |
 | **Sessions** | `ISessionStore.getAllSessions` | All active sessions, revoke by handle |
 | **Roles & Permissions** | `IRolesPermissionsStore.getAllRoles` | List roles with permissions, create/delete roles |
-| **Tenants** | `ITenantStore.getAllTenants` | List tenants, create/delete tenants |
+| **Tenants** | `ITenantStore.getAllTenants` | List tenants, create/delete tenants, manage members |
+
+The **Manage** panel (click the "Manage" button in the Users table) provides:
+- **Role assignment** — assign/remove roles when `rbacStore` is configured
+- **Metadata editor** — view and edit raw JSON metadata when `userMetadataStore` is configured
 
-Tabs that are not configured are hidden automatically.
+Tabs and features that are not configured are hidden automatically.
 
 ### Admin REST API
 
@@ -751,6 +1021,11 @@ All admin API endpoints require `Authorization: Bearer <adminSecret>`.
 | `GET` | `/admin/api/users` | List users (`?limit=&offset=`) |
 | `GET` | `/admin/api/users/:id` | Get single user |
 | `DELETE` | `/admin/api/users/:id` | Delete user (requires `IUserStore.deleteUser`) |
+| `GET` | `/admin/api/users/:id/roles` | List roles assigned to a user |
+| `POST` | `/admin/api/users/:id/roles` | Assign a role to a user (`{ role, tenantId? }`) |
+| `DELETE` | `/admin/api/users/:id/roles/:role` | Remove a role from a user |
+| `GET` | `/admin/api/users/:id/metadata` | Get user metadata |
+| `PUT` | `/admin/api/users/:id/metadata` | Replace user metadata (full JSON body) |
 | `GET` | `/admin/api/sessions` | List all sessions (`?limit=&offset=`) |
 | `DELETE` | `/admin/api/sessions/:handle` | Revoke a session |
 | `GET` | `/admin/api/roles` | List all roles with permissions |
@@ -759,6 +1034,9 @@ All admin API endpoints require `Authorization: Bearer <adminSecret>`.
 | `GET` | `/admin/api/tenants` | List all tenants |
 | `POST` | `/admin/api/tenants` | Create a tenant |
 | `DELETE` | `/admin/api/tenants/:id` | Delete a tenant |
+| `GET` | `/admin/api/tenants/:id/users` | List user IDs belonging to a tenant |
+| `POST` | `/admin/api/tenants/:id/users` | Add a user to a tenant (`{ userId }`) |
+| `DELETE` | `/admin/api/tenants/:id/users/:userId` | Remove a user from a tenant |
 
 > **Security note:** Mount the admin router behind a VPN or IP allow-list in production. The `adminSecret` is a single shared token — treat it like a root password.
 

package/dist/interfaces/user-store.interface.d.ts

@@ -52,6 +52,11 @@ export interface IUserStore<U extends BaseUser = BaseUser> {
      * Required to support POST /auth/change-email/confirm.
      */
     findByEmailChangeToken?(token: string): Promise<U | null>;
+    /**
+     * Set or clear the "2FA required" flag for a single user.
+     * Required to support `POST /admin/api/2fa-policy` (batch 2FA enforcement).
+     */
+    updateRequire2FA?(userId: string, required: boolean): Promise<void>;
     /**
      * Return a paginated list of users.
      * Used by the optional admin router to display the users table.

package/dist/interfaces/user-store.interface.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"user-store.interface.d.ts","sourceRoot":"","sources":["../../src/interfaces/user-store.interface.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAEhD,MAAM,WAAW,UAAU,CAAC,CAAC,SAAS,QAAQ,GAAG,QAAQ;IACvD,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAC9C,QAAQ,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IACxC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;IACrC,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,EAAE,MAAM,EAAE,IAAI,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7F,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,EAAE,MAAM,EAAE,IAAI,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3F,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACtE,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACvE,oBAAoB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,EAAE,MAAM,EAAE,IAAI,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/F,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI,EAAE,MAAM,EAAE,IAAI,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEvF;;;OAGG;IACH,gBAAgB,CAAC,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAEpD;;;OAGG;IACH,oBAAoB,CAAC,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAIxD;;;OAGG;IACH,4BAA4B,CAAC,CAC3B,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,GAAG,IAAI,EACpB,MAAM,EAAE,IAAI,GAAG,IAAI,GAClB,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjB;;;OAGG;IACH,mBAAmB,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzE;;;OAGG;IACH,4BAA4B,CAAC,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAIhE;;;;;OAKG;IACH,sBAAsB,CAAC,CACrB,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,GAAG,IAAI,EAC3B,KAAK,EAAE,MAAM,GAAG,IAAI,EACpB,MAAM,EAAE,IAAI,GAAG,IAAI,GAClB,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjB;;;;OAIG;IACH,WAAW,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE9D;;;OAGG;IACH,sBAAsB,CAAC,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAI1D;;;;;;OAMG;IACH,SAAS,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC;CACzD"}
+{"version":3,"file":"user-store.interface.d.ts","sourceRoot":"","sources":["../../src/interfaces/user-store.interface.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAEhD,MAAM,WAAW,UAAU,CAAC,CAAC,SAAS,QAAQ,GAAG,QAAQ;IACvD,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAC9C,QAAQ,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IACxC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;IACrC,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,EAAE,MAAM,EAAE,IAAI,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7F,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,EAAE,MAAM,EAAE,IAAI,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3F,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACtE,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACvE,oBAAoB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,EAAE,MAAM,EAAE,IAAI,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/F,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI,EAAE,MAAM,EAAE,IAAI,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEvF;;;OAGG;IACH,gBAAgB,CAAC,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAEpD;;;OAGG;IACH,oBAAoB,CAAC,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAIxD;;;OAGG;IACH,4BAA4B,CAAC,CAC3B,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,GAAG,IAAI,EACpB,MAAM,EAAE,IAAI,GAAG,IAAI,GAClB,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjB;;;OAGG;IACH,mBAAmB,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzE;;;OAGG;IACH,4BAA4B,CAAC,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAIhE;;;;;OAKG;IACH,sBAAsB,CAAC,CACrB,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,GAAG,IAAI,EAC3B,KAAK,EAAE,MAAM,GAAG,IAAI,EACpB,MAAM,EAAE,IAAI,GAAG,IAAI,GAClB,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjB;;;;OAIG;IACH,WAAW,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE9D;;;OAGG;IACH,sBAAsB,CAAC,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAE1D;;;OAGG;IACH,gBAAgB,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAIpE;;;;;;OAMG;IACH,SAAS,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC;CACzD"}

package/dist/middleware/auth.middleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.middleware.d.ts","sourceRoot":"","sources":["../../src/middleware/auth.middleware.ts"],"names":[],"mappings":"AAAA,OAAO,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAC1E,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AACzD,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAG3D,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,OAAO,CAAC;QAChB,UAAU,OAAO;YACf,IAAI,CAAC,EAAE,kBAAkB,CAAC;SAC3B;KACF;CACF;AAID,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,UAAU,GAAG,cAAc,CAevE"}
+{"version":3,"file":"auth.middleware.d.ts","sourceRoot":"","sources":["../../src/middleware/auth.middleware.ts"],"names":[],"mappings":"AAAA,OAAO,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAC1E,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AACzD,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAG3D,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,OAAO,CAAC;QAChB,UAAU,OAAO;YACf,IAAI,CAAC,EAAE,kBAAkB,CAAC;SAC3B;KACF;CACF;AAID,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,UAAU,GAAG,cAAc,CAuBvE"}

package/dist/middleware/auth.middleware.js

@@ -10,6 +10,14 @@ function createAuthMiddleware(config) {
             res.status(403).json({ error: 'No access token provided' });
             return;
         }
+        if (config.csrf?.enabled) {
+            const csrfCookie = tokenService.extractTokenFromCookie(req, 'csrf-token');
+            const csrfHeader = req.headers['x-csrf-token'];
+            if (!csrfCookie || !csrfHeader || csrfCookie !== csrfHeader) {
+                res.status(403).json({ error: 'CSRF token validation failed', code: 'CSRF_INVALID' });
+                return;
+            }
+        }
         try {
             const payload = tokenService.verifyAccessToken(token, config);
             req.user = payload;

package/dist/middleware/auth.middleware.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth.middleware.js","sourceRoot":"","sources":["../../src/middleware/auth.middleware.ts"],"names":[],"mappings":";;AAeA,oDAeC;AA3BD,6DAAyD;AAUzD,MAAM,YAAY,GAAG,IAAI,4BAAY,EAAE,CAAC;AAExC,SAAgB,oBAAoB,CAAC,MAAkB;IACrD,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC/D,MAAM,KAAK,GAAG,YAAY,CAAC,sBAAsB,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;QACtE,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAC,CAAC;YAC5D,OAAO;QACT,CAAC;QACD,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,YAAY,CAAC,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YAC9D,GAAG,CAAC,IAAI,GAAG,OAAO,CAAC;YACnB,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iCAAiC,EAAE,CAAC,CAAC;QACrE,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}
+{"version":3,"file":"auth.middleware.js","sourceRoot":"","sources":["../../src/middleware/auth.middleware.ts"],"names":[],"mappings":";;AAeA,oDAuBC;AAnCD,6DAAyD;AAUzD,MAAM,YAAY,GAAG,IAAI,4BAAY,EAAE,CAAC;AAExC,SAAgB,oBAAoB,CAAC,MAAkB;IACrD,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC/D,MAAM,KAAK,GAAG,YAAY,CAAC,sBAAsB,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;QACtE,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAC,CAAC;YAC5D,OAAO;QACT,CAAC;QACD,IAAI,MAAM,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC;YACzB,MAAM,UAAU,GAAG,YAAY,CAAC,sBAAsB,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;YAC1E,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,cAAc,CAAuB,CAAC;YACrE,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,IAAI,UAAU,KAAK,UAAU,EAAE,CAAC;gBAC5D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,8BAA8B,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC;gBACtF,OAAO;YACT,CAAC;QACH,CAAC;QACD,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,YAAY,CAAC,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YAC9D,GAAG,CAAC,IAAI,GAAG,OAAO,CAAC;YACnB,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iCAAiC,EAAE,CAAC,CAAC;QACrE,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/models/auth-config.model.d.ts

@@ -41,6 +41,30 @@ export interface AuthConfig {
         secure?: boolean;
         sameSite?: 'strict' | 'lax' | 'none';
         domain?: string;
+        /**
+         * Path for the refresh-token cookie.
+         * Defaults to `'/'` so the cookie is sent on every request and the
+         * router can be mounted at any prefix.
+         * For extra security you can restrict it to your refresh endpoint path
+         * (e.g. `'/auth/refresh'`).
+         */
+        refreshTokenPath?: string;
+    };
+    /**
+     * Anti-CSRF protection using the double-submit cookie pattern.
+     *
+     * When enabled the library sets a non-HttpOnly `csrf-token` cookie alongside
+     * the JWT cookies.  Client-side JavaScript must read this cookie and include
+     * its value in the `X-CSRF-Token` header on every authenticated request.
+     * The `createAuthMiddleware` middleware will then verify the header matches
+     * the cookie.
+     *
+     * Recommended when `cookieOptions.sameSite` is `'none'` or when you need
+     * defence-in-depth beyond `sameSite: 'lax'`.
+     */
+    csrf?: {
+        /** @default false */
+        enabled?: boolean;
     };
     bcryptSaltRounds?: number;
     sms?: {
@@ -106,6 +130,23 @@ export interface AuthConfig {
     twoFactor?: {
         appName?: string;
     };
+    /**
+     * When `true`, the local (email+password) login endpoint will reject users
+     * whose email address has not yet been verified (`isEmailVerified !== true`).
+     *
+     * **Default:** `false` — email verification is optional by default.
+     *
+     * If you enable this flag you must also configure the email-verification flow
+     * so that users can actually verify their address:
+     *  - configure `email.sendVerificationEmail` (or `email.mailer`) so the
+     *    library can send verification emails.
+     *  - expose the `POST /auth/send-verification-email` and
+     *    `GET /auth/verify-email` endpoints from `createAuthRouter`.
+     *
+     * When a user tries to log in with an unverified email the server responds
+     * with HTTP **403** and error code `EMAIL_NOT_VERIFIED`.
+     */
+    requireEmailVerification?: boolean;
     /**
      * Optional callback to inject custom claims into both the access and refresh JWTs.
      *

package/dist/models/auth-config.model.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-config.model.d.ts","sourceRoot":"","sources":["../../src/models/auth-config.model.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAExC;;;;;;;;;;;;;;GAcG;AACH,MAAM,WAAW,YAAY;IAC3B,6EAA6E;IAC7E,QAAQ,EAAE,MAAM,CAAC;IACjB,8CAA8C;IAC9C,MAAM,EAAE,MAAM,CAAC;IACf,4BAA4B;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,sCAAsC;IACtC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,kCAAkC;IAClC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;;OAIG;IACH,WAAW,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;CAC3B;AAED,MAAM,WAAW,UAAU;IACzB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,aAAa,CAAC,EAAE;QACd,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;QACrC,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,GAAG,CAAC,EAAE;QACJ,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,oBAAoB,CAAC,EAAE,MAAM,CAAC;KAC/B,CAAC;IACF,KAAK,CAAC,EAAE;QACN;;;WAGG;QACH,OAAO,CAAC,EAAE,MAAM,CAAC;QAEjB;;;;;WAKG;QACH,MAAM,CAAC,EAAE,YAAY,CAAC;QAEtB;;;WAGG;QACH,aAAa,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;QAE1F;;;WAGG;QACH,iBAAiB,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;QAE9F;;;WAGG;QACH,WAAW,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;QAE1F;;;WAGG;QACH,qBAAqB,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;QAElG;;;;WAIG;QACH,gBAAgB,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;KACnF,CAAC;IACF,KAAK,CAAC,EAAE;QACN,MAAM,CAAC,EAAE;YACP,QAAQ,EAAE,MAAM,CAAC;YACjB,YAAY,EAAE,MAAM,CAAC;YACrB,WAAW,EAAE,MAAM,CAAC;YACpB,SAAS,CAAC,EAAE,MAAM,CAAC;SACpB,CAAC;QACF,MAAM,CAAC,EAAE;YACP,QAAQ,EAAE,MAAM,CAAC;YACjB,YAAY,EAAE,MAAM,CAAC;YACrB,WAAW,EAAE,MAAM,CAAC;SACrB,CAAC;KACH,CAAC;IACF,SAAS,CAAC,EAAE;QACV,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;IACF;;;;;;;;;;;;;;;OAeG;IACH,iBAAiB,CAAC,EAAE,CAAC,IAAI,EAAE,QAAQ,KAAK,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjE"}
+{"version":3,"file":"auth-config.model.d.ts","sourceRoot":"","sources":["../../src/models/auth-config.model.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAExC;;;;;;;;;;;;;;GAcG;AACH,MAAM,WAAW,YAAY;IAC3B,6EAA6E;IAC7E,QAAQ,EAAE,MAAM,CAAC;IACjB,8CAA8C;IAC9C,MAAM,EAAE,MAAM,CAAC;IACf,4BAA4B;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,sCAAsC;IACtC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,kCAAkC;IAClC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;;OAIG;IACH,WAAW,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;CAC3B;AAED,MAAM,WAAW,UAAU;IACzB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,aAAa,CAAC,EAAE;QACd,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;QACrC,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB;;;;;;WAMG;QACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;KAC3B,CAAC;IACF;;;;;;;;;;;OAWG;IACH,IAAI,CAAC,EAAE;QACL,qBAAqB;QACrB,OAAO,CAAC,EAAE,OAAO,CAAC;KACnB,CAAC;IACF,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,GAAG,CAAC,EAAE;QACJ,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,oBAAoB,CAAC,EAAE,MAAM,CAAC;KAC/B,CAAC;IACF,KAAK,CAAC,EAAE;QACN;;;WAGG;QACH,OAAO,CAAC,EAAE,MAAM,CAAC;QAEjB;;;;;WAKG;QACH,MAAM,CAAC,EAAE,YAAY,CAAC;QAEtB;;;WAGG;QACH,aAAa,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;QAE1F;;;WAGG;QACH,iBAAiB,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;QAE9F;;;WAGG;QACH,WAAW,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;QAE1F;;;WAGG;QACH,qBAAqB,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;QAElG;;;;WAIG;QACH,gBAAgB,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;KACnF,CAAC;IACF,KAAK,CAAC,EAAE;QACN,MAAM,CAAC,EAAE;YACP,QAAQ,EAAE,MAAM,CAAC;YACjB,YAAY,EAAE,MAAM,CAAC;YACrB,WAAW,EAAE,MAAM,CAAC;YACpB,SAAS,CAAC,EAAE,MAAM,CAAC;SACpB,CAAC;QACF,MAAM,CAAC,EAAE;YACP,QAAQ,EAAE,MAAM,CAAC;YACjB,YAAY,EAAE,MAAM,CAAC;YACrB,WAAW,EAAE,MAAM,CAAC;SACrB,CAAC;KACH,CAAC;IACF,SAAS,CAAC,EAAE;QACV,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;IACF;;;;;;;;;;;;;;;OAeG;IACH,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAEnC;;;;;;;;;;;;;;;OAeG;IACH,iBAAiB,CAAC,EAAE,CAAC,IAAI,EAAE,QAAQ,KAAK,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjE"}

package/dist/models/user.model.d.ts

@@ -8,14 +8,15 @@ export interface BaseUser {
     resetToken?: string | null;
     resetTokenExpiry?: Date | null;
     totpSecret?: string | null;
+    isEmailVerified?: boolean;
     isTotpEnabled?: boolean;
     magicLinkToken?: string | null;
     magicLinkTokenExpiry?: Date | null;
     smsCode?: string | null;
     smsCodeExpiry?: Date | null;
     phoneNumber?: string | null;
-    /** Whether this user has verified their email address. */
-    isEmailVerified?: boolean;
+    /** When `true` this user must have 2FA active to complete login. */
+    require2FA?: boolean;
     /** Token sent in the email-verification link. */
     emailVerificationToken?: string | null;
     /** Expiry for the email-verification token. */

package/dist/models/user.model.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"user.model.d.ts","sourceRoot":"","sources":["../../src/models/user.model.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,kBAAkB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACjC,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,gBAAgB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAC/B,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,oBAAoB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACnC,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,aAAa,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAC5B,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,0DAA0D;IAC1D,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,iDAAiD;IACjD,sBAAsB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvC,+CAA+C;IAC/C,4BAA4B,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAC3C,wEAAwE;IACxE,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,8DAA8D;IAC9D,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,yCAAyC;IACzC,sBAAsB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;CACtC"}
+{"version":3,"file":"user.model.d.ts","sourceRoot":"","sources":["../../src/models/user.model.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,kBAAkB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACjC,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,gBAAgB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAC/B,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,oBAAoB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACnC,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,aAAa,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAC5B,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,oEAAoE;IACpE,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,iDAAiD;IACjD,sBAAsB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvC,+CAA+C;IAC/C,4BAA4B,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAC3C,wEAAwE;IACxE,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,8DAA8D;IAC9D,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,yCAAyC;IACzC,sBAAsB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;CACtC"}

package/dist/router/admin.router.d.ts

@@ -3,6 +3,7 @@ import { IUserStore } from '../interfaces/user-store.interface';
 import { ISessionStore } from '../interfaces/session-store.interface';
 import { IRolesPermissionsStore } from '../interfaces/roles-permissions-store.interface';
 import { ITenantStore } from '../interfaces/tenant-store.interface';
+import { IUserMetadataStore } from '../interfaces/user-metadata-store.interface';
 export interface AdminOptions {
     /**
      * Secret token required to access all admin endpoints.
@@ -12,10 +13,15 @@ export interface AdminOptions {
     adminSecret: string;
     /** Optional session store — enables the Sessions tab in the admin UI. */
     sessionStore?: ISessionStore;
-    /** Optional RBAC store — enables the Roles & Permissions tab. */
+    /** Optional RBAC store — enables the Roles & Permissions tab and user-role assignment. */
     rbacStore?: IRolesPermissionsStore;
-    /** Optional tenant store — enables the Tenants tab. */
+    /** Optional tenant store — enables the Tenants tab and user-tenant assignment. */
     tenantStore?: ITenantStore;
+    /**
+     * Optional user-metadata store — enables the Metadata section in the user detail
+     * panel (view and edit arbitrary per-user key/value data).
+     */
+    userMetadataStore?: IUserMetadataStore;
 }
 export declare function createAdminRouter(userStore: IUserStore, options: AdminOptions): Router;
 //# sourceMappingURL=admin.router.d.ts.map

package/dist/router/admin.router.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"admin.router.d.ts","sourceRoot":"","sources":["../../src/router/admin.router.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAqC,MAAM,SAAS,CAAC;AACpE,OAAO,EAAE,UAAU,EAAE,MAAM,oCAAoC,CAAC;AAChE,OAAO,EAAE,aAAa,EAAE,MAAM,uCAAuC,CAAC;AACtE,OAAO,EAAE,sBAAsB,EAAE,MAAM,iDAAiD,CAAC;AACzF,OAAO,EAAE,YAAY,EAAE,MAAM,sCAAsC,CAAC;AAEpE,MAAM,WAAW,YAAY;IAC3B;;;;OAIG;IACH,WAAW,EAAE,MAAM,CAAC;IACpB,yEAAyE;IACzE,YAAY,CAAC,EAAE,aAAa,CAAC;IAC7B,iEAAiE;IACjE,SAAS,CAAC,EAAE,sBAAsB,CAAC;IACnC,uDAAuD;IACvD,WAAW,CAAC,EAAE,YAAY,CAAC;CAC5B;AAgaD,wBAAgB,iBAAiB,CAC/B,SAAS,EAAE,UAAU,EACrB,OAAO,EAAE,YAAY,GACpB,MAAM,CAgMR"}
+{"version":3,"file":"admin.router.d.ts","sourceRoot":"","sources":["../../src/router/admin.router.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAqC,MAAM,SAAS,CAAC;AACpE,OAAO,EAAE,UAAU,EAAE,MAAM,oCAAoC,CAAC;AAChE,OAAO,EAAE,aAAa,EAAE,MAAM,uCAAuC,CAAC;AACtE,OAAO,EAAE,sBAAsB,EAAE,MAAM,iDAAiD,CAAC;AACzF,OAAO,EAAE,YAAY,EAAE,MAAM,sCAAsC,CAAC;AACpE,OAAO,EAAE,kBAAkB,EAAE,MAAM,6CAA6C,CAAC;AAEjF,MAAM,WAAW,YAAY;IAC3B;;;;OAIG;IACH,WAAW,EAAE,MAAM,CAAC;IACpB,yEAAyE;IACzE,YAAY,CAAC,EAAE,aAAa,CAAC;IAC7B,0FAA0F;IAC1F,SAAS,CAAC,EAAE,sBAAsB,CAAC;IACnC,kFAAkF;IAClF,WAAW,CAAC,EAAE,YAAY,CAAC;IAC3B;;;OAGG;IACH,iBAAiB,CAAC,EAAE,kBAAkB,CAAC;CACxC;AAmmBD,wBAAgB,iBAAiB,CAC/B,SAAS,EAAE,UAAU,EACrB,OAAO,EAAE,YAAY,GACpB,MAAM,CAgVR"}